AEPD (Spain) - PS/00236/2020: Difference between revisions

From GDPRhub
No edit summary
 
(6 intermediate revisions by one other user not shown)
Line 54: Line 54:
}}
}}


The Spanish DPA fined an energy company €1,500,000 for violating Articles 13 and 25 GDPR.
The Spanish DPA fined an energy company €1,500,000 for not providing sufficient information to data subjects under Article 13 GDPR, and for not implementing adequate measures to avoid or mitigate risks related to the data processing under Article 25 GDPR.


== English Summary ==
== English Summary ==
Line 69: Line 69:
Some additional clauses were implemented during the investigation, although the exact moment is not proven.
Some additional clauses were implemented during the investigation, although the exact moment is not proven.


 
Also, the DPA found that the information required by Article 12, 13 and 14 GDPR provided to the clients was not in line with the regulation.
=== Holding ===
=== Holding ===


Line 82: Line 82:


===== Infringement of Articles 6 and 22 GDPR =====
===== Infringement of Articles 6 and 22 GDPR =====
The AEPD also analyzed whether the controller was carrying out automated decision-making without consent, as the GDPR related information that was provided by the controller stated (differently for each method of contracting) that:
* The personal data provided may be used to manage the contracts, for fraud prevention, for the execution of a commercial profiles of the client and to subsequently carry out personalized commercial communications.
* Data obtained from third-party databases may be used to create commercial profiles of the clients, what may lead to an automated decision-making for sending personalized commercial communications.
The DPA alleged that consent was not being collected properly, as it lacked information about the identity of the controller, the categories of data, the third-party recipients, etc. Also, there was no proper information, in relation to Article 14, about data collected from third parties.
The DPA also regarded that the information given about automated decision making did not comply with Article 22 requirements, that requires the logic of the system to be explained, but also the importance and consequences of such decisions, the foreseen processing of data in this regard, as well as comprehensive information given, for example, in form of examples. Additionally, there was no specific consent for automated decision making.
However, the controller alleged that there was no actual automated decision making, as every final decision was taken by a human. Also, they said that for things such as fraud prevention, they were relying on a legitimate interest, not on the consent of the client. They also clarified that they were not currently doing any kind of automated decision making for consumer profiles.
In addition, the DPA could not prove that the controller was using data from third-party databases.
For all these reasons, the AEPD considered that there was no evidence of a violation of Article 6 and 22 GDPR.
The DPA also discussed, based on the controller's allegations, whether, similarly to their [[AEPD - PS/00240/2019|decision on Equifax]], the infringement of Articles 6 and 22 were instrumental to the infringement of Article 13 (that is to be discussed later) – and therefore only a fine based on the main infringement could be imposed –. However, the AEPD disregarded this argument, as they considered that, even if the infringements could be related to each other, all of them could be committed independently, are were thus not a means for committing the others.


===== Infringement of Article 13 =====
===== Infringement of Article 13 =====


The AEPD found that not all the requirements from Article 13 GDPR were met. For instance, the information provided via some of the contracting channels did not offer information on the data subjects rights, nor offered a way to access to the entirety of the information on a second layer. Therefore, the information offered was in general (although it varied, depending on the contracting channel that was used) fragmented and scattered, and did not meet what Article 13 requires.
For example, when the contract was made via phone, the only possibility to obtain the most basic information was either to be redirected to another call or to go to the privacy policy, without being informed at the moment of contracting about the rights that the data subject is entitled to. When contracting via electronic means, the data subject could not easily obtain such information, but was redirected to the contracting agreement and to a non-easily-accessible information that had to be thoroughly looked for on the controller's website.
According to Article 13 GDPR, all this information has to be directly given to the data subject by the controller, not being possible that the controller offers this information in a generic way yet the data subject needs to actively look for it. This is also in line with the transparency obligation: the information needs to be offered at the moment of the collection of the data; not afterwards.


This is normally done by providing the information in layers. The AEPD explains that, for example, in case of phone contracting, the basic information (purposes, identity of the controller, data subjects rights, and most relevant information about a particular processing) could be provided during the call itself, sending afterwards the rest of the information via email, or via a link to the privacy policy. Additionally, the AEPD remarks, the fact that layers are used to provide information cannot lead to a delay in the provision of the less relevant information, what also needs to be done in the moment of the collection of the data.
The AEPD also analyzed the content of the information provided. Firstly, the the way that the data subject is informed about the identity of the controller is problematic. The controller, EDP, is divided into two different companies: EDP Energy and EDP Marketer. The information provided states that "the data will be processed by EDP Energy and EDP Marketer", who are both said to be controllers. However, there is no specific reference to which company processes which data and for what purposes, which leads to a confusing and imprecise information. The privacy policy, after clarifying the existence of both controllers, only uses the generic name (EDP) without further specification.
The AEPD also noted that it is difficult, with the information provided, to identify how processing activities relate to each legal basis alleged by the controller. Therefore, it is not clear for which processes the controller is relying on a legitimate interest. It is not possible to identify what are the legal basis that are been relied upon for each processing activity. This should be clearly provided in the information. Also, what particular legitimate interest or interests are wielded by the controller is not clarified (although later the controller made clear that such interests were fraud prevention and marketing).
The AEPD remarks that the information must be provided in a concise, transparent, understandable and easily-accessible manner. This is also related to the transparency requirement set forth by Article 5(1)(a) GDPR.
The AEPD also notes that it is not clear what consequences has the creation of commercial profiles of the clients, and whether this processing can be objected, in accordance to Article 21, and regardless whether it can be considered profiling in accordance to Article 22 GDPR. The DPA also mentions the fact that it is unclear what processing activities will be derived from consent, as the information provided is not specific or understandable to a regular person (e.g. the processing for providing personalized offers, based on the resulting of the aggregate of the indicated data).
In relation to information regarding Article 21, the DPA states that the controller should provide information about what particular processing activities may be subject to the right to object, in connection with the alleged legitimate interest. The mere statement of the existence of such right, referring to "a right to object to certain processing activities" is not enough.
The AEPD also remarks that, to guarantee the exercise of the rights, it is necessary for the data subject to be informed about what legal basis is used for each processing, so the data subject clearly knows for which processing activity has given consent, therefore being able to withdraw it, and for which processing activities a legitimate interest is used, so the data subject can object to such processing.
With basis on those grounds, the AEPD found a violation of Article 13 GDPR.
===== Sanction =====
===== Sanction =====
For assessing the quantity of the fine, the DPA took into account the following circumstances:
* The seriousness of the violations.
* The lasting in time of the violations and their nature: they result from a lack of adequate measures from the controller.
* The either intentionality, either negligence of the controller, who should have spotted the risks and problems.
* The fact that the infringements existed since 2018.
* The relation between the infringements and the controller's core business activity.
* The size of the company: being their revenue from 2018 €1,236,124,000.
* The amount of data processed and procession activities carried out: contracts with 37.197 natural persons were carried out in 2019.
* Previous infringements from the controller in different proceedings (PS/00101/2018, PS/00363/2018, PS/00109/2019), regarding Article 6(1) GDPR and consent requirements regulated previously to GDPR.
* The fact that the infringements related to Article 25 GDPR did not include the processing of sensitive data.
Based on all this, the AEPD decided to fine the controller (EDP Energía) €1,500,000:
* €500,000 for the violation of Article 25 GDPR.
* €1,000,000 for the violation of Article 13 GDPR.
This sanction was issued at the same time and in the same manner than the sanction against [[AEPD (Spain) - PS/00037/2020|EDP Marketer]], the other company from the EDP group.


== Comment ==
== Comment ==
''Share your comments here!''
In their allegations, the organizational structure of the group of the controllers is clarified. The existence of two companies comes from procedural and formal issues that arose when the group was bought. Currently, only EDP Marketer has employees and actual management and operative capacity, therefore being EDP employees the only ones accessing the data. In practice, all processing activities are carried out by EDP Marketer, either as a joint controller or as a processor of EDP Energy.
 
This structure was in principle going to be rearranged, but was paralyzed by the start of negotiations for the sale of the group.


== Further Resources ==
== Further Resources ==
Line 98: Line 154:


<pre>
<pre>
Page 1
1/136
 Procedure No.: PS / 00236/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: Various claims have been submitted to this Agency
against the entity EDP ENERGÍA, SAU in which the
processing of personal data without the consent of the interested party. Sayings
treatments are produced within the framework of the contracting of electricity services
supposedly carried out by a representative of the client, without said entity
can prove the existence of such representation and have given rise to various
actions of this Agency, among which it is worth mentioning the initiation of various
sanctioning procedures such as procedures PS / 00101/2018,
PS / 00363/2018 or PS / 00109/2019, which have concluded by declaring the existence of a
infringement of the provisions of the data protection regulations.
SECOND: In view of the antecedents mentioned in the previous number, the day
June 3, 2019, the Director of the Spanish Data Protection Agency urged
the General Subdirectorate of Data Inspection the initiation of previous actions of
investigation in order to prove, where appropriate, the existence of a regular conduct and
continued possible violation of data protection regulations by
EDP ​​ENERGÍA, SAU
THIRD: On June 13, 2019, a
claim against EDP ENERGÍA SAU for the processing of personal data without
consent of the interested party in contracting the supply of electricity.
Said claim made by Doña AAA refers to the hiring of
supply of electrical energy with the company EDP ENERGÍA, SAU carried out on 9
January 2019 in the name of the claimant without her consent. The claim
was admitted for processing by agreement of the Director of the Protection Agency
of data dated September 10, 2019.
FOURTH: On December 17, 2019, the General Subdirectorate of Inspection
formulates a request to EDP ENERGÍA, SAU to facilitate the following
information:
1. Specification of the contracting channels (telephony, internet, distributors
own or subcontracted, sales force with own home visits or
outsourced, etc.…) of the services marketed by EDP ENERGÍA, SAU to
Physical persons.
2. Description of the contracting procedure followed through each of the
previous channels when the contract is made by a third party in
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 2
2/136
representation of the natural person who owns the contract. In this regard, it is requested to provide,
in addition to all the information it deems appropriate for the purposes of documenting the
procedure, the following:
2.1. Copy of documents (model forms, contracts, arguments
telephone numbers, etc.) used to collect the personal data of the owner and the third party
that acts by representing it, indicating the channel or channels for which it is used
each.
2.2. Description of the procedures enabled through each of the channels
contract so that a third party can prove the representation of a holder to the
sign a contract with EDP ENERGÍA, SAU
2.3. Specification of the procedure followed by EDP ENERGÍA, SAU for
store the evidence that proves the capacity of representation of the third party in
the procedures in which this type of contracting is carried out, indicating the
channel or channels for which each is used.
2.4. Attach models and / or examples of type evidence collected under the
procedure followed in section 2.3.
3. Information on the number of contracts signed in 2018 and 2019 by third parties in
representation of the owners of the services (natural persons) with distinction of:
3.1. By virtue of what this representation is supported (power, degree of kinship, etc.)
3.2. Procedure or formula for accreditation of the representation followed.
3.3. Recruitment channel for telephony, internet, own distributors or subcontractors,
sales force with own or outsourced home visits, etc.…)
FIFTH : On January 13, 2020, the entry in the AEPD of the
answering brief from EDP ENERGÍA, SAU to the request for information
previous. In this document the following is stated:
“FIRST- Specification of the contracting channels (telephony, internet,
own distributors or subcontractors, sales force with own home visits or
outsourced, etc.…) of the services marketed by EDP ENERGÍA, SAU to
Physical persons.
EDP ​​has different channels to formalize the contracting, distinguishing the
following:
A. Telephone Channel, with partial or definitive closure of the contracting process
through a phone call. It includes the following subchannels:
- CAC Inbound: Call reception, from customers to EDP. In general they are
and EDP customers who are identified from the beginning of the call through a
security protocol, although customer calls can also be received
potentials.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 3
3/136
- Telemarketing: Issuance of calls, from EDP to already owned databases
customers for upselling or churn recovery. It is used for the realization of
the call the telephone number that appears in the client's file, and that has been
provided by said person previously.
- LEADS: Issuance or reception of calls, about users who have expressed a
interest in any platform or web page (raffles, promotions, comparators of
offers, blogs, advertising agencies, etc.) leaving your basic data to be
contacted or contacting themselves at the phone number shown.
These users usually do not yet have active contracts with EDP.
B. Web channel, closed by means of a digital form. The user accesses through
a website and start a hiring process totally online, without interaction with
agents.
C. Distributors, with face-to-face or digital closing of the contracting process,
including:
- EDP's own Commercial Offices. Usually already EDP clients who come
proactively to the office, although it can also be about potential clients.
- Third -party stores (eg *** STORE.1 ). In general, new clients who come to perform
their purchases and are interested in EDP's offer.
D. External Sales Forces, with in-person closing of the contracting process,
including:
- Stands at Fairs, Shopping Centers, etc. In general, new clients who come
to such events or places and are interested in EDP's offer.
- Home visits with prior request. Clients or potential clients who have
provided your data and consent to receive proposals from an EDP agent to
address.
SECOND.- Description of the contracting procedure followed through each
one of the above channels when the contracting is carried out by a third party in
representation of the natural person who owns the contract.
A. Telephone Channel:
Next, the procedures implemented in EDP in
those cases in which the contracting is carried out by a third party in
representation of a natural person by telephone:
A.1 - CAC INBOUND 1) When the user indicates that he wishes to make a contract
As a representative, you are asked about your relationship with the owner and if you have
authorization of said person. 2) Once the previous point has been confirmed, they are requested
identification data of the representative, and all the data of the owner necessary to
formalize the hiring. 3) Finally the Consent is read and recorded in audio
Representative express. 4) The holder of the contract, for informational purposes, is sent
in duplicate, with a stamped envelope, the contractual documentation in compliance
of the provisions of the consumer and user protection regulations.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 4
4/136
A.2 - TELEMARKETING 1) When the user indicates that he wishes to carry out a
hiring as a representative is asked about their relationship with the owner. 2) A
Once the previous point has been confirmed, identification data of the representative is requested, and
all the data of the owner necessary to formalize the contract. 3) Then
the Express Consent of the representative is read and recorded in audio. 4) Finally
durable support is sent to the phone / sms provided by the representative, and is expected
upon your confirmation. 5) The holder of the contract, for informational purposes, is sent by
duplicate, with a stamped envelope, the contractual documentation in compliance with the
provided in the consumer and user protection regulations.
A.3 - LEADS 1) When the user indicates that he wishes to make a contract as
representative is asked about his relationship with the owner. 2) Once the
previous point, identification data of the representative is requested, and all the data of the
holder necessary to formalize the contract. 3) It is then read and recorded in
audio the Express Consent of the representative. 4) Then support is sent
durable to the phone / sms provided by the representative, and awaits your confirmation.
5) The contract holder, for informational purposes, is sent in duplicate, with envelope
franked, the contractual documentation in compliance with the provisions of the
consumer and user protection regulations. 6) In this channel, by the mode of
contracting and the characteristics of the clients who use it, it is in progress,
as a pilot test, communication via SMS or e-mail to the represented (in cases of
not related to the representative to study its effectiveness and receptivity.)
B. Web: The option of contracting with a representative is not offered.
C. Distributors:
In the case of contracts made in EDP's own Commercial Offices (in
third-party stores there is no possibility of contracting in the name and on behalf of
a third) the procedure is as follows:
1) In those cases in which the user indicates that he wishes to make a contract
as a representative of a third party, you are asked about your relationship with the owner. 2) A
Once the information is obtained, the identification data of the representative is requested, and
all the data of the owner necessary to formalize the contract. Likewise,
requires a photocopy of the NIF, both the representative and the represented. 3)
The presentation of an authorization document is also required.
completed and signed by both interested parties (representative and owner).
D. External Sales Forces:
In the case of contracts made by external sales forces (fair stands,
shopping centers and home visits, provided there is prior request by
of the interested party), in the contract the identification data of the representative will be collected,
Also requesting the data of the owner necessary to formalize the contract.
In the contract, it is expressly specified that the representative declares to have
of sufficient powers to sign the contract on behalf of the client to whom it is
is responsible for informing of all the conditions thereof. It is required, on the other
part of a photocopy of the representative's NIF.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 5
5/136
Next, an audio verification of the hiring is recorded where you are
indicates on two occasions to the representative, the fact that he acts on behalf of the
holder of the supply and the relationship-kinship that binds them is confirmed.
Therefore, to prove the representation, the contracting stub is formalized
where the representative declares to have sufficient powers to sign the
contract on behalf of the client who is responsible for informing of all
conditions of this. Likewise, a copy of the representative's NIF is provided.
In this regard, it is requested to provide, in addition to all the information that it considers appropriate
For the purposes of documenting the procedure, the following:
2.1. Copy of documents (model forms, contracts, arguments
telephone numbers, etc.) used to collect the personal data of the owner and the third party
that acts by representing it, indicating the channel or channels for which it is used
each.
A. Telephone Channel:
A.1 - CAC INBOUND
The data collection is carried out in the system of each of the providers,
following the order that corresponds according to the type of client, contracted product
or campaign.
Documents:
1) Sales data template (Evidence 1)
2) Express Consent Sales representative CAC (Evidence 2)
Evidence 2 contains the following:
"[XXXXXX] we're going to record your agreement. Okay?
It is [hh: mm] on the day [dd] of [mm] of [20XX], and Mr./Ms. [Name and surname]
with DNI [DNI number], as [husband / wife / child / attorney / representative] and in re-
presentation of the holder [name and surname / company name] with ID / CIF [number
DNI / CIF] phone [phone] and email [email] has called and accepts the
EDP's offer for management [supply address] consisting of [con-
plan conditions -dto en la luz-] for [CUPS LUZ: ES…] on the EDP price
current electricity price [power price (€ / kW month) and energy term price
(€ / kWh)] and / or [plan conditions - gas discount] for [CUPS GAS: ES ...] and
current EDP gas price [price term availability (€ / month) and term price
energy (€ / kWh)]; and / or It works [annual price of the service, plan conditions
promotion works].
[If the collection date is not chosen] The chosen payment method is [direct debit
bank account in your current account / in the account ...] and will be charged on the date
indicated on the invoice.
[If the collection date is chosen] The payment method chosen is [direct debit bank
caria in your current account / in the account ...] and will be charged on a date
Specifically, the days [DD] of the month. In that case, the payment period may be shorter
greater than or greater than the 20 days established in the regulations ".
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 6
6/136
"On behalf of the client, and after passing a risk analysis of the transaction
ration, we will take the necessary steps to activate the access contracts,
moment from which the new contract will come into force, being resolved
previous.
The contract / s will have a duration of 1 year, extendable for the same period
Except for a complaint in advance of 15 days. Are you satisfied with the above
mation and conditions of the contract / s? [Yes / Ok].
In a few days you will receive the contract including a withdrawal document for
duplicate, of which you will only have to return us signed one of the copies in
The self-postage envelope does not need a stamp, which we will attach to it.
You have 14 calendar days to exercise your right of withdrawal. Not obs-
Therefore, if you request it, we can start the procedures now. Then,
If you subsequently withdraw from the contract, you must pay the corresponding amount
tooth to the borrowed supply period. Do you want your contract to be processed
you immediately? [OTHERWISE].
You will still receive an invoice from your current company for a probable period-
less than normal. From there, from the entry into force of the contract
You will receive the invoice from EDP with all our advantages.
Your personal data and that of your client will be processed by EDP Comer-
cializadora SAU and EDP Energía SAU to manage their contracts, prevent-
fraud prevention, profiling based on customer information and
EDP, as well as the realization of personalized communications about products
coughs or services directly related to their contracts, being able in any-
want to oppose them ".
"Additionally, so that EDP can advise you with the best
proposals:
Will you allow us to present energy-related offers to your client?
adapted to your profile after the end of the contract, or send you at any
information on non-energy products and services, from companies
Collaborators or EDP? [OTHERWISE]
Will you allow us to complete the commercial profile of your client with information
of third-party databases, in order to send you personal proposals-
and the possibility of contracting or not certain services? [OTHERWISE]
Your request has been registered with the code that I am going to indicate. If you wish,
you can make a note of [COD. CIG] ".
A.2 - TELEMARKETING
The data collection is carried out in the system of each of the providers,
following the order that corresponds according to the type of client, contracted product
or campaign.
Documents:
1) Sales data template (Evidence 1)
2) Express Consent Sales representative TLMK (Evidence 3)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 7
7/136
The text of evidence 3 is as follows:
"[Mr. Mrs. XXXXXX] to hire you, I need to record your agreement.
agreement?. [Yes].
Well, it is [hh: mm] on the [dd] day of [mm] of [20XX
[Mr / Mrs] [name and surname] with DNI [DNI number] as [husband / wife / child / attorney-in-fact
address / representative] and on behalf of the owner [name and surname / reason
social] with ID / CIF [ID / CIF number], phone [phone] and email [email]
accepts EDP's offer for the address [supply address] consisting of
in for [CUPS LUZ: ES ………… ..] on the current EDP price of electricity
[power price (€ / kW month) and energy term price (€ / kWh)] and / or [conditions
purposes of the plan - gas discount] for [CUPS GAS: ES ……………………….] and price
Gas EDP in force [price term availability (€ / month) and term price
energy (€ / kWh)]; and / or It works [annual price of the service, plan conditions
promotion works]. The chosen form of payment is [direct debit at
your current account / in the account ………] and will be charged [on the date indicated
on the invoice / on A SPECIFIC DATE, THE DAYS (DD) OF THE MONTH. ON
IN THIS CASE, THE PAYMENT PERIOD MAY BE LESSER OR HIGHER THAN
THE 20 DAYS ESTABLISHED IN THE REGULATIONS]. In the name of his repre-
sitting down, and after passing an analysis of the risk of the operation, we will make the
tions necessary to activate the access contracts, from the moment
which will enter into force the new contract, being resolved the previous one.
The contract / s will have a duration of 1 year, extendable for the same period
Except for a complaint in advance of 15 days.
Are you satisfied with the above information and conditions of the contract / s? "
[Yes / Ok]. "Thank you."
In a few days you will receive the contract (including withdrawal document) for
duplicate, of which you will only have to return us signed one of the copies in
The self-postage envelope does not need a stamp, which we will attach to it.
You have 14 calendar days to exercise your right of withdrawal in the
form that you consider appropriate. However, we can initiate the procedures during
within that period if you request it, in which case if you withdraw from the contract
must pay the amount proportional to the borrowed part of the supply. From-
Whether your hiring is processed immediately? [OTHERWISE]
You will still receive an invoice from your current company for a probable period-
less than normal. With the entry into force of the contract you will receive the invoice
from EDP with all our advantages.
Your personal data and that of your client will be processed by EDP Comer-
cializadora SAU and EDP Energía SAU to manage their contracts, prevent-
fraud prevention, profiling based on customer information and
EDP, as well as the realization of personalized communications about products
coughs or services directly related to their contracts, being able in any-
want time to oppose them.
Additionally, so that from EDP we can advise you with the best
proposals:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 8
8/136
Will you allow us to present energy-related offers to your client?
after the end of the contract, or send you at any time information on
products and services of the financial, insurance and automotive sectors,
Collaborating Companies or EDP?
[OTHERWISE]
Will you allow us to complete the commercial profile of your client with information
of third-party databases, in order to send you personal proposals-
and the possibility of contracting or not certain services?
[OTHERWISE]
We remind you that you can exercise your rights to
access, rectification, opposition, deletion, limitation and portability, through
any of the routes indicated in the General Conditions that may
check on our website *** URL.1.
[Only in case of gas contracting] ”For your safety we remind you of the obligation
legal obligation to collaborate with your Distribution Company by facilitating access to
your instalations."
In order to process your request we need you to confirm the acceptance of this
offer that has the Code, please take note: “CIG CODE”.
A.3 - LEADS
The data collection is carried out in the system of each of the providers,
following the order that corresponds according to the type of client, contracted product
or campaign.
Documents:
1) Sales data template (Evidence 1)
2) Express Consent Sales Representative LEADS (Evidence 4)
The content of evidence 4 is as follows:
"[Mr. Mrs. XXXXXX] to hire you, I need to record your agreement.
agreement?. [Yes].
Well, it is [hh: mm] on the day [dd] of [mm] of [20XX] and [Mr / Mrs] [name
and surnames] with DNI [DNI number] has requested the call from EDP and as
[husband / wife / child / attorney-in-fact / representative] and on behalf of the owner
[name and surname / company name] with DNI / CIF [DNI / CIF number], telephone [telephone]
and email [email] accepts EDP's offer for the address [address
of supply] consisting of [plan conditions -dto in the light for [CUPS
LIGHT: ES ………… ..] on the current EDP price of electricity [price of
power (€ / kW month) and energy term price (€ / kWh)] and / or [conditions of the
gas discount plan] for [CUPS GAS: ES ……………………….] and EDP price
gas current [price term availability (€ / month) and term energy price
(€ / kWh)]; and / or It works [annual price of the service, plan conditions
promotion works]. The chosen form of payment is [direct debit at
your current account / in the account ………] and will be charged [on the date indicated
on the invoice / on a specific date, the days (dd) of the month. in that case the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 9
9/136
payment period may be less or more than the 20 days established in the
normative]. On behalf of your client, and after passing a risk analysis
of the operation, we will take the necessary steps to activate the contracts of
access, moment from which the new contract will come into force, leaving
solved the above.
The contract / s will have a duration of 1 year, extendable for the same period
Except for a complaint in advance of 15 days.
Are you satisfied with the above information and conditions of the contract / s? "
[Yes / Ok]. "Thank you."
In a few days you will receive the contract (including withdrawal document) for
duplicate, of which you will only have to return us signed one of the copies in
The self-postage envelope does not need a stamp, which we will attach to it.
You have 14 calendar days to exercise your right of withdrawal in the
form that you consider appropriate. However, we can start the procedures
during that period if you request it, in which case if you desist from the
contract must pay the amount proportional to the borrowed part of the
supply. Do you want your hiring to be processed immediately? [OTHERWISE]
You will still receive an invoice from your current company for a period
probably lower than normal. With the entry into force of the contract you will receive
the EDP invoice with all our advantages.
Your personal data and that of your client will be processed by EDP
Comercializadora SAU and EDP Energía SAU to manage their contracts,
fraud prevention, profiling based on customer information
and EDP, as well as the realization of personalized communications about
products or services directly related to their contracts, being able
at any time oppose them.
Additionally, so that from EDP we can advise you with the best
proposals:
May we present you with energy-related offers tailored to your
profile after the end of the contract, or send you at any time
information of non-energy products and services, of companies
Collaborators or EDP?
[OTHERWISE]
Will you allow us to complete the commercial profile of your client with information
of third-party databases, in order to send you proposals
personalized services and the possibility of contracting or not certain services?
[OTHERWISE]
We remind you that you can exercise your rights to
access, rectification, opposition, deletion, limitation and portability, through
any of the routes indicated in the General Conditions that may
check on our website *** URL.1.
B. Web: The option of contracting with a representative is not offered.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 10
10/136
C. Distributors:
In the case of EDP's own commercial offices, data collection is carried out
in the system of each of the suppliers, following the corresponding order
according to the type of client, contracted product or campaign.
Documents provided:
1) Sales data template (Evidence 1)
2) Representative management authorization template (Evidence 5)
Regarding the content of the evidence 5, the document contains three
Differentiated boxes. The first one indicates that "the HOLDER (D. ,,,, DNI or CIF) in
proper name or representation of the company. " The second box indicates that
“AUTHORIZES (D. ,,,, DNI ... or CIF) to carry out the management of (indicates 4 possibilities:
registration / cancellation, change of ownership, change of direct debit, and / or other procedures)
the box next to each of them must be marked. In the third box,
collect "SIGNATURE" and leave the spaces corresponding to the place, date (day, month and
year) and space for the signature of the authorizing and authorized.
Next, the following legend is highlighted with a red background:
"NOTE: TO BE VALID, THIS AUTHORIZATION MUST BE PRESENTED
ACCOMPANIED BY PHOTOCOPY OF THE HOLDER'S AND THE AUTHORIZED'S ID.
WHEN IT IS AN AUTHORIZATION GRANTED BY A REPRESENTATIVE
DEL TIPO SA, SL, AIE, UTE, CB, COMMUNITY OF OWNERS,
FOUNDATIONS, SCHOOLS, ..., IN ADDITION, A PHOTOCOPY OF THE
TIMELY POWER OF ATTORNEY ”.
The following text follows;
"Interested parties are informed that the personal data provided in
This form will be treated as the data controller by EDP ENERGÍA,
SAU and EDP COMERCIALIZADORA, SAU so that they can be used
for the processing of authorized management.
The personal data that you provide us will be used, in the manner and with the
limitations and rights recognized by the General Data Protection Regulation
(EU) 2016/679.
The interested parties whose data are subject to treatment may exercise their rights
of access, rectification, deletion, portability, limitation and opposition to treatment
of these data, proving your identity, by email addressed to
cclopd@edpenergia.es or by writing to the person responsible for the treatment at the
Address Plaza del Fresno, 2 - 33007 Oviedo (Asturias). Likewise, you can put
in contact with the EDP Data Protection Officer, at the same address
postal or email dpd.es@edpenergia.es, if you understand
violated any of your rights related to data protection, or in your
case, file a claim with the Spanish Agency for Data Protection "
D. External Sales Forces:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 11
11/136
In the case of external sales forces (fair stands, shopping centers and
home visits, provided there is a prior request by the interested party), the
Data collection is done on a paper stub. This data is digitized in
Channel Management Tool (HGC).
For verification, data collection is carried out in the system of the supplier of
check.
Documents:
1) Sales receipt (Evidence 6)
2) Sales data template (Evidence 1)
3) Verification script (Evidence 7)
With regard to evidence 6, which the defendant calls the
sales, the document, under the title "contract for the supply of energy and / or services",
It contains on its first page three boxes.
In the first one there are spaces to fill in the data related to the point of
supply (address, electricity cup, gas cup) and separately check boxes
the contracting of a light + gas contract or one of the two services individually. I know
They also contain spaces to fill in the data of the contract holder
(name, surname, telephone and email) and representative data (name,
NIF and address and several boxes are included to mark that the representative is in
status of spouse / registered partner, ascendant / descendant or attorney-in-fact) below
of such boxes, a text indicates that “it declares that it has sufficient powers to
sign this contract on behalf of the client who is responsible for
inform of all the conditions of the same. "
Below this box is the following legend; "The client hires, for the
supply indicated, the gas supply with EDP Comercializadora, SAU and the
supply of electricity and / or complementary services with EDP Energía, SAU,
(hereinafter jointly and / or individually, as appropriate, referred to as “EDP”) with
in accordance with the Specific Conditions set out below and the
General Conditions in annex.
The client requests that the provision of the supply / supplies and / or services be
start during the withdrawal period contemplated in the general conditions. "
In the second box entitled specific conditions of the contract and in which
Separately depending on whether it is gas or light, certain information is contained on
rates and in which there are spaces to be completed and boxes to mark
relating to the services that are contracted, it appears both in the gas part and in the
light a box that must be marked to indicate that the owner is changing. I also know
includes a space to fill in the data related to the current account for
direct debit charges (this space is common to all contracted services)
Below this box is the following text: “EDP reserves the right to
waive this contract if the actual supply data does not comply with the
declared by the client at the time of hiring. " Below is a box for
mark that "The client expressly declares to know and accept the above
Specific conditions." And another to mark that “The client declares to have been
informed and received the annex with the General Conditions, which he accepts. " It adds
then that “The client, if he / she had the status of consumer, has the RIGHT
TO DESIST this contract if it had been formalized remotely or outside the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 12
12/136
establishments of the marketer as indicated in the general conditions
and acknowledges that the corresponding withdrawal document has been delivered to the
effect." Below is a box to mark that “The client declares to have
received the withdrawal document and have been informed of it. "
In the third box, under the heading CLIENT / REPRESENTATIVE after noting that the
information related to data protection can be read on the back, allows you to mark
the following consents:
 I consent to the processing of my personal data once the relationship has ended
contractual, to carry out commercial communications adapted to my profile
of products and services related to the supply and consumption of energy. In addition,
I consent to the aforementioned treatments during the term and after the end of the
contract, on non-energy products and services, both of the Group companies
EDP ​​and third parties.
 I consent to the processing of my personal data for the elaboration of my profile
with information from third party databases, for the
adoption, by EDP, of automated decisions in order to send
personalized commercial proposals, as well as to allow, or not, the contracting
of certain services.
On the back of the first page there is a section entitled “Basic information
on Data Protection ”: which contains the following:
" Personal data will be processed by EDP COMERCIALIZADORA,
SAU and EDP ENERGÍA, SAU (hereinafter, jointly, EDP) as
Responsible for the Treatment, for the maintenance, development, compliance and management
tion of the contractual relationship, fraud prevention, profiling based on
in information provided by the Client and / or derived from the provision of the service by
part of EDP, as well as sending commercial communications, related to products and
services related to the supply and consumption of energy, maintenance of ins-
facilities and equipment, and that can be customized based on your profile of
Client, as reported in the General Conditions, being able to oppose in any-
any time to send commercial communications. Additionally, the Client
gives your explicit consent for the processing of personal data collected
on the obverse. Without prejudice to the consents given, the client may exercise,
at all times, your rights of access, rectification, opposition, deletion, limitation
tion and portability, through any of the channels indicated in the Conditions
General. "
In the part of general conditions the following information regarding
personal data protection:
“ LOPD Purposes of the processing of personal data. According to
provided in current regulations, the client is informed that all data
provided in this contract are necessary for the purposes of its formalization.
Said data, in addition to those obtained as a result of the execution of the
contract, will be processed by EDP COMERCIALIZADORA, SAU, domiciled at
c / General Concha, 20, 48001, Bilbao and by EDP ENERGÍA, SAU with address at
Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 13
13/136
in order to manage, maintain, develop, complete and control the
contracting supply of electricity and / or gas and / or complementary services of and / or
gas and / or complementary services of revision and / or technical assistance and / or program of
points, and / or improvement of the service, to carry out actions to prevent
fraud, as well as profiling, personalized commercial communications
based on information provided by the Client and / or derived from the provision of the
service by EDP and related to products and services related to the
supply and consumption of energy, maintenance of facilities and equipment.
These treatments will be carried out in strict compliance with the legislation
current and insofar as they are necessary for the execution of the contract and / or the
satisfaction of EDP's legitimate interests, provided that the latter are not
other rights of the client prevail.
Provided that the client has explicitly accepted it, their personal data will be
treated, even once the contractual relationship has ended and provided that there is no
Produces opposition to said treatment, to:
(I) The promotion of financial services, payment protection services, automotive
or related and electronic, own or third parties, offered by EDP and / or participation in
promotional contests, as well as for the presentation of commercial proposals
linked to the energy sector after the end of the contract, (II) The preparation of
Commercial profiles of the Client by aggregating the databases of
third parties, in order to offer the Client personalized products and services,
thus improving the customer experience, (III) Decision-making
automated, such as allowing the contracting, or not, of certain products
and / or services based on the Client's profile and particularly, on data such as, the
history of defaults, the history of hires, permanence, locations, data
consumption, types of devices connected to the energy network, and similar data
that allow to know in greater detail the risks associated with the contracting. (IV)
Based on the results obtained from the aggregation of the indicated data,
EDP ​​may make personalized offers, specifically aimed at achieving the
contracting of certain products and / or services from EDP or from third parties
depending on whether the client has consented to it or not, being in any case treated
data whose age will not exceed one year. In the event that said process was carried out
carried out in an automated way, the client will always have the right to obtain intervention
human rights by EDP, admitting the challenge and, where appropriate, assessment of the
resulting decision.
Categories of data processed
By virtue of the contractual relationship, EDP may process the following types of data
personal: (I) Identifying data (name, surname, ID, postal address, address
email, supply point, etc . ), (II) Identification codes or keys
User and / or Client, (III) Personal characteristics data (date of birth,
sex, nationality, etc.), (IV) Data of social circumstances (hobbies, style of
life, marital status, etc.), (V) Data on energy consumption and derived lifestyle habits
of these , (VI) Economic, financial, solvency and / or insurance data.
Personal data will be kept for the duration of the contractual relationship
and at most, during the statute of limitations for legal actions
corresponding, unless the Client authorizes its treatment for a longer period,
applying organizational and security measures from the beginning of the treatment
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 14
14/136
to ensure the integrity, confidentiality, availability and resilience of data
personal
Communications and recipients of personal data.
All personal data derived from the provision of the service and those obtained in
By virtue of this contract, they may be communicated to the following entities:
i)
The corresponding distribution company, producing with it an in-
permanent exchange of information for the adequate provision of the service,
among them the request for access to your network, the readings (which in the case of
remote-managed controller will be hourly) and / or consumption estimation, quality control
supply, request for supply cuts, modifications in the pos-
tencia, etc.
ii)
The Organizations and Public Administrations that by Law correspond.
iii)
Banks and financial entities for the collection of services rendered.
iv)
Other companies of the business group, solely for administrative purposes
internal and the management of the products and services contracted.
v)
National equity solvency and credit services (Asnef-Equifax,
...) to which in case of non-payment, without just cause by the Client,
You will be able to communicate the debt, as well as fraud prevention services,
with the sole purpose of identifying erroneous or fraudulent information provided during-
you the hiring process.
saw)
EDP ​​suppliers necessary for the adequate fulfillment of the obligations
contractual arrangements, including those that may be located outside the State
European Economic space, in which case it is duly adequate
international data transfer.
Rights of the data owner
The client will have the possibility of exercising freely at all times
and completely free the following rights:
i)
Access your personal data that is processed by
EDP.
ii)
Rectify your personal data that is processed by
EDP ​​that are inaccurate or incomplete.
iii)
Delete your personal data that is processed by EDP
iv)
Limit EDP's treatment of all or part of its
personal information.
v)
Oppose certain treatment and decision-making
automated data processing, requiring human intervention
mana in the process, as well as to challenge the decisions that are final-
adopted by virtue of the processing of your data.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 15
15/136
saw)
Port your personal data in an interoperable format and auto-
enough.
vii)
Withdraw at any time, the consents granted
previously.
In accordance with current regulations, the user can exercise their
rights by requesting it in writing, and together with a copy of a certified document
accrediting identity, at the following post-
such: Plaza del Fresno, 2, 33007 Oviedo or by email
*** EMAIL . 1 .
Likewise, you can contact the protection delegate
of EDP data at the following postal address Plaza del Fresno, 2,
33007 Oviedo or in the email *** EMAIL.1 , in the event that
understands that any of their rights related to the protection of
data, or, where appropriate, file a claim with the Agency
Spanish Data Protection, at the address Calle de Jorge Juan,
6, 28001. Madrid "
Evidence 7 refers to a sales process with express online verification.
SCRIPT VERIFIER-AGENT
Part 1 (Agent call to number *** PHONE.1 or *** PHONE.2 )
VERIF - EDP ​​Verifications, good morning. Can you tell me your phone number to
perform verification?
AGE - Good morning, my phone is XXXXX.
VERIF-I proceed to issue the outgoing call.
Part 2 (Outgoing call from the verifier to the agent's phone)
VERIF: Good morning, can you tell me ID ?. XXXXX Can you tell me your name and surname and
collaborating company? If the tool returns the collaborator's data (and the
itself is active) we will check if they match, if so we continue, in
If they do not match, we will ask you again for the data / s that do not match for
reconfirm the discrepancy, if you continue we will indicate: «We cannot carry out the
verification, the data you provide us is inconsistent »). In case the
tool does not return anything to us, we will ask you again for your ID and if you continue
Without appearing we indicate: «We cannot carry out the verification, your company has not
accredited ».
VERIF- Can you tell me the name, surname and ID of the signer? XXXXX How many
contracts have you signed? XXXX (maximum 6 contracts per call) made at the Stand
of EDP in CC XX / in the store of the collaborator XX
VERIF-Is the signer the owner of the contracts? In case of being the owner, request
contact telephone number and province. If you sign as a representative, request a name,
Surname and DNI of / the holders (maximum 3) and contact telephone number and main province
of each holder.
VERIF-Can you tell me the phone number of the signer to carry out the verification?
XXXXX
VERIF-I proceed to issue the call to start the verification.
Part 3 (Outgoing call from verifier to verification phone)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 16
16/136
VERIFY CUSTOMER- Good morning, I am XXXX from the company *** COMPANY.1
collaborator of EDP. For security reasons I inform you that this call is
being recorded, do you confirm that it is SIGNING NAME with DNI XXXX and that
has just signed XX contracts at the collaborator's EDP stand / store (in case of
sign as representative indicate “in representation of name-surname HOLDER
DNI) Yes / No . What relationship-kinship do you have with the owner? (this question I don't know
performed when the owner is a company).
- Tenant, I have the rented house. Request that it happen to the agent and
tell you that a tenant cannot sign as a representative. KO verification.
-Family or attorney-in-fact: continue verification.
Perfect, please pass me on to the agent to take some information and carry out the
verification, thank you.
2.2. Description of the procedures enabled through each of the channels
contract so that a third party can prove the representation of a holder to the
sign a contract with EDP ENERGÍA, SAU
A. Telephone Channel:
A.1 - CAC INBOUND
Recording of the legal text where the representative confirms the data provided from the
represented.
A.2 - TELEMARKETING
Recording of the legal text where the representative confirms the data provided from the
represented and durable support via sms / email where the representative confirms
new said data.
A.3 - LEADS
Recording of the legal text where the representative confirms the data provided from the
represented and durable support via sms / email where the representative confirms
new said data.
Additionally, in the pilot test of this channel, another
sms / email informing of the representative's action.
B. Web: The option of contracting with a representative is not offered.
C. Distributors:
In the case of EDP's own commercial offices, it is requested to fill out and
signed by both interested parties (representative and owner) a document of
express authorization in which the data of both persons and copies of their
NIF.
D. External Sales Forces:
In the case of external sales forces (fair stands, shopping centers and
home visits, provided there is a prior request by the interested party), the
compilation, the hiring stub is kept where the representative declares
have sufficient powers to sign the contract on behalf of the client to
who is responsible for informing of all the conditions of this.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 17
17/136
Likewise, the verification recording is available and kept where they are confirmed
with the representative the data of the represented, as well as the relationship / kinship that
unites them.
2.3. Specification of the procedure followed by EDP ENERGÍA, SAU for
store the evidence that proves the capacity of representation of the third party in
the procedures in which this type of contracting is carried out, indicating the
channel or channels for which each is used.
A. Telephone Channel:
A.1 - CAC INBOUND
The recording is stored linked to the commercial management system of
Contacts where the request is registered.
A.2 - TELEMARKETING
The recording and durable media are stored in the recording system.
Channel commercial management.
A.3 - LEADS
The recording and durable media are stored in the recording system.
Channel commercial management.
B. Web: The option of contracting with a representative is not offered.
C. Distributors
In the case of EDP's own Commercial Offices, the authorization document
It is stored linked to the Contacts commercial management system
where the request is registered.
D. External Sales Forces:
The recruitment stub and the recording of the verification call are located
stored digitally in the Canales commercial management system.
For its part, the paper copy is sent to the supplier commissioned by EDP of the
custody of said documents.
2.4. Attach models and / or examples of type evidence collected under the
procedure followed in section 2.3.
A. Telephone Channel:
A.1 - CAC INBOUND
An example is provided with the recordings (Evidence 8) It is an audio with the
recording of a service contract in a specific case carried out through
representation. Its content is the same as in evidence 2.
A.2 - TELEMARKETING
Examples of recordings and durable supports are provided (Evidence 9 and 10,
respectively) Evidence 9 consists of an audio with the recording of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 18
18/136
contracting services with a client representative. Play the content
of evidence 3. Evidence 10 is a document with the following text:
"Confirmation of acceptance of communication by sms:
On 2019-04-26 15:50:06 an SMS was sent from the phone number
+ *** PHONE. 3 with the text:
EDP ​​Offer : *** OFFER. 1 Please respond with a YES to this SMS to
accept and
activate discounts. Thanks. Details:
http://edpconfirma.es/OOUSEAVSXK
to the recipient's phone number *** PHONE . 4. Said message was
responded with notification ID OOUSEAVSXK, on ​​2019-04-26
15:50:46 and with the text: If which we accept as valid for processing
of the product offered in the document shown below. I know
Indicate below personal data of the contractor and of the offer and the
following information: Your personal data will be processed by EDP
Comercializadora SAU and EDP Energía SAU to manage their contracts,
fraud prevention, profiling based on customer information
and EDP, as well as the realization of personalized communications about
products or services directly related to their contracts, being able
at any time oppose them.
We remind you that you can exercise your rights to
access, rectification, opposition, deletion, limitation and portability, through
any of the routes indicated in the General Conditions that can
check our website *** URL.1 . "
A.3 - LEADS
Examples are provided with recordings and durable media (Evidence 11, 12,
and 13, respectively)
B. Web: The option of contracting with a representative is not offered.
C. Distributors:
Regarding our own Commercial Offices, a model document is attached.
authorization completed by the representative in favor of the represented
(Evidence 14).
D. External Sales Forces:
With regard to the evidence generated by external sales forces, is attached
hiring stub model where the representation is collected (Evidence 15),
as well as the recording in which it is confirmed, as well as the relationship-kinship
that links them (Evidence 16).
THIRD. - Information on the number of contracts signed in 2018 and 2019 by
third parties on behalf of the owners of the services (natural persons) with
distinction of: 3.1. By virtue of what this representation is supported (power, degree of
kinship, etc.) 3.2. Procedure or formula for accreditation of representation
Following. 3.3. Recruitment channel for telephony, internet, own distributors or
subcontractors, sales force with own or subcontracted home visits, etc. ...)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 19
19/136
In relation to the request for information regarding the number of contracts signed in
the years 2018 and 2019 by third parties on behalf of individuals, it is put into
knowledge of the AEPD the following information related to each of the channels:
A. Telephone Channel:
A.1 - CAC INBOUND
Year Channel Representation
No. Contracts
2018 CAC Relationship
1,536
2018 CAC Unrelated
436
2019 CAC
Relationship
1,351
2019 CAC Unrelated
295
A.2 - TELEMARKETING
Channel Year
Representation
No. Contracts
2018 TELEMARKETING
Relationship
2,708
2018 TELEMARKETING
No kinship
114
2019 TELEMARKETING
Relationship
1,910
2019 TELEMARKETING
No kinship
83
A.3 - LEADS
Channel Year
Representation
No. Contracts
2018 LEADS
Relationship
17,040
2018 LEADS
No kinship
2,719
2019 LEADS
Relationship
17,808
2019 LEADS
No kinship
3,496
B. Web: Hiring with a representative is not contemplated.
C. Distributors (own commercial offices):
Year Channel Representation
No. Contracts
2018 OOCC Relationship
261
2018 OOCC Unrelated
64
2019 OOCC Relationship
244
2019 OOCC Unrelated
52
D. External Sales Forces: (trade fair stands, shopping centers - home visit)
Year Channel Representation
No. Contracts
2018 FVE
Relationship
43,008
2018 FVE
No kinship
523
2019 FVE
Relationship
11,945
2019 FVE
No kinship
13
SIXTH : In writing dated May 29, 2020, sent on June 1, 2020,
formulates a new information request to EPD ENERGÍA, SAU requesting the
which is related below:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 20
20/136
1. Copy of the content included in the Register of Treatment Activities (article
30 of the RGPD) regarding personal data processing activities
carried out in the context of contracting services with EDP ENERGÍA, SAU
2. Copy of the content included in the Risk Analysis or Assessment carried out by the
entity in compliance with article 32 of the RGPD regarding the processing of
personal data made in the context of contracting services with EDP
ENERGÍA, SAU
3. Enter the information previously provided by the entity to the AEPD, registered
with the number 001390/2020, it is specified on a recurring basis (see evidence 2, 3, 4,
6, 10, 12, 14, 15) that personal data will be processed for all
purposes described, in addition to EDP ENERGÍA, SAU, by another legal entity
(EDP COMERCIALIZADORA, SAU). The following information is requested in this regard:
3.1. Reason that justifies that both entities process the personal data collected.
3.2. Detail of the circumstances that condition, if any, that the treatments
made on specific personal data are executed by one or the other
entity.
3.3. Detail, where appropriate, the procedures and mechanisms used to
guarantee the separation of personal data processed by one and another entity of
so that each one only has the possibility of treating what corresponds to it according to
of the legitimate purpose pursued at all times.
SEVENTH: On June 17, 2020, this Agency has a written entry of
EDP ​​ENERGÍA, SAU in which the following is stated regarding the last
question raised in the request of this Agency referred to in point
previous:
"THIRD.- Enter the information previously provided by the entity to the AEPD,
registered with the number 001387/2020, it is specified on a recurring basis (see
evidences 2, 3, 4, 6, 10, 12, 14, 15) that personal data will be processed for the
set of purposes described, in addition to EDP ENERGÍA, SAU, on the other
legal person (EDP ENERGÍA, SAU). In this regard, the following is requested
information:
3.1. Reason that justifies that both entities process the personal data collected.
3.2. Detail of the circumstances that condition, if any, that the treatments
made on specific personal data are executed by one or the other
entity.
As these two questions are directly related to each other, the answer is given
joint to them. In relation to the evidence provided and that
correspond to supports that are used to carry out the contracting through
of the different channels, reference is made to both EDP ENERGÍA and EDP
ENERGÍA SAU (EDP ENERGÍA), because the company with which they are contracted
The services will be one or the other depending on the product and / or service requested, being
highly probable that the same client when requesting the contracting of the supply
electric and gas, you are contracting with both companies at the same time.
For this reason, the “dual” contract has been drawn up and structured in such a way that a
client can obtain discounts or additional advantages for the fact of contracting
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 21
21/136
both energies with two companies of the same business group, and in order to
keep the discounts updated in each of the energies and information
derived, it is necessary for both societies to know whether the energy initially
contracted with the other Group company remains active in order to maintain and
correctly manage the discounts / benefits applied.
For this reason, and in order to provide the maximum possible transparency to a process
carried out eminently in writing, such as the contracting of services
energy, is why in the clause on data protection it is reported that
the personal data provided during the hiring process will be processed by
both entities, always respecting the functions of each one in accordance with the
contract signed in each case and particularly the type of energy services that
are finally hired.
On the other hand, and regardless of the above, we inform you of this
Agency that the existence of two companies within the Group with the role of entities
trading companies is due to a purely formal issue, a consequence of the
corporate structure and shareholding composition of the companies acquired by the
EDP ​​Group at the time of its establishment in Spain, but not
corresponds to the operational functioning of said marketers, since
only one of them, EDP ENERGÍA, currently has employees and capacity
management and operational. Thus, in practice, all treatments are
carried out by said entity, either as data controller or as
responsible for the treatment of EDP ENERGÍA. Additionally, indicate that the Group
EDP ​​had planned the corporate reorganization of EDP ENERGÍA and EDP ENERGÍA and
the adaptation of its corporate structure with that of its actual operation and its
business operations. This reorganization has currently been affected by
a TOTAL sale process in which both companies are immersed, and that
materialize, could alter or terminate said integration.
3.3. Detail, where appropriate, the procedures and mechanisms used to
guarantee the separation of personal data processed by one and another entity of
so that each one only has the possibility of treating what corresponds to it according to
of the legitimate purpose pursued at all times.
As already stated, all users with access to the system are employees of
EDP ​​ENERGY.
In this way, EDP agents access the personal data of the clients of
said entity as data controllers or, they have access to the
personal data of EDP ENERGÍA clients, as Manager of the
Treatment, in compliance with the provision of customer management services of
EDP ​​ENERGÍA entrusted to it by EDP ENERGÍA, being managed in
quality of the two different roles they occupy under contract regulation
that we make available to this Agency. " (SIC)
Along with this response, an extract from the Registry of Treatment Activities is provided.
which includes the records relating to the activities carried out in the field of
contracting of products and / or services and the risk analysis carried out regarding the
treatments that are carried out in the context of contracting products and / or
services.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 22
22/136
The risk analysis is contained in an Excel document, it does not contain a date or
firm. 15 risk factors are listed; 1. Commercially sensitive information, 2.
Commercial Communications, 3. Data Origin (external or internal source), 4. Assignments
of data. 5, Treatment Managers. 6. International transfers. 7. Activities
scoring / profiling. 8. Automated decisions. 9. Systematic monitoring of
Headlines. 10. Special categories of data. 11. Large-scale data processing.
12. Data interconnections / Big Data. 13. Minor Data / Vulnerable Holders. 14.
Application or use of innovative technologies 15. Unavoidable Treatment / Restriction
exercise rights or access service. Regarding the potential risk assessment
inherent, the risk scale has 4 levels: low, with a rating from 0 to 12;
average score from 13 to 25; high from 26 to 38 and very high from 39 to 51. The assessment or
The weight given to each of the risk factors is from 1 to 4. In the analysis of
risks, a yes or no is marked for each of the sales channels in each of the
15 risk factors listed above. The sum of the weight attributed to each of
the factors for each channel determine the inherent risk. The result of risk
inherent is medium in all contracting channels, except in web channels and
external forces through home visits in which the risk outcome
inherent is low. Risk correction measures are not indicated.
EIGHTH: On July 16, 2020 you have entry into this Agency, within the framework
of the investigation file E / 5549/2019, written by EDP COMERCIALIZADORA,
SAU stating that “In the framework of the above-referenced procedure, it was required
to EDP by the AEPD to clarify, among other points, certain
information regarding the contracting procedures implemented in EDP
carried out with the intervention of a third party authorized by the owner, as well as attending the
suggestion made in previous procedures communicated by the AEPD in
which suggested making modifications in the way in which this
type of hiring.
2. That, for all of the above, EDP has reviewed the procedure to be followed in the
contracting by third parties on behalf of the owner, in order to strengthen said
procedure and reduce the risks of possible identity theft carried out
in bad faith by the contracting party in this type of process, taking into account,
additionally, the particular needs identified as a result of the state of
alarm decreed last March and that has necessarily required that
all contracts are carried out in a non-face-to-face way.
3. That in order to inform the AEPD of the specific actions that are
are being carried out in relation to this matter by EDP, in compliance
of their duty of proactive compliance (accountability), we attach the
"Contracting procedure by third parties on behalf of the owner", so that they have
visibility on the modifications that are being implemented in these processes
in order to meet your request in this regard, as well as to highlight the
EDP's proactivity regarding its suggestion of adaptation of said
process."
The following aspects are detailed in three sections below: purpose,
contracting procedure with third parties and data and interests of those affected.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 23
23/136
In the first section, called the purpose after exposing the situation, it states the
following proposal: “A contracting procedure that, through correct use
and technology insurance, facilitate the contracting of EDP services by
clients through a third party acting under a mandate under the terms of Title IX
of the Fourth Book of the Civil Code, protecting in any case the rights of the client and
agent about your personal data, which will only be treated in accordance with
an adequate basis of legitimacy and in compliance with the principles of the RGPD,
ensuring that they are informed about the treatment and that they can exercise their
rights at all times, as well as to act in case of identifying any action
irregular."
In the second section relating to the contracting procedure with third parties,
distinguishes the procedure followed with a representative with written authorization from the
followed by agent with verbal authorization. In the first case, the
next steps: the agent is informed, the data and authorization are collected and the
contracts on behalf of the client. In the case of the agent with verbal authorization, the
The steps to follow are as follows: EDP proceeds to the information at the
agent and data collection, to be hired by the agent in the name and
representation of the client, sending the client information on the contracting and
possibility of the client to disavow the contract.
Regarding the information to the agent and the collection of the data, it consists of,
as set forth, in the following:
- Services are offered and explained
- It is informed about the need to collect certain data for contracting, as well
as well as the use that will be made of them and the place where more
information about it.
- The data of the agent and the client are requested
- The agent provides EDP with his own data and those of the client and confirms that it is
empowered to negotiate and sign the contract on behalf of the client
- The contract includes all the information required by the applicable regulations and in
relationship with the processing of personal data derived from the hiring.
Regarding the hiring by the agent on behalf of the client
differentiates the hiring in own commercial offices and outside the establishment
mercantile, in which the information is collected in the contract and delivered in support
durable or digital to the agent and remote contracting (by phone)
distinguishing between incoming calls to EDP's CAC, in which the
conversation or outgoing calls (telemarketing, outgoing calls
EDP ​​providers) in which the conversation is recorded, and the contract is sent in
durable support to the president (It is clarified that the conversations are recorded after
have previously informed the user that the conversation is going to be recorded.
The following is noted regarding the step related to sending information to the client
about hiring.
-Once the contract is formalized by the agent, when there is no
written authorization, is sent to the client, by email or SMS, depending on the
communication channel available in each case, a communication in which
It includes: o Confirmation of the contract made through your agent,
including the agent's data or URL link to access the contract signed by
the agent on his behalf (with guarantees of content integrity and accreditation
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 24
24/136
of the exact date of realization) where you can exercise your right to disallow
hiring in a simple and intuitive way (with a single click) View, print, or
download the contract and withdrawal document
The contract collects all the information about the treatment of the client's data by
part of EDP, in addition to the details of the contracted services.
Clarifies that the contracting procedure based on double authentication factor
It has been designed taking into consideration the procedure approved by the
National Markets and Competition Commission for carrying out portability and
hiring in the telecommunications sector, a sector very similar in
that the contracting procedure refers to.
The communication is made through a trusted third party that accredits the shipment
of the SMS / mail as follows:
-SMS message:
EDP ​​XXXXXXXX. NAME REP SURNAME REP has contracted energy / services in
your name. Before 14 days you can disallow it. Details: *** URL.2
-E-MAIL Message:
SUBJECT: Hiring of NAME TIT SURNAME TIT with EDP
Hello, we inform you that NAME REP SURNAME REP has made on your behalf
the XXXXXXXX contracting related to your energy supply / services. Have
14 days to disallow said management.
See details at: *** URL.2
The step related to the "Possibility for the client to reject the contract" consists of
in the following:
A link is sent to the client, through which they access a portal from which they are
It allows:
- View contract with the possibility of downloading or printing it or
- Disallow the hiring with a single click. Evidence is generated that
guarantees the traceability of the action (exact moment of the realization, as well as
integrity of associated evidence) or
- Download the withdrawal document.
Regarding the third section, data and interests affected, it is indicated what
following:
It has been determined that to achieve the purpose of the treatment, it is essential to
treatment of the following categories of personal data:
-With written authorization
Customer data: Identification (includes copy of DNI), Contact, Services
contracted, Bank details, Supply point data
Mandatory data: Identification (includes a copy of the DNI), Relationship with the owner
(yes / no), Contact
- With verbal authorization:
Customer data: Identification, Contact, Contracted services, Bank details,
Supply point data.
Mandatory data: Identification, Relationship with the owner (yes / no), Contact.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 25
25/136
NINTH: Information is obtained on the volume of sales of the entity being the
results of the turnover during the year 2018 of 1,236,124,000 euros. The
Capital according to the information obtained from the Mercantile Registry is 1,000,000
euros.
Information is obtained on the number of clients of the entity. According to the report of
supervision of the changes of marketer, corresponding to the first quarter of
2019, of the National Markets and Competition Commission, the number of
supply points of the entity as of March 31, 2019, corresponding to the scope
domestic, amounted to 1,129,534, constituting 4% of the total electricity sector in
said domestic environment.
TENTH: The internet site indicated in evidence 3 and 4 ( *** URL.1 ) is accessed at
object of downloading the General Conditions of Contract.
The procedure followed to download the document that contains the Conditions
General Contracting, as stated in the diligence of the acting inspector, has
been the following:
-Access through the internet browser to the address *** URL.1 .
- Introduction in the search engine of the text page itself: "General Conditions"
-The website shows, under the following address: *** URL . 3, 2 tabs one
called Related Information and Other Documents.
-The "Documents" tab of the Search Results is selected. Is
offers a total of 78 results, the third of which corresponds to the
"General contracting conditions".
-The "General contracting conditions" are selected and automatically
open a new browser window pointing to the following internet address:
*** URL . 4 .
-Download the document
The content of the general conditions in the "LOPD" section coincides with the
transcribed as evidence 6, with the same LOPD title within the conditions
general, in the fourth number of this Agreement for the Initiation of the procedure
sanctioner.
ELEVENTH: On July 31, 2020, the Director of the Agency
Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the
entity EDP ENERGÍA, SAU, in accordance with the provisions of article 58.2 of the
Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016,
Relating to the Protection of Natural Persons with regard to the Treatment of
Personal Data and the Free Circulation of this Data (General Regulation of
Data Protection, hereinafter RGPD), for the alleged infringement of article 25
of the RGPD, typified in article 83.4.a) of the aforementioned Regulation; for the alleged
infringement of article 6 of the RGPD typified in article 83.5.a) of the aforementioned
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 26
26/136
Regulation; for the alleged violation of article 22 of the RGPD, typified in the
Article 83.5.b) of the aforementioned Regulation; and for the alleged violation of article 13 of the
RGPD, typified in article 83.5.b) of the aforementioned Regulation, determining that the
The penalty that may correspond would amount to a total of 3,500,000.00 euros, without
detriment to the result of the investigation.
TWELFTH: The aforementioned initiation agreement has been notified, the investigated entity
filed on August 7, 2020, writing requesting an extension of the term to the
object of presenting allegations. Once the extension of the term was granted, they presented the
allegations dated 08/25/2020 which are briefly the following:
FIRST: ALLEGED BREACH OF THE PRIVACY PRINCIPLE BY
DESIGN IN THE HIRING PROCESSES THROUGH A REPRESENTATIVE .
The AEPD intends to justify the initiation of this sanctioning file in the alleged
lack of documentation that has never been requested. In this regard,
It should be noted that EDP ENERGÍA has a methodology for identifying, analyzing
and risk management, both to identify inherent risks, as well as
specifically to assess the need to carry out the Assessments of
Impact, alleges that it includes as an annex the supporting documentation that proves,
more than enough, that EDP ENERGÍA fully and fully complies with these
obligations and which is specified in the following: - “Risk Analysis Methodology and
conducting Impact Evaluations "-" Record of Treatment activities and
risk assessment of the treatments related to the contracting of EDP
ENERGY ”-“ Privacy Impact Assessment: Channel of Leads to Convert by
Telemarketing ”-“ Privacy Impact Assessment: Telemarketing to clients for
upselling or abandonment recovery ”-“ Privacy Impact Assessment: Channel
CAC to Clients Or Potential Clients (Inbound) ”-“ Impact Evaluation of
Privacy: OOCC Channel to clients or potential clients (Reactive sale) ”-
"Privacy Impact Assessment: Third-party Stores Channel for sale to customers
potentials (Reactive Selling) ”-“ Privacy Impact Assessment: Forces of
external sales through stands at fairs and shopping centers (reactive sales) ”-
"Evaluation of Privacy Impact: Treatment activity: Carrying out
Scoring of B2C Clients prior to hiring ”.
Likewise, and as a consequence of the measures adopted as a result of the
recommendations derived from risk analysis and impact assessments
carried out by EPD ENERGÍA, a large number of
procedures for compliance with data protection obligations from
the design and by default that are provided as annex 2.
Specifically, the following procedures are included in this Annex 2
related to Privacy by Design and by Default, which are part of the
System of Government, Risks and Regulatory Compliance of data protection of
EDP: • Data Protection Methodology from Design and EDP's Default •
Operational instruction Privacy By Design and Privacy by Default of the commercial area •
Form for characterization and registration of treatment activities for analysis
Privacy by Design and Privacy by Default • Flow chart of the Privacy By Design process
and Privacy by Default.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 27
27/136
It is really striking that the AEPD gives the relevance it gives to the fact
concrete that EDP ENERGÍA had not taken into account in its analysis of
risks, the specific analysis of the risks associated with the possibility of contracting
through a representative, when the AEPD itself, in its own "Practical Guide to
Risk Analysis in the processing of data subject to the RGPD ”(published in its
web (https://www.aepd.es/sites/default/files/2019-09/guiaanalisis-de-riesgos-rgpd.pdf)
does not include any direct or indirect reference to the need to evaluate the
specific risk in relation to data processing, either in contracts or in
other processes, carried out by authorized third parties.
Second, it alleges that all the data processing carried out by
EDP ​​ENERGÍA were analyzed to verify their degree of compliance with the
obligations related to RGPD, proposing measures for its correct
adaptation, regardless of the need for evaluations
impact or not. Delving into the specific risk related to the contracting carried out
through third parties, it must be indicated that the content of the analyzes carried out was
updated at the time, taking into account the considerations that the AEPD has
transferred to EDP ENERGÍA in the administrative procedure related to this
issue that began at the end of 2019 and that, we understand, is the cause of the
sanctioning procedure in which we find ourselves at the moment.
Indeed, as we have already had the opportunity to present within the framework of said
sanctioning procedure previously initiated by the AEPD, the processes of
contracting through authorized third parties had not been identified by
EDP ​​ENERGÍA as an inherent risk factor that was relevant, taking into account
account that: 1) The practically non-existence of claims by clients in
related to this motive. 2) Until now, EDP ENERGÍA did not have any
sanctioning file opened for this cause. 3) The contracting carried out through
third party as verbal agent is expressly recognized in the Code
Civil of 1889.
Although the potential risks identified by the AEPD are perfectly possible,
the probability of materialization of said risks, in the specific case of EDP
ENERGY, was practically nil and that therefore his diligence, with regard to the
carrying out the risk analysis, has been amply accredited.
Specifically, this fact is based on the very low number of claims for
this reason that EDP ENERGÍA has received. Indeed, the number of complaints
for contracting through third parties, it amounts to 8 cases with respect to a total of
105,606 contracts made, as stated in the information provided in the
own file, which we understand, that as surely the
AEPD with EDP ENERGÍA, in probabilistic terms, could be considered a
value that, objectively, does not require an independent assessment and
detailed. And it is not only that in absolute numbers the existing precedents in
EDP ​​ENERGÍA's case were practically nil (8 cases out of 105,606
contracting), but as the AEPD knows very well, of the aforementioned eight (8)
claims, there is only one sanctioning precedent for this entity,
taking into consideration that the AEPD includes in its writing a procedure
that has not yet been firmly resolved (PS / 00109/2019), insofar as
it is being subject to the corresponding contentious-administrative appeal
before the Contentious-Administrative Chamber of the National Court.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 28
28/136
It states that the possibility of entering into a contract between two parties through the
intermediation of a third party is an exclusive question of Civil Law, so the
need, or not, of formalities associated with the accreditation of the representation has
to be governed by the provisions of the Civil Code and, where appropriate, by the provisions of the
consumer protection regulations. In this regard, the requirement by the
AEPD that the representation alluded to by the representative is recorded in a medium that
allow its accreditation could be considered logical in an isolated interpretation of
data protection regulations, but it loses meaning when put in context
with the rest of the legal system, more specifically, with the provisions of the Code
Civil, which contemplates, among others, the possibility of hiring by representative
included in article 1259, or the figure of the "mandate", regulated in articles 1709
to 1739 of the same and that establish that: «by the mandate contract a
person to provide a service or do something for the account or commission of another »and
for which total freedom of form is allowed, establishing that "the mandate may
be express or tacit "and that, likewise," acceptance may also be express or
tacit, deduced this last one of the acts of the agent chief executive ». In this case, it does not seem
that such a wide freedom of form is compatible with obtaining evidence of
the existence of the representation or mandate, beyond the manifestations of the
agent, protected by good contractual faith. Likewise, there is little
understandable that a separate consent is required for the treatment of
your data or a confirmation of the order by the principal, since this
would imply denaturing the representation, inasmuch as it would be absurd that who is
designated for the conclusion of a contract in favor of a third party cannot facilitate
the data of the person on whose behalf it acts, or that confirmation is necessary
separated from it to authorize said communication, since the need to
Addressing the represented person directly would make the representative's intervention useless,
since it would be meaningless.
Likewise, and in relation to the possibility that the represented party may provide
additional consents to the hiring itself, it should be noted that this
possibility may well have been authorized by the represented in a way
specific, but as the same freedom of form governs for the granting of this
power (which the norm does not oblige in any case to provide in writing), nor is it
Your reliable accreditation is required at the time of hiring. About this
In particular, it should be noted that to date no assumptions have occurred in the
that any type of incidents have been reported by those represented
related to the granting of said consents.
Regarding other risks identified by the AEPD, it must be indicated that the
The risk of identity theft is very low, since the representative identifies himself
personally by reliable means when the hiring is face-to-face and
providing your DNI data when you do it remotely. However, as well
the AEPD knows the risk theory, it does not hold that the existence of a low risk
may be considered a non-existent risk. In this sense, the risks of there being
identity theft do not differ from those that correspond to the
contracting in their own name, since the same checks are carried out for
avoid this, based on the risks and threats detected in relation to each form
hiring. Therefore, it cannot be taken for granted that this risk was not
taken into consideration by EDP Specifically, this fact is based on the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 29
29/136
very low number of claims for this reason that EDP ENERGÍA has received, nor
that no mitigation measures have been adopted, as stated
It will be explained below in the explanation regarding the contracting procedure.
On the other hand, with regard to potential economic damages, although this
It is a question more linked again to the civil sphere of contracting than to the
protection of personal data, it must be indicated that in cases where the
cancellation of contracts for any reason, EDP ENERGÍA assumes the costs of
the services provided, so that there would be no economic damage to the
affected, proof of this is that EDP ENERGÍA has so far not received
no claim for the alleged damages wielded by the AEPD
Regarding the way in which the contracting is carried out, as already stated and stated
both in the information made available to that Agency and in the Background
In fact of the Initiation Agreement, the contracting of the services is preceded by a
series of guarantees that allow to identify the author of the contracts, following the
common practices throughout the supply service contracting sector and by
companies known as "Utilities", both in person and remotely,
this information being recorded, so that, in the event of any
incidence, there is evidence of who is the person who has carried out the
hiring. Against the insignificance that the AEPD intends to grant to the
statement of the representative, perfectly identified, on his condition of
representative of the person in whose name it contracts, it should be noted that this
manifestation has binding legal consequences, which, as already stated,
are subject to regulation and are expressly recognized by our
Legal System, and that imply responsibilities, both from the point of view of
civil view, as well as criminal, so it is not a “mere manifestation”, like the
He came to name the AEPD in the Fundamentals of Law of his writing of initiation of
sanctioning procedure, but it is a legal act, such as the
own consent of the owner, defined by the RGPD itself as a "manifestation
of will ”. Therefore, it does not seem that a legal defense can be defended
discrimination of the relevance of some manifestations versus others, due to the fact that
that are included or not within a specific regulation, or manifested from a
form, or other. Likewise, as stated in the Factual Background, although
later it seems to be obviated in the Fundamentals of Law, in all cases
in which the contracting is carried out remotely, it is indicated that: “To the contract holder, to
informative purposes, it is sent to you in duplicate, with a stamped envelope, the
contractual documentation in compliance with the provisions of the regulations of
protection of consumers and users ”. That is why, in any case, the owner
You have the possibility of knowing the terms in which the
hiring.
Notwithstanding all of the above, as a result of the sanctioning procedures opened in
the year 2019, and following the criteria transferred by the AEPD in the resolution of the
PS / 00109/2019 (do not sign on the day of the presentation of this brief, due to being appealed)
EDP ​​ENERGÍA has proceeded to identify the risk related to the
intervention of third parties in the contracting, making the corresponding analysis
detailed information on this issue and proposals for improvement have been drawn up, in order to give
compliance with the AEPD considerations so that in the procedures
of contracting the person in whose name it is contracted is always informed. The
The proposed contracting protocol has been made known to the AEPD in
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 30
30/136
dated July 16, 2020 and registration number 025308/2020, submitted in any case
before receiving the written Agreement for the Initiation of Sanctioning Procedure, being
a Request for information with a common number for EPD ENERGÍA and EDP
MARKETING COMPANY without the AEPD having ruled on it to date
to the same with the corresponding legal valuation report, as it is
requested, in order to implement a system that was fully compliant with the
criteria and interpretations of the AEPD, limiting itself so far to include in the
Initiation Agreement sent to EDP ENERGÍA certain considerations in
relationship with it. Specifically, the doubts raised in relation to the
proposed procedure, which we understand are the only ones that the AEPD has, are the
following: 1) It is not clear if it applies to all contracting channels, including the
Leads subchannel to which no reference is made; 2) situations are not contemplated
in which the represented can not be informed by the indicated means (mail
email or SMS); 3) the client is not informed of the consents given by the
representative for other treatments with purposes other than hiring the
service requested during the hiring process, nor the possibility of revoking
such consents. 4) no effective dates for the implementation of this
process.
Again, incomprehensibly, instead of requesting additional information from EDP
ENERGY in relation to the proposed procedure, the AEPD chooses to interpret
negatively the information whose content is not clear to you. However, and as
We understand that the will of the AEPD, like that of EDP ENERGÍA, is to achieve a
procedure that allows not only to comply with the different modalities of
contracting provided for in the Civil Code, recognized by consumer authorities
and the competent courts in contractual matters, but also to the
considerations of the AEPD, then we proceed to clarify those that
We understand would be the only doubts of the AEPD in relation to the modifications to the
procurement procedure submitted: 1) The proposed procedure will be applied to
all the contracting channels with which EDP ENERGÍA works, including the
Leads and any other that EDP ENERGÍA implements in the future. 2) Regarding the
doubt raised about what would happen in the event that the contracting person does not
does not have any of the means provided to carry out the confirmation of the
contracting (email or SMS), indicate that the alternatives will be: a. Do it
the owner himself b. Presenting written authorization and copy of the DNI of
representative and represented 3) Regarding the consents granted and the
possibility of revoking them, it should be noted that the communication gives access to the
contractual documentation, where each of the consents are recorded. The
Once this information is known, the user has the possibility of modifying them. Not
However, as a result of the comment of the AEPD in which it questions the validity of the
Authorization of the representative for the authorization of additional consents to the
contracting, EDP ENERGÍA proposes to allow representation only for this purpose and
will collect additional consents directly from the owner. 4) Regarding the
date of implantation, it depends precisely on the opinion that on this
procedure manifested by the AEPD, since it would not make sense to start it if
the supervisory authority considers that it does not meet its criteria to consider it a
appropriate procedure, taking into account the economic costs associated with this
implementation, in addition to the resources of time and dedication necessary for the
deployment of these measures.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 31
31/136
It is alleged that the alleged breach of the obligations of article 25 RGPD, and
the consequent quantification of possible sanction to impose on its client
derived from said alleged breach, lack any basis for its
consideration. In addition, and, in any case, the quantification of said possible sanction
it lacks any hint of being proportionate.
SECOND. - ALLEGED BREACH IN RELATION TO THE
CONSENT PROVIDED BY THE INTERESTED PARTY .
It alleges that it is interested in stating that the treatment relating to the creation of
a commercial profile based on the information of third parties for the referral of
advertising information is not, in practice, being made, nor at the date of
issuance of these allegations, nor prior to them. For the
Therefore, the treatment that could potentially have been carried out, has not had
place in no case, at any time, so, even though it can be questioned
From the point of view of the other requirements of the RGPD, it is not possible to attribute to EDP
ENERGY carrying out unlawful conduct that may be punishable
derived from the mere obtaining of the consents related to a treatment of
data that, to date, has been non-existent and therefore has not generated the
alleged damage to the fundamental rights of citizens wielded by this
Agency.
The commission of the offense of reference, regulated in article 83.5 (a) RGPD and in
72.1.b) of the LOPDGDD, necessarily requires that the
caused a treatment and that it has not been identified or has not been
regularized the basis of adequate legitimation, stating: “1. Depending on what
established in article 83.5 of Regulation (EU) 2016/679 are considered very serious and
The infractions that suppose a substantial violation will prescribe after three years
of the articles mentioned therein and, in particular, the following: (…) b. The
processing of personal data without the concurrence of any of the conditions of legality
of the treatment established in article 6 of Regulation (EU) 2016/679 ”.
In relation to informed consent, in the Agreement to Start the Procedure
Sanctioner to consider that the required consent is invalid, is part of
the consideration that the information provided to the interested party is not
sufficient, inasmuch as it is not indicated, nor what third-party bases will be consulted, nor
what type of data will be collected, so that the interested party does not know
absolutely what it is that you are consenting to. And it is appreciated that a single
consent for two different purposes.
In this regard, it is alleged that the information is provided in response to the good
practices stated by the AEPD itself and ratified by the LOPDGDD, so that
the interested parties are transferred through the double layer system, so that
the interested party can reinforce the information provided through the consultation that consists
in the same, through the different mechanisms that are granted for this purpose
(informative locution, back of the physical document or EDP ENERGÍA website.
In relation to the absence of clear identification of the sources of third parties or the
categories of data, it should be noted that such information can be derived from the
information provided to the customer in the first layer (by clearly identifying that the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 32
32/136
treatment will be carried out with third-party sources) as in the second layer, whose
content is contained in the section called "general conditions of the contract",
whose content indicates: “(II) The elaboration of commercial profiles of the Client
by aggregating EDP databases with data from
databases of third parties, in order to offer the Client products and services
personalized, thus improving the Customer experience. (III) The adoption of
automated decisions, such as allowing the hiring, or not, of certain
products and / or services based on the Client's profile and particularly, on data
such as, the history of defaults, the history of hiring, permanence,
locations, consumption data, types of devices connected to the energy network, and
similar data that allow to know in greater detail the risks associated with the
hiring. (iv) Based on the results obtained from the aggregation of the
data indicated, EDP may make personalized offers and specifically
aimed at achieving the contracting of certain EDP products and / or services. "
As reflected in the cited text, EDP ENERGÍA has broadly identified
detail the types of data that are treated for the detailed purposes, the sources being
consulted for this an obvious derivation of the above.
The indication made on obtaining third-party sources is, therefore,
sufficient content for the user to be fully aware that their
authorization will mean the possibility that the authorized entity can obtain said
information. It must be remembered that there is no legal requirement that, in the
At the time of collecting the data of the interested party, the questioned information must
be contemplated directly in the consent requested. That is, being the
origin of the data the interested party, it only corresponds to the Entity to inform
in accordance with the provisions of article 13 RGPD, a provision that does not establish, in
none of its precepts, the obligation to identify neither the source nor the typology of
the data. Only in the event that said treatment had been
carry out, the Entity should have reported such extremes, since only in
At that time, the provisions of article 14 RGPD would apply. Taking into account
of the non-materialization of said enrichment, this information did not become
transferred to the interested party, not including data in EDP ENERGÍA databases
unrelated to those that have been provided or generated on the occasion of the relationship
contractual maintained between the parties.
In addition, it should be noted that, in the event of obtaining data
from a third party, would be the one who, in his capacity as transferor of the data,
would be obliged to legitimize the communication of the data on the basis of the
consent of the interested party, without prejudice that EDP ENERGÍA would also do so, in
fulfillment of its information obligation once obtained data from
of a third party in accordance with the provisions of the RGPD. In this sense, said
situation could only occur, in the event that the interested party himself, exercising his
right to disposition of the data and with full awareness of it, there would be
expressed your authorization for your personal data to travel to another company,
as would be EDP ENERGÍA, who could only make use of them, in the
assuming that he had also expressed his consent, by means of the
marking the box or express indication, indicating that "Yes" in case of
be done by phone.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 33
33/136
On the other hand, in relation to the alleged accumulation of treatment purposes,
by stating that the interested party would authorize the sending of advertising and, secondly, the
use so that EDP ENERGÍA can assess the viability of contracting by
said user. In relation to this point, we must state that the valuation
made by the AEPD starts from an erroneous premise, considering that they are dealing with
two differentiated treatments, in a case in which it is clear that it is a question of
a single purpose, such as the generation of a commercial profile, the use of which is
It is limited to two contexts linked to each other: (i) the first, to carry out the assessment
of the possibility of contracting and, (ii) the second, to issue the corresponding offers
commercials to the user in question.
In this way, both assumptions are necessarily interrelated,
as there is no doubt that it would be meaningless to design a client profile, based on
the data provided by the user and those derived from the service provided, for the
referral of a commercial offer that was sent to an interested party who did not comply
the internal parameters of the Entity to carry out a contract at the moment
of your request.
In relation to this aspect, it is well known by this company that the RGPD requires
that the consents that are collected are specific, as well as
unanimous criterion of the control authorities to point out that the grouping of purposes
related to each other, as would happen in this case, has full place in said
concept, without such grouping giving rise to the consideration, per se, that it has not been
specifically obtained consent. In this area, the approach
on which the AEPD sustains the breach attributed to EDP ENERGÍA,
The regulation established by the LOPGDD, in whose article 6.2 states that: “2.
When it is intended to base the processing of the data on the consent of the
affected for a plurality of purposes, it will be necessary to record in a
specific and unequivocal that said consent is granted for all of them. " To the light
of the above, there is an evident specific regulation that enables the grouping of
purposes that the AEPD is now questioning
As an additional matter, it is indicated by this Agency that the consent obtained
It is not in accordance with the regulations, considering that it is not explicit, but
obtained in the same way as a general consent, although there are no
clearly identified the reasons why it would not meet the criteria
issued. For these purposes, the inclusion of the analyzed consent is carried out in a
separate context to the acceptance of the procurement itself, so that either
It is collected in a box in those contexts in which there is documentary support
for this, or in an informative locution that is read and that must be
expressly ratified by the interested party to understand that it has been provided.
In this regard, in the absence of clarity in the regulations on the ways that will allow
determine that a consent deserves the consideration of explicit (understood
as a reinforced consent to the one already required by the RGPD), in the aforementioned
Guideline 5/2020 mentions several nuances that help in this clarification. From
it is extracted that, in addition to meeting the requirements defined in the
Article 7 GDPR, the validity of an explicit consent does not require the attention of
exact requirements, being able to be valid both in written documents, as well as in
telephone recordings.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 34
34/136
At this point, it is interesting to emphasize an essential question: although there is neither
legal precept or opinion from the control authorities that determine
clearly the requirements to consider that the consent obtained is
explicit, nor the differences that correspond to the “regular” consent, it is
attributed to EDP ENERGÍA, and to any other entities that act as
those responsible for the treatment, the task of defining at their own discretion in which situations
will understand that such requirement has been fulfilled.
Said casuistry cannot but cause serious legal uncertainty, which in the
assumption that concerns us is not solved, not even with the foundation that
It is stated in the writing of the Agreement to Start the sanctioning procedure, since in
At no time is it clearly stated which factor, element or action has not been
executed by EDP ENERGÍA, to determine that its conduct has resulted
unlawful and deserves a sanction of such magnitude. Accordingly, the
request to the client for an obvious action, such as the verbal indication that yes
consent or the marking of a box, the content of which clearly states the purposes
for which the data will be used, which is unrelated to any other
acceptance and that it is not subject to other purposes, should be considered as a
explicit consent in order to comply with the obligation imposed by the
data protection regulations.
In view of the aforementioned points, EDP ENERGÍA complies with all
of the legally required requirements, of what necessarily has to be concluded
that the Entity's work to collect the consent of the client, in such a way
explicit, they have been rigorously cared for. It is proof of this that, both in the
telephone channels, such as those in which they are conducted in writing, the
Obtaining consent is carried out in a way different from that of the
contracting, it is stated that it is additional to the same and it is understood collected,
only, in cases where the client ticks the box or clearly states
that yes it consents. From all this it is only possible to conclude that the collection process
consent has been made in light of the criteria required by the
applicable regulations, being therefore adjusted to Law.
Thus, the process of obtaining consents that EDP ENERGÍA comes
using is not something new for the AEPD, who has had the opportunity to analyze
the same prior to the beginning of this sanctioning file, in those
files (information requirements and / or sanctioning procedures)
opened due to a claim from a user. Within the framework of these, the
AEPD had full knowledge of the contracting process and the typology of
consents that were collected from the interested parties, having provided the
contracts by EDP ENERGÍA as evidence of compliance. Needless to say, the
The final result of both turned out to be that of their file (see the
claims with reference E / 00915/2019, which was not even admitted for processing, and the
file E / 02714/2019), without making additional assessments on the
compliance with the regulations, which leaves nothing more than to delve into the confusion that
has this part before the very serious accusations made against EDP ENERGÍA by
this Agency.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 35
35/136
Additionally, and without prejudice to the arguments presented, the
presumption made in the Agreement to Initiate Sanctioning Procedure, in which
the assessment of the infractions is carried out taking as a premise a double
attribution: (i) the first, derived from the absence of adequate information and, (ii) the
second, as a consequence of the execution of a non-consensual treatment. To these
effects, it should be noted that, even if it is considered that the information provided
the interested party is deficient, this fact cannot lead to the determination of a
infringement of article 6 RGPD, since the treatment that would be carried out takes
as a starting point the adequate legitimizing base. As it is, the definition
made by EDP ENERGÍA regarding the legal basis that would allow it to process the data
for the purposes that have already been mentioned, it would strictly adhere to legitimation
that corresponds. In other words, EDP ENERGÍA carries out the actions
necessary to obtain the corresponding consent of the interested party,
granting him the possibility of granting it or not, voluntarily, through the
marking of the box provided or express indication in cases where these are
collected by phone call. For all these reasons, a
conduct that could be legally reprehensible to EDP ENERGÍA, taking into account
that has rigorously subscribed the terms required by the standard, when proceeding to
request the interested party an action of express will, free, unequivocal and not
conditioned to another end. And for that reason it is not possible to impute to my client the commission of
any infringement of those typified in article 83.5.a) RGPD, in relation to your
Article 6.
THIRD. - ALLEGED BREACH IN RELATION TO THE
DATA PROCESSING RELATED TO AUTOMATED DECISIONS AND
PREPARATION OF CUSTOMER PROFILES.
Third, the Agreement for the Initiation of Sanctioning Procedure, establishes in its
Legal Basis IV a series of alleged breaches related to the
apparent lack of compliance by EDP ENERGÍA with the obligations
derived from the provisions of article 22 of the RGPD, regarding the consideration by
part of the AEPD of the existence of an impediment, the obstruction or the
repeated attention to the exercise of the rights established in articles 15 to 22
of Regulation (EU) 2016/679 in relation to automated decisions and the
elaboration of customer profiles, typified in article 83.5.b) RGPD and, qualified
as a very serious breach for the purposes of prescription in article 72.1.k) of the
LOPDGDD. Specifically, the AEPD maintains that:
1) EDP ENERGÍA does not grant users the possibility to exercise their right
relative to not being the subject of automated decisions, as well as not granting the user the
due information regarding this right,
2) The user is unaware of the possibility of refusing to adopt this type of
decisions.
In this way, the sanction proposed by the AEPD is based on the fact that the
information that is provided by EDP ENERGÍA to the owners of the data is
insufficient and imprecise, without prejudice to the fact that the AEPD acknowledges that EDP
ENERGÍA facilitates and makes available to users the documents with
information regarding compliance with data protection regulations, both in the
time of hiring, as in durable support at the end of the hiring.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 36
36/136
First, with respect to the information provided by EDP ENERGÍA in
relationship with the legitimizing basis (consent in the case at hand)
We must emphasize that the information that is provided to users regarding the
treatments that, being additional to the contracting itself, require the
User consent, is duly provided to users.
Specifically, in the so-called Evidence 6 presented by EDP ENERGÍA during the
substantiation of the informative file of which the present sanctioning file
brings cause, the following is reflected in the supply contract model
boxes: "You can read the information regarding the processing of your personal data at
the reverse. I consent to the processing of my personal data once the
contractual relationship, to carry out commercial communications adapted to
my profile of products and services related to the supply and consumption of energy.
Likewise, I consent to the aforementioned treatments during the term and after the
termination of the contract, on non-energy products and services, both of the
EDP ​​Group companies and third parties. I consent to the processing of my data
personal data for the elaboration of my commercial profile with information from
databases of third parties, for the adoption, by EDP, of decisions
automated in order to send personalized commercial proposals, as well
as to allow, or not, the contracting of certain services "In this case, and
expanding information regarding the treatment of user data in the
general conditions, we find the following information; "Whenever the client
you have explicitly accepted it, your personal data will be processed, even once
once the contractual relationship has ended and as long as there is no opposition to said
treatment, for: (I) The promotion of financial services, protection services of
payments, automotive or related and electronic, own or third parties, offered by EDP and / or
participation in promotional contests, as well as for the presentation of
commercial proposals related to the energy sector after the end of the contract,
(II) The preparation of commercial profiles of the Client by aggregating the
databases of third parties, in order to offer the Client products and services
personalized, thus improving the customer experience, (III) The adoption of
automated decisions, such as allowing the hiring, or not, of certain
products and / or services based on the Client's profile and particularly, on data
such as, the history of defaults, the history of hiring, permanence,
locations, consumption data, types of devices connected to the energy network, and
similar data that allow to know in greater detail the risks associated with the
hiring. (IV) Based on the results obtained from the aggregation of
the indicated data, EDP may make personalized offers, and specifically
aimed at achieving the contracting of products and / or services from EDP or third parties
entities depending on whether the client has consented to it or not, being in any case
processed data whose age will not exceed one year. In the event that said process is
carried out in an automated way, the client will always have the right to obtain
human intervention by EDP, admitting the challenge and where appropriate
assessment of the resulting decision.
From these fragments, it can only be concluded that (i) both for the elaboration of
profiles, such as for data processing adopting automated decisions EDP
ENERGÍA requests the explicit and specific consent of the user, without being able to
be interpreted that automated decision-making is treated on another basis
legitimizing, as well as that (ii) the information related to the elaboration of profiles and
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 37
37/136
automated decisions, complies with what is required by article 13 of the RGPD, since
that informs about the existence of automated decisions, including the elaboration of
profiles and provides meaningful information on the logic applied, as well as the
importance and expected consequences of said treatment for the interested party . For
all this and taking into account the first aspect raised by the AEPD regarding the
alleged breach committed by EDP ENERGÍA in relation to the information
provided to users to obtain specific consent, there is no
any interpretation regarding the lack of information and confusing treatment by
of EDP ENERGÍA, which includes the information corresponding to the treatments
specific, providing all the information required in the RGPD.
Second, in relation to the information provided to the owners of the data
Regarding the exercise of rights, it should be noted that EDP ENERGÍA informs
expressly to users in the information provided to them of their right
specific to "oppose" to "the adoption of automated decisions of your data
personal, requiring human intervention in the process, as well as to challenge
the decisions that are finally adopted by virtue of the processing of your data ”.
In this sense, the AEPD considers that EDP ENERGÍA fails to comply with its obligation to
inform the owners of the data by the mere fact that in the information
provided does not appear, expressly and literally, the right to "revoke the
consent ”, appearing in its place the verb that grants the right of the
holders of the data to "oppose" to "the adoption of automated decisions of their
personal data, requiring human intervention in the process, as well as
challenge the decisions that are finally adopted by virtue of the treatment of
your data". We are sure that the semantic and technical nuance associated with both
verbs "opposition" and "revocation", both the experts that the AEPD has,
as the ones that EDP ENERGÍA has, are able to differentiate them
with each other, and determine that they are two legal concepts, but it will also be
with us that Agency, that the average user (a concept widely used by
part of that Agency throughout the procedure at hand) is hardly going to
to be able to differentiate these concepts. In the present case, what is really
important is the effect that the user's request has in practice, which, in
definitively, it is the one that is relevant to the owner of the data, and that generates effects
positive or negative to their fundamental rights, this being what really
protects the RGPD, and not the use of one verb or another, even more so when they
they can be used synonymously.
In this case, the only thing that is intended to be used in the information provided to the
users the term "opposition" with respect to automated decisions, is to be able to
provide the user with a clear, concise and transparent understanding of the information that
is made available to you, and facilitating, in the event that the request of said interested party
conforms to the regulatory requirements, the exercise of the different
Rights. Thus, according to the definition contained in the Dictionary of the RAE, revoke
means "to leave without effect"; and oppose, “put something against something else to prevent its
effect ”, so except for those who have knowledge in the matter and
can appreciate the nuance that differentiates one and the other, the truth is that, for the purposes of
most of the population, both terms would be synonymous and would suppose, in the
practice, the same.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 38
38/136
Without prejudice to all the above, we must highlight, by the
relevance that this has in this allegation, the information contained in Clause 16
of the General Contracting Conditions, relative to data protection. On
said clause, in the section corresponding to "Rights of the owner of the data"
makes express reference to the possibility of revoking the consent that previously
have granted, thus, it is expressly indicated “(VII) Withdraw, at any time,
the consents granted ”.
It refers to its internal procedure, and states that therefore, not only the
Users are informed at all times of the possibility of revoking the
consents granted, but EDP ENERGÍA itself, as a procedure
internally and in order that those in charge of managing requests have the
necessary knowledge in relation to the different possibilities, reflect with
express nature of said right, regardless of the technical term used, since
that the main purpose is to inform and that the user knows the possibility of not being
subject to automated decisions. Thus, the internal procedure referenced
previously, it even includes response models to be able to attend with character
general, the various requests. All this, without prejudice to the fact that each of the
requests are treated in a particular way and in accordance with the specific circumstances of
affect the specific case, and it is necessary to adapt said model of
response depending on the specific casuistry of each request. It is provided as
Annex 3 the procedure related to the management and answering of the
Rights.
In view of the above, the AEPD attends to the lack of knowledge of the average user,
as an argument to consider the informative clauses as not very transparent,
This aspect, however, considers it to be substantially essential since it only relates
as a valid exercise the opposition of the interested party. Taking into account that the right
related to not being the subject of automated decisions is collected with
independent and express nature in the general contracting conditions,
requiring, where appropriate, the explicit and specific consent of the user, and
being the same duly informing in a specific way, as
is justified in the evidence provided, as well as the possibility of opposing
to be subject to automated decisions, it is surprising to say the least that the
AEPD considers that EDP ENERGÍA does not comply with article 22 RGPD for not
offer the client the possibility of literally "revoking consent", that is,
strictly formal and semantic aspect, that an average user without knowledge in
matter does not have the capacity to understand the difference with the word "opposition",
the Agency understanding that it is not valid to report the possibility of "opposing",
as a synonym, to said treatment, which is what EDP actually performs
ENERGY .
In line with the foregoing, it should be noted that EDP ENERGÍA, in no case has
denied the exercise of rights that have not been requested / drafted with
precise character, directing in case of doubt the request to the user, so that the same
can be resolved effectively, satisfactorily and without delay.
Likewise, as has already been stated in previous points, in relation to the
automated decisions, the client is offered the possibility of obtaining intervention
human rights, admitting challenge and, where appropriate, assessment of the resulting decision,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 39
39/136
reason why, in addition to informing about the possibility of not being the subject of
automated decisions, the client is empowered as an alternative to intervene
human. For all the above, it cannot be reasonably interpreted that the owner of the
the data may, even remotely, ignore the possibility or right to
that your data are not subject to automated decisions, nor that EDP ENERGÍA
put limitations, or do not make available to said interested parties the mechanisms
necessary to make the request, being able at any time to "oppose"
to said treatment, or rather, "revoke" the consent given for the
adoption of such decisions, as well as requesting human intervention, which otherwise
On the other hand, in the case of EDP ENERGÍA it always occurs, because although the consultation of
the information is automated, the final decision is made by an employee after
analyze the content of it.
It is provided as Annex 4, by way of example, exercises of right of opposition and of
revocation of consent that has been processed during the last year, to the
effects that the AEPD can know, first hand, what type of rights are
exercised by the holders, in what modality they are received, as well as specifically
how they are properly cared for by EDP ENERGÍA.
For the sake of completeness and in order to address the true scope of the offense, to
even though EDP ENERGÍA includes the possibility of profiling and adopting
automated decisions, the only profiling performed, is related to the qualification of
clients regarding fraud prevention, treatment for which there is
legal authorization and is based on the legitimate interest of EDP ENERGÍA, with
the purpose of safeguarding the success of the contracts made by EDP
ENERGY, as well as preventing customers, whose sole purpose is to consume the service
energy without paying the bills, become part of the client portfolio.
Notwithstanding the foregoing, the owners of the data are informed that said profiling is
reviewed and finally processed by EDP ENERGÍA staff, which is why no
can be considered as an automated decision in itself, taking into account in this
meaning to the literal wording of the concept established by the authorities. In other words,
nor is there any data processing based on automated decisions, nor is there
any manifestation about said treatments, since outside of the strictly
necessary to continue with the service and those provided by law, are not
carried out, which is why, not only can it not be considered that there are
non-compliance with article 22 of the RGPD, as the requirements are met
collected by the regulations, but there are not, nor can there be data owners who
may have been affected by said treatments, so we refer to the
broad jurisprudence previously enunciated in this section as it is fully
application to the case at hand.
This is enough so that there is no basis whatsoever in order to impute to my client
any infringement of those typified in article 83.5.b) RGPD in relation to your
cited Article 22, however, for dialectical purposes and in the unlikely event that
If the commission of said infringement could be considered proven, we state what
follows in relation to the amount of the sanction provided for said alleged infringement
in the Agreement to initiate the sanctioning procedure.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 40
40/136
Make a series of considerations on the evaluation criteria collected in the
RGPD, understanding that the aggravating factors considered in the initiation agreement by the
AEPD would not concur in this specific case, concluding that it has not been substantiated
severity, nor the criteria that allow setting such a high amount of
sanction to the present assumption.
FOURTH.- ALLEGED BREACH IN RELATION TO THE DUTY OF
TRANSPARENCY.
The AEPD, in its Agreement to Initiate Sanctioning Procedure, attributes to EDP
ENERGY the violation of Article 13 of the RGPD, assuming a breach of
duty of information that is proper to him as responsible for the treatment, typified in
article 83.5.b) and classified as mild for the purposes of prescription in article 74.a)
of the LOPDGDD. Specifically, it considers the existence of said infringement due to:
1) lack of information to interested parties about the possibility of accessing information
enforceable in article 13 of the RGPD.
2) the web address provided does not lead directly to the required information
in accordance with article 13 of the RGPD, without allowing immediate access to the
information, nor is access easy for anyone. EDP ​​ENERGÍA no
has no choice but to state, again, and as he has done and demonstrated in the
rest of the alleged breaches alleged by this Agency, which cannot
share the appraisals made by the AEPD, so below
identify the reasons why they understand that EDP ENERGÍA
fully complies with the requirements of the regulations for the protection of
data in terms of transparency in relation to the information provided to the
holders of personal data in the contracting processes.
Regarding the CAC inbound channel, on which it is stated that the information
provided is incomplete, it should be noted that in the case of incoming calls there is at the
the call starts, before the recording starts - and regardless of the
management that the person who calls the customer service department of the
entity-, a telephone announcement where information is provided, among other aspects, of the
rights that assist data subjects, as well as where to find information
additional, so that users receive this information whenever they call,
which not only means that this information is provided to them in the call in which they go
to carry out the contracting of the supply, but also when they are already customers and are going to
carry out any procedure (either a consultation, request a change of power,
make a payment, request a fractionation or file a claim).
In this sense, it should be noted that the RGPD itself expressly provides in its
point 13.4 that: “The provisions of paragraphs 1, 2 and 3 will not be applicable
when and to the extent that the interested party already has the information ”. Therefore,
customers receive all the required information in a first layer of information
verbal, which can be completed by accessing the EDP ENERGÍA website or by
direct in the call itself, depending on the management carried out.
Thus, this information is provided in layers, distinguishing on the one hand the layer
1. “This call can be recorded. The data you provide us will be processed by
EDP ​​Energía, SAU and / or EDP Comercializadora, SAU to manage your request
or query. You can exercise the rights of access, rectification, deletion, opposition,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 41
41/136
limitation and portability at any time. See the Privacy Policy at
our website edpenergia.es or press 0 "
And on the other, layer 2, which collects the information in a more detailed way, which is activated
automatically if the user dials 0, following the prompts
of the first layer: "The use of this TELEPHONE CHANNEL does not oblige the user to
provide any information about yourself. However, to use certain
services or access certain content, users must provide
previously some personal data. In the event that the user provides
personal information, we inform you that the data will be processed by
EDP ​​Energía, SAU and EDP Comercializadora, SAU, with registered office in Oviedo,
Plaza del Fresno 2, 33007 and NIF A33543547 and A95000295 respectively, in
hereinafter "EDP", as data controllers, as established by the
General Data Protection Regulation ((EU) 2016/679), hereinafter "RGPD", and
its implementing regulations.
Specifically, your data may be processed, when the user so requests, to
manage the attention and follow-up of requests and inquiries directed through the
website, as well as for conducting surveys and participating in sweepstakes,
games and promotions. The data requested will be mandatory and limited to
those necessary to proceed with the provision and / or management of the requested service, which
You will be conveniently informed at the time of collecting your data from
personal character. In case of not providing them or not providing them correctly, you will not be
may provide the service.
In these cases, the user guarantees that the personal data provided is
truthful and is responsible for communicating any changes to them.
In the case of the procedures processed through the TELEPHONE CHANNEL and the registration
In it, the data processing carried out is based on the relationship
legal derived from your request.
The processing of data for conducting surveys is based on legitimate interest
of EDP in order to improve the quality of the services provided to customers and / or
users, being able to oppose said treatments at any time, without
This affects the legality of the treatments carried out previously.
In no case may they be included in the forms contained in the CHANNEL
TELEFONICO personal data corresponding to third parties, except
that the applicant had previously obtained his consent in the
terms required by article 7 of the RGPD, responding exclusively to the
breach of this obligation and any other in terms of character data
personal.
The personal data of the users registered on the website may be transferred to
the Public Administrations that by law correspond, to other companies of the group
business for internal administrative purposes, and to the suppliers of the person responsible
of the treatment necessary for the adequate fulfillment of the obligations
contractual.
Personal data will be kept for the duration of your contract of
supply with EDP, in all other cases, during the time necessary to answer the
your requests or to analyze the content of your responses to surveys. A
Once the contractual relationship has ended, their requests answered or their
responses, as appropriate in each case, your personal data will be erased,
keeping the rest of the information anonymized solely for the purposes
statistics. Notwithstanding the foregoing, the data may be kept for the period
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 42
42/136
established to comply with the legal obligations of maintenance of the
information and, at most, during the statute of limitations for legal actions
corresponding data, and the data must be kept blocked during the aforementioned
statute of limitations. After this period, the data will be deleted.
In application of the provisions of article 32 of the RGPD, EDP undertakes to
comply with the security obligations of the data provided by users,
trying to establish all the technical means at its disposal to avoid the loss,
misuse, alteration, unauthorized access and theft of the data that the user provides to
through it, taking into account the state of technology, the nature of the data
facilitated and the risks to which they may be exposed. Without prejudice of the previous,
the user must be aware that the security measures in the CHANNEL
TELEPHONE are not impregnable.
EDP ​​will treat the user's data confidentially, at all times, keeping
the mandatory duty of secrecy regarding them, in accordance with the provisions of the
applicable regulations.
The user can exercise their rights of access, rectification, deletion, opposition,
limitation and portability, as well as the revocation of the consents granted
previously, in the legally established terms, communicating it in writing to
EDP, at the following address: LOPD Communication Channel, Plaza del Fresno, nº2,
33007 Oviedo. Likewise, you can exercise these rights by sending an email
email with your personal data to *** EMAIL . 2 . In both cases,
Attach a photocopy of the holder's DNI or document that proves their identity.
Likewise, you can contact the Data Protection Delegate of
EDP, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or by mail
electronic *** EMAIL.1 , in the event that you understand that any of your rights has been violated
related to data protection, or, where appropriate, file a claim
before the Spanish Agency for Data Protection at the address Calle de Jorge Juan,
6, 28001 Madrid "
Next, it is indicated by that Agency that “The provisions in
Article 11.1 of the LOPDGDD in the other two telephone channels (Telemarketing and
Leads), nor is the interested party informed that they can access all the information required
in accordance with article 13 RGPD at the indicated email address ”. However,
Such statement is made after reproducing the AEPD the texts in which the
clients of the identity of the person responsible for the treatment, the purposes of the treatment,
as well as the rights that they can exercise and the web where to obtain information
additional. Therefore, it does not seem that such a statement corresponds to the reality of the
facts, so we understand that the Agency will be pleased to modify and eliminate this
alleged breach in its resolution proposal writing.
The analysis continues, referring to the general conditions of
contracting to which the information is sent, indicating that those hosted on the web
they are not easily accessible. In this regard, it is interesting to specify that:
1) Article 11 of the LOPGDD refers to the fact that this information must be provided to the
interested party "indicating an electronic address or other means that allows access from
simply and immediately to the rest of the information ”and that, in this case, as stated
informs the interested party in the locution, after contracting a copy of the
contract in which, obviously, the general contracting conditions are included,
therefore, direct access to said information is provided. Complementarily,
this information is available on the web at all times.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 43
43/136
2) Faced with the alleged difficulty alluded to by the AEPD to find the aforementioned
general conditions contrasts the fact that, as exemplified, a simple
search to access them directly, using the search engine
available on the website. Searching for "contracting conditions"
or “general contracting conditions”, the first results are published
documents related to the general contracting conditions that are of
application both in Spanish, in Galician, in Catalan, and in Basque, leaving
clearly identified the documentation that refers directly to the document
in PDF format, as evidenced in the following address: *** URL.3 .
3) Regarding the fact that it is “required to search in the general conditions (which
include numerous aspects related to contracting) the information related to the
data protection ”, it must be made clear that the general conditions
are composed of four pages, of which practically one of them is
is exclusively dedicated to providing information on the treatment of
personal data made by EDP ENERGÍA, as we are sure that the
AEPD has been able to verify during the process of preparing its written statement
proposed sanction.
In relation to this alleged non-compliance, it is worth mentioning the guidelines
facilitated by the Article 29 Working Group, in which it recommends including the
access to information related to the processing of personal data through
of means in which the interested party can immediately recognize where and how
access this information, (direct links or in the form of an answer to a question
in natural language, in the frequently asked questions section, or pop-up windows).
However, it also states that "depending on the circumstances of the collection
and data processing, a data controller could be obliged to
use additionally. […] ”. Other possible ways of transmitting the information to the
Interested parties derived from the following environments other than personal data could
include the following modes, listed below, applicable to the
relevant environments. a) On paper, for example, when entering into contracts by means
postcards: written explanations, brochures, information in contractual documents,
cartoons, infographics, or flow charts; b) By phone: explanations
verbal words directly from one person to allow for conversation and
answer to questions, or automated or prerecorded information with the possibility of
hear more detailed additional information;
The Article 29 Working Group solely and exclusively provides this information to
recommendation mode, without in any case being considered a bad practice,
nor of course a regulatory breach the fact of making the publication to
through a simple method that, taking into account that the service requires the
conclusion of a contract, the essential method and format and therefore that prevails in this
This assumption is the same as indicated in the GT29's own guidelines, through the
medium in paper and telephone support. All this, without prejudice to keeping accessible
through the web for all those interested who decide to carry out and attend the
content in an intuitive and simple way and without prejudice to the obligation to deliver in
durable support all the contractual information both with the previous information, as
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 44
44/136
with the contract itself. In this sense, we can see that the possibility of
linking "immediately" is susceptible to being interpreted.
The AEPD itself on its website makes it the interested party who must "hit" or
"Find out" which of the treatments included in the registry of activities of the
entity are the ones that really affect their relationship with the AEPD, since the
purposes are included within the description of each of them and not in the
privacy policy accessed.
Regarding the identity of the person responsible for the treatment, the
information already provided after the request for additional information of June 3,
2020 in which EDP ENERGÍA was required, for this purpose, within the Requirement of
Information E / 05549/2019 in which it was explained that the fact that the
information from both entities is due to the fact that it cannot be known prior to
contracting the services that will be requested by the interested party (gas and / or
electricity) nor, therefore, by which of the companies they will be provided, so this
It can only be specified when said services are identified by the own
client. highly probable that the same client when requesting the hiring of the
electricity and gas supply, is contracting with both companies.
For this reason, the so-called “dual” contract of
way that a client can obtain discounts or additional advantages for the fact of
contract both energies with two companies of the same business group, and in order to
keep discounts on each energy (electricity and gas) up-to-date
and derived information, it is necessary for both companies to know if energy
initially contracted with the other Group company remains active in order to be able to
maintain and correctly manage the discounts / benefits applied.
Consequence of the foregoing, the clause on data protection informs
that the personal data provided during the hiring process may be
treated by only one of the entities or both entities, depending on the type of
energy services that are contracted. Therefore, there is no inconcretion, but
the explanation of who is the specific person responsible for the treatment in each case is
It literally contains the first section of the contract, which identifies the
parties, as stated in Evidence 6 provided in the response to the Request
of Information made to this company during the processing of the aforementioned
informative file of which the present sanctioning file brings cause: "The
customer contracts, for the supply indicated, the supply of gas with EDP
Comercializadora, SAU and the supply of electricity and / or services
complementary with EDP ENERGÍA, SAU, (hereinafter joint and / or
individually, as appropriate, referred to as “EDP”) in accordance with the Conditions
Specific that are collected below and the General Conditions in annex. "
Therefore, customers know which company will process their data depending on the
requested supply (electricity or gas), something we understand fits perfectly
clear and is derived from both the sales agents' explanations and the tenor
literal of the first clause of the contract. In case of being both services, the data
will be processed by both entities.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 45
45/136
To date, neither in the field of data protection, nor in relation to any of
the regulations applicable to the regulated electricity or gas sectors, or the
Regarding the defense of consumers, there has been no request for
additional information, claim, or complaint in this regard, nor by the own
consumers, nor by the multiple regulators that control and
supervise the activity of trading companies, so it seems obvious
that the information provided does not create problems for customers or other regulators
of the country, more than the AEPD itself.
Additionally, we reiterate two essential aspects in the sector's own operations
in which EDP ENERGÍA carries out its activity, the exposure of which was contemplated in the
information previously sent: 1) The existence of two companies within
of the Group with the role of trading entities is due to a question
merely formal, consequence of the corporate structure and shareholding composition
of the companies acquired by the EDP Group at the time of its establishment
in Spain, but that does not correspond to the operational functioning of said
trading companies, given that only one of them, EDP COMERCIALIZADORA, has
currently with employees and management and operational capacity. Thus, in
In practice, all treatments are carried out by said entity, either as a
responsible for the treatment or as person in charge of the treatment of EDP ENERGÍA.
2) The EDP Group had planned the corporate reorganization of EDP
COMMERCIALIZADORA and EDP ENERGÍA and the adaptation of their corporate structure
with that of its actual operation and its business operations. This reorganization is
has currently been affected by a TOTAL sale process in which both
societies are immersed, and that, if materialized, could alter or terminate said
integration.
For all of the above, it understands that transparency is perfectly justified in
in relation to how the information is provided, as well as the fact that it is
perfectly understandable to the average customer.
The AEPD continues its analysis referring to the purposes and legitimizing bases of the
treatment. First of all, reference is made to those reported treatments
whose legitimizing basis is the contract itself -existing contractual relationship- or the
legitimate interest of the company.
On this matter, it is stated that “It is not easy for anyone, without
knowledge of data protection matters, differentiate which treatments
derive from the contract and which are based on the legitimate interest of the person responsible ".
This assessment is debatable, since it may be evident to anyone
that treatments such as “manage, maintain, develop, complete and control the
contracting supply of electricity and / or gas and / or complementary services of and / or
gas and / or complementary services of revision and / or technical assistance and / or program of
points, and / or service improvement ”are closely related to the execution of the
contract, the rest being assignable to legitimate interest. In this regard, we can
contrast this information with that provided by the AEPD itself regarding its
treatments when these have diverse bases of legitimation, as is the case of the
called "HR Management", published on its website ( *** URL.4 ), in which information
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 46
46/136
it can be seen that various bases of legitimation are identified, without indicating what
specific purpose refers to each of them.
Therefore, although this part has nothing to object about the fact that the AEPD's criterion
may be a good practice regarding the level of transparency, it seems
to consider the fact of not having reached this level of management of the
information, cannot be considered a breach of the norm, especially if
we take into account that not even the body that issues the guidelines
transparency (and that he is now proposing a sanction of nothing more and nothing less
than one million euros for this reason), has considered such a distinction necessary in its
website, as has been duly evidenced.
With regard to the alleged omission by EDP ENERGÍA to report
"What is the legitimate interest attributed to the person in charge", it should be noted that the
They are clearly exposed and put in relation to the purposes that are
pursue, that is: fraud prevention and marketing, in relation to the sending of
personalized commercial communications. In these cases it is obvious that there is a
identification between the reported purpose and the self-interest pursued, so
making a separate allusion to the latter would be redundant.
Similarly, by way of illustration, it should be noted that the direct competitors of
EDP ​​ENERGÍA uses informational formulas similar to those implemented in my
represented, without, to date, any proceedings against them having been known
On the other hand, the high number of requests for rights received on the channels
willing to do so demonstrate that customers fully understand the content
information and the rights that assist them, and are perfectly clear what
is what they want to achieve with their request and EDP ENERGÍA, executes said
requests in all cases, always with a marked character of compliance with the
regulations and protection of the fundamental rights of users.
Regarding the need to report on the weighting carried out for
assess whether the legitimate interest is preponderant in this case, it is relevant to mean that
These two assumptions have been addressed by the legislator himself, who in the
Recital 47 of the RGPD expressly refers to the possibility of carrying out these
treatments based on the legitimate interest of the person responsible for the treatment.
Specifically, it provides that: "the processing of personal data
strictly necessary for the prevention of fraud is also an interest
legitimate of the person responsible for the treatment in question. Data processing
personal data for direct marketing purposes may be considered to be carried out by
legitimate interest ”.
The AEPD itself has also ruled on the latter in its report 195/2017
stating that “if the data came only from the information that
provided by the entity in relation to the products or services contracted by the
client, without it being completed with the one originating from other different sources,
certainly the conduct of the entity, consisting of conducting a profiling
for the referral of offers of products or services to their clients, it would be
less invasive of the rights and interests of the clients, being able in this case
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 47
47/136
consider the applicability of the provisions of article 6.1 f) of the Regulation
general of data protection ”.
Therefore, in both cases the weighting of legitimate interest has already been
carried out, both by the legislator, as well as by the Control Authority and, therefore, the
reason given by the GT29 to recommend its publication so that those affected
may file a claim with said authority when they “doubt whether the
weighting test has been carried out fairly ”would be meaningless in this regard.
case, having to raise said claim before the Court of Justice itself.
Justice of the European Union, in order to examine the legality of the provision
introduced in the RGPD, or where appropriate, before the control authority itself and / or
competent national courts. In any case, GT29 itself identifies this
possibility as a good practice and, as stated in the report itself, its
The objective is “to indicate the approach that, in the opinion of the WG29, those responsible for
treatment they must assume in terms of acting with transparency. It is not, for
Therefore, of a legal obligation whose defective fulfillment may entail
a sanction, as is already the case with many other issues that the AEPD is
trying to sanction in this procedure, lacking the slightest principles of
typification, guilt and proof, these facts that never cease to amaze us in what
which we understand is an action that should be subject to compliance
integrity and rigorous by the sanctioning Administration.
The AEPD continues its analysis stating that the treatments for which it is requested
consent, assessing that it is not easy for a person to understand
no specialized knowledge. However, it offers no explanation for
reach that conclusion (beyond a vague reference to the fourth point).
Against the criteria of the AEPD, we understand that the information is given in a
simple language, understandable for anyone. The information contained in
This second layer must be related to the requested consents.
The first consent says: “I consent to the processing of my personal data once
once the contractual relationship has ended, to carry out communications
commercial adapted to my profile of products and services related to the supply and
energy consumption. Likewise, I consent to the aforementioned treatments during the
validity and after the end of the contract, on non-energy products and services,
both from EDP Group companies and from third parties. "
In the second layer, this information is expanded indicating which are the sectors to be
those belonging to third parties on whom communications can be sent "(I) The
promotion of financial services, payment protection services, automotive or
related and electronic, own or third parties, offered by EDP and / or participation in
promotional contests, as well as for the presentation of commercial proposals
linked to the energy sector after the end of the contract. "
As can be seen, not a single technical term is used to make it difficult to
understanding of these texts, and the conditions of consent are fully
clear.
The second consent requested says: "I consent to the processing of my data
personal data for the elaboration of my commercial profile with information from
databases of third parties, for the adoption, by EDP, of decisions
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 48
48/136
automated in order to send personalized commercial proposals, as well
as to allow, or not, the contracting of certain services. "
The second layer details the content of this consent, indicating: (II) the
possibility of processing personal data of third parties to be added to your profile (III) the
contractual information used by EDP ENERGÍA in the preparation of the profile (IV)
the detail of the purposes of the aggregation of this information.
Finally, the rights of the interested parties are informed in the case of
that automated decision-making occurs in these processes. Therefore, the
EDP ​​ENERGÍA's clear objective is to allow interested parties to have a knowledge
detailed description of the uses for which consent is requested in the absence of will or
any fraud to hide the information. Likewise, the AEPD points out that there is a
lack of clarity in the information provided regarding the aggregation of
information from third parties, as it is not distinguished if it refers to the purpose related to the point
(II) (the possibility of processing personal data of third parties to be added to your
profile) or (III) (the contractual information used by EDP ENERGÍA in the
profiling). In this regard, it seems obvious that the word aggregation is
sufficiently concise, and refers to the sum of both information. The word
Adding is in common use on a day-to-day basis and, according to the RAE, means: “unite or
join some people or things to others ”. In this case, it is clearly inferred from the context
that it would be a question of combining the data that EDP ENERGÍA already has, with which it could
obtain from third parties.
Beyond this, it is unknown what is the specific information whose understanding
It can be complex, as no clarification is provided on this matter. EDP
ENERGÍA has always tried to use clear and understandable language and
there are no technicalities that can complicate the reading of the text, something that seems to
now the AEPD, considers a negative action that penalizes the good faith of EDP
ENERGY in relation to compliance with regulations.
Finally, the AEPD refers to the information regarding the exercise of rights,
with respect to which, as in the previous cases, it does not seem to be sufficient either
for the AEPD the information provided in this regard. Thus, under the heading "Rights
of the data owner ”EDP ENERGÍA informs that:“ The client will count on all
moment with the possibility of exercising freely and completely free of charge the
following rights: i) Access your personal data that are processed by
EDP. ii) Rectify your personal data that is processed by EDP that
are inaccurate or incomplete. iii) Delete your personal data that are processed
by EDP. iv) Limit the treatment by EDP of all or part of your data
personal. v) Oppose certain treatments and decision-making
automated data processing, requiring human intervention in the
process, as well as to challenge the decisions that are finally adopted by virtue of
of the processing of your data. vi) Port your personal data in a format
interoperable and self-sufficient. vii) Withdraw at any time, the consents
previously granted.
In accordance with current regulations, the user can exercise their rights
requesting it in writing, and together with a copy of a reliable accreditation document
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 49
49/136
identity, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or at
the email *** EMAIL . 2 .
Likewise, you can contact the data protection officer of
EDP, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or by mail
electronic *** EMAIL.1 , in the event that you understand that any of your rights has been violated
related to data protection, or, where appropriate, file a claim
before the Spanish Agency for Data Protection at the address Calle de Jorge Juan,
6, 28001 Madrid. "
The AEPD considers insufficient the mention made by EDP ENERGÍA regarding the
possibility of opposing "certain treatments" without specifying one by one what
treatments we are referring to, insofar as the AEPD states that
"It must be clear to the interested party which are the treatments that can be
object of opposition ”.
This party does not share this assessment, since this supposed obligation that the
AEPD highlights and seems to impose EDP ENERGÍA is not required by the RGPD, nor
has no legal support, which, as that Agency knows well, is a condition
"Sine qua non" to be able to sanction-
Moreover, and for the sake of completeness, this part would like to highlight again
that the formula used by EDP ENERGÍA is precisely the one recommended by the
own AEPD in its multiple guides and tools related to the duty of information
in accordance with the RGPD, and even on the AEPD's own website, something that, again, not
ceases to surprise this party, since that Agency considers a violation of the
RGPD, proposing for said infringement a penalty of one million euros, for a
alleged non-compliance in relation to a certain practice that she herself
recommended to perform. Along these lines, it should be noted
1) The Guide for the fulfillment of the duty to inform, in which the
following example
2) 2) The FACILITA Tool, of the AEPD, intended for entities to carry out
the adequacy in accordance with the RGPD, including the informative clauses
in accordance with applicable regulations (fictitious data have been included):
3) Report on privacy policies on the internet. Adaptation to the RGPD, where
the AEPD itself exposes as a valid example to adapt the policy of
privacy to the GDPR.
4) Privacy policy of the AEPD, does not collect the alleged information
which is now required of EDP ENERGÍA, and includes formulas such as “when
proceed "
Consequently, EDP ENERGÍA cannot be criticized for not including a
information that is not even indicated as good practice in the guides
prepared for the adequate fulfillment of their obligations by the
responsible for the treatment, and that neither the AEPD itself complies with its
Privacy and other information clauses used on its website.
Nor does it seem to make sense to refer to “It is imprecise to point out that the
interested party can oppose the automated decision-making of their data
personal ”. It is obvious that the information provided using the word "oppose" is
understood as a right both when the treatment is legitimized in an interest
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 50
50/136
legitimate as in a consent (in any case the possibility of
object at any time to the consents granted). The proof is that
When exercising their rights, the interested parties rarely use any of these
terms and are limited to requesting the "unsubscribe" or directly request that they stop using their
data for certain purposes, without using formalities as has been
evidenced in this procedure through the contribution of innumerable examples.
Additionally, this party is interested in showing once again that the AEPD
has had the opportunity to analyze both the general contracting conditions,
such as the information provided in the different contracting processes of which
EDP ​​ENERGÍA has available during the different information requirements and in its
case sanctioning procedures that the AEPD has initiated so far, without
that until now, the AEPD has ruled on possible breaches
of the duty of transparency, having proceeded to file multiple files
in which this documentation was subject to review by the AEPD.
Therefore, having made this information known to the AEPD and
having been analyzed by the latter, without having spoken out against the
itself, EDP ENERGÍA continued to use these documents and procedures
in the legitimate confidence that it was adjusted to the regulatory requirements, in the
extent to which the AEPD, having access to and first-hand knowledge of these
alleged breaches, did not indicate at any time to EDP ENERGÍA that
there was any irregularity, now proposing a penalty of one million euros
for an alleged breach, of which he would have known years ago, but
that it no longer considered not to sanction but not even to warn EDP ENERGÍA. In this
In this sense, it should be noted that the purpose of this supervisory authority is none other than
guarantee compliance with regulations, so in the absence of justification
legal that motivates the opening of Sanctioning Procedure on some aspects
that were previously known and even subject to a file, cannot have
subsequently the imposition of a sanction of the amount that is exposed.
As a conclusion of all the above, it cannot be interpreted that EDP ENERGÍA
It fails to comply with its duties contained in article 13 of the RGPD.
Makes a series of comments on the evaluation criteria related by the
AEPD in the agreement to initiate the sanctioning procedure, considering that no
concur in the present case.
FIFTH.- ON THE AGREEMENT TO START THE SANCTIONING FILE AND THE
ASSESSMENT OF THE POSSIBLE PENALTY. LEGAL BASIS AND
PROPORTIONALITY OF THIS.
A. BREACH OF THE PRINCIPLE OF INTERDICTION OF ARBITRARITY.
In relation to this principle we must attend to two specific questions:
1) The recommendations and publications of the AEPD,
2) The amounts of the sanctions that have taken place in previous cases
Similar.
First of all, certain practices recommended and even applied by the AEPD
relating to the collection of consent and the information to be provided to
interested parties, have served in this case to argue and motivate the alleged
offenses committed by EDP ENERGÍA.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 51
51/136
These criteria are reflected both in the way of jointly compiling the
purposes whose legitimating basis is the consent of the user, as stated
in the Second Allegation, as well as in the presentation of the information related to the
exercise of rights of the interested parties included in the Fourth Allegation. These
aspects, which a priori the AEPD recommends and puts into practice, considering them
examples that are adapted to the applicable regulations, are used as elements
offenders to justify the alleged breach of different legal precepts by
EDP ​​ENERGY.
All this and said in strict defense terms, not only implies that the AEPD
considers insufficient what the Authority itself has incorporated into its clauses
informative, thus resulting in insufficient information in accordance with the RGPD,
rather, the fact of modifying the adopted criterion invalidating aspects without
motivation, or any justification, implies a clear situation of legal uncertainty,
contrary to the constitutional principle of prohibition of arbitrariness contained in the
article 9.3 of the Spanish Constitution; principle that implies that the authorities do not
can make arbitrary decisions, understanding by such, those that suppose a
infringement of the principle of equal treatment of the administered before the application of
the law and the objectively determined rules.
Second, the amounts of the previous sanctions in cases of fact
Similar are not comparable to the proposals in this case.
Specifically, we must bring up the Penalty Procedure
PS / 00097/2019, in which, after having analyzed the contracting system and the
information provided to each of the intervening parties, both the representative,
as the represented, the file of the file is dictated, thus validating all the
documents that accompanied the procedure, that is, the related documentation
to the hiring process.
Likewise, it should be noted that, last March 2019, EDP ENERGÍA, also
received file of actions of the request for information E / 04707/2018,
initiated after complaint filed by Mr. BBB . In this case, the AEPD resolves
that it is not appropriate to process the claim received, considering, therefore, the
contracting procedure and documentation provided, in accordance with Law.
As in the first section of this point, the proposed sanctions, carried out
Without motivation, or due justification, they go against legal certainty, a principle
constitutional established in article 9.3 of the Spanish Constitution, as well as against
the principle of legal foundation. In other words, any decision made by
the AEPD must be objective, well-founded and typified.
In this sense, it is worth mentioning the Judgment of the Supreme Court of the 3rd Chamber
of the Contentious-administrative, Section 3, Judgment of May 13. 2015, Rec.
28/2013, in which the interested party, appeals in cassation, stating among others
allegations the infringement of the principles of interdiction of arbitrariness, security
legal and equality established in articles 9.3 and 14 CE, pursuant to article
88.1.d) LJCA and the Court uphold said motivation. Of this resolution, it is worth highlighting
the next:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 52
52/136
“C) The constitutional requirement of the reasons for the judgments, included in the
Article 120.3, in relation to 24.1, of the Constitution, appears justified, without further ado
to emphasize the ends to whose achievement it tends, which, above all, aspires to
patent the submission of the Judge or Court to the rule of Law and contributes to achieving the
conviction of the parties in the process about justice and the correctness of a decision
judicial, facilitating the control of the sentence by the Superior Courts, and operates
as a guarantee or preventive element against arbitrariness.
d) The breadth of the reasons for the judgments has been qualified by the doctrine of the
Constitutional Court, indicating that it does not authorize to demand judicial reasoning
exhaustive and detailed of all the aspects and perspectives that the parties
may have of the question to be decided, but must be considered sufficiently
motivated those judicial decisions that are supported by reasons that
make it possible to know what the essential legal foundational criteria have been
of the decision, that is, the "ratio decidendi" that it has determined (judgments of the
Constitutional Court 14 / 1991,28 / 1994,145 / 1995 and 32/1996, among many others). A) Yes
It has been recognized by the Constitutional Court itself when it refers to the fact that it is not
an exhaustive or exhaustive examination of the arguments of the parties is necessary, and
when it even allows argumentation by references to reports or other
resolutions. The Judgment of the Constitutional Court nº 122/94 of April 25, affirms
that this right to motivation is satisfied when the judicial decision in a manner
explicit or implicit contains reasons or elements of judgment that allow knowing the
criteria on which the decision is based "."
As a result of the foregoing, it should be noted that the AEPD identifies as an example of a sanction, the
Penalty procedure with file number PS / 0025/2019, since
supposes a procedure of EDP COMERCIALIZADORA, SAU that is in
contentious and therefore does not become firm. Therefore, it cannot be considered a
file that affects the diligence operated by EDP ENERGÍA, nor can it be
considered as an antecedent, since this sanction is not yet final.
Likewise, with respect to the rest of the files brought up in the Agreement
of Initiation of Sanctioning Procedure, PS / 00101/2018, PS / 00363/2018 or
PS / 00109/2019. In Ref .: PS / 00236/2020 EDP ENERGÍA Penalty Procedure
54 as for the first file, the same despite having been paid for soon
payment, in no case EDP ENERGÍA accepted the facts and the infringement that had
been charged, having debated the interpretation of the AEPD throughout the entire
Penalty Procedure, which is why such payment could not be interpreted as
break-in. In the case of file PS / 00363/2018, as in the previous one, in
Each of EDP ENERGÍA's responses defends both the legitimacy of the
treatment, such as the contracting procedure, a procedure that the AEPD does not
had described at no time as not very transparent, insufficient and imprecise,
characteristics considered by the AEPD that are given in this procedure
taking into account that the same information has been used in each of the
files
B. LACK OF PROPORTIONALITY.
At this point, it should be remembered that the principle of proportionality is a principle
General of Law. Reason why, the AEPD must take this principle into account
both when determining the evaluation criteria, and when determining the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 53
53/136
applicable sanction, a principle that, as can be seen from the procedure, from the beginning
of the investigation and said in the strictest sense of defense, it has not been
applied by the AEPD in the Agreement to Start the Penalty Procedure.
In short, analyzing each of the alleged infractions that are attributed to me
represented, it is only possible to interpret that there is an absolute disproportionality in
the interpretation made by the AEPD in this Agreement for the Beginning of
Penalty Procedure, not only because it lacks motivation when it comes to
consider the alleged offense to have been committed, but because of the fact that the sanctions
Proposals escape any criteria previously assessed by the company itself.
AEPD.
And therefore, at least the correction by the AEPD corresponds, in case of
not consider the due cancellation and archiving of the proceedings, assuming therefore
a substantial reduction of each potential infraction to its minimum degree, reaching
even upon warning, due to the absence of any non-compliance, lack of motivation and
disproportionality.
C. DUPLICITY OF SANCTIONS AND COMPLIANCE WITH THE "NE BIS IN PRINCIPLE
IDEM"
An aspect is derived from the Agreement to Initiate Sanctioning Procedure that has
been pointed out at various points in the present allegations thereto, and
whose relevance cannot be ignored. Thus, the infractions that are indicated are
reiterations of the same facts, whose estimation would cause a notorious
duplicity in the sanctions imposed, either because they address circumstances
previously examined by the AEPD or because it estimates the concurrence
multiple infringements on the same fact.
In the first place, this Agency has pointed out the concurrence of a
infringement derived from the provisions of article 25 RGPD by estimating that they have not been
carried out the appropriate actions, referring to the adequacy of the
procedures that are implemented for contracting by third parties. Without prejudice to
the arguments that have been expressed in the corresponding First allegation, to
to which we refer for brevity, it is relevant to note that the appreciation of the
commission of infringement derives from events that, prior to it,
have been previously analyzed by the AEPD. This has meant that, considering the
concurrent casuistry in the same, this was sanctioned in a procedure that,
the date, is appealed.
From the foregoing, it should necessarily follow that the imposition of the
infringement causes the production of new facts that motivate the imposition of
the proposed sanctions. Well, neither is this the casuistry that concerns us,
there have been no new claims or circumstances that have led to the AEPD
to this Agreement for the Initiation of Sanctioning Procedure. Certainly the
imposition of the sanction that is proposed would suppose that, before a fact that has been
evaluated and resolved or punished by the corresponding authority, be it again
examined from the same perspective or, on the contrary, that, in the absence of
materialization of said risk, said sanction would be imposed based on conducts
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 54
54/136
that could potentially lead to non-compliance, but whose production is, to
the date, nonexistent.
Secondly, the AEPD makes use of different normative precepts to
sanction the same act, by simultaneously constituting the commission of three
infractions, although each of them is based on non-compliance with the
duty of information regulated in article 13 of the RGPD
In this sense, as has already been advanced in the previous allegations, although the
Agreement to Initiate Sanctioning Procedure part of the applicability of three
differentiated offenses, corresponding to articles 6, 13 and 22 of the RGPD,
all of them are based on deficient information and ignorance of the
user of the object of the consent request. Thus, the argumentation that embodies
to substantiate your consideration regarding obtaining consent
insufficient, it is indicated that:
"It is considered that the consent thus given is not adjusted to the provisions of
the RGPD and the LOPDGDD. A consent with information is requested
deficient, inasmuch as it does not indicate which third-party databases will be consulted or what
type of data will be collected, so that the interested party is completely unaware
which is what you are consenting to. Nor is it determined who will be responsible
treatment, a generic reference is made to EDP, without the client having
contracted a service only with one of the two entities (EDP
COMERCIALIZADORA SAU or EDP ENERGÍA, SAU) know if you are consenting
that such treatments are carried out by both entities or only the one of which
is a customer. Nor is it clear what type of services will be allowed to contract or not.
Such deficiencies do not allow the interested party to know the consequences of their
decision and thus assess the convenience of giving consent or not. " (Page 46
of the Agreement to Initiate Sanctioning Procedure).
Similarly, regarding the alleged violation of article 22 RGPD, relating to the
commission of automated decisions, the AEPD in its own written Agreement of
Initiation of Sanctioning Procedure, after collecting the aspects related to the
treatment of data in which there are automated decisions, collects the following:
“From all this it can be concluded that the consent given for such purposes does not
is in accordance with the provisions of article 4.7 of the RGPD as long as it is not
duly informed in general, the requirements are not met
specific information established in article 13.2 for decisions
automated and is not specific. The absence of such requirements determines that
the same is not valid so that the treatments based on it lack
legitimation, thus contravening the provisions of articles 6 and 22 of the RGPD. "
(Page 47 of the Agreement to Initiate Penalty Procedure).
In light of the foregoing, each insufficiency mentioned, derives cumulatively, to the
potential breach of article 13 of the RGPD, regarding the duty of information.
For these purposes, the presentation made by
that Agency of two infractions derived from the absence of legitimation basis
sufficient as it is not informed consent and, simultaneously, another infraction
due to the lack of transparency in the information provided. About it, well
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 55
55/136
It is known by the AEPD that our jurisprudence has reiterated in many
occasions as a fundamental principle of Law, that the same fact cannot be
sanctioned twice. The application of this principle non bis in idem supposes
a manifest impossibility of imposing two or more administrative sanctions, for a
same fact, whenever a factual identity occurs, it is attributed to a
same subject and are imposed on the basis of a common foundation in what is
refers to the protected legal asset.
Therefore, there is no doubt that, if the AEPD's assessment is applicable
of the commission of an infringement by EDP of the facts presented regarding
to the articles indicated, it will require the necessary concurrence of applicable laws. On
In this sense, it is essential to bring up the provisions of article 29.5 of the
LRJSP, which states that:
"When the commission of an offense necessarily results in the commission of another or
others, only the sanction corresponding to the most infringement must be imposed.
serious committed. "
Without prejudice to the scarce jurisprudence derived from said precept, as a result of its
previous regulation (Royal Decree 1398/1993, of August 4, approving the
Rules of Procedure for the Penalty Power), our Courts
have preached that, for the assessment of the aforementioned contest, the regulations
“(…) Requires, for the application of the medial contest, a necessary derivation of some
infractions with respect to the others and vice versa ”(Judgment of the Supreme Court of 8
February 1999).
In application of this precept, there are favorable judgments of the Chamber of
contentious-administrative law of the National Court that, in analysis of the matter
it concerns us, explained that:
"Accordingly, this Chamber considers that in the present case there is a
direct connection between the violation of article 6 (treatment of character data
without the consent of the affected party) and the violation of articles 4.3
(treatment of inaccurate data), both of the LOPD. Connection highlighted
due to the fact that the treatment of the complainant's data without his consent,
is carried out only in communication by letter (of the information
about the movements of the TPV of Cortefiel) to his old address, which is what gives
place to the complaint presented by him, and that by not correcting it (precisely because
said incorrect treatment did not have any economic or accounting reflection in said
Bank), is maintained in the different communications by letter made. That is, such
and as indicated by the plaintiff in the lawsuit, it turns out that the treatment that has
consisted, exclusively, of improperly including some data of the affected party in a
report of operations that do not refer to it, can only be produced without mediating its
consent, so that the non-consensual treatment of data of article 6.1 LOPD
It necessarily derives from the improper or erroneous treatment thereof (Art 4.3).
Therefore, the aforementioned article 4.4 of the Regulation for the
exercise of the sanctioning power, therefore, since both offenses are the same
gravity, it is necessary to impose a single sanction 60,101.21 Euros, which is considered
be in this case the one corresponding to the infringement of the principle of treatment not
consented, in which the infringement of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 56
56/136
data quality principle, both of article 44.3.d) LOPD. " (Judgment of 19
November 2009, rec 338/2009)
In light of this, even though the precepts of the
regulations that preceded the RGPD and would cover a differentiated scenario, there is no doubt
that the National Court appreciated the appropriateness of estimating the concurrence of
offenses based on a medial contest among the offenses contemplated
in the data protection regulations, when necessarily the commission of a
requires the production of the other. In this regard, said Hearing states that,
if there is a single action from which two offenses could be derived, it can only be
be taken into account the most serious. In the same way as in the aforementioned case,
in which the improper obtaining of a data necessarily caused a treatment of
inaccurate data, in the case that concerns us, the consideration by this AEPD of
an illegitimate obtaining for not complying with the principles defined by the RGPD for
determine that consent is informed and unequivocal, it must be subsumed
in the assessment pertinent to the duty to inform, not allowing in any way the double
assessment indicated in the penalty proposal.
Therefore, as stated by the AEPD in this procedure, there is no room,
apply different regulatory precepts (articles 6, 22 and 13 of the RGPD) in a way
independent, to sanction on a potential infraction directly related
with the fulfillment of the duty of information, having in any case eliminated the
sanctions proposed in the Penalty Procedure Agreement.
D. LACK OF RELEVANT EVIDENCE FOR IMPUTATION OF THE INFRINGEMENT
AND CORRESPONDING IMPOSITION OF THE PENALTY.
It is necessary to bring up the inquisitive principle or of dominant officiality in the
administrative procedure, which implies that the administrative authority is the
obliged to proceed to the verification of the alleged facts through the ex practice
office of the pertinent tests, thus dominating the principle of material truth. A) Yes
Therefore, in the administrative procedure it is an essential requirement that all
affirmations made are subjected to confrontation with the facts, falling
on the competent authority the accreditation of the same, in order to guarantee the
legal certainty required for the sole purpose of complying with the purposes of the
Public Administration .
Likewise, it is pertinent to point out the provisions of article 53 of Law 39/2015 of 1
October, of the Common Administrative Procedure of Public Administrations,
regarding the presumption of innocence and the non-existence of responsibility while
not to be proven otherwise.
For more abundance, reference should be made to the Judgment of the Court
Constitutional 76/1990, of April 26, 1990, Rec / 695/1985 that delimits the scope
and respect for the presumption of innocence in the sanctioning procedure and that indicates
the next:
“Indeed, it cannot raise any doubt that the presumption of innocence governs without
exceptions in the sanctioning system and must be respected in the imposition
of any sanctions, be they criminal, administrative in general or tax
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 57
57/136
in particular, since the exercise of ius puniendi in its various manifestations is
conditioned by art. 24.2 CE to test set and procedure
contradictory in which they can defend their own positions. In this sense, the
The right to the presumption of innocence entails: that the sanction is based on acts or
means of probative or incriminating charges of the contested conduct; that the load
of the evidence corresponds to the accuser, without anyone being obliged to prove their
own innocence; and that any insufficiency in the test result,
practiced, freely valued by the sanctioning body, should be translated into a
acquittal.
Likewise, we cannot affirm that the evidentiary activity carried out by the
Administration can be considered of charge, and, in the event that this body
so consider it, (STS of December 18, 2000- RJ 2000/92) it has been
fully disproved by means of the statements made by this party, thus
as well as through the documents attached to this lawsuit.
Similarly, the jurisprudential line followed by
Constitutional Court in its judgment of February 20, 1989, in relation to the
principles and guarantees of criminal judicial procedure applicable to the procedure
administrative sanctioning and, which indicates "Our doctrine and criminal jurisprudence have
been arguing that, although both may consider as manifestations of
a generic favor rei, there is a substantial difference between the right to presumption
of innocence, which develops its effectiveness when there is an absolute lack of evidence
or when those practiced do not meet the procedural guarantees and the principle
jurisprudential in dubio pro reo that belongs to the moment of the valuation or
evidentiary appreciation, and that has to judge when, that activity concurs
indispensable evidence, there is a rational doubt about the real concurrence of
objective and subjective elements that make up the criminal type in question "
Regarding these criteria, the Spanish Agency has ruled, agreeing on the
file of proceedings (E / 04684/2017) and stating the following literally:
“(…) For this reason, it is necessary to review in relation to the principle of presumption of
innocence that, to the Administrative Penalty Law, due to its specialty, are
application, with some qualification, but without exceptions, the inspiring principles of the
criminal order, being clear the full virtuality of this principle of presumption of
innocence. In this sense, the Constitutional Court, in Sentence 76/1990, considers
that the right to the presumption of innocence implies “that the sanction is based on
acts or means of proof of charge or incriminating the reproached conduct; what
The burden of proof rests with the accuser, without anyone being obliged to prove
his own innocence; and that any shortcomings in the test result
practiced, freely valued by the sanctioning body, should be translated into a
acquittal ”. In accordance with this approach, it is necessary to
account that they can only be sanctioned for acts constituting an infringement
administrative the natural and legal persons who are responsible for the
themselves by way of fraud or fault ”(…) Ultimately, the application of the principle of
presumption of innocence prevents the imputation of an administrative offense when
has obtained and verified the existence of a proof of charge accrediting the
facts that motivate this accusation. (…)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 58
58/136
Finally, review the Judgment of May 25, 2001, issued on appeal
administrative litigation by this National Court, to number 29/2000,
pronounce on the imposition of a sanction based on a presumption
carried out by the Agency, and rules that “(…) the Chamber, as we went on to
reason, from the assessment of the evidence in the administrative file, it reaches
the conclusion that this integrating fact of the
type, that is, it is not proven that the Bank delivered to Mr. ... the respective extract,
This concrete fact provokes serious doubts, in the face of the required certainty ”. Y
concludes by stating that without denying that the events could have occurred as indicated in the
the complainant, neither can the possibility that the extract was not
given to the husband by the Bank, but that he obtained it by taking advantage of some
visit to the home or through the action of a relative, said in terms of
pure hypothesis ”.
In this same sense, the Superior Court of Justice of Madrid ruled in
Judgment of 02/21/2001, in which it states that “The only evidence of the prosecution, of which the
APD infers the responsibility of the appellant, it is the fact that it was the ex-husband
of Dña ... who will provide the lawyer with said extract that was contributed to the incident
modification of measures, and it must be agreed with the appellant that the possession of the
Extract, in the opinion of this Chamber, is insufficient circumstantial evidence to destroy its
presumption of innocence since, certainly, said extract could reach the possession of
D ... through channels other than direct delivery by the bank, for
what not being proven any of these hypotheses, this reasonable doubt
about the way in which the ex-husband obtained the bank account statement
The complainant must always operate for the benefit of the sanctioned, proceeding, in
Consequently, uphold his claim to annul the sanction imposed for lack of
sufficient proof of the appellant's participation in the delivery of the bank statement
to a person other than the account holder ”.
In short, appreciating the various criteria that the body has taken into account
competent in data protection when carrying out the file of
actions in those cases in which it is considered that there is a lack of evidence
and in which the jurisprudential lines outlined have been followed, this part
considers that the legal guarantees that any procedure should not have been protected
respect.
E. LACK OF LEGAL FOUNDATION
As we have stated throughout this writing, the alleged infractions
committed by my client, have not taken place, so it has not materialized,
nor is there any possibility that EDP ENERGÍA has infringed the aforementioned
articles following what is alleged by the AEPD in the Agreement to Start the Procedure
Sanctioner.
It should be noted that any sanctioning procedure and, where appropriate, the sanction
resulting, must be motivated, grounded, and even more decisive, must comply
with the due principle of legality, typicity. As a result of this aspect, it is brought up
the Sentence of the Superior Court of Justice of Catalonia, number 870/2019,
Rec: 454/2016, from which we extract the following:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 59
59/136
"The due effectiveness of the principle of typicity in administrative sanctioning matters
whose requirement certainly derives from our administrative order
sanctioner, also in tax matters, as a manifestation of the guarantees
formal and material that are contained in the constitutional principle of legality
sanctioning ex article 25.1 of the Constitution, and which previously included article 129 of
the already repealed Law 30/1992, of November 26, on the legal regime of
public administrations and the common administrative procedure, applicable to
this case additionally for temporary reasons (and today Article 27 of the Law
40/2015), as well as in this specific tax order, article 178 of the Law
58/2003, General Tax, taking into account the implicit content of the aforementioned precept
constitutional (Article 25.1 of the Constitution), despite its remarkable laconism
(Constitutional Court ruling number 34/1996, of March 11), in which
has highlighted the so-called material guarantee of the principle of legality (among others, and
Since the ruling of the Constitutional Court 42/1987, of April 7, the
Judgments of the Constitutional Court 3, 11, 12, 100 and 101/1988, of June 8, 161,
200 and 219/1989, of December 21, 61/1990, of March 29, 207/1990, of December 17,
December, 120 and 212/1996, 133/1999, of July 14, 142/1999, of July 22, and 60 and
276/2000, of November 16), which is identified with the traditional principle of
typicity of the offenses and administrative sanctions and that requires a determination
previous and certain regulations of the specific conduct or conducts that by action or
omission is deemed to constitute a fault or an administrative offense, with
prohibition of any analogue or extensive interpretation in malam partem
(Constitutional Court ruling 125/2001, of June 4, citing the
Judgments of the Constitutional Court 81/1995, of June 5, 34/1996, of
March, 64/2001, of March 17, and 113/2002, of May 9), being likewise
jurisprudential doctrine already well consolidated which teaches that in the exercise of its
sanctioning administrative power the acting sanctioning administration does not
responds, properly, to the exercise of an administrative power of essence or of
discretionary trend but predominantly regulated for the application to each case
concrete sanctioning regulatory framework pre-established with a general character in the
applicable sanctioning legal system, which implies, from the outset, the
requirement of the necessary adequacy and rigor in the qualification of the facts
accused and in their punctual incardination and adequate subsumption in the offending type
legally defined for its correction, in such a way that the opposite, certainly,
it would be a determining factor of violation of the subjective fundamental right before
pointed out and all recognized by the current constitutional text ex article 25.1 of the
Constitution (rulings of the Constitutional Court 77/1983, of October 3, and
3/1988, of January 21), which, because it is susceptible to constitutional protection, would
incur in an eventual administrative sanctioning action that violates the same in
the defect of nullity of full right previously provided for by article 62.1. a) of the
Repeated Law 30/1992, applicable to the case for temporary reasons (today Article 47.1. a)
of Law 39/2015) "
For more abundance, article 89 of Law 39/2015, of October 1, on the
Common Administrative Procedure of Public Administrations, which includes the
following: 1. The investigating body will resolve the completion of the procedure, with
file of the proceedings, without the need to formulate the proposal for
resolution, when the procedural instruction shows that
any of the following circumstances concur:
a) The non-existence of the facts that could constitute the offense.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 60
60/136
b) When the facts are not proven.
c) When the proven facts do not manifestly constitute an infringement
administrative.
d) When there is no or it has not been possible to identify the person or persons
responsible or appear exempt from liability.
e) When it is concluded, at any time, that the infringement has prescribed.
In the present case, both a), b) and c) concur, which is why, no
Therefore, it would be possible to continue with the sanctioning procedure initiated, having to
resolve, where appropriate, the file of the proceedings, a request that we present to the
AEPD on a repeated basis, since as evidenced in the present
writing, nor have the offending acts been committed, nor are the
alleged infringing conduct, nor the interpretation and sanctions proposed by the
AEPD are motivated.
THIRTEENTH: Received the allegations made by EDP ENERGÍA, SAU
to the agreement to initiate the referral procedure, noted that in the document
attached to them called "annexes 1, 2 and 4" it is stated that "given the
technical limitations of the electronic office for the presentation of the content of the
Annexes 1, 2 and 4, these are presented by means of a link to a folder ”, indicating
a link to a website and a password, in writing, dated October 3,
2020, a period of 5 business days is granted to present the documentation that
It appears in said document in the Registry of this Agency through the Headquarters
Electronic, for the purposes of registering the documentation
presented, its origin and its integrity.
On October 8, 2020, the
following documents:
Appendix 1:
- Annex 1.a) Risk analysis methodology and implementation of DPIAs
- Annex 1.b) RAT contracting EDPE
- Annex 1.c) RAT risk assessment- EDPE contracting
- Annex 1.e) Impact Assessments -Risk Assessments
- Annex 1.f) Impact evaluations - Reports
Appendix 2 :
- EDP Methodology_Privacy by Design by Default
- Operational Instruction Privacy by Design & Privacy by Default
- PbD form
- Flowchart Procedure Privacy By Design and Privacy by Default
-
Regarding these documents:
- A risk analysis methodology is provided, whose history of
versions dates version 1.0 on 11/24/2017, indicating in the notes of
revision which is an "initial version-working document" and version 1.1 is
dated 05/11/2108 indicating the revision notes “revision prior to the
application of the RGPD ”. There is no evidence that any review has been carried out
later. Various annexes are provided, the date of which does not appear, specifically
These annexes are the following: 1.b) RAT contracting EDPE
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 61
61/136
- Annex 1.c) RAT risk assessment- EDPE contracting
- Annex 1.e) Impact Assessments -Risk Assessments
- Annex 1.f) Impact evaluations - Reports
The document contained in annex 1.b RAT, contracting EDPE, whose date does not
It consists, includes a treatment purpose not included in the Activity Register
of treatment sent to this Agency on June 17, 2020. Specifically
said treatment that is now included has the following content:
Responsible: EDP Energía SAU
Purpose of the treatment: "Carrying out Scoring of customers of the B2C segment prior
to hiring ”,
Description: “Scoring of customers in the B2C segment prior to the
contracting according to the internal pending debt and information from
solvency (ASNEF). "
Category of data holders: "Clients and potential clients."
Category of personal data processed: "Identifying data and economic data."
Legal basis for carrying out the treatment: "Satisfaction of legitimate interests."
Period of conservation of personal data: “5 years from the end of the
contractual relationship. The certain, past due and enforceable debt derived from the execution of the
contract will be maintained until its cancellation or the limitation period of the actions
pertinent legal recovery. "
Data transfers (data recipients, other than those in charge of the treatment):
“ASNEF is jointly responsible for the treatment, according to the signed agreement
with ASNEF. "
Categories in charge of treatment: The box has no content.
International data transfer: No
Annex 1.c) under the name “RAT Risk Assessment- EDPE Contracting”, whose
date is also not reflected in the document, it contains a risk analysis, in the form
of matrix, the same as that presented on June 17, 2020, although they have added
two columns under the title “treatment requires PIA”, the two titled “Nº of
EDP-W29 criteria ”, the first indicates a number that seems to correspond to
its title and the second indicates the need to carry out an evaluation of
impact. In said matrix there is also a new treatment whose purpose is the
"Scoring clients in the B2C segment prior to hiring."
Various documents entitled impact evaluations are provided, whose date
Nor is it recorded, these impact evaluations are the following:
-Risk assessment of B2C client scoring prior to hiring,
in which, among other threats, the following are indicated:
- “the basis that legitimizes the treatment is not adequate, is illegal or has not been formulated
adequately ”, whose probability is set as high, with an impact rated as
very high and resulting in inherent risk High. Regarding the controls implemented
Faced with this threat, it is stated that “the legal basis of the treatment is to satisfy a
legitimate interest (fraud prevention) ”.
- “At the time of data collection, the minimum information is not provided
provided to the person or no information is provided. " In this case
it is considered that neither the probability nor the impact “does not apply, nor is there a risk
inherent, the controls being the “Data Protection clause included in the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 62
62/136
contract signed with the client with all the information required by the RGPD ”and the
"Information provided to the client prior to carrying out the scoring process"
-Evaluation of channel leads to be converted by telemarketing.
-Evaluation of risks Telemarketing upselling and dropouts.
-CAC channel risk assessment to clients or potential clients (inbound).
-Evaluation Channel OOCC clients and potential clients.
-Risk evaluation of third-party stores for sale to potential customers.
-Evaluation of External Sales Forces through Stands at Fairs and Centers
Commercial.
In all these impact evaluations, threats are considered among others
many, those related to the fact that “the basis that legitimizes the treatment is not adequate, it is
illegal or has not been properly formulated ”and“ at the time of collection of the
data is not provided the minimum information provided to the person or is not
provides no information "In both cases the probability is valued as high,
the impact as very high and the inherent risk high. Controls are mentioned
adopted, referring to the legitimizing basis of the treatment in the first of the cases
and to the "Data Protection clause included in the contract signed with the client
with all the information required by the RGPD ”in the second. They are described among the
checks in progress for both threats on all channels except channel
OOCC, “the implementation of a new contracting procedure through
representative, incorporating the sending of an SMS / Email message through which the
provides the basic information necessary in terms of data protection to the owner of the
contract."
The date on which the actions in progress were incorporated into the
corresponding impact evaluations.
FOURTEENTH: On 03/11/2021, a resolution proposal was issued in the
following sense:
FIRST: That the Director of the Spanish Agency for Data Protection
sanction the entity EDP ENERGÍA, SAU, for a violation of article 25 of the
RGPD, typified in article 83.4.a) and classified as serious for the purposes of
prescription in article 73.d) of the LOPDGDD, with a fine in the amount of
500,000 euros (five hundred thousand euros).
SECOND: That the Director of the Spanish Agency for Data Protection
sanction the entity EDP ENERGÍA, SAU, for a violation of article 13 RGPD,
typified in article 83.5.b) and classified as mild for prescription purposes in the
Article 74.a) of the LOPDGDD, with a fine of 1,000,000 euros (one
million euros).
THIRD: That, due to lack of evidence, in application of the principle of presumption of
innocence, it is declared not attributable to EDP ENERGÍA, SAU, the violation of the
established in articles 6 and 22 of the RGPD.
FIFTEENTH : EDP ENERGÍA, SAU has been notified of the aforementioned proposal
resolution, said entity submitted on 03/15/2021 a document in which it was
it requested an extension of the term to formulate allegations. Granted the extension of
term, on 04/08/2021, a written statement of allegations was received at this Agency, in the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 63
63/136
that it is requested that the file of the sanctioning procedure be agreed or,
alternatively, the substantial reduction of each proposed sanction to its amount
minimum or its substitution even, by the warning, in its case. Bases its
petitions in the considerations summarized below:
ACQUISITION OF THE COMPANY SUBJECT TO THE SANCTIONING RECORD
On a preliminary basis and for clarification purposes, EDP ENERGÍA informs
of this Agency that on December 1, 2020, Total Gaz Electricité Holdings
France (“Grupo Total”) acquired 100% of the shares of EDP ENERGÍA. What
As a result of the foregoing, the migration of the website has been carried out
*** URL.1 to a new transitory domain (www.edpresidencialbytotal.es) and they have
modified email accounts that were previously under the
domain @ edpenergia.es.
FIRST.- ALLEGED BREACH OF ARTICLE 25 OF THE RGPD:
(i)
The contracting process through a representative is in accordance with the
normative:
The arguments presented in the allegations to the proposal of
resolution, relating to the freedom of form of the mandate contract in accordance with
provided for in the civil code, in particular it insists that “In this case, it does not seem
that such a wide freedom of form is compatible with obtaining evidence of
the existence of the representation or mandate, beyond the manifestations of the
agent, protected by good contractual faith. Likewise, there is little
understandable that a separate consent is required for the treatment of
your data or a confirmation of the order by the principal, since this
would imply denaturing the representation, inasmuch as it would be absurd that who is
designated for the conclusion of a contract in favor of a third party cannot facilitate
the data of the person on whose behalf it acts, or that confirmation is necessary
separated from it to authorize said communication, since the need to
Addressing the represented person directly would make the representative's intervention useless,
since it would be meaningless. (the underline is from the entity that formulates
the allegations)
Likewise, and in relation to the possibility that the represented party may provide
additional consents to the hiring itself, it should be noted that this
possibility may well have been authorized by the represented in a way
specific, but as the same freedom of form governs for the granting of this
power (which the norm does not oblige in any case to provide in writing), nor is it
its reliable accreditation is required at the time of hiring ”.
Certainly, article 1725 of the Civil Code provides that the third party may request the
agent that gives him knowledge of his powers to determine if the contracting
is within their perimeter or if you are assuming the risk that the
The principal does not subsequently ratify the actions of the agent. But this regulation is
translates into a burden for the agent, not for the third party, since the interests
that is to be safeguarded are those of the latter, and not those of the president nor
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 64
64/136
of the principal. Therefore, for the third party it is optional to ask the agent to
give knowledge of the powers with which it claims to act.
In the vision that the AEPD manages in the Resolution Proposal, this obligation
would be aimed, however, not to protect the interest of the third party in terms of
object of the contract made by the agent, but to preserve the interest of the
principal regarding the legitimacy of the agent to express the will of the
principal regarding the processing of their personal data by the third party.
However, this consequence cannot be extracted from the regulation of the Civil Code.
in terms of the mandate contract, in which - as we have just seen - the interest to
protect with the exhibition of powers of the agent is strictly that of the third party, and
not that of the principal, which, in the Civil Code scheme, is safeguarded at
through the power of ratification, the granting of which or not always remains in the hands
of the principal.
Thus, the risks referred to in the Proposal for Resolution (“can be
generate various risks, being able to be mentioned, as an example, the one consisting of
a processing of data of the represented without legitimation, the risk of impersonation of
identity or economic or other damages that may be caused to the
interested party ”) are not such: in the event that the agent has exceeded the
exercise of the mandate, the principal will not be bound by that action, except
his subsequent ratification, from which no harm may actually be suffered unless
that accepts - expressly or tacitly - what has been done by the agent a posteriori
From here on, and as optional power of the third party that contracts with the
agent, if and how the third party exercises that power depends on his will and the
circumstances of the hiring. In this sense, the fact that in hiring in
the channel of EDP ENERGÍA's own commercial offices requires the representative to
accreditation of their status as such, does not prove anything at all, unlike what
that says the Motion for a Resolution. Given that EDP ENERGÍA, as a third party that
contracts with the authorized person, has the power to carry out this verification or not, the
who does it on some occasions and not on others, or who does not do it the same in all
hiring channels, it is not a source of any obligation - which is not imposed or
by law or by contract - but a simple manifestation of the exercise of a permit.
At the doctrinal and jurisprudential level, the exercise of rights of the
personality through voluntary representation, particularly when it comes to
articulate the ad hoc authorization for specific acts of interference. That possibility is
must be understood as reinforced when the mandate to exercise a right of the
personality is linked to the empowerment to enter into a contract, of which said
Exercise is a conditioning or complementary element. Thus, the agent o
representative of an artist mandated to celebrate on behalf of his client
a lease for services to perform in a concert hall or
record a disc, it is commonly mandated to authorize the organizer of the
show or record company for the use of the artist's voice and image.
Similarly, those authorized to contract with EDP ENERGÍA on behalf of another
person, appear in the first place as subjects mandated for the concertation of the
supply contract, and concomitantly, because it is a factor
inherent in the hiring itself, they are also inherent to authorize employment and
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 65
65/136
treatment of the personal data of its clients. In this sense, it turns out
It should be noted that there is no doubt that the processing of data from the
represented that is necessary for the execution of the contract of which the represented
becomes a party, it should be considered a fully lawful treatment in light of the
Article 6.1.b) of the RGPD.
But in addition, as long as it is possible to establish that the president has standing to
take all relevant decisions within the framework of the recruitment process for the
that has been empowered, the consent that said agent provides on the
data processing of the represented party and that EDP ENERGÍA collects for one or more
specific purposes within the framework of the contracting process, allows to consider
The processing of the data thus obtained is equally lawful, ex article 6.1.a) of the RGPD
or any other basis of legitimacy. And it is that, who hires on behalf of another - a
Perhaps it is assumed that he acts in such condition - he must be able to provide the same
Consents regarding personal data that the interested party himself if he were
who will enter into the contract, and this whether the contract is concluded on-site in a
business office as if held by telephone.
It must be concluded, contrary to what the AEPD indicates in the Proposal for Resolution,
what:
(i)
EDP ​​ENERGÍA is not obliged to carry out with authorized third parties
that contract through the telephone channel or external sales forces
any verification of the existence and scope of its mandate, nor to
fortiori, this verification must be analogous to the one that eventually
carry out with those who contract through their own commercial offices;
(ii)
(ii) in the power to contract the service through an authorized third party
resides the power to give the consents inherent to the process of
contracting, including those related to the processing of personal data;
(iii)
and (iii) the legality of the treatment by EDP cannot be questioned
ENERGY of the personal data of those who contract with it through
from an authorized third party, either through its own commercial offices or by
through the telephone channel or through external sales forces, by the
simple fact of having contracted through an authorized third party, in
so much so that the legal basis for the processing of personal data of a
person acting through representation should be the same as
when acting on his own behalf.
(ii) EDP ENERGÍA has correctly assessed the real risks and implemented the
appropriate mitigating measures.
It reiterates that the risk assessments provided in this procedure are
in accordance with the data protection regulations and the AEPD guides, in force in the
timing of the analysis, and identify the actual risks applicable to the
different hiring processes.
The AEPD, in its Resolution Proposal, refers to hypothetical or theoretical risks
that he cites, in addition, merely as an example and of those that does not offer greater detail or
Explanation.
As explained in the previous point and in the Allegations to the Initiation Agreement,
These risks are non-existent or lack a sufficient entity for their
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 66
66/136
consideration. Thus, it can be affirmed against the list contained in the Proposal for
Resolution - not exhaustive since the list of the AEPD is a mere title
example -, among others: (i) that there is no risk of identity theft in
so much so that there is representation and mandate, (ii) that there is no economic damage to
those interested in that the cost is assumed by EDP ENERGÍA in any case; or (iii) that
there is no risk of a lack of legitimation basis as EDP ENERGÍA can
assume, in accordance with the aforementioned civil legislation and in accordance with the framework
legal applicable to these contracts, the existence of authorization to the agent
for the processing of data and (iv) that, in case of excess, the interests of the
principal are safeguarded by their right to ratify or not what has been acted upon by the
agent outside the limits of the mandate.
For this reason, EDP ENERGÍA has correctly assessed its own real risks
of the different contracting channels in accordance with a sound legal analysis
-and doctrinally and jurisprudentially supported- of the figure of the mandate in the
Spanish legal system and has implemented the appropriate mitigating measures
in relation to such risks. The risk analysis carried out is therefore consistent
and it was carried out in accordance with the legal institute of the civil mandate and its jurisprudence.
To the extent that the consistency of the analysis carried out has been established, the
AEPD must assess the analysis in accordance with these consolidated civil criteria or, if
on the contrary, the AEPD considers that a different legal criterion should be adopted and
contrary to that of civil regulations and its established jurisprudence, it must substantiate
in some way its legal basis in order to allow EDP ENERGÍA to understand it
and defense. In any case, the interpretation of the mandate by EDP ENERGÍA
in accordance with the regulations, jurisprudence and civil doctrine -including that relating to
personality rights - must be interpreted in good faith and excludes any
guilt on your part.
(iii) Hiring through a representative constitutes a very high proportion
minority of all contracts made by EDP ENERGÍA
It is essential to point out that contracting through a representative constitutes
a minority part of the total contracts carried out by EDP ENERGÍA. On
Specifically, of the total contracts that EDP ENERGÍA made in 2019, less than
16% corresponds to hiring through representatives of which in
less than 1.7% the representative and the represented would not have a relationship of
relationship.
Therefore, when the AEPD states that EDP's contracting procedure
ENERGÍA violates the principle of data protection by design, it does so
erroneously, in strict defense terms, as if the procedure
contracting in its entirety will violate said principle. Furthermore, when it comes to
quantify the sanction, the AEPD refers to EDP's global billing volume
ENERGY to quantify it, when it should exclusively take into account, and in its
case, the billing data (volume) generated by the eventual breach
alleged - relating exclusively to hiring by representation.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 67
67/136
It is striking that the volume of business taken in
consideration by this Agency is the year 2018, when it should consider the
business volume for the year 2019, as this is the “previous financial year”. From
In fact, for other issues, the Agency does take into account the 2019 data (for example
for the number of clients, which is also reflected on page 35 of the Proposal) and,
However, for the issue of turnover, consider 2018, clearly detrimental
of my represented, since the 2018 figure is more than double that of 2019
(in 2018 the turnover was 1,236,124,000 euros, while in 2019 it was
only 589,929,000 euros).
It should also be taken into account that, in any case, the AEPD could have invoked the
article 83.2.k) of the RGPD and article 76.2. (c) of the LOPDGDD (“the benefits
obtained as a consequence of the commission of the offense ”) to graduate the sanction
proposal. Therefore, in the hypothetical and eventual case that it is considered infringed
Article 25 of the RGPD, the maximum business volume obtained by EDP ENERGÍA
to take into account should be approximately 7,650,0002 euros, which is the amount
obtained “as a consequence of the [eventual] infringement”, that is, in the contracting
by representation, and not in the global hiring. In this sense, the volume of
Annual business hiring through a representative would represent 0.11%
(approximately) of the total annual business volume of the entire client portfolio
of EDP ENERGÍA.
Likewise, as the AEPD is well aware, of the aforementioned eight (8) claims,
there is only one sanctioning precedent for this entity, and must take into account
Consideration that the AEPD includes in its writing a procedure that has not yet
been resolved in a firm way (PS / 00109/2019), to the extent that it is
being the subject of the corresponding contentious-administrative appeal before the Chamber of
the contentious-administrative of the PS / 00236/2020 Brief of allegations to the
Proposal for Resolution 12/37 National High Court. It should also be mentioned that
even more so when, as has been repeatedly exposed to the AEPD by EDP
ENERGÍA, in the aforementioned case there was an evident use of good faith
contract of this entity, who assumed the cost of some services that had been
enjoyed by the client, who after months of using and paying for them, claimed that no
he had hired them.
That the AEPD's proposed sanction of five hundred thousand (500,000) euros has been
made in the Proposal for Resolution erroneously by attending to a factor not
provided for in the regulations (the volume of business and the status of large company) and by
take into account the volume of recruitment and the global profits of EDP
ENERGY -which include both direct contracting (majority) and contracting by
representation (minority) -, which has nothing to do with “the benefits obtained as
consequence of the commission of the offense ”to which the
article 83.2.k) of the RGPD and article 76.2. (c) of the LOPDGDD. Therefore, in a way
subsidiary and in the hypothetical case that the AEPD questions the validity of the mandate
civil law for the contracting procedures and declare the offense committed, the
quantification of the eventual sanction should be significantly corrected to have
take into account the real volume of business generated by contracting by representation
exclusively.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 68
68/136
In an administrative procedure of a sanctioning nature, counting how it did
the AEPD with objective and sufficient quantifying criteria in relation to the volume
(marginal) that the representation supposes, it is especially relevant the fulfillment
of the principles of proportionality of the sanction and legality and should, therefore,
have taken into account: (i) That the part that corresponds to the procedures of
representation hiring is a small and very limited part of the
EDP ​​ENERGÍA's global contracting procedure, and, therefore, it must be taken into account
account of the low magnitude of the contracting of the use of this type of
hiring at EDP ENERGÍA, being a minority hiring type. What's more,
as stated in the information provided in this procedure, there are
only eight (8) claims before the Agency during the years 2018-2019
(with respect to a total of 105,606 contracts made through
representative), which reflects the low relevance and materialization of the risks
attributed by the AEPD to the contracting process implemented by EDP ENERGÍA
Failure to comply with the principle of proportionality of the sanction proposed by the
Proposal for a Resolution -based on erroneous premises-, being as it is a principle
constitutional and basic law in criminal law and administrative sanctioning law,
generates a defenselessness to EDP ENERGÍA that must be corrected. The huge
difference between the 1,236,124,000 euros taken as a reference by this Agency, or
589,929,000 euros, which is the figure that the Agency should have taken into account
(for being the business volume of the year 2019), and the 7,650,000 euros of volume of
approximate business obtained by EDP ENERGÍA in 2019 as a consequence
hiring by representation should have a significant impact -reducing-
of an eventual sanction with respect to that contained in the Proposal.
Lastly, and without prejudice to the foregoing, despite the fact that EDP ENERGÍA does not consider
that their action deserves any legal reproach, in response to the suggestions
expressed by the AEPD, EDP ENERGÍA informs the AEPD that it has proceeded to
reinforce the recruitment process through an online representative with the
protocol that was already provided to the AEPD on July 16, 2020. This protocol,
that was submitted to the AEPD on a voluntary basis and before the beginning of this
sanctioning procedure, was aimed precisely at collaborating with this
Agency to reach an agreed procedure in matters of representation and that
satisfy the proposals that the AEPD may have. In the Arguments to the Agreement
of Start, EDP ENERGÍA also responded to the doubts raised by the AEPD in
regarding its content and implementation and confirmed that it is a procedure
with double verification by SMS and in compliance with the best standards of the
market. For these purposes, the AEPD must take into account:
(i) that EDP ENERGÍA proactively contacted in July 2020, without success, with the
AEPD to present a new protocol that proposed changes in the procedure
hiring by representation. Far from being considered, as does the
Proposal for a Resolution, negatively and against EDP ENERGÍA, that
proactivity as a sign of acknowledgment of guilt - the arguments of legality have already
previously stated-, the cooperation proposal with the AEPD should
be valued as a sign of good faith and of EDP ENERGÍA's firm commitment to the
compliance with data protection regulations and the improvement of its processes as well
as a mitigating circumstance in the graduation of the sanction (article 83.2.f) of the
GDPR);
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 69
69/136
(ii) that despite not obtaining a response other than the opening of this proceeding,
EDP ​​ENERGÍA, in light of the AEPD's comments on the Initiation Agreement and the
Proposed Resolution, has eliminated from its contracting procedure for
representation the possibility of requesting consents for marketing purposes
and commercials to which the AEPD refers on pages 107, 108 and 109 of the
Proposal. Attached as Documents No. 1 and No. 2 example of contract and script of
locution for the telephone channel that evidence this elimination. As in
EDP ​​ENERGÍA has adopted measures to adjust its procedure to the proposals
of the AEPD, this circumstance, in accordance with article 83.2.c) of the RGPD, must also
be considered as an extenuating circumstance for the graduation of an eventual
sanction, and
(iii) that EDP ENERGÍA confirms to the AEPD that the new protocol -with the content
communicated in July 2020- it is already implemented for all
hiring, since last January. It is attached again to this writing as
Document No. 3, the contract protocol for the aforementioned representative.
In document number 1 under the title durable support, a company acting as
Trusted third party certifies that the data included in the document are those that
They are recorded in your electronic communications and processes record. Such data is the
sending an e-mail with an associated URL, in relation to a contract,
informing the recipient that a person has made the contracting on their behalf
related to your energy supply / services. It is provided as a document
I enclose the contract, in which there are no references to consents for the
sending commercial communications or for the realization of profiling, and the
general contracting conditions.
Document 2 has the following content
Registration (representative) ML - Spanish
"[XXX] we are going to record your agreement. It is [hh: mm] on [dd] of [mm] of
[20XX]. [name and surname] with DNI [DNI number], such as
[husband / wife / child / attorney-in-fact / representative] and on behalf of the owner [name and
surname / company name] with DNI / CIF [DNI / CIF number] telephone [telephone] and mail
email [email] accepts EDP Residencial's offer for the address [address of
supply] consisting of [plan conditions -dto en la luz-] for [CUPS LUZ:
ES…] on the current EDP Residential price of electricity [price of power
(€ / kW month) and energy term price (€ / kWh)] and / or [plan conditions - gas discount]
for [GAS CUPS: ES…] and current EDP Residential gas price [term price
availability (€ / month) and energy term price (€ / kWh)]; and / or Works [annual price
of the service, conditions of the promotion plan works].
[If the collection date is not chosen] The chosen payment method is [direct debit
bank account in your current account / in the account ...] and will be charged on the indicated date
on the invoice.
[If the collection date is chosen] The chosen payment method is [direct debit
in your current account / in the account ...] and will be charged on a specific date, the
days [DD] of the month. In that case, the payment period may be less than or greater than the
20 days established in the regulations ".
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 70
70/136
On behalf of the client and after passing an analysis of the risk of the operation,
We will take the necessary steps to activate the access contracts, at the moment
from which the new contract will come into force.
The contract / s is / are not permanent and will have a duration of one year,
Extendable for the same period unless it is reported in advance of 15 days. This
in accordance with the above information and conditions of the contract / s? [Yes / Ok].
Thank you.
In a few days, your client will receive the contract (including document of
withdrawal) in duplicate, of which you will only have to return us signed one of the
copies in the self-postage envelope, you do not need a stamp, which we will attach to you.
Your client has 14 calendar days to exercise their right to
withdrawal. However, if you request it, we can start the procedures now.
In that case, if you subsequently withdraw from the contract, you must pay the amount
corresponding to the supply period provided. Do you want your recruitment to be
processed immediately? [OTHERWISE]
With the entry into force of the contract, your client will receive the invoice from EDP
Residential with all our advantages.
Your personal data and that of your client may be processed by EDP
Residential for the management of their contracts, fraud prevention, realization of
profiles based on customer information and EDP Residencial, sending of
personalized communications about related products or services, as well as
participate in sweepstakes, promotions and quality surveys, being able to oppose in
any moment.
[Read only legal persons calling on behalf of a business] In addition,
so that we can advise you with the best proposals: • Can you allow us to present you
to your client offers related to energy after the end of the contract,
or send you information on non-energy products and services, typical of companies
Collaborators? [YES / NO] • Can you allow us to complete the commercial profile of your
represented with information provided by third parties, to send you proposals
personalized? [OTHERWISE]
Shortly, the Distributor's technicians will contact you [remember
who must deliver the Individual Gas Installation Certificate, when they go to
register]. [Altas Gas] For your safety, we remind you of the legal obligation to
collaborate with your Distribution Company, facilitating access to its facilities.
This request has been registered with the code [we indicate the code] "
THIRD.- ALLEGED BREACH OF ARTICLE 13 OF THE RGPD
(i)
Regarding the information provided in the CAC Inbound Channel.
It indicates that it provides the information regarding the processing of personal data to
through a multi-layered system. Thus he reiterates that in all calls
incoming messages, a voiceover is automatically reproduced that informs of the following
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 71
71/136
“This call can be recorded. The data you provide us will be processed by
EDP ​​Energía, SAU and / or EDP Comercializadora, SAU to manage your request
or query. You can exercise the rights of access, rectification, deletion, opposition,
limitation and portability at any time. See the Privacy Policy at
our website edpenergia.es or press 0 "
It indicates that the address provided to users has been updated in the locution,
currently indicating edp-residencialbytotal.es/privacidad, so that, if the user
type that address in the browser, access -directly and easily- to the
information related to data protection.
The interested party can consult the second layer through the privacy policy of
the web page or by pressing 0. In this case, a voiceover is reproduced whose content is
the next:
"The use of this TELEPHONE CHANNEL does not oblige the user to provide any information
about himself. However, to use certain services or access certain
content, users must previously provide some personal data.
In the event that the user provides personal information, we inform you that the
data will be PS / 00037/2020 Brief of allegations to Resolution Proposal 15/37
treated by EDP Energía, SAU and EDP Comercializadora, SAU, with registered office at
Oviedo, Plaza del Fresno 2, 33007 and NIF A33543547 and A95000295 respectively, in
hereinafter "EDP", as data controllers, as established by the Regulation
General Data Protection ((EU) 2016/679), hereinafter "RGPD", and its regulations on
growth.
Specifically, your data may be processed, when the user so requests, to manage the
attention and follow-up of requests and inquiries directed through the website, as well as
for conducting surveys and participating in raffles, games and promotions.
The data requested will be mandatory and limited to those necessary to proceed with
the provision and / or management of the requested service, which will be conveniently informed in
the time of collection of your personal data. In case of not providing them or not
provide them correctly, the service will not be provided.
In these cases, the user guarantees that the personal data provided is true and is
is responsible for communicating any changes to them.
In the case of the procedures processed through the TELEPHONE CHANNEL and the registration in the
itself, the data processing carried out is based on the legal relationship derived from
your request.
The processing of data for conducting surveys is based on the legitimate interest of EDP
in order to improve the quality of the services provided to customers and / or users, being able to
oppose said treatments at any time, without affecting the legality of the
treatments carried out previously.
In no case may they be included in the forms contained in the TELEPHONE CHANNEL
personal data corresponding to third parties, unless the applicant
had previously obtained your consent in the terms required by article
7 of the RGPD, responding exclusively to the breach of this obligation and
any other regarding personal data.
The personal data of the users registered on the website may be transferred to the
Public Administrations that by law correspond, to other companies of the business group
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 72
72/136
for internal administrative purposes, and to the providers of the data controller
necessary for the proper fulfillment of contractual obligations.
Personal data will be kept for the duration of your supply contract with
EDP, in all other cases, during the time necessary to answer your requests or to
analyze the content of your responses to surveys. Once the relationship is over
contractual, answered their requests or analyzed their responses, as appropriate in
each case, your personal data will be erased, keeping the rest of the information
anonymized for statistical purposes only. Notwithstanding the foregoing, the data may
be kept for the period established to comply with the legal obligations of
maintenance of the information and, at most, during the prescription period of the
corresponding legal actions, and the data must be kept blocked during the
mentioned limitation period. After this period, the data will be deleted.
In application of the provisions of article 32 of the RGPD, EDP undertakes to comply with the
security obligations of those data provided by users, trying to establish
all technical means at your disposal to avoid loss, misuse, alteration, access not
authorized and theft of the data that the user provides through it, taking into account the
state of technology, the nature of the data provided and the risks to which they may
be exposed. Notwithstanding the foregoing, the user must be aware that the measures
security in the TELEPHONE CHANNEL are not impregnable.
EDP ​​will treat the user's data confidentially, at all times, keeping the
mandatory duty of secrecy regarding them, in accordance with the provisions of the regulations
of application.
The user can exercise their rights of access, rectification, deletion, opposition,
limitation and portability, as well as the revocation of the consents granted
previously, in the terms established by law, communicating it in writing to EDP, at the
following address: LOPD Communication Channel, Plaza del Fresno, nº2, 33007 Oviedo.
Likewise, you can exercise these rights by sending an email with your data
personal to *** EMAIL . 2 . In both cases, a photocopy of the holder's ID must be attached.
or document that proves your identity.
Likewise, you may contact the EDP Data Protection Officer, at the
following postal address: Plaza del Fresno, 2 33007 Oviedo or by email
*** EMAIL.1 , in the event that you understand that any of your rights related to the
data protection, or where appropriate, file a claim with the Spanish Agency for
Data Protection at the address Calle de Jorge Juan, 6, 28001 Madrid ".
In the hiring process, the following is reported again: “Your data
personal and those of its client will be treated by EDP Comercializadora SAU and
EDP ​​Energía SAU for the management of its contracts, fraud prevention, execution
of profiles based on customer and EDP information, as well as the performance of
personalized communications about directly related products or services
with their contracts, being able to oppose them at any time ”.
Therefore, it is not possible to blame a lack of information to those interested in the
incoming calls while the information referred to in the first informational layer
(ie, the one provided at the beginning of each call) complies with the information
necessary of article 11 of the LOPDGDD (that is, identity of the person in charge, purposes of
treatment and possibility of exercising rights) and a direct means and
easy to access the rest of the information (by accessing the website or
pressing 0). It is important to note that the speech of the first informational layer is
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 73
73/136
automatically plays at the beginning of each incoming call and, therefore,
Therefore, it is mandatory to listen to all interested parties who make a call. For
For this reason, all those interested before reaching the contract have already been
informed about the possibility of exercising their rights and how to access the
rest of information about the treatment of your data. Also, before the
contracting, EDP ENERGÍA reminds interested parties -through a second
locution- part of the basic information on data protection.
In accordance with article 13.4 of the RGPD, the obligation to inform does not apply
to the extent that the interested party already has the information; in the case that we
occupies, taking into account that the initial speech is reproduced automatically
In each call, it is sufficiently proven that any interested party who
puts in contact with EDP ENERGÍA through the CAC Inbound Channel receives the
information regarding the protection of personal data. In this sense, the Group of
Article 29 (currently known as the European Data Protection Committee)
indicated in its Guidelines on transparency under Regulation (EU) 2016/67
("Transparency Guidelines") that it should be understood that article 13.4 of the RGPD
It is applicable in those cases in which the information had been
provided, for example, in the previous six months. Regarding the Canal
CAC Inbound, not only would have spent a time clearly less than 6 months but
the time span can be measured in minutes, so it is clear that the
interested party knows, knows and remembers perfectly the information on protection of
data without it being necessary to reiterate this information
(ii)
Regarding the information provided in the Telemarketing channels and
Leads
It points out that this Agency questions the means to access the second layer
informative (ie, the General Conditions available on the website
edpenergia.es) be "simple and immediate"
It indicates that EDP ENERGÍA has accredited in this procedure what
following:
• First of all, the information on data protection (i) is clearly
identified within the general contracting conditions of EDP ENERGÍA
(in section 16 and entitled LOPD) and (ii) occupies one of the four
pages of the document, so its location is not lossy for the
interested.
Please inform this Agency that you have created a separate document containing,
exclusively, the data protection information of the conditions
general contracting, which is easily accessible through its own
website and at the following address: *** URL.5 ; and that also, the conditions
General contracting regulations continue to include the clause related to the treatment
of personal data, so that the interested party has various means to
through which you can access information easily.
• Secondly, it alleges that the way in which the information on the
The second layer of information can be diverse and, as such, has been recognized by the
data protection authorities. As indicated in the Allegations to the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 74
74/136
Initiation Agreement, when the contracting occurs, the conditions are sent
general contracting - which includes the specific clause regarding
Data Protection-; therefore, making this information available to
through the website should be understood as an alternative system and
complementary.
In this sense, the Transparency Guidelines expressly indicate that
“When the first contact with an interested party is by telephone, this
information [first informational layer] could be provided during the call with the
interested party and he could receive the rest of the information required under the
Article 13 or 14 by an additional means other than, for example, by sending you a
copy of the privacy policy by email or a link to the
online privacy statement / notice of the person in charge ”.
In accordance with the criteria of the competent authorities, including the AEPD, EDP
ENERGÍA would not have committed an infringement of the duty of transparency, as long as
that the complete information on data protection (with the required content
by the regulations) is contained within the general contracting conditions
which are sent to the interested party after hiring. The Transparency Guidelines
They also indicate that, depending on the circumstances of the collection and treatment
of the data, a data controller could be forced to use
additionally, other possible ways of transmitting the information to the
stakeholders applicable to the relevant settings as long as the information from the
first informational layer is transmitted in the first modality used to
communicate with the interested party. For this reason, EDP ENERGÍA complies with its
obligation of transparency when providing the information of the first informative layer
by telephone and the second layer of information in writing (either document
physical or electronic). It is also important to note that the most
transparent and suitable for the interested party to receive information about the treatment
of your personal data is including it together with the information about the
contracting the services, insofar as this is the circumstance with which the
relates the processing of your data and is, in addition, a document that the
interested party will retain during their contractual relationship with EDP ENERGÍA.
(iii)
Regarding the content of the information provided by telephone and in the
general conditions:
• Specification of the data controller:
The AEPD questions the clarity with which the interested party knows which entity acts
as responsible for the treatment, however, as accredited in the conditions
general contracting of EDP ENERGÍA (provided as evidence 6) of this
procedure, the client is informed about the identity of the person responsible for the
treatment through the privacy policy in relation to the conditions of
hiring:
Privacy policy: "the data will be processed by EDP Comercializadora SAU and
EDP ​​Energía SAU ”.
Specific conditions of the contract:
"The customer contracts, for the supply indicated, the supply of gas with EDP
Comercializadora, SAU and the supply of electricity and / or services
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 75
75/136
complementary with EDP ENERGIA, SAU, (hereinafter joint and / or
individually, as appropriate, referred to as “EDP”) in accordance with the Conditions
Specific that are collected below and the General Conditions in annex ”.
As explained in the allegations to the Initiation Agreement, information is included
on both entities while, depending on the service requested by the
interested party (gas and / or electricity), one or another entity will be responsible for the treatment
(or both if the interested party hires both services). Therefore, the
interested party -which has full capacity to contract and, therefore, is
assumes that you should be able to understand the terms and conditions that
govern such contracting, you are aware at all times that, depending on how you contract
the gas and / or electricity supply service, your data will be processed by one or
both entities.
• Purposes and bases of legitimation
It is alleged that neither article 13 of the RGPD nor any other legal precept requires that the
privacy policy list each purpose specifically indicating the basis of
legitimation that results from application. Even so, when it comes to treatments
subject to consent, if it is expressly indicated which they are.
In any case, as already indicated in the Allegations to the Initiation Agreement,
in the case of the bases of legitimation of "contractual performance" and "legitimate interest",
It is obvious to anyone who hires the supply services of
EDP ​​ENERGÍA that the treatments closely linked to the execution of the
contract such as “manage, maintain, develop, complete and control the
contracting supply of electricity and / or gas and / or complementary services of and / or
gas and / or complementary services of revision and / or technical assistance and / or program of
points, and / or improvement of the service ”find their basis of legitimacy in the execution of the
contract, being the other treatments assignable to the legitimate interest (e.g. the
carrying out fraud prevention actions or sending communications
commercial). Legitimate interests are clearly stated and placed in
relationship with the purposes pursued (that is, fraud prevention and
marketing, in relation to the sending of commercial communications
personalized) and since there is an identification between the reported purpose and the
pursued self-interest, making a separate allusion would be redundant.
• Profiling
It is stated in the allegations that in the Resolution Proposal, the AEPD considers
that, in relation to "profiling", it is not clear what its purpose is or
the legitimate interest that supports the treatment. In this sense, the AEPD states in
the Proposed Resolution as follows: “In this case, in the opinion of this
Agency, the information requirements described above. EDP ​​ENERGÍA, SAU, is
It limits to informing about the "profiling", but does not offer information
on the type of profiles to be made, the specific uses to which they will be
allocate these profiles or the possibility that the interested party can exercise the right
of opposition in application of article 21 of the RGPD. "
However, profiling is associated with sending communications
personalized commercials: “will be treated (...) for the purpose of (...) carrying out
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 76
76/136
profiles, personalized business communications based on information
provided by the Client and / or derived from the provision of the service by the / s
Marketer / s and related to products and services related to the supply and
energy consumption, maintenance of facilities and equipment ”.
While the wording could have included “for the submission of” (that is, the text
out "as well as making profiles for sending commercial communications
based on information provided by the Client (...) ”), this absence does not
It must be understood as that EDP ENERGÍA violates article 13 of the RGPD.
• Exercise of rights:
It is alleged that in the opinion of the AEPD, it should be expressly indicated which are the
treatments to which the right of opposition applies. However, as I already know
stated in the Allegations to the Initiation Agreement, the obligation to detail the
specific treatments to which the interested party has the right to oppose not only is it not
an obligation contained in the RGPD, the LOPDGDD or any other regulation of
application, but also the AEPD in its guides and tools (among others, the Guide
for the fulfillment of the duty to inform2 or the Facilita tool3) does not indicate that
The informative clauses on the right to object must specify the
treatments on which the right of opposition applies, not even as an example of
Good practice. In any case, EDP ENERGÍA expressly indicates that the interested party
You may object to some voluntary treatments such as promotion,
profiling, automated decision-making and conducting
commercial offers.
It points out that the motion for a resolution indicated that: “It is imprecise to indicate
that the interested party may oppose the automated decision-making of their
personal information. These can only be carried out by the person in charge in the
assumptions provided for in article 22 of the RGPD, based in the present case on the
consent of the interested party, so he must be able to know that he can revoke
the consent given for the adoption of such decisions in any
moment, without prejudice to being informed of the rights conferred by the
Article 22 to the interested parties. "
It is alleged that the semantic and technical nuance associated with the terms "opposition" and
“Revocation” in the context of the exercise of rights cannot have an impact on the
interested, because with both terms the user achieves the same objective, which is that
a treatment specifically identified in the policy stops occurring. Even more,
the term used by EDP ENERGÍA (opposition) in the context of this type of
treatments is understood in the regulations and by the market itself more broadly
-and therefore more guarantee- since it allows the user to eliminate a treatment whether
based on consent, is based on legitimate interest.
• Treatments based on consent:
The AEPD considers that the information on the treatments subject to consent
it is not completely clear. However, this part cannot agree with
this interpretation for the following reasons:
In the first place, the AEPD questions that in point (IV) it is not clear as to what
data refers to the phrase "the results obtained from the aggregation of the data
indicated ”and argues the existence of confusion as to whether the aggregated data
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 77
77/136
are those referred to in point (II) and / or in point (III). However, as manifested
in the Allegations to the Initiation Agreement, from reading it is clear that "the results
obtained from the aggregation of the indicated data ”refers to the indicated data
above, that is, the data referred to in point (II) and (III), since it is evident that
the use of the anaphoric term "indicated" refers to the data referred to in the points
previous.
Second, the AEPD states that the difference in data processing
advertising this point with the previous points is not obvious. However, the
difference is clear:
the advertising treatment derived from point (I) refers to offers of "services
financial, payment protection services, automotive or related and electronics,
own or third parties, offered by EDP and / or participation in contests
promotional, as well as for the presentation of related commercial proposals
to the energy sector after the end of the contract ”, that is, services offered by
EDP ​​ENERGÍA not related to the contracted services but to the sector
energy or other sectors such as financial or automotive and in addition to
generic - not personalized;
▪ point (II) refers to “personalized products and services”, that is, offers
tailored to the customer's business profile; Y
▪ point (IV) refers to “making personalized offers, specifically aimed at
to achieve the contracting of certain products and / or services from EDP or third parties
entities ”, that is, to the realization of personalized offers with an objective
specifically to achieve the sale of certain products or services, being the
personalization not only with respect to the client but also with respect to the concrete
service or product offered.
The AEPD's criticism of the granularity offered by EDP ENERGÍA cannot
be understood in the light of their own recommendations and those of the European Committee on
Data Protection, which require precisely such detail and granularity.
FOUR.- COOPERATION AND PROACTIVE ATTITUDE OF EDP ENERGÍA.
EDP ​​ENERGÍA is studying and analyzing the implementation of the measures
timely for the adoption and adaptation to the recommendations, better
practices and the criteria established by the AEPD both in this procedure and
in its guides and publications (in addition to the improvements already implemented to
referenced above), in order to improve all its protection policies of
data, clauses and general conditions through which information about the
treatment of the personal data of your clients and potential clients
FIFTH.- BREACH OF THE PRINCIPLE OF INTERDICTION OF THE
ARBITRARINESS.
It is noted that certain recommended practices (and even applied by the AEPD in
their own privacy policies) have served in this case to argue and
motivate the alleged infractions committed by EDP ENERGÍA (for example, the
presentation of the information regarding the exercise of rights of the interested parties
collected in the Second Allegation). These aspects that, a priori, the AEPD recommends
and puts into practice, considering them examples that conform to the regulations
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 78
78/136
applicable, are used as infringing elements to justify the alleged
breach of different legal precepts by EDP ENERGÍA.
SIX.- LACK OF GUILT IN THE PERFORMANCE OF EDP ENERGÍA.
By virtue of all the foregoing, the actions of EDP ENERGÍA cannot
be considered guilty in the eventual commission of administrative offenses in
matter of data protection that is imputed to him. In the administrative field
sanctioning is not enough that the conduct is typical and unlawful (which in this case,
neither is it), but it is also an inescapable requirement that he be guilty, that is,
consequence of an action or omission attributable to the person responsible for fraud or fault
inexcusable, without being admissible any kind of strict liability that
exempt the Administration from fully certifying the requirement of guilt or
intentionality in the commission of the offense. (Judgments of the Supreme Court of 9
July 1994, May 16, 1995, December 12, 1995, January 12 and 19,
1996, April 15, 1996, among many others.)
It is also worth mentioning that the appreciation of the subjective element of the
offense is determined by the degree of predictability it had for the subject
affected that their conduct could be considered typical and unlawful and, therefore,
liable to be sanctioned. The subjective element of guilt can only
concur when, in view of the existing situation at the time of the
conduct, the subject could reasonably anticipate that he was committing a
infringement Sentences of the Hon. Third Chamber of the Supreme Court of May 8
from 2003 - ref. Aranzadi RJ 4209—, of July 7, 2003 - ref. Aranzadi RJ 5832—,
and of January 28 and 27, 2010 - ref. Aranzadi RJ 1362 and 1357.
Likewise, the doctrine of contentious-administrative courts has excluded the
concurrence of the essential guilty element when the subject who has
objectively committed the offense has acted based on a reasonable
interpretation of the legal system.
A reasonable interpretation of the applicable regulations, even if it is not ultimately
considered correct by the courts, excludes guilt, especially in
those cases in which the applicable legal norms are not clear or univocal.
SEVENTH.- SUBSIDIARILY, THE PROPOSED SANCTIONS ARE
MANIFESTLY DISPROPORTIONATE AND SHOULD BE APPLIED
ATTENUATING CIRCUMSTANCES.
In short, analyzing each of the alleged infractions that are attributed to EDP
ENERGY, it can only be interpreted that there is an absolute disproportionality in the
interpretation made by the AEPD in the Resolution Proposal, not only because
lacks motivation when considering the alleged offense committed, but rather
the fact that the proposed sanctions escape any criteria valued with
prior character by the AEPD itself. In this sense, it should be added that the amounts of
Previous penalties imposed in similar factual events are not comparable
to the proposals in this case.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 79
79/136
Extenuating circumstances must be applied: Indeed, any sanction that is
imposed on EDP ENERGÍA would have to be set in accordance with articles 83.2 of the
RGPD and 76.2 of the LOPDGDD, which contemplate relevant instruments so that the
Administration adjusts the proportionality of the sanctions. In the present case, such and
as stated in the Allegations to the Initiation Agreement, concur
more than enough the following extenuating circumstances summarized here:
• The nature, seriousness and duration of the offense: according to article 83.2.a) of the
RGPD, the assessment of this circumstance must take into account “the nature,
scope or purpose of treatment ”(...) and“ the level of damages that may have
suffered ”. In this sense, what is attributed to EDP ENERGÍA is the need to
improve some aspects of its data protection policies, without in any way
In this case, the texts used so far can be understood to have generated
a high level of damages. Likewise, the treatments provided in these
policies - which are known to stakeholders - are not particularly
sensitive, neither by the type of data processed nor by the characteristics of the
treatment activities. Therefore, it is not only not appropriate to consider as
circumstance aggravating the nature of this offense but, the foregoing must
considered as a mitigating circumstance applicable to the present procedure.
• Intentionality or negligence in the infringement: EDP ENERGÍA has not shown
intentionality or negligence. The AEPD, in its Resolution Proposal, indicates
that “the defects indicated in the information provided show the lack of diligence
of EDP ENERGÍA in complying with transparency obligations ”. For
Therefore, what this Agency seems to refer to is the absence of all the diligence that,
According to said Authority, it would be expected from EDP ENERGÍA. However, it does not seem that
said statement can be understood as "intentionality or negligence" in its
action insofar as, as has been stated in the Allegations to the Agreement of
Inception and in these allegations, EDP ENERGÍA has carefully observed
the guides, guidelines and tools made available by the AEPD itself and the
European Data Protection Committee for the fulfillment of its obligations of
Data Protection. For this reason, EDP ENERGÍA's diligence must be taken into account
counts as an extenuating circumstance.
• The high link between the activity of the offender and the performance of treatment of
personal data: EDP ENERGÍA is dedicated, as stated by the AEPD in the Proposal for
Resolution, to the supply of electricity, an activity that is not intensive in the
processing of personal data and that although it is true that the development of the
EDP ​​ENERGÍA's activity involves the processing of personal data, this is
instrumental form without its activity being based on the exploitation of personal data.
In this sense, the low link between EDP ENERGÍA's activity in the treatment
personal data should be considered an extenuating circumstance.
• Any measure taken to alleviate damages: as stated
In the knowledge of the AEPD, EDP ENERGÍA is immersed in the review and
improvement of its procedures and clauses in order to adapt and implement the
recommendations made by this Agency, avoiding that
any type of damage or harm to the interested parties. Proof of this is that some of
the recommendations of this Agency are already implemented, such as the
improving access to information on data protection, which is already available
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 80
80/136
at the address edp-residencialbytotal.es/rgpd as well as the new protocol of
contracting through a representative, which was already contributed to the procedure by
last July 16, 2020 and it has already been implemented last January.
• Degree of cooperation with the authority: EDP ENERGÍA has shown from the beginning
of this procedure a completely collaborative attitude with the AEPD, as
as has been accredited in this writing. In the Allegations to the Agreement of
Home provides more complete information regarding cooperation
shown by EDP ENERGÍA.
• Categories of data and affectation of the rights of minors: the data subject
treatment are not special categories of data and the data have not been affected.
rights of minors (EDP ENERGÍA's clients are always older than
age with capacity to contract).
• Continued nature of the offense: as has been proven, EDP ENERGÍA,
from the moment it has been made aware of the improvements that, in the opinion of the
AEPD, could be adopted in its policies, has proceeded to analyze its texts and
procedures. Therefore, it cannot be understood that it is an infringement of
continuing character, although this Agency must understand that in corporate groups
complex processes of change and adaptation of procedures cannot be done
immediately. However, not for that reason the alleged infraction that is imputed
it should be understood as "continued".
• Status of a large company and its turnover: the fact that EDP
ENERGY is considered a large company cannot be used as a
aggravating circumstance as it is not a circumstance foreseen neither in the RGPD nor in the
LOPDGDD. In addition, in this sense, the Supreme Court (judgment of April 4,
November 2015, appeal 100/2014) has stated in recent jurisprudence but
consolidated statement that "it is not feasible, in any case, to presume malicious conduct by the
mere fact of the special circumstances surrounding the taxpayer of the
taxation (economic importance, type of advice received, etc.) (...). [It
that the public power cannot do, without violating the principle of guilt that
derives from art. 25 CE [see, for all, the Judgment of this Section of June 6,
2008 (rec. Cas. For the unification of doctrine no. 146/2004), FD 4], is to impose a
sanction to a taxpayer (or confirm it in the administrative or judicial phase of
recourse) due to its subjective circumstances -even if it is a legal person,
has great financial means, receives or can receive the most competent of the
advice and is habitually or exclusively dedicated to the activity taxed by the
unfulfilled norm ”. For this reason, it is neither legal nor constitutional to assess the
large company status as an aggravating circumstance. Likewise, the AEPD also
refers to “its business volume” (a fact that is not considered as
aggravating circumstance neither in the RGPD nor in the LOPDGDD). When it comes to quantifying the
sanction, the AEPD refers to the global billing volume of EDP ENERGÍA for
quantify it, when it should exclusively take into account, and where appropriate, the data
billing generated by the eventual alleged breach -in the case of the
Article 25 of the RGPD, relating exclusively to contracting by representation.
In this sense, the AEPD, in its investigation within the framework of the procedure, requested and
obtained concrete data on the volume of hiring by representation and the
the smallest part that corresponds to the overall activity of EDP ENERGÍA, and should
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 81
81/136
In any case, having taken it into account in the Proposal for Resolution, which has not
happened. Likewise, as has been indicated in the First Allegation, the volume
of business derived from contracting with a representative supposes approximately
0.11% of the global business volume. For its part, as regards the
sanction associated with the alleged violation of article 13 of the RGPD, the AEPD neither
it should have taken into consideration the global turnover of its activity.
Benefits obtained as a consequence of the infringement: the alleged commission of the
The alleged infringement has not generated any type of economic benefit, direct or
indirectly, to EDP ENERGÍA. In any case, if this Agency considers otherwise, the
The benefit should be calculated according to the criteria that have been indicated in the
First Claim, taking into account that the volume of business derived from the
contracting through a representative represent only 0.11% of the business volume
overall and that the proposed sanction represents a disproportionate amount in relation to
the benefits obtained
. • High volume of data and treatments: contrary to what this Agency indicates
in its Proposal for Resolution, the alleged infractions attributed to EDP
ENERGÍA does not affect “all the data processing carried out by the entity EDP
ENERGÍA SAU ”, but only to treatment related to clients. In fact, the
AEPD itself recognizes in the section on "High number of interested parties" that
"[T] he infringement affects all the entity's natural person customers", but not
indicates no other stakeholder group. Likewise, with regard to the
contracting by third parties on behalf of its owner, it is relevant to point out that said
Contracting only affects 0.11% of EDP ENERGÍA's business volume
so it is evident that the volume of data and treatments affected is minimal.
For this reason, the small number of treatments affected, and especially, in
relationship with contracting through a representative, must be taken into account as
extenuating circumstance.
• Recent acquisition of EDP ENERGÍA: as we have indicated in the claim
Preliminary of this writing, EDP ENERGÍA has recently been acquired by the
Total Group. By virtue of article 76.2.e) of the LOPDGDD, in conjunction with article
83.2.k) of the RGPD, understands this part that this
circumstance when, where appropriate, modulate and mitigate the potential sanction-sanction
that in any case this part understands that it is not applicable. Although the mentioned
precept includes the assumptions in which the structural modification is a merger by
absorption, in application of the principle of teleological interpretation, its regulation must
be extended to other structural modifications made after the
commission of the offense and that result in the imposition of sanctions
disproportionate and burdensome to the new entity that did not commit the initial offense
PROVEN FACTS
1 . It appears in the file that EDP ENERGÍA, SAU uses the following channels
to formalize the contracting of their services:
A. Telephone Channel, with partial or definitive closure of the contracting process
through a phone call. It includes the following subchannels:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 82
82/136
- CAC Inbound: Call reception, from customers to EDP. On
In general, they are already EDP customers who are identified from the beginning of the call
through a security protocol, although they can also be received
calls from potential customers.
- Telemarketing: Issuance of calls, from EDP to databases
own customers for upselling or abandonment recovery. Used
to make the call the telephone number that appears in the file
of the client, and that has been provided by said person previously.
- LEADS: Issuance or reception of calls, about users who have
expressed an interest in any platform or website (sweepstakes,
promotions, offer comparators, blogs, advertising agencies, etc.)
leaving their basic data to be contacted or contacting themselves at
the phone number shown to them. Usually such users still
they do not have active contracts with EDP.
B. Web channel, closed by means of a digital form. The user accesses through
a website and start a hiring process totally online, without interaction with
agents.
C. Distributors, with face-to-face or digital closing of the contracting process,
including:
- EDP's own Commercial Offices. Normally already EDP clients who
they proactively go to the office, although they can also be clients
potentials.
- Third -party stores (eg *** STORE.1 ). In general, new clients who come to
make their purchases and are interested in EDP's offer.
D. External Sales Forces, with in-person closing of the contracting process,
including:
- Stands at Fairs, Shopping Centers, etc. In general new clients that
they go to such events or places and are interested in EDP's offer.
- Home visits with prior request. Clients or potential clients who have
provided your data and consent to receive proposals from an agent of
EDP ​​at home.
2. The contracting procedures implemented in those cases in which the
Contracting is carried out by a third party on behalf of the owner are the following:
A) Telephone channels:
A.1 - CAC INBOUND 1) When the user indicates that he wishes to make a contract
As a representative, you are asked about your relationship with the owner and if you have
authorization of said person. 2) Once the previous point has been confirmed, they are requested
identification data of the representative, and all the data of the owner necessary to
formalize the hiring. 3) Finally the Consent is read and recorded in audio
Representative express. 4) The holder of the contract, for informational purposes, is sent
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 83
83/136
in duplicate, with a stamped envelope, the contractual documentation in compliance
of the provisions of the consumer and user protection regulations.
A.2 - TELEMARKETING 1) When the user indicates that he wishes to carry out a
hiring as a representative is asked about their relationship with the owner. 2) A
Once the previous point has been confirmed, identification data of the representative is requested, and
all the data of the owner necessary to formalize the contract. 3) Then
the Express Consent of the representative is read and recorded in audio. 4) Finally
durable support is sent to the phone / sms provided by the representative, and is expected
upon your confirmation. 5) The holder of the contract, for informational purposes, is sent by
duplicate, with a stamped envelope, the contractual documentation in compliance with the
provided in the consumer and user protection regulations.
A.3 - LEADS 1) When the user indicates that he wishes to make a contract as
representative is asked about his relationship with the owner. 2) Once the
previous point, identification data of the representative is requested, and all the data of the
holder necessary to formalize the contract. 3) It is then read and recorded in
audio the Express Consent of the representative. 4) Then support is sent
durable to the phone / sms provided by the representative, and awaits your confirmation.
5) The contract holder, for informational purposes, is sent in duplicate, with envelope
franked, the contractual documentation in compliance with the provisions of the
consumer and user protection regulations. 6) In this channel, by the mode of
contracting and the characteristics of the clients who use it, it is in progress,
as a pilot test, communication via SMS or e-mail to the represented (in cases of
not related to the representative to study its effectiveness and receptivity.)
B. Distributors:
In the case of contracts made in EDP's own Commercial Offices (in
third-party stores there is no possibility of contracting in the name and on behalf of
a third) the procedure is as follows:
1) In those cases in which the user indicates that he wishes to make a contract
as a representative of a third party, you are asked about your relationship with the owner. 2) A
Once the information is obtained, the identification data of the representative is requested, and
all the data of the owner necessary to formalize the contract. Likewise,
requires a photocopy of the NIF, both the representative and the represented. 3)
The presentation of an authorization document is also required.
completed and signed by both interested parties (representative and owner).
C. External Sales Forces:
In the case of contracts made by external sales forces (fair stands,
shopping centers and home visits, provided there is prior request by
of the interested party), in the contract the identification data of the representative will be collected,
Also requesting the data of the owner necessary to formalize the contract.
In the contract, it is expressly specified that the representative declares to have
of sufficient powers to sign the contract on behalf of the client to whom it is
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 84
84/136
is responsible for informing of all the conditions thereof. It is required, on the other
part of a photocopy of the representative's NIF.
Next, an audio verification of the hiring is recorded where you are
indicates on two occasions to the representative, the fact that he acts on behalf of the
holder of the supply and the relationship-kinship that binds them is confirmed.
To prove the representation, the contracting stub is formalized where the
representative declares to have sufficient powers to sign the contract in
name of the client who is responsible for informing of all the conditions of
this. Likewise, a copy of the representative's NIF is provided.
3 . The record shows that the documentation used by EDP ENERGÍA,
SAU to prove the representation of the owner when signing a contract is the
following:
A. Telephone Channel:
In the three subchannels of the telephone channel (evidences 2, 3 and 4, CAC Inbound channels,
Telemarketing and Leads respectively) the representative is requested, during the
recording of the contracting procedure, confirmation of the following aspects:
of your identity and ID, of your performance on behalf of the owner, of the relationship with
the represented (as husband, wife, child, attorney, representative); of identity
(name, surname, DNI) of the represented, and telephone and email. The
Documentation accrediting the representation of the contract holder consists of the
recordings in which the representative makes the aforementioned confirmations. On
In the case of telemarketing and LEADS channels, a
sms / email with the following text “EDP Offer: Please, answer with a YES to this
SMS to accept and activate discounts. " (evidences 10 and 12).
B. Distributors: In the case of EDP ENERGÍA's own commercial offices,
SAU is requested completed and signed by both interested parties
(representative and owner) a document of express authorization in which the
data of both persons and copies of their NIF.
In the channel own commercial offices (evidence 5) the representation is accredited
by means of a document called "representative management authorization template",
in it the owner (identified with his name and ID or CIF), in his own name or
representation of the company authorizes the representative also identified with his
name and ID to carry out different procedures (registration / cancellation, change of ownership,
change of direct debit and / or other procedures) must be indicated in the box
contiguous to each one of them which or which are the authorized procedures. Saying
document requires the signature of the authorizer and the authorized person. Also, said document
contains the following warning “TO BE VALID, THIS AUTHORIZATION
IT MUST BE PRESENTED ACCOMPANIED BY A PHOTOCOPY OF THE HOLDER'S ID AND
OF THE AUTHORIZED. WHEN IT IS AN AUTHORIZATION GRANTED BY A
REPRESENTANTE DEL TIPO SA, SL, AIE, UTE, CB, COMMUNITY OF
OWNERS, FOUNDATIONS, SCHOOLS, ALSO WILL BE REQUIRED
PHOTOCOPY OF THE WRITING OF POWER OF ATTORNEY ”.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 85
85/136
C. External Sales Forces: In the case of external sales forces (stands of
fairs, shopping centers and home visits, provided there is prior request by
part of the interested party), a document is used to prove the representation
called sales book (evidence 6). In this checkbook, they contain
spaces to fill in the data of the contract holder (name, surname,
telephone and email) and representative data (name, NIF and address) and
include several boxes to mark that the representative is representative in the capacity of
spouse / registered partner, ascendant / descendant or attorney-in-fact) below such
boxes a text indicates that “it declares to have sufficient powers to subscribe
this contract on behalf of the client who is responsible for informing
all the conditions of the same. " A verification recording is made where
confirms with the representative the data of the represented, as well as the relationship or
kinship that unites them (evidence 16)
It is evident in the evidence presented that in the hiring subchannels
telephone representatives are informed that “On behalf of their client, and
After passing an analysis of the risk of the operation, we will take the necessary steps
to activate the access contracts, at which point the
new contract being terminated the previous one. "
5. It is established that during the hiring process, in the hiring channels
By telephone, the representative's consent is requested on behalf of the represented
to carry out other treatments such as sending offers related to the
energy adapted to your profile after the end of the contract or send you at any
information on non-energy products or services of companies or
collaborators of EDP. (evidences 2, 3 and 4).
During this process, the consent of the representative is also requested in
name of the represented to complete the commercial profile with information on bases
of third-party data, in order to send you personalized proposals and the
possibility of contracting or not certain services.
In the channel of external forces, the possibility of providing such
consents. As evidence 6 shows under the heading
CLIENT / REPRESENTATIVE, after noting that the information related to the protection of
data can be read on the back, allows you to mark the following consents,
marking the joint box for each of them:
 I consent to the processing of my personal data once the relationship has ended
contractual, to carry out commercial communications adapted to my profile
of products and services related to the supply and consumption of energy. In addition,
I consent to the aforementioned treatments during the term and after the end of the
contract, on non-energy products and services, both of the Group companies
EDP ​​and third parties.
 I consent to the processing of my personal data for the elaboration of my profile
with information from third party databases, for the
adoption, by EDP, of automated decisions in order to send
personalized commercial proposals, as well as to allow, or not, the contracting
of certain services.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 86
86/136
6. Evidence 2, 3 and 4 show that during the telephone contracting process
the following information is provided to the representative: "Your personal data and those of your
represented will be treated by EDP Comercializadora SAU and EDP Energía SAU to
the management of your contracts, fraud prevention, profiling based on
customer and EDP information, as well as communication
personalized information on products or services directly related to their
contracts, being able to oppose them at any time ".
In the telemarketing and leads channel evidences 3 and 4 the following is added "Les
We remind you that you can exercise your access rights at any time,
rectification, opposition, deletion, limitation and portability, through any of
the routes indicated in the General Conditions that can be consulted on our website
*** URL.1 . "
This information does not appear in evidence 2 corresponding to the CAC inbound channel .
In the own offices channel, the information provided is as follows (evidence 5)
"Interested parties are informed that the personal data provided in
This form will be treated as the data controller by EDP ENERGÍA,
SAU and EDP COMERCIALIZADORA, SAU so that they can be used
for the processing of authorized management.
The personal data that you provide us will be used, in the manner and with the
limitations and rights recognized by the General Data Protection Regulation
(EU) 2016/679.
The interested parties whose data are subject to treatment may exercise their rights
of access, rectification, deletion, portability, limitation and opposition to treatment
of these data, proving your identity, by email addressed to *** EMAIL. 2 or
by writing addressed to the person responsible for the treatment at the address Plaza del
Fresno, 2 - 33007 Oviedo (Asturias). Likewise, you can contact the
EDP ​​Data Protection Officer, at the same postal address or by mail
electronic *** EMAIL.1 , in the event that you understand that any of your rights has been violated
related to data protection, or, where appropriate, file a claim
before the Spanish Agency for Data Protection "
In the External Forces Channel, the sales book provides the following
information. On the back of the first page there is a section, entitled
"Basic Information on Data Protection": which includes the following:
"Personal data will be processed by EDP COMERCIALIZADORA,
SAU and EDP ENERGÍA, SAU (hereinafter, jointly, EDP) as
Responsible for the Treatment, for the maintenance, development, compliance and
management of the contractual relationship, fraud prevention, profiling
based on information provided by the Client and / or derived from the provision of the
service by EDP, as well as sending commercial communications, related to
products and services related to the supply and consumption of energy,
maintenance of facilities and equipment, and that can be customized in
based on your Client profile, as reported in the General Conditions, being able to
object at any time to the sending of commercial communications.
Additionally, the Client gives his explicit consent for the treatments of
personal data collected on the front. Without prejudice to consents
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 87
87/136
provided, the client may exercise, at any time, their access rights,
rectification, opposition, deletion, limitation and portability, through any of
the routes indicated in the General Conditions. "
In the part of general conditions the following information regarding
personal data protection:
“LOPD Purposes of the processing of personal data. According to
provided in current regulations, the client is informed that all data
provided in this contract are necessary for the purposes of its formalization.
Said data, in addition to those obtained as a result of the execution of the
contract, will be processed by EDP COMERCIALIZADORA, SAU, domiciled at
C / General Concha, 20, 48001, Bilbao and by EDP ENERGÍA, SAU with address at
Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers,
in order to manage, maintain, develop, complete and control the
contracting supply of electricity and / or gas and / or complementary services of and / or
gas and / or complementary services of revision and / or technical assistance and / or program of
points, and / or improvement of the service, to carry out actions to prevent
fraud, as well as profiling, personalized commercial communications
based on information provided by the Client and / or derived from the provision of the
service by EDP and related to products and services related to the
supply and consumption of energy, maintenance of facilities and equipment.
These treatments will be carried out in strict compliance with the legislation
current and insofar as they are necessary for the execution of the contract and / or the
satisfaction of EDP's legitimate interests, provided that the latter are not
other rights of the client prevail.
Provided that the client has explicitly accepted it, their personal data will be
treated, even once the contractual relationship has ended and provided that there is no
Produces opposition to said treatment, to:
(I) The promotion of financial services, payment protection services, automotive
or related and electronic, own or third parties, offered by EDP and / or participation in
promotional contests, as well as for the presentation of commercial proposals
linked to the energy sector after the end of the contract, (II) The preparation of
Commercial profiles of the Client by aggregating the databases of
third parties, in order to offer the Client personalized products and services,
thus improving the customer experience, (III) Decision-making
automated, such as allowing the contracting, or not, of certain products
and / or services based on the Client's profile and particularly, on data such as, the
history of defaults, the history of hires, permanence, locations, data
consumption, types of devices connected to the energy network, and similar data
that allow to know in greater detail the risks associated with the contracting. (IV)
Based on the results obtained from the aggregation of the indicated data,
EDP ​​may make personalized offers, specifically aimed at achieving the
contracting of certain products and / or services from EDP or from third parties
depending on whether the client has consented to it or not, being in any case treated
data whose age will not exceed one year. In the event that said process was carried out
carried out in an automated way, the client will always have the right to obtain intervention
human rights by EDP, admitting the challenge and, where appropriate, assessment of the
resulting decision.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 88
88/136
Categories of data processed
By virtue of the contractual relationship, EDP may process the following types of data
personal: (I) Identifying data (name, surname, ID, postal address, address
email address, supply point, etc.), (II) Identification codes or keys
User and / or Client, (III) Personal characteristics data (date of birth,
sex, nationality, etc.), (IV) Data of social circumstances (hobbies, style of
life, marital status, etc.), (V) Data on energy consumption and derived lifestyle habits
of these, (VI) Economic, financial, solvency and / or insurance data.
Personal data will be kept for the duration of the contractual relationship
and at most, during the statute of limitations for legal actions
corresponding, unless the Client authorizes its treatment for a longer period,
applying organizational and security measures from the beginning of the treatment
to ensure the integrity, confidentiality, availability and resilience of data
personal
Communications and recipients of personal data.
All personal data derived from the provision of the service and those obtained in
By virtue of this contract, they may be communicated to the following entities:
i)
The corresponding distribution company, producing with it a
permanent exchange of information for the adequate provision of the
service, including the request for access to your network, readings (which in the case
remote-managed meter will be hourly) and / or consumption estimate, control
quality of supply, request for supply cuts, modifications in
power, etc.
ii)
The Organizations and Public Administrations that by Law correspond.
iii)
Banks and financial entities for the collection of services rendered.
iv)
Other companies of the business group, solely for administrative purposes
internal and the management of the products and services contracted.
v)
National equity solvency and credit services (Asnef-Equifax,
...) to which in case of non-payment, without just cause by the Client,
You will be able to communicate the debt, as well as fraud prevention services,
for the sole purpose of identifying erroneous or fraudulent information provided
during the hiring process.
saw)
EDP ​​suppliers necessary for the adequate compliance with the
contractual obligations, including those that may be located outside
of the European Economic Area, in which case it is duly
adequate international data transfer.
Rights of the data owner
The client will have at all times the possibility of exercising freely and
completely free of charge the following rights:
i)
Access your personal data that is processed by
EDP.
ii)
Rectify your personal data that is processed by EDP
that are inaccurate or incomplete.
iii)
Delete your personal data that is processed by EDP
iv)
Limit EDP's treatment of all or part of its
personal information.
v)
Oppose certain treatment and decision-making
automated data processing, requiring the intervention
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 89
89/136
human rights in the process, as well as to challenge the decisions that
are finally adopted by virtue of the processing of your data.
saw)
Port your personal data in an interoperable format and
self-sufficient.
vii)
Withdraw at any time, the consents granted
previously.
In accordance with current regulations, the user can exercise their rights
requesting it in writing, and together with a copy of a reliable accreditation document
identity, at the following postal address: Plaza del Fresno, 2, 33007 Oviedo or
in the email *** EMAIL . 2 .
Likewise, you can contact the data protection officer of
EDP ​​at the following postal address Plaza del Fresno, 2, 33007 Oviedo or by mail
electronic *** EMAIL.1 , in the event that you understand that any of your rights has been violated
related to data protection, or, where appropriate, file a claim
before the Spanish Agency for Data Protection, at the address Calle de Jorge Juan,
6, 28001. Madrid "
7. It is established that the number of contracts signed in 2018 and 2019 by third parties
representing natural persons is the following:
A.1 - CAC INBOUND
Year Channel Representation
No. Contracts
2018 CAC Relationship
1,536
2018 CAC Unrelated
436
2019 CAC
Relationship
1,351
2019 CAC Unrelated
295
A.2 - TELEMARKETING
Channel Year
Representation
No. Contracts
2018 TELEMARKETING
Relationship
2,708
2018 TELEMARKETING
No kinship
114
2019 TELEMARKETING
Relationship
1,910
2019 TELEMARKETING
No kinship
83
A.3 - LEADS
Channel Year
Representation
No. Contracts
2018 LEADS
Relationship
17,040
2018 LEADS
No kinship
2,719
2019 LEADS
Relationship
17,808
2019 LEADS
No kinship
3,496
B. Web: Hiring with a representative is not contemplated.
C. Distributors (own commercial offices):
Year Channel Representation
No. Contracts
2018 OOCC Relationship
261
2018 OOCC Unrelated
64
2019 OOCC Relationship
244
2019 OOCC Unrelated
52
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 90
90/136
D. External Sales Forces: (trade fair stands, shopping centers - home visit)
Year Channel Representation
No. Contracts
2018 FVE
Relationship
43,008
2018 FVE
No kinship
523
2019 FVE
Relationship
11,945
2019 FVE
No kinship
13
8 . It is established that it is in the investigation file E / 5549/2019, origin of the present
sanctioning procedure, the document referred to by EDP ENERGÍA, SAU in
their allegations, presented by EDP COMERCIALIZADORA, SAU, dated 16
July 2020, in which it states that "it has revised the procedure to be followed in the
contracting by third parties on behalf of the owner, in order to strengthen said
procedure and reduce the risks of possible identity theft carried out
in bad faith by the contracting party in this type of process, taking into account,
additionally, the particular needs identified as a result of the state of
alarm decreed last March and that has necessarily required that
all contracts are carried out in a non-face-to-face way.
That in order to inform the AEPD of the specific actions that are
are being carried out in relation to this matter by EDP, in compliance
of their duty of proactive compliance (accountability), we attach the
"Contracting procedure by third parties on behalf of the owner", so that they have
visibility on the modifications that are being implemented in these processes
in order to meet your request in this regard, as well as to highlight the
EDP's proactivity regarding its suggestion of adaptation of said
process." The procedure to follow is detailed below in said
written, consisting of sending the client a communication, by email
or SMS, once the contract has been formalized by the agent in cases where there is no
have written authorization.
This document is declared reproduced in this act for evidentiary purposes.
9. EDP ​​ENERGÍA, SAU provides in response to the request made by this
Agency within the framework of research activities extract from the Registry of
Treatment Activities that includes the records related to the activities that are
performed in the field of contracting products and / or services and the analysis of
risks carried out in relation to the treatments carried out in the context of the
contracting products and / or services.
The risk analysis is contained in an Excel document, it does not contain a date
nor signature. 15 risk factors are listed; 1. Information commercially
sensitive, 2. Commercial Communications, 3. Data Origin (external source or
internal), 4. Data transfers. 5, Treatment Managers. 6. Transfers
international 7. Scoring / Profiling activities. 8.Decisions
automated. 9. Systematic monitoring of headlines. 10. Categories
special data. 11. Large-scale data processing. 12.
Data interconnections / Big Data. 13. Minor Data / Vulnerable Holders.
14. Application or use of innovative technologies.15. Unavoidable treatment /
Restriction of the exercise of rights or access to the service. Regarding the valuation
potential of inherent risk, the risk scale has 4 levels: low, with a
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 91
91/136
score from 0 to 12; average score from 13 to 25; tall from 26 to 38 and very tall
from 39 to 51. The assessment or weight given to each of the factors of
risk is from 1 to 4. In the risk analysis, for each of the
sales channels a yes or no in each of the 15 risk factors above
listed. The sum of the weight attributed to each of the factors for
each channel determines the inherent risk. The result of inherent risk is
medium in all the contracting channels, except in the web channels and
external forces through home visits in which the outcome of the
inherent risk is low. Risk correction measures are not indicated.
These documents are declared reproduced in this act for evidentiary purposes.
10. It is clear that to access the General Conditions, which are referred to in the
telephone processes to obtain the rest of the information regarding the treatment of
personal data, on page *** URL.1 the following process must be followed:
-Access through the internet browser to the address *** URL.2
- Introduction in the search engine of the text page itself: "General Conditions"
-The website shows, under the following address: *** URL . 3, 2 tabs one
called Related Information and Other Documents.
-The "Documents" tab of the Search Results is selected. Is
offers a total of 78 results, the third of which corresponds to the
"General contracting conditions".
-The "General contracting conditions" are selected and automatically
open a new browser window pointing to the following internet address:
*** URL.4 , where the document can be downloaded.
11 .The following documents are provided in support of the allegations made:
Annex 1.a) Risk analysis methodology and implementation of DPIAs
- Annex 1.b) RAT contracting EDPE
- Annex 1.c) RAT risk assessment- EDPE contracting
- Annex 1.e) Impact Assessments -Risk Assessments
- Annex 1.f) Impact evaluations - Reports
Appendix 2 :
- EDP Privacy by Design by Default Methodology
- Operational Instruction Privacy by Design & Privacy by Default
- Privacy by Design & Privacy by Default form
- Privacy By Design Procedure Flowchart.
Annex 4:
- Examples of requests for the exercise of rights.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 92
92/136
The Risk Analysis Methodology and DPIAS (DATA PRIVACY
ASSESSMENTS) contains on its first page a version history, being the
date of the initial version 11/24/2017 and the last one on 05/11/2018 revision date
prior to the applicability of the RGPD. It is accompanied by various annexes whose date
not included or provided.
The document contained in annex 1.b RAT, EDPE, whose date does not appear, includes
a treatment purpose not included in the register of treatment activities
sent to this Agency on June 17, 2020. Specifically, said treatment
that is now included has the following content:
Responsible: EDP Energía, SAU
Purpose of the treatment: "Carrying out Scoring of customers of the B2C segment prior
to hiring ”,
Description: “Scoring of customers in the B2C segment prior to the
contracting according to the internal pending debt and information from
solvency (ASNEF). "
Category of data holders: "Clients and potential clients."
Category of personal data processed: "Identifying data and economic data."
Legal basis for carrying out the treatment: "Satisfaction of legitimate interests."
Period of conservation of personal data: “5 years from the end of the
contractual relationship. The certain, past due and enforceable debt derived from the execution of the
contract will be maintained until its cancellation or the limitation period of the actions
pertinent legal recovery. "
Data transfers (data recipients, other than those in charge of the treatment):
“ASNEF is jointly responsible for the treatment, according to the signed agreement
with ASNEF. "
Categories in charge of treatment: The box has no content.
International data transfer: No
Annex 1.c) under the name “RAT Risk Assessment- EDPE Contracting”, whose
The date is not reflected in the document either, it contains the risk analysis, in the form of
matrix, the same as the one presented on June 17, 2020, with the same content, if
either two columns have been added under the title "treatment requires PIA", both
entitled "No. of EDP-W29 criteria", the first indicates a number that seems
correspond to its title and the second indicates the need to carry out a
Impact evaluation. In this matrix there is also a new treatment whose
The purpose is the “Scoring of customers in the B2C segment prior to the
hiring ”.
Various documents entitled impact evaluations are provided, whose date
Nor is it recorded, these impact evaluations are the following:
-Risk assessment of B2C customer scoring prior to the
contracting, in which, among other threats, the following are indicated:
- “The basis that legitimizes the treatment is not adequate, it is illegal or it has not been
formulated properly ”, whose probability is set as high, with a
impact rated as very high and resulting in inherent risk High. On
Regarding the controls implemented against this threat, it is stated that “the
legal basis of the treatment is to satisfy a legitimate interest (prevention of
fraud)".
- “At the time of data collection, the information is not provided
minimum expected to the person or no information is provided. " On
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 93
93/136
This assumption is considered to “not apply” neither the probability nor the impact, nor
there is an inherent risk, the controls being the “Protection clause of
data included in the contract signed with the client with all the information
required by the RGPD ”and the“ information provided to the client prior to the
carrying out the scoring process "
-Evaluation of channel leads to be converted by telemarketing.
-Evaluation of risks Telemarketing upselling and dropouts.
-CAC channel risk assessment to clients or potential clients (inbound).
-Evaluation Channel OOCC clients and potential clients.
-Risk evaluation of third-party stores for sale to potential customers.
-Evaluation of External Sales Forces through Stands at Fairs and Centers
Commercial.
In all these impact evaluations, threats are considered, among others
many, those related to the fact that “the basis that legitimizes the treatment is not adequate, it is
illegal or has not been properly formulated ”and“ at the time of collection of the
data is not provided the minimum information provided to the person or is not
provides no information "In both cases the probability is valued as high,
the impact as very high and the inherent risk high. Controls are mentioned
adopted, referring to the legitimizing basis of the treatment, in the first case,
and "Data Protection clause included in the contract signed with the client with
all the information required by the RGPD ”, in the second. They are described among the
checks in progress for both threats on all channels except channel
OOCC, “the implementation of a new contracting procedure through
representative, incorporating the sending of an SMS / Email message through which the
provides the basic information necessary in terms of data protection to the owner of the
contract."
The date on which the actions in progress were incorporated into the
corresponding impact evaluations.
These documents are declared reproduced in this act for evidentiary purposes.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679,
of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of
Individuals with regard to the Processing of Personal and Free Data
Circulation of this Data (General Data Protection Regulation, hereinafter
RGPD) recognizes each Control Authority, and as established in the articles
47, 48, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the
Director of the Spanish Data Protection Agency is competent to initiate and
solve this procedure.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 94
94/136
Article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in their development and, as long as they do not contradict them, in a
subsidiary, by the general rules on administrative procedures. "
II
Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the
Council of April 27, 2016, regarding the protection of natural persons in the
regarding the processing of personal data and the free circulation of these data
(General Data Protection Regulation, hereinafter RGPD), under the rubric
"Definitions", provides the following:
"2)" treatment ": any operation or set of operations carried out on
personal data or personal data sets, whether by procedures
automated or not, such as collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction ”.
7) "data controller" or "controller": the natural or legal person,
public authority, service or other body that, alone or together with others, determines the
purposes and means of the treatment; whether the law of the Union or of the Member States
determines the purposes and means of the treatment, the person responsible for the treatment or
Specific criteria for their appointment may be established by Union law.
or of the Member States "
Article 24.1 of the RGPD provides for the responsibility of the person responsible for the
treatment that “Taking into account the nature, scope, context and purposes of the
treatment as well as risks of varying probability and severity to the rights and
freedoms of natural persons, the data controller will apply measures
appropriate technical and organizational techniques in order to ensure and be able to demonstrate that the
treatment is in accordance with this Regulation. These measures will be reviewed and
will update when necessary . "
In this case, it is established that EDP ENERGÍA, SAU is responsible for the
data processing, referred to in the factual background of this agreement
initiation of the sanctioning procedure, since, according to the definition of the article
4.7 of the RGPD, it is who determines the purpose and means of the treatments carried out with
the purposes indicated in the documentation provided relative to the hiring of their
services, therefore, in its capacity as data controller, it is obliged to
comply with the provisions of article 24 transcript of the RGPD and especially regarding the control
effective and continuous of “appropriate technical and organizational measures in order to guarantee and
to be able to demonstrate that the treatment is in accordance with this Regulation "
Likewise, article 25. 1 of the RGPD establishes that “ Taking into account the state of
the technique, the cost of the application and the nature, scope, context and purposes of the
treatment, as well as the risks of varying likelihood and severity posed by the
treatment for the rights and freedoms of natural persons, the person responsible for the
treatment will apply, both at the time of determining the means of treatment
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 95
95/136
as at the time of the treatment itself, technical and organizational measures
appropriate, such as pseudonymisation, designed to effectively apply the
data protection principles, such as data minimization, and integrating the
guarantees necessary in the treatment, in order to meet the requirements of this
Regulation and protect the rights of the interested parties. "
For these purposes, the provisions of the following recitals of the
GDPR:
74. “The responsibility of the person responsible for the treatment for
any processing of personal data carried out by himself or on his own. On
In particular, the person responsible must be obliged to apply timely and effective measures and
must be able to demonstrate the compliance of the processing activities with the
this Regulation, including the effectiveness of the measures. These measures must have
take into account the nature, scope, context and purposes of the processing as well as the
risk to the rights and freedoms of natural persons. "
75. “The serious and serious risks to the rights and freedoms of natural persons
variable probability, may be due to the processing of data that could cause
Physical, material or immaterial damages, particularly in cases where
that the treatment may give rise to problems of discrimination, usurpation of
identity or fraud, financial loss, reputational damage, loss of
confidentiality of data subject to professional secrecy, unauthorized reversal of the
pseudonymization or any other significant economic or social damage; in the
cases in which the interested parties are deprived of their rights and freedoms or are
prevent exercising control over your personal data; in cases where the data
personal treaties reveal ethnic or racial origin, political opinions, religion
or philosophical beliefs, union membership and the processing of genetic data,
data relating to health or data on sexual life, or convictions and offenses
criminal or related security measures; in the cases in which they are evaluated
personal aspects, in particular the analysis or prediction of aspects related to the
job performance, financial status, health, preferences or interests
personal, reliability or behavior, situation or movements, in order to create or
use personal profiles; in the cases in which personal data of
vulnerable people, in particular children; or in cases where the treatment
involves a large amount of personal data and affects a large number of
interested. "
76. “The probability and severity of the risk to the rights and freedoms of the
stakeholder should be determined with reference to the nature, scope, context and
the purposes of data processing. Risk should be weighted on the basis of a
objective evaluation by which it is determined whether the treatment operations of
data pose a risk or if the risk is high. "
Therefore, the controller must carry out an analysis of the
risks that the data processing carried out may have for the rights and
freedoms of natural persons, implementing technical and organizational measures
appropriate to apply the principles of data protection and integrate the guarantees
necessary in the treatment in order to comply with the requirements of the RGPD, being able to
demonstrate that the treatment is in accordance with the provisions of the aforementioned standard.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 96
96/136
The data protection principles are contained in article 5 of the
RGPD, the first of which should be highlighted here regarding the legality of the
treatment. In accordance with article 5.1.a of the RGPD “Personal data will be: a)
treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness,
loyalty and transparency '). The second number of article 5 provides that “The
responsible for the treatment will be responsible for compliance with the provisions of the
paragraph 1 and capable of demonstrating it ('proactive responsibility'). "
The legality of the treatment implies that personal data can only be
treated by the person responsible for the treatment when any of the bases
legitimating entities listed in article 6 of the RGPD.
Taking into account the documentation provided by the person responsible for the treatment,
It should be noted that the contracting of electricity services by EDP
ENERGÍA, SAU can be carried out through different channels, these being the
following:
A- Telephone, which includes the following sub-channels: CAC Inbound, Telemarketing and
Leads.
B. Web Channel.
C. Distributors, which includes EDP's own Commercial Offices and third-party stores.
D. External Sales Forces, which can be: Stands at Fairs, Centers
Commercial, etc., or home visits with prior request.
According to said documentation, the contracting of the service can be carried out
with a customer representative, except for the web channel and sub-channel
third-party stores where it is not allowed. Examination of procedures
contracting the service described by the person in charge and the documentation provided
show that when the service is contracted through
representative is not required to prove the representation he claims to hold.
This absence of accreditation has a single exception when the hiring of the
service is carried out in the sub-channel of our own commercial offices in which a
document certifying the authorization granted for contracting by the
represented together with the presentation of his DNI (evidence 5). .
Thus, to the extent that a procedure has not been implemented that allows
certify the representation of the person who makes a contract on behalf of a
third, various risks may be generated and may be mentioned, by way of
For example, the one consisting of a data processing of the represented without legitimation, the
risk of identity theft or economic or other damages that are
may cause the interested party as a result of the change of company
service provider with the consequent cancellation of the original contract or the
change of ownership of the contract or the type of contract with the company
supplier, without the interested party having consented to such changes.
Secondly, in the documentation provided, it is observed that in the channel of
telephone contracting (CAC inbound, Telemarketing and leads subchannels) together with the
hiring the service, consent is requested to carry out other
treatments, such as sending energy-related offers tailored to the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 97
97/136
customer profile upon completion of the contract or referral at any time of
information on non-energy products or services of collaborating companies or
EDP. This request is made to the representative as is clear from the own
literality of the text of evidence 2, 3 and 4 submitted, according to which the
this one: “May we present to your client offers related to energy
adapted to your profile after the end of the contract, or send you at any time
information of non-energy products and services, of Collaborating Companies or of
EDP? " (Evidence 2)" Can you allow us to present your client with related offers
with the energy after the end of the contract, or send you at any time
information on products and services of the financial, insurance and
automotive, Collaborating Companies or EDP? " (evidence 3). "Allows us
present you with energy-related offers tailored to your profile after the
termination of the contract, or send you at any time product information and
non-energy services, of Collaborating Companies or EDP? (evidence 4).
In none of the three cases, as can be seen from the analysis of the
procedures followed by the person in charge in the hiring processes,
requests proof that the representative has been authorized to provide such
consent on behalf of the principal.
Nor is it proven that the representative has been authorized by his client.
to consent to the processing of data for advertising purposes that has been done above
reference, if it does so, when the hiring process is carried out
carried out through the channel of commercial offices owned by EDP ENERGÍA, SAU and
that no such possibility is contemplated in the document presented as evidence 5, in
which contains the authorizations for various treatments by the
representative, it should be taken into account that it must, where appropriate, be a
specific mandate without being deduced from a general authorization for others
treatments.
In the case of contracting through the external forces channel, evidence 6, at the
that the person in charge calls sales check, contains, in the box entitled
"Client / representative", a box to consent to the processing of personal data,
in the following terms: "I consent to the processing of my personal data once
once the contractual relationship has ended, to carry out commercial communications
adapted to my profile of products and services related to the supply and consumption of
Energy. Likewise, I consent to the aforementioned treatments during the term and after
the termination of the contract, on non-energy products and services, both of the
EDP ​​Group companies and third parties. " In said contract or sales stub,
as it has been called by the person in charge, it also appears, after the spaces
destined to the data of the representative who “declares to have powers
sufficient to sign this contract on behalf of the client to whom it is
is responsible for informing of all the conditions of the same. " Nor in this
hiring procedure requires an accreditation of the representation that is
claims to hold to contract or give consent for other treatments in
name of the represented, being the representation merely declared by the
representative.
Neither in these cases has a procedure been implemented that allows to accredit
that the representative had the authorization of the principal to consent to such
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 98
98/136
treatments, producing the risk of data processing of the represented without
legitimation, being exposed to the reception of publicity even after
the contractual relationship has ended. In the case of the external sales forces channel,
increases the risk, since the contract is not even sent to the represented, but
that the copy is given to the representative who is responsible for informing the
represented.
Thirdly, it is observed in the documentation in this procedure
that at the time of contracting through the telephone channel, in all
subchannels, the representative is requested permission to “complete the commercial profile of the
represented with information from third-party databases, in order to send you
commercial proposals and the possibility of contracting or not certain services "
(evidence 2, 3 and 4). As in the previous case, it is not proven that the
representative is authorized by the represented to consent to such treatment.
The same can be said when consent for this treatment is given by
the representative in the channel own commercial offices, since there is also no
in the document that reflects the authorizations granted to the representative
(evidence 5), specific authorizations for the representative to provide his
consent for such treatments.
In the case of the external forces channel, in the so-called sales book, it appears
a box to give consent, which is formulated as follows:
"I consent to the processing of my personal data for the elaboration of my profile
with information from third party databases, for the
adoption, by EDP, of automated decisions in order to send
personalized commercial proposals, as well as to allow, or not, the contracting
of certain services. " Likewise, no accreditation of the authorization of the
represented to consent to these treatments, considering that
his statement in this regard is sufficient. Moreover, just as it was revealed
above, the risk for the represented is increased since the check book
sales (evidence 6) it appears that a copy of the document is delivered to the
representative who is responsible for informing the principal.
Neither in these cases has a procedure been implemented that allows to accredit
that the representative had the authorization of the principal to consent to such
treatments, leaving the interested party exposed to profiling with
information from third party databases or decisions are made
automated with respect to him without having consented.
In the allegations to the agreement to initiate this proceeding, it was stated that
the freedom of form in the manner established in the Civil Code for the contract of
mandate is incompatible with obtaining evidence of the existence of the
representation or mandate, beyond the representations of the president, protected
in good contractual faith. However, as this Agency has indicated in the
resolution proposal, nothing prevents one of the parties to a contract from requiring
who acts as agent of the other party the accreditation of the representation that
claims to show off, proof of this is that EDP ENERGÍA, SAU itself requires it in its
contracting procedure in the channel own commercial offices, requiring the
representative a document certifying the authorization granted for the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 99
99/136
hiring by the represented signed by both, which must be accompanied by the
DNI of both the representative and the represented. It is now alleged by said entity
that it is not obliged to carry out with authorized third parties that contract through the
telephone channel or external sales forces no verification of the existence
and scope of its mandate, on the basis that the possibility of verifying the
powers of the principal constitute a burden for the agent, not for the third party,
since the interests to be safeguarded, within the framework of civil law,
they are those of the latter, and not those of the agent, nor those of the principal. It is alleged
also, that in the power to contract the service through an authorized third party
resides the power to give the consents inherent to the hiring process,
including those related to the processing of personal data.
This Agency cannot share such arguments, the regulations for the protection of
personal data focuses on the protection of this right of the interested parties, of
so that your data can only be processed when there is legitimacy,
without which no data processing can be carried out. In the event that we
occupies the legitimation may derive from the existence of a contract or the provision
of a consent for certain treatments, so that if the contract is
made by a third party on behalf of the interested party or such consents are
provided by a third party on behalf of the interested party, the data controller must
act diligently to verify that whoever claims to be
authorized to act on behalf of another, indeed he is and that that
authorization extends not only to the execution of a contract, but to the provision
of consents for other different data processing that are requested
during the hiring process. In the latter case, all the more reason can
doubt the existence of such authorization by the interested party to consent
treatments on your behalf, taking into account that consent requests
For the sending of commercial communications and the realization of profiling,
carried out during the telephone contracting process, unexpectedly, in
so that it is difficult to think that the principal has previously authorized the
representative to give such consents. In the same way, it is doubtful
that in a process of contracting in the channel external forces, which must be remembered
refers to the hiring in stands of fairs or shopping centers, there is a
prior authorization to consent to treatments on behalf of the represented, since such
The request is also made during the hiring process, aggravating the
risk for the interested party inasmuch as the contract is not even sent, but is
gives a copy to the representative who is responsible for informing the represented party.
In this way, the first of the risks to assess is precisely the legitimacy for
each treatment, and in particular, and in the event of acting through a representative
the risks that the data subject has for the data processing without the proper
legitimation, in the event that the representative lacks the power to allow such
treatments.
The risk analysis initially presented does not consider the aforementioned risks
above, limiting itself to mentioning commercial communications as risks
and scoring / profiling, risks that are not even considered for the channel
external sales. The risk analysis presented with the allegations to the agreement
The startup does not contemplate such risks either, being substantially the same as the previous one.
including only two columns that under the same title "No. of EIPD criteria-
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 100
100/136
WP29 ”point out in one of them the supposed number of criteria and the need to
carry out a DPIA.
Several impact evaluations are provided with the allegations, one for each of the
sales channels, in which threats are considered, among others, the
two following: “the basis that legitimizes the treatment is not adequate, it is illegal or it is not
has been properly formulated ”and“ at the time of data collection, there was no
provides the minimum information provided to the person or is not provided
no information ”In both cases the probability is valued as high, the impact
as very high and the inherent risk as high. The adopted controls are mentioned,
that with respect to the first threat are constituted by the reference to the base
legitimizing the treatment and in the case of the second it is indicated as control
adopted the following: "Data Protection clause included in the signed contract
with the client with all the information required by the RGPD ”. They are described among the
checks in progress for both threats on all channels except channel
OOCC to clients or potential clients, “the implementation of a new procedure of
hiring through a representative, incorporating the sending of a message
SMS / Email through which the necessary basic information is provided regarding
data protection to the contract holder. " There is no record of the date on which he joined
impact evaluations of this ongoing action.
EDP ​​ENERGÍA, SAU alleges that the AEPD intends to justify the start of this
sanctioning file in the alleged non-existence of documentation that never
Has been requested. And it points out that it has a methodology for identification, analysis and
risk management, both to identify inherent risks, and specifically
to assess the need to carry out Impact Assessments, including
as an annex the supporting documentation that amply proves that it complies
fully and fully with these obligations.
In this regard, it should be taken into account that the obligations established in the
Articles 24 and 25 of the RGPD do not constitute mere formal obligations, but rather
as stated in article 24 "the person in charge will apply technical and organizational measures
appropriate in order to guarantee and be able to demonstrate that the treatment is in accordance with the
these Regulations. " And article 25 also reiterates that " the person responsible for the
treatment will apply, both at the time of determining the means of treatment
as at the time of the treatment itself, technical and organizational measures
appropriate, such as pseudonymisation, designed to effectively apply the
data protection principles, such as data minimization, and integrating the
guarantees necessary in the treatment, in order to meet the requirements of this
Regulation and protect the rights of the interested parties. " It is also a
dynamic obligation, each modification of the technical and organizational measures must
also be subject to a risk analysis to determine whether said modification
is suitable for effectively applying data protection principles and integrating
the necessary guarantees in the treatment.
In the present case, regardless of when it has been included in each
Impact evaluation between the controls in progress the implementation of this new
hiring procedure through a representative, since said date does not
It is clear that it is not until July 16, 2020 that a
writing stating that “it has reviewed the procedure to be followed in contracting
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 101
101/136
by third parties on behalf of the owner, in order to strengthen said procedure and reduce the
risks of possible identity theft carried out in bad faith by the party
contracting party in this type of process, taking into account, additionally, the
particular needs identified as a result of the state of alarm decreed on the
last March and that has necessarily required that all
hiring are carried out in a non-face-to-face way.
That in order to inform the AEPD of the specific actions that are
are being carried out in relation to this matter by EDP, in compliance
of their duty of proactive compliance (accountability), we attach the
"Contracting procedure by third parties on behalf of the owner", so that they have
visibility on the modifications that are being implemented in these processes
in order to meet your request in this regard, as well as to highlight the
EDP's proactivity regarding its suggestion of adaptation of said
process." Said letter did not indicate the date of implementation of such measures.
In EDP ENERGÍA SAU's allegations, it is stated that “the protocol of
The proposed contract has been brought to the attention of the AEPD on
July 2020, presented in any case before receiving the written Start Agreement
of Sanctioning Procedure, being a Request for information with number
common for EPD ENERGÍA and EDP COMERCIALIZADORA without the
AEPD has ruled on it with the corresponding legal report
assessment, as requested, in order to implement a system that
was fully in accordance with the criteria and interpretations of the AEPD, limiting
so far to be included in the Initiation Agreement sent to EDP ENERGÍA
certain considerations in relation to it. " It also states that “In
Regarding the date of implantation, it depends precisely on the opinion that
the AEPD states about this procedure, since it would not make sense to put it
ongoing if the supervisory authority considers that it does not meet its criteria for
consider it an appropriate procedure, taking into account the economic costs
associated with this implementation, in addition to the resources of time and dedication
necessary for the deployment of these measures. "
The allegations to the motion for a resolution indicate that the procedure has been
implemented in January 2021. It also adds that it has been removed from its
contracting procedure by representation the possibility of requesting
consents for marketing and commercial purposes referred to in the
AEPD, attached some documents to evidence this elimination. Without prejudice to
that this Agency values ​​positively that the possibility of requesting
such consents, the procedure followed in the channels
telephone numbers, in which the deletion consists in indicating “[Read only legal persons
calling on behalf of a business] Also, so that we can advise you
with the best proposals: • Do you allow us to present your client with offers
related to energy after the end of the contract, or send you information on
non-energy products and services, typical of Collaborating Companies? [OTHERWISE] •
Will you allow us to complete the commercial profile of your client with information
provided by third parties, to send you personalized proposals? [OTHERWISE]." The
Data protection regulations do not protect legal persons, so that
it is beyond her that consent is requested to carry out a profiling
of these with information provided by third parties to send you proposals
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 102
102/136
personalized. In any case, it is not indicated what treatment will be given to the
authorizations provided by a representative of natural persons to send
commercial communications and profiling requested prior to
the adoption of said measure. On the other hand, the analysis of
risk from which the modification of the contracting procedure or the
justification on the suitability of the measures adopted to minimize them.
Reiterating the breach of the principle of proactive responsibility required by the
Regulation.
All of this goes to show that no measures had been taken to verify the
existence of authorization to contract or to lend on behalf of the represented
consent for other treatments until January of this year in which it was implanted
as they expose a new procedure, to verify the reality of the
representation and it has been eliminated, without indicating from what date, the possibility of
request authorization from the representative to carry out data processing
other than the contract such as the sending of commercial communications and the realization of
commercial profiles, thus breaching the obligations established in article 25
that are not limited to formal aspects, but to the effective implementation of
appropriate technical and organizational measures, measures which in turn should be subject to
of the corresponding risk analysis to determine its aptitude to achieve the
pursued result.
On the other hand, in relation to what is stated in the allegations to the commencement agreement, in
that it was indicated that such measures had not been implemented as this
The Agency had not issued a legal report to evaluate them, as it results from the
provided for in the RGPD is responsible, in compliance with its obligations to
proactive responsibility, who must implement the technical and organizational measures
necessary, as expressed in articles 24 and 25 of the RGPD, or as indicated in
the terms of recital 73 of the same standard: "In particular, the person responsible
must be obliged to apply timely and effective measures and must be able to demonstrate the
compliance of the processing activities with this Regulation, including the
effectiveness of the measures ”and it is up to the person responsible to assess whether such
measures are adequate. Second, this Agency is not required to issue
any legal report on such actions, which also in the event that
could be issued voluntarily, it is not binding, so there is no
justify, in the absence of a legal report from the AEPD, the breach of the
Responsible party's obligations.
Likewise, in the allegations to the commencement agreement, EDP ENERGÍA indicated,
SAU the application of the non bis in idem principle because it considers that the assessment of
the commission stems from events that, prior to the present
procedure, have been previously analyzed by the AEPD. In this respect it is
remember that the ruling of the Constitutional Court 77/2010, of October 19 comes
to point out with respect to said principle that “as we have affirmed the aforementioned triple
identity of subject, fact and foundation "constitutes the assumption of application of the
constitutional prohibition of incurring bis in idem, be it substantive or procedural, and
defines the content of the fundamental rights recognized in art. 25.1 CE, already
that these do not prevent the concurrence of any sanctions and procedures
sanctioners, not even if they are aimed at the same facts, but rather
These fundamental rights consist precisely in not suffering from a double
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 103
103/136
sanction and in not being subjected to a double punitive procedure, by the same
facts and with the same foundation "Such allegation cannot be admitted, since there is no
appreciate here that it is about the same facts and grounds as in procedures
previous followed against EDP ENERGÍA, SAU, since they were charged with
either the violation of article 6.1 of Organic Law 15/1999, of December 13, of
Protection of Personal Data or the violation of article 6.1 of the
RGPD, for treating the personal data of the claimants without legitimacy.
Consequently, in accordance with the findings set forth, the aforementioned
facts could be a possible violation of article 25 of the RGPD, which gives
place to the application of the corrective powers that article 58 of the RGPD grants to the
Spanish Agency for Data Protection.
III
The number 11 of article 4 of the RGPD defines consent as “ All
manifestation of free, specific, informed and unequivocal will by which the
interested party accepts, either through a statement or a clear affirmative action, the
processing of personal data concerning you "
For their part, articles 6 and 7 of the RGPD refer, respectively, to the “Legality
of the treatment ” and the “ Conditions for consent ”:
Article 6 of the RGPD. "1. The treatment will only be lawful if at least one of the
the following conditions:
a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at his request of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
responsible for the treatment;
d) the treatment is necessary to protect vital interests of the interested party or of another
Physical person;
e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that on said
interests do not override the interests or fundamental rights and freedoms of the
interested party who require the protection of personal data, in particular when the
interested is a child.
The provisions of letter f) of the first paragraph will not apply to the treatment
carried out by public authorities in the exercise of their functions.
2. Member States may maintain or introduce more specific provisions
in order to adapt the application of the rules of this Regulation with respect to the
treatment in compliance with section 1, letters c) and e), setting moreover
specifies specific treatment requirements and other measures that ensure a
lawful and equitable treatment, including other specific situations of
treatment according to chapter IX.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 104
104/136
3. The basis of the treatment indicated in section 1, letters c) and e), must be
established by:
a) Union law, or
b) the law of the Member States that applies to the controller.
The purpose of the treatment must be determined in said legal basis or, as
relating to the treatment referred to in paragraph 1, letter e), will be necessary for the
fulfillment of a mission carried out in the public interest or in the exercise of powers
public conferred to the person in charge of the treatment. Said legal basis may contain
specific provisions to adapt the application of the rules of this
Regulation, among others: the general conditions that govern the legality of the treatment
by the person in charge; the types of data being processed; the interested
affected; the entities to which personal data may be communicated and the purposes
of such communication; the limitation of the purpose; the terms of conservation of the
data, as well as operations and treatment procedures, including
measures to guarantee a lawful and equitable treatment, such as those related to other
specific treatment situations in accordance with Chapter IX. Union law
or Member States will meet a public interest objective and will be proportional
to the legitimate end pursued.
4. When the treatment for a purpose other than that for which the data were collected
personal data is not based on the consent of the interested party or on the Law
of the Union or of the Member States that constitutes a necessary measure and
proportional in a democratic society to safeguard the stated objectives
in article 23, paragraph 1, the data controller, in order to determine
if the treatment for another purpose is compatible with the purpose for which they were collected
initially personal data, will take into account, among other things:
a) any relationship between the purposes for which the data was collected
personal and the purposes of the planned further processing;
b) the context in which the personal data was collected, in particular for what
Regarding the relationship between the interested parties and the person responsible for the treatment;
c) the nature of the personal data, specifically when categories are processed
special personal data, in accordance with article 9, or personal data
relating to convictions and criminal offenses, in accordance with article 10;
d) the possible consequences for the data subjects of the planned further processing;
e) the existence of adequate guarantees, which may include encryption or
pseudonymisation ”.
Article 7 of the RGPD .
"1. When the treatment is based on the consent of the interested party, the person in charge
must be able to demonstrate that he consented to the processing of his data
personal.
2. If the consent of the interested party is given in the context of a written statement
that also refers to other matters, the request for consent will be submitted
such that it is clearly distinguishable from other subjects, intelligibly and clearly
easy access and using clear and simple language. No part will be binding
of the declaration that constitutes an infringement of these Regulations.
3. The interested party will have the right to withdraw their consent at any time. The
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 105
105/136
Withdrawal of consent will not affect the legality of the treatment based on the
consent prior to its withdrawal. Before giving consent, the interested party
you will be informed of it. It will be as easy to withdraw consent as it is to give it.
4. When evaluating whether consent has been freely given, it will be taken into account in the
as much as possible the fact whether, among other things, the performance of a contract,
including the provision of a service, is subject to consent to the treatment of
personal data that are not necessary for the execution of said contract ”.
It takes into account what is expressed in recitals 32, 40 to 44 and 47 of the RGPD in
relation with the provisions of articles 6 and 7 above. From what is expressed in
these recitals, the following should be noted:
(32) Consent must be given by a clear affirmative act that reflects a
manifestation of free, specific, informed, and unequivocal will of the interested party
accept the processing of personal data concerning you, as a
written statement, including by electronic means, or an oral statement.
This could include checking a box on a website on the internet, choosing parameters
technicians for the use of information society services, or any
other statement or conduct that clearly indicates in this context that the data subject
accepts the proposal for the processing of your personal data. Therefore, the silence, the
Check boxes or inaction should not constitute consent. The
Consent must be given for all processing activities carried out with the
same or the same ends. When the treatment has several purposes, the
consent for all of them. If the consent of the interested party has to be given to
following a request by electronic means, the request must be clear, concise and not
unnecessarily disturbing the use of the service for which it is provided.
(42) When the treatment is carried out with the consent of the interested party, the
data controller must be able to demonstrate that he has given his
consent to the treatment operation. In particular in the context of a
written statement made on another matter, there must be assurances that the
interested party is aware of the fact that he gives his consent and of the extent to which
that makes. In accordance with Council Directive 93/13 / EEC (LCEur 1993, 1071),
an elaborate model declaration of consent must be provided
previously by the person responsible for the treatment with an intelligible formulation and
easy access that uses clear and simple language, and does not contain clauses
abusive. For the consent to be informed, the interested party must know how
minimum the identity of the person responsible for the treatment and the purposes of the treatment
which personal data is intended for. Consent should not be considered
freely provided when the interested party does not have a true or free choice or not
You can deny or withdraw your consent without suffering any harm.
(43) (…) It is presumed that consent has not been freely given when no
allow the separate authorization of the different data processing operations
personal despite being appropriate in the specific case, or when compliance with a
contract, including the provision of a service, is dependent on consent,
even when this is not necessary for such compliance.
It is also necessary to take into account the provisions of article 6 of the LOPDGDD:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 106
106/136
"Article 6. Treatment based on the consent of the affected party
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679,
The consent of the affected party is understood to be any manifestation of free will,
specific, informed and unequivocal for which it accepts, either through a
declaration or a clear affirmative action, the processing of personal data that
concern.
2. When it is intended to base the treatment of the data on the consent of the
affected for a plurality of purposes, it will be necessary to record in a
specific and unequivocal that said consent is granted for all of them.
3. The execution of the contract may not be subject to the consent of the affected party to the
processing of personal data for purposes that are not related to the
maintenance, development or control of the contractual relationship ” .
In accordance with the above, data processing requires the existence of a
legal basis that legitimizes it, such as the consent of the interested party provided
validly.
From the analysis of the gas service contracting procedures established by
EDP ​​ENERGÍA, SAU, it is clear that in the contracting carried out through the
telephone subchannels (CAC Inbound, Telemarketing and Leads) are requested from
representative permission to “complete the business profile of represented with
information on third-party databases, in order to send you commercial proposals
and the possibility of contracting or not certain services ”(evidence 2, 3 and 4).
Evidence 2, 3 and 4 show that the following information is provided to the contractor
“Your personal data and that of your client will be processed by EDP Comercializa-
dora SAU and EDP Energía SAU for the management of their contracts, fraud prevention,
creation of profiles based on customer and EDP information, as well as the realization of
zation of personalized communications about products or services directly
related to their contracts, being able at any time to oppose the same
more. "Your consent is then requested in the following terms:
"Additionally, so that EDP can advise you with the best proposals
tas:
Will you allow us to complete the commercial profile of your client with information from
third-party data sessions, in order to send you personalized proposals and the
possibility of contracting or not certain services? [OTHERWISE]"
Regarding the sales channel by external sales forces, in the
sales (evidence 6), the following consent request is included along with a
box to check the same:
"I consent to the processing of my personal data for the elaboration of my profile
with information from third party databases, for the
adoption, by EDP, of automated decisions in order to send
personalized commercial proposals, as well as to allow, or not, the contracting
of certain services. "
It is considered that the consent thus given is not adjusted to the provisions of the
RGPD and in the LOPDGDD. Consent is requested with deficient information,
As long as neither what third-party databases are going to be consulted nor what type of data are indicated
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 107
107/136
are going to be collected, so that the interested party is completely unaware of what
is consenting. Nor is it determined who will be responsible for the
treatment, a generic reference is made to EDP, without the client having
contracted a service only with one of the two entities (EDP
COMERCIALIZADORA SAU or EDP ENERGÍA, SAU) know if you are consenting
that such treatments are carried out by both entities or only the one of which
is a customer. Nor is it clear what type of services will be allowed to contract or not.
Such deficiencies do not allow the interested party to know the consequences of their
decision and thus assess the convenience of giving consent or not.
A single consent is also requested for two different purposes, although
both are automated, one of them is the sending of personalized advertising and, the
another, to give permission for the person in charge to determine whether or not to allow
certain services, so such consent cannot be considered to be
specific in the terms of articles 4.11 and 6.1.a) of the RGPD and 6.1 of the
LOPDGDD.
Regarding the automated decision regarding “to allow or not the hiring of a
service ”must also take into account the provisions of article 22 of the RGPD
according to which:
" 1. Any interested party shall have the right not to be the subject of a decision based on
only in automated processing, including profiling, which
produces legal effects on him or significantly affects him in a similar way.
2. Paragraph 1 shall not apply if the decision:
a) is necessary for the conclusion or execution of a contract between the interested party and
a data controller;
b) is authorized by the law of the Union or of the Member States that
apply to the person responsible for the treatment and also establish adequate measures
to safeguard the rights and freedoms and the legitimate interests of the interested party, or
c) is based on the explicit consent of the interested party.
3. In the cases referred to in section 2, letters a) and c), the person responsible for the
treatment will adopt the appropriate measures to safeguard the rights and
freedoms and legitimate interests of the interested party, at least the right to obtain
human intervention by the person in charge, to express their point of view and
challenge the decision.
4. The decisions referred to in paragraph 2 shall not be based on the categories
special personal data referred to in article 9, paragraph 1, except that
Article 9 (2) (a) or (g) applies, and measures have been taken
adequate to safeguard the rights and freedoms and the legitimate interests of the
interested."
In accordance with the provisions of said precept, insofar as the decisions
automated systems will produce legal effects on the interested party or will affect
meaningful way, consent must be explicit, so obtaining it is not
can be done in the same way as to obtain general consent,
having to be obtained in a reinforced way. To this must be added that Article 13 of the
RGPD in letter f) requires that significant information be provided to the interested party
on the applied logic, as well as the importance and expected consequences of
said treatment for the interested party. This information is not provided which, in addition,
may make it difficult for the interested parties to exercise their rights and especially
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 108
108/136
of those expressly included in art. 22 of the RGPD: right to obtain intervention
human rights on the part of the person in charge, to express their point of view and to challenge the
decision.
Alleges EDP ENERGÍA, S.AU. that consent is provided based on the
good practices enunciated by the AEPD and ratified by the LOPDGDD, so
that the interested parties are transferred through the double layer system, also alleges
that with respect to the absence of identification of the sources of third parties or
categories of data, such information may be derived from the information
provided to the client in the first layer (by clearly identifying that the treatment
will be made with third-party sources) as in the second layer, whose content
It appears in the section called "general conditions of the contract", whose
content indicates: “(II) The elaboration of commercial profiles of the Client by means of the
aggregation of EDP databases with data from databases
from third parties, in order to offer the Client personalized products and services,
thus improving the Customer experience. (III) Decision-making
automated, such as allowing the contracting, or not, of certain products
and / or services based on the Client's profile and particularly, on data such as, the
history of defaults, the history of hires, permanence, locations, data
consumption, types of devices connected to the energy network, and similar data
that allow to know in greater detail the risks associated with the contracting. (iv)
Based on the results obtained from the aggregation of the indicated data,
EDP ​​may make personalized offers specifically aimed at achieving the
contracting of certain EDP products and / or services. "
It indicates that as reflected in the cited text, EDP ENERGÍA has identified with
broad detail the types of data that are treated for the detailed purposes, being the
sources consulted for this an obvious derivation of the above. Finally alleges
that being the origin of the data the interested party, it only corresponds to the
Entity inform in accordance with the provisions of article 13 RGPD, provision that
does not establish, in any of its precepts, the obligation to identify or the source
nor the typology of the data. Only in the event that said treatment had been
come to effect, the Entity should have reported such extremes, since
Only at that time would the provisions of article 14 RGPD apply.
These claims cannot be shared, the double layer system is not intended
in the LOPDGDD as a mechanism that may lead to a breach of the
provided for in article 4.11 of the RGPD, according to which consent must be free,
specific, informed and unequivocal. It is worth remembering here what was indicated by the Committee
European Data Protection in the document "" Guidelines 05/2020 on the
consent in accordance with Regulation 2016/679 ”approved on May 4,
2020, which updates the Consent Guidelines under the Regulation
2016/679, adopted by the Article 29 Working Group and approved
by the European Data Protection Committee at its first plenary meeting. Points
said document in point 3.3.1. Minimum content requirements for the
consent is "informed":
"In order for consent to be informed, it is necessary to inform the interested party
certain elements that are crucial to be able to choose. Therefore, the CEPD is of the opinion that
At least the following information is required to obtain valid consent:
i. the identity of the person responsible for the treatment,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 109
109/136
ii. the end of each of the treatment operations for which the
consent,
iii. what (type of) data is to be collected and used,
iv. the existence of the right to withdraw consent,
v. information on the use of the data for automated decisions of
in accordance with Article 22 (2) (c), where relevant, and
saw. information on the possible risks of data transfer due to the
absence of a decision on adequacy and adequate guarantees, as stated
described in article 46. "
In the present case, the identity of the person responsible for the
treatment, since it is collected on behalf of EDP, it is a
ambiguous information, since EDP ENERGÍA, SAU's client does not know if it is
consenting to the data processing being carried out by EDP
COMERCIALIZADORA SAU and EDP ENERGÍA, SAU or only by the former
entity with which you are contracting. On the other hand, at no time are you informed
which are the third-party databases from which data will be obtained, or
even in the second layer, being inadmissible that he should deduce it himself
client of the categories of data that it deals with. Nor can it be admitted that only in
the assumption that the treatment had been carried out should be reported to the
interested party of what data are going to be treated, since only in such case would it result from
Article 14 of the RGPD applies. On the contrary, it is essential that the interested party
know what types of data are going to be collected and used, so such information,
This is the data from third-party databases that will be used and, obviously, which databases
They are those, it is an essential element so that the interested party knows what he is consenting to.
Claims that consent is specific cannot be shared
because there is a single purpose, such as the generation of a commercial profile,
whose use is limited to two interrelated contexts: (i) the first, to lead to
carry out the assessment of the possibility of contracting and, (ii) the second, to issue the
corresponding commercial offers to the user in question. Requests for
consent to allow the completion of the commercial profile mention two purposes
differentiated, one the sending of personalized commercial proposals, described with
this generic nature, which may include any unrelated commercial proposal
to its services and another, the possibility of contracting or not certain services, entering
the latter, where appropriate, in the field of automated decisions.
Nor can it be admitted, as EDP ENERGÍA, SAU alleges, that the information relating to
the elaboration of profiles and automated decisions, complies with what is required by the
Article 13 of the RGPD, since it informs about the existence of automated decisions,
including profiling and provides meaningful information on the logic
applied, as well as the importance and expected consequences of such treatment
for the interested party.
In this sense, it is necessary to take into account what is stated in the Guidelines on decisions
individual automated and profiling for the purposes of the Regulation
2016/679 adopted by the Working Group on Data Protection of article 29
on October 3, 2017, last revised and adopted on February 6, 2018
and approved by the European Data Protection Committee at its first meeting
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 110
110/136
plenary, which refers to the significant information on the logic applied in the
following terms:
" Significant information on" applied logic "
The growth and complexity of machine learning can make it difficult
understand how an automated decision-making or profiling process works.
The data controller must find simple ways to inform the interested party about
the underlying logic or criteria used to arrive at the decision. The GDPR requires that the
responsible for the treatment offers meaningful information on the logic applied, not
necessarily a complex explanation of the algorithms used or the disclosure of the entire
algorithm.
However, the information provided must be sufficiently exhaustive so that the
interested party understands the reasons for the decision.
Example
A controller uses the credit rating to evaluate and reject a
loan application from a person. The rating may have been provided by a
credit reference body, or have been calculated directly from information
held by the person responsible for the treatment.
Regardless of the source (information about the source must be provided to the interested party in
under article 14, paragraph 2, letter f), when the personal data have not been obtained
from the interested party), if the controller is based on this qualification,
You must be able to explain this qualification to the interested party, as well as the reasons for it.
The controller must explain that this process helps them make decisions
fair and responsible on loans. It should also provide details about the
main characteristics considered when making the decision, the source of this
information and relevance. This may include, for example: • information provided by the
interested in the application form;
• information on the behavior of accounts, including payment arrears; and •
information from official public records, such as fraud information or records of
insolvency. Likewise, the person responsible for the treatment must include information to warn the
interested that the credit rating methods used are periodically checked
to ensure that they remain fair, effective and impartial. The person responsible for
treatment must offer contact information for the interested party to request the
reconsideration of the rejected decisions, in accordance with the provisions of the
article 22. "
This document also indicates the «Importance» and «consequences
planned »that“ This term suggests that information should be provided on the
planned or future treatment, and how the automated decision may affect the
interested. In order for this information to be meaningful and understandable, they must
offer real and tangible examples of the kind of possible effects. "
In the present case, in the opinion of this Agency, such requirements are not met: no
It is reported what type of products or services it will allow to contract, the
logic to apply to make this decision, limiting itself to indicating that a
set of data that “allow to know in greater detail the risks associated with the
contracting ”, therefore not knowing what type of products or services can be
allow hiring or the logic to apply for making said decision is not
You can know its importance or the expected consequences.
On the other hand, this Agency does not share the allegation that there is a competition
medial between these violations and the violation of article 13 of the RGPD. It fits this
In this regard, cite the judgment of July 16, 2019 of the National High Court, in which
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 111
111/136
it is stated that “Thus, as regards the existence of a medial contest between the two
infractions, which would determine the imposition of a single sanction, this Chamber has
repeatedly declared (judgments of January 29 and June 24, 2014
(resource 562/12 and 141/2013), among others, that both offenses are independent
and there is no medial relationship that is intended between the two, but rather: «[...] they can
be carried out with absolute independence, since they present their own substantivity and are
autonomous from each other, since they protect data protection principles
different, in one case the unequivocal consent that requires all treatment of
personal data (article 6.1 LOPD), and, in another, the quality of said personal data
(article 4.3 LOPD), in order to safeguard the power of disposal of the owner of the
themselves, which integrates the fundamental right to data protection (...) Of the
In the same way, it must be considered that the three infractions of article 6, 13 and 22 of the
RGPD are independent infringements, in this sense it should be taken into account that
Information constitutes an essential element of consent, in accordance with
the provisions of article 4.11 of the RGPD, being determinant of its existence, of
so that its absence will result in the consent being invalid, thus being able to
violate both article 6 and, where appropriate, 22 when the treatment is
based on the explicit consent of the interested party. On the other hand, there is a
principle of general transparency regarding all the processing carried out
the interested party and that is reflected in the provisions of articles 12 to 14. In this way
it may be the case that assumptions occur, in which in addition to the
non-existence of informed consent, the principle of transparency is violated
in general for all the treatments carried out by the interested party,
thus violating the provisions of articles 12 to 14, without implying a
medial infraction contest.
EPD ENERGÍA, SAU alleges that the treatment related to the creation of a profile
commercial based on the information of third parties for the referral of information
advertising is not, in practice, being carried out, nor at the date of issuance of the
present allegations, nor prior to them. It also alleges that,
even though EDP ENERGÍA includes the possibility of profiling and adopting
automated decisions, the only profiling performed, is related to the qualification of
clients regarding fraud prevention, treatment for which there is
legal authorization and is based on the legitimate interest of EDP ENERGÍA, with
the purpose of safeguarding the success of the contracts made by EDP
ENERGY, as well as preventing customers, whose sole purpose is to consume the service
energy without paying the bills, become part of the client portfolio. Without
detriment to the foregoing, the owners of the data are informed that said profiling is
reviewed and finally processed by EDP ENERGÍA staff, which is why no
can be considered as an automated decision in itself, taking into account in this
meaning to the literal wording of the concept established by the authorities. In other words,
nor is there any data processing based on automated decisions, nor is there
any manifestation about said treatments, since outside of the strictly
necessary to continue with the service and those provided by law, are not
carried out, which is why, not only can it not be considered that there are
non-compliance with article 22 of the RGPD, as the requirements are met
collected by the regulations, but there are not, nor can there be data owners who
may have been affected by such treatments.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 112
112/136
The purpose of this procedure at this point is to examine the
consent for the enrichment of profiles with third-party databases to
effects of sending advertising communications and possible decisions
automated systems that produce legal effects or significantly affect the
interested party and that are also based on their consent. Therefore
The profiling carried out will not be the object of a pronouncement in this procedure
for the prevention of fraud, which EDP ENERGÍA, SAU bases on the interest
legitimate, neither with regard to its legitimacy nor in relation to whether there are
automated decisions based on such profiling.
The instruction of the procedure has not made it possible to verify that EDP ENERGÍA, SAU
has carried out profiling incorporating data from third party databases or
data processing based on automated decisions that produce effects
legal or significantly affect the interested party who had consented to such
treatments, as requested during the hiring process.
This Agency considers that in the event that it was intended to carry out the
treatments mentioned in the previous paragraph, these should be adjusted to the
expressed demands and the requirements that make it possible to consider that the
Consent has been validly given and all the
Requirements required in accordance with article 22 of the RGPD.
Consequently, it is deemed appropriate that due to lack of evidence, taking into account the
principle of presumption of innocence expressly included for the proceedings
administrative penalties in article 53.2.b) of Law 39/2015, of 1
October, of Common Administrative Procedure of Public Administrations,
which recognizes the interested party the right “ To the presumption of non-existence of
administrative responsibility until proven otherwise ”, it is not considered
attributable to EDP ENERGÍA, SAU the violation of the provisions of articles 6 and
22, considered as possible infractions in the agreement to initiate this
sanctioning procedure.
IV
Article 12.1 of the RGPD provides that “ The person responsible for the treatment will take the
appropriate measures to provide the interested party with all the information indicated in the
Articles 13 and 14, as well as any communication pursuant to Articles 15 to 22
and 34 related to the treatment, in a concise, transparent, intelligible and easily
access, with clear and simple language, in particular any information directed
specifically to a child. The information will be provided in writing or by others
means, including, if applicable, by electronic means. When requested by the
interested party, the information may be provided verbally provided that the
identity of the interested party by other means. "
Articles 13 and 14 list the categories of information to be provided
when the personal data is obtained from the interested party and when the data
personal data have not been obtained from the interested party, respectively.
When personal data is collected directly from the interested party, the information
It must be provided at the same time that data collection takes place.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 113
113/136
It has article 13 of the RGPD
"Information that must be provided when personal data is obtained from the
interested
1. When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide
all the information indicated below:
a) the identity and contact details of the person in charge and, where appropriate, of their
representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the treatment to which the personal data are destined and the legal basis
of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate rights of the person responsible or a third party;
e) the recipients or categories of recipients of personal data, in their
case;
f) where appropriate, the intention of the person responsible to transfer personal data to a third party
country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the
adequate or appropriate warranties and the means of obtaining a copy of these or
to the fact that they have been borrowed.
2. In addition to the information mentioned in section 1, the person responsible for the
treatment will facilitate the interested party, at the time the data is obtained
personal information, the following information necessary to guarantee data processing
loyal and transparent:
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this deadline;
b) the existence of the right to request the data controller for access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, or to oppose the treatment, as well as the right to portability
of the data;
c) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide
personal data and is informed of the possible consequences of not
provide such data;
f) the existence of automated decisions, including profiling, to be
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.
3. When the data controller plans the further processing of data
personal data for a purpose other than that for which they were collected, will provide the
interested party, prior to said further processing, information on that other purpose
and any additional relevant information pursuant to section 2.
4. The provisions of paragraphs 1, 2 and 3 shall not apply when and in the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 114
114/136
to the extent that the interested party already has the information. "
Article 14
" Information to be provided when personal data has not been obtained
Of the interested
1. When the personal data have not been obtained from the interested party, the person in charge
of the treatment will provide you with the following information:
a) the identity and contact details of the person in charge and, where appropriate, of their
representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the treatment to which the personal data are destined, as well as the basis
legal treatment;
d) the categories of personal data in question;
e) the recipients or categories of recipients of personal data, in their
case;
f) where appropriate, the intention of the person responsible to transfer personal data to a
recipient in a third country or international organization and the existence or absence
of an adequacy decision of the Commission, or, in the case of transfers
indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph,
reference to adequate or appropriate guarantees and means of obtaining a
a copy of them or the fact that they have been loaned.
2. In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party with the following information necessary to guarantee
a fair and transparent data processing with respect to the interested party:
a) the period during which the personal data will be kept or, when that is not
possible, the criteria used to determine this deadline;
b) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate rights of the person responsible for the treatment or of a third party;
c) the existence of the right to request the data controller for access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, and to oppose the treatment, as well as the right to portability
of the data;
d) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
consent before its withdrawal;
e) the right to file a claim with a supervisory authority;
f) the source from which the personal data come and, where appropriate, if they come from
public access sources;
g) the existence of automated decisions, including profiling, to which
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.
3. The person responsible for the treatment will provide the information indicated in sections 1 and
two:
a) within a reasonable period of time, once the personal data has been obtained, and more
take within a month, taking into account the specific circumstances in which
said data is processed;
b) if the personal data are to be used for communication with the interested party, to
at the latest at the time of the first communication to said interested party, or
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 115
115/136
c) if it is planned to communicate them to another recipient, at the latest at the time
that the personal data are communicated for the first time.
4. When the data controller plans the further processing of the data
personal data for a purpose other than that for which they were obtained, will provide the
data subject, before said further processing, information on that other purpose and
any other relevant information indicated in section 2.
5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent
in what:
a) the interested party already has the information;
b) the communication of such information is impossible or involves an effort
disproportionate, in particular for processing for archival purposes in the interest
public, scientific or historical research purposes or statistical purposes, subject to
the conditions and guarantees indicated in article 89, paragraph 1, or to the extent
that the obligation mentioned in paragraph 1 of this article may
make it impossible or seriously impede the achievement of the objectives of such treatment. On
such cases, the person in charge will adopt adequate measures to protect the rights,
freedoms and legitimate interests of the interested party, including making public the
information;
c) the obtaining or the communication is expressly established by the Law of the
Union or Member States that applies to the controller and that
establish adequate measures to protect the legitimate interests of the data subject, or
d) when personal data must continue to be confidential about the
basis of an obligation of professional secrecy regulated by Union law or
of the Member States, including an obligation of secrecy of a statutory nature.
For its part, article 11, numbers 1 and 2 of the LOPDGDD provides the following:
" Article 11. Transparency and information to the affected 1. When personal data
are obtained from the affected party, the person responsible for the treatment may comply with the
duty of information established in article 13 of Regulation (EU) 2016/679
providing the affected party with the basic information referred to in the following section and
indicating an electronic address or other means that allows you to access in a
simple and immediate to the rest of the information.
2. The basic information referred to in the previous section must contain, at the
less: a) The identity of the person responsible for the treatment and of their representative, in their
case. b) The purpose of the treatment. c) The possibility of exercising rights
established in articles 15 to 22 of Regulation (EU) 2016/679. If the data
obtained from the affected party were to be processed for profiling,
Basic information will also include this circumstance. In this case, the
affected must be informed of their right to oppose the adoption of decisions
individual automated that produce legal effects on him or affect him
significantly similarly, when this right concurs in accordance with the
provided for in Article 22 of Regulation (EU) 2016/679 ”.
In relation to this principle of transparency, it also takes into account the
expressed in Recitals 39, 58, 60 and 61 of the RGPD.
(39) “All processing of personal data must be lawful and fair. For the people
it should be made absolutely clear that they are collecting, using, consulting
or otherwise processing personal data that concerns them, as well as the extent
in which said data is or will be processed. The principle of transparency requires that all
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 116
116/136
information and communication regarding the processing of said data is easily
accessible and easy to understand, and that simple and clear language is used. Saying
The principle refers in particular to the information of the interested parties about the identity
of the person responsible for the treatment and the purposes thereof and the information added to
guarantee fair and transparent treatment with regard to natural persons
affected and their right to obtain confirmation and communication of the data
personal concerns that are subject to treatment. Natural persons
must be aware of the risks, rules, safeguards and rights
relating to the processing of personal data as well as the way to enforce their
rights in relation to the treatment. In particular, the specific purposes of the
processing of personal data must be explicit and legitimate, and must
be determined at the time of collection. Personal data must be
adequate, relevant and limited to what is necessary for the purposes for which they are
treaties. This requires, in particular, ensuring that their
conservation period. Personal data should only be processed if the purpose of the
treatment could not reasonably be accomplished by other means. To ensure that
personal data is not kept longer than necessary, the person responsible for the
Treatment must establish deadlines for its deletion or periodic review. Must
take all reasonable steps to ensure that they are rectified or deleted
personal data that are inaccurate. Personal data must be a
a way that ensures adequate data security and confidentiality
personal data, including to prevent unauthorized access or use of said data and
of the equipment used in the treatment. "
(58) “The principle of transparency requires that all information directed to the public or the
is concise, easily accessible and easy to understand, and that a
clear and simple language, and, in addition, where appropriate, is displayed. This information could
be provided in electronic form, for example, when addressed to the public, through
a website. This is especially relevant in situations where proliferation
number of agents and the technological complexity of the practice make it difficult for the
interested to know and understand if they are being collected, by whom and for what purpose,
personal data concerning you, as in the case of online advertising.
Since children deserve specific protection, any information and
Communication whose treatment affects them must be facilitated in clear language and
simple that is easy to understand. "
(60) “The principles of fair and transparent treatment require that the
interested in the existence of the treatment operation and its purposes. The responsible
of the treatment must provide the interested party with any additional information
necessary to guarantee fair and transparent treatment, taking into account the
specific circumstances and context in which personal data is processed. I know
must also inform the interested party of the existence of profiling and of
the consequences of such elaboration. If the personal data is obtained from
interested parties, they should also be informed of whether they are obliged to provide them and of the
consequences should they fail to do so. Such information may be transmitted in
combination with standardized icons that offer, in an easily visible way,
intelligible and clearly legible, an adequate overview of the treatment
provided. Icons presented in electronic format must be legible
mechanically."
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 117
117/136
(61) “The interested parties should be provided with information on the treatment of their
personal data at the time it is obtained from them or, if obtained from another
source, within a reasonable time, depending on the circumstances of the case. If the
personal data can be legitimately communicated to another recipient, it must
inform the interested party at the time they are communicated to the recipient for the first
time. The person responsible for the treatment that plans to process the data for a purpose that does not
be the one for which they were collected must provide the interested party, before said
further processing, information on that other purpose and other necessary information.
When the origin of the personal data cannot be provided to the interested party due to
various sources have been used, general information should be provided. "
Examining the information provided by EDP ENERGÍA, SAU, it is observed that the
It does not meet the requirements of article 13 of the RGPD.
1 In the first place, when contracting is carried out through the subchannels
CAC Inbound, Telemarketing and Leads, the information is provided by telephone from the
as follows, as can be seen from the evidence provided:
In the CAC Inbound channel, the person who makes the contracting by phone is indicated
following: “Your personal data and that of your client will be processed by EDP
Comercializadora SAU and EDP Energía SAU to manage their contracts,
fraud prevention, profiling based on customer information and
EDP, as well as the realization of personalized communications about products or
services directly related to their contracts, being able at any time
moment to oppose them. "(Evidence 2, CAC Inbound channel hiring.)
In the Telemarketing and Leads contracting sub-channels, in addition to the information
that appears in the previous paragraph, the following information is added: “We remind you
that they may exercise their rights of access, rectification, or opposition at any time.
deletion, deletion, limitation and portability, through any of the indicated channels
in the General Conditions that can be consulted on our website *** URL.1 . " (evi-
dences 3 and 4)
Said information is not in accordance with the provisions of article 13 of the RGPD in
in relation to the provisions of article 11 of the LOPDGDD, as well as in the first of the
sos the information is incomplete since during the hiring process in the
Canal CAC Inbound is not informed of the possibility of exercising the rights established
two in articles 15 to 22 of the RGPD, nor is it indicated who hires an address
electronic or other means that allows easy and immediate access to the rest of the
you information.
It is alleged that at the beginning of the call the following phrase is heard "This call
can be recorded. The data you provide us will be processed by EDP Energía,
SAU and / or EDP Comercializadora, SAU for the management of your request or inquiry.
You can exercise the rights of access, rectification, deletion, opposition, limitation and
portability at any time. Check the Privacy Policy on our website
edpenergia.es or press 0 ”. It also considers that according to article 13.4 of the RGPD,
The obligation to inform does not apply to the extent that the interested party already
has the information and that in the case that concerns us, taking into account that the
initial speech is played automatically on each call, there is enough left
It has been accredited that any interested party who contacts EDP ENER-
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 118
118/136
GÍA, through the CAC Inbound Channel, receives information related to data protection
personal coughs.
Such allegations cannot be shared, in the opinion of this Agency an in-
formation in a fragmented and dispersed way that does not comply with the provisions of
articles 13 of the RGPD and 11 of the LOPDGDD, as well as in the initial locution that according to
alleges, in any case, when the call is initiated, the interested party is informed of the transaction.
processing of your data for the generic purposes of “managing the request or consulting
ta ”you are informed of the possibility of exercising the rights recognized by the RGPD and
You are directed to the privacy policy on the website or you are instructed to dial 0. In
that second locution, the purposes are extended to those of conducting surveys and
participation in raffles, games and promotions, without, on the other hand, being informed of
the legal basis for participation in sweepstakes games and promotions, but does not contain any
Any reference to purposes other than those mentioned in this paragraph.
In the information that is provided in the framework of telephone contracting in the channel
CAC Inbound, according to evidence 2, other different purposes are listed, so-
The mind makes reference to the possibility of opposing personal communications
made on products or services directly related to the contracts, and
the interested party is not directed to the General Contract Conditions, which contain
They would, apart from the deficiencies that this Agency has observed in them, the
specific information related to such purposes.
It is not satisfied with the possibility of reporting by layers, that the interested party must
go to different phrases to know the basic information referred to in the
Article 11 of the LOPDGDD, so that the interested party must deduce from a first
locution that can exercise rights other than opposition to co-communications.
commercial, the only one that is informed at the time of hiring. By another pair-
you, none of the aforementioned phrases refers the interested party to the general conditions
contract where the required information is found in accordance with article 13
related to the purposes mentioned during the hiring in the CAC In-
bound, but refer generically to the privacy policy of the website,
that does not contemplate that specific information.
On the other hand, the electronic address indicated in evidence 3 and 4, in the
co of telephone contracting in the Telemarketing and Leads channels, does not allow ac-
assign in a simple and immediate way to such information, thus violating the provisions of
Article 11.1 of the LOPDGDD. From the examination of the search process for the
General provisions (as documented in the ninth number of the events)
It follows that the address provided does not lead directly to the required information.
gible in accordance with article 13 of the RGPD, but to the website of the interested party, where
a search must be carried out that, in addition, yields several similar results and
requires looking at the general conditions (which include numerous aspects relating to
to contracting) the information related to data protection, so it cannot
be considered that such electronic address allows immediate access to such information
training or access is easy for anyone.
It is alleged by EDP ENERGÍA that in order to meet the aforementioned general conditions
a simple search is enough to access them directly, using to
This is done in the search engine available on the website. Performing the search for "conditions
contracting "or" general contracting conditions ", are published as the first
results the documents related to the general contracting conditions.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 119
119/136
Such allegation cannot be shared, even using the page's own search engine.
gina the information is not directly accessible, as demonstrated in the
search process documented by this Agency.
In this regard, it should be recalled that the “Guidelines on transparency under the
Regulation 2016/679 ", adopted on 11/29/2017 and revised on 04/11/2018." approve-
given by the European Data Protection Committee at its first plenary meeting,
they point out that “Both articles 13 and 14 refer to the obligation by which
the data controller "will provide all the information indicated below"
to the interested party. The key word in this expression is "will facilitate." This means that the
data controller must take active measures to provide the information
tion in question to the interested party or actively direct the interested party to the location of this
(eg by direct link, use of a QR code, etc.). The interested party does not
you should have to actively search for the information covered by such articles between
information of another type, such as the conditions of use of a website or
an app." On the other hand, although this Agency positively values ​​that it has
created a direct access to the information required by article 13 of the RGPD, this does not
invalidates the fact until its creation, after the proposed resolution,
access to information lacked that element of immediacy and simplicity required
by article 11 LOPDGDD.
It is also alleged that an infringement of the duty of transparency was not committed.
while the complete information on data protection (with the content of
required by the regulations) is contained within the general conditions of con-
treatment that are sent to the interested party after hiring. This cannot be shared
argument, the information must be provided to the interested party at the time it is obtained
have the data, without being able to defer that moment to the reception of the contract.
Article 13 of the RGPD determines in its first section when the
information by providing that “ When personal data is obtained from an interested party
relating to him, the person responsible for the treatment, at the moment in which these are obtained
gan, will provide you with all the information indicated below: (…) ”, (the underlining is
the AEPD). The LOPDGDD allows said information to be provided in layers,
providing the interested party during the data collection basic information, whose
content determines, and allowing to indicate an electronic address or other means that
allow easy and immediate access to the rest of the information. The element
immediacy is essential to comply with article 13 of the RGPD, of
so providing the information days later when a contract is received, not
complies with the requirement to provide the information that according to said precept
it must be communicated "at the time the data of the interested party is obtained".
In this same sense, the aforementioned "Guidelines on transparency under the
Regulation 2016/679 ”state that“ Regardless of the formats used,
In this tiered approach, WP29 recommends that the first 'tier' (that is,
the main means by which the person in charge interacts for the first time with the interested party)
regularly transmit the most important information (mentioned in the section
36), namely the details of the purposes of the treatment, the identity of the controller and the
existence of the rights of the interested party, together with information on the greater
cusion of the treatment or the treatment that could surprise the interested party. For example-
For example, when the first contact with an interested party is by telephone, this information
mation could be facilitated during the call with the interested party and he could receive the
rest of the information required under article 13 or 14 by other additional means
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 120
120/136
otherwise, for example, by sending you a copy of the privacy policy by e-mail.
tronic or a link to the online privacy statement / notice of the person in charge. " It is-
E-mail or link to the privacy statement, have the same effect-
mind in that element of immediacy, which allows to comply with what is foreseen in
Article 13.
In this regard, the considerations contained in the dicta-
menu of the State Council to the preliminary draft of the Organic Law on Data Protection
of a personal nature, in which the following was indicated regarding the information by
layers:
“(…) If the information is provided in another format, or through different“ layers ”, it will not be
will be violating the principle of transparency, but the person in charge must assess whether
the principle has been adequately fulfilled or if some type of additional measure is required
protection of rights, (…) ”. And it added “(…) Without prejudice to the foregoing,
It should be remembered that Article 13 requires that all the information that must be
supplied to the interested party is provided at the time the data is obtained
personal object of treatment. Despite the direct applicability of this provision
of the Regulations, it would be convenient for Article 12 of the preliminary draft to specify that
This "layered" information method cannot in any case imply a delay
in the provision of information considered "non-basic."
2 .On the other hand, with regard to the information provided both by telephone
(evidences 2,3, and 4) as in the general conditions (evidence 6 and document of
general conditions of the website) the following is observed:
A. Regarding the person responsible for the treatment, it is indicated in evidence 2, 3, 4 and 5
that the data will be "processed by EDP Comercializadora SAU and EDP Energía SAU"
which does not necessarily correspond to the entity with which you are contracting,
since when only the energy service is contracted or only that of
gas, the person responsible will be one or the other, without being correctly informed in such cases
to the interested party about who is responsible for the treatments. The same reproach
It should be done to the information provided in the general conditions in which
indicates “Said data, in addition to those obtained as a result of the execution of the
contract, will be processed by EDP COMERCIALIZADORA, SAU, domiciled at
C / General Concha, 20, 48001, Bilbao and by EDP ENERGÍA, SAU with address at
Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers "
It is also an inaccurate information, since they will be responsible
one or another entity depending on the contracted service or, where appropriate, each of the
entities for the respective treatments derived from the contract and the possible
consents granted, without this information being clear to the client. TO
this imprecision in the determination of the person in charge is added to refer
generically to EDP in the rest of the information provided, so that the
The interested party does not know in the case of other treatments which is the responsible entity.
In this regard, EDP ENERGÍA, SAU alleges that the customer is informed about the
identity of the person responsible for the treatment through the privacy policy in relation to
tion with the contracting conditions: Privacy policy: “the data will be processed
two by EDP Comercializadora SAU and EDP Energía SAU ”. Specific conditions
of the contract: "The customer contracts, for the supply indicated, the supply of gas
with EDP Comercializadora, SAU and the supply of electricity and / or services
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 121
121/136
complementary with EDP ENERGIA, SAU, (hereinafter jointly and / or individually
te, as appropriate, referred to as “EDP”) in accordance with the Specific Conditions
which are set out below and the General Conditions in the annex ”. Therefore, the
interested party -which has full capacity to contract and, therefore, it is presumed-
ne that you should be able to understand the terms and conditions that govern di-
hiring, you are aware at all times that, depending on how you contract the service
gas and / or electricity supply, your data will be processed by one or both entities
dades.
This allegation cannot be shared by this Agency, as stated by EDP
ENERGÍA, SAU can only be admitted that what the client knows is the entity with
who has contracted the services, but not the person in charge of the different treatment
of data that can be made, since as previously stated, in other
evidence and in the contracting conditions themselves, it is stated that both entities
des are responsible for data processing (evidence 2.3 and 4 and 5) and the
generic EDP formula that includes both.
Regarding other explanations by EDP ENERGÍA, SAU such as the absence of activities
of one of the entities and the possible sale to third parties, already carried out as stated,
do not justify the inaccuracy of the information, since it is contracted on behalf of two entities
different communities, regardless of whether one is active or not, an aspect that
is relevant from the point of view of data protection, since said entity
dad continues to act as the controller.
B. Regarding the purposes and legitimizing bases of data processing, it is
indicate in the general conditions the following "manage, maintain, develop,
complete and control the contracting of electricity and / or gas supply and / or
complementary services of and / or gas and / or complementary services of revision and / or
technical assistance and / or points program, and / or service improvement, to carry out
of fraud prevention actions, as well as profiling,
personalized commercial communications based on information provided by the
Client and / or derived from the provision of the service by EDP and related to
products and services related to the supply and consumption of energy,
maintenance of facilities and equipment. These treatments will be carried out
in strict compliance with current legislation and to the extent that they are
necessary for the performance of the contract and / or the satisfaction of legitimate interests
of EDP, provided that other rights of the client do not prevail over the latter. "
This Agency considers that it is not easy for anyone, without
knowledge of data protection matters, differentiate which treatments
derive from the contract and which are based on the legitimate interest of the person responsible.
Nor is it indicated what is the legitimate interest that the person in charge attributes to himself. Result
essential for the exercise of the rights of the interested parties to know the legal basis
on which the treatment is based, in particular to be able to exercise your right to
opposition to the treatment when it is based on the legitimate interest of the
responsible in accordance with the provisions of article 21 of the RGPD.
In this sense, the Guidelines on Transparency under the
Regulation (EU) 2016/679, adopted on November 29, 2017 by the Group of
Article 29 work that “The specific interest in question must be identified in
benefit of the interested party. As a matter of good practice, the person responsible for the treatment
The data subject can also provide the interested party with the information resulting from the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 122
122/136
deration »that must be carried out in order to be able to benefit from the provisions of article
6, section 1, letter f), as a lawful basis for the treatment, prior to any
collection of the personal data of the interested parties. To avoid information fatigue,
This may be included within a structured privacy statement / notice in ni-
veles (see section 35). In any case, the position of the GT29 is that the information
The information addressed to the interested party must make it clear that he or she can obtain information
Read the weighting test upon request. This is essential for the
transparency is effective when interested parties doubt whether the weighting test
tion has been carried out fairly or they wish to make a claim. "
This Agency does not share the argument that neither Article 13 nor any other provision
The legal concept requires that the privacy policy list each purpose, indicating the specific
specifically the basis of legitimation that results from application, the wording of the
Article 13 requires that the interested party be informed of “the purposes of the treatment to which
allocate the personal data and the legal basis of the treatment ”, that is, the use of the
singular already makes it clear that the legal basis of each treatment must be indicated. The
Transparency is closely linked to the legality of the treatment, article 5.1.a) of the
RGPD indicates as one of the principles related to the treatment the principle of legality,
loyalty and transparency. The legal basis determines the legality of the treatment, so
The person in charge must inform the interested party in each case that there is a legal basis
appropriate authority to carry out said treatment in accordance with article 6 of the RGPD, without
that it is admissible that the interested party has to interpret the privacy policy to
determine what may be the legitimizing basis for each treatment .
This Agency also does not agree with the allegation that “for any person
na it may be evident that treatments such as “manage, maintain, develop, comply with
define and control the contracting of electricity and / or gas supply and / or services
complementary services of and / or gas and / or complementary services of revision and / or assistance
technical and / or points program, and / or service improvement ”are closely related
n related to the execution of the contract, the rest being assignable to the legitimate interest.
In this sense, it is worth remembering what is stated in the aforementioned “Guidelines
ces on transparency under Regulation 2016/679 ”. In them the
scope to be attributed to the elements of transparency established in article
Article 12 of the RGPD, according to which the data controller will take the measures
appropriate to “provide the interested party with all the information indicated in articles 13 and
14, as well as any communication in accordance with articles 15 to 22 and 34 regarding the
treatment, in concise, transparent, intelligible and easily accessible form, with a language
clear and simple gage ”, which must be related to what was expressed in the Consideration
Section 39 of the aforementioned Regulation. From what is stated in said Guidelines, it is worth highlighting
at this time the following: “The requirement that the information be“ intelligible ”wants
re to say that it must be understandable to the average member of the target audience.
Intelligibility is closely linked to the requirement to use clear language
And simple. A data controller who acts with proactive responsibility co-
You will know the people about whom you collect information and you can use this knowledge
to determine what said audience is likely to understand… ”. In the
In this case, the services provided by EDP ENERGÍA, SAU are aimed at all
citizens, so that it cannot be presumed that anyone can enter
tend when it comes to one legal basis or another. In this sense, the allegations themselves
tions point out that their clients do not distinguish between opposition and revocation of the
feeling, which shows that, in general, they lack knowledge
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 123
123/136
technicians in the field and cannot distinguish between different legal bases,
that involve an exercise of rights in a different way.
Regarding the information on the legitimate interest that the person in charge attributes to himself,
EDP ​​ENERGÍA, SAU alleges that they are clearly displayed and posted
in relation to the purposes pursued, that is: fraud and merchandise prevention
cadotecnia, in relation to the sending of personalized commercial communications.
In these cases, it is obvious that there is an identification between the informative purpose
gives and self-interest pursued, so making a separate allusion to the latter
it would be redundant.
This claim cannot be admitted, within the treatments indicated by EDP
the basis of which is their legitimate interest, the "profiling" is mentioned regarding
of which neither the legitimate interest nor the purpose is indicated.
In this sense, the Guidelines of the Working Group on Article
29 on automated individual decisions and profiling for the purposes of
Regulation 2016/679, adopted on 10/03/2017 and revised on 02/06/2018, indicate what
following:
“The transparency of the treatment is a fundamental requirement of the GDPR.
The profiling process is usually invisible to the person concerned. Works
creating derived or inferred data about people ("new" personal data
that have not been directly provided by the interested parties themselves). People
have different levels of understanding and it may be difficult for them to understand the
The techniques of the profiling processes and automated decisions ”.
“Taking into account the basic principle of transparency that underpins the RGPD, the
data controllers must ensure that they explain to people in a manner
clear and simple operation of profiling or self-decision making
nuanced.
In particular, when the treatment involves decision-making based on the
profile creation (regardless of whether they fall within the scope of the
provisions of article 22), the user should be made aware of the fact that the treatment is intended to
purposes of both a) profiling and b) adoption of a decision on the
base of the generated profile
Recital 60 establishes that providing information about the preparation of
files is part of the transparency obligations of the data controller
according to article 5, paragraph 1, letter a). The interested party has the right to be informed
by the data controller, in certain circumstances, about their rights
opposition to 'profiling' regardless of whether they have
made individual decisions based solely on automated processing
The basis for profiling ”.
"The person in charge of the treatment must explicitly mention to the interested party details
on the right of opposition according to article 21, paragraphs 1 and 2, and present them clearly
rally and apart from any other information (Article 21, paragraph 4).
According to article 21, paragraph 1, the interested party can object to the treatment (including
profiling) for reasons related to your particular situation. The
data controllers are specifically obliged to offer this right
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 124
124/136
in all cases in which the treatment is based on article 6, paragraph 1, letters
e) of) ”.
In this case, in the opinion of this Agency, the information requirements are not met.
previously described. EDP ​​ENERGÍA, SAU, limits itself to reporting on the “performance of
profiles ”, but it does not offer information on the type of profiles to be made,
the specific uses to which these profiles are to be put or the possibility that the
The person concerned can exercise the right of opposition in application of article 21 of the
GDPR.
The claim that profiling is associated with
sending personalized commercial communications. As indicated
When determining the purposes in the first paragraph of the general conditions, the
the following are: “manage, maintain, develop, complete and control the
contracting supply of electricity and / or gas and / or complementary services of and / or
gas and / or complementary services of revision and / or technical assistance and / or program of
points, and / or improvement of the service, to carry out actions to prevent
fraud, as well as profiling, personalized commercial communications
based on information provided by the Client and / or derived from the provision of the
service by EDP and related to products and services related to the
supply and consumption of energy, maintenance of facilities and equipment "
clearly separating the purpose of profiling from that of sending
commercial communications.
In the same way, as evidenced by evidence 2, 3 and 4 during
In the telephone contracting process through a representative, the representative is informed of
that: “Your personal data and that of your client will be processed by EDP Comer-
cializadora SAU and EDP Energía SAU for the management of their contracts, prevention of
fraud, profiling based on customer and EDP information, as well as
the realization of personalized communications about products or services directly-
related to their contracts, being able at any time to oppose the
themselves. "It is also reported with respect to profiling as a treatment
treatment or different and separate treatments of the sending of personalized communications
on products or services directly related to the contracts, such as
try the use of the conjunctive phrase “as well as”.
In any case, even when it could be taken for granted, that EDP ENER-
GÍA, SAU was to link both purposes, the way in which information is given in
fringe the principle of transparency, as stated in recital 60 “The principles
Fair and transparent treatment principles require that the interested party be informed of the existence of
tenance of the processing operation and its purposes. The person responsible for the treatment must
provide the interested party with any additional information necessary to guarantee
fair and transparent treatment, taking into account the circumstances and the
specific text in which personal data is processed. You must also inform the
interested party regarding the existence of profiling and the consequences of
cha elaboration. "
C. The general conditions also provide the following information regarding
of the treatments based on the consent of the interested party:
“As long as the client has explicitly accepted it, their personal data will be
treated, even once the contractual relationship has ended and provided that there is no
Produces opposition to said treatment, to:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 125
125/136
(I) The promotion of financial services, payment protection services, automotive
or related and electronic, own or third parties, offered by EDP and / or participation in
promotional contests, as well as for the presentation of commercial proposals
linked to the energy sector after the end of the contract, (II) The preparation of
Commercial profiles of the Client by aggregating the databases of
third parties, in order to offer the Client personalized products and services,
thus improving the customer experience, (III) Decision-making
automated, such as allowing the contracting, or not, of certain products
and / or services based on the Client's profile and particularly, on data such as, the
history of defaults, the history of hires, permanence, locations, data
consumption, types of devices connected to the energy network, and similar data
that allow to know in greater detail the risks associated with the contracting. (IV)
Based on the results obtained from the aggregation of the indicated data,
EDP ​​may make personalized offers, specifically aimed at achieving the
contracting of certain products and / or services from EDP or from third parties
depending on whether the client has consented to it or not, being in any case treated
data whose age will not exceed one year. In the event that said process was carried out
carried out in an automated way, the client will always have the right to obtain intervention
human rights by EDP, admitting the challenge and, where appropriate, assessment of the
resulting decision.
Nor is it easy for anyone without specialized knowledge in-
tend what type of treatments are going to be carried out based on the consent
In particular, the wording of point IV is not clear at all: it is unknown to
which data is referred to by “the results obtained from the aggregation of the data
indicated ”that could be both those contained in number III above and those obtained
nests of third-party bases or all of them. The purpose of the treatment seems to indicate
that these are advertising treatments other than those indicated in the first two
different numbers, without the difference being evident with respect to them. On the other hand, it does not
The last paragraph of this point IV is understandable, when mentioning the rights that the
Article 22 of the RGPD recognizes the interested parties when self-determination decisions are made
nuances that produce legal effects on them or significantly affect them in
similar way.
The allegations provide an explanation of the purposes of the different
treatments and the data to be treated that seek to clarify said aspects, however,
It is not in them that such points should be clarified, but rather it is the information provided
which must be clear and understandable to the interested party, breaching-
I know with the information provided, in the opinion of this Agency, the provisions of article
12 of the GDPR.
D . The general conditions inform as follows regarding the rights
Of the interested:
"Rights of the data owner
The client will have the possibility of exercising freely at all times
and completely free the following rights:
i)
Access your personal data that is processed by EDP.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 126
126/136
ii)
Rectify your personal data that is processed by EDP that
are inaccurate or incomplete.
iii)
Delete your personal data that are processed by EDP.
iv)
Limit the treatment by EDP of all or part of your data
personal.
v)
Oppose certain treatments and self-decision making
nuances of your personal data, requiring human intervention
in the process, as well as to challenge the decisions that are ultimately
adopted by virtue of the processing of your data.
saw)
Port your personal data in an interoperable and self-sufficient format.
tea.
vii)
Withdraw at any time, the consents previously granted-
mind."
Said information, although it includes all the rights that the RGPD grants to the interested party.
do, must be adapted to the specific treatments carried out by the person in charge. So and
as indicated in the aforementioned Guidelines on Transparency under the Regulation
(EU) 2016/579: “This information must be specific to the treatment scenario and
include a summary of what the right implies and how the interested party can act
to exercise it, as well as any limitation to the right. "
The allegation that the obligation to detail the specific treatments cannot be accepted.
to which the interested party has the right to oppose not only is it not a re-
caught in the RGPD, the LOPDGDD or any other applicable regulations, but
In addition, the AEPD in its guides and tools (among others, the Guide for compliance with
the duty to inform2 or the Facilita tool3) does not indicate that the reporting clauses
information on the right of opposition should specify the treatments on the
that applies the right of opposition. The provisions of the Guidelines must be reiterated here
of the Article 29 Working Group on automated individual decisions and
profiling for the purposes of Regulation 2016/679, adopted on 10/03/2017 and
revised on 02/06/2018, which indicate the following:
"The person in charge of the treatment must explicitly mention to the interested party details
on the right of opposition according to article 21, paragraphs 1 and 2, and present them clearly
rally and apart from any other information (Article 21, paragraph 4). "
Therefore, it is not enough to mention the right to oppose “certain tra-
treatments ”, but should be informed that these treatments, in the present
put, they are those that the person in charge bases in article 6.1.f), that is, in the
existence of a legitimate interest prevailing over the interests, rights and freedoms
of the interested party, and it must be clear to the interested party what these treatments are
against which you can exercise your right to object.
Nor can it be shared that this interpretation violates the principle of
termination of the arbitrariness alleged when EDP ENERGÍA considers that the presentation
of the information regarding the exercise of rights, as presented in your information
This is a recommended practice and even applied by the Spanish Agency.
ñola of Data Protection in its privacy policy. In this regard, you must have-
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 127
127/136
It is taken into account that this Agency does not carry out treatments based on the provisions of the
Section 6.1.f, in particular those related to direct marketing.
It is imprecise to indicate that the interested party can oppose the adoption of a decision.
automated use of your personal data. These can only be carried out
by the person in charge in the cases provided for in article 22 of the RGPD, based on
in the present case in the consent of the interested party, so he must be able to
know that you can revoke the consent given for the adoption of such decisions
sions at any time, without prejudice to also being informed of the rights
chos conferred by article 22 to the interested parties.
It cannot be shared, regarding this imprecision regarding the exercise of rights,
the allegation that the semantic and technical nuance associated with the terms "opposition" and
“Revocation” in the context of the exercise of rights cannot have an impact on the
interested, because with both terms the user achieves the same objective, which is that
a treatment specifically identified in the policy ceases to occur and that the
term used by EDP ENERGÍA (opposition) in the context of this type of treatment
terms is understood in the regulations and by the market itself more broadly - and
therefore more guarantee- since it allows the user to eliminate a treatment is
based on consent, is based on legitimate interest. The regulations are clear to the
mitigate both rights and when they can be exercised in articles 7 and 21.1.2 of the
RGPD, which requires correlatively that the interested party have knowledge of the base
legal treatment. This cannot be justified in a presumed greater guarantee for the
interested parties the incorrect information provided on the exercise of rights of the
interested.
Consequently, in accordance with the evidence presented, the facts described
in this Legal Basis constitute a violation of the principle of
transparency regulated in article 13 of the RGPD, which gives rise to the application of the
corrective powers that article 58 of the aforementioned Regulation grants to the Agency
Spanish Data Protection.
V
In the event of an infringement of the provisions of the RGPD, between
the corrective powers available to the Spanish Agency for the Protection of
Data, as a control authority, article 58.2 of said Regulation contemplates the
following:
“2 Each supervisory authority shall have all the following corrective powers
listed below:
(…)
d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time;
(…)
i) impose an administrative fine in accordance with article 83, in addition to or instead of
the measures mentioned in this section, according to the circumstances of each
particular case;" .
According to the provisions of article 83.2 of the RGPD, the measure provided for in the letter
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 128
128/136
d) above is compatible with the sanction consisting of an administrative fine.
SAW
In the present case, the breach of the principle of
privacy by design established in article 25 of the RGPD, and the principle of
transparency regulated in article 13 of the RGPD with the scope expressed in the
Previous Foundations of Law, which implies the commission of paths
offenses typified in articles 83.4 and 83.5 of the same rule as under the
heading " General conditions for the imposition of administrative fines" provides
the next:
4 “Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a) the obligations of the person in charge and the person in charge in accordance with articles 8, 11,
25 to 39, 42 and 43; "
5. "Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
b) the rights of the interested parties in accordance with articles 12 to 22; (…) ”.”
In this regard, the LOPDGDD, in its article 71 establishes that “They constitute
offenses the acts and conducts referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law ” .
For the purposes of the limitation period, articles 73 and 74 of the LOPDGDD
indicate:
Article 73. Violations considered serious.
" 1 Based on what is established in article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:
(…)
d) The lack of adoption of those technical and organizational measures that result
appropriate to effectively apply the principles of data protection from
the design, as well as the non-integration of the necessary guarantees in the treatment, in
the terms required by article 25 of Regulation (EU) 2016/679. "
Article 74. Infractions considered minor.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 129
129/136
"They are considered minor and will prescribe a year the remaining offenses of character
merely formal of the articles mentioned in sections 4 and 5 of article 83
of Regulation (EU) 2016/679 and, in particular, the following: a) Failure to comply with the
principle of information transparency or the data subject's right to information
for not providing all the information required by articles 13 and 14 of the Regulation
(EU) 2016/679 ".
In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state :
"1. Each supervisory authority will guarantee that the imposition of fines
administrative pursuant to this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute title for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the nature of
za, scope or purpose of the processing operation in question as well as the number of
number of affected stakeholders and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to pa-
bundle the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the treatment,
gives an account of the technical or organizational measures that have been applied by virtue of the
articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement, in particular
cular if the person in charge or the person in charge notified the infringement and, if so, in what measure
gives;
i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures;
j) adherence to codes of conduct under article 40 or to certification mechanisms
fication approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or indirectly-
mind, through the infraction. "
For its part, article 76 " Sanctions and corrective measures" of the LOPDGDD
has:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 130
130/136
established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of treatment of
personal information.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have induced the commission
of the offense.
e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "
In accordance with the transcribed precepts, in order to set the amount of the
fine sanctions to be imposed in the present case on the defendant, as responsible for
offenses typified in article 83.5.a) and b) of the RGPD, the fine should be graduated
that would correspond to impose for each one of the imputed infractions as follows:
1. Infringement for breach of the provisions of article 25 of the RGPD, typified
in article 83.4.a) and classified as serious for the purposes of prescription in article
73.1.d) of the LOPDGDD:
In this case, considering the seriousness of the violations found, it is appropriate
the imposition of a fine.
It is not possible to accept the request made by EDP ENERGÍA, SAU for the
impose other corrective powers, specifically, the warning, which is
intended for natural persons and when the sanction constitutes a burden
disproportionate (recital 148 of the RGPD).
For the same reasons, and considering the graduation criteria of the
sanctions indicated below, the petition for
imposition of a sanction in its minimum degree.
In accordance with the transcribed precepts, in order to set the amount of the
fine sanctions to be imposed in the present case on EPD ENERGÏA, SAU, as
responsible for infractions typified in article 83.4.a) and 83.5.b) of the RGPD,
It is necessary to graduate the fine that would correspond to impose for each one of the infractions
charged as follows:
1. Infringement for breach of the provisions of article 25 of the RGPD, typified
in article 83.4.a) and classified as serious for the purposes of prescription in article
73.1.d) of the LOPDGDD:
It is estimated that the following factors concur as aggravating factors that
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 131
131/136
reveal greater unlawfulness and / or culpability in the conduct of the EDP entity
ENERGÍA, SAU:
- The nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operations of which
trafficking: The offense results from the absence of an effective implementation of
technical and organizational measures to eliminate the risks generated by the
treatment of services and obtaining consent for other purposes
des when acting through representative.
- The intentionality or negligence appreciated in the commission of the offense.
The deficiencies in such procedures for contracting and obtaining
consent for other purposes should have been advised by a
entity of the characteristics of EDP ENERGÍA, SAU and avoided when designing
your processes.
- The continuing nature of the offense. The offense has its origin in a
incorrect design of contracting procedures through
representative, which have been used since at least 2018, without
these have been modified or corrective measures have been implemented until the
month of January of the current year in which a protocol of
hiring through a representative.
- The high link between the activity of the offender and the performance of
processing of personal data. The operations that constitute the
business activity carried out by EDP ENERGÍA, SAU as
commercialization of electricity services to individuals imply
personal data processing operations.
It cannot be considered as mitigating, as alleged by the person in charge, that
the data processing is carried out in an instrumental way without your
activity is based on the exploitation of personal data, in this regard
takes into account that authorizations have been obtained from the representative in
name of the represented to carry out advertising treatments of
non-energy products or services of EDP companies or collaborators
ENERGY .
- The status of a large company of the responsible entity and its volume of
deal. The entity's turnover according to the information obtained
has been 1,236,124,000 euros in 2018. It is alleged that they have had
take into account the data of 2018 and not those of 2019 being the turnover
of that year of 589,929,000 euros.
It is alleged that being considered a large company or the volume of
billing are not circumstances foreseen as aggravating nor in the RGPD
nor in the LOPDGDD.
Such allegation cannot be shared, article 83.1 of the RGPD provides that
"Each control authority will guarantee that the imposition of fines
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 132
132/136
administrative regulations pursuant to this article for infractions of the
these Regulations indicated in paragraphs 4, 5 and 6 are in each case
individual effective, proportionate and dissuasive. " Saying number 2
Article establishes that when deciding to impose an administrative fine and
its amount in each individual case will be duly taken into account: (…) k)
any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided,
directly or indirectly, through the offense. "
For these purposes, as an aggravating factor, the
consideration of the entity as a large company what is found
linked among other aspects to its turnover, to the extent
that it has greater means to comply with the obligations
imposed by the GDPR.
Regarding the volume of business taken into account in the procedure,
took the one that was available at the time of the initiation agreement,
without being questioned up to now by EDP ENERGÍA, SAU. Not
However, even if it is true that the volume corresponding to the year
2019 is the one that appears in the allegations to the motion for a resolution, such
This data does not modify the condition of a large company of said entity .
- High volume of data and treatments that constitutes the object of the
proceedings. The volume of contracts signed by third parties on behalf of
of natural persons increased during the year 2019 amounted to 37,197.
- Any previous infringement committed by the person in charge or the person in charge of the
treatment; EDP ​​ENERGÍA, SAU has been sanctioned in the
procedures PS / 00101/2018 and PS / 00363/2018, for violation of article
6.1 of Organic Law 15/1999, and PS / 00109/2019 for the violation of the
Article 6.1 of the RGPD.
It is alleged by the person in charge that the AEPD refers to the global billing volume
of EDP ENERGÍA to quantify the infringement when it should take into account
exclusively, and where appropriate, the billing data generated by the eventual
alleged non-compliance - in the case of article 25 of the RGPD, relating exclusively
to the hiring by representation, being the amount obtained by hiring by
representation of approximately 7,650,000 euros.
In this regard, it should be taken into account that article 83.4 provides that “The
Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year ”, by
Consequently, this Agency understands that the total annual business volume is the one that
operates as a limit to the amount of the infringement, and not the profit obtained, which
constitutes one more aggravating element. In this regard, it should be noted that the
2% of the turnover of said entity during 2019 according to the data indicated,
supposes a figure of 11,798,580 euros, so the amount in which the
The amount of the fine, far removed from this maximum amount, is weighted.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 133
133/136
On the other hand, said entity requests that the fact of
that special categories of data are not processed, nor data of minors, in this regard
It should be considered that the processing of such data may constitute, where appropriate, a
aggravating, but the fact that such data is not processed in itself does not constitute
a mitigating factor, without, on the other hand, by the person responsible for the treatment justifying in
In no way because such a circumstance should be taken into account in this sense.
The fact that the entity has been
object of sale to another company, article 76.2.e) of the LOPDGDD states that it may
take into account “the existence of a process of merger by absorption subsequent to the
commission of the offense, which cannot be attributed to the absorbing entity ”
seeks here an analogical interpretation of this precept so that it extends
said circumstance to other "structural modifications" carried out later
to the commission of the offense, an interpretation that cannot be admitted, when the
LOPDGDD wants to refer to structural modifications in general, it does so,
while in the aforementioned precept it makes exclusive reference to the merger by
absorption .
It alleges that the measures taken should also be considered mitigating
to alleviate the damage, such as the implementation of a new protocol for
hiring and the degree of cooperation with the administration and the degree of
collaboration with the AEPD. These elements are taken into account so that they are not
has made use of another of the corrective powers that this Agency may use as
It is the imposition of measures in the terms provided in article 58.2 of the RGPD.
Considering the exposed factors, the valuation of the fine for the
The offense charged is 500,000.00 euros.
2. Infringement for breach of the provisions of article 13 of the RGPD, typified
in article 83.5.b) and classified as mild for prescription purposes in article
74.a) of the LOPDGDD:
The following graduation criteria are considered concurrent:
- The nature, severity and duration of the offense: The deficiencies
valued in the information provided to the interested parties affect the
substantive aspects of the principle of transparency.
It is alleged that the imputed is the need to improve some aspects of their
data protection policies without in any case the texts used
can be understood to have generated a high level of damage and
damages, which should be considered as a mitigating factor. This claim
cannot be accepted, these are not simple information defects
offered without major importance, said information violates aspects
fundamental principles of the principle of transparency as
manifest in the present proceeding.
- The intentionality or negligence appreciated in the commission of the offense.
The defects indicated in the information provided show the lack of
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 134
134/136
diligence of EDP ENERGÍA, SAU in complying with the obligations
transparency imposed by the RGPD.
The allegation that in his actions he has followed the
guides and guidelines of the AEPD and the European Data Protection Committee
which shows his diligence, on the contrary, in the fundamentals of
law contains the many aspects in which the guidelines of the
European Data Protection Committee have not been taken into account in its
performance.
- The high link between the activity of the offender and the performance of
processing of personal data. The operations that constitute the
business activity carried out by EDP ENERGÍA, SAU as
electricity services trading company involve operations of
processing of personal data.
It cannot be considered as mitigating, as alleged by the person in charge, that
the data processing is carried out in an instrumental way without your
activity is based on the exploitation of personal data. As i know
is derived from the facts set forth in this proceeding and from the
general contracting conditions, consents are collected for
carry out third-party advertising treatments in various sectors
(financial, payment protection automotive and related, electronics….)
- The continuing nature of the offense, interpreted by the National High Court
as a permanent offense.
- The status of a large company of the responsible entity and its volume of
deal. The entity's turnover according to the information obtained
has been 1,236,124,000 euros in 2018. It is now alleged that the
business volume for the year 2019 is 589,929,000 euros.
Regarding the allegation that being considered a large company or the
billing volume are not circumstances foreseen as aggravating nor
in the RGPD nor in the LOPDGDD, this Agency reiterates as indicated
previously in the determination of the aggravating factors of the infraction of the
Article 25 before the same allegation.
- High volume of data and treatments that constitutes the object of the
proceedings. The infringement affects all data processing carried out
by the entity EDP ENERGÍA, SAU
- High number of interested parties. The violation affects all customers
natural persons of the entity. According to the supervision report of the
changes of marketer, corresponding to the first quarter of 2019, from
the National Commission of Markets and Competition the number of points
supply of the entity in the domestic sphere amounted to 1,129,534
constituting 4% of the total electricity sector in this domestic sphere.
The claim that it is not a high volume cannot be accepted
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 135
135/136
of treatments because other groups other than their
customers. The high number of natural person clients of the entity
responsible is sufficient element to consider this circumstance as
an aggravating one.
Regarding other factors that the controller considers to be
taken into account as mitigating factors, such as the fact that they are not treated
special categories of data or data of minors or the sale of all the
shares to another company, it is only possible to refer to what was expressed by this Agency before
the same allegations in relation to the violation of article 25 of the RGPD.
It alleges that the measures taken should also be considered mitigating
to alleviate the damage, such as the improvement of access to information on
data protection, which is already available at the address edp-
residentialbytotal.es/rgpd and the degree of cooperation with the authority. The alleged
improvement affects only one of the defects noted in relation to the
transparency of the procedure, whose positive assessment by this Agency cannot
suppose an extenuating sanction taking into account that such measure has been
taken once the present sanctioning procedure has been initiated.
Considering the exposed factors, the valuation of the fine for the
Infringement charged is 1,000,000.00 euros
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation graduation of the sanctions whose existence has been accredited,
the Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: IMPOSE the entity EDP ​​ENERGIA, SAU . , with NIF A33543547 , for
an infringement of article 25 of the RGPD, typified in article 83.4.a) and qualified
as serious for the purposes of prescription in article 73.d) of the LOPDGDD, a fine
for an amount of 500,000 euros (five hundred thousand euros).
SECOND: IMPOSE the entity EDP ​​ENERGIA, SAU, for a violation of the
article 13 RGPD, typified in article 83.5.b) and classified as mild for the purposes of
prescription in article 74.a) of the LOPDGDD, a fine of 1,000,000
euros (one million euros).
THIRD: DECLARE, due to lack of evidence in application of the principle of
presumption of innocence, not attributable to EDP ​​ENERGIA, SAU ., infractions of
the provisions of articles 6 and 22 of the RGPD.
FOURTH: NOTIFY this resolution to EDP ​​ENERGIA, SAU .
FIFTH: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 136
136/136
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the Agency
Spanish Data Protection Agency in the bank CAIXABANK, SA. In case
Otherwise, it will be collected in the executive period.
Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
it will be until the 5th of the second following or immediate business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
Contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency is not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es


</pre>
</pre>

Latest revision as of 09:44, 12 May 2021

AEPD (Spain) - PS/00236/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 13 GDPR
Article 22 GDPR
Article 25 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 04.05.2021
Fine: 1500000 EUR
Parties: EDP ENERGÍA, S.A.U.
National Case Number/Name: PS/00236/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined an energy company €1,500,000 for not providing sufficient information to data subjects under Article 13 GDPR, and for not implementing adequate measures to avoid or mitigate risks related to the data processing under Article 25 GDPR.

English Summary

Facts

After receiving several complaints regarding the collection and processing of data of an energy company, the Spanish DPA (AEPD) launched an investigation.

In the first place, they found that the controller allowed for contracting their services in the name of another person (as a representative) without properly verifying the identity and validating the representation power. This made it possible for the representative, for example, to consent to commercial communications, including being subject to automated decision-making for personalized commercial offers, or the transfer of the data to third parties without the controller verifying whether they had the power to do so.

This also carried some risks, such as the possibility of contracting in others' names without having such power, leading to the creation of a binding contract without the permission or knowledge of any person that the representative claims to represent. This could lead to identity fraud or economic damages.

These risks were not considered by the controller in its initial assessment; only risks regarding scoring/profiling and commercial communications were considered.

Some additional clauses were implemented during the investigation, although the exact moment is not proven.

Also, the DPA found that the information required by Article 12, 13 and 14 GDPR provided to the clients was not in line with the regulation.

Holding

Infringement of Article 25 GDPR

The AEPD held that the controller should have had a system to verify the representation powers of the representative contracting in other's name, so the lawfulness of the legal basis for processing is verified. The representative must have a legitimate power to contract; otherwise, the legitimate basis used for the processing will not be lawful.

Additionally, the consent powers should be expressively given by the representee, as consent shall be informed and specific. And, the DPA remarks, it is difficult to thing of a representee giving express instructions on that to the representative, as consent is asked for at the same time as contracting, without previous warning or explanation.

The AEPD also remarks that the accountability principle makes the controller responsible for implementing the necessary measures, and that such obligation is not only a formal obligation; such measures must be effective and adequate. The obligation is also dynamic, so the controller has to modify them if necessary when identifying new risks.

The controller, however, had not implemented adequate measures to avoid the mentioned risks. Therefore, the AEPD concluded that there had been a violation of Article 25 GDPR.

Infringement of Articles 6 and 22 GDPR

The AEPD also analyzed whether the controller was carrying out automated decision-making without consent, as the GDPR related information that was provided by the controller stated (differently for each method of contracting) that:

  • The personal data provided may be used to manage the contracts, for fraud prevention, for the execution of a commercial profiles of the client and to subsequently carry out personalized commercial communications.
  • Data obtained from third-party databases may be used to create commercial profiles of the clients, what may lead to an automated decision-making for sending personalized commercial communications.

The DPA alleged that consent was not being collected properly, as it lacked information about the identity of the controller, the categories of data, the third-party recipients, etc. Also, there was no proper information, in relation to Article 14, about data collected from third parties.

The DPA also regarded that the information given about automated decision making did not comply with Article 22 requirements, that requires the logic of the system to be explained, but also the importance and consequences of such decisions, the foreseen processing of data in this regard, as well as comprehensive information given, for example, in form of examples. Additionally, there was no specific consent for automated decision making.

However, the controller alleged that there was no actual automated decision making, as every final decision was taken by a human. Also, they said that for things such as fraud prevention, they were relying on a legitimate interest, not on the consent of the client. They also clarified that they were not currently doing any kind of automated decision making for consumer profiles.

In addition, the DPA could not prove that the controller was using data from third-party databases.

For all these reasons, the AEPD considered that there was no evidence of a violation of Article 6 and 22 GDPR.

The DPA also discussed, based on the controller's allegations, whether, similarly to their decision on Equifax, the infringement of Articles 6 and 22 were instrumental to the infringement of Article 13 (that is to be discussed later) – and therefore only a fine based on the main infringement could be imposed –. However, the AEPD disregarded this argument, as they considered that, even if the infringements could be related to each other, all of them could be committed independently, are were thus not a means for committing the others.

Infringement of Article 13

The AEPD found that not all the requirements from Article 13 GDPR were met. For instance, the information provided via some of the contracting channels did not offer information on the data subjects rights, nor offered a way to access to the entirety of the information on a second layer. Therefore, the information offered was in general (although it varied, depending on the contracting channel that was used) fragmented and scattered, and did not meet what Article 13 requires.

For example, when the contract was made via phone, the only possibility to obtain the most basic information was either to be redirected to another call or to go to the privacy policy, without being informed at the moment of contracting about the rights that the data subject is entitled to. When contracting via electronic means, the data subject could not easily obtain such information, but was redirected to the contracting agreement and to a non-easily-accessible information that had to be thoroughly looked for on the controller's website.

According to Article 13 GDPR, all this information has to be directly given to the data subject by the controller, not being possible that the controller offers this information in a generic way yet the data subject needs to actively look for it. This is also in line with the transparency obligation: the information needs to be offered at the moment of the collection of the data; not afterwards.

This is normally done by providing the information in layers. The AEPD explains that, for example, in case of phone contracting, the basic information (purposes, identity of the controller, data subjects rights, and most relevant information about a particular processing) could be provided during the call itself, sending afterwards the rest of the information via email, or via a link to the privacy policy. Additionally, the AEPD remarks, the fact that layers are used to provide information cannot lead to a delay in the provision of the less relevant information, what also needs to be done in the moment of the collection of the data.

The AEPD also analyzed the content of the information provided. Firstly, the the way that the data subject is informed about the identity of the controller is problematic. The controller, EDP, is divided into two different companies: EDP Energy and EDP Marketer. The information provided states that "the data will be processed by EDP Energy and EDP Marketer", who are both said to be controllers. However, there is no specific reference to which company processes which data and for what purposes, which leads to a confusing and imprecise information. The privacy policy, after clarifying the existence of both controllers, only uses the generic name (EDP) without further specification.

The AEPD also noted that it is difficult, with the information provided, to identify how processing activities relate to each legal basis alleged by the controller. Therefore, it is not clear for which processes the controller is relying on a legitimate interest. It is not possible to identify what are the legal basis that are been relied upon for each processing activity. This should be clearly provided in the information. Also, what particular legitimate interest or interests are wielded by the controller is not clarified (although later the controller made clear that such interests were fraud prevention and marketing).

The AEPD remarks that the information must be provided in a concise, transparent, understandable and easily-accessible manner. This is also related to the transparency requirement set forth by Article 5(1)(a) GDPR.

The AEPD also notes that it is not clear what consequences has the creation of commercial profiles of the clients, and whether this processing can be objected, in accordance to Article 21, and regardless whether it can be considered profiling in accordance to Article 22 GDPR. The DPA also mentions the fact that it is unclear what processing activities will be derived from consent, as the information provided is not specific or understandable to a regular person (e.g. the processing for providing personalized offers, based on the resulting of the aggregate of the indicated data).

In relation to information regarding Article 21, the DPA states that the controller should provide information about what particular processing activities may be subject to the right to object, in connection with the alleged legitimate interest. The mere statement of the existence of such right, referring to "a right to object to certain processing activities" is not enough.

The AEPD also remarks that, to guarantee the exercise of the rights, it is necessary for the data subject to be informed about what legal basis is used for each processing, so the data subject clearly knows for which processing activity has given consent, therefore being able to withdraw it, and for which processing activities a legitimate interest is used, so the data subject can object to such processing.

With basis on those grounds, the AEPD found a violation of Article 13 GDPR.

Sanction

For assessing the quantity of the fine, the DPA took into account the following circumstances:

  • The seriousness of the violations.
  • The lasting in time of the violations and their nature: they result from a lack of adequate measures from the controller.
  • The either intentionality, either negligence of the controller, who should have spotted the risks and problems.
  • The fact that the infringements existed since 2018.
  • The relation between the infringements and the controller's core business activity.
  • The size of the company: being their revenue from 2018 €1,236,124,000.
  • The amount of data processed and procession activities carried out: contracts with 37.197 natural persons were carried out in 2019.
  • Previous infringements from the controller in different proceedings (PS/00101/2018, PS/00363/2018, PS/00109/2019), regarding Article 6(1) GDPR and consent requirements regulated previously to GDPR.
  • The fact that the infringements related to Article 25 GDPR did not include the processing of sensitive data.

Based on all this, the AEPD decided to fine the controller (EDP Energía) €1,500,000:

  • €500,000 for the violation of Article 25 GDPR.
  • €1,000,000 for the violation of Article 13 GDPR.

This sanction was issued at the same time and in the same manner than the sanction against EDP Marketer, the other company from the EDP group.

Comment

In their allegations, the organizational structure of the group of the controllers is clarified. The existence of two companies comes from procedural and formal issues that arose when the group was bought. Currently, only EDP Marketer has employees and actual management and operative capacity, therefore being EDP employees the only ones accessing the data. In practice, all processing activities are carried out by EDP Marketer, either as a joint controller or as a processor of EDP Energy.

This structure was in principle going to be rearranged, but was paralyzed by the start of negotiations for the sale of the group.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


Page 1
1/136
 Procedure No.: PS / 00236/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: Various claims have been submitted to this Agency
against the entity EDP ENERGÍA, SAU in which the
processing of personal data without the consent of the interested party. Sayings
treatments are produced within the framework of the contracting of electricity services
supposedly carried out by a representative of the client, without said entity
can prove the existence of such representation and have given rise to various
actions of this Agency, among which it is worth mentioning the initiation of various
sanctioning procedures such as procedures PS / 00101/2018,
PS / 00363/2018 or PS / 00109/2019, which have concluded by declaring the existence of a
infringement of the provisions of the data protection regulations.
SECOND: In view of the antecedents mentioned in the previous number, the day
June 3, 2019, the Director of the Spanish Data Protection Agency urged
the General Subdirectorate of Data Inspection the initiation of previous actions of
investigation in order to prove, where appropriate, the existence of a regular conduct and
continued possible violation of data protection regulations by
EDP ​​ENERGÍA, SAU
THIRD: On June 13, 2019, a
claim against EDP ENERGÍA SAU for the processing of personal data without
consent of the interested party in contracting the supply of electricity.
Said claim made by Doña AAA refers to the hiring of
supply of electrical energy with the company EDP ENERGÍA, SAU carried out on 9
January 2019 in the name of the claimant without her consent. The claim
was admitted for processing by agreement of the Director of the Protection Agency
of data dated September 10, 2019.
FOURTH: On December 17, 2019, the General Subdirectorate of Inspection
formulates a request to EDP ENERGÍA, SAU to facilitate the following
information:
1. Specification of the contracting channels (telephony, internet, distributors
own or subcontracted, sales force with own home visits or
outsourced, etc.…) of the services marketed by EDP ENERGÍA, SAU to
Physical persons.
2. Description of the contracting procedure followed through each of the
previous channels when the contract is made by a third party in
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 2
2/136
representation of the natural person who owns the contract. In this regard, it is requested to provide,
in addition to all the information it deems appropriate for the purposes of documenting the
procedure, the following:
2.1. Copy of documents (model forms, contracts, arguments
telephone numbers, etc.) used to collect the personal data of the owner and the third party
that acts by representing it, indicating the channel or channels for which it is used
each.
2.2. Description of the procedures enabled through each of the channels
contract so that a third party can prove the representation of a holder to the
sign a contract with EDP ENERGÍA, SAU
2.3. Specification of the procedure followed by EDP ENERGÍA, SAU for
store the evidence that proves the capacity of representation of the third party in
the procedures in which this type of contracting is carried out, indicating the
channel or channels for which each is used.
2.4. Attach models and / or examples of type evidence collected under the
procedure followed in section 2.3.
3. Information on the number of contracts signed in 2018 and 2019 by third parties in
representation of the owners of the services (natural persons) with distinction of:
3.1. By virtue of what this representation is supported (power, degree of kinship, etc.)
3.2. Procedure or formula for accreditation of the representation followed.
3.3. Recruitment channel for telephony, internet, own distributors or subcontractors,
sales force with own or outsourced home visits, etc.…)
FIFTH : On January 13, 2020, the entry in the AEPD of the
answering brief from EDP ENERGÍA, SAU to the request for information
previous. In this document the following is stated:
“FIRST- Specification of the contracting channels (telephony, internet,
own distributors or subcontractors, sales force with own home visits or
outsourced, etc.…) of the services marketed by EDP ENERGÍA, SAU to
Physical persons.
EDP ​​has different channels to formalize the contracting, distinguishing the
following:
A. Telephone Channel, with partial or definitive closure of the contracting process
through a phone call. It includes the following subchannels:
- CAC Inbound: Call reception, from customers to EDP. In general they are
and EDP customers who are identified from the beginning of the call through a
security protocol, although customer calls can also be received
potentials.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 3
3/136
- Telemarketing: Issuance of calls, from EDP to already owned databases
customers for upselling or churn recovery. It is used for the realization of
the call the telephone number that appears in the client's file, and that has been
provided by said person previously.
- LEADS: Issuance or reception of calls, about users who have expressed a
interest in any platform or web page (raffles, promotions, comparators of
offers, blogs, advertising agencies, etc.) leaving your basic data to be
contacted or contacting themselves at the phone number shown.
These users usually do not yet have active contracts with EDP.
B. Web channel, closed by means of a digital form. The user accesses through
a website and start a hiring process totally online, without interaction with
agents.
C. Distributors, with face-to-face or digital closing of the contracting process,
including:
- EDP's own Commercial Offices. Usually already EDP clients who come
proactively to the office, although it can also be about potential clients.
- Third -party stores (eg *** STORE.1 ). In general, new clients who come to perform
their purchases and are interested in EDP's offer.
D. External Sales Forces, with in-person closing of the contracting process,
including:
- Stands at Fairs, Shopping Centers, etc. In general, new clients who come
to such events or places and are interested in EDP's offer.
- Home visits with prior request. Clients or potential clients who have
provided your data and consent to receive proposals from an EDP agent to
address.
SECOND.- Description of the contracting procedure followed through each
one of the above channels when the contracting is carried out by a third party in
representation of the natural person who owns the contract.
A. Telephone Channel:
Next, the procedures implemented in EDP in
those cases in which the contracting is carried out by a third party in
representation of a natural person by telephone:
A.1 - CAC INBOUND 1) When the user indicates that he wishes to make a contract
As a representative, you are asked about your relationship with the owner and if you have
authorization of said person. 2) Once the previous point has been confirmed, they are requested
identification data of the representative, and all the data of the owner necessary to
formalize the hiring. 3) Finally the Consent is read and recorded in audio
Representative express. 4) The holder of the contract, for informational purposes, is sent
in duplicate, with a stamped envelope, the contractual documentation in compliance
of the provisions of the consumer and user protection regulations.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 4
4/136
A.2 - TELEMARKETING 1) When the user indicates that he wishes to carry out a
hiring as a representative is asked about their relationship with the owner. 2) A
Once the previous point has been confirmed, identification data of the representative is requested, and
all the data of the owner necessary to formalize the contract. 3) Then
the Express Consent of the representative is read and recorded in audio. 4) Finally
durable support is sent to the phone / sms provided by the representative, and is expected
upon your confirmation. 5) The holder of the contract, for informational purposes, is sent by
duplicate, with a stamped envelope, the contractual documentation in compliance with the
provided in the consumer and user protection regulations.
A.3 - LEADS 1) When the user indicates that he wishes to make a contract as
representative is asked about his relationship with the owner. 2) Once the
previous point, identification data of the representative is requested, and all the data of the
holder necessary to formalize the contract. 3) It is then read and recorded in
audio the Express Consent of the representative. 4) Then support is sent
durable to the phone / sms provided by the representative, and awaits your confirmation.
5) The contract holder, for informational purposes, is sent in duplicate, with envelope
franked, the contractual documentation in compliance with the provisions of the
consumer and user protection regulations. 6) In this channel, by the mode of
contracting and the characteristics of the clients who use it, it is in progress,
as a pilot test, communication via SMS or e-mail to the represented (in cases of
not related to the representative to study its effectiveness and receptivity.)
B. Web: The option of contracting with a representative is not offered.
C. Distributors:
In the case of contracts made in EDP's own Commercial Offices (in
third-party stores there is no possibility of contracting in the name and on behalf of
a third) the procedure is as follows:
1) In those cases in which the user indicates that he wishes to make a contract
as a representative of a third party, you are asked about your relationship with the owner. 2) A
Once the information is obtained, the identification data of the representative is requested, and
all the data of the owner necessary to formalize the contract. Likewise,
requires a photocopy of the NIF, both the representative and the represented. 3)
The presentation of an authorization document is also required.
completed and signed by both interested parties (representative and owner).
D. External Sales Forces:
In the case of contracts made by external sales forces (fair stands,
shopping centers and home visits, provided there is prior request by
of the interested party), in the contract the identification data of the representative will be collected,
Also requesting the data of the owner necessary to formalize the contract.
In the contract, it is expressly specified that the representative declares to have
of sufficient powers to sign the contract on behalf of the client to whom it is
is responsible for informing of all the conditions thereof. It is required, on the other
part of a photocopy of the representative's NIF.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 5
5/136
Next, an audio verification of the hiring is recorded where you are
indicates on two occasions to the representative, the fact that he acts on behalf of the
holder of the supply and the relationship-kinship that binds them is confirmed.
Therefore, to prove the representation, the contracting stub is formalized
where the representative declares to have sufficient powers to sign the
contract on behalf of the client who is responsible for informing of all
conditions of this. Likewise, a copy of the representative's NIF is provided.
In this regard, it is requested to provide, in addition to all the information that it considers appropriate
For the purposes of documenting the procedure, the following:
2.1. Copy of documents (model forms, contracts, arguments
telephone numbers, etc.) used to collect the personal data of the owner and the third party
that acts by representing it, indicating the channel or channels for which it is used
each.
A. Telephone Channel:
A.1 - CAC INBOUND
The data collection is carried out in the system of each of the providers,
following the order that corresponds according to the type of client, contracted product
or campaign.
Documents:
1) Sales data template (Evidence 1)
2) Express Consent Sales representative CAC (Evidence 2)
Evidence 2 contains the following:
"[XXXXXX] we're going to record your agreement. Okay?
It is [hh: mm] on the day [dd] of [mm] of [20XX], and Mr./Ms. [Name and surname]
with DNI [DNI number], as [husband / wife / child / attorney / representative] and in re-
presentation of the holder [name and surname / company name] with ID / CIF [number
DNI / CIF] phone [phone] and email [email] has called and accepts the
EDP's offer for management [supply address] consisting of [con-
plan conditions -dto en la luz-] for [CUPS LUZ: ES…] on the EDP price
current electricity price [power price (€ / kW month) and energy term price
(€ / kWh)] and / or [plan conditions - gas discount] for [CUPS GAS: ES ...] and
current EDP gas price [price term availability (€ / month) and term price
energy (€ / kWh)]; and / or It works [annual price of the service, plan conditions
promotion works].
[If the collection date is not chosen] The chosen payment method is [direct debit
bank account in your current account / in the account ...] and will be charged on the date
indicated on the invoice.
[If the collection date is chosen] The payment method chosen is [direct debit bank
caria in your current account / in the account ...] and will be charged on a date
Specifically, the days [DD] of the month. In that case, the payment period may be shorter
greater than or greater than the 20 days established in the regulations ".
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 6
6/136
"On behalf of the client, and after passing a risk analysis of the transaction
ration, we will take the necessary steps to activate the access contracts,
moment from which the new contract will come into force, being resolved
previous.
The contract / s will have a duration of 1 year, extendable for the same period
Except for a complaint in advance of 15 days. Are you satisfied with the above
mation and conditions of the contract / s? [Yes / Ok].
In a few days you will receive the contract including a withdrawal document for
duplicate, of which you will only have to return us signed one of the copies in
The self-postage envelope does not need a stamp, which we will attach to it.
You have 14 calendar days to exercise your right of withdrawal. Not obs-
Therefore, if you request it, we can start the procedures now. Then,
If you subsequently withdraw from the contract, you must pay the corresponding amount
tooth to the borrowed supply period. Do you want your contract to be processed
you immediately? [OTHERWISE].
You will still receive an invoice from your current company for a probable period-
less than normal. From there, from the entry into force of the contract
You will receive the invoice from EDP with all our advantages.
Your personal data and that of your client will be processed by EDP Comer-
cializadora SAU and EDP Energía SAU to manage their contracts, prevent-
fraud prevention, profiling based on customer information and
EDP, as well as the realization of personalized communications about products
coughs or services directly related to their contracts, being able in any-
want to oppose them ".
"Additionally, so that EDP can advise you with the best
proposals:
Will you allow us to present energy-related offers to your client?
adapted to your profile after the end of the contract, or send you at any
information on non-energy products and services, from companies
Collaborators or EDP? [OTHERWISE]
Will you allow us to complete the commercial profile of your client with information
of third-party databases, in order to send you personal proposals-
and the possibility of contracting or not certain services? [OTHERWISE]
Your request has been registered with the code that I am going to indicate. If you wish,
you can make a note of [COD. CIG] ".
A.2 - TELEMARKETING
The data collection is carried out in the system of each of the providers,
following the order that corresponds according to the type of client, contracted product
or campaign.
Documents:
1) Sales data template (Evidence 1)
2) Express Consent Sales representative TLMK (Evidence 3)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 7
7/136
The text of evidence 3 is as follows:
"[Mr. Mrs. XXXXXX] to hire you, I need to record your agreement.
agreement?. [Yes].
Well, it is [hh: mm] on the [dd] day of [mm] of [20XX
[Mr / Mrs] [name and surname] with DNI [DNI number] as [husband / wife / child / attorney-in-fact
address / representative] and on behalf of the owner [name and surname / reason
social] with ID / CIF [ID / CIF number], phone [phone] and email [email]
accepts EDP's offer for the address [supply address] consisting of
in for [CUPS LUZ: ES ………… ..] on the current EDP price of electricity
[power price (€ / kW month) and energy term price (€ / kWh)] and / or [conditions
purposes of the plan - gas discount] for [CUPS GAS: ES ……………………….] and price
Gas EDP in force [price term availability (€ / month) and term price
energy (€ / kWh)]; and / or It works [annual price of the service, plan conditions
promotion works]. The chosen form of payment is [direct debit at
your current account / in the account ………] and will be charged [on the date indicated
on the invoice / on A SPECIFIC DATE, THE DAYS (DD) OF THE MONTH. ON
IN THIS CASE, THE PAYMENT PERIOD MAY BE LESSER OR HIGHER THAN
THE 20 DAYS ESTABLISHED IN THE REGULATIONS]. In the name of his repre-
sitting down, and after passing an analysis of the risk of the operation, we will make the
tions necessary to activate the access contracts, from the moment
which will enter into force the new contract, being resolved the previous one.
The contract / s will have a duration of 1 year, extendable for the same period
Except for a complaint in advance of 15 days.
Are you satisfied with the above information and conditions of the contract / s? "
[Yes / Ok]. "Thank you."
In a few days you will receive the contract (including withdrawal document) for
duplicate, of which you will only have to return us signed one of the copies in
The self-postage envelope does not need a stamp, which we will attach to it.
You have 14 calendar days to exercise your right of withdrawal in the
form that you consider appropriate. However, we can initiate the procedures during
within that period if you request it, in which case if you withdraw from the contract
must pay the amount proportional to the borrowed part of the supply. From-
Whether your hiring is processed immediately? [OTHERWISE]
You will still receive an invoice from your current company for a probable period-
less than normal. With the entry into force of the contract you will receive the invoice
from EDP with all our advantages.
Your personal data and that of your client will be processed by EDP Comer-
cializadora SAU and EDP Energía SAU to manage their contracts, prevent-
fraud prevention, profiling based on customer information and
EDP, as well as the realization of personalized communications about products
coughs or services directly related to their contracts, being able in any-
want time to oppose them.
Additionally, so that from EDP we can advise you with the best
proposals:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 8
8/136
Will you allow us to present energy-related offers to your client?
after the end of the contract, or send you at any time information on
products and services of the financial, insurance and automotive sectors,
Collaborating Companies or EDP?
[OTHERWISE]
Will you allow us to complete the commercial profile of your client with information
of third-party databases, in order to send you personal proposals-
and the possibility of contracting or not certain services?
[OTHERWISE]
We remind you that you can exercise your rights to
access, rectification, opposition, deletion, limitation and portability, through
any of the routes indicated in the General Conditions that may
check on our website *** URL.1.
[Only in case of gas contracting] ”For your safety we remind you of the obligation
legal obligation to collaborate with your Distribution Company by facilitating access to
your instalations."
In order to process your request we need you to confirm the acceptance of this
offer that has the Code, please take note: “CIG CODE”.
A.3 - LEADS
The data collection is carried out in the system of each of the providers,
following the order that corresponds according to the type of client, contracted product
or campaign.
Documents:
1) Sales data template (Evidence 1)
2) Express Consent Sales Representative LEADS (Evidence 4)
The content of evidence 4 is as follows:
"[Mr. Mrs. XXXXXX] to hire you, I need to record your agreement.
agreement?. [Yes].
Well, it is [hh: mm] on the day [dd] of [mm] of [20XX] and [Mr / Mrs] [name
and surnames] with DNI [DNI number] has requested the call from EDP and as
[husband / wife / child / attorney-in-fact / representative] and on behalf of the owner
[name and surname / company name] with DNI / CIF [DNI / CIF number], telephone [telephone]
and email [email] accepts EDP's offer for the address [address
of supply] consisting of [plan conditions -dto in the light for [CUPS
LIGHT: ES ………… ..] on the current EDP price of electricity [price of
power (€ / kW month) and energy term price (€ / kWh)] and / or [conditions of the
gas discount plan] for [CUPS GAS: ES ……………………….] and EDP price
gas current [price term availability (€ / month) and term energy price
(€ / kWh)]; and / or It works [annual price of the service, plan conditions
promotion works]. The chosen form of payment is [direct debit at
your current account / in the account ………] and will be charged [on the date indicated
on the invoice / on a specific date, the days (dd) of the month. in that case the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 9
9/136
payment period may be less or more than the 20 days established in the
normative]. On behalf of your client, and after passing a risk analysis
of the operation, we will take the necessary steps to activate the contracts of
access, moment from which the new contract will come into force, leaving
solved the above.
The contract / s will have a duration of 1 year, extendable for the same period
Except for a complaint in advance of 15 days.
Are you satisfied with the above information and conditions of the contract / s? "
[Yes / Ok]. "Thank you."
In a few days you will receive the contract (including withdrawal document) for
duplicate, of which you will only have to return us signed one of the copies in
The self-postage envelope does not need a stamp, which we will attach to it.
You have 14 calendar days to exercise your right of withdrawal in the
form that you consider appropriate. However, we can start the procedures
during that period if you request it, in which case if you desist from the
contract must pay the amount proportional to the borrowed part of the
supply. Do you want your hiring to be processed immediately? [OTHERWISE]
You will still receive an invoice from your current company for a period
probably lower than normal. With the entry into force of the contract you will receive
the EDP invoice with all our advantages.
Your personal data and that of your client will be processed by EDP
Comercializadora SAU and EDP Energía SAU to manage their contracts,
fraud prevention, profiling based on customer information
and EDP, as well as the realization of personalized communications about
products or services directly related to their contracts, being able
at any time oppose them.
Additionally, so that from EDP we can advise you with the best
proposals:
May we present you with energy-related offers tailored to your
profile after the end of the contract, or send you at any time
information of non-energy products and services, of companies
Collaborators or EDP?
[OTHERWISE]
Will you allow us to complete the commercial profile of your client with information
of third-party databases, in order to send you proposals
personalized services and the possibility of contracting or not certain services?
[OTHERWISE]
We remind you that you can exercise your rights to
access, rectification, opposition, deletion, limitation and portability, through
any of the routes indicated in the General Conditions that may
check on our website *** URL.1.
B. Web: The option of contracting with a representative is not offered.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 10
10/136
C. Distributors:
In the case of EDP's own commercial offices, data collection is carried out
in the system of each of the suppliers, following the corresponding order
according to the type of client, contracted product or campaign.
Documents provided:
1) Sales data template (Evidence 1)
2) Representative management authorization template (Evidence 5)
Regarding the content of the evidence 5, the document contains three
Differentiated boxes. The first one indicates that "the HOLDER (D. ,,,, DNI or CIF) in
proper name or representation of the company. " The second box indicates that
“AUTHORIZES (D. ,,,, DNI ... or CIF) to carry out the management of (indicates 4 possibilities:
registration / cancellation, change of ownership, change of direct debit, and / or other procedures)
the box next to each of them must be marked. In the third box,
collect "SIGNATURE" and leave the spaces corresponding to the place, date (day, month and
year) and space for the signature of the authorizing and authorized.
Next, the following legend is highlighted with a red background:
"NOTE: TO BE VALID, THIS AUTHORIZATION MUST BE PRESENTED
ACCOMPANIED BY PHOTOCOPY OF THE HOLDER'S AND THE AUTHORIZED'S ID.
WHEN IT IS AN AUTHORIZATION GRANTED BY A REPRESENTATIVE
DEL TIPO SA, SL, AIE, UTE, CB, COMMUNITY OF OWNERS,
FOUNDATIONS, SCHOOLS, ..., IN ADDITION, A PHOTOCOPY OF THE
TIMELY POWER OF ATTORNEY ”.
The following text follows;
"Interested parties are informed that the personal data provided in
This form will be treated as the data controller by EDP ENERGÍA,
SAU and EDP COMERCIALIZADORA, SAU so that they can be used
for the processing of authorized management.
The personal data that you provide us will be used, in the manner and with the
limitations and rights recognized by the General Data Protection Regulation
(EU) 2016/679.
The interested parties whose data are subject to treatment may exercise their rights
of access, rectification, deletion, portability, limitation and opposition to treatment
of these data, proving your identity, by email addressed to
cclopd@edpenergia.es or by writing to the person responsible for the treatment at the
Address Plaza del Fresno, 2 - 33007 Oviedo (Asturias). Likewise, you can put
in contact with the EDP Data Protection Officer, at the same address
postal or email dpd.es@edpenergia.es, if you understand
violated any of your rights related to data protection, or in your
case, file a claim with the Spanish Agency for Data Protection "
D. External Sales Forces:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 11
11/136
In the case of external sales forces (fair stands, shopping centers and
home visits, provided there is a prior request by the interested party), the
Data collection is done on a paper stub. This data is digitized in
Channel Management Tool (HGC).
For verification, data collection is carried out in the system of the supplier of
check.
Documents:
1) Sales receipt (Evidence 6)
2) Sales data template (Evidence 1)
3) Verification script (Evidence 7)
With regard to evidence 6, which the defendant calls the
sales, the document, under the title "contract for the supply of energy and / or services",
It contains on its first page three boxes.
In the first one there are spaces to fill in the data related to the point of
supply (address, electricity cup, gas cup) and separately check boxes
the contracting of a light + gas contract or one of the two services individually. I know
They also contain spaces to fill in the data of the contract holder
(name, surname, telephone and email) and representative data (name,
NIF and address and several boxes are included to mark that the representative is in
status of spouse / registered partner, ascendant / descendant or attorney-in-fact) below
of such boxes, a text indicates that “it declares that it has sufficient powers to
sign this contract on behalf of the client who is responsible for
inform of all the conditions of the same. "
Below this box is the following legend; "The client hires, for the
supply indicated, the gas supply with EDP Comercializadora, SAU and the
supply of electricity and / or complementary services with EDP Energía, SAU,
(hereinafter jointly and / or individually, as appropriate, referred to as “EDP”) with
in accordance with the Specific Conditions set out below and the
General Conditions in annex.
The client requests that the provision of the supply / supplies and / or services be
start during the withdrawal period contemplated in the general conditions. "
In the second box entitled specific conditions of the contract and in which
Separately depending on whether it is gas or light, certain information is contained on
rates and in which there are spaces to be completed and boxes to mark
relating to the services that are contracted, it appears both in the gas part and in the
light a box that must be marked to indicate that the owner is changing. I also know
includes a space to fill in the data related to the current account for
direct debit charges (this space is common to all contracted services)
Below this box is the following text: “EDP reserves the right to
waive this contract if the actual supply data does not comply with the
declared by the client at the time of hiring. " Below is a box for
mark that "The client expressly declares to know and accept the above
Specific conditions." And another to mark that “The client declares to have been
informed and received the annex with the General Conditions, which he accepts. " It adds
then that “The client, if he / she had the status of consumer, has the RIGHT
TO DESIST this contract if it had been formalized remotely or outside the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 12
12/136
establishments of the marketer as indicated in the general conditions
and acknowledges that the corresponding withdrawal document has been delivered to the
effect." Below is a box to mark that “The client declares to have
received the withdrawal document and have been informed of it. "
In the third box, under the heading CLIENT / REPRESENTATIVE after noting that the
information related to data protection can be read on the back, allows you to mark
the following consents:
 I consent to the processing of my personal data once the relationship has ended
contractual, to carry out commercial communications adapted to my profile
of products and services related to the supply and consumption of energy. In addition,
I consent to the aforementioned treatments during the term and after the end of the
contract, on non-energy products and services, both of the Group companies
EDP ​​and third parties.
 I consent to the processing of my personal data for the elaboration of my profile
with information from third party databases, for the
adoption, by EDP, of automated decisions in order to send
personalized commercial proposals, as well as to allow, or not, the contracting
of certain services.
On the back of the first page there is a section entitled “Basic information
on Data Protection ”: which contains the following:
" Personal data will be processed by EDP COMERCIALIZADORA,
SAU and EDP ENERGÍA, SAU (hereinafter, jointly, EDP) as
Responsible for the Treatment, for the maintenance, development, compliance and management
tion of the contractual relationship, fraud prevention, profiling based on
in information provided by the Client and / or derived from the provision of the service by
part of EDP, as well as sending commercial communications, related to products and
services related to the supply and consumption of energy, maintenance of ins-
facilities and equipment, and that can be customized based on your profile of
Client, as reported in the General Conditions, being able to oppose in any-
any time to send commercial communications. Additionally, the Client
gives your explicit consent for the processing of personal data collected
on the obverse. Without prejudice to the consents given, the client may exercise,
at all times, your rights of access, rectification, opposition, deletion, limitation
tion and portability, through any of the channels indicated in the Conditions
General. "
In the part of general conditions the following information regarding
personal data protection:
“ LOPD Purposes of the processing of personal data. According to
provided in current regulations, the client is informed that all data
provided in this contract are necessary for the purposes of its formalization.
Said data, in addition to those obtained as a result of the execution of the
contract, will be processed by EDP COMERCIALIZADORA, SAU, domiciled at
c / General Concha, 20, 48001, Bilbao and by EDP ENERGÍA, SAU with address at
Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 13
13/136
in order to manage, maintain, develop, complete and control the
contracting supply of electricity and / or gas and / or complementary services of and / or
gas and / or complementary services of revision and / or technical assistance and / or program of
points, and / or improvement of the service, to carry out actions to prevent
fraud, as well as profiling, personalized commercial communications
based on information provided by the Client and / or derived from the provision of the
service by EDP and related to products and services related to the
supply and consumption of energy, maintenance of facilities and equipment.
These treatments will be carried out in strict compliance with the legislation
current and insofar as they are necessary for the execution of the contract and / or the
satisfaction of EDP's legitimate interests, provided that the latter are not
other rights of the client prevail.
Provided that the client has explicitly accepted it, their personal data will be
treated, even once the contractual relationship has ended and provided that there is no
Produces opposition to said treatment, to:
(I) The promotion of financial services, payment protection services, automotive
or related and electronic, own or third parties, offered by EDP and / or participation in
promotional contests, as well as for the presentation of commercial proposals
linked to the energy sector after the end of the contract, (II) The preparation of
Commercial profiles of the Client by aggregating the databases of
third parties, in order to offer the Client personalized products and services,
thus improving the customer experience, (III) Decision-making
automated, such as allowing the contracting, or not, of certain products
and / or services based on the Client's profile and particularly, on data such as, the
history of defaults, the history of hires, permanence, locations, data
consumption, types of devices connected to the energy network, and similar data
that allow to know in greater detail the risks associated with the contracting. (IV)
Based on the results obtained from the aggregation of the indicated data,
EDP ​​may make personalized offers, specifically aimed at achieving the
contracting of certain products and / or services from EDP or from third parties
depending on whether the client has consented to it or not, being in any case treated
data whose age will not exceed one year. In the event that said process was carried out
carried out in an automated way, the client will always have the right to obtain intervention
human rights by EDP, admitting the challenge and, where appropriate, assessment of the
resulting decision.
Categories of data processed
By virtue of the contractual relationship, EDP may process the following types of data
personal: (I) Identifying data (name, surname, ID, postal address, address
email, supply point, etc . ), (II) Identification codes or keys
User and / or Client, (III) Personal characteristics data (date of birth,
sex, nationality, etc.), (IV) Data of social circumstances (hobbies, style of
life, marital status, etc.), (V) Data on energy consumption and derived lifestyle habits
of these , (VI) Economic, financial, solvency and / or insurance data.
Personal data will be kept for the duration of the contractual relationship
and at most, during the statute of limitations for legal actions
corresponding, unless the Client authorizes its treatment for a longer period,
applying organizational and security measures from the beginning of the treatment
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 14
14/136
to ensure the integrity, confidentiality, availability and resilience of data
personal
Communications and recipients of personal data.
All personal data derived from the provision of the service and those obtained in
By virtue of this contract, they may be communicated to the following entities:
i)
The corresponding distribution company, producing with it an in-
permanent exchange of information for the adequate provision of the service,
among them the request for access to your network, the readings (which in the case of
remote-managed controller will be hourly) and / or consumption estimation, quality control
supply, request for supply cuts, modifications in the pos-
tencia, etc.
ii)
The Organizations and Public Administrations that by Law correspond.
iii)
Banks and financial entities for the collection of services rendered.
iv)
Other companies of the business group, solely for administrative purposes
internal and the management of the products and services contracted.
v)
National equity solvency and credit services (Asnef-Equifax,
...) to which in case of non-payment, without just cause by the Client,
You will be able to communicate the debt, as well as fraud prevention services,
with the sole purpose of identifying erroneous or fraudulent information provided during-
you the hiring process.
saw)
EDP ​​suppliers necessary for the adequate fulfillment of the obligations
contractual arrangements, including those that may be located outside the State
European Economic space, in which case it is duly adequate
international data transfer.
Rights of the data owner
The client will have the possibility of exercising freely at all times
and completely free the following rights:
i)
Access your personal data that is processed by
EDP.
ii)
Rectify your personal data that is processed by
EDP ​​that are inaccurate or incomplete.
iii)
Delete your personal data that is processed by EDP
iv)
Limit EDP's treatment of all or part of its
personal information.
v)
Oppose certain treatment and decision-making
automated data processing, requiring human intervention
mana in the process, as well as to challenge the decisions that are final-
adopted by virtue of the processing of your data.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 15
15/136
saw)
Port your personal data in an interoperable format and auto-
enough.
vii)
Withdraw at any time, the consents granted
previously.
In accordance with current regulations, the user can exercise their
rights by requesting it in writing, and together with a copy of a certified document
accrediting identity, at the following post-
such: Plaza del Fresno, 2, 33007 Oviedo or by email
*** EMAIL . 1 .
Likewise, you can contact the protection delegate
of EDP data at the following postal address Plaza del Fresno, 2,
33007 Oviedo or in the email *** EMAIL.1 , in the event that
understands that any of their rights related to the protection of
data, or, where appropriate, file a claim with the Agency
Spanish Data Protection, at the address Calle de Jorge Juan,
6, 28001. Madrid "
Evidence 7 refers to a sales process with express online verification.
SCRIPT VERIFIER-AGENT
Part 1 (Agent call to number *** PHONE.1 or *** PHONE.2 )
VERIF - EDP ​​Verifications, good morning. Can you tell me your phone number to
perform verification?
AGE - Good morning, my phone is XXXXX.
VERIF-I proceed to issue the outgoing call.
Part 2 (Outgoing call from the verifier to the agent's phone)
VERIF: Good morning, can you tell me ID ?. XXXXX Can you tell me your name and surname and
collaborating company? If the tool returns the collaborator's data (and the
itself is active) we will check if they match, if so we continue, in
If they do not match, we will ask you again for the data / s that do not match for
reconfirm the discrepancy, if you continue we will indicate: «We cannot carry out the
verification, the data you provide us is inconsistent »). In case the
tool does not return anything to us, we will ask you again for your ID and if you continue
Without appearing we indicate: «We cannot carry out the verification, your company has not
accredited ».
VERIF- Can you tell me the name, surname and ID of the signer? XXXXX How many
contracts have you signed? XXXX (maximum 6 contracts per call) made at the Stand
of EDP in CC XX / in the store of the collaborator XX
VERIF-Is the signer the owner of the contracts? In case of being the owner, request
contact telephone number and province. If you sign as a representative, request a name,
Surname and DNI of / the holders (maximum 3) and contact telephone number and main province
of each holder.
VERIF-Can you tell me the phone number of the signer to carry out the verification?
XXXXX
VERIF-I proceed to issue the call to start the verification.
Part 3 (Outgoing call from verifier to verification phone)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 16
16/136
VERIFY CUSTOMER- Good morning, I am XXXX from the company *** COMPANY.1
collaborator of EDP. For security reasons I inform you that this call is
being recorded, do you confirm that it is SIGNING NAME with DNI XXXX and that
has just signed XX contracts at the collaborator's EDP stand / store (in case of
sign as representative indicate “in representation of name-surname HOLDER
DNI) Yes / No . What relationship-kinship do you have with the owner? (this question I don't know
performed when the owner is a company).
- Tenant, I have the rented house. Request that it happen to the agent and
tell you that a tenant cannot sign as a representative. KO verification.
-Family or attorney-in-fact: continue verification.
Perfect, please pass me on to the agent to take some information and carry out the
verification, thank you.
2.2. Description of the procedures enabled through each of the channels
contract so that a third party can prove the representation of a holder to the
sign a contract with EDP ENERGÍA, SAU
A. Telephone Channel:
A.1 - CAC INBOUND
Recording of the legal text where the representative confirms the data provided from the
represented.
A.2 - TELEMARKETING
Recording of the legal text where the representative confirms the data provided from the
represented and durable support via sms / email where the representative confirms
new said data.
A.3 - LEADS
Recording of the legal text where the representative confirms the data provided from the
represented and durable support via sms / email where the representative confirms
new said data.
Additionally, in the pilot test of this channel, another
sms / email informing of the representative's action.
B. Web: The option of contracting with a representative is not offered.
C. Distributors:
In the case of EDP's own commercial offices, it is requested to fill out and
signed by both interested parties (representative and owner) a document of
express authorization in which the data of both persons and copies of their
NIF.
D. External Sales Forces:
In the case of external sales forces (fair stands, shopping centers and
home visits, provided there is a prior request by the interested party), the
compilation, the hiring stub is kept where the representative declares
have sufficient powers to sign the contract on behalf of the client to
who is responsible for informing of all the conditions of this.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 17
17/136
Likewise, the verification recording is available and kept where they are confirmed
with the representative the data of the represented, as well as the relationship / kinship that
unites them.
2.3. Specification of the procedure followed by EDP ENERGÍA, SAU for
store the evidence that proves the capacity of representation of the third party in
the procedures in which this type of contracting is carried out, indicating the
channel or channels for which each is used.
A. Telephone Channel:
A.1 - CAC INBOUND
The recording is stored linked to the commercial management system of
Contacts where the request is registered.
A.2 - TELEMARKETING
The recording and durable media are stored in the recording system.
Channel commercial management.
A.3 - LEADS
The recording and durable media are stored in the recording system.
Channel commercial management.
B. Web: The option of contracting with a representative is not offered.
C. Distributors
In the case of EDP's own Commercial Offices, the authorization document
It is stored linked to the Contacts commercial management system
where the request is registered.
D. External Sales Forces:
The recruitment stub and the recording of the verification call are located
stored digitally in the Canales commercial management system.
For its part, the paper copy is sent to the supplier commissioned by EDP of the
custody of said documents.
2.4. Attach models and / or examples of type evidence collected under the
procedure followed in section 2.3.
A. Telephone Channel:
A.1 - CAC INBOUND
An example is provided with the recordings (Evidence 8) It is an audio with the
recording of a service contract in a specific case carried out through
representation. Its content is the same as in evidence 2.
A.2 - TELEMARKETING
Examples of recordings and durable supports are provided (Evidence 9 and 10,
respectively) Evidence 9 consists of an audio with the recording of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 18
18/136
contracting services with a client representative. Play the content
of evidence 3. Evidence 10 is a document with the following text:
"Confirmation of acceptance of communication by sms:
On 2019-04-26 15:50:06 an SMS was sent from the phone number
+ *** PHONE. 3 with the text:
EDP ​​Offer : *** OFFER. 1 Please respond with a YES to this SMS to
accept and
activate discounts. Thanks. Details:
http://edpconfirma.es/OOUSEAVSXK
to the recipient's phone number *** PHONE . 4. Said message was
responded with notification ID OOUSEAVSXK, on ​​2019-04-26
15:50:46 and with the text: If which we accept as valid for processing
of the product offered in the document shown below. I know
Indicate below personal data of the contractor and of the offer and the
following information: Your personal data will be processed by EDP
Comercializadora SAU and EDP Energía SAU to manage their contracts,
fraud prevention, profiling based on customer information
and EDP, as well as the realization of personalized communications about
products or services directly related to their contracts, being able
at any time oppose them.
We remind you that you can exercise your rights to
access, rectification, opposition, deletion, limitation and portability, through
any of the routes indicated in the General Conditions that can
check our website *** URL.1 . "
A.3 - LEADS
Examples are provided with recordings and durable media (Evidence 11, 12,
and 13, respectively)
B. Web: The option of contracting with a representative is not offered.
C. Distributors:
Regarding our own Commercial Offices, a model document is attached.
authorization completed by the representative in favor of the represented
(Evidence 14).
D. External Sales Forces:
With regard to the evidence generated by external sales forces, is attached
hiring stub model where the representation is collected (Evidence 15),
as well as the recording in which it is confirmed, as well as the relationship-kinship
that links them (Evidence 16).
THIRD. - Information on the number of contracts signed in 2018 and 2019 by
third parties on behalf of the owners of the services (natural persons) with
distinction of: 3.1. By virtue of what this representation is supported (power, degree of
kinship, etc.) 3.2. Procedure or formula for accreditation of representation
Following. 3.3. Recruitment channel for telephony, internet, own distributors or
subcontractors, sales force with own or subcontracted home visits, etc. ...)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 19
19/136
In relation to the request for information regarding the number of contracts signed in
the years 2018 and 2019 by third parties on behalf of individuals, it is put into
knowledge of the AEPD the following information related to each of the channels:
A. Telephone Channel:
A.1 - CAC INBOUND
Year Channel Representation
No. Contracts
2018 CAC Relationship
1,536
2018 CAC Unrelated
436
2019 CAC
Relationship
1,351
2019 CAC Unrelated
295
A.2 - TELEMARKETING
Channel Year
Representation
No. Contracts
2018 TELEMARKETING
Relationship
2,708
2018 TELEMARKETING
No kinship
114
2019 TELEMARKETING
Relationship
1,910
2019 TELEMARKETING
No kinship
83
A.3 - LEADS
Channel Year
Representation
No. Contracts
2018 LEADS
Relationship
17,040
2018 LEADS
No kinship
2,719
2019 LEADS
Relationship
17,808
2019 LEADS
No kinship
3,496
B. Web: Hiring with a representative is not contemplated.
C. Distributors (own commercial offices):
Year Channel Representation
No. Contracts
2018 OOCC Relationship
261
2018 OOCC Unrelated
64
2019 OOCC Relationship
244
2019 OOCC Unrelated
52
D. External Sales Forces: (trade fair stands, shopping centers - home visit)
Year Channel Representation
No. Contracts
2018 FVE
Relationship
43,008
2018 FVE
No kinship
523
2019 FVE
Relationship
11,945
2019 FVE
No kinship
13
SIXTH : In writing dated May 29, 2020, sent on June 1, 2020,
formulates a new information request to EPD ENERGÍA, SAU requesting the
which is related below:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 20
20/136
1. Copy of the content included in the Register of Treatment Activities (article
30 of the RGPD) regarding personal data processing activities
carried out in the context of contracting services with EDP ENERGÍA, SAU
2. Copy of the content included in the Risk Analysis or Assessment carried out by the
entity in compliance with article 32 of the RGPD regarding the processing of
personal data made in the context of contracting services with EDP
ENERGÍA, SAU
3. Enter the information previously provided by the entity to the AEPD, registered
with the number 001390/2020, it is specified on a recurring basis (see evidence 2, 3, 4,
6, 10, 12, 14, 15) that personal data will be processed for all
purposes described, in addition to EDP ENERGÍA, SAU, by another legal entity
(EDP COMERCIALIZADORA, SAU). The following information is requested in this regard:
3.1. Reason that justifies that both entities process the personal data collected.
3.2. Detail of the circumstances that condition, if any, that the treatments
made on specific personal data are executed by one or the other
entity.
3.3. Detail, where appropriate, the procedures and mechanisms used to
guarantee the separation of personal data processed by one and another entity of
so that each one only has the possibility of treating what corresponds to it according to
of the legitimate purpose pursued at all times.
SEVENTH: On June 17, 2020, this Agency has a written entry of
EDP ​​ENERGÍA, SAU in which the following is stated regarding the last
question raised in the request of this Agency referred to in point
previous:
"THIRD.- Enter the information previously provided by the entity to the AEPD,
registered with the number 001387/2020, it is specified on a recurring basis (see
evidences 2, 3, 4, 6, 10, 12, 14, 15) that personal data will be processed for the
set of purposes described, in addition to EDP ENERGÍA, SAU, on the other
legal person (EDP ENERGÍA, SAU). In this regard, the following is requested
information:
3.1. Reason that justifies that both entities process the personal data collected.
3.2. Detail of the circumstances that condition, if any, that the treatments
made on specific personal data are executed by one or the other
entity.
As these two questions are directly related to each other, the answer is given
joint to them. In relation to the evidence provided and that
correspond to supports that are used to carry out the contracting through
of the different channels, reference is made to both EDP ENERGÍA and EDP
ENERGÍA SAU (EDP ENERGÍA), because the company with which they are contracted
The services will be one or the other depending on the product and / or service requested, being
highly probable that the same client when requesting the contracting of the supply
electric and gas, you are contracting with both companies at the same time.
For this reason, the “dual” contract has been drawn up and structured in such a way that a
client can obtain discounts or additional advantages for the fact of contracting
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 21
21/136
both energies with two companies of the same business group, and in order to
keep the discounts updated in each of the energies and information
derived, it is necessary for both societies to know whether the energy initially
contracted with the other Group company remains active in order to maintain and
correctly manage the discounts / benefits applied.
For this reason, and in order to provide the maximum possible transparency to a process
carried out eminently in writing, such as the contracting of services
energy, is why in the clause on data protection it is reported that
the personal data provided during the hiring process will be processed by
both entities, always respecting the functions of each one in accordance with the
contract signed in each case and particularly the type of energy services that
are finally hired.
On the other hand, and regardless of the above, we inform you of this
Agency that the existence of two companies within the Group with the role of entities
trading companies is due to a purely formal issue, a consequence of the
corporate structure and shareholding composition of the companies acquired by the
EDP ​​Group at the time of its establishment in Spain, but not
corresponds to the operational functioning of said marketers, since
only one of them, EDP ENERGÍA, currently has employees and capacity
management and operational. Thus, in practice, all treatments are
carried out by said entity, either as data controller or as
responsible for the treatment of EDP ENERGÍA. Additionally, indicate that the Group
EDP ​​had planned the corporate reorganization of EDP ENERGÍA and EDP ENERGÍA and
the adaptation of its corporate structure with that of its actual operation and its
business operations. This reorganization has currently been affected by
a TOTAL sale process in which both companies are immersed, and that
materialize, could alter or terminate said integration.
3.3. Detail, where appropriate, the procedures and mechanisms used to
guarantee the separation of personal data processed by one and another entity of
so that each one only has the possibility of treating what corresponds to it according to
of the legitimate purpose pursued at all times.
As already stated, all users with access to the system are employees of
EDP ​​ENERGY.
In this way, EDP agents access the personal data of the clients of
said entity as data controllers or, they have access to the
personal data of EDP ENERGÍA clients, as Manager of the
Treatment, in compliance with the provision of customer management services of
EDP ​​ENERGÍA entrusted to it by EDP ENERGÍA, being managed in
quality of the two different roles they occupy under contract regulation
that we make available to this Agency. " (SIC)
Along with this response, an extract from the Registry of Treatment Activities is provided.
which includes the records relating to the activities carried out in the field of
contracting of products and / or services and the risk analysis carried out regarding the
treatments that are carried out in the context of contracting products and / or
services.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 22
22/136
The risk analysis is contained in an Excel document, it does not contain a date or
firm. 15 risk factors are listed; 1. Commercially sensitive information, 2.
Commercial Communications, 3. Data Origin (external or internal source), 4. Assignments
of data. 5, Treatment Managers. 6. International transfers. 7. Activities
scoring / profiling. 8. Automated decisions. 9. Systematic monitoring of
Headlines. 10. Special categories of data. 11. Large-scale data processing.
12. Data interconnections / Big Data. 13. Minor Data / Vulnerable Holders. 14.
Application or use of innovative technologies 15. Unavoidable Treatment / Restriction
exercise rights or access service. Regarding the potential risk assessment
inherent, the risk scale has 4 levels: low, with a rating from 0 to 12;
average score from 13 to 25; high from 26 to 38 and very high from 39 to 51. The assessment or
The weight given to each of the risk factors is from 1 to 4. In the analysis of
risks, a yes or no is marked for each of the sales channels in each of the
15 risk factors listed above. The sum of the weight attributed to each of
the factors for each channel determine the inherent risk. The result of risk
inherent is medium in all contracting channels, except in web channels and
external forces through home visits in which the risk outcome
inherent is low. Risk correction measures are not indicated.
EIGHTH: On July 16, 2020 you have entry into this Agency, within the framework
of the investigation file E / 5549/2019, written by EDP COMERCIALIZADORA,
SAU stating that “In the framework of the above-referenced procedure, it was required
to EDP by the AEPD to clarify, among other points, certain
information regarding the contracting procedures implemented in EDP
carried out with the intervention of a third party authorized by the owner, as well as attending the
suggestion made in previous procedures communicated by the AEPD in
which suggested making modifications in the way in which this
type of hiring.
2. That, for all of the above, EDP has reviewed the procedure to be followed in the
contracting by third parties on behalf of the owner, in order to strengthen said
procedure and reduce the risks of possible identity theft carried out
in bad faith by the contracting party in this type of process, taking into account,
additionally, the particular needs identified as a result of the state of
alarm decreed last March and that has necessarily required that
all contracts are carried out in a non-face-to-face way.
3. That in order to inform the AEPD of the specific actions that are
are being carried out in relation to this matter by EDP, in compliance
of their duty of proactive compliance (accountability), we attach the
"Contracting procedure by third parties on behalf of the owner", so that they have
visibility on the modifications that are being implemented in these processes
in order to meet your request in this regard, as well as to highlight the
EDP's proactivity regarding its suggestion of adaptation of said
process."
The following aspects are detailed in three sections below: purpose,
contracting procedure with third parties and data and interests of those affected.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 23
23/136
In the first section, called the purpose after exposing the situation, it states the
following proposal: “A contracting procedure that, through correct use
and technology insurance, facilitate the contracting of EDP services by
clients through a third party acting under a mandate under the terms of Title IX
of the Fourth Book of the Civil Code, protecting in any case the rights of the client and
agent about your personal data, which will only be treated in accordance with
an adequate basis of legitimacy and in compliance with the principles of the RGPD,
ensuring that they are informed about the treatment and that they can exercise their
rights at all times, as well as to act in case of identifying any action
irregular."
In the second section relating to the contracting procedure with third parties,
distinguishes the procedure followed with a representative with written authorization from the
followed by agent with verbal authorization. In the first case, the
next steps: the agent is informed, the data and authorization are collected and the
contracts on behalf of the client. In the case of the agent with verbal authorization, the
The steps to follow are as follows: EDP proceeds to the information at the
agent and data collection, to be hired by the agent in the name and
representation of the client, sending the client information on the contracting and
possibility of the client to disavow the contract.
Regarding the information to the agent and the collection of the data, it consists of,
as set forth, in the following:
- Services are offered and explained
- It is informed about the need to collect certain data for contracting, as well
as well as the use that will be made of them and the place where more
information about it.
- The data of the agent and the client are requested
- The agent provides EDP with his own data and those of the client and confirms that it is
empowered to negotiate and sign the contract on behalf of the client
- The contract includes all the information required by the applicable regulations and in
relationship with the processing of personal data derived from the hiring.
Regarding the hiring by the agent on behalf of the client
differentiates the hiring in own commercial offices and outside the establishment
mercantile, in which the information is collected in the contract and delivered in support
durable or digital to the agent and remote contracting (by phone)
distinguishing between incoming calls to EDP's CAC, in which the
conversation or outgoing calls (telemarketing, outgoing calls
EDP ​​providers) in which the conversation is recorded, and the contract is sent in
durable support to the president (It is clarified that the conversations are recorded after
have previously informed the user that the conversation is going to be recorded.
The following is noted regarding the step related to sending information to the client
about hiring.
-Once the contract is formalized by the agent, when there is no
written authorization, is sent to the client, by email or SMS, depending on the
communication channel available in each case, a communication in which
It includes: o Confirmation of the contract made through your agent,
including the agent's data or URL link to access the contract signed by
the agent on his behalf (with guarantees of content integrity and accreditation
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 24
24/136
of the exact date of realization) where you can exercise your right to disallow
hiring in a simple and intuitive way (with a single click) View, print, or
download the contract and withdrawal document
The contract collects all the information about the treatment of the client's data by
part of EDP, in addition to the details of the contracted services.
Clarifies that the contracting procedure based on double authentication factor
It has been designed taking into consideration the procedure approved by the
National Markets and Competition Commission for carrying out portability and
hiring in the telecommunications sector, a sector very similar in
that the contracting procedure refers to.
The communication is made through a trusted third party that accredits the shipment
of the SMS / mail as follows:
-SMS message:
EDP ​​XXXXXXXX. NAME REP SURNAME REP has contracted energy / services in
your name. Before 14 days you can disallow it. Details: *** URL.2
-E-MAIL Message:
SUBJECT: Hiring of NAME TIT SURNAME TIT with EDP
Hello, we inform you that NAME REP SURNAME REP has made on your behalf
the XXXXXXXX contracting related to your energy supply / services. Have
14 days to disallow said management.
See details at: *** URL.2
The step related to the "Possibility for the client to reject the contract" consists of
in the following:
A link is sent to the client, through which they access a portal from which they are
It allows:
- View contract with the possibility of downloading or printing it or
- Disallow the hiring with a single click. Evidence is generated that
guarantees the traceability of the action (exact moment of the realization, as well as
integrity of associated evidence) or
- Download the withdrawal document.
Regarding the third section, data and interests affected, it is indicated what
following:
It has been determined that to achieve the purpose of the treatment, it is essential to
treatment of the following categories of personal data:
-With written authorization
Customer data: Identification (includes copy of DNI), Contact, Services
contracted, Bank details, Supply point data
Mandatory data: Identification (includes a copy of the DNI), Relationship with the owner
(yes / no), Contact
- With verbal authorization:
Customer data: Identification, Contact, Contracted services, Bank details,
Supply point data.
Mandatory data: Identification, Relationship with the owner (yes / no), Contact.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 25
25/136
NINTH: Information is obtained on the volume of sales of the entity being the
results of the turnover during the year 2018 of 1,236,124,000 euros. The
Capital according to the information obtained from the Mercantile Registry is 1,000,000
euros.
Information is obtained on the number of clients of the entity. According to the report of
supervision of the changes of marketer, corresponding to the first quarter of
2019, of the National Markets and Competition Commission, the number of
supply points of the entity as of March 31, 2019, corresponding to the scope
domestic, amounted to 1,129,534, constituting 4% of the total electricity sector in
said domestic environment.
TENTH: The internet site indicated in evidence 3 and 4 ( *** URL.1 ) is accessed at
object of downloading the General Conditions of Contract.
The procedure followed to download the document that contains the Conditions
General Contracting, as stated in the diligence of the acting inspector, has
been the following:
-Access through the internet browser to the address *** URL.1 .
- Introduction in the search engine of the text page itself: "General Conditions"
-The website shows, under the following address: *** URL . 3, 2 tabs one
called Related Information and Other Documents.
-The "Documents" tab of the Search Results is selected. Is
offers a total of 78 results, the third of which corresponds to the
"General contracting conditions".
-The "General contracting conditions" are selected and automatically
open a new browser window pointing to the following internet address:
*** URL . 4 .
-Download the document
The content of the general conditions in the "LOPD" section coincides with the
transcribed as evidence 6, with the same LOPD title within the conditions
general, in the fourth number of this Agreement for the Initiation of the procedure
sanctioner.
ELEVENTH: On July 31, 2020, the Director of the Agency
Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the
entity EDP ENERGÍA, SAU, in accordance with the provisions of article 58.2 of the
Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016,
Relating to the Protection of Natural Persons with regard to the Treatment of
Personal Data and the Free Circulation of this Data (General Regulation of
Data Protection, hereinafter RGPD), for the alleged infringement of article 25
of the RGPD, typified in article 83.4.a) of the aforementioned Regulation; for the alleged
infringement of article 6 of the RGPD typified in article 83.5.a) of the aforementioned
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 26
26/136
Regulation; for the alleged violation of article 22 of the RGPD, typified in the
Article 83.5.b) of the aforementioned Regulation; and for the alleged violation of article 13 of the
RGPD, typified in article 83.5.b) of the aforementioned Regulation, determining that the
The penalty that may correspond would amount to a total of 3,500,000.00 euros, without
detriment to the result of the investigation.
TWELFTH: The aforementioned initiation agreement has been notified, the investigated entity
filed on August 7, 2020, writing requesting an extension of the term to the
object of presenting allegations. Once the extension of the term was granted, they presented the
allegations dated 08/25/2020 which are briefly the following:
FIRST: ALLEGED BREACH OF THE PRIVACY PRINCIPLE BY
DESIGN IN THE HIRING PROCESSES THROUGH A REPRESENTATIVE .
The AEPD intends to justify the initiation of this sanctioning file in the alleged
lack of documentation that has never been requested. In this regard,
It should be noted that EDP ENERGÍA has a methodology for identifying, analyzing
and risk management, both to identify inherent risks, as well as
specifically to assess the need to carry out the Assessments of
Impact, alleges that it includes as an annex the supporting documentation that proves,
more than enough, that EDP ENERGÍA fully and fully complies with these
obligations and which is specified in the following: - “Risk Analysis Methodology and
conducting Impact Evaluations "-" Record of Treatment activities and
risk assessment of the treatments related to the contracting of EDP
ENERGY ”-“ Privacy Impact Assessment: Channel of Leads to Convert by
Telemarketing ”-“ Privacy Impact Assessment: Telemarketing to clients for
upselling or abandonment recovery ”-“ Privacy Impact Assessment: Channel
CAC to Clients Or Potential Clients (Inbound) ”-“ Impact Evaluation of
Privacy: OOCC Channel to clients or potential clients (Reactive sale) ”-
"Privacy Impact Assessment: Third-party Stores Channel for sale to customers
potentials (Reactive Selling) ”-“ Privacy Impact Assessment: Forces of
external sales through stands at fairs and shopping centers (reactive sales) ”-
"Evaluation of Privacy Impact: Treatment activity: Carrying out
Scoring of B2C Clients prior to hiring ”.
Likewise, and as a consequence of the measures adopted as a result of the
recommendations derived from risk analysis and impact assessments
carried out by EPD ENERGÍA, a large number of
procedures for compliance with data protection obligations from
the design and by default that are provided as annex 2.
Specifically, the following procedures are included in this Annex 2
related to Privacy by Design and by Default, which are part of the
System of Government, Risks and Regulatory Compliance of data protection of
EDP: • Data Protection Methodology from Design and EDP's Default •
Operational instruction Privacy By Design and Privacy by Default of the commercial area •
Form for characterization and registration of treatment activities for analysis
Privacy by Design and Privacy by Default • Flow chart of the Privacy By Design process
and Privacy by Default.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 27
27/136
It is really striking that the AEPD gives the relevance it gives to the fact
concrete that EDP ENERGÍA had not taken into account in its analysis of
risks, the specific analysis of the risks associated with the possibility of contracting
through a representative, when the AEPD itself, in its own "Practical Guide to
Risk Analysis in the processing of data subject to the RGPD ”(published in its
web (https://www.aepd.es/sites/default/files/2019-09/guiaanalisis-de-riesgos-rgpd.pdf)
does not include any direct or indirect reference to the need to evaluate the
specific risk in relation to data processing, either in contracts or in
other processes, carried out by authorized third parties.
Second, it alleges that all the data processing carried out by
EDP ​​ENERGÍA were analyzed to verify their degree of compliance with the
obligations related to RGPD, proposing measures for its correct
adaptation, regardless of the need for evaluations
impact or not. Delving into the specific risk related to the contracting carried out
through third parties, it must be indicated that the content of the analyzes carried out was
updated at the time, taking into account the considerations that the AEPD has
transferred to EDP ENERGÍA in the administrative procedure related to this
issue that began at the end of 2019 and that, we understand, is the cause of the
sanctioning procedure in which we find ourselves at the moment.
Indeed, as we have already had the opportunity to present within the framework of said
sanctioning procedure previously initiated by the AEPD, the processes of
contracting through authorized third parties had not been identified by
EDP ​​ENERGÍA as an inherent risk factor that was relevant, taking into account
account that: 1) The practically non-existence of claims by clients in
related to this motive. 2) Until now, EDP ENERGÍA did not have any
sanctioning file opened for this cause. 3) The contracting carried out through
third party as verbal agent is expressly recognized in the Code
Civil of 1889.
Although the potential risks identified by the AEPD are perfectly possible,
the probability of materialization of said risks, in the specific case of EDP
ENERGY, was practically nil and that therefore his diligence, with regard to the
carrying out the risk analysis, has been amply accredited.
Specifically, this fact is based on the very low number of claims for
this reason that EDP ENERGÍA has received. Indeed, the number of complaints
for contracting through third parties, it amounts to 8 cases with respect to a total of
105,606 contracts made, as stated in the information provided in the
own file, which we understand, that as surely the
AEPD with EDP ENERGÍA, in probabilistic terms, could be considered a
value that, objectively, does not require an independent assessment and
detailed. And it is not only that in absolute numbers the existing precedents in
EDP ​​ENERGÍA's case were practically nil (8 cases out of 105,606
contracting), but as the AEPD knows very well, of the aforementioned eight (8)
claims, there is only one sanctioning precedent for this entity,
taking into consideration that the AEPD includes in its writing a procedure
that has not yet been firmly resolved (PS / 00109/2019), insofar as
it is being subject to the corresponding contentious-administrative appeal
before the Contentious-Administrative Chamber of the National Court.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 28
28/136
It states that the possibility of entering into a contract between two parties through the
intermediation of a third party is an exclusive question of Civil Law, so the
need, or not, of formalities associated with the accreditation of the representation has
to be governed by the provisions of the Civil Code and, where appropriate, by the provisions of the
consumer protection regulations. In this regard, the requirement by the
AEPD that the representation alluded to by the representative is recorded in a medium that
allow its accreditation could be considered logical in an isolated interpretation of
data protection regulations, but it loses meaning when put in context
with the rest of the legal system, more specifically, with the provisions of the Code
Civil, which contemplates, among others, the possibility of hiring by representative
included in article 1259, or the figure of the "mandate", regulated in articles 1709
to 1739 of the same and that establish that: «by the mandate contract a
person to provide a service or do something for the account or commission of another »and
for which total freedom of form is allowed, establishing that "the mandate may
be express or tacit "and that, likewise," acceptance may also be express or
tacit, deduced this last one of the acts of the agent chief executive ». In this case, it does not seem
that such a wide freedom of form is compatible with obtaining evidence of
the existence of the representation or mandate, beyond the manifestations of the
agent, protected by good contractual faith. Likewise, there is little
understandable that a separate consent is required for the treatment of
your data or a confirmation of the order by the principal, since this
would imply denaturing the representation, inasmuch as it would be absurd that who is
designated for the conclusion of a contract in favor of a third party cannot facilitate
the data of the person on whose behalf it acts, or that confirmation is necessary
separated from it to authorize said communication, since the need to
Addressing the represented person directly would make the representative's intervention useless,
since it would be meaningless.
Likewise, and in relation to the possibility that the represented party may provide
additional consents to the hiring itself, it should be noted that this
possibility may well have been authorized by the represented in a way
specific, but as the same freedom of form governs for the granting of this
power (which the norm does not oblige in any case to provide in writing), nor is it
Your reliable accreditation is required at the time of hiring. About this
In particular, it should be noted that to date no assumptions have occurred in the
that any type of incidents have been reported by those represented
related to the granting of said consents.
Regarding other risks identified by the AEPD, it must be indicated that the
The risk of identity theft is very low, since the representative identifies himself
personally by reliable means when the hiring is face-to-face and
providing your DNI data when you do it remotely. However, as well
the AEPD knows the risk theory, it does not hold that the existence of a low risk
may be considered a non-existent risk. In this sense, the risks of there being
identity theft do not differ from those that correspond to the
contracting in their own name, since the same checks are carried out for
avoid this, based on the risks and threats detected in relation to each form
hiring. Therefore, it cannot be taken for granted that this risk was not
taken into consideration by EDP Specifically, this fact is based on the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 29
29/136
very low number of claims for this reason that EDP ENERGÍA has received, nor
that no mitigation measures have been adopted, as stated
It will be explained below in the explanation regarding the contracting procedure.
On the other hand, with regard to potential economic damages, although this
It is a question more linked again to the civil sphere of contracting than to the
protection of personal data, it must be indicated that in cases where the
cancellation of contracts for any reason, EDP ENERGÍA assumes the costs of
the services provided, so that there would be no economic damage to the
affected, proof of this is that EDP ENERGÍA has so far not received
no claim for the alleged damages wielded by the AEPD
Regarding the way in which the contracting is carried out, as already stated and stated
both in the information made available to that Agency and in the Background
In fact of the Initiation Agreement, the contracting of the services is preceded by a
series of guarantees that allow to identify the author of the contracts, following the
common practices throughout the supply service contracting sector and by
companies known as "Utilities", both in person and remotely,
this information being recorded, so that, in the event of any
incidence, there is evidence of who is the person who has carried out the
hiring. Against the insignificance that the AEPD intends to grant to the
statement of the representative, perfectly identified, on his condition of
representative of the person in whose name it contracts, it should be noted that this
manifestation has binding legal consequences, which, as already stated,
are subject to regulation and are expressly recognized by our
Legal System, and that imply responsibilities, both from the point of view of
civil view, as well as criminal, so it is not a “mere manifestation”, like the
He came to name the AEPD in the Fundamentals of Law of his writing of initiation of
sanctioning procedure, but it is a legal act, such as the
own consent of the owner, defined by the RGPD itself as a "manifestation
of will ”. Therefore, it does not seem that a legal defense can be defended
discrimination of the relevance of some manifestations versus others, due to the fact that
that are included or not within a specific regulation, or manifested from a
form, or other. Likewise, as stated in the Factual Background, although
later it seems to be obviated in the Fundamentals of Law, in all cases
in which the contracting is carried out remotely, it is indicated that: “To the contract holder, to
informative purposes, it is sent to you in duplicate, with a stamped envelope, the
contractual documentation in compliance with the provisions of the regulations of
protection of consumers and users ”. That is why, in any case, the owner
You have the possibility of knowing the terms in which the
hiring.
Notwithstanding all of the above, as a result of the sanctioning procedures opened in
the year 2019, and following the criteria transferred by the AEPD in the resolution of the
PS / 00109/2019 (do not sign on the day of the presentation of this brief, due to being appealed)
EDP ​​ENERGÍA has proceeded to identify the risk related to the
intervention of third parties in the contracting, making the corresponding analysis
detailed information on this issue and proposals for improvement have been drawn up, in order to give
compliance with the AEPD considerations so that in the procedures
of contracting the person in whose name it is contracted is always informed. The
The proposed contracting protocol has been made known to the AEPD in
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 30
30/136
dated July 16, 2020 and registration number 025308/2020, submitted in any case
before receiving the written Agreement for the Initiation of Sanctioning Procedure, being
a Request for information with a common number for EPD ENERGÍA and EDP
MARKETING COMPANY without the AEPD having ruled on it to date
to the same with the corresponding legal valuation report, as it is
requested, in order to implement a system that was fully compliant with the
criteria and interpretations of the AEPD, limiting itself so far to include in the
Initiation Agreement sent to EDP ENERGÍA certain considerations in
relationship with it. Specifically, the doubts raised in relation to the
proposed procedure, which we understand are the only ones that the AEPD has, are the
following: 1) It is not clear if it applies to all contracting channels, including the
Leads subchannel to which no reference is made; 2) situations are not contemplated
in which the represented can not be informed by the indicated means (mail
email or SMS); 3) the client is not informed of the consents given by the
representative for other treatments with purposes other than hiring the
service requested during the hiring process, nor the possibility of revoking
such consents. 4) no effective dates for the implementation of this
process.
Again, incomprehensibly, instead of requesting additional information from EDP
ENERGY in relation to the proposed procedure, the AEPD chooses to interpret
negatively the information whose content is not clear to you. However, and as
We understand that the will of the AEPD, like that of EDP ENERGÍA, is to achieve a
procedure that allows not only to comply with the different modalities of
contracting provided for in the Civil Code, recognized by consumer authorities
and the competent courts in contractual matters, but also to the
considerations of the AEPD, then we proceed to clarify those that
We understand would be the only doubts of the AEPD in relation to the modifications to the
procurement procedure submitted: 1) The proposed procedure will be applied to
all the contracting channels with which EDP ENERGÍA works, including the
Leads and any other that EDP ENERGÍA implements in the future. 2) Regarding the
doubt raised about what would happen in the event that the contracting person does not
does not have any of the means provided to carry out the confirmation of the
contracting (email or SMS), indicate that the alternatives will be: a. Do it
the owner himself b. Presenting written authorization and copy of the DNI of
representative and represented 3) Regarding the consents granted and the
possibility of revoking them, it should be noted that the communication gives access to the
contractual documentation, where each of the consents are recorded. The
Once this information is known, the user has the possibility of modifying them. Not
However, as a result of the comment of the AEPD in which it questions the validity of the
Authorization of the representative for the authorization of additional consents to the
contracting, EDP ENERGÍA proposes to allow representation only for this purpose and
will collect additional consents directly from the owner. 4) Regarding the
date of implantation, it depends precisely on the opinion that on this
procedure manifested by the AEPD, since it would not make sense to start it if
the supervisory authority considers that it does not meet its criteria to consider it a
appropriate procedure, taking into account the economic costs associated with this
implementation, in addition to the resources of time and dedication necessary for the
deployment of these measures.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 31
31/136
It is alleged that the alleged breach of the obligations of article 25 RGPD, and
the consequent quantification of possible sanction to impose on its client
derived from said alleged breach, lack any basis for its
consideration. In addition, and, in any case, the quantification of said possible sanction
it lacks any hint of being proportionate.
SECOND. - ALLEGED BREACH IN RELATION TO THE
CONSENT PROVIDED BY THE INTERESTED PARTY .
It alleges that it is interested in stating that the treatment relating to the creation of
a commercial profile based on the information of third parties for the referral of
advertising information is not, in practice, being made, nor at the date of
issuance of these allegations, nor prior to them. For the
Therefore, the treatment that could potentially have been carried out, has not had
place in no case, at any time, so, even though it can be questioned
From the point of view of the other requirements of the RGPD, it is not possible to attribute to EDP
ENERGY carrying out unlawful conduct that may be punishable
derived from the mere obtaining of the consents related to a treatment of
data that, to date, has been non-existent and therefore has not generated the
alleged damage to the fundamental rights of citizens wielded by this
Agency.
The commission of the offense of reference, regulated in article 83.5 (a) RGPD and in
72.1.b) of the LOPDGDD, necessarily requires that the
caused a treatment and that it has not been identified or has not been
regularized the basis of adequate legitimation, stating: “1. Depending on what
established in article 83.5 of Regulation (EU) 2016/679 are considered very serious and
The infractions that suppose a substantial violation will prescribe after three years
of the articles mentioned therein and, in particular, the following: (…) b. The
processing of personal data without the concurrence of any of the conditions of legality
of the treatment established in article 6 of Regulation (EU) 2016/679 ”.
In relation to informed consent, in the Agreement to Start the Procedure
Sanctioner to consider that the required consent is invalid, is part of
the consideration that the information provided to the interested party is not
sufficient, inasmuch as it is not indicated, nor what third-party bases will be consulted, nor
what type of data will be collected, so that the interested party does not know
absolutely what it is that you are consenting to. And it is appreciated that a single
consent for two different purposes.
In this regard, it is alleged that the information is provided in response to the good
practices stated by the AEPD itself and ratified by the LOPDGDD, so that
the interested parties are transferred through the double layer system, so that
the interested party can reinforce the information provided through the consultation that consists
in the same, through the different mechanisms that are granted for this purpose
(informative locution, back of the physical document or EDP ENERGÍA website.
In relation to the absence of clear identification of the sources of third parties or the
categories of data, it should be noted that such information can be derived from the
information provided to the customer in the first layer (by clearly identifying that the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 32
32/136
treatment will be carried out with third-party sources) as in the second layer, whose
content is contained in the section called "general conditions of the contract",
whose content indicates: “(II) The elaboration of commercial profiles of the Client
by aggregating EDP databases with data from
databases of third parties, in order to offer the Client products and services
personalized, thus improving the Customer experience. (III) The adoption of
automated decisions, such as allowing the hiring, or not, of certain
products and / or services based on the Client's profile and particularly, on data
such as, the history of defaults, the history of hiring, permanence,
locations, consumption data, types of devices connected to the energy network, and
similar data that allow to know in greater detail the risks associated with the
hiring. (iv) Based on the results obtained from the aggregation of the
data indicated, EDP may make personalized offers and specifically
aimed at achieving the contracting of certain EDP products and / or services. "
As reflected in the cited text, EDP ENERGÍA has broadly identified
detail the types of data that are treated for the detailed purposes, the sources being
consulted for this an obvious derivation of the above.
The indication made on obtaining third-party sources is, therefore,
sufficient content for the user to be fully aware that their
authorization will mean the possibility that the authorized entity can obtain said
information. It must be remembered that there is no legal requirement that, in the
At the time of collecting the data of the interested party, the questioned information must
be contemplated directly in the consent requested. That is, being the
origin of the data the interested party, it only corresponds to the Entity to inform
in accordance with the provisions of article 13 RGPD, a provision that does not establish, in
none of its precepts, the obligation to identify neither the source nor the typology of
the data. Only in the event that said treatment had been
carry out, the Entity should have reported such extremes, since only in
At that time, the provisions of article 14 RGPD would apply. Taking into account
of the non-materialization of said enrichment, this information did not become
transferred to the interested party, not including data in EDP ENERGÍA databases
unrelated to those that have been provided or generated on the occasion of the relationship
contractual maintained between the parties.
In addition, it should be noted that, in the event of obtaining data
from a third party, would be the one who, in his capacity as transferor of the data,
would be obliged to legitimize the communication of the data on the basis of the
consent of the interested party, without prejudice that EDP ENERGÍA would also do so, in
fulfillment of its information obligation once obtained data from
of a third party in accordance with the provisions of the RGPD. In this sense, said
situation could only occur, in the event that the interested party himself, exercising his
right to disposition of the data and with full awareness of it, there would be
expressed your authorization for your personal data to travel to another company,
as would be EDP ENERGÍA, who could only make use of them, in the
assuming that he had also expressed his consent, by means of the
marking the box or express indication, indicating that "Yes" in case of
be done by phone.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 33
33/136
On the other hand, in relation to the alleged accumulation of treatment purposes,
by stating that the interested party would authorize the sending of advertising and, secondly, the
use so that EDP ENERGÍA can assess the viability of contracting by
said user. In relation to this point, we must state that the valuation
made by the AEPD starts from an erroneous premise, considering that they are dealing with
two differentiated treatments, in a case in which it is clear that it is a question of
a single purpose, such as the generation of a commercial profile, the use of which is
It is limited to two contexts linked to each other: (i) the first, to carry out the assessment
of the possibility of contracting and, (ii) the second, to issue the corresponding offers
commercials to the user in question.
In this way, both assumptions are necessarily interrelated,
as there is no doubt that it would be meaningless to design a client profile, based on
the data provided by the user and those derived from the service provided, for the
referral of a commercial offer that was sent to an interested party who did not comply
the internal parameters of the Entity to carry out a contract at the moment
of your request.
In relation to this aspect, it is well known by this company that the RGPD requires
that the consents that are collected are specific, as well as
unanimous criterion of the control authorities to point out that the grouping of purposes
related to each other, as would happen in this case, has full place in said
concept, without such grouping giving rise to the consideration, per se, that it has not been
specifically obtained consent. In this area, the approach
on which the AEPD sustains the breach attributed to EDP ENERGÍA,
The regulation established by the LOPGDD, in whose article 6.2 states that: “2.
When it is intended to base the processing of the data on the consent of the
affected for a plurality of purposes, it will be necessary to record in a
specific and unequivocal that said consent is granted for all of them. " To the light
of the above, there is an evident specific regulation that enables the grouping of
purposes that the AEPD is now questioning
As an additional matter, it is indicated by this Agency that the consent obtained
It is not in accordance with the regulations, considering that it is not explicit, but
obtained in the same way as a general consent, although there are no
clearly identified the reasons why it would not meet the criteria
issued. For these purposes, the inclusion of the analyzed consent is carried out in a
separate context to the acceptance of the procurement itself, so that either
It is collected in a box in those contexts in which there is documentary support
for this, or in an informative locution that is read and that must be
expressly ratified by the interested party to understand that it has been provided.
In this regard, in the absence of clarity in the regulations on the ways that will allow
determine that a consent deserves the consideration of explicit (understood
as a reinforced consent to the one already required by the RGPD), in the aforementioned
Guideline 5/2020 mentions several nuances that help in this clarification. From
it is extracted that, in addition to meeting the requirements defined in the
Article 7 GDPR, the validity of an explicit consent does not require the attention of
exact requirements, being able to be valid both in written documents, as well as in
telephone recordings.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 34
34/136
At this point, it is interesting to emphasize an essential question: although there is neither
legal precept or opinion from the control authorities that determine
clearly the requirements to consider that the consent obtained is
explicit, nor the differences that correspond to the “regular” consent, it is
attributed to EDP ENERGÍA, and to any other entities that act as
those responsible for the treatment, the task of defining at their own discretion in which situations
will understand that such requirement has been fulfilled.
Said casuistry cannot but cause serious legal uncertainty, which in the
assumption that concerns us is not solved, not even with the foundation that
It is stated in the writing of the Agreement to Start the sanctioning procedure, since in
At no time is it clearly stated which factor, element or action has not been
executed by EDP ENERGÍA, to determine that its conduct has resulted
unlawful and deserves a sanction of such magnitude. Accordingly, the
request to the client for an obvious action, such as the verbal indication that yes
consent or the marking of a box, the content of which clearly states the purposes
for which the data will be used, which is unrelated to any other
acceptance and that it is not subject to other purposes, should be considered as a
explicit consent in order to comply with the obligation imposed by the
data protection regulations.
In view of the aforementioned points, EDP ENERGÍA complies with all
of the legally required requirements, of what necessarily has to be concluded
that the Entity's work to collect the consent of the client, in such a way
explicit, they have been rigorously cared for. It is proof of this that, both in the
telephone channels, such as those in which they are conducted in writing, the
Obtaining consent is carried out in a way different from that of the
contracting, it is stated that it is additional to the same and it is understood collected,
only, in cases where the client ticks the box or clearly states
that yes it consents. From all this it is only possible to conclude that the collection process
consent has been made in light of the criteria required by the
applicable regulations, being therefore adjusted to Law.
Thus, the process of obtaining consents that EDP ENERGÍA comes
using is not something new for the AEPD, who has had the opportunity to analyze
the same prior to the beginning of this sanctioning file, in those
files (information requirements and / or sanctioning procedures)
opened due to a claim from a user. Within the framework of these, the
AEPD had full knowledge of the contracting process and the typology of
consents that were collected from the interested parties, having provided the
contracts by EDP ENERGÍA as evidence of compliance. Needless to say, the
The final result of both turned out to be that of their file (see the
claims with reference E / 00915/2019, which was not even admitted for processing, and the
file E / 02714/2019), without making additional assessments on the
compliance with the regulations, which leaves nothing more than to delve into the confusion that
has this part before the very serious accusations made against EDP ENERGÍA by
this Agency.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 35
35/136
Additionally, and without prejudice to the arguments presented, the
presumption made in the Agreement to Initiate Sanctioning Procedure, in which
the assessment of the infractions is carried out taking as a premise a double
attribution: (i) the first, derived from the absence of adequate information and, (ii) the
second, as a consequence of the execution of a non-consensual treatment. To these
effects, it should be noted that, even if it is considered that the information provided
the interested party is deficient, this fact cannot lead to the determination of a
infringement of article 6 RGPD, since the treatment that would be carried out takes
as a starting point the adequate legitimizing base. As it is, the definition
made by EDP ENERGÍA regarding the legal basis that would allow it to process the data
for the purposes that have already been mentioned, it would strictly adhere to legitimation
that corresponds. In other words, EDP ENERGÍA carries out the actions
necessary to obtain the corresponding consent of the interested party,
granting him the possibility of granting it or not, voluntarily, through the
marking of the box provided or express indication in cases where these are
collected by phone call. For all these reasons, a
conduct that could be legally reprehensible to EDP ENERGÍA, taking into account
that has rigorously subscribed the terms required by the standard, when proceeding to
request the interested party an action of express will, free, unequivocal and not
conditioned to another end. And for that reason it is not possible to impute to my client the commission of
any infringement of those typified in article 83.5.a) RGPD, in relation to your
Article 6.
THIRD. - ALLEGED BREACH IN RELATION TO THE
DATA PROCESSING RELATED TO AUTOMATED DECISIONS AND
PREPARATION OF CUSTOMER PROFILES.
Third, the Agreement for the Initiation of Sanctioning Procedure, establishes in its
Legal Basis IV a series of alleged breaches related to the
apparent lack of compliance by EDP ENERGÍA with the obligations
derived from the provisions of article 22 of the RGPD, regarding the consideration by
part of the AEPD of the existence of an impediment, the obstruction or the
repeated attention to the exercise of the rights established in articles 15 to 22
of Regulation (EU) 2016/679 in relation to automated decisions and the
elaboration of customer profiles, typified in article 83.5.b) RGPD and, qualified
as a very serious breach for the purposes of prescription in article 72.1.k) of the
LOPDGDD. Specifically, the AEPD maintains that:
1) EDP ENERGÍA does not grant users the possibility to exercise their right
relative to not being the subject of automated decisions, as well as not granting the user the
due information regarding this right,
2) The user is unaware of the possibility of refusing to adopt this type of
decisions.
In this way, the sanction proposed by the AEPD is based on the fact that the
information that is provided by EDP ENERGÍA to the owners of the data is
insufficient and imprecise, without prejudice to the fact that the AEPD acknowledges that EDP
ENERGÍA facilitates and makes available to users the documents with
information regarding compliance with data protection regulations, both in the
time of hiring, as in durable support at the end of the hiring.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 36
36/136
First, with respect to the information provided by EDP ENERGÍA in
relationship with the legitimizing basis (consent in the case at hand)
We must emphasize that the information that is provided to users regarding the
treatments that, being additional to the contracting itself, require the
User consent, is duly provided to users.
Specifically, in the so-called Evidence 6 presented by EDP ENERGÍA during the
substantiation of the informative file of which the present sanctioning file
brings cause, the following is reflected in the supply contract model
boxes: "You can read the information regarding the processing of your personal data at
the reverse. I consent to the processing of my personal data once the
☐
contractual relationship, to carry out commercial communications adapted to
my profile of products and services related to the supply and consumption of energy.
Likewise, I consent to the aforementioned treatments during the term and after the
termination of the contract, on non-energy products and services, both of the
EDP ​​Group companies and third parties. I consent to the processing of my data
☐
personal data for the elaboration of my commercial profile with information from
databases of third parties, for the adoption, by EDP, of decisions
automated in order to send personalized commercial proposals, as well
as to allow, or not, the contracting of certain services "In this case, and
expanding information regarding the treatment of user data in the
general conditions, we find the following information; "Whenever the client
you have explicitly accepted it, your personal data will be processed, even once
once the contractual relationship has ended and as long as there is no opposition to said
treatment, for: (I) The promotion of financial services, protection services of
payments, automotive or related and electronic, own or third parties, offered by EDP and / or
participation in promotional contests, as well as for the presentation of
commercial proposals related to the energy sector after the end of the contract,
(II) The preparation of commercial profiles of the Client by aggregating the
databases of third parties, in order to offer the Client products and services
personalized, thus improving the customer experience, (III) The adoption of
automated decisions, such as allowing the hiring, or not, of certain
products and / or services based on the Client's profile and particularly, on data
such as, the history of defaults, the history of hiring, permanence,
locations, consumption data, types of devices connected to the energy network, and
similar data that allow to know in greater detail the risks associated with the
hiring. (IV) Based on the results obtained from the aggregation of
the indicated data, EDP may make personalized offers, and specifically
aimed at achieving the contracting of products and / or services from EDP or third parties
entities depending on whether the client has consented to it or not, being in any case
processed data whose age will not exceed one year. In the event that said process is
carried out in an automated way, the client will always have the right to obtain
human intervention by EDP, admitting the challenge and where appropriate
assessment of the resulting decision.
From these fragments, it can only be concluded that (i) both for the elaboration of
profiles, such as for data processing adopting automated decisions EDP
ENERGÍA requests the explicit and specific consent of the user, without being able to
be interpreted that automated decision-making is treated on another basis
legitimizing, as well as that (ii) the information related to the elaboration of profiles and
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 37
37/136
automated decisions, complies with what is required by article 13 of the RGPD, since
that informs about the existence of automated decisions, including the elaboration of
profiles and provides meaningful information on the logic applied, as well as the
importance and expected consequences of said treatment for the interested party . For
all this and taking into account the first aspect raised by the AEPD regarding the
alleged breach committed by EDP ENERGÍA in relation to the information
provided to users to obtain specific consent, there is no
any interpretation regarding the lack of information and confusing treatment by
of EDP ENERGÍA, which includes the information corresponding to the treatments
specific, providing all the information required in the RGPD.
Second, in relation to the information provided to the owners of the data
Regarding the exercise of rights, it should be noted that EDP ENERGÍA informs
expressly to users in the information provided to them of their right
specific to "oppose" to "the adoption of automated decisions of your data
personal, requiring human intervention in the process, as well as to challenge
the decisions that are finally adopted by virtue of the processing of your data ”.
In this sense, the AEPD considers that EDP ENERGÍA fails to comply with its obligation to
inform the owners of the data by the mere fact that in the information
provided does not appear, expressly and literally, the right to "revoke the
consent ”, appearing in its place the verb that grants the right of the
holders of the data to "oppose" to "the adoption of automated decisions of their
personal data, requiring human intervention in the process, as well as
challenge the decisions that are finally adopted by virtue of the treatment of
your data". We are sure that the semantic and technical nuance associated with both
verbs "opposition" and "revocation", both the experts that the AEPD has,
as the ones that EDP ENERGÍA has, are able to differentiate them
with each other, and determine that they are two legal concepts, but it will also be
with us that Agency, that the average user (a concept widely used by
part of that Agency throughout the procedure at hand) is hardly going to
to be able to differentiate these concepts. In the present case, what is really
important is the effect that the user's request has in practice, which, in
definitively, it is the one that is relevant to the owner of the data, and that generates effects
positive or negative to their fundamental rights, this being what really
protects the RGPD, and not the use of one verb or another, even more so when they
they can be used synonymously.
In this case, the only thing that is intended to be used in the information provided to the
users the term "opposition" with respect to automated decisions, is to be able to
provide the user with a clear, concise and transparent understanding of the information that
is made available to you, and facilitating, in the event that the request of said interested party
conforms to the regulatory requirements, the exercise of the different
Rights. Thus, according to the definition contained in the Dictionary of the RAE, revoke
means "to leave without effect"; and oppose, “put something against something else to prevent its
effect ”, so except for those who have knowledge in the matter and
can appreciate the nuance that differentiates one and the other, the truth is that, for the purposes of
most of the population, both terms would be synonymous and would suppose, in the
practice, the same.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 38
38/136
Without prejudice to all the above, we must highlight, by the
relevance that this has in this allegation, the information contained in Clause 16
of the General Contracting Conditions, relative to data protection. On
said clause, in the section corresponding to "Rights of the owner of the data"
makes express reference to the possibility of revoking the consent that previously
have granted, thus, it is expressly indicated “(VII) Withdraw, at any time,
the consents granted ”.
It refers to its internal procedure, and states that therefore, not only the
Users are informed at all times of the possibility of revoking the
consents granted, but EDP ENERGÍA itself, as a procedure
internally and in order that those in charge of managing requests have the
necessary knowledge in relation to the different possibilities, reflect with
express nature of said right, regardless of the technical term used, since
that the main purpose is to inform and that the user knows the possibility of not being
subject to automated decisions. Thus, the internal procedure referenced
previously, it even includes response models to be able to attend with character
general, the various requests. All this, without prejudice to the fact that each of the
requests are treated in a particular way and in accordance with the specific circumstances of
affect the specific case, and it is necessary to adapt said model of
response depending on the specific casuistry of each request. It is provided as
Annex 3 the procedure related to the management and answering of the
Rights.
In view of the above, the AEPD attends to the lack of knowledge of the average user,
as an argument to consider the informative clauses as not very transparent,
This aspect, however, considers it to be substantially essential since it only relates
as a valid exercise the opposition of the interested party. Taking into account that the right
related to not being the subject of automated decisions is collected with
independent and express nature in the general contracting conditions,
requiring, where appropriate, the explicit and specific consent of the user, and
being the same duly informing in a specific way, as
is justified in the evidence provided, as well as the possibility of opposing
to be subject to automated decisions, it is surprising to say the least that the
AEPD considers that EDP ENERGÍA does not comply with article 22 RGPD for not
offer the client the possibility of literally "revoking consent", that is,
strictly formal and semantic aspect, that an average user without knowledge in
matter does not have the capacity to understand the difference with the word "opposition",
the Agency understanding that it is not valid to report the possibility of "opposing",
as a synonym, to said treatment, which is what EDP actually performs
ENERGY .
In line with the foregoing, it should be noted that EDP ENERGÍA, in no case has
denied the exercise of rights that have not been requested / drafted with
precise character, directing in case of doubt the request to the user, so that the same
can be resolved effectively, satisfactorily and without delay.
Likewise, as has already been stated in previous points, in relation to the
automated decisions, the client is offered the possibility of obtaining intervention
human rights, admitting challenge and, where appropriate, assessment of the resulting decision,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 39
39/136
reason why, in addition to informing about the possibility of not being the subject of
automated decisions, the client is empowered as an alternative to intervene
human. For all the above, it cannot be reasonably interpreted that the owner of the
the data may, even remotely, ignore the possibility or right to
that your data are not subject to automated decisions, nor that EDP ENERGÍA
put limitations, or do not make available to said interested parties the mechanisms
necessary to make the request, being able at any time to "oppose"
to said treatment, or rather, "revoke" the consent given for the
adoption of such decisions, as well as requesting human intervention, which otherwise
On the other hand, in the case of EDP ENERGÍA it always occurs, because although the consultation of
the information is automated, the final decision is made by an employee after
analyze the content of it.
It is provided as Annex 4, by way of example, exercises of right of opposition and of
revocation of consent that has been processed during the last year, to the
effects that the AEPD can know, first hand, what type of rights are
exercised by the holders, in what modality they are received, as well as specifically
how they are properly cared for by EDP ENERGÍA.
For the sake of completeness and in order to address the true scope of the offense, to
even though EDP ENERGÍA includes the possibility of profiling and adopting
automated decisions, the only profiling performed, is related to the qualification of
clients regarding fraud prevention, treatment for which there is
legal authorization and is based on the legitimate interest of EDP ENERGÍA, with
the purpose of safeguarding the success of the contracts made by EDP
ENERGY, as well as preventing customers, whose sole purpose is to consume the service
energy without paying the bills, become part of the client portfolio.
Notwithstanding the foregoing, the owners of the data are informed that said profiling is
reviewed and finally processed by EDP ENERGÍA staff, which is why no
can be considered as an automated decision in itself, taking into account in this
meaning to the literal wording of the concept established by the authorities. In other words,
nor is there any data processing based on automated decisions, nor is there
any manifestation about said treatments, since outside of the strictly
necessary to continue with the service and those provided by law, are not
carried out, which is why, not only can it not be considered that there are
non-compliance with article 22 of the RGPD, as the requirements are met
collected by the regulations, but there are not, nor can there be data owners who
may have been affected by said treatments, so we refer to the
broad jurisprudence previously enunciated in this section as it is fully
application to the case at hand.
This is enough so that there is no basis whatsoever in order to impute to my client
any infringement of those typified in article 83.5.b) RGPD in relation to your
cited Article 22, however, for dialectical purposes and in the unlikely event that
If the commission of said infringement could be considered proven, we state what
follows in relation to the amount of the sanction provided for said alleged infringement
in the Agreement to initiate the sanctioning procedure.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 40
40/136
Make a series of considerations on the evaluation criteria collected in the
RGPD, understanding that the aggravating factors considered in the initiation agreement by the
AEPD would not concur in this specific case, concluding that it has not been substantiated
severity, nor the criteria that allow setting such a high amount of
sanction to the present assumption.
FOURTH.- ALLEGED BREACH IN RELATION TO THE DUTY OF
TRANSPARENCY.
The AEPD, in its Agreement to Initiate Sanctioning Procedure, attributes to EDP
ENERGY the violation of Article 13 of the RGPD, assuming a breach of
duty of information that is proper to him as responsible for the treatment, typified in
article 83.5.b) and classified as mild for the purposes of prescription in article 74.a)
of the LOPDGDD. Specifically, it considers the existence of said infringement due to:
1) lack of information to interested parties about the possibility of accessing information
enforceable in article 13 of the RGPD.
2) the web address provided does not lead directly to the required information
in accordance with article 13 of the RGPD, without allowing immediate access to the
information, nor is access easy for anyone. EDP ​​ENERGÍA no
has no choice but to state, again, and as he has done and demonstrated in the
rest of the alleged breaches alleged by this Agency, which cannot
share the appraisals made by the AEPD, so below
identify the reasons why they understand that EDP ENERGÍA
fully complies with the requirements of the regulations for the protection of
data in terms of transparency in relation to the information provided to the
holders of personal data in the contracting processes.
Regarding the CAC inbound channel, on which it is stated that the information
provided is incomplete, it should be noted that in the case of incoming calls there is at the
the call starts, before the recording starts - and regardless of the
management that the person who calls the customer service department of the
entity-, a telephone announcement where information is provided, among other aspects, of the
rights that assist data subjects, as well as where to find information
additional, so that users receive this information whenever they call,
which not only means that this information is provided to them in the call in which they go
to carry out the contracting of the supply, but also when they are already customers and are going to
carry out any procedure (either a consultation, request a change of power,
make a payment, request a fractionation or file a claim).
In this sense, it should be noted that the RGPD itself expressly provides in its
point 13.4 that: “The provisions of paragraphs 1, 2 and 3 will not be applicable
when and to the extent that the interested party already has the information ”. Therefore,
customers receive all the required information in a first layer of information
verbal, which can be completed by accessing the EDP ENERGÍA website or by
direct in the call itself, depending on the management carried out.
Thus, this information is provided in layers, distinguishing on the one hand the layer
1. “This call can be recorded. The data you provide us will be processed by
EDP ​​Energía, SAU and / or EDP Comercializadora, SAU to manage your request
or query. You can exercise the rights of access, rectification, deletion, opposition,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 41
41/136
limitation and portability at any time. See the Privacy Policy at
our website edpenergia.es or press 0 "
And on the other, layer 2, which collects the information in a more detailed way, which is activated
automatically if the user dials 0, following the prompts
of the first layer: "The use of this TELEPHONE CHANNEL does not oblige the user to
provide any information about yourself. However, to use certain
services or access certain content, users must provide
previously some personal data. In the event that the user provides
personal information, we inform you that the data will be processed by
EDP ​​Energía, SAU and EDP Comercializadora, SAU, with registered office in Oviedo,
Plaza del Fresno 2, 33007 and NIF A33543547 and A95000295 respectively, in
hereinafter "EDP", as data controllers, as established by the
General Data Protection Regulation ((EU) 2016/679), hereinafter "RGPD", and
its implementing regulations.
Specifically, your data may be processed, when the user so requests, to
manage the attention and follow-up of requests and inquiries directed through the
website, as well as for conducting surveys and participating in sweepstakes,
games and promotions. The data requested will be mandatory and limited to
those necessary to proceed with the provision and / or management of the requested service, which
You will be conveniently informed at the time of collecting your data from
personal character. In case of not providing them or not providing them correctly, you will not be
may provide the service.
In these cases, the user guarantees that the personal data provided is
truthful and is responsible for communicating any changes to them.
In the case of the procedures processed through the TELEPHONE CHANNEL and the registration
In it, the data processing carried out is based on the relationship
legal derived from your request.
The processing of data for conducting surveys is based on legitimate interest
of EDP in order to improve the quality of the services provided to customers and / or
users, being able to oppose said treatments at any time, without
This affects the legality of the treatments carried out previously.
In no case may they be included in the forms contained in the CHANNEL
TELEFONICO personal data corresponding to third parties, except
that the applicant had previously obtained his consent in the
terms required by article 7 of the RGPD, responding exclusively to the
breach of this obligation and any other in terms of character data
personal.
The personal data of the users registered on the website may be transferred to
the Public Administrations that by law correspond, to other companies of the group
business for internal administrative purposes, and to the suppliers of the person responsible
of the treatment necessary for the adequate fulfillment of the obligations
contractual.
Personal data will be kept for the duration of your contract of
supply with EDP, in all other cases, during the time necessary to answer the
your requests or to analyze the content of your responses to surveys. A
Once the contractual relationship has ended, their requests answered or their
responses, as appropriate in each case, your personal data will be erased,
keeping the rest of the information anonymized solely for the purposes
statistics. Notwithstanding the foregoing, the data may be kept for the period
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 42
42/136
established to comply with the legal obligations of maintenance of the
information and, at most, during the statute of limitations for legal actions
corresponding data, and the data must be kept blocked during the aforementioned
statute of limitations. After this period, the data will be deleted.
In application of the provisions of article 32 of the RGPD, EDP undertakes to
comply with the security obligations of the data provided by users,
trying to establish all the technical means at its disposal to avoid the loss,
misuse, alteration, unauthorized access and theft of the data that the user provides to
through it, taking into account the state of technology, the nature of the data
facilitated and the risks to which they may be exposed. Without prejudice of the previous,
the user must be aware that the security measures in the CHANNEL
TELEPHONE are not impregnable.
EDP ​​will treat the user's data confidentially, at all times, keeping
the mandatory duty of secrecy regarding them, in accordance with the provisions of the
applicable regulations.
The user can exercise their rights of access, rectification, deletion, opposition,
limitation and portability, as well as the revocation of the consents granted
previously, in the legally established terms, communicating it in writing to
EDP, at the following address: LOPD Communication Channel, Plaza del Fresno, nº2,
33007 Oviedo. Likewise, you can exercise these rights by sending an email
email with your personal data to *** EMAIL . 2 . In both cases,
Attach a photocopy of the holder's DNI or document that proves their identity.
Likewise, you can contact the Data Protection Delegate of
EDP, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or by mail
electronic *** EMAIL.1 , in the event that you understand that any of your rights has been violated
related to data protection, or, where appropriate, file a claim
before the Spanish Agency for Data Protection at the address Calle de Jorge Juan,
6, 28001 Madrid "
Next, it is indicated by that Agency that “The provisions in
Article 11.1 of the LOPDGDD in the other two telephone channels (Telemarketing and
Leads), nor is the interested party informed that they can access all the information required
in accordance with article 13 RGPD at the indicated email address ”. However,
Such statement is made after reproducing the AEPD the texts in which the
clients of the identity of the person responsible for the treatment, the purposes of the treatment,
as well as the rights that they can exercise and the web where to obtain information
additional. Therefore, it does not seem that such a statement corresponds to the reality of the
facts, so we understand that the Agency will be pleased to modify and eliminate this
alleged breach in its resolution proposal writing.
The analysis continues, referring to the general conditions of
contracting to which the information is sent, indicating that those hosted on the web
they are not easily accessible. In this regard, it is interesting to specify that:
1) Article 11 of the LOPGDD refers to the fact that this information must be provided to the
interested party "indicating an electronic address or other means that allows access from
simply and immediately to the rest of the information ”and that, in this case, as stated
informs the interested party in the locution, after contracting a copy of the
contract in which, obviously, the general contracting conditions are included,
therefore, direct access to said information is provided. Complementarily,
this information is available on the web at all times.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 43
43/136
2) Faced with the alleged difficulty alluded to by the AEPD to find the aforementioned
general conditions contrasts the fact that, as exemplified, a simple
search to access them directly, using the search engine
available on the website. Searching for "contracting conditions"
or “general contracting conditions”, the first results are published
documents related to the general contracting conditions that are of
application both in Spanish, in Galician, in Catalan, and in Basque, leaving
clearly identified the documentation that refers directly to the document
in PDF format, as evidenced in the following address: *** URL.3 .
3) Regarding the fact that it is “required to search in the general conditions (which
include numerous aspects related to contracting) the information related to the
data protection ”, it must be made clear that the general conditions
are composed of four pages, of which practically one of them is
is exclusively dedicated to providing information on the treatment of
personal data made by EDP ENERGÍA, as we are sure that the
AEPD has been able to verify during the process of preparing its written statement
proposed sanction.
In relation to this alleged non-compliance, it is worth mentioning the guidelines
facilitated by the Article 29 Working Group, in which it recommends including the
access to information related to the processing of personal data through
of means in which the interested party can immediately recognize where and how
access this information, (direct links or in the form of an answer to a question
in natural language, in the frequently asked questions section, or pop-up windows).
However, it also states that "depending on the circumstances of the collection
and data processing, a data controller could be obliged to
use additionally. […] ”. Other possible ways of transmitting the information to the
Interested parties derived from the following environments other than personal data could
include the following modes, listed below, applicable to the
relevant environments. a) On paper, for example, when entering into contracts by means
postcards: written explanations, brochures, information in contractual documents,
cartoons, infographics, or flow charts; b) By phone: explanations
verbal words directly from one person to allow for conversation and
answer to questions, or automated or prerecorded information with the possibility of
hear more detailed additional information;
The Article 29 Working Group solely and exclusively provides this information to
recommendation mode, without in any case being considered a bad practice,
nor of course a regulatory breach the fact of making the publication to
through a simple method that, taking into account that the service requires the
conclusion of a contract, the essential method and format and therefore that prevails in this
This assumption is the same as indicated in the GT29's own guidelines, through the
medium in paper and telephone support. All this, without prejudice to keeping accessible
through the web for all those interested who decide to carry out and attend the
content in an intuitive and simple way and without prejudice to the obligation to deliver in
durable support all the contractual information both with the previous information, as
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 44
44/136
with the contract itself. In this sense, we can see that the possibility of
linking "immediately" is susceptible to being interpreted.
The AEPD itself on its website makes it the interested party who must "hit" or
"Find out" which of the treatments included in the registry of activities of the
entity are the ones that really affect their relationship with the AEPD, since the
purposes are included within the description of each of them and not in the
privacy policy accessed.
Regarding the identity of the person responsible for the treatment, the
information already provided after the request for additional information of June 3,
2020 in which EDP ENERGÍA was required, for this purpose, within the Requirement of
Information E / 05549/2019 in which it was explained that the fact that the
information from both entities is due to the fact that it cannot be known prior to
contracting the services that will be requested by the interested party (gas and / or
electricity) nor, therefore, by which of the companies they will be provided, so this
It can only be specified when said services are identified by the own
client. highly probable that the same client when requesting the hiring of the
electricity and gas supply, is contracting with both companies.
For this reason, the so-called “dual” contract of
way that a client can obtain discounts or additional advantages for the fact of
contract both energies with two companies of the same business group, and in order to
keep discounts on each energy (electricity and gas) up-to-date
and derived information, it is necessary for both companies to know if energy
initially contracted with the other Group company remains active in order to be able to
maintain and correctly manage the discounts / benefits applied.
Consequence of the foregoing, the clause on data protection informs
that the personal data provided during the hiring process may be
treated by only one of the entities or both entities, depending on the type of
energy services that are contracted. Therefore, there is no inconcretion, but
the explanation of who is the specific person responsible for the treatment in each case is
It literally contains the first section of the contract, which identifies the
parties, as stated in Evidence 6 provided in the response to the Request
of Information made to this company during the processing of the aforementioned
informative file of which the present sanctioning file brings cause: "The
customer contracts, for the supply indicated, the supply of gas with EDP
Comercializadora, SAU and the supply of electricity and / or services
complementary with EDP ENERGÍA, SAU, (hereinafter joint and / or
individually, as appropriate, referred to as “EDP”) in accordance with the Conditions
Specific that are collected below and the General Conditions in annex. "
Therefore, customers know which company will process their data depending on the
requested supply (electricity or gas), something we understand fits perfectly
clear and is derived from both the sales agents' explanations and the tenor
literal of the first clause of the contract. In case of being both services, the data
will be processed by both entities.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 45
45/136
To date, neither in the field of data protection, nor in relation to any of
the regulations applicable to the regulated electricity or gas sectors, or the
Regarding the defense of consumers, there has been no request for
additional information, claim, or complaint in this regard, nor by the own
consumers, nor by the multiple regulators that control and
supervise the activity of trading companies, so it seems obvious
that the information provided does not create problems for customers or other regulators
of the country, more than the AEPD itself.
Additionally, we reiterate two essential aspects in the sector's own operations
in which EDP ENERGÍA carries out its activity, the exposure of which was contemplated in the
information previously sent: 1) The existence of two companies within
of the Group with the role of trading entities is due to a question
merely formal, consequence of the corporate structure and shareholding composition
of the companies acquired by the EDP Group at the time of its establishment
in Spain, but that does not correspond to the operational functioning of said
trading companies, given that only one of them, EDP COMERCIALIZADORA, has
currently with employees and management and operational capacity. Thus, in
In practice, all treatments are carried out by said entity, either as a
responsible for the treatment or as person in charge of the treatment of EDP ENERGÍA.
2) The EDP Group had planned the corporate reorganization of EDP
COMMERCIALIZADORA and EDP ENERGÍA and the adaptation of their corporate structure
with that of its actual operation and its business operations. This reorganization is
has currently been affected by a TOTAL sale process in which both
societies are immersed, and that, if materialized, could alter or terminate said
integration.
For all of the above, it understands that transparency is perfectly justified in
in relation to how the information is provided, as well as the fact that it is
perfectly understandable to the average customer.
The AEPD continues its analysis referring to the purposes and legitimizing bases of the
treatment. First of all, reference is made to those reported treatments
whose legitimizing basis is the contract itself -existing contractual relationship- or the
legitimate interest of the company.
On this matter, it is stated that “It is not easy for anyone, without
knowledge of data protection matters, differentiate which treatments
derive from the contract and which are based on the legitimate interest of the person responsible ".
This assessment is debatable, since it may be evident to anyone
that treatments such as “manage, maintain, develop, complete and control the
contracting supply of electricity and / or gas and / or complementary services of and / or
gas and / or complementary services of revision and / or technical assistance and / or program of
points, and / or service improvement ”are closely related to the execution of the
contract, the rest being assignable to legitimate interest. In this regard, we can
contrast this information with that provided by the AEPD itself regarding its
treatments when these have diverse bases of legitimation, as is the case of the
called "HR Management", published on its website ( *** URL.4 ), in which information
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 46
46/136
it can be seen that various bases of legitimation are identified, without indicating what
specific purpose refers to each of them.
Therefore, although this part has nothing to object about the fact that the AEPD's criterion
may be a good practice regarding the level of transparency, it seems
to consider the fact of not having reached this level of management of the
information, cannot be considered a breach of the norm, especially if
we take into account that not even the body that issues the guidelines
transparency (and that he is now proposing a sanction of nothing more and nothing less
than one million euros for this reason), has considered such a distinction necessary in its
website, as has been duly evidenced.
With regard to the alleged omission by EDP ENERGÍA to report
"What is the legitimate interest attributed to the person in charge", it should be noted that the
They are clearly exposed and put in relation to the purposes that are
pursue, that is: fraud prevention and marketing, in relation to the sending of
personalized commercial communications. In these cases it is obvious that there is a
identification between the reported purpose and the self-interest pursued, so
making a separate allusion to the latter would be redundant.
Similarly, by way of illustration, it should be noted that the direct competitors of
EDP ​​ENERGÍA uses informational formulas similar to those implemented in my
represented, without, to date, any proceedings against them having been known
On the other hand, the high number of requests for rights received on the channels
willing to do so demonstrate that customers fully understand the content
information and the rights that assist them, and are perfectly clear what
is what they want to achieve with their request and EDP ENERGÍA, executes said
requests in all cases, always with a marked character of compliance with the
regulations and protection of the fundamental rights of users.
Regarding the need to report on the weighting carried out for
assess whether the legitimate interest is preponderant in this case, it is relevant to mean that
These two assumptions have been addressed by the legislator himself, who in the
Recital 47 of the RGPD expressly refers to the possibility of carrying out these
treatments based on the legitimate interest of the person responsible for the treatment.
Specifically, it provides that: "the processing of personal data
strictly necessary for the prevention of fraud is also an interest
legitimate of the person responsible for the treatment in question. Data processing
personal data for direct marketing purposes may be considered to be carried out by
legitimate interest ”.
The AEPD itself has also ruled on the latter in its report 195/2017
stating that “if the data came only from the information that
provided by the entity in relation to the products or services contracted by the
client, without it being completed with the one originating from other different sources,
certainly the conduct of the entity, consisting of conducting a profiling
for the referral of offers of products or services to their clients, it would be
less invasive of the rights and interests of the clients, being able in this case
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 47
47/136
consider the applicability of the provisions of article 6.1 f) of the Regulation
general of data protection ”.
Therefore, in both cases the weighting of legitimate interest has already been
carried out, both by the legislator, as well as by the Control Authority and, therefore, the
reason given by the GT29 to recommend its publication so that those affected
may file a claim with said authority when they “doubt whether the
weighting test has been carried out fairly ”would be meaningless in this regard.
case, having to raise said claim before the Court of Justice itself.
Justice of the European Union, in order to examine the legality of the provision
introduced in the RGPD, or where appropriate, before the control authority itself and / or
competent national courts. In any case, GT29 itself identifies this
possibility as a good practice and, as stated in the report itself, its
The objective is “to indicate the approach that, in the opinion of the WG29, those responsible for
treatment they must assume in terms of acting with transparency. It is not, for
Therefore, of a legal obligation whose defective fulfillment may entail
a sanction, as is already the case with many other issues that the AEPD is
trying to sanction in this procedure, lacking the slightest principles of
typification, guilt and proof, these facts that never cease to amaze us in what
which we understand is an action that should be subject to compliance
integrity and rigorous by the sanctioning Administration.
The AEPD continues its analysis stating that the treatments for which it is requested
consent, assessing that it is not easy for a person to understand
no specialized knowledge. However, it offers no explanation for
reach that conclusion (beyond a vague reference to the fourth point).
Against the criteria of the AEPD, we understand that the information is given in a
simple language, understandable for anyone. The information contained in
This second layer must be related to the requested consents.
The first consent says: “I consent to the processing of my personal data once
once the contractual relationship has ended, to carry out communications
commercial adapted to my profile of products and services related to the supply and
energy consumption. Likewise, I consent to the aforementioned treatments during the
validity and after the end of the contract, on non-energy products and services,
both from EDP Group companies and from third parties. "
In the second layer, this information is expanded indicating which are the sectors to be
those belonging to third parties on whom communications can be sent "(I) The
promotion of financial services, payment protection services, automotive or
related and electronic, own or third parties, offered by EDP and / or participation in
promotional contests, as well as for the presentation of commercial proposals
linked to the energy sector after the end of the contract. "
As can be seen, not a single technical term is used to make it difficult to
understanding of these texts, and the conditions of consent are fully
clear.
The second consent requested says: "I consent to the processing of my data
personal data for the elaboration of my commercial profile with information from
databases of third parties, for the adoption, by EDP, of decisions
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 48
48/136
automated in order to send personalized commercial proposals, as well
as to allow, or not, the contracting of certain services. "
The second layer details the content of this consent, indicating: (II) the
possibility of processing personal data of third parties to be added to your profile (III) the
contractual information used by EDP ENERGÍA in the preparation of the profile (IV)
the detail of the purposes of the aggregation of this information.
Finally, the rights of the interested parties are informed in the case of
that automated decision-making occurs in these processes. Therefore, the
EDP ​​ENERGÍA's clear objective is to allow interested parties to have a knowledge
detailed description of the uses for which consent is requested in the absence of will or
any fraud to hide the information. Likewise, the AEPD points out that there is a
lack of clarity in the information provided regarding the aggregation of
information from third parties, as it is not distinguished if it refers to the purpose related to the point
(II) (the possibility of processing personal data of third parties to be added to your
profile) or (III) (the contractual information used by EDP ENERGÍA in the
profiling). In this regard, it seems obvious that the word aggregation is
sufficiently concise, and refers to the sum of both information. The word
Adding is in common use on a day-to-day basis and, according to the RAE, means: “unite or
join some people or things to others ”. In this case, it is clearly inferred from the context
that it would be a question of combining the data that EDP ENERGÍA already has, with which it could
obtain from third parties.
Beyond this, it is unknown what is the specific information whose understanding
It can be complex, as no clarification is provided on this matter. EDP
ENERGÍA has always tried to use clear and understandable language and
there are no technicalities that can complicate the reading of the text, something that seems to
now the AEPD, considers a negative action that penalizes the good faith of EDP
ENERGY in relation to compliance with regulations.
Finally, the AEPD refers to the information regarding the exercise of rights,
with respect to which, as in the previous cases, it does not seem to be sufficient either
for the AEPD the information provided in this regard. Thus, under the heading "Rights
of the data owner ”EDP ENERGÍA informs that:“ The client will count on all
moment with the possibility of exercising freely and completely free of charge the
following rights: i) Access your personal data that are processed by
EDP. ii) Rectify your personal data that is processed by EDP that
are inaccurate or incomplete. iii) Delete your personal data that are processed
by EDP. iv) Limit the treatment by EDP of all or part of your data
personal. v) Oppose certain treatments and decision-making
automated data processing, requiring human intervention in the
process, as well as to challenge the decisions that are finally adopted by virtue of
of the processing of your data. vi) Port your personal data in a format
interoperable and self-sufficient. vii) Withdraw at any time, the consents
previously granted.
In accordance with current regulations, the user can exercise their rights
requesting it in writing, and together with a copy of a reliable accreditation document
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 49
49/136
identity, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or at
the email *** EMAIL . 2 .
Likewise, you can contact the data protection officer of
EDP, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or by mail
electronic *** EMAIL.1 , in the event that you understand that any of your rights has been violated
related to data protection, or, where appropriate, file a claim
before the Spanish Agency for Data Protection at the address Calle de Jorge Juan,
6, 28001 Madrid. "
The AEPD considers insufficient the mention made by EDP ENERGÍA regarding the
possibility of opposing "certain treatments" without specifying one by one what
treatments we are referring to, insofar as the AEPD states that
"It must be clear to the interested party which are the treatments that can be
object of opposition ”.
This party does not share this assessment, since this supposed obligation that the
AEPD highlights and seems to impose EDP ENERGÍA is not required by the RGPD, nor
has no legal support, which, as that Agency knows well, is a condition
"Sine qua non" to be able to sanction-
Moreover, and for the sake of completeness, this part would like to highlight again
that the formula used by EDP ENERGÍA is precisely the one recommended by the
own AEPD in its multiple guides and tools related to the duty of information
in accordance with the RGPD, and even on the AEPD's own website, something that, again, not
ceases to surprise this party, since that Agency considers a violation of the
RGPD, proposing for said infringement a penalty of one million euros, for a
alleged non-compliance in relation to a certain practice that she herself
recommended to perform. Along these lines, it should be noted
1) The Guide for the fulfillment of the duty to inform, in which the
following example
2) 2) The FACILITA Tool, of the AEPD, intended for entities to carry out
the adequacy in accordance with the RGPD, including the informative clauses
in accordance with applicable regulations (fictitious data have been included):
3) Report on privacy policies on the internet. Adaptation to the RGPD, where
the AEPD itself exposes as a valid example to adapt the policy of
privacy to the GDPR.
4) Privacy policy of the AEPD, does not collect the alleged information
which is now required of EDP ENERGÍA, and includes formulas such as “when
proceed "
Consequently, EDP ENERGÍA cannot be criticized for not including a
information that is not even indicated as good practice in the guides
prepared for the adequate fulfillment of their obligations by the
responsible for the treatment, and that neither the AEPD itself complies with its
Privacy and other information clauses used on its website.
Nor does it seem to make sense to refer to “It is imprecise to point out that the
interested party can oppose the automated decision-making of their data
personal ”. It is obvious that the information provided using the word "oppose" is
understood as a right both when the treatment is legitimized in an interest
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 50
50/136
legitimate as in a consent (in any case the possibility of
object at any time to the consents granted). The proof is that
When exercising their rights, the interested parties rarely use any of these
terms and are limited to requesting the "unsubscribe" or directly request that they stop using their
data for certain purposes, without using formalities as has been
evidenced in this procedure through the contribution of innumerable examples.
Additionally, this party is interested in showing once again that the AEPD
has had the opportunity to analyze both the general contracting conditions,
such as the information provided in the different contracting processes of which
EDP ​​ENERGÍA has available during the different information requirements and in its
case sanctioning procedures that the AEPD has initiated so far, without
that until now, the AEPD has ruled on possible breaches
of the duty of transparency, having proceeded to file multiple files
in which this documentation was subject to review by the AEPD.
Therefore, having made this information known to the AEPD and
having been analyzed by the latter, without having spoken out against the
itself, EDP ENERGÍA continued to use these documents and procedures
in the legitimate confidence that it was adjusted to the regulatory requirements, in the
extent to which the AEPD, having access to and first-hand knowledge of these
alleged breaches, did not indicate at any time to EDP ENERGÍA that
there was any irregularity, now proposing a penalty of one million euros
for an alleged breach, of which he would have known years ago, but
that it no longer considered not to sanction but not even to warn EDP ENERGÍA. In this
In this sense, it should be noted that the purpose of this supervisory authority is none other than
guarantee compliance with regulations, so in the absence of justification
legal that motivates the opening of Sanctioning Procedure on some aspects
that were previously known and even subject to a file, cannot have
subsequently the imposition of a sanction of the amount that is exposed.
As a conclusion of all the above, it cannot be interpreted that EDP ENERGÍA
It fails to comply with its duties contained in article 13 of the RGPD.
Makes a series of comments on the evaluation criteria related by the
AEPD in the agreement to initiate the sanctioning procedure, considering that no
concur in the present case.
FIFTH.- ON THE AGREEMENT TO START THE SANCTIONING FILE AND THE
ASSESSMENT OF THE POSSIBLE PENALTY. LEGAL BASIS AND
PROPORTIONALITY OF THIS.
A. BREACH OF THE PRINCIPLE OF INTERDICTION OF ARBITRARITY.
In relation to this principle we must attend to two specific questions:
1) The recommendations and publications of the AEPD,
2) The amounts of the sanctions that have taken place in previous cases
Similar.
First of all, certain practices recommended and even applied by the AEPD
relating to the collection of consent and the information to be provided to
interested parties, have served in this case to argue and motivate the alleged
offenses committed by EDP ENERGÍA.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 51
51/136
These criteria are reflected both in the way of jointly compiling the
purposes whose legitimating basis is the consent of the user, as stated
in the Second Allegation, as well as in the presentation of the information related to the
exercise of rights of the interested parties included in the Fourth Allegation. These
aspects, which a priori the AEPD recommends and puts into practice, considering them
examples that are adapted to the applicable regulations, are used as elements
offenders to justify the alleged breach of different legal precepts by
EDP ​​ENERGY.
All this and said in strict defense terms, not only implies that the AEPD
considers insufficient what the Authority itself has incorporated into its clauses
informative, thus resulting in insufficient information in accordance with the RGPD,
rather, the fact of modifying the adopted criterion invalidating aspects without
motivation, or any justification, implies a clear situation of legal uncertainty,
contrary to the constitutional principle of prohibition of arbitrariness contained in the
article 9.3 of the Spanish Constitution; principle that implies that the authorities do not
can make arbitrary decisions, understanding by such, those that suppose a
infringement of the principle of equal treatment of the administered before the application of
the law and the objectively determined rules.
Second, the amounts of the previous sanctions in cases of fact
Similar are not comparable to the proposals in this case.
Specifically, we must bring up the Penalty Procedure
PS / 00097/2019, in which, after having analyzed the contracting system and the
information provided to each of the intervening parties, both the representative,
as the represented, the file of the file is dictated, thus validating all the
documents that accompanied the procedure, that is, the related documentation
to the hiring process.
Likewise, it should be noted that, last March 2019, EDP ENERGÍA, also
received file of actions of the request for information E / 04707/2018,
initiated after complaint filed by Mr. BBB . In this case, the AEPD resolves
that it is not appropriate to process the claim received, considering, therefore, the
contracting procedure and documentation provided, in accordance with Law.
As in the first section of this point, the proposed sanctions, carried out
Without motivation, or due justification, they go against legal certainty, a principle
constitutional established in article 9.3 of the Spanish Constitution, as well as against
the principle of legal foundation. In other words, any decision made by
the AEPD must be objective, well-founded and typified.
In this sense, it is worth mentioning the Judgment of the Supreme Court of the 3rd Chamber
of the Contentious-administrative, Section 3, Judgment of May 13. 2015, Rec.
28/2013, in which the interested party, appeals in cassation, stating among others
allegations the infringement of the principles of interdiction of arbitrariness, security
legal and equality established in articles 9.3 and 14 CE, pursuant to article
88.1.d) LJCA and the Court uphold said motivation. Of this resolution, it is worth highlighting
the next:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 52
52/136
“C) The constitutional requirement of the reasons for the judgments, included in the
Article 120.3, in relation to 24.1, of the Constitution, appears justified, without further ado
to emphasize the ends to whose achievement it tends, which, above all, aspires to
patent the submission of the Judge or Court to the rule of Law and contributes to achieving the
conviction of the parties in the process about justice and the correctness of a decision
judicial, facilitating the control of the sentence by the Superior Courts, and operates
as a guarantee or preventive element against arbitrariness.
d) The breadth of the reasons for the judgments has been qualified by the doctrine of the
Constitutional Court, indicating that it does not authorize to demand judicial reasoning
exhaustive and detailed of all the aspects and perspectives that the parties
may have of the question to be decided, but must be considered sufficiently
motivated those judicial decisions that are supported by reasons that
make it possible to know what the essential legal foundational criteria have been
of the decision, that is, the "ratio decidendi" that it has determined (judgments of the
Constitutional Court 14 / 1991,28 / 1994,145 / 1995 and 32/1996, among many others). A) Yes
It has been recognized by the Constitutional Court itself when it refers to the fact that it is not
an exhaustive or exhaustive examination of the arguments of the parties is necessary, and
when it even allows argumentation by references to reports or other
resolutions. The Judgment of the Constitutional Court nº 122/94 of April 25, affirms
that this right to motivation is satisfied when the judicial decision in a manner
explicit or implicit contains reasons or elements of judgment that allow knowing the
criteria on which the decision is based "."
As a result of the foregoing, it should be noted that the AEPD identifies as an example of a sanction, the
Penalty procedure with file number PS / 0025/2019, since
supposes a procedure of EDP COMERCIALIZADORA, SAU that is in
contentious and therefore does not become firm. Therefore, it cannot be considered a
file that affects the diligence operated by EDP ENERGÍA, nor can it be
considered as an antecedent, since this sanction is not yet final.
Likewise, with respect to the rest of the files brought up in the Agreement
of Initiation of Sanctioning Procedure, PS / 00101/2018, PS / 00363/2018 or
PS / 00109/2019. In Ref .: PS / 00236/2020 EDP ENERGÍA Penalty Procedure
54 as for the first file, the same despite having been paid for soon
payment, in no case EDP ENERGÍA accepted the facts and the infringement that had
been charged, having debated the interpretation of the AEPD throughout the entire
Penalty Procedure, which is why such payment could not be interpreted as
break-in. In the case of file PS / 00363/2018, as in the previous one, in
Each of EDP ENERGÍA's responses defends both the legitimacy of the
treatment, such as the contracting procedure, a procedure that the AEPD does not
had described at no time as not very transparent, insufficient and imprecise,
characteristics considered by the AEPD that are given in this procedure
taking into account that the same information has been used in each of the
files
B. LACK OF PROPORTIONALITY.
At this point, it should be remembered that the principle of proportionality is a principle
General of Law. Reason why, the AEPD must take this principle into account
both when determining the evaluation criteria, and when determining the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 53
53/136
applicable sanction, a principle that, as can be seen from the procedure, from the beginning
of the investigation and said in the strictest sense of defense, it has not been
applied by the AEPD in the Agreement to Start the Penalty Procedure.
In short, analyzing each of the alleged infractions that are attributed to me
represented, it is only possible to interpret that there is an absolute disproportionality in
the interpretation made by the AEPD in this Agreement for the Beginning of
Penalty Procedure, not only because it lacks motivation when it comes to
consider the alleged offense to have been committed, but because of the fact that the sanctions
Proposals escape any criteria previously assessed by the company itself.
AEPD.
And therefore, at least the correction by the AEPD corresponds, in case of
not consider the due cancellation and archiving of the proceedings, assuming therefore
a substantial reduction of each potential infraction to its minimum degree, reaching
even upon warning, due to the absence of any non-compliance, lack of motivation and
disproportionality.
C. DUPLICITY OF SANCTIONS AND COMPLIANCE WITH THE "NE BIS IN PRINCIPLE
IDEM"
An aspect is derived from the Agreement to Initiate Sanctioning Procedure that has
been pointed out at various points in the present allegations thereto, and
whose relevance cannot be ignored. Thus, the infractions that are indicated are
reiterations of the same facts, whose estimation would cause a notorious
duplicity in the sanctions imposed, either because they address circumstances
previously examined by the AEPD or because it estimates the concurrence
multiple infringements on the same fact.
In the first place, this Agency has pointed out the concurrence of a
infringement derived from the provisions of article 25 RGPD by estimating that they have not been
carried out the appropriate actions, referring to the adequacy of the
procedures that are implemented for contracting by third parties. Without prejudice to
the arguments that have been expressed in the corresponding First allegation, to
to which we refer for brevity, it is relevant to note that the appreciation of the
commission of infringement derives from events that, prior to it,
have been previously analyzed by the AEPD. This has meant that, considering the
concurrent casuistry in the same, this was sanctioned in a procedure that,
the date, is appealed.
From the foregoing, it should necessarily follow that the imposition of the
infringement causes the production of new facts that motivate the imposition of
the proposed sanctions. Well, neither is this the casuistry that concerns us,
there have been no new claims or circumstances that have led to the AEPD
to this Agreement for the Initiation of Sanctioning Procedure. Certainly the
imposition of the sanction that is proposed would suppose that, before a fact that has been
evaluated and resolved or punished by the corresponding authority, be it again
examined from the same perspective or, on the contrary, that, in the absence of
materialization of said risk, said sanction would be imposed based on conducts
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 54
54/136
that could potentially lead to non-compliance, but whose production is, to
the date, nonexistent.
Secondly, the AEPD makes use of different normative precepts to
sanction the same act, by simultaneously constituting the commission of three
infractions, although each of them is based on non-compliance with the
duty of information regulated in article 13 of the RGPD
In this sense, as has already been advanced in the previous allegations, although the
Agreement to Initiate Sanctioning Procedure part of the applicability of three
differentiated offenses, corresponding to articles 6, 13 and 22 of the RGPD,
all of them are based on deficient information and ignorance of the
user of the object of the consent request. Thus, the argumentation that embodies
to substantiate your consideration regarding obtaining consent
insufficient, it is indicated that:
"It is considered that the consent thus given is not adjusted to the provisions of
the RGPD and the LOPDGDD. A consent with information is requested
deficient, inasmuch as it does not indicate which third-party databases will be consulted or what
type of data will be collected, so that the interested party is completely unaware
which is what you are consenting to. Nor is it determined who will be responsible
treatment, a generic reference is made to EDP, without the client having
contracted a service only with one of the two entities (EDP
COMERCIALIZADORA SAU or EDP ENERGÍA, SAU) know if you are consenting
that such treatments are carried out by both entities or only the one of which
is a customer. Nor is it clear what type of services will be allowed to contract or not.
Such deficiencies do not allow the interested party to know the consequences of their
decision and thus assess the convenience of giving consent or not. " (Page 46
of the Agreement to Initiate Sanctioning Procedure).
Similarly, regarding the alleged violation of article 22 RGPD, relating to the
commission of automated decisions, the AEPD in its own written Agreement of
Initiation of Sanctioning Procedure, after collecting the aspects related to the
treatment of data in which there are automated decisions, collects the following:
“From all this it can be concluded that the consent given for such purposes does not
is in accordance with the provisions of article 4.7 of the RGPD as long as it is not
duly informed in general, the requirements are not met
specific information established in article 13.2 for decisions
automated and is not specific. The absence of such requirements determines that
the same is not valid so that the treatments based on it lack
legitimation, thus contravening the provisions of articles 6 and 22 of the RGPD. "
(Page 47 of the Agreement to Initiate Penalty Procedure).
In light of the foregoing, each insufficiency mentioned, derives cumulatively, to the
potential breach of article 13 of the RGPD, regarding the duty of information.
For these purposes, the presentation made by
that Agency of two infractions derived from the absence of legitimation basis
sufficient as it is not informed consent and, simultaneously, another infraction
due to the lack of transparency in the information provided. About it, well
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 55
55/136
It is known by the AEPD that our jurisprudence has reiterated in many
occasions as a fundamental principle of Law, that the same fact cannot be
sanctioned twice. The application of this principle non bis in idem supposes
a manifest impossibility of imposing two or more administrative sanctions, for a
same fact, whenever a factual identity occurs, it is attributed to a
same subject and are imposed on the basis of a common foundation in what is
refers to the protected legal asset.
Therefore, there is no doubt that, if the AEPD's assessment is applicable
of the commission of an infringement by EDP of the facts presented regarding
to the articles indicated, it will require the necessary concurrence of applicable laws. On
In this sense, it is essential to bring up the provisions of article 29.5 of the
LRJSP, which states that:
"When the commission of an offense necessarily results in the commission of another or
others, only the sanction corresponding to the most infringement must be imposed.
serious committed. "
Without prejudice to the scarce jurisprudence derived from said precept, as a result of its
previous regulation (Royal Decree 1398/1993, of August 4, approving the
Rules of Procedure for the Penalty Power), our Courts
have preached that, for the assessment of the aforementioned contest, the regulations
“(…) Requires, for the application of the medial contest, a necessary derivation of some
infractions with respect to the others and vice versa ”(Judgment of the Supreme Court of 8
February 1999).
In application of this precept, there are favorable judgments of the Chamber of
contentious-administrative law of the National Court that, in analysis of the matter
it concerns us, explained that:
"Accordingly, this Chamber considers that in the present case there is a
direct connection between the violation of article 6 (treatment of character data
without the consent of the affected party) and the violation of articles 4.3
(treatment of inaccurate data), both of the LOPD. Connection highlighted
due to the fact that the treatment of the complainant's data without his consent,
is carried out only in communication by letter (of the information
about the movements of the TPV of Cortefiel) to his old address, which is what gives
place to the complaint presented by him, and that by not correcting it (precisely because
said incorrect treatment did not have any economic or accounting reflection in said
Bank), is maintained in the different communications by letter made. That is, such
and as indicated by the plaintiff in the lawsuit, it turns out that the treatment that has
consisted, exclusively, of improperly including some data of the affected party in a
report of operations that do not refer to it, can only be produced without mediating its
consent, so that the non-consensual treatment of data of article 6.1 LOPD
It necessarily derives from the improper or erroneous treatment thereof (Art 4.3).
Therefore, the aforementioned article 4.4 of the Regulation for the
exercise of the sanctioning power, therefore, since both offenses are the same
gravity, it is necessary to impose a single sanction 60,101.21 Euros, which is considered
be in this case the one corresponding to the infringement of the principle of treatment not
consented, in which the infringement of the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 56
56/136
data quality principle, both of article 44.3.d) LOPD. " (Judgment of 19
November 2009, rec 338/2009)
In light of this, even though the precepts of the
regulations that preceded the RGPD and would cover a differentiated scenario, there is no doubt
that the National Court appreciated the appropriateness of estimating the concurrence of
offenses based on a medial contest among the offenses contemplated
in the data protection regulations, when necessarily the commission of a
requires the production of the other. In this regard, said Hearing states that,
if there is a single action from which two offenses could be derived, it can only be
be taken into account the most serious. In the same way as in the aforementioned case,
in which the improper obtaining of a data necessarily caused a treatment of
inaccurate data, in the case that concerns us, the consideration by this AEPD of
an illegitimate obtaining for not complying with the principles defined by the RGPD for
determine that consent is informed and unequivocal, it must be subsumed
in the assessment pertinent to the duty to inform, not allowing in any way the double
assessment indicated in the penalty proposal.
Therefore, as stated by the AEPD in this procedure, there is no room,
apply different regulatory precepts (articles 6, 22 and 13 of the RGPD) in a way
independent, to sanction on a potential infraction directly related
with the fulfillment of the duty of information, having in any case eliminated the
sanctions proposed in the Penalty Procedure Agreement.
D. LACK OF RELEVANT EVIDENCE FOR IMPUTATION OF THE INFRINGEMENT
AND CORRESPONDING IMPOSITION OF THE PENALTY.
It is necessary to bring up the inquisitive principle or of dominant officiality in the
administrative procedure, which implies that the administrative authority is the
obliged to proceed to the verification of the alleged facts through the ex practice
office of the pertinent tests, thus dominating the principle of material truth. A) Yes
Therefore, in the administrative procedure it is an essential requirement that all
affirmations made are subjected to confrontation with the facts, falling
on the competent authority the accreditation of the same, in order to guarantee the
legal certainty required for the sole purpose of complying with the purposes of the
Public Administration .
Likewise, it is pertinent to point out the provisions of article 53 of Law 39/2015 of 1
October, of the Common Administrative Procedure of Public Administrations,
regarding the presumption of innocence and the non-existence of responsibility while
not to be proven otherwise.
For more abundance, reference should be made to the Judgment of the Court
Constitutional 76/1990, of April 26, 1990, Rec / 695/1985 that delimits the scope
and respect for the presumption of innocence in the sanctioning procedure and that indicates
the next:
“Indeed, it cannot raise any doubt that the presumption of innocence governs without
exceptions in the sanctioning system and must be respected in the imposition
of any sanctions, be they criminal, administrative in general or tax
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 57
57/136
in particular, since the exercise of ius puniendi in its various manifestations is
conditioned by art. 24.2 CE to test set and procedure
contradictory in which they can defend their own positions. In this sense, the
The right to the presumption of innocence entails: that the sanction is based on acts or
means of probative or incriminating charges of the contested conduct; that the load
of the evidence corresponds to the accuser, without anyone being obliged to prove their
own innocence; and that any insufficiency in the test result,
practiced, freely valued by the sanctioning body, should be translated into a
acquittal.
Likewise, we cannot affirm that the evidentiary activity carried out by the
Administration can be considered of charge, and, in the event that this body
so consider it, (STS of December 18, 2000- RJ 2000/92) it has been
fully disproved by means of the statements made by this party, thus
as well as through the documents attached to this lawsuit.
Similarly, the jurisprudential line followed by
Constitutional Court in its judgment of February 20, 1989, in relation to the
principles and guarantees of criminal judicial procedure applicable to the procedure
administrative sanctioning and, which indicates "Our doctrine and criminal jurisprudence have
been arguing that, although both may consider as manifestations of
a generic favor rei, there is a substantial difference between the right to presumption
of innocence, which develops its effectiveness when there is an absolute lack of evidence
or when those practiced do not meet the procedural guarantees and the principle
jurisprudential in dubio pro reo that belongs to the moment of the valuation or
evidentiary appreciation, and that has to judge when, that activity concurs
indispensable evidence, there is a rational doubt about the real concurrence of
objective and subjective elements that make up the criminal type in question "
Regarding these criteria, the Spanish Agency has ruled, agreeing on the
file of proceedings (E / 04684/2017) and stating the following literally:
“(…) For this reason, it is necessary to review in relation to the principle of presumption of
innocence that, to the Administrative Penalty Law, due to its specialty, are
application, with some qualification, but without exceptions, the inspiring principles of the
criminal order, being clear the full virtuality of this principle of presumption of
innocence. In this sense, the Constitutional Court, in Sentence 76/1990, considers
that the right to the presumption of innocence implies “that the sanction is based on
acts or means of proof of charge or incriminating the reproached conduct; what
The burden of proof rests with the accuser, without anyone being obliged to prove
his own innocence; and that any shortcomings in the test result
practiced, freely valued by the sanctioning body, should be translated into a
acquittal ”. In accordance with this approach, it is necessary to
account that they can only be sanctioned for acts constituting an infringement
administrative the natural and legal persons who are responsible for the
themselves by way of fraud or fault ”(…) Ultimately, the application of the principle of
presumption of innocence prevents the imputation of an administrative offense when
has obtained and verified the existence of a proof of charge accrediting the
facts that motivate this accusation. (…)
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 58
58/136
Finally, review the Judgment of May 25, 2001, issued on appeal
administrative litigation by this National Court, to number 29/2000,
pronounce on the imposition of a sanction based on a presumption
carried out by the Agency, and rules that “(…) the Chamber, as we went on to
reason, from the assessment of the evidence in the administrative file, it reaches
the conclusion that this integrating fact of the
type, that is, it is not proven that the Bank delivered to Mr. ... the respective extract,
This concrete fact provokes serious doubts, in the face of the required certainty ”. Y
concludes by stating that without denying that the events could have occurred as indicated in the
the complainant, neither can the possibility that the extract was not
given to the husband by the Bank, but that he obtained it by taking advantage of some
visit to the home or through the action of a relative, said in terms of
pure hypothesis ”.
In this same sense, the Superior Court of Justice of Madrid ruled in
Judgment of 02/21/2001, in which it states that “The only evidence of the prosecution, of which the
APD infers the responsibility of the appellant, it is the fact that it was the ex-husband
of Dña ... who will provide the lawyer with said extract that was contributed to the incident
modification of measures, and it must be agreed with the appellant that the possession of the
Extract, in the opinion of this Chamber, is insufficient circumstantial evidence to destroy its
presumption of innocence since, certainly, said extract could reach the possession of
D ... through channels other than direct delivery by the bank, for
what not being proven any of these hypotheses, this reasonable doubt
about the way in which the ex-husband obtained the bank account statement
The complainant must always operate for the benefit of the sanctioned, proceeding, in
Consequently, uphold his claim to annul the sanction imposed for lack of
sufficient proof of the appellant's participation in the delivery of the bank statement
to a person other than the account holder ”.
In short, appreciating the various criteria that the body has taken into account
competent in data protection when carrying out the file of
actions in those cases in which it is considered that there is a lack of evidence
and in which the jurisprudential lines outlined have been followed, this part
considers that the legal guarantees that any procedure should not have been protected
respect.
E. LACK OF LEGAL FOUNDATION
As we have stated throughout this writing, the alleged infractions
committed by my client, have not taken place, so it has not materialized,
nor is there any possibility that EDP ENERGÍA has infringed the aforementioned
articles following what is alleged by the AEPD in the Agreement to Start the Procedure
Sanctioner.
It should be noted that any sanctioning procedure and, where appropriate, the sanction
resulting, must be motivated, grounded, and even more decisive, must comply
with the due principle of legality, typicity. As a result of this aspect, it is brought up
the Sentence of the Superior Court of Justice of Catalonia, number 870/2019,
Rec: 454/2016, from which we extract the following:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 59
59/136
"The due effectiveness of the principle of typicity in administrative sanctioning matters
whose requirement certainly derives from our administrative order
sanctioner, also in tax matters, as a manifestation of the guarantees
formal and material that are contained in the constitutional principle of legality
sanctioning ex article 25.1 of the Constitution, and which previously included article 129 of
the already repealed Law 30/1992, of November 26, on the legal regime of
public administrations and the common administrative procedure, applicable to
this case additionally for temporary reasons (and today Article 27 of the Law
40/2015), as well as in this specific tax order, article 178 of the Law
58/2003, General Tax, taking into account the implicit content of the aforementioned precept
constitutional (Article 25.1 of the Constitution), despite its remarkable laconism
(Constitutional Court ruling number 34/1996, of March 11), in which
has highlighted the so-called material guarantee of the principle of legality (among others, and
Since the ruling of the Constitutional Court 42/1987, of April 7, the
Judgments of the Constitutional Court 3, 11, 12, 100 and 101/1988, of June 8, 161,
200 and 219/1989, of December 21, 61/1990, of March 29, 207/1990, of December 17,
December, 120 and 212/1996, 133/1999, of July 14, 142/1999, of July 22, and 60 and
276/2000, of November 16), which is identified with the traditional principle of
typicity of the offenses and administrative sanctions and that requires a determination
previous and certain regulations of the specific conduct or conducts that by action or
omission is deemed to constitute a fault or an administrative offense, with
prohibition of any analogue or extensive interpretation in malam partem
(Constitutional Court ruling 125/2001, of June 4, citing the
Judgments of the Constitutional Court 81/1995, of June 5, 34/1996, of
March, 64/2001, of March 17, and 113/2002, of May 9), being likewise
jurisprudential doctrine already well consolidated which teaches that in the exercise of its
sanctioning administrative power the acting sanctioning administration does not
responds, properly, to the exercise of an administrative power of essence or of
discretionary trend but predominantly regulated for the application to each case
concrete sanctioning regulatory framework pre-established with a general character in the
applicable sanctioning legal system, which implies, from the outset, the
requirement of the necessary adequacy and rigor in the qualification of the facts
accused and in their punctual incardination and adequate subsumption in the offending type
legally defined for its correction, in such a way that the opposite, certainly,
it would be a determining factor of violation of the subjective fundamental right before
pointed out and all recognized by the current constitutional text ex article 25.1 of the
Constitution (rulings of the Constitutional Court 77/1983, of October 3, and
3/1988, of January 21), which, because it is susceptible to constitutional protection, would
incur in an eventual administrative sanctioning action that violates the same in
the defect of nullity of full right previously provided for by article 62.1. a) of the
Repeated Law 30/1992, applicable to the case for temporary reasons (today Article 47.1. a)
of Law 39/2015) "
For more abundance, article 89 of Law 39/2015, of October 1, on the
Common Administrative Procedure of Public Administrations, which includes the
following: 1. The investigating body will resolve the completion of the procedure, with
file of the proceedings, without the need to formulate the proposal for
resolution, when the procedural instruction shows that
any of the following circumstances concur:
a) The non-existence of the facts that could constitute the offense.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 60
60/136
b) When the facts are not proven.
c) When the proven facts do not manifestly constitute an infringement
administrative.
d) When there is no or it has not been possible to identify the person or persons
responsible or appear exempt from liability.
e) When it is concluded, at any time, that the infringement has prescribed.
In the present case, both a), b) and c) concur, which is why, no
Therefore, it would be possible to continue with the sanctioning procedure initiated, having to
resolve, where appropriate, the file of the proceedings, a request that we present to the
AEPD on a repeated basis, since as evidenced in the present
writing, nor have the offending acts been committed, nor are the
alleged infringing conduct, nor the interpretation and sanctions proposed by the
AEPD are motivated.
THIRTEENTH: Received the allegations made by EDP ENERGÍA, SAU
to the agreement to initiate the referral procedure, noted that in the document
attached to them called "annexes 1, 2 and 4" it is stated that "given the
technical limitations of the electronic office for the presentation of the content of the
Annexes 1, 2 and 4, these are presented by means of a link to a folder ”, indicating
a link to a website and a password, in writing, dated October 3,
2020, a period of 5 business days is granted to present the documentation that
It appears in said document in the Registry of this Agency through the Headquarters
Electronic, for the purposes of registering the documentation
presented, its origin and its integrity.
On October 8, 2020, the
following documents:
Appendix 1:
- Annex 1.a) Risk analysis methodology and implementation of DPIAs
- Annex 1.b) RAT contracting EDPE
- Annex 1.c) RAT risk assessment- EDPE contracting
- Annex 1.e) Impact Assessments -Risk Assessments
- Annex 1.f) Impact evaluations - Reports
Appendix 2 :
- EDP Methodology_Privacy by Design by Default
- Operational Instruction Privacy by Design & Privacy by Default
- PbD form
- Flowchart Procedure Privacy By Design and Privacy by Default
-
Regarding these documents:
- A risk analysis methodology is provided, whose history of
versions dates version 1.0 on 11/24/2017, indicating in the notes of
revision which is an "initial version-working document" and version 1.1 is
dated 05/11/2108 indicating the revision notes “revision prior to the
application of the RGPD ”. There is no evidence that any review has been carried out
later. Various annexes are provided, the date of which does not appear, specifically
These annexes are the following: 1.b) RAT contracting EDPE
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 61
61/136
- Annex 1.c) RAT risk assessment- EDPE contracting
- Annex 1.e) Impact Assessments -Risk Assessments
- Annex 1.f) Impact evaluations - Reports
The document contained in annex 1.b RAT, contracting EDPE, whose date does not
It consists, includes a treatment purpose not included in the Activity Register
of treatment sent to this Agency on June 17, 2020. Specifically
said treatment that is now included has the following content:
Responsible: EDP Energía SAU
Purpose of the treatment: "Carrying out Scoring of customers of the B2C segment prior
to hiring ”,
Description: “Scoring of customers in the B2C segment prior to the
contracting according to the internal pending debt and information from
solvency (ASNEF). "
Category of data holders: "Clients and potential clients."
Category of personal data processed: "Identifying data and economic data."
Legal basis for carrying out the treatment: "Satisfaction of legitimate interests."
Period of conservation of personal data: “5 years from the end of the
contractual relationship. The certain, past due and enforceable debt derived from the execution of the
contract will be maintained until its cancellation or the limitation period of the actions
pertinent legal recovery. "
Data transfers (data recipients, other than those in charge of the treatment):
“ASNEF is jointly responsible for the treatment, according to the signed agreement
with ASNEF. "
Categories in charge of treatment: The box has no content.
International data transfer: No
Annex 1.c) under the name “RAT Risk Assessment- EDPE Contracting”, whose
date is also not reflected in the document, it contains a risk analysis, in the form
of matrix, the same as that presented on June 17, 2020, although they have added
two columns under the title “treatment requires PIA”, the two titled “Nº of
EDP-W29 criteria ”, the first indicates a number that seems to correspond to
its title and the second indicates the need to carry out an evaluation of
impact. In said matrix there is also a new treatment whose purpose is the
"Scoring clients in the B2C segment prior to hiring."
Various documents entitled impact evaluations are provided, whose date
Nor is it recorded, these impact evaluations are the following:
-Risk assessment of B2C client scoring prior to hiring,
in which, among other threats, the following are indicated:
- “the basis that legitimizes the treatment is not adequate, is illegal or has not been formulated
adequately ”, whose probability is set as high, with an impact rated as
very high and resulting in inherent risk High. Regarding the controls implemented
Faced with this threat, it is stated that “the legal basis of the treatment is to satisfy a
legitimate interest (fraud prevention) ”.
- “At the time of data collection, the minimum information is not provided
provided to the person or no information is provided. " In this case
it is considered that neither the probability nor the impact “does not apply, nor is there a risk
inherent, the controls being the “Data Protection clause included in the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 62
62/136
contract signed with the client with all the information required by the RGPD ”and the
"Information provided to the client prior to carrying out the scoring process"
-Evaluation of channel leads to be converted by telemarketing.
-Evaluation of risks Telemarketing upselling and dropouts.
-CAC channel risk assessment to clients or potential clients (inbound).
-Evaluation Channel OOCC clients and potential clients.
-Risk evaluation of third-party stores for sale to potential customers.
-Evaluation of External Sales Forces through Stands at Fairs and Centers
Commercial.
In all these impact evaluations, threats are considered among others
many, those related to the fact that “the basis that legitimizes the treatment is not adequate, it is
illegal or has not been properly formulated ”and“ at the time of collection of the
data is not provided the minimum information provided to the person or is not
provides no information "In both cases the probability is valued as high,
the impact as very high and the inherent risk high. Controls are mentioned
adopted, referring to the legitimizing basis of the treatment in the first of the cases
and to the "Data Protection clause included in the contract signed with the client
with all the information required by the RGPD ”in the second. They are described among the
checks in progress for both threats on all channels except channel
OOCC, “the implementation of a new contracting procedure through
representative, incorporating the sending of an SMS / Email message through which the
provides the basic information necessary in terms of data protection to the owner of the
contract."
The date on which the actions in progress were incorporated into the
corresponding impact evaluations.
FOURTEENTH: On 03/11/2021, a resolution proposal was issued in the
following sense:
FIRST: That the Director of the Spanish Agency for Data Protection
sanction the entity EDP ENERGÍA, SAU, for a violation of article 25 of the
RGPD, typified in article 83.4.a) and classified as serious for the purposes of
prescription in article 73.d) of the LOPDGDD, with a fine in the amount of
500,000 euros (five hundred thousand euros).
SECOND: That the Director of the Spanish Agency for Data Protection
sanction the entity EDP ENERGÍA, SAU, for a violation of article 13 RGPD,
typified in article 83.5.b) and classified as mild for prescription purposes in the
Article 74.a) of the LOPDGDD, with a fine of 1,000,000 euros (one
million euros).
THIRD: That, due to lack of evidence, in application of the principle of presumption of
innocence, it is declared not attributable to EDP ENERGÍA, SAU, the violation of the
established in articles 6 and 22 of the RGPD.
FIFTEENTH : EDP ENERGÍA, SAU has been notified of the aforementioned proposal
resolution, said entity submitted on 03/15/2021 a document in which it was
it requested an extension of the term to formulate allegations. Granted the extension of
term, on 04/08/2021, a written statement of allegations was received at this Agency, in the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 63
63/136
that it is requested that the file of the sanctioning procedure be agreed or,
alternatively, the substantial reduction of each proposed sanction to its amount
minimum or its substitution even, by the warning, in its case. Bases its
petitions in the considerations summarized below:
ACQUISITION OF THE COMPANY SUBJECT TO THE SANCTIONING RECORD
On a preliminary basis and for clarification purposes, EDP ENERGÍA informs
of this Agency that on December 1, 2020, Total Gaz Electricité Holdings
France (“Grupo Total”) acquired 100% of the shares of EDP ENERGÍA. What
As a result of the foregoing, the migration of the website has been carried out
*** URL.1 to a new transitory domain (www.edpresidencialbytotal.es) and they have
modified email accounts that were previously under the
domain @ edpenergia.es.
FIRST.- ALLEGED BREACH OF ARTICLE 25 OF THE RGPD:
(i)
The contracting process through a representative is in accordance with the
normative:
The arguments presented in the allegations to the proposal of
resolution, relating to the freedom of form of the mandate contract in accordance with
provided for in the civil code, in particular it insists that “In this case, it does not seem
that such a wide freedom of form is compatible with obtaining evidence of
the existence of the representation or mandate, beyond the manifestations of the
agent, protected by good contractual faith. Likewise, there is little
understandable that a separate consent is required for the treatment of
your data or a confirmation of the order by the principal, since this
would imply denaturing the representation, inasmuch as it would be absurd that who is
designated for the conclusion of a contract in favor of a third party cannot facilitate
the data of the person on whose behalf it acts, or that confirmation is necessary
separated from it to authorize said communication, since the need to
Addressing the represented person directly would make the representative's intervention useless,
since it would be meaningless. (the underline is from the entity that formulates
the allegations)
Likewise, and in relation to the possibility that the represented party may provide
additional consents to the hiring itself, it should be noted that this
possibility may well have been authorized by the represented in a way
specific, but as the same freedom of form governs for the granting of this
power (which the norm does not oblige in any case to provide in writing), nor is it
its reliable accreditation is required at the time of hiring ”.
Certainly, article 1725 of the Civil Code provides that the third party may request the
agent that gives him knowledge of his powers to determine if the contracting
is within their perimeter or if you are assuming the risk that the
The principal does not subsequently ratify the actions of the agent. But this regulation is
translates into a burden for the agent, not for the third party, since the interests
that is to be safeguarded are those of the latter, and not those of the president nor
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 64
64/136
of the principal. Therefore, for the third party it is optional to ask the agent to
give knowledge of the powers with which it claims to act.
In the vision that the AEPD manages in the Resolution Proposal, this obligation
would be aimed, however, not to protect the interest of the third party in terms of
object of the contract made by the agent, but to preserve the interest of the
principal regarding the legitimacy of the agent to express the will of the
principal regarding the processing of their personal data by the third party.
However, this consequence cannot be extracted from the regulation of the Civil Code.
in terms of the mandate contract, in which - as we have just seen - the interest to
protect with the exhibition of powers of the agent is strictly that of the third party, and
not that of the principal, which, in the Civil Code scheme, is safeguarded at
through the power of ratification, the granting of which or not always remains in the hands
of the principal.
Thus, the risks referred to in the Proposal for Resolution (“can be
generate various risks, being able to be mentioned, as an example, the one consisting of
a processing of data of the represented without legitimation, the risk of impersonation of
identity or economic or other damages that may be caused to the
interested party ”) are not such: in the event that the agent has exceeded the
exercise of the mandate, the principal will not be bound by that action, except
his subsequent ratification, from which no harm may actually be suffered unless
that accepts - expressly or tacitly - what has been done by the agent a posteriori
From here on, and as optional power of the third party that contracts with the
agent, if and how the third party exercises that power depends on his will and the
circumstances of the hiring. In this sense, the fact that in hiring in
the channel of EDP ENERGÍA's own commercial offices requires the representative to
accreditation of their status as such, does not prove anything at all, unlike what
that says the Motion for a Resolution. Given that EDP ENERGÍA, as a third party that
contracts with the authorized person, has the power to carry out this verification or not, the
who does it on some occasions and not on others, or who does not do it the same in all
hiring channels, it is not a source of any obligation - which is not imposed or
by law or by contract - but a simple manifestation of the exercise of a permit.
At the doctrinal and jurisprudential level, the exercise of rights of the
personality through voluntary representation, particularly when it comes to
articulate the ad hoc authorization for specific acts of interference. That possibility is
must be understood as reinforced when the mandate to exercise a right of the
personality is linked to the empowerment to enter into a contract, of which said
Exercise is a conditioning or complementary element. Thus, the agent o
representative of an artist mandated to celebrate on behalf of his client
a lease for services to perform in a concert hall or
record a disc, it is commonly mandated to authorize the organizer of the
show or record company for the use of the artist's voice and image.
Similarly, those authorized to contract with EDP ENERGÍA on behalf of another
person, appear in the first place as subjects mandated for the concertation of the
supply contract, and concomitantly, because it is a factor
inherent in the hiring itself, they are also inherent to authorize employment and
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 65
65/136
treatment of the personal data of its clients. In this sense, it turns out
It should be noted that there is no doubt that the processing of data from the
represented that is necessary for the execution of the contract of which the represented
becomes a party, it should be considered a fully lawful treatment in light of the
Article 6.1.b) of the RGPD.
But in addition, as long as it is possible to establish that the president has standing to
take all relevant decisions within the framework of the recruitment process for the
that has been empowered, the consent that said agent provides on the
data processing of the represented party and that EDP ENERGÍA collects for one or more
specific purposes within the framework of the contracting process, allows to consider
The processing of the data thus obtained is equally lawful, ex article 6.1.a) of the RGPD
or any other basis of legitimacy. And it is that, who hires on behalf of another - a
Perhaps it is assumed that he acts in such condition - he must be able to provide the same
Consents regarding personal data that the interested party himself if he were
who will enter into the contract, and this whether the contract is concluded on-site in a
business office as if held by telephone.
It must be concluded, contrary to what the AEPD indicates in the Proposal for Resolution,
what:
(i)
EDP ​​ENERGÍA is not obliged to carry out with authorized third parties
that contract through the telephone channel or external sales forces
any verification of the existence and scope of its mandate, nor to
fortiori, this verification must be analogous to the one that eventually
carry out with those who contract through their own commercial offices;
(ii)
(ii) in the power to contract the service through an authorized third party
resides the power to give the consents inherent to the process of
contracting, including those related to the processing of personal data;
(iii)
and (iii) the legality of the treatment by EDP cannot be questioned
ENERGY of the personal data of those who contract with it through
from an authorized third party, either through its own commercial offices or by
through the telephone channel or through external sales forces, by the
simple fact of having contracted through an authorized third party, in
so much so that the legal basis for the processing of personal data of a
person acting through representation should be the same as
when acting on his own behalf.
(ii) EDP ENERGÍA has correctly assessed the real risks and implemented the
appropriate mitigating measures.
It reiterates that the risk assessments provided in this procedure are
in accordance with the data protection regulations and the AEPD guides, in force in the
timing of the analysis, and identify the actual risks applicable to the
different hiring processes.
The AEPD, in its Resolution Proposal, refers to hypothetical or theoretical risks
that he cites, in addition, merely as an example and of those that does not offer greater detail or
Explanation.
As explained in the previous point and in the Allegations to the Initiation Agreement,
These risks are non-existent or lack a sufficient entity for their
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 66
66/136
consideration. Thus, it can be affirmed against the list contained in the Proposal for
Resolution - not exhaustive since the list of the AEPD is a mere title
example -, among others: (i) that there is no risk of identity theft in
so much so that there is representation and mandate, (ii) that there is no economic damage to
those interested in that the cost is assumed by EDP ENERGÍA in any case; or (iii) that
there is no risk of a lack of legitimation basis as EDP ENERGÍA can
assume, in accordance with the aforementioned civil legislation and in accordance with the framework
legal applicable to these contracts, the existence of authorization to the agent
for the processing of data and (iv) that, in case of excess, the interests of the
principal are safeguarded by their right to ratify or not what has been acted upon by the
agent outside the limits of the mandate.
For this reason, EDP ENERGÍA has correctly assessed its own real risks
of the different contracting channels in accordance with a sound legal analysis
-and doctrinally and jurisprudentially supported- of the figure of the mandate in the
Spanish legal system and has implemented the appropriate mitigating measures
in relation to such risks. The risk analysis carried out is therefore consistent
and it was carried out in accordance with the legal institute of the civil mandate and its jurisprudence.
To the extent that the consistency of the analysis carried out has been established, the
AEPD must assess the analysis in accordance with these consolidated civil criteria or, if
on the contrary, the AEPD considers that a different legal criterion should be adopted and
contrary to that of civil regulations and its established jurisprudence, it must substantiate
in some way its legal basis in order to allow EDP ENERGÍA to understand it
and defense. In any case, the interpretation of the mandate by EDP ENERGÍA
in accordance with the regulations, jurisprudence and civil doctrine -including that relating to
personality rights - must be interpreted in good faith and excludes any
guilt on your part.
(iii) Hiring through a representative constitutes a very high proportion
minority of all contracts made by EDP ENERGÍA
It is essential to point out that contracting through a representative constitutes
a minority part of the total contracts carried out by EDP ENERGÍA. On
Specifically, of the total contracts that EDP ENERGÍA made in 2019, less than
16% corresponds to hiring through representatives of which in
less than 1.7% the representative and the represented would not have a relationship of
relationship.
Therefore, when the AEPD states that EDP's contracting procedure
ENERGÍA violates the principle of data protection by design, it does so
erroneously, in strict defense terms, as if the procedure
contracting in its entirety will violate said principle. Furthermore, when it comes to
quantify the sanction, the AEPD refers to EDP's global billing volume
ENERGY to quantify it, when it should exclusively take into account, and in its
case, the billing data (volume) generated by the eventual breach
alleged - relating exclusively to hiring by representation.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 67
67/136
It is striking that the volume of business taken in
consideration by this Agency is the year 2018, when it should consider the
business volume for the year 2019, as this is the “previous financial year”. From
In fact, for other issues, the Agency does take into account the 2019 data (for example
for the number of clients, which is also reflected on page 35 of the Proposal) and,
However, for the issue of turnover, consider 2018, clearly detrimental
of my represented, since the 2018 figure is more than double that of 2019
(in 2018 the turnover was 1,236,124,000 euros, while in 2019 it was
only 589,929,000 euros).
It should also be taken into account that, in any case, the AEPD could have invoked the
article 83.2.k) of the RGPD and article 76.2. (c) of the LOPDGDD (“the benefits
obtained as a consequence of the commission of the offense ”) to graduate the sanction
proposal. Therefore, in the hypothetical and eventual case that it is considered infringed
Article 25 of the RGPD, the maximum business volume obtained by EDP ENERGÍA
to take into account should be approximately 7,650,0002 euros, which is the amount
obtained “as a consequence of the [eventual] infringement”, that is, in the contracting
by representation, and not in the global hiring. In this sense, the volume of
Annual business hiring through a representative would represent 0.11%
(approximately) of the total annual business volume of the entire client portfolio
of EDP ENERGÍA.
Likewise, as the AEPD is well aware, of the aforementioned eight (8) claims,
there is only one sanctioning precedent for this entity, and must take into account
Consideration that the AEPD includes in its writing a procedure that has not yet
been resolved in a firm way (PS / 00109/2019), to the extent that it is
being the subject of the corresponding contentious-administrative appeal before the Chamber of
the contentious-administrative of the PS / 00236/2020 Brief of allegations to the
Proposal for Resolution 12/37 National High Court. It should also be mentioned that
even more so when, as has been repeatedly exposed to the AEPD by EDP
ENERGÍA, in the aforementioned case there was an evident use of good faith
contract of this entity, who assumed the cost of some services that had been
enjoyed by the client, who after months of using and paying for them, claimed that no
he had hired them.
That the AEPD's proposed sanction of five hundred thousand (500,000) euros has been
made in the Proposal for Resolution erroneously by attending to a factor not
provided for in the regulations (the volume of business and the status of large company) and by
take into account the volume of recruitment and the global profits of EDP
ENERGY -which include both direct contracting (majority) and contracting by
representation (minority) -, which has nothing to do with “the benefits obtained as
consequence of the commission of the offense ”to which the
article 83.2.k) of the RGPD and article 76.2. (c) of the LOPDGDD. Therefore, in a way
subsidiary and in the hypothetical case that the AEPD questions the validity of the mandate
civil law for the contracting procedures and declare the offense committed, the
quantification of the eventual sanction should be significantly corrected to have
take into account the real volume of business generated by contracting by representation
exclusively.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 68
68/136
In an administrative procedure of a sanctioning nature, counting how it did
the AEPD with objective and sufficient quantifying criteria in relation to the volume
(marginal) that the representation supposes, it is especially relevant the fulfillment
of the principles of proportionality of the sanction and legality and should, therefore,
have taken into account: (i) That the part that corresponds to the procedures of
representation hiring is a small and very limited part of the
EDP ​​ENERGÍA's global contracting procedure, and, therefore, it must be taken into account
account of the low magnitude of the contracting of the use of this type of
hiring at EDP ENERGÍA, being a minority hiring type. What's more,
as stated in the information provided in this procedure, there are
only eight (8) claims before the Agency during the years 2018-2019
(with respect to a total of 105,606 contracts made through
representative), which reflects the low relevance and materialization of the risks
attributed by the AEPD to the contracting process implemented by EDP ENERGÍA
Failure to comply with the principle of proportionality of the sanction proposed by the
Proposal for a Resolution -based on erroneous premises-, being as it is a principle
constitutional and basic law in criminal law and administrative sanctioning law,
generates a defenselessness to EDP ENERGÍA that must be corrected. The huge
difference between the 1,236,124,000 euros taken as a reference by this Agency, or
589,929,000 euros, which is the figure that the Agency should have taken into account
(for being the business volume of the year 2019), and the 7,650,000 euros of volume of
approximate business obtained by EDP ENERGÍA in 2019 as a consequence
hiring by representation should have a significant impact -reducing-
of an eventual sanction with respect to that contained in the Proposal.
Lastly, and without prejudice to the foregoing, despite the fact that EDP ENERGÍA does not consider
that their action deserves any legal reproach, in response to the suggestions
expressed by the AEPD, EDP ENERGÍA informs the AEPD that it has proceeded to
reinforce the recruitment process through an online representative with the
protocol that was already provided to the AEPD on July 16, 2020. This protocol,
that was submitted to the AEPD on a voluntary basis and before the beginning of this
sanctioning procedure, was aimed precisely at collaborating with this
Agency to reach an agreed procedure in matters of representation and that
satisfy the proposals that the AEPD may have. In the Arguments to the Agreement
of Start, EDP ENERGÍA also responded to the doubts raised by the AEPD in
regarding its content and implementation and confirmed that it is a procedure
with double verification by SMS and in compliance with the best standards of the
market. For these purposes, the AEPD must take into account:
(i) that EDP ENERGÍA proactively contacted in July 2020, without success, with the
AEPD to present a new protocol that proposed changes in the procedure
hiring by representation. Far from being considered, as does the
Proposal for a Resolution, negatively and against EDP ENERGÍA, that
proactivity as a sign of acknowledgment of guilt - the arguments of legality have already
previously stated-, the cooperation proposal with the AEPD should
be valued as a sign of good faith and of EDP ENERGÍA's firm commitment to the
compliance with data protection regulations and the improvement of its processes as well
as a mitigating circumstance in the graduation of the sanction (article 83.2.f) of the
GDPR);
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 69
69/136
(ii) that despite not obtaining a response other than the opening of this proceeding,
EDP ​​ENERGÍA, in light of the AEPD's comments on the Initiation Agreement and the
Proposed Resolution, has eliminated from its contracting procedure for
representation the possibility of requesting consents for marketing purposes
and commercials to which the AEPD refers on pages 107, 108 and 109 of the
Proposal. Attached as Documents No. 1 and No. 2 example of contract and script of
locution for the telephone channel that evidence this elimination. As in
EDP ​​ENERGÍA has adopted measures to adjust its procedure to the proposals
of the AEPD, this circumstance, in accordance with article 83.2.c) of the RGPD, must also
be considered as an extenuating circumstance for the graduation of an eventual
sanction, and
(iii) that EDP ENERGÍA confirms to the AEPD that the new protocol -with the content
communicated in July 2020- it is already implemented for all
hiring, since last January. It is attached again to this writing as
Document No. 3, the contract protocol for the aforementioned representative.
In document number 1 under the title durable support, a company acting as
Trusted third party certifies that the data included in the document are those that
They are recorded in your electronic communications and processes record. Such data is the
sending an e-mail with an associated URL, in relation to a contract,
informing the recipient that a person has made the contracting on their behalf
related to your energy supply / services. It is provided as a document
I enclose the contract, in which there are no references to consents for the
sending commercial communications or for the realization of profiling, and the
general contracting conditions.
Document 2 has the following content
Registration (representative) ML - Spanish
"[XXX] we are going to record your agreement. It is [hh: mm] on [dd] of [mm] of
[20XX]. [name and surname] with DNI [DNI number], such as
[husband / wife / child / attorney-in-fact / representative] and on behalf of the owner [name and
surname / company name] with DNI / CIF [DNI / CIF number] telephone [telephone] and mail
email [email] accepts EDP Residencial's offer for the address [address of
supply] consisting of [plan conditions -dto en la luz-] for [CUPS LUZ:
ES…] on the current EDP Residential price of electricity [price of power
(€ / kW month) and energy term price (€ / kWh)] and / or [plan conditions - gas discount]
for [GAS CUPS: ES…] and current EDP Residential gas price [term price
availability (€ / month) and energy term price (€ / kWh)]; and / or Works [annual price
of the service, conditions of the promotion plan works].
[If the collection date is not chosen] The chosen payment method is [direct debit
bank account in your current account / in the account ...] and will be charged on the indicated date
on the invoice.
[If the collection date is chosen] The chosen payment method is [direct debit
in your current account / in the account ...] and will be charged on a specific date, the
days [DD] of the month. In that case, the payment period may be less than or greater than the
20 days established in the regulations ".
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 70
70/136
On behalf of the client and after passing an analysis of the risk of the operation,
We will take the necessary steps to activate the access contracts, at the moment
from which the new contract will come into force.
The contract / s is / are not permanent and will have a duration of one year,
Extendable for the same period unless it is reported in advance of 15 days. This
in accordance with the above information and conditions of the contract / s? [Yes / Ok].
Thank you.
In a few days, your client will receive the contract (including document of
withdrawal) in duplicate, of which you will only have to return us signed one of the
copies in the self-postage envelope, you do not need a stamp, which we will attach to you.
Your client has 14 calendar days to exercise their right to
withdrawal. However, if you request it, we can start the procedures now.
In that case, if you subsequently withdraw from the contract, you must pay the amount
corresponding to the supply period provided. Do you want your recruitment to be
processed immediately? [OTHERWISE]
With the entry into force of the contract, your client will receive the invoice from EDP
Residential with all our advantages.
Your personal data and that of your client may be processed by EDP
Residential for the management of their contracts, fraud prevention, realization of
profiles based on customer information and EDP Residencial, sending of
personalized communications about related products or services, as well as
participate in sweepstakes, promotions and quality surveys, being able to oppose in
any moment.
[Read only legal persons calling on behalf of a business] In addition,
so that we can advise you with the best proposals: • Can you allow us to present you
to your client offers related to energy after the end of the contract,
or send you information on non-energy products and services, typical of companies
Collaborators? [YES / NO] • Can you allow us to complete the commercial profile of your
represented with information provided by third parties, to send you proposals
personalized? [OTHERWISE]
Shortly, the Distributor's technicians will contact you [remember
who must deliver the Individual Gas Installation Certificate, when they go to
register]. [Altas Gas] For your safety, we remind you of the legal obligation to
collaborate with your Distribution Company, facilitating access to its facilities.
This request has been registered with the code [we indicate the code] "
THIRD.- ALLEGED BREACH OF ARTICLE 13 OF THE RGPD
(i)
Regarding the information provided in the CAC Inbound Channel.
It indicates that it provides the information regarding the processing of personal data to
through a multi-layered system. Thus he reiterates that in all calls
incoming messages, a voiceover is automatically reproduced that informs of the following
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 71
71/136
“This call can be recorded. The data you provide us will be processed by
EDP ​​Energía, SAU and / or EDP Comercializadora, SAU to manage your request
or query. You can exercise the rights of access, rectification, deletion, opposition,
limitation and portability at any time. See the Privacy Policy at
our website edpenergia.es or press 0 "
It indicates that the address provided to users has been updated in the locution,
currently indicating edp-residencialbytotal.es/privacidad, so that, if the user
type that address in the browser, access -directly and easily- to the
information related to data protection.
The interested party can consult the second layer through the privacy policy of
the web page or by pressing 0. In this case, a voiceover is reproduced whose content is
the next:
"The use of this TELEPHONE CHANNEL does not oblige the user to provide any information
about himself. However, to use certain services or access certain
content, users must previously provide some personal data.
In the event that the user provides personal information, we inform you that the
data will be PS / 00037/2020 Brief of allegations to Resolution Proposal 15/37
treated by EDP Energía, SAU and EDP Comercializadora, SAU, with registered office at
Oviedo, Plaza del Fresno 2, 33007 and NIF A33543547 and A95000295 respectively, in
hereinafter "EDP", as data controllers, as established by the Regulation
General Data Protection ((EU) 2016/679), hereinafter "RGPD", and its regulations on
growth.
Specifically, your data may be processed, when the user so requests, to manage the
attention and follow-up of requests and inquiries directed through the website, as well as
for conducting surveys and participating in raffles, games and promotions.
The data requested will be mandatory and limited to those necessary to proceed with
the provision and / or management of the requested service, which will be conveniently informed in
the time of collection of your personal data. In case of not providing them or not
provide them correctly, the service will not be provided.
In these cases, the user guarantees that the personal data provided is true and is
is responsible for communicating any changes to them.
In the case of the procedures processed through the TELEPHONE CHANNEL and the registration in the
itself, the data processing carried out is based on the legal relationship derived from
your request.
The processing of data for conducting surveys is based on the legitimate interest of EDP
in order to improve the quality of the services provided to customers and / or users, being able to
oppose said treatments at any time, without affecting the legality of the
treatments carried out previously.
In no case may they be included in the forms contained in the TELEPHONE CHANNEL
personal data corresponding to third parties, unless the applicant
had previously obtained your consent in the terms required by article
7 of the RGPD, responding exclusively to the breach of this obligation and
any other regarding personal data.
The personal data of the users registered on the website may be transferred to the
Public Administrations that by law correspond, to other companies of the business group
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 72
72/136
for internal administrative purposes, and to the providers of the data controller
necessary for the proper fulfillment of contractual obligations.
Personal data will be kept for the duration of your supply contract with
EDP, in all other cases, during the time necessary to answer your requests or to
analyze the content of your responses to surveys. Once the relationship is over
contractual, answered their requests or analyzed their responses, as appropriate in
each case, your personal data will be erased, keeping the rest of the information
anonymized for statistical purposes only. Notwithstanding the foregoing, the data may
be kept for the period established to comply with the legal obligations of
maintenance of the information and, at most, during the prescription period of the
corresponding legal actions, and the data must be kept blocked during the
mentioned limitation period. After this period, the data will be deleted.
In application of the provisions of article 32 of the RGPD, EDP undertakes to comply with the
security obligations of those data provided by users, trying to establish
all technical means at your disposal to avoid loss, misuse, alteration, access not
authorized and theft of the data that the user provides through it, taking into account the
state of technology, the nature of the data provided and the risks to which they may
be exposed. Notwithstanding the foregoing, the user must be aware that the measures
security in the TELEPHONE CHANNEL are not impregnable.
EDP ​​will treat the user's data confidentially, at all times, keeping the
mandatory duty of secrecy regarding them, in accordance with the provisions of the regulations
of application.
The user can exercise their rights of access, rectification, deletion, opposition,
limitation and portability, as well as the revocation of the consents granted
previously, in the terms established by law, communicating it in writing to EDP, at the
following address: LOPD Communication Channel, Plaza del Fresno, nº2, 33007 Oviedo.
Likewise, you can exercise these rights by sending an email with your data
personal to *** EMAIL . 2 . In both cases, a photocopy of the holder's ID must be attached.
or document that proves your identity.
Likewise, you may contact the EDP Data Protection Officer, at the
following postal address: Plaza del Fresno, 2 33007 Oviedo or by email
*** EMAIL.1 , in the event that you understand that any of your rights related to the
data protection, or where appropriate, file a claim with the Spanish Agency for
Data Protection at the address Calle de Jorge Juan, 6, 28001 Madrid ".
In the hiring process, the following is reported again: “Your data
personal and those of its client will be treated by EDP Comercializadora SAU and
EDP ​​Energía SAU for the management of its contracts, fraud prevention, execution
of profiles based on customer and EDP information, as well as the performance of
personalized communications about directly related products or services
with their contracts, being able to oppose them at any time ”.
Therefore, it is not possible to blame a lack of information to those interested in the
incoming calls while the information referred to in the first informational layer
(ie, the one provided at the beginning of each call) complies with the information
necessary of article 11 of the LOPDGDD (that is, identity of the person in charge, purposes of
treatment and possibility of exercising rights) and a direct means and
easy to access the rest of the information (by accessing the website or
pressing 0). It is important to note that the speech of the first informational layer is
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 73
73/136
automatically plays at the beginning of each incoming call and, therefore,
Therefore, it is mandatory to listen to all interested parties who make a call. For
For this reason, all those interested before reaching the contract have already been
informed about the possibility of exercising their rights and how to access the
rest of information about the treatment of your data. Also, before the
contracting, EDP ENERGÍA reminds interested parties -through a second
locution- part of the basic information on data protection.
In accordance with article 13.4 of the RGPD, the obligation to inform does not apply
to the extent that the interested party already has the information; in the case that we
occupies, taking into account that the initial speech is reproduced automatically
In each call, it is sufficiently proven that any interested party who
puts in contact with EDP ENERGÍA through the CAC Inbound Channel receives the
information regarding the protection of personal data. In this sense, the Group of
Article 29 (currently known as the European Data Protection Committee)
indicated in its Guidelines on transparency under Regulation (EU) 2016/67
("Transparency Guidelines") that it should be understood that article 13.4 of the RGPD
It is applicable in those cases in which the information had been
provided, for example, in the previous six months. Regarding the Canal
CAC Inbound, not only would have spent a time clearly less than 6 months but
the time span can be measured in minutes, so it is clear that the
interested party knows, knows and remembers perfectly the information on protection of
data without it being necessary to reiterate this information
(ii)
Regarding the information provided in the Telemarketing channels and
Leads
It points out that this Agency questions the means to access the second layer
informative (ie, the General Conditions available on the website
edpenergia.es) be "simple and immediate"
It indicates that EDP ENERGÍA has accredited in this procedure what
following:
• First of all, the information on data protection (i) is clearly
identified within the general contracting conditions of EDP ENERGÍA
(in section 16 and entitled LOPD) and (ii) occupies one of the four
pages of the document, so its location is not lossy for the
interested.
Please inform this Agency that you have created a separate document containing,
exclusively, the data protection information of the conditions
general contracting, which is easily accessible through its own
website and at the following address: *** URL.5 ; and that also, the conditions
General contracting regulations continue to include the clause related to the treatment
of personal data, so that the interested party has various means to
through which you can access information easily.
• Secondly, it alleges that the way in which the information on the
The second layer of information can be diverse and, as such, has been recognized by the
data protection authorities. As indicated in the Allegations to the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 74
74/136
Initiation Agreement, when the contracting occurs, the conditions are sent
general contracting - which includes the specific clause regarding
Data Protection-; therefore, making this information available to
through the website should be understood as an alternative system and
complementary.
In this sense, the Transparency Guidelines expressly indicate that
“When the first contact with an interested party is by telephone, this
information [first informational layer] could be provided during the call with the
interested party and he could receive the rest of the information required under the
Article 13 or 14 by an additional means other than, for example, by sending you a
copy of the privacy policy by email or a link to the
online privacy statement / notice of the person in charge ”.
In accordance with the criteria of the competent authorities, including the AEPD, EDP
ENERGÍA would not have committed an infringement of the duty of transparency, as long as
that the complete information on data protection (with the required content
by the regulations) is contained within the general contracting conditions
which are sent to the interested party after hiring. The Transparency Guidelines
They also indicate that, depending on the circumstances of the collection and treatment
of the data, a data controller could be forced to use
additionally, other possible ways of transmitting the information to the
stakeholders applicable to the relevant settings as long as the information from the
first informational layer is transmitted in the first modality used to
communicate with the interested party. For this reason, EDP ENERGÍA complies with its
obligation of transparency when providing the information of the first informative layer
by telephone and the second layer of information in writing (either document
physical or electronic). It is also important to note that the most
transparent and suitable for the interested party to receive information about the treatment
of your personal data is including it together with the information about the
contracting the services, insofar as this is the circumstance with which the
relates the processing of your data and is, in addition, a document that the
interested party will retain during their contractual relationship with EDP ENERGÍA.
(iii)
Regarding the content of the information provided by telephone and in the
general conditions:
• Specification of the data controller:
The AEPD questions the clarity with which the interested party knows which entity acts
as responsible for the treatment, however, as accredited in the conditions
general contracting of EDP ENERGÍA (provided as evidence 6) of this
procedure, the client is informed about the identity of the person responsible for the
treatment through the privacy policy in relation to the conditions of
hiring:
Privacy policy: "the data will be processed by EDP Comercializadora SAU and
EDP ​​Energía SAU ”.
Specific conditions of the contract:
"The customer contracts, for the supply indicated, the supply of gas with EDP
Comercializadora, SAU and the supply of electricity and / or services
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 75
75/136
complementary with EDP ENERGIA, SAU, (hereinafter joint and / or
individually, as appropriate, referred to as “EDP”) in accordance with the Conditions
Specific that are collected below and the General Conditions in annex ”.
As explained in the allegations to the Initiation Agreement, information is included
on both entities while, depending on the service requested by the
interested party (gas and / or electricity), one or another entity will be responsible for the treatment
(or both if the interested party hires both services). Therefore, the
interested party -which has full capacity to contract and, therefore, is
assumes that you should be able to understand the terms and conditions that
govern such contracting, you are aware at all times that, depending on how you contract
the gas and / or electricity supply service, your data will be processed by one or
both entities.
• Purposes and bases of legitimation
It is alleged that neither article 13 of the RGPD nor any other legal precept requires that the
privacy policy list each purpose specifically indicating the basis of
legitimation that results from application. Even so, when it comes to treatments
subject to consent, if it is expressly indicated which they are.
In any case, as already indicated in the Allegations to the Initiation Agreement,
in the case of the bases of legitimation of "contractual performance" and "legitimate interest",
It is obvious to anyone who hires the supply services of
EDP ​​ENERGÍA that the treatments closely linked to the execution of the
contract such as “manage, maintain, develop, complete and control the
contracting supply of electricity and / or gas and / or complementary services of and / or
gas and / or complementary services of revision and / or technical assistance and / or program of
points, and / or improvement of the service ”find their basis of legitimacy in the execution of the
contract, being the other treatments assignable to the legitimate interest (e.g. the
carrying out fraud prevention actions or sending communications
commercial). Legitimate interests are clearly stated and placed in
relationship with the purposes pursued (that is, fraud prevention and
marketing, in relation to the sending of commercial communications
personalized) and since there is an identification between the reported purpose and the
pursued self-interest, making a separate allusion would be redundant.
• Profiling
It is stated in the allegations that in the Resolution Proposal, the AEPD considers
that, in relation to "profiling", it is not clear what its purpose is or
the legitimate interest that supports the treatment. In this sense, the AEPD states in
the Proposed Resolution as follows: “In this case, in the opinion of this
Agency, the information requirements described above. EDP ​​ENERGÍA, SAU, is
It limits to informing about the "profiling", but does not offer information
on the type of profiles to be made, the specific uses to which they will be
allocate these profiles or the possibility that the interested party can exercise the right
of opposition in application of article 21 of the RGPD. "
However, profiling is associated with sending communications
personalized commercials: “will be treated (...) for the purpose of (...) carrying out
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 76
76/136
profiles, personalized business communications based on information
provided by the Client and / or derived from the provision of the service by the / s
Marketer / s and related to products and services related to the supply and
energy consumption, maintenance of facilities and equipment ”.
While the wording could have included “for the submission of” (that is, the text
out "as well as making profiles for sending commercial communications
based on information provided by the Client (...) ”), this absence does not
It must be understood as that EDP ENERGÍA violates article 13 of the RGPD.
• Exercise of rights:
It is alleged that in the opinion of the AEPD, it should be expressly indicated which are the
treatments to which the right of opposition applies. However, as I already know
stated in the Allegations to the Initiation Agreement, the obligation to detail the
specific treatments to which the interested party has the right to oppose not only is it not
an obligation contained in the RGPD, the LOPDGDD or any other regulation of
application, but also the AEPD in its guides and tools (among others, the Guide
for the fulfillment of the duty to inform2 or the Facilita tool3) does not indicate that
The informative clauses on the right to object must specify the
treatments on which the right of opposition applies, not even as an example of
Good practice. In any case, EDP ENERGÍA expressly indicates that the interested party
You may object to some voluntary treatments such as promotion,
profiling, automated decision-making and conducting
commercial offers.
It points out that the motion for a resolution indicated that: “It is imprecise to indicate
that the interested party may oppose the automated decision-making of their
personal information. These can only be carried out by the person in charge in the
assumptions provided for in article 22 of the RGPD, based in the present case on the
consent of the interested party, so he must be able to know that he can revoke
the consent given for the adoption of such decisions in any
moment, without prejudice to being informed of the rights conferred by the
Article 22 to the interested parties. "
It is alleged that the semantic and technical nuance associated with the terms "opposition" and
“Revocation” in the context of the exercise of rights cannot have an impact on the
interested, because with both terms the user achieves the same objective, which is that
a treatment specifically identified in the policy stops occurring. Even more,
the term used by EDP ENERGÍA (opposition) in the context of this type of
treatments is understood in the regulations and by the market itself more broadly
-and therefore more guarantee- since it allows the user to eliminate a treatment whether
based on consent, is based on legitimate interest.
• Treatments based on consent:
The AEPD considers that the information on the treatments subject to consent
it is not completely clear. However, this part cannot agree with
this interpretation for the following reasons:
In the first place, the AEPD questions that in point (IV) it is not clear as to what
data refers to the phrase "the results obtained from the aggregation of the data
indicated ”and argues the existence of confusion as to whether the aggregated data
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 77
77/136
are those referred to in point (II) and / or in point (III). However, as manifested
in the Allegations to the Initiation Agreement, from reading it is clear that "the results
obtained from the aggregation of the indicated data ”refers to the indicated data
above, that is, the data referred to in point (II) and (III), since it is evident that
the use of the anaphoric term "indicated" refers to the data referred to in the points
previous.
Second, the AEPD states that the difference in data processing
advertising this point with the previous points is not obvious. However, the
difference is clear:
the advertising treatment derived from point (I) refers to offers of "services
financial, payment protection services, automotive or related and electronics,
own or third parties, offered by EDP and / or participation in contests
promotional, as well as for the presentation of related commercial proposals
to the energy sector after the end of the contract ”, that is, services offered by
EDP ​​ENERGÍA not related to the contracted services but to the sector
energy or other sectors such as financial or automotive and in addition to
generic - not personalized;
▪ point (II) refers to “personalized products and services”, that is, offers
tailored to the customer's business profile; Y
▪ point (IV) refers to “making personalized offers, specifically aimed at
to achieve the contracting of certain products and / or services from EDP or third parties
entities ”, that is, to the realization of personalized offers with an objective
specifically to achieve the sale of certain products or services, being the
personalization not only with respect to the client but also with respect to the concrete
service or product offered.
The AEPD's criticism of the granularity offered by EDP ENERGÍA cannot
be understood in the light of their own recommendations and those of the European Committee on
Data Protection, which require precisely such detail and granularity.
FOUR.- COOPERATION AND PROACTIVE ATTITUDE OF EDP ENERGÍA.
EDP ​​ENERGÍA is studying and analyzing the implementation of the measures
timely for the adoption and adaptation to the recommendations, better
practices and the criteria established by the AEPD both in this procedure and
in its guides and publications (in addition to the improvements already implemented to
referenced above), in order to improve all its protection policies of
data, clauses and general conditions through which information about the
treatment of the personal data of your clients and potential clients
FIFTH.- BREACH OF THE PRINCIPLE OF INTERDICTION OF THE
ARBITRARINESS.
It is noted that certain recommended practices (and even applied by the AEPD in
their own privacy policies) have served in this case to argue and
motivate the alleged infractions committed by EDP ENERGÍA (for example, the
presentation of the information regarding the exercise of rights of the interested parties
collected in the Second Allegation). These aspects that, a priori, the AEPD recommends
and puts into practice, considering them examples that conform to the regulations
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 78
78/136
applicable, are used as infringing elements to justify the alleged
breach of different legal precepts by EDP ENERGÍA.
SIX.- LACK OF GUILT IN THE PERFORMANCE OF EDP ENERGÍA.
By virtue of all the foregoing, the actions of EDP ENERGÍA cannot
be considered guilty in the eventual commission of administrative offenses in
matter of data protection that is imputed to him. In the administrative field
sanctioning is not enough that the conduct is typical and unlawful (which in this case,
neither is it), but it is also an inescapable requirement that he be guilty, that is,
consequence of an action or omission attributable to the person responsible for fraud or fault
inexcusable, without being admissible any kind of strict liability that
exempt the Administration from fully certifying the requirement of guilt or
intentionality in the commission of the offense. (Judgments of the Supreme Court of 9
July 1994, May 16, 1995, December 12, 1995, January 12 and 19,
1996, April 15, 1996, among many others.)
It is also worth mentioning that the appreciation of the subjective element of the
offense is determined by the degree of predictability it had for the subject
affected that their conduct could be considered typical and unlawful and, therefore,
liable to be sanctioned. The subjective element of guilt can only
concur when, in view of the existing situation at the time of the
conduct, the subject could reasonably anticipate that he was committing a
infringement Sentences of the Hon. Third Chamber of the Supreme Court of May 8
from 2003 - ref. Aranzadi RJ 4209—, of July 7, 2003 - ref. Aranzadi RJ 5832—,
and of January 28 and 27, 2010 - ref. Aranzadi RJ 1362 and 1357.
Likewise, the doctrine of contentious-administrative courts has excluded the
concurrence of the essential guilty element when the subject who has
objectively committed the offense has acted based on a reasonable
interpretation of the legal system.
A reasonable interpretation of the applicable regulations, even if it is not ultimately
considered correct by the courts, excludes guilt, especially in
those cases in which the applicable legal norms are not clear or univocal.
SEVENTH.- SUBSIDIARILY, THE PROPOSED SANCTIONS ARE
MANIFESTLY DISPROPORTIONATE AND SHOULD BE APPLIED
ATTENUATING CIRCUMSTANCES.
In short, analyzing each of the alleged infractions that are attributed to EDP
ENERGY, it can only be interpreted that there is an absolute disproportionality in the
interpretation made by the AEPD in the Resolution Proposal, not only because
lacks motivation when considering the alleged offense committed, but rather
the fact that the proposed sanctions escape any criteria valued with
prior character by the AEPD itself. In this sense, it should be added that the amounts of
Previous penalties imposed in similar factual events are not comparable
to the proposals in this case.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 79
79/136
Extenuating circumstances must be applied: Indeed, any sanction that is
imposed on EDP ENERGÍA would have to be set in accordance with articles 83.2 of the
RGPD and 76.2 of the LOPDGDD, which contemplate relevant instruments so that the
Administration adjusts the proportionality of the sanctions. In the present case, such and
as stated in the Allegations to the Initiation Agreement, concur
more than enough the following extenuating circumstances summarized here:
• The nature, seriousness and duration of the offense: according to article 83.2.a) of the
RGPD, the assessment of this circumstance must take into account “the nature,
scope or purpose of treatment ”(...) and“ the level of damages that may have
suffered ”. In this sense, what is attributed to EDP ENERGÍA is the need to
improve some aspects of its data protection policies, without in any way
In this case, the texts used so far can be understood to have generated
a high level of damages. Likewise, the treatments provided in these
policies - which are known to stakeholders - are not particularly
sensitive, neither by the type of data processed nor by the characteristics of the
treatment activities. Therefore, it is not only not appropriate to consider as
circumstance aggravating the nature of this offense but, the foregoing must
considered as a mitigating circumstance applicable to the present procedure.
• Intentionality or negligence in the infringement: EDP ENERGÍA has not shown
intentionality or negligence. The AEPD, in its Resolution Proposal, indicates
that “the defects indicated in the information provided show the lack of diligence
of EDP ENERGÍA in complying with transparency obligations ”. For
Therefore, what this Agency seems to refer to is the absence of all the diligence that,
According to said Authority, it would be expected from EDP ENERGÍA. However, it does not seem that
said statement can be understood as "intentionality or negligence" in its
action insofar as, as has been stated in the Allegations to the Agreement of
Inception and in these allegations, EDP ENERGÍA has carefully observed
the guides, guidelines and tools made available by the AEPD itself and the
European Data Protection Committee for the fulfillment of its obligations of
Data Protection. For this reason, EDP ENERGÍA's diligence must be taken into account
counts as an extenuating circumstance.
• The high link between the activity of the offender and the performance of treatment of
personal data: EDP ENERGÍA is dedicated, as stated by the AEPD in the Proposal for
Resolution, to the supply of electricity, an activity that is not intensive in the
processing of personal data and that although it is true that the development of the
EDP ​​ENERGÍA's activity involves the processing of personal data, this is
instrumental form without its activity being based on the exploitation of personal data.
In this sense, the low link between EDP ENERGÍA's activity in the treatment
personal data should be considered an extenuating circumstance.
• Any measure taken to alleviate damages: as stated
In the knowledge of the AEPD, EDP ENERGÍA is immersed in the review and
improvement of its procedures and clauses in order to adapt and implement the
recommendations made by this Agency, avoiding that
any type of damage or harm to the interested parties. Proof of this is that some of
the recommendations of this Agency are already implemented, such as the
improving access to information on data protection, which is already available
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 80
80/136
at the address edp-residencialbytotal.es/rgpd as well as the new protocol of
contracting through a representative, which was already contributed to the procedure by
last July 16, 2020 and it has already been implemented last January.
• Degree of cooperation with the authority: EDP ENERGÍA has shown from the beginning
of this procedure a completely collaborative attitude with the AEPD, as
as has been accredited in this writing. In the Allegations to the Agreement of
Home provides more complete information regarding cooperation
shown by EDP ENERGÍA.
• Categories of data and affectation of the rights of minors: the data subject
treatment are not special categories of data and the data have not been affected.
rights of minors (EDP ENERGÍA's clients are always older than
age with capacity to contract).
• Continued nature of the offense: as has been proven, EDP ENERGÍA,
from the moment it has been made aware of the improvements that, in the opinion of the
AEPD, could be adopted in its policies, has proceeded to analyze its texts and
procedures. Therefore, it cannot be understood that it is an infringement of
continuing character, although this Agency must understand that in corporate groups
complex processes of change and adaptation of procedures cannot be done
immediately. However, not for that reason the alleged infraction that is imputed
it should be understood as "continued".
• Status of a large company and its turnover: the fact that EDP
ENERGY is considered a large company cannot be used as a
aggravating circumstance as it is not a circumstance foreseen neither in the RGPD nor in the
LOPDGDD. In addition, in this sense, the Supreme Court (judgment of April 4,
November 2015, appeal 100/2014) has stated in recent jurisprudence but
consolidated statement that "it is not feasible, in any case, to presume malicious conduct by the
mere fact of the special circumstances surrounding the taxpayer of the
taxation (economic importance, type of advice received, etc.) (...). [It
that the public power cannot do, without violating the principle of guilt that
derives from art. 25 CE [see, for all, the Judgment of this Section of June 6,
2008 (rec. Cas. For the unification of doctrine no. 146/2004), FD 4], is to impose a
sanction to a taxpayer (or confirm it in the administrative or judicial phase of
recourse) due to its subjective circumstances -even if it is a legal person,
has great financial means, receives or can receive the most competent of the
advice and is habitually or exclusively dedicated to the activity taxed by the
unfulfilled norm ”. For this reason, it is neither legal nor constitutional to assess the
large company status as an aggravating circumstance. Likewise, the AEPD also
refers to “its business volume” (a fact that is not considered as
aggravating circumstance neither in the RGPD nor in the LOPDGDD). When it comes to quantifying the
sanction, the AEPD refers to the global billing volume of EDP ENERGÍA for
quantify it, when it should exclusively take into account, and where appropriate, the data
billing generated by the eventual alleged breach -in the case of the
Article 25 of the RGPD, relating exclusively to contracting by representation.
In this sense, the AEPD, in its investigation within the framework of the procedure, requested and
obtained concrete data on the volume of hiring by representation and the
the smallest part that corresponds to the overall activity of EDP ENERGÍA, and should
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 81
81/136
In any case, having taken it into account in the Proposal for Resolution, which has not
happened. Likewise, as has been indicated in the First Allegation, the volume
of business derived from contracting with a representative supposes approximately
0.11% of the global business volume. For its part, as regards the
sanction associated with the alleged violation of article 13 of the RGPD, the AEPD neither
it should have taken into consideration the global turnover of its activity.
Benefits obtained as a consequence of the infringement: the alleged commission of the
The alleged infringement has not generated any type of economic benefit, direct or
indirectly, to EDP ENERGÍA. In any case, if this Agency considers otherwise, the
The benefit should be calculated according to the criteria that have been indicated in the
First Claim, taking into account that the volume of business derived from the
contracting through a representative represent only 0.11% of the business volume
overall and that the proposed sanction represents a disproportionate amount in relation to
the benefits obtained
. • High volume of data and treatments: contrary to what this Agency indicates
in its Proposal for Resolution, the alleged infractions attributed to EDP
ENERGÍA does not affect “all the data processing carried out by the entity EDP
ENERGÍA SAU ”, but only to treatment related to clients. In fact, the
AEPD itself recognizes in the section on "High number of interested parties" that
"[T] he infringement affects all the entity's natural person customers", but not
indicates no other stakeholder group. Likewise, with regard to the
contracting by third parties on behalf of its owner, it is relevant to point out that said
Contracting only affects 0.11% of EDP ENERGÍA's business volume
so it is evident that the volume of data and treatments affected is minimal.
For this reason, the small number of treatments affected, and especially, in
relationship with contracting through a representative, must be taken into account as
extenuating circumstance.
• Recent acquisition of EDP ENERGÍA: as we have indicated in the claim
Preliminary of this writing, EDP ENERGÍA has recently been acquired by the
Total Group. By virtue of article 76.2.e) of the LOPDGDD, in conjunction with article
83.2.k) of the RGPD, understands this part that this
circumstance when, where appropriate, modulate and mitigate the potential sanction-sanction
that in any case this part understands that it is not applicable. Although the mentioned
precept includes the assumptions in which the structural modification is a merger by
absorption, in application of the principle of teleological interpretation, its regulation must
be extended to other structural modifications made after the
commission of the offense and that result in the imposition of sanctions
disproportionate and burdensome to the new entity that did not commit the initial offense
PROVEN FACTS
1 . It appears in the file that EDP ENERGÍA, SAU uses the following channels
to formalize the contracting of their services:
A. Telephone Channel, with partial or definitive closure of the contracting process
through a phone call. It includes the following subchannels:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 82
82/136
- CAC Inbound: Call reception, from customers to EDP. On
In general, they are already EDP customers who are identified from the beginning of the call
through a security protocol, although they can also be received
calls from potential customers.
- Telemarketing: Issuance of calls, from EDP to databases
own customers for upselling or abandonment recovery. Used
to make the call the telephone number that appears in the file
of the client, and that has been provided by said person previously.
- LEADS: Issuance or reception of calls, about users who have
expressed an interest in any platform or website (sweepstakes,
promotions, offer comparators, blogs, advertising agencies, etc.)
leaving their basic data to be contacted or contacting themselves at
the phone number shown to them. Usually such users still
they do not have active contracts with EDP.
B. Web channel, closed by means of a digital form. The user accesses through
a website and start a hiring process totally online, without interaction with
agents.
C. Distributors, with face-to-face or digital closing of the contracting process,
including:
- EDP's own Commercial Offices. Normally already EDP clients who
they proactively go to the office, although they can also be clients
potentials.
- Third -party stores (eg *** STORE.1 ). In general, new clients who come to
make their purchases and are interested in EDP's offer.
D. External Sales Forces, with in-person closing of the contracting process,
including:
- Stands at Fairs, Shopping Centers, etc. In general new clients that
they go to such events or places and are interested in EDP's offer.
- Home visits with prior request. Clients or potential clients who have
provided your data and consent to receive proposals from an agent of
EDP ​​at home.
2. The contracting procedures implemented in those cases in which the
Contracting is carried out by a third party on behalf of the owner are the following:
A) Telephone channels:
A.1 - CAC INBOUND 1) When the user indicates that he wishes to make a contract
As a representative, you are asked about your relationship with the owner and if you have
authorization of said person. 2) Once the previous point has been confirmed, they are requested
identification data of the representative, and all the data of the owner necessary to
formalize the hiring. 3) Finally the Consent is read and recorded in audio
Representative express. 4) The holder of the contract, for informational purposes, is sent
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 83
83/136
in duplicate, with a stamped envelope, the contractual documentation in compliance
of the provisions of the consumer and user protection regulations.
A.2 - TELEMARKETING 1) When the user indicates that he wishes to carry out a
hiring as a representative is asked about their relationship with the owner. 2) A
Once the previous point has been confirmed, identification data of the representative is requested, and
all the data of the owner necessary to formalize the contract. 3) Then
the Express Consent of the representative is read and recorded in audio. 4) Finally
durable support is sent to the phone / sms provided by the representative, and is expected
upon your confirmation. 5) The holder of the contract, for informational purposes, is sent by
duplicate, with a stamped envelope, the contractual documentation in compliance with the
provided in the consumer and user protection regulations.
A.3 - LEADS 1) When the user indicates that he wishes to make a contract as
representative is asked about his relationship with the owner. 2) Once the
previous point, identification data of the representative is requested, and all the data of the
holder necessary to formalize the contract. 3) It is then read and recorded in
audio the Express Consent of the representative. 4) Then support is sent
durable to the phone / sms provided by the representative, and awaits your confirmation.
5) The contract holder, for informational purposes, is sent in duplicate, with envelope
franked, the contractual documentation in compliance with the provisions of the
consumer and user protection regulations. 6) In this channel, by the mode of
contracting and the characteristics of the clients who use it, it is in progress,
as a pilot test, communication via SMS or e-mail to the represented (in cases of
not related to the representative to study its effectiveness and receptivity.)
B. Distributors:
In the case of contracts made in EDP's own Commercial Offices (in
third-party stores there is no possibility of contracting in the name and on behalf of
a third) the procedure is as follows:
1) In those cases in which the user indicates that he wishes to make a contract
as a representative of a third party, you are asked about your relationship with the owner. 2) A
Once the information is obtained, the identification data of the representative is requested, and
all the data of the owner necessary to formalize the contract. Likewise,
requires a photocopy of the NIF, both the representative and the represented. 3)
The presentation of an authorization document is also required.
completed and signed by both interested parties (representative and owner).
C. External Sales Forces:
In the case of contracts made by external sales forces (fair stands,
shopping centers and home visits, provided there is prior request by
of the interested party), in the contract the identification data of the representative will be collected,
Also requesting the data of the owner necessary to formalize the contract.
In the contract, it is expressly specified that the representative declares to have
of sufficient powers to sign the contract on behalf of the client to whom it is
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 84
84/136
is responsible for informing of all the conditions thereof. It is required, on the other
part of a photocopy of the representative's NIF.
Next, an audio verification of the hiring is recorded where you are
indicates on two occasions to the representative, the fact that he acts on behalf of the
holder of the supply and the relationship-kinship that binds them is confirmed.
To prove the representation, the contracting stub is formalized where the
representative declares to have sufficient powers to sign the contract in
name of the client who is responsible for informing of all the conditions of
this. Likewise, a copy of the representative's NIF is provided.
3 . The record shows that the documentation used by EDP ENERGÍA,
SAU to prove the representation of the owner when signing a contract is the
following:
A. Telephone Channel:
In the three subchannels of the telephone channel (evidences 2, 3 and 4, CAC Inbound channels,
Telemarketing and Leads respectively) the representative is requested, during the
recording of the contracting procedure, confirmation of the following aspects:
of your identity and ID, of your performance on behalf of the owner, of the relationship with
the represented (as husband, wife, child, attorney, representative); of identity
(name, surname, DNI) of the represented, and telephone and email. The
Documentation accrediting the representation of the contract holder consists of the
recordings in which the representative makes the aforementioned confirmations. On
In the case of telemarketing and LEADS channels, a
sms / email with the following text “EDP Offer: Please, answer with a YES to this
SMS to accept and activate discounts. " (evidences 10 and 12).
B. Distributors: In the case of EDP ENERGÍA's own commercial offices,
SAU is requested completed and signed by both interested parties
(representative and owner) a document of express authorization in which the
data of both persons and copies of their NIF.
In the channel own commercial offices (evidence 5) the representation is accredited
by means of a document called "representative management authorization template",
in it the owner (identified with his name and ID or CIF), in his own name or
representation of the company authorizes the representative also identified with his
name and ID to carry out different procedures (registration / cancellation, change of ownership,
change of direct debit and / or other procedures) must be indicated in the box
contiguous to each one of them which or which are the authorized procedures. Saying
document requires the signature of the authorizer and the authorized person. Also, said document
contains the following warning “TO BE VALID, THIS AUTHORIZATION
IT MUST BE PRESENTED ACCOMPANIED BY A PHOTOCOPY OF THE HOLDER'S ID AND
OF THE AUTHORIZED. WHEN IT IS AN AUTHORIZATION GRANTED BY A
REPRESENTANTE DEL TIPO SA, SL, AIE, UTE, CB, COMMUNITY OF
OWNERS, FOUNDATIONS, SCHOOLS, ALSO WILL BE REQUIRED
PHOTOCOPY OF THE WRITING OF POWER OF ATTORNEY ”.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 85
85/136
C. External Sales Forces: In the case of external sales forces (stands of
fairs, shopping centers and home visits, provided there is prior request by
part of the interested party), a document is used to prove the representation
called sales book (evidence 6). In this checkbook, they contain
spaces to fill in the data of the contract holder (name, surname,
telephone and email) and representative data (name, NIF and address) and
include several boxes to mark that the representative is representative in the capacity of
spouse / registered partner, ascendant / descendant or attorney-in-fact) below such
boxes a text indicates that “it declares to have sufficient powers to subscribe
this contract on behalf of the client who is responsible for informing
all the conditions of the same. " A verification recording is made where
confirms with the representative the data of the represented, as well as the relationship or
kinship that unites them (evidence 16)
It is evident in the evidence presented that in the hiring subchannels
telephone representatives are informed that “On behalf of their client, and
After passing an analysis of the risk of the operation, we will take the necessary steps
to activate the access contracts, at which point the
new contract being terminated the previous one. "
5. It is established that during the hiring process, in the hiring channels
By telephone, the representative's consent is requested on behalf of the represented
to carry out other treatments such as sending offers related to the
energy adapted to your profile after the end of the contract or send you at any
information on non-energy products or services of companies or
collaborators of EDP. (evidences 2, 3 and 4).
During this process, the consent of the representative is also requested in
name of the represented to complete the commercial profile with information on bases
of third-party data, in order to send you personalized proposals and the
possibility of contracting or not certain services.
In the channel of external forces, the possibility of providing such
consents. As evidence 6 shows under the heading
CLIENT / REPRESENTATIVE, after noting that the information related to the protection of
data can be read on the back, allows you to mark the following consents,
marking the joint box for each of them:
 I consent to the processing of my personal data once the relationship has ended
contractual, to carry out commercial communications adapted to my profile
of products and services related to the supply and consumption of energy. In addition,
I consent to the aforementioned treatments during the term and after the end of the
contract, on non-energy products and services, both of the Group companies
EDP ​​and third parties.
 I consent to the processing of my personal data for the elaboration of my profile
with information from third party databases, for the
adoption, by EDP, of automated decisions in order to send
personalized commercial proposals, as well as to allow, or not, the contracting
of certain services.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 86
86/136
6. Evidence 2, 3 and 4 show that during the telephone contracting process
the following information is provided to the representative: "Your personal data and those of your
represented will be treated by EDP Comercializadora SAU and EDP Energía SAU to
the management of your contracts, fraud prevention, profiling based on
customer and EDP information, as well as communication
personalized information on products or services directly related to their
contracts, being able to oppose them at any time ".
In the telemarketing and leads channel evidences 3 and 4 the following is added "Les
We remind you that you can exercise your access rights at any time,
rectification, opposition, deletion, limitation and portability, through any of
the routes indicated in the General Conditions that can be consulted on our website
*** URL.1 . "
This information does not appear in evidence 2 corresponding to the CAC inbound channel .
In the own offices channel, the information provided is as follows (evidence 5)
"Interested parties are informed that the personal data provided in
This form will be treated as the data controller by EDP ENERGÍA,
SAU and EDP COMERCIALIZADORA, SAU so that they can be used
for the processing of authorized management.
The personal data that you provide us will be used, in the manner and with the
limitations and rights recognized by the General Data Protection Regulation
(EU) 2016/679.
The interested parties whose data are subject to treatment may exercise their rights
of access, rectification, deletion, portability, limitation and opposition to treatment
of these data, proving your identity, by email addressed to *** EMAIL. 2 or
by writing addressed to the person responsible for the treatment at the address Plaza del
Fresno, 2 - 33007 Oviedo (Asturias). Likewise, you can contact the
EDP ​​Data Protection Officer, at the same postal address or by mail
electronic *** EMAIL.1 , in the event that you understand that any of your rights has been violated
related to data protection, or, where appropriate, file a claim
before the Spanish Agency for Data Protection "
In the External Forces Channel, the sales book provides the following
information. On the back of the first page there is a section, entitled
"Basic Information on Data Protection": which includes the following:
"Personal data will be processed by EDP COMERCIALIZADORA,
SAU and EDP ENERGÍA, SAU (hereinafter, jointly, EDP) as
Responsible for the Treatment, for the maintenance, development, compliance and
management of the contractual relationship, fraud prevention, profiling
based on information provided by the Client and / or derived from the provision of the
service by EDP, as well as sending commercial communications, related to
products and services related to the supply and consumption of energy,
maintenance of facilities and equipment, and that can be customized in
based on your Client profile, as reported in the General Conditions, being able to
object at any time to the sending of commercial communications.
Additionally, the Client gives his explicit consent for the treatments of
personal data collected on the front. Without prejudice to consents
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 87
87/136
provided, the client may exercise, at any time, their access rights,
rectification, opposition, deletion, limitation and portability, through any of
the routes indicated in the General Conditions. "
In the part of general conditions the following information regarding
personal data protection:
“LOPD Purposes of the processing of personal data. According to
provided in current regulations, the client is informed that all data
provided in this contract are necessary for the purposes of its formalization.
Said data, in addition to those obtained as a result of the execution of the
contract, will be processed by EDP COMERCIALIZADORA, SAU, domiciled at
C / General Concha, 20, 48001, Bilbao and by EDP ENERGÍA, SAU with address at
Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers,
in order to manage, maintain, develop, complete and control the
contracting supply of electricity and / or gas and / or complementary services of and / or
gas and / or complementary services of revision and / or technical assistance and / or program of
points, and / or improvement of the service, to carry out actions to prevent
fraud, as well as profiling, personalized commercial communications
based on information provided by the Client and / or derived from the provision of the
service by EDP and related to products and services related to the
supply and consumption of energy, maintenance of facilities and equipment.
These treatments will be carried out in strict compliance with the legislation
current and insofar as they are necessary for the execution of the contract and / or the
satisfaction of EDP's legitimate interests, provided that the latter are not
other rights of the client prevail.
Provided that the client has explicitly accepted it, their personal data will be
treated, even once the contractual relationship has ended and provided that there is no
Produces opposition to said treatment, to:
(I) The promotion of financial services, payment protection services, automotive
or related and electronic, own or third parties, offered by EDP and / or participation in
promotional contests, as well as for the presentation of commercial proposals
linked to the energy sector after the end of the contract, (II) The preparation of
Commercial profiles of the Client by aggregating the databases of
third parties, in order to offer the Client personalized products and services,
thus improving the customer experience, (III) Decision-making
automated, such as allowing the contracting, or not, of certain products
and / or services based on the Client's profile and particularly, on data such as, the
history of defaults, the history of hires, permanence, locations, data
consumption, types of devices connected to the energy network, and similar data
that allow to know in greater detail the risks associated with the contracting. (IV)
Based on the results obtained from the aggregation of the indicated data,
EDP ​​may make personalized offers, specifically aimed at achieving the
contracting of certain products and / or services from EDP or from third parties
depending on whether the client has consented to it or not, being in any case treated
data whose age will not exceed one year. In the event that said process was carried out
carried out in an automated way, the client will always have the right to obtain intervention
human rights by EDP, admitting the challenge and, where appropriate, assessment of the
resulting decision.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 88
88/136
Categories of data processed
By virtue of the contractual relationship, EDP may process the following types of data
personal: (I) Identifying data (name, surname, ID, postal address, address
email address, supply point, etc.), (II) Identification codes or keys
User and / or Client, (III) Personal characteristics data (date of birth,
sex, nationality, etc.), (IV) Data of social circumstances (hobbies, style of
life, marital status, etc.), (V) Data on energy consumption and derived lifestyle habits
of these, (VI) Economic, financial, solvency and / or insurance data.
Personal data will be kept for the duration of the contractual relationship
and at most, during the statute of limitations for legal actions
corresponding, unless the Client authorizes its treatment for a longer period,
applying organizational and security measures from the beginning of the treatment
to ensure the integrity, confidentiality, availability and resilience of data
personal
Communications and recipients of personal data.
All personal data derived from the provision of the service and those obtained in
By virtue of this contract, they may be communicated to the following entities:
i)
The corresponding distribution company, producing with it a
permanent exchange of information for the adequate provision of the
service, including the request for access to your network, readings (which in the case
remote-managed meter will be hourly) and / or consumption estimate, control
quality of supply, request for supply cuts, modifications in
power, etc.
ii)
The Organizations and Public Administrations that by Law correspond.
iii)
Banks and financial entities for the collection of services rendered.
iv)
Other companies of the business group, solely for administrative purposes
internal and the management of the products and services contracted.
v)
National equity solvency and credit services (Asnef-Equifax,
...) to which in case of non-payment, without just cause by the Client,
You will be able to communicate the debt, as well as fraud prevention services,
for the sole purpose of identifying erroneous or fraudulent information provided
during the hiring process.
saw)
EDP ​​suppliers necessary for the adequate compliance with the
contractual obligations, including those that may be located outside
of the European Economic Area, in which case it is duly
adequate international data transfer.
Rights of the data owner
The client will have at all times the possibility of exercising freely and
completely free of charge the following rights:
i)
Access your personal data that is processed by
EDP.
ii)
Rectify your personal data that is processed by EDP
that are inaccurate or incomplete.
iii)
Delete your personal data that is processed by EDP
iv)
Limit EDP's treatment of all or part of its
personal information.
v)
Oppose certain treatment and decision-making
automated data processing, requiring the intervention
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 89
89/136
human rights in the process, as well as to challenge the decisions that
are finally adopted by virtue of the processing of your data.
saw)
Port your personal data in an interoperable format and
self-sufficient.
vii)
Withdraw at any time, the consents granted
previously.
In accordance with current regulations, the user can exercise their rights
requesting it in writing, and together with a copy of a reliable accreditation document
identity, at the following postal address: Plaza del Fresno, 2, 33007 Oviedo or
in the email *** EMAIL . 2 .
Likewise, you can contact the data protection officer of
EDP ​​at the following postal address Plaza del Fresno, 2, 33007 Oviedo or by mail
electronic *** EMAIL.1 , in the event that you understand that any of your rights has been violated
related to data protection, or, where appropriate, file a claim
before the Spanish Agency for Data Protection, at the address Calle de Jorge Juan,
6, 28001. Madrid "
7. It is established that the number of contracts signed in 2018 and 2019 by third parties
representing natural persons is the following:
A.1 - CAC INBOUND
Year Channel Representation
No. Contracts
2018 CAC Relationship
1,536
2018 CAC Unrelated
436
2019 CAC
Relationship
1,351
2019 CAC Unrelated
295
A.2 - TELEMARKETING
Channel Year
Representation
No. Contracts
2018 TELEMARKETING
Relationship
2,708
2018 TELEMARKETING
No kinship
114
2019 TELEMARKETING
Relationship
1,910
2019 TELEMARKETING
No kinship
83
A.3 - LEADS
Channel Year
Representation
No. Contracts
2018 LEADS
Relationship
17,040
2018 LEADS
No kinship
2,719
2019 LEADS
Relationship
17,808
2019 LEADS
No kinship
3,496
B. Web: Hiring with a representative is not contemplated.
C. Distributors (own commercial offices):
Year Channel Representation
No. Contracts
2018 OOCC Relationship
261
2018 OOCC Unrelated
64
2019 OOCC Relationship
244
2019 OOCC Unrelated
52
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 90
90/136
D. External Sales Forces: (trade fair stands, shopping centers - home visit)
Year Channel Representation
No. Contracts
2018 FVE
Relationship
43,008
2018 FVE
No kinship
523
2019 FVE
Relationship
11,945
2019 FVE
No kinship
13
8 . It is established that it is in the investigation file E / 5549/2019, origin of the present
sanctioning procedure, the document referred to by EDP ENERGÍA, SAU in
their allegations, presented by EDP COMERCIALIZADORA, SAU, dated 16
July 2020, in which it states that "it has revised the procedure to be followed in the
contracting by third parties on behalf of the owner, in order to strengthen said
procedure and reduce the risks of possible identity theft carried out
in bad faith by the contracting party in this type of process, taking into account,
additionally, the particular needs identified as a result of the state of
alarm decreed last March and that has necessarily required that
all contracts are carried out in a non-face-to-face way.
That in order to inform the AEPD of the specific actions that are
are being carried out in relation to this matter by EDP, in compliance
of their duty of proactive compliance (accountability), we attach the
"Contracting procedure by third parties on behalf of the owner", so that they have
visibility on the modifications that are being implemented in these processes
in order to meet your request in this regard, as well as to highlight the
EDP's proactivity regarding its suggestion of adaptation of said
process." The procedure to follow is detailed below in said
written, consisting of sending the client a communication, by email
or SMS, once the contract has been formalized by the agent in cases where there is no
have written authorization.
This document is declared reproduced in this act for evidentiary purposes.
9. EDP ​​ENERGÍA, SAU provides in response to the request made by this
Agency within the framework of research activities extract from the Registry of
Treatment Activities that includes the records related to the activities that are
performed in the field of contracting products and / or services and the analysis of
risks carried out in relation to the treatments carried out in the context of the
contracting products and / or services.
The risk analysis is contained in an Excel document, it does not contain a date
nor signature. 15 risk factors are listed; 1. Information commercially
sensitive, 2. Commercial Communications, 3. Data Origin (external source or
internal), 4. Data transfers. 5, Treatment Managers. 6. Transfers
international 7. Scoring / Profiling activities. 8.Decisions
automated. 9. Systematic monitoring of headlines. 10. Categories
special data. 11. Large-scale data processing. 12.
Data interconnections / Big Data. 13. Minor Data / Vulnerable Holders.
14. Application or use of innovative technologies.15. Unavoidable treatment /
Restriction of the exercise of rights or access to the service. Regarding the valuation
potential of inherent risk, the risk scale has 4 levels: low, with a
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 91
91/136
score from 0 to 12; average score from 13 to 25; tall from 26 to 38 and very tall
from 39 to 51. The assessment or weight given to each of the factors of
risk is from 1 to 4. In the risk analysis, for each of the
sales channels a yes or no in each of the 15 risk factors above
listed. The sum of the weight attributed to each of the factors for
each channel determines the inherent risk. The result of inherent risk is
medium in all the contracting channels, except in the web channels and
external forces through home visits in which the outcome of the
inherent risk is low. Risk correction measures are not indicated.
These documents are declared reproduced in this act for evidentiary purposes.
10. It is clear that to access the General Conditions, which are referred to in the
telephone processes to obtain the rest of the information regarding the treatment of
personal data, on page *** URL.1 the following process must be followed:
-Access through the internet browser to the address *** URL.2
- Introduction in the search engine of the text page itself: "General Conditions"
-The website shows, under the following address: *** URL . 3, 2 tabs one
called Related Information and Other Documents.
-The "Documents" tab of the Search Results is selected. Is
offers a total of 78 results, the third of which corresponds to the
"General contracting conditions".
-The "General contracting conditions" are selected and automatically
open a new browser window pointing to the following internet address:
*** URL.4 , where the document can be downloaded.
11 .The following documents are provided in support of the allegations made:
Annex 1.a) Risk analysis methodology and implementation of DPIAs
- Annex 1.b) RAT contracting EDPE
- Annex 1.c) RAT risk assessment- EDPE contracting
- Annex 1.e) Impact Assessments -Risk Assessments
- Annex 1.f) Impact evaluations - Reports
Appendix 2 :
- EDP Privacy by Design by Default Methodology
- Operational Instruction Privacy by Design & Privacy by Default
- Privacy by Design & Privacy by Default form
- Privacy By Design Procedure Flowchart.
Annex 4:
- Examples of requests for the exercise of rights.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 92
92/136
The Risk Analysis Methodology and DPIAS (DATA PRIVACY
ASSESSMENTS) contains on its first page a version history, being the
date of the initial version 11/24/2017 and the last one on 05/11/2018 revision date
prior to the applicability of the RGPD. It is accompanied by various annexes whose date
not included or provided.
The document contained in annex 1.b RAT, EDPE, whose date does not appear, includes
a treatment purpose not included in the register of treatment activities
sent to this Agency on June 17, 2020. Specifically, said treatment
that is now included has the following content:
Responsible: EDP Energía, SAU
Purpose of the treatment: "Carrying out Scoring of customers of the B2C segment prior
to hiring ”,
Description: “Scoring of customers in the B2C segment prior to the
contracting according to the internal pending debt and information from
solvency (ASNEF). "
Category of data holders: "Clients and potential clients."
Category of personal data processed: "Identifying data and economic data."
Legal basis for carrying out the treatment: "Satisfaction of legitimate interests."
Period of conservation of personal data: “5 years from the end of the
contractual relationship. The certain, past due and enforceable debt derived from the execution of the
contract will be maintained until its cancellation or the limitation period of the actions
pertinent legal recovery. "
Data transfers (data recipients, other than those in charge of the treatment):
“ASNEF is jointly responsible for the treatment, according to the signed agreement
with ASNEF. "
Categories in charge of treatment: The box has no content.
International data transfer: No
Annex 1.c) under the name “RAT Risk Assessment- EDPE Contracting”, whose
The date is not reflected in the document either, it contains the risk analysis, in the form of
matrix, the same as the one presented on June 17, 2020, with the same content, if
either two columns have been added under the title "treatment requires PIA", both
entitled "No. of EDP-W29 criteria", the first indicates a number that seems
correspond to its title and the second indicates the need to carry out a
Impact evaluation. In this matrix there is also a new treatment whose
The purpose is the “Scoring of customers in the B2C segment prior to the
hiring ”.
Various documents entitled impact evaluations are provided, whose date
Nor is it recorded, these impact evaluations are the following:
-Risk assessment of B2C customer scoring prior to the
contracting, in which, among other threats, the following are indicated:
- “The basis that legitimizes the treatment is not adequate, it is illegal or it has not been
formulated properly ”, whose probability is set as high, with a
impact rated as very high and resulting in inherent risk High. On
Regarding the controls implemented against this threat, it is stated that “the
legal basis of the treatment is to satisfy a legitimate interest (prevention of
fraud)".
- “At the time of data collection, the information is not provided
minimum expected to the person or no information is provided. " On
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 93
93/136
This assumption is considered to “not apply” neither the probability nor the impact, nor
there is an inherent risk, the controls being the “Protection clause of
data included in the contract signed with the client with all the information
required by the RGPD ”and the“ information provided to the client prior to the
carrying out the scoring process "
-Evaluation of channel leads to be converted by telemarketing.
-Evaluation of risks Telemarketing upselling and dropouts.
-CAC channel risk assessment to clients or potential clients (inbound).
-Evaluation Channel OOCC clients and potential clients.
-Risk evaluation of third-party stores for sale to potential customers.
-Evaluation of External Sales Forces through Stands at Fairs and Centers
Commercial.
In all these impact evaluations, threats are considered, among others
many, those related to the fact that “the basis that legitimizes the treatment is not adequate, it is
illegal or has not been properly formulated ”and“ at the time of collection of the
data is not provided the minimum information provided to the person or is not
provides no information "In both cases the probability is valued as high,
the impact as very high and the inherent risk high. Controls are mentioned
adopted, referring to the legitimizing basis of the treatment, in the first case,
and "Data Protection clause included in the contract signed with the client with
all the information required by the RGPD ”, in the second. They are described among the
checks in progress for both threats on all channels except channel
OOCC, “the implementation of a new contracting procedure through
representative, incorporating the sending of an SMS / Email message through which the
provides the basic information necessary in terms of data protection to the owner of the
contract."
The date on which the actions in progress were incorporated into the
corresponding impact evaluations.
These documents are declared reproduced in this act for evidentiary purposes.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679,
of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of
Individuals with regard to the Processing of Personal and Free Data
Circulation of this Data (General Data Protection Regulation, hereinafter
RGPD) recognizes each Control Authority, and as established in the articles
47, 48, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the
Director of the Spanish Data Protection Agency is competent to initiate and
solve this procedure.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 94
94/136
Article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in their development and, as long as they do not contradict them, in a
subsidiary, by the general rules on administrative procedures. "
II
Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the
Council of April 27, 2016, regarding the protection of natural persons in the
regarding the processing of personal data and the free circulation of these data
(General Data Protection Regulation, hereinafter RGPD), under the rubric
"Definitions", provides the following:
"2)" treatment ": any operation or set of operations carried out on
personal data or personal data sets, whether by procedures
automated or not, such as collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of authorization of
access, collation or interconnection, limitation, deletion or destruction ”.
7) "data controller" or "controller": the natural or legal person,
public authority, service or other body that, alone or together with others, determines the
purposes and means of the treatment; whether the law of the Union or of the Member States
determines the purposes and means of the treatment, the person responsible for the treatment or
Specific criteria for their appointment may be established by Union law.
or of the Member States "
Article 24.1 of the RGPD provides for the responsibility of the person responsible for the
treatment that “Taking into account the nature, scope, context and purposes of the
treatment as well as risks of varying probability and severity to the rights and
freedoms of natural persons, the data controller will apply measures
appropriate technical and organizational techniques in order to ensure and be able to demonstrate that the
treatment is in accordance with this Regulation. These measures will be reviewed and
will update when necessary . "
In this case, it is established that EDP ENERGÍA, SAU is responsible for the
data processing, referred to in the factual background of this agreement
initiation of the sanctioning procedure, since, according to the definition of the article
4.7 of the RGPD, it is who determines the purpose and means of the treatments carried out with
the purposes indicated in the documentation provided relative to the hiring of their
services, therefore, in its capacity as data controller, it is obliged to
comply with the provisions of article 24 transcript of the RGPD and especially regarding the control
effective and continuous of “appropriate technical and organizational measures in order to guarantee and
to be able to demonstrate that the treatment is in accordance with this Regulation "
Likewise, article 25. 1 of the RGPD establishes that “ Taking into account the state of
the technique, the cost of the application and the nature, scope, context and purposes of the
treatment, as well as the risks of varying likelihood and severity posed by the
treatment for the rights and freedoms of natural persons, the person responsible for the
treatment will apply, both at the time of determining the means of treatment
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 95
95/136
as at the time of the treatment itself, technical and organizational measures
appropriate, such as pseudonymisation, designed to effectively apply the
data protection principles, such as data minimization, and integrating the
guarantees necessary in the treatment, in order to meet the requirements of this
Regulation and protect the rights of the interested parties. "
For these purposes, the provisions of the following recitals of the
GDPR:
74. “The responsibility of the person responsible for the treatment for
any processing of personal data carried out by himself or on his own. On
In particular, the person responsible must be obliged to apply timely and effective measures and
must be able to demonstrate the compliance of the processing activities with the
this Regulation, including the effectiveness of the measures. These measures must have
take into account the nature, scope, context and purposes of the processing as well as the
risk to the rights and freedoms of natural persons. "
75. “The serious and serious risks to the rights and freedoms of natural persons
variable probability, may be due to the processing of data that could cause
Physical, material or immaterial damages, particularly in cases where
that the treatment may give rise to problems of discrimination, usurpation of
identity or fraud, financial loss, reputational damage, loss of
confidentiality of data subject to professional secrecy, unauthorized reversal of the
pseudonymization or any other significant economic or social damage; in the
cases in which the interested parties are deprived of their rights and freedoms or are
prevent exercising control over your personal data; in cases where the data
personal treaties reveal ethnic or racial origin, political opinions, religion
or philosophical beliefs, union membership and the processing of genetic data,
data relating to health or data on sexual life, or convictions and offenses
criminal or related security measures; in the cases in which they are evaluated
personal aspects, in particular the analysis or prediction of aspects related to the
job performance, financial status, health, preferences or interests
personal, reliability or behavior, situation or movements, in order to create or
use personal profiles; in the cases in which personal data of
vulnerable people, in particular children; or in cases where the treatment
involves a large amount of personal data and affects a large number of
interested. "
76. “The probability and severity of the risk to the rights and freedoms of the
stakeholder should be determined with reference to the nature, scope, context and
the purposes of data processing. Risk should be weighted on the basis of a
objective evaluation by which it is determined whether the treatment operations of
data pose a risk or if the risk is high. "
Therefore, the controller must carry out an analysis of the
risks that the data processing carried out may have for the rights and
freedoms of natural persons, implementing technical and organizational measures
appropriate to apply the principles of data protection and integrate the guarantees
necessary in the treatment in order to comply with the requirements of the RGPD, being able to
demonstrate that the treatment is in accordance with the provisions of the aforementioned standard.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 96
96/136
The data protection principles are contained in article 5 of the
RGPD, the first of which should be highlighted here regarding the legality of the
treatment. In accordance with article 5.1.a of the RGPD “Personal data will be: a)
treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness,
loyalty and transparency '). The second number of article 5 provides that “The
responsible for the treatment will be responsible for compliance with the provisions of the
paragraph 1 and capable of demonstrating it ('proactive responsibility'). "
The legality of the treatment implies that personal data can only be
treated by the person responsible for the treatment when any of the bases
legitimating entities listed in article 6 of the RGPD.
Taking into account the documentation provided by the person responsible for the treatment,
It should be noted that the contracting of electricity services by EDP
ENERGÍA, SAU can be carried out through different channels, these being the
following:
A- Telephone, which includes the following sub-channels: CAC Inbound, Telemarketing and
Leads.
B. Web Channel.
C. Distributors, which includes EDP's own Commercial Offices and third-party stores.
D. External Sales Forces, which can be: Stands at Fairs, Centers
Commercial, etc., or home visits with prior request.
According to said documentation, the contracting of the service can be carried out
with a customer representative, except for the web channel and sub-channel
third-party stores where it is not allowed. Examination of procedures
contracting the service described by the person in charge and the documentation provided
show that when the service is contracted through
representative is not required to prove the representation he claims to hold.
This absence of accreditation has a single exception when the hiring of the
service is carried out in the sub-channel of our own commercial offices in which a
document certifying the authorization granted for contracting by the
represented together with the presentation of his DNI (evidence 5). .
Thus, to the extent that a procedure has not been implemented that allows
certify the representation of the person who makes a contract on behalf of a
third, various risks may be generated and may be mentioned, by way of
For example, the one consisting of a data processing of the represented without legitimation, the
risk of identity theft or economic or other damages that are
may cause the interested party as a result of the change of company
service provider with the consequent cancellation of the original contract or the
change of ownership of the contract or the type of contract with the company
supplier, without the interested party having consented to such changes.
Secondly, in the documentation provided, it is observed that in the channel of
telephone contracting (CAC inbound, Telemarketing and leads subchannels) together with the
hiring the service, consent is requested to carry out other
treatments, such as sending energy-related offers tailored to the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 97
97/136
customer profile upon completion of the contract or referral at any time of
information on non-energy products or services of collaborating companies or
EDP. This request is made to the representative as is clear from the own
literality of the text of evidence 2, 3 and 4 submitted, according to which the
this one: “May we present to your client offers related to energy
adapted to your profile after the end of the contract, or send you at any time
information of non-energy products and services, of Collaborating Companies or of
EDP? " (Evidence 2)" Can you allow us to present your client with related offers
with the energy after the end of the contract, or send you at any time
information on products and services of the financial, insurance and
automotive, Collaborating Companies or EDP? " (evidence 3). "Allows us
present you with energy-related offers tailored to your profile after the
termination of the contract, or send you at any time product information and
non-energy services, of Collaborating Companies or EDP? (evidence 4).
In none of the three cases, as can be seen from the analysis of the
procedures followed by the person in charge in the hiring processes,
requests proof that the representative has been authorized to provide such
consent on behalf of the principal.
Nor is it proven that the representative has been authorized by his client.
to consent to the processing of data for advertising purposes that has been done above
reference, if it does so, when the hiring process is carried out
carried out through the channel of commercial offices owned by EDP ENERGÍA, SAU and
that no such possibility is contemplated in the document presented as evidence 5, in
which contains the authorizations for various treatments by the
representative, it should be taken into account that it must, where appropriate, be a
specific mandate without being deduced from a general authorization for others
treatments.
In the case of contracting through the external forces channel, evidence 6, at the
that the person in charge calls sales check, contains, in the box entitled
"Client / representative", a box to consent to the processing of personal data,
in the following terms: "I consent to the processing of my personal data once
once the contractual relationship has ended, to carry out commercial communications
adapted to my profile of products and services related to the supply and consumption of
Energy. Likewise, I consent to the aforementioned treatments during the term and after
the termination of the contract, on non-energy products and services, both of the
EDP ​​Group companies and third parties. " In said contract or sales stub,
as it has been called by the person in charge, it also appears, after the spaces
destined to the data of the representative who “declares to have powers
sufficient to sign this contract on behalf of the client to whom it is
is responsible for informing of all the conditions of the same. " Nor in this
hiring procedure requires an accreditation of the representation that is
claims to hold to contract or give consent for other treatments in
name of the represented, being the representation merely declared by the
representative.
Neither in these cases has a procedure been implemented that allows to accredit
that the representative had the authorization of the principal to consent to such
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 98
98/136
treatments, producing the risk of data processing of the represented without
legitimation, being exposed to the reception of publicity even after
the contractual relationship has ended. In the case of the external sales forces channel,
increases the risk, since the contract is not even sent to the represented, but
that the copy is given to the representative who is responsible for informing the
represented.
Thirdly, it is observed in the documentation in this procedure
that at the time of contracting through the telephone channel, in all
subchannels, the representative is requested permission to “complete the commercial profile of the
represented with information from third-party databases, in order to send you
commercial proposals and the possibility of contracting or not certain services "
(evidence 2, 3 and 4). As in the previous case, it is not proven that the
representative is authorized by the represented to consent to such treatment.
The same can be said when consent for this treatment is given by
the representative in the channel own commercial offices, since there is also no
in the document that reflects the authorizations granted to the representative
(evidence 5), specific authorizations for the representative to provide his
consent for such treatments.
In the case of the external forces channel, in the so-called sales book, it appears
a box to give consent, which is formulated as follows:
"I consent to the processing of my personal data for the elaboration of my profile
with information from third party databases, for the
adoption, by EDP, of automated decisions in order to send
personalized commercial proposals, as well as to allow, or not, the contracting
of certain services. " Likewise, no accreditation of the authorization of the
represented to consent to these treatments, considering that
his statement in this regard is sufficient. Moreover, just as it was revealed
above, the risk for the represented is increased since the check book
sales (evidence 6) it appears that a copy of the document is delivered to the
representative who is responsible for informing the principal.
Neither in these cases has a procedure been implemented that allows to accredit
that the representative had the authorization of the principal to consent to such
treatments, leaving the interested party exposed to profiling with
information from third party databases or decisions are made
automated with respect to him without having consented.
In the allegations to the agreement to initiate this proceeding, it was stated that
the freedom of form in the manner established in the Civil Code for the contract of
mandate is incompatible with obtaining evidence of the existence of the
representation or mandate, beyond the representations of the president, protected
in good contractual faith. However, as this Agency has indicated in the
resolution proposal, nothing prevents one of the parties to a contract from requiring
who acts as agent of the other party the accreditation of the representation that
claims to show off, proof of this is that EDP ENERGÍA, SAU itself requires it in its
contracting procedure in the channel own commercial offices, requiring the
representative a document certifying the authorization granted for the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 99
99/136
hiring by the represented signed by both, which must be accompanied by the
DNI of both the representative and the represented. It is now alleged by said entity
that it is not obliged to carry out with authorized third parties that contract through the
telephone channel or external sales forces no verification of the existence
and scope of its mandate, on the basis that the possibility of verifying the
powers of the principal constitute a burden for the agent, not for the third party,
since the interests to be safeguarded, within the framework of civil law,
they are those of the latter, and not those of the agent, nor those of the principal. It is alleged
also, that in the power to contract the service through an authorized third party
resides the power to give the consents inherent to the hiring process,
including those related to the processing of personal data.
This Agency cannot share such arguments, the regulations for the protection of
personal data focuses on the protection of this right of the interested parties, of
so that your data can only be processed when there is legitimacy,
without which no data processing can be carried out. In the event that we
occupies the legitimation may derive from the existence of a contract or the provision
of a consent for certain treatments, so that if the contract is
made by a third party on behalf of the interested party or such consents are
provided by a third party on behalf of the interested party, the data controller must
act diligently to verify that whoever claims to be
authorized to act on behalf of another, indeed he is and that that
authorization extends not only to the execution of a contract, but to the provision
of consents for other different data processing that are requested
during the hiring process. In the latter case, all the more reason can
doubt the existence of such authorization by the interested party to consent
treatments on your behalf, taking into account that consent requests
For the sending of commercial communications and the realization of profiling,
carried out during the telephone contracting process, unexpectedly, in
so that it is difficult to think that the principal has previously authorized the
representative to give such consents. In the same way, it is doubtful
that in a process of contracting in the channel external forces, which must be remembered
refers to the hiring in stands of fairs or shopping centers, there is a
prior authorization to consent to treatments on behalf of the represented, since such
The request is also made during the hiring process, aggravating the
risk for the interested party inasmuch as the contract is not even sent, but is
gives a copy to the representative who is responsible for informing the represented party.
In this way, the first of the risks to assess is precisely the legitimacy for
each treatment, and in particular, and in the event of acting through a representative
the risks that the data subject has for the data processing without the proper
legitimation, in the event that the representative lacks the power to allow such
treatments.
The risk analysis initially presented does not consider the aforementioned risks
above, limiting itself to mentioning commercial communications as risks
and scoring / profiling, risks that are not even considered for the channel
external sales. The risk analysis presented with the allegations to the agreement
The startup does not contemplate such risks either, being substantially the same as the previous one.
including only two columns that under the same title "No. of EIPD criteria-
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 100
100/136
WP29 ”point out in one of them the supposed number of criteria and the need to
carry out a DPIA.
Several impact evaluations are provided with the allegations, one for each of the
sales channels, in which threats are considered, among others, the
two following: “the basis that legitimizes the treatment is not adequate, it is illegal or it is not
has been properly formulated ”and“ at the time of data collection, there was no
provides the minimum information provided to the person or is not provided
no information ”In both cases the probability is valued as high, the impact
as very high and the inherent risk as high. The adopted controls are mentioned,
that with respect to the first threat are constituted by the reference to the base
legitimizing the treatment and in the case of the second it is indicated as control
adopted the following: "Data Protection clause included in the signed contract
with the client with all the information required by the RGPD ”. They are described among the
checks in progress for both threats on all channels except channel
OOCC to clients or potential clients, “the implementation of a new procedure of
hiring through a representative, incorporating the sending of a message
SMS / Email through which the necessary basic information is provided regarding
data protection to the contract holder. " There is no record of the date on which he joined
impact evaluations of this ongoing action.
EDP ​​ENERGÍA, SAU alleges that the AEPD intends to justify the start of this
sanctioning file in the alleged non-existence of documentation that never
Has been requested. And it points out that it has a methodology for identification, analysis and
risk management, both to identify inherent risks, and specifically
to assess the need to carry out Impact Assessments, including
as an annex the supporting documentation that amply proves that it complies
fully and fully with these obligations.
In this regard, it should be taken into account that the obligations established in the
Articles 24 and 25 of the RGPD do not constitute mere formal obligations, but rather
as stated in article 24 "the person in charge will apply technical and organizational measures
appropriate in order to guarantee and be able to demonstrate that the treatment is in accordance with the
these Regulations. " And article 25 also reiterates that " the person responsible for the
treatment will apply, both at the time of determining the means of treatment
as at the time of the treatment itself, technical and organizational measures
appropriate, such as pseudonymisation, designed to effectively apply the
data protection principles, such as data minimization, and integrating the
guarantees necessary in the treatment, in order to meet the requirements of this
Regulation and protect the rights of the interested parties. " It is also a
dynamic obligation, each modification of the technical and organizational measures must
also be subject to a risk analysis to determine whether said modification
is suitable for effectively applying data protection principles and integrating
the necessary guarantees in the treatment.
In the present case, regardless of when it has been included in each
Impact evaluation between the controls in progress the implementation of this new
hiring procedure through a representative, since said date does not
It is clear that it is not until July 16, 2020 that a
writing stating that “it has reviewed the procedure to be followed in contracting
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 101
101/136
by third parties on behalf of the owner, in order to strengthen said procedure and reduce the
risks of possible identity theft carried out in bad faith by the party
contracting party in this type of process, taking into account, additionally, the
particular needs identified as a result of the state of alarm decreed on the
last March and that has necessarily required that all
hiring are carried out in a non-face-to-face way.
That in order to inform the AEPD of the specific actions that are
are being carried out in relation to this matter by EDP, in compliance
of their duty of proactive compliance (accountability), we attach the
"Contracting procedure by third parties on behalf of the owner", so that they have
visibility on the modifications that are being implemented in these processes
in order to meet your request in this regard, as well as to highlight the
EDP's proactivity regarding its suggestion of adaptation of said
process." Said letter did not indicate the date of implementation of such measures.
In EDP ENERGÍA SAU's allegations, it is stated that “the protocol of
The proposed contract has been brought to the attention of the AEPD on
July 2020, presented in any case before receiving the written Start Agreement
of Sanctioning Procedure, being a Request for information with number
common for EPD ENERGÍA and EDP COMERCIALIZADORA without the
AEPD has ruled on it with the corresponding legal report
assessment, as requested, in order to implement a system that
was fully in accordance with the criteria and interpretations of the AEPD, limiting
so far to be included in the Initiation Agreement sent to EDP ENERGÍA
certain considerations in relation to it. " It also states that “In
Regarding the date of implantation, it depends precisely on the opinion that
the AEPD states about this procedure, since it would not make sense to put it
ongoing if the supervisory authority considers that it does not meet its criteria for
consider it an appropriate procedure, taking into account the economic costs
associated with this implementation, in addition to the resources of time and dedication
necessary for the deployment of these measures. "
The allegations to the motion for a resolution indicate that the procedure has been
implemented in January 2021. It also adds that it has been removed from its
contracting procedure by representation the possibility of requesting
consents for marketing and commercial purposes referred to in the
AEPD, attached some documents to evidence this elimination. Without prejudice to
that this Agency values ​​positively that the possibility of requesting
such consents, the procedure followed in the channels
telephone numbers, in which the deletion consists in indicating “[Read only legal persons
calling on behalf of a business] Also, so that we can advise you
with the best proposals: • Do you allow us to present your client with offers
related to energy after the end of the contract, or send you information on
non-energy products and services, typical of Collaborating Companies? [OTHERWISE] •
Will you allow us to complete the commercial profile of your client with information
provided by third parties, to send you personalized proposals? [OTHERWISE]." The
Data protection regulations do not protect legal persons, so that
it is beyond her that consent is requested to carry out a profiling
of these with information provided by third parties to send you proposals
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 102
102/136
personalized. In any case, it is not indicated what treatment will be given to the
authorizations provided by a representative of natural persons to send
commercial communications and profiling requested prior to
the adoption of said measure. On the other hand, the analysis of
risk from which the modification of the contracting procedure or the
justification on the suitability of the measures adopted to minimize them.
Reiterating the breach of the principle of proactive responsibility required by the
Regulation.
All of this goes to show that no measures had been taken to verify the
existence of authorization to contract or to lend on behalf of the represented
consent for other treatments until January of this year in which it was implanted
as they expose a new procedure, to verify the reality of the
representation and it has been eliminated, without indicating from what date, the possibility of
request authorization from the representative to carry out data processing
other than the contract such as the sending of commercial communications and the realization of
commercial profiles, thus breaching the obligations established in article 25
that are not limited to formal aspects, but to the effective implementation of
appropriate technical and organizational measures, measures which in turn should be subject to
of the corresponding risk analysis to determine its aptitude to achieve the
pursued result.
On the other hand, in relation to what is stated in the allegations to the commencement agreement, in
that it was indicated that such measures had not been implemented as this
The Agency had not issued a legal report to evaluate them, as it results from the
provided for in the RGPD is responsible, in compliance with its obligations to
proactive responsibility, who must implement the technical and organizational measures
necessary, as expressed in articles 24 and 25 of the RGPD, or as indicated in
the terms of recital 73 of the same standard: "In particular, the person responsible
must be obliged to apply timely and effective measures and must be able to demonstrate the
compliance of the processing activities with this Regulation, including the
effectiveness of the measures ”and it is up to the person responsible to assess whether such
measures are adequate. Second, this Agency is not required to issue
any legal report on such actions, which also in the event that
could be issued voluntarily, it is not binding, so there is no
justify, in the absence of a legal report from the AEPD, the breach of the
Responsible party's obligations.
Likewise, in the allegations to the commencement agreement, EDP ENERGÍA indicated,
SAU the application of the non bis in idem principle because it considers that the assessment of
the commission stems from events that, prior to the present
procedure, have been previously analyzed by the AEPD. In this respect it is
remember that the ruling of the Constitutional Court 77/2010, of October 19 comes
to point out with respect to said principle that “as we have affirmed the aforementioned triple
identity of subject, fact and foundation "constitutes the assumption of application of the
constitutional prohibition of incurring bis in idem, be it substantive or procedural, and
defines the content of the fundamental rights recognized in art. 25.1 CE, already
that these do not prevent the concurrence of any sanctions and procedures
sanctioners, not even if they are aimed at the same facts, but rather
These fundamental rights consist precisely in not suffering from a double
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 103
103/136
sanction and in not being subjected to a double punitive procedure, by the same
facts and with the same foundation "Such allegation cannot be admitted, since there is no
appreciate here that it is about the same facts and grounds as in procedures
previous followed against EDP ENERGÍA, SAU, since they were charged with
either the violation of article 6.1 of Organic Law 15/1999, of December 13, of
Protection of Personal Data or the violation of article 6.1 of the
RGPD, for treating the personal data of the claimants without legitimacy.
Consequently, in accordance with the findings set forth, the aforementioned
facts could be a possible violation of article 25 of the RGPD, which gives
place to the application of the corrective powers that article 58 of the RGPD grants to the
Spanish Agency for Data Protection.
III
The number 11 of article 4 of the RGPD defines consent as “ All
manifestation of free, specific, informed and unequivocal will by which the
interested party accepts, either through a statement or a clear affirmative action, the
processing of personal data concerning you "
For their part, articles 6 and 7 of the RGPD refer, respectively, to the “Legality
of the treatment ” and the “ Conditions for consent ”:
Article 6 of the RGPD. "1. The treatment will only be lawful if at least one of the
the following conditions:
a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at his request of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
responsible for the treatment;
d) the treatment is necessary to protect vital interests of the interested party or of another
Physical person;
e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that on said
interests do not override the interests or fundamental rights and freedoms of the
interested party who require the protection of personal data, in particular when the
interested is a child.
The provisions of letter f) of the first paragraph will not apply to the treatment
carried out by public authorities in the exercise of their functions.
2. Member States may maintain or introduce more specific provisions
in order to adapt the application of the rules of this Regulation with respect to the
treatment in compliance with section 1, letters c) and e), setting moreover
specifies specific treatment requirements and other measures that ensure a
lawful and equitable treatment, including other specific situations of
treatment according to chapter IX.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 104
104/136
3. The basis of the treatment indicated in section 1, letters c) and e), must be
established by:
a) Union law, or
b) the law of the Member States that applies to the controller.
The purpose of the treatment must be determined in said legal basis or, as
relating to the treatment referred to in paragraph 1, letter e), will be necessary for the
fulfillment of a mission carried out in the public interest or in the exercise of powers
public conferred to the person in charge of the treatment. Said legal basis may contain
specific provisions to adapt the application of the rules of this
Regulation, among others: the general conditions that govern the legality of the treatment
by the person in charge; the types of data being processed; the interested
affected; the entities to which personal data may be communicated and the purposes
of such communication; the limitation of the purpose; the terms of conservation of the
data, as well as operations and treatment procedures, including
measures to guarantee a lawful and equitable treatment, such as those related to other
specific treatment situations in accordance with Chapter IX. Union law
or Member States will meet a public interest objective and will be proportional
to the legitimate end pursued.
4. When the treatment for a purpose other than that for which the data were collected
personal data is not based on the consent of the interested party or on the Law
of the Union or of the Member States that constitutes a necessary measure and
proportional in a democratic society to safeguard the stated objectives
in article 23, paragraph 1, the data controller, in order to determine
if the treatment for another purpose is compatible with the purpose for which they were collected
initially personal data, will take into account, among other things:
a) any relationship between the purposes for which the data was collected
personal and the purposes of the planned further processing;
b) the context in which the personal data was collected, in particular for what
Regarding the relationship between the interested parties and the person responsible for the treatment;
c) the nature of the personal data, specifically when categories are processed
special personal data, in accordance with article 9, or personal data
relating to convictions and criminal offenses, in accordance with article 10;
d) the possible consequences for the data subjects of the planned further processing;
e) the existence of adequate guarantees, which may include encryption or
pseudonymisation ”.
Article 7 of the RGPD .
"1. When the treatment is based on the consent of the interested party, the person in charge
must be able to demonstrate that he consented to the processing of his data
personal.
2. If the consent of the interested party is given in the context of a written statement
that also refers to other matters, the request for consent will be submitted
such that it is clearly distinguishable from other subjects, intelligibly and clearly
easy access and using clear and simple language. No part will be binding
of the declaration that constitutes an infringement of these Regulations.
3. The interested party will have the right to withdraw their consent at any time. The
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 105
105/136
Withdrawal of consent will not affect the legality of the treatment based on the
consent prior to its withdrawal. Before giving consent, the interested party
you will be informed of it. It will be as easy to withdraw consent as it is to give it.
4. When evaluating whether consent has been freely given, it will be taken into account in the
as much as possible the fact whether, among other things, the performance of a contract,
including the provision of a service, is subject to consent to the treatment of
personal data that are not necessary for the execution of said contract ”.
It takes into account what is expressed in recitals 32, 40 to 44 and 47 of the RGPD in
relation with the provisions of articles 6 and 7 above. From what is expressed in
these recitals, the following should be noted:
(32) Consent must be given by a clear affirmative act that reflects a
manifestation of free, specific, informed, and unequivocal will of the interested party
accept the processing of personal data concerning you, as a
written statement, including by electronic means, or an oral statement.
This could include checking a box on a website on the internet, choosing parameters
technicians for the use of information society services, or any
other statement or conduct that clearly indicates in this context that the data subject
accepts the proposal for the processing of your personal data. Therefore, the silence, the
Check boxes or inaction should not constitute consent. The
Consent must be given for all processing activities carried out with the
same or the same ends. When the treatment has several purposes, the
consent for all of them. If the consent of the interested party has to be given to
following a request by electronic means, the request must be clear, concise and not
unnecessarily disturbing the use of the service for which it is provided.
(42) When the treatment is carried out with the consent of the interested party, the
data controller must be able to demonstrate that he has given his
consent to the treatment operation. In particular in the context of a
written statement made on another matter, there must be assurances that the
interested party is aware of the fact that he gives his consent and of the extent to which
that makes. In accordance with Council Directive 93/13 / EEC (LCEur 1993, 1071),
an elaborate model declaration of consent must be provided
previously by the person responsible for the treatment with an intelligible formulation and
easy access that uses clear and simple language, and does not contain clauses
abusive. For the consent to be informed, the interested party must know how
minimum the identity of the person responsible for the treatment and the purposes of the treatment
which personal data is intended for. Consent should not be considered
freely provided when the interested party does not have a true or free choice or not
You can deny or withdraw your consent without suffering any harm.
(43) (…) It is presumed that consent has not been freely given when no
allow the separate authorization of the different data processing operations
personal despite being appropriate in the specific case, or when compliance with a
contract, including the provision of a service, is dependent on consent,
even when this is not necessary for such compliance.
It is also necessary to take into account the provisions of article 6 of the LOPDGDD:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 106
106/136
"Article 6. Treatment based on the consent of the affected party
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679,
The consent of the affected party is understood to be any manifestation of free will,
specific, informed and unequivocal for which it accepts, either through a
declaration or a clear affirmative action, the processing of personal data that
concern.
2. When it is intended to base the treatment of the data on the consent of the
affected for a plurality of purposes, it will be necessary to record in a
specific and unequivocal that said consent is granted for all of them.
3. The execution of the contract may not be subject to the consent of the affected party to the
processing of personal data for purposes that are not related to the
maintenance, development or control of the contractual relationship ” .
In accordance with the above, data processing requires the existence of a
legal basis that legitimizes it, such as the consent of the interested party provided
validly.
From the analysis of the gas service contracting procedures established by
EDP ​​ENERGÍA, SAU, it is clear that in the contracting carried out through the
telephone subchannels (CAC Inbound, Telemarketing and Leads) are requested from
representative permission to “complete the business profile of represented with
information on third-party databases, in order to send you commercial proposals
and the possibility of contracting or not certain services ”(evidence 2, 3 and 4).
Evidence 2, 3 and 4 show that the following information is provided to the contractor
“Your personal data and that of your client will be processed by EDP Comercializa-
dora SAU and EDP Energía SAU for the management of their contracts, fraud prevention,
creation of profiles based on customer and EDP information, as well as the realization of
zation of personalized communications about products or services directly
related to their contracts, being able at any time to oppose the same
more. "Your consent is then requested in the following terms:
"Additionally, so that EDP can advise you with the best proposals
tas:
Will you allow us to complete the commercial profile of your client with information from
third-party data sessions, in order to send you personalized proposals and the
possibility of contracting or not certain services? [OTHERWISE]"
Regarding the sales channel by external sales forces, in the
sales (evidence 6), the following consent request is included along with a
box to check the same:
"I consent to the processing of my personal data for the elaboration of my profile
with information from third party databases, for the
adoption, by EDP, of automated decisions in order to send
personalized commercial proposals, as well as to allow, or not, the contracting
of certain services. "
It is considered that the consent thus given is not adjusted to the provisions of the
RGPD and in the LOPDGDD. Consent is requested with deficient information,
As long as neither what third-party databases are going to be consulted nor what type of data are indicated
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 107
107/136
are going to be collected, so that the interested party is completely unaware of what
is consenting. Nor is it determined who will be responsible for the
treatment, a generic reference is made to EDP, without the client having
contracted a service only with one of the two entities (EDP
COMERCIALIZADORA SAU or EDP ENERGÍA, SAU) know if you are consenting
that such treatments are carried out by both entities or only the one of which
is a customer. Nor is it clear what type of services will be allowed to contract or not.
Such deficiencies do not allow the interested party to know the consequences of their
decision and thus assess the convenience of giving consent or not.
A single consent is also requested for two different purposes, although
both are automated, one of them is the sending of personalized advertising and, the
another, to give permission for the person in charge to determine whether or not to allow
certain services, so such consent cannot be considered to be
specific in the terms of articles 4.11 and 6.1.a) of the RGPD and 6.1 of the
LOPDGDD.
Regarding the automated decision regarding “to allow or not the hiring of a
service ”must also take into account the provisions of article 22 of the RGPD
according to which:
" 1. Any interested party shall have the right not to be the subject of a decision based on
only in automated processing, including profiling, which
produces legal effects on him or significantly affects him in a similar way.
2. Paragraph 1 shall not apply if the decision:
a) is necessary for the conclusion or execution of a contract between the interested party and
a data controller;
b) is authorized by the law of the Union or of the Member States that
apply to the person responsible for the treatment and also establish adequate measures
to safeguard the rights and freedoms and the legitimate interests of the interested party, or
c) is based on the explicit consent of the interested party.
3. In the cases referred to in section 2, letters a) and c), the person responsible for the
treatment will adopt the appropriate measures to safeguard the rights and
freedoms and legitimate interests of the interested party, at least the right to obtain
human intervention by the person in charge, to express their point of view and
challenge the decision.
4. The decisions referred to in paragraph 2 shall not be based on the categories
special personal data referred to in article 9, paragraph 1, except that
Article 9 (2) (a) or (g) applies, and measures have been taken
adequate to safeguard the rights and freedoms and the legitimate interests of the
interested."
In accordance with the provisions of said precept, insofar as the decisions
automated systems will produce legal effects on the interested party or will affect
meaningful way, consent must be explicit, so obtaining it is not
can be done in the same way as to obtain general consent,
having to be obtained in a reinforced way. To this must be added that Article 13 of the
RGPD in letter f) requires that significant information be provided to the interested party
on the applied logic, as well as the importance and expected consequences of
said treatment for the interested party. This information is not provided which, in addition,
may make it difficult for the interested parties to exercise their rights and especially
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 108
108/136
of those expressly included in art. 22 of the RGPD: right to obtain intervention
human rights on the part of the person in charge, to express their point of view and to challenge the
decision.
Alleges EDP ENERGÍA, S.AU. that consent is provided based on the
good practices enunciated by the AEPD and ratified by the LOPDGDD, so
that the interested parties are transferred through the double layer system, also alleges
that with respect to the absence of identification of the sources of third parties or
categories of data, such information may be derived from the information
provided to the client in the first layer (by clearly identifying that the treatment
will be made with third-party sources) as in the second layer, whose content
It appears in the section called "general conditions of the contract", whose
content indicates: “(II) The elaboration of commercial profiles of the Client by means of the
aggregation of EDP databases with data from databases
from third parties, in order to offer the Client personalized products and services,
thus improving the Customer experience. (III) Decision-making
automated, such as allowing the contracting, or not, of certain products
and / or services based on the Client's profile and particularly, on data such as, the
history of defaults, the history of hires, permanence, locations, data
consumption, types of devices connected to the energy network, and similar data
that allow to know in greater detail the risks associated with the contracting. (iv)
Based on the results obtained from the aggregation of the indicated data,
EDP ​​may make personalized offers specifically aimed at achieving the
contracting of certain EDP products and / or services. "
It indicates that as reflected in the cited text, EDP ENERGÍA has identified with
broad detail the types of data that are treated for the detailed purposes, being the
sources consulted for this an obvious derivation of the above. Finally alleges
that being the origin of the data the interested party, it only corresponds to the
Entity inform in accordance with the provisions of article 13 RGPD, provision that
does not establish, in any of its precepts, the obligation to identify or the source
nor the typology of the data. Only in the event that said treatment had been
come to effect, the Entity should have reported such extremes, since
Only at that time would the provisions of article 14 RGPD apply.
These claims cannot be shared, the double layer system is not intended
in the LOPDGDD as a mechanism that may lead to a breach of the
provided for in article 4.11 of the RGPD, according to which consent must be free,
specific, informed and unequivocal. It is worth remembering here what was indicated by the Committee
European Data Protection in the document "" Guidelines 05/2020 on the
consent in accordance with Regulation 2016/679 ”approved on May 4,
2020, which updates the Consent Guidelines under the Regulation
2016/679, adopted by the Article 29 Working Group and approved
by the European Data Protection Committee at its first plenary meeting. Points
said document in point 3.3.1. Minimum content requirements for the
consent is "informed":
"In order for consent to be informed, it is necessary to inform the interested party
certain elements that are crucial to be able to choose. Therefore, the CEPD is of the opinion that
At least the following information is required to obtain valid consent:
i. the identity of the person responsible for the treatment,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 109
109/136
ii. the end of each of the treatment operations for which the
consent,
iii. what (type of) data is to be collected and used,
iv. the existence of the right to withdraw consent,
v. information on the use of the data for automated decisions of
in accordance with Article 22 (2) (c), where relevant, and
saw. information on the possible risks of data transfer due to the
absence of a decision on adequacy and adequate guarantees, as stated
described in article 46. "
In the present case, the identity of the person responsible for the
treatment, since it is collected on behalf of EDP, it is a
ambiguous information, since EDP ENERGÍA, SAU's client does not know if it is
consenting to the data processing being carried out by EDP
COMERCIALIZADORA SAU and EDP ENERGÍA, SAU or only by the former
entity with which you are contracting. On the other hand, at no time are you informed
which are the third-party databases from which data will be obtained, or
even in the second layer, being inadmissible that he should deduce it himself
client of the categories of data that it deals with. Nor can it be admitted that only in
the assumption that the treatment had been carried out should be reported to the
interested party of what data are going to be treated, since only in such case would it result from
Article 14 of the RGPD applies. On the contrary, it is essential that the interested party
know what types of data are going to be collected and used, so such information,
This is the data from third-party databases that will be used and, obviously, which databases
They are those, it is an essential element so that the interested party knows what he is consenting to.
Claims that consent is specific cannot be shared
because there is a single purpose, such as the generation of a commercial profile,
whose use is limited to two interrelated contexts: (i) the first, to lead to
carry out the assessment of the possibility of contracting and, (ii) the second, to issue the
corresponding commercial offers to the user in question. Requests for
consent to allow the completion of the commercial profile mention two purposes
differentiated, one the sending of personalized commercial proposals, described with
this generic nature, which may include any unrelated commercial proposal
to its services and another, the possibility of contracting or not certain services, entering
the latter, where appropriate, in the field of automated decisions.
Nor can it be admitted, as EDP ENERGÍA, SAU alleges, that the information relating to
the elaboration of profiles and automated decisions, complies with what is required by the
Article 13 of the RGPD, since it informs about the existence of automated decisions,
including profiling and provides meaningful information on the logic
applied, as well as the importance and expected consequences of such treatment
for the interested party.
In this sense, it is necessary to take into account what is stated in the Guidelines on decisions
individual automated and profiling for the purposes of the Regulation
2016/679 adopted by the Working Group on Data Protection of article 29
on October 3, 2017, last revised and adopted on February 6, 2018
and approved by the European Data Protection Committee at its first meeting
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 110
110/136
plenary, which refers to the significant information on the logic applied in the
following terms:
" Significant information on" applied logic "
The growth and complexity of machine learning can make it difficult
understand how an automated decision-making or profiling process works.
The data controller must find simple ways to inform the interested party about
the underlying logic or criteria used to arrive at the decision. The GDPR requires that the
responsible for the treatment offers meaningful information on the logic applied, not
necessarily a complex explanation of the algorithms used or the disclosure of the entire
algorithm.
However, the information provided must be sufficiently exhaustive so that the
interested party understands the reasons for the decision.
Example
A controller uses the credit rating to evaluate and reject a
loan application from a person. The rating may have been provided by a
credit reference body, or have been calculated directly from information
held by the person responsible for the treatment.
Regardless of the source (information about the source must be provided to the interested party in
under article 14, paragraph 2, letter f), when the personal data have not been obtained
from the interested party), if the controller is based on this qualification,
You must be able to explain this qualification to the interested party, as well as the reasons for it.
The controller must explain that this process helps them make decisions
fair and responsible on loans. It should also provide details about the
main characteristics considered when making the decision, the source of this
information and relevance. This may include, for example: • information provided by the
interested in the application form;
• information on the behavior of accounts, including payment arrears; and •
information from official public records, such as fraud information or records of
insolvency. Likewise, the person responsible for the treatment must include information to warn the
interested that the credit rating methods used are periodically checked
to ensure that they remain fair, effective and impartial. The person responsible for
treatment must offer contact information for the interested party to request the
reconsideration of the rejected decisions, in accordance with the provisions of the
article 22. "
This document also indicates the «Importance» and «consequences
planned »that“ This term suggests that information should be provided on the
planned or future treatment, and how the automated decision may affect the
interested. In order for this information to be meaningful and understandable, they must
offer real and tangible examples of the kind of possible effects. "
In the present case, in the opinion of this Agency, such requirements are not met: no
It is reported what type of products or services it will allow to contract, the
logic to apply to make this decision, limiting itself to indicating that a
set of data that “allow to know in greater detail the risks associated with the
contracting ”, therefore not knowing what type of products or services can be
allow hiring or the logic to apply for making said decision is not
You can know its importance or the expected consequences.
On the other hand, this Agency does not share the allegation that there is a competition
medial between these violations and the violation of article 13 of the RGPD. It fits this
In this regard, cite the judgment of July 16, 2019 of the National High Court, in which
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 111
111/136
it is stated that “Thus, as regards the existence of a medial contest between the two
infractions, which would determine the imposition of a single sanction, this Chamber has
repeatedly declared (judgments of January 29 and June 24, 2014
(resource 562/12 and 141/2013), among others, that both offenses are independent
and there is no medial relationship that is intended between the two, but rather: «[...] they can
be carried out with absolute independence, since they present their own substantivity and are
autonomous from each other, since they protect data protection principles
different, in one case the unequivocal consent that requires all treatment of
personal data (article 6.1 LOPD), and, in another, the quality of said personal data
(article 4.3 LOPD), in order to safeguard the power of disposal of the owner of the
themselves, which integrates the fundamental right to data protection (...) Of the
In the same way, it must be considered that the three infractions of article 6, 13 and 22 of the
RGPD are independent infringements, in this sense it should be taken into account that
Information constitutes an essential element of consent, in accordance with
the provisions of article 4.11 of the RGPD, being determinant of its existence, of
so that its absence will result in the consent being invalid, thus being able to
violate both article 6 and, where appropriate, 22 when the treatment is
based on the explicit consent of the interested party. On the other hand, there is a
principle of general transparency regarding all the processing carried out
the interested party and that is reflected in the provisions of articles 12 to 14. In this way
it may be the case that assumptions occur, in which in addition to the
non-existence of informed consent, the principle of transparency is violated
in general for all the treatments carried out by the interested party,
thus violating the provisions of articles 12 to 14, without implying a
medial infraction contest.
EPD ENERGÍA, SAU alleges that the treatment related to the creation of a profile
commercial based on the information of third parties for the referral of information
advertising is not, in practice, being carried out, nor at the date of issuance of the
present allegations, nor prior to them. It also alleges that,
even though EDP ENERGÍA includes the possibility of profiling and adopting
automated decisions, the only profiling performed, is related to the qualification of
clients regarding fraud prevention, treatment for which there is
legal authorization and is based on the legitimate interest of EDP ENERGÍA, with
the purpose of safeguarding the success of the contracts made by EDP
ENERGY, as well as preventing customers, whose sole purpose is to consume the service
energy without paying the bills, become part of the client portfolio. Without
detriment to the foregoing, the owners of the data are informed that said profiling is
reviewed and finally processed by EDP ENERGÍA staff, which is why no
can be considered as an automated decision in itself, taking into account in this
meaning to the literal wording of the concept established by the authorities. In other words,
nor is there any data processing based on automated decisions, nor is there
any manifestation about said treatments, since outside of the strictly
necessary to continue with the service and those provided by law, are not
carried out, which is why, not only can it not be considered that there are
non-compliance with article 22 of the RGPD, as the requirements are met
collected by the regulations, but there are not, nor can there be data owners who
may have been affected by such treatments.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 112
112/136
The purpose of this procedure at this point is to examine the
consent for the enrichment of profiles with third-party databases to
effects of sending advertising communications and possible decisions
automated systems that produce legal effects or significantly affect the
interested party and that are also based on their consent. Therefore
The profiling carried out will not be the object of a pronouncement in this procedure
for the prevention of fraud, which EDP ENERGÍA, SAU bases on the interest
legitimate, neither with regard to its legitimacy nor in relation to whether there are
automated decisions based on such profiling.
The instruction of the procedure has not made it possible to verify that EDP ENERGÍA, SAU
has carried out profiling incorporating data from third party databases or
data processing based on automated decisions that produce effects
legal or significantly affect the interested party who had consented to such
treatments, as requested during the hiring process.
This Agency considers that in the event that it was intended to carry out the
treatments mentioned in the previous paragraph, these should be adjusted to the
expressed demands and the requirements that make it possible to consider that the
Consent has been validly given and all the
Requirements required in accordance with article 22 of the RGPD.
Consequently, it is deemed appropriate that due to lack of evidence, taking into account the
principle of presumption of innocence expressly included for the proceedings
administrative penalties in article 53.2.b) of Law 39/2015, of 1
October, of Common Administrative Procedure of Public Administrations,
which recognizes the interested party the right “ To the presumption of non-existence of
administrative responsibility until proven otherwise ”, it is not considered
attributable to EDP ENERGÍA, SAU the violation of the provisions of articles 6 and
22, considered as possible infractions in the agreement to initiate this
sanctioning procedure.
IV
Article 12.1 of the RGPD provides that “ The person responsible for the treatment will take the
appropriate measures to provide the interested party with all the information indicated in the
Articles 13 and 14, as well as any communication pursuant to Articles 15 to 22
and 34 related to the treatment, in a concise, transparent, intelligible and easily
access, with clear and simple language, in particular any information directed
specifically to a child. The information will be provided in writing or by others
means, including, if applicable, by electronic means. When requested by the
interested party, the information may be provided verbally provided that the
identity of the interested party by other means. "
Articles 13 and 14 list the categories of information to be provided
when the personal data is obtained from the interested party and when the data
personal data have not been obtained from the interested party, respectively.
When personal data is collected directly from the interested party, the information
It must be provided at the same time that data collection takes place.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 113
113/136
It has article 13 of the RGPD
"Information that must be provided when personal data is obtained from the
interested
1. When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide
all the information indicated below:
a) the identity and contact details of the person in charge and, where appropriate, of their
representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the treatment to which the personal data are destined and the legal basis
of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate rights of the person responsible or a third party;
e) the recipients or categories of recipients of personal data, in their
case;
f) where appropriate, the intention of the person responsible to transfer personal data to a third party
country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the
adequate or appropriate warranties and the means of obtaining a copy of these or
to the fact that they have been borrowed.
2. In addition to the information mentioned in section 1, the person responsible for the
treatment will facilitate the interested party, at the time the data is obtained
personal information, the following information necessary to guarantee data processing
loyal and transparent:
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this deadline;
b) the existence of the right to request the data controller for access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, or to oppose the treatment, as well as the right to portability
of the data;
c) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide
personal data and is informed of the possible consequences of not
provide such data;
f) the existence of automated decisions, including profiling, to be
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.
3. When the data controller plans the further processing of data
personal data for a purpose other than that for which they were collected, will provide the
interested party, prior to said further processing, information on that other purpose
and any additional relevant information pursuant to section 2.
4. The provisions of paragraphs 1, 2 and 3 shall not apply when and in the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 114
114/136
to the extent that the interested party already has the information. "
Article 14
" Information to be provided when personal data has not been obtained
Of the interested
1. When the personal data have not been obtained from the interested party, the person in charge
of the treatment will provide you with the following information:
a) the identity and contact details of the person in charge and, where appropriate, of their
representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the treatment to which the personal data are destined, as well as the basis
legal treatment;
d) the categories of personal data in question;
e) the recipients or categories of recipients of personal data, in their
case;
f) where appropriate, the intention of the person responsible to transfer personal data to a
recipient in a third country or international organization and the existence or absence
of an adequacy decision of the Commission, or, in the case of transfers
indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph,
reference to adequate or appropriate guarantees and means of obtaining a
a copy of them or the fact that they have been loaned.
2. In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party with the following information necessary to guarantee
a fair and transparent data processing with respect to the interested party:
a) the period during which the personal data will be kept or, when that is not
possible, the criteria used to determine this deadline;
b) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate rights of the person responsible for the treatment or of a third party;
c) the existence of the right to request the data controller for access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, and to oppose the treatment, as well as the right to portability
of the data;
d) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
consent before its withdrawal;
e) the right to file a claim with a supervisory authority;
f) the source from which the personal data come and, where appropriate, if they come from
public access sources;
g) the existence of automated decisions, including profiling, to which
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.
3. The person responsible for the treatment will provide the information indicated in sections 1 and
two:
a) within a reasonable period of time, once the personal data has been obtained, and more
take within a month, taking into account the specific circumstances in which
said data is processed;
b) if the personal data are to be used for communication with the interested party, to
at the latest at the time of the first communication to said interested party, or
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 115
115/136
c) if it is planned to communicate them to another recipient, at the latest at the time
that the personal data are communicated for the first time.
4. When the data controller plans the further processing of the data
personal data for a purpose other than that for which they were obtained, will provide the
data subject, before said further processing, information on that other purpose and
any other relevant information indicated in section 2.
5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent
in what:
a) the interested party already has the information;
b) the communication of such information is impossible or involves an effort
disproportionate, in particular for processing for archival purposes in the interest
public, scientific or historical research purposes or statistical purposes, subject to
the conditions and guarantees indicated in article 89, paragraph 1, or to the extent
that the obligation mentioned in paragraph 1 of this article may
make it impossible or seriously impede the achievement of the objectives of such treatment. On
such cases, the person in charge will adopt adequate measures to protect the rights,
freedoms and legitimate interests of the interested party, including making public the
information;
c) the obtaining or the communication is expressly established by the Law of the
Union or Member States that applies to the controller and that
establish adequate measures to protect the legitimate interests of the data subject, or
d) when personal data must continue to be confidential about the
basis of an obligation of professional secrecy regulated by Union law or
of the Member States, including an obligation of secrecy of a statutory nature.
For its part, article 11, numbers 1 and 2 of the LOPDGDD provides the following:
" Article 11. Transparency and information to the affected 1. When personal data
are obtained from the affected party, the person responsible for the treatment may comply with the
duty of information established in article 13 of Regulation (EU) 2016/679
providing the affected party with the basic information referred to in the following section and
indicating an electronic address or other means that allows you to access in a
simple and immediate to the rest of the information.
2. The basic information referred to in the previous section must contain, at the
less: a) The identity of the person responsible for the treatment and of their representative, in their
case. b) The purpose of the treatment. c) The possibility of exercising rights
established in articles 15 to 22 of Regulation (EU) 2016/679. If the data
obtained from the affected party were to be processed for profiling,
Basic information will also include this circumstance. In this case, the
affected must be informed of their right to oppose the adoption of decisions
individual automated that produce legal effects on him or affect him
significantly similarly, when this right concurs in accordance with the
provided for in Article 22 of Regulation (EU) 2016/679 ”.
In relation to this principle of transparency, it also takes into account the
expressed in Recitals 39, 58, 60 and 61 of the RGPD.
(39) “All processing of personal data must be lawful and fair. For the people
it should be made absolutely clear that they are collecting, using, consulting
or otherwise processing personal data that concerns them, as well as the extent
in which said data is or will be processed. The principle of transparency requires that all
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 116
116/136
information and communication regarding the processing of said data is easily
accessible and easy to understand, and that simple and clear language is used. Saying
The principle refers in particular to the information of the interested parties about the identity
of the person responsible for the treatment and the purposes thereof and the information added to
guarantee fair and transparent treatment with regard to natural persons
affected and their right to obtain confirmation and communication of the data
personal concerns that are subject to treatment. Natural persons
must be aware of the risks, rules, safeguards and rights
relating to the processing of personal data as well as the way to enforce their
rights in relation to the treatment. In particular, the specific purposes of the
processing of personal data must be explicit and legitimate, and must
be determined at the time of collection. Personal data must be
adequate, relevant and limited to what is necessary for the purposes for which they are
treaties. This requires, in particular, ensuring that their
conservation period. Personal data should only be processed if the purpose of the
treatment could not reasonably be accomplished by other means. To ensure that
personal data is not kept longer than necessary, the person responsible for the
Treatment must establish deadlines for its deletion or periodic review. Must
take all reasonable steps to ensure that they are rectified or deleted
personal data that are inaccurate. Personal data must be a
a way that ensures adequate data security and confidentiality
personal data, including to prevent unauthorized access or use of said data and
of the equipment used in the treatment. "
(58) “The principle of transparency requires that all information directed to the public or the
is concise, easily accessible and easy to understand, and that a
clear and simple language, and, in addition, where appropriate, is displayed. This information could
be provided in electronic form, for example, when addressed to the public, through
a website. This is especially relevant in situations where proliferation
number of agents and the technological complexity of the practice make it difficult for the
interested to know and understand if they are being collected, by whom and for what purpose,
personal data concerning you, as in the case of online advertising.
Since children deserve specific protection, any information and
Communication whose treatment affects them must be facilitated in clear language and
simple that is easy to understand. "
(60) “The principles of fair and transparent treatment require that the
interested in the existence of the treatment operation and its purposes. The responsible
of the treatment must provide the interested party with any additional information
necessary to guarantee fair and transparent treatment, taking into account the
specific circumstances and context in which personal data is processed. I know
must also inform the interested party of the existence of profiling and of
the consequences of such elaboration. If the personal data is obtained from
interested parties, they should also be informed of whether they are obliged to provide them and of the
consequences should they fail to do so. Such information may be transmitted in
combination with standardized icons that offer, in an easily visible way,
intelligible and clearly legible, an adequate overview of the treatment
provided. Icons presented in electronic format must be legible
mechanically."
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 117
117/136
(61) “The interested parties should be provided with information on the treatment of their
personal data at the time it is obtained from them or, if obtained from another
source, within a reasonable time, depending on the circumstances of the case. If the
personal data can be legitimately communicated to another recipient, it must
inform the interested party at the time they are communicated to the recipient for the first
time. The person responsible for the treatment that plans to process the data for a purpose that does not
be the one for which they were collected must provide the interested party, before said
further processing, information on that other purpose and other necessary information.
When the origin of the personal data cannot be provided to the interested party due to
various sources have been used, general information should be provided. "
Examining the information provided by EDP ENERGÍA, SAU, it is observed that the
It does not meet the requirements of article 13 of the RGPD.
1 In the first place, when contracting is carried out through the subchannels
CAC Inbound, Telemarketing and Leads, the information is provided by telephone from the
as follows, as can be seen from the evidence provided:
In the CAC Inbound channel, the person who makes the contracting by phone is indicated
following: “Your personal data and that of your client will be processed by EDP
Comercializadora SAU and EDP Energía SAU to manage their contracts,
fraud prevention, profiling based on customer information and
EDP, as well as the realization of personalized communications about products or
services directly related to their contracts, being able at any time
moment to oppose them. "(Evidence 2, CAC Inbound channel hiring.)
In the Telemarketing and Leads contracting sub-channels, in addition to the information
that appears in the previous paragraph, the following information is added: “We remind you
that they may exercise their rights of access, rectification, or opposition at any time.
deletion, deletion, limitation and portability, through any of the indicated channels
in the General Conditions that can be consulted on our website *** URL.1 . " (evi-
dences 3 and 4)
Said information is not in accordance with the provisions of article 13 of the RGPD in
in relation to the provisions of article 11 of the LOPDGDD, as well as in the first of the
sos the information is incomplete since during the hiring process in the
Canal CAC Inbound is not informed of the possibility of exercising the rights established
two in articles 15 to 22 of the RGPD, nor is it indicated who hires an address
electronic or other means that allows easy and immediate access to the rest of the
you information.
It is alleged that at the beginning of the call the following phrase is heard "This call
can be recorded. The data you provide us will be processed by EDP Energía,
SAU and / or EDP Comercializadora, SAU for the management of your request or inquiry.
You can exercise the rights of access, rectification, deletion, opposition, limitation and
portability at any time. Check the Privacy Policy on our website
edpenergia.es or press 0 ”. It also considers that according to article 13.4 of the RGPD,
The obligation to inform does not apply to the extent that the interested party already
has the information and that in the case that concerns us, taking into account that the
initial speech is played automatically on each call, there is enough left
It has been accredited that any interested party who contacts EDP ENER-
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 118
118/136
GÍA, through the CAC Inbound Channel, receives information related to data protection
personal coughs.
Such allegations cannot be shared, in the opinion of this Agency an in-
formation in a fragmented and dispersed way that does not comply with the provisions of
articles 13 of the RGPD and 11 of the LOPDGDD, as well as in the initial locution that according to
alleges, in any case, when the call is initiated, the interested party is informed of the transaction.
processing of your data for the generic purposes of “managing the request or consulting
ta ”you are informed of the possibility of exercising the rights recognized by the RGPD and
You are directed to the privacy policy on the website or you are instructed to dial 0. In
that second locution, the purposes are extended to those of conducting surveys and
participation in raffles, games and promotions, without, on the other hand, being informed of
the legal basis for participation in sweepstakes games and promotions, but does not contain any
Any reference to purposes other than those mentioned in this paragraph.
In the information that is provided in the framework of telephone contracting in the channel
CAC Inbound, according to evidence 2, other different purposes are listed, so-
The mind makes reference to the possibility of opposing personal communications
made on products or services directly related to the contracts, and
the interested party is not directed to the General Contract Conditions, which contain
They would, apart from the deficiencies that this Agency has observed in them, the
specific information related to such purposes.
It is not satisfied with the possibility of reporting by layers, that the interested party must
go to different phrases to know the basic information referred to in the
Article 11 of the LOPDGDD, so that the interested party must deduce from a first
locution that can exercise rights other than opposition to co-communications.
commercial, the only one that is informed at the time of hiring. By another pair-
you, none of the aforementioned phrases refers the interested party to the general conditions
contract where the required information is found in accordance with article 13
related to the purposes mentioned during the hiring in the CAC In-
bound, but refer generically to the privacy policy of the website,
that does not contemplate that specific information.
On the other hand, the electronic address indicated in evidence 3 and 4, in the
co of telephone contracting in the Telemarketing and Leads channels, does not allow ac-
assign in a simple and immediate way to such information, thus violating the provisions of
Article 11.1 of the LOPDGDD. From the examination of the search process for the
General provisions (as documented in the ninth number of the events)
It follows that the address provided does not lead directly to the required information.
gible in accordance with article 13 of the RGPD, but to the website of the interested party, where
a search must be carried out that, in addition, yields several similar results and
requires looking at the general conditions (which include numerous aspects relating to
to contracting) the information related to data protection, so it cannot
be considered that such electronic address allows immediate access to such information
training or access is easy for anyone.
It is alleged by EDP ENERGÍA that in order to meet the aforementioned general conditions
a simple search is enough to access them directly, using to
This is done in the search engine available on the website. Performing the search for "conditions
contracting "or" general contracting conditions ", are published as the first
results the documents related to the general contracting conditions.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 119
119/136
Such allegation cannot be shared, even using the page's own search engine.
gina the information is not directly accessible, as demonstrated in the
search process documented by this Agency.
In this regard, it should be recalled that the “Guidelines on transparency under the
Regulation 2016/679 ", adopted on 11/29/2017 and revised on 04/11/2018." approve-
given by the European Data Protection Committee at its first plenary meeting,
they point out that “Both articles 13 and 14 refer to the obligation by which
the data controller "will provide all the information indicated below"
to the interested party. The key word in this expression is "will facilitate." This means that the
data controller must take active measures to provide the information
tion in question to the interested party or actively direct the interested party to the location of this
(eg by direct link, use of a QR code, etc.). The interested party does not
you should have to actively search for the information covered by such articles between
information of another type, such as the conditions of use of a website or
an app." On the other hand, although this Agency positively values ​​that it has
created a direct access to the information required by article 13 of the RGPD, this does not
invalidates the fact until its creation, after the proposed resolution,
access to information lacked that element of immediacy and simplicity required
by article 11 LOPDGDD.
It is also alleged that an infringement of the duty of transparency was not committed.
while the complete information on data protection (with the content of
required by the regulations) is contained within the general conditions of con-
treatment that are sent to the interested party after hiring. This cannot be shared
argument, the information must be provided to the interested party at the time it is obtained
have the data, without being able to defer that moment to the reception of the contract.
Article 13 of the RGPD determines in its first section when the
information by providing that “ When personal data is obtained from an interested party
relating to him, the person responsible for the treatment, at the moment in which these are obtained
gan, will provide you with all the information indicated below: (…) ”, (the underlining is
the AEPD). The LOPDGDD allows said information to be provided in layers,
providing the interested party during the data collection basic information, whose
content determines, and allowing to indicate an electronic address or other means that
allow easy and immediate access to the rest of the information. The element
immediacy is essential to comply with article 13 of the RGPD, of
so providing the information days later when a contract is received, not
complies with the requirement to provide the information that according to said precept
it must be communicated "at the time the data of the interested party is obtained".
In this same sense, the aforementioned "Guidelines on transparency under the
Regulation 2016/679 ”state that“ Regardless of the formats used,
In this tiered approach, WP29 recommends that the first 'tier' (that is,
the main means by which the person in charge interacts for the first time with the interested party)
regularly transmit the most important information (mentioned in the section
36), namely the details of the purposes of the treatment, the identity of the controller and the
existence of the rights of the interested party, together with information on the greater
cusion of the treatment or the treatment that could surprise the interested party. For example-
For example, when the first contact with an interested party is by telephone, this information
mation could be facilitated during the call with the interested party and he could receive the
rest of the information required under article 13 or 14 by other additional means
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 120
120/136
otherwise, for example, by sending you a copy of the privacy policy by e-mail.
tronic or a link to the online privacy statement / notice of the person in charge. " It is-
E-mail or link to the privacy statement, have the same effect-
mind in that element of immediacy, which allows to comply with what is foreseen in
Article 13.
In this regard, the considerations contained in the dicta-
menu of the State Council to the preliminary draft of the Organic Law on Data Protection
of a personal nature, in which the following was indicated regarding the information by
layers:
“(…) If the information is provided in another format, or through different“ layers ”, it will not be
will be violating the principle of transparency, but the person in charge must assess whether
the principle has been adequately fulfilled or if some type of additional measure is required
protection of rights, (…) ”. And it added “(…) Without prejudice to the foregoing,
It should be remembered that Article 13 requires that all the information that must be
supplied to the interested party is provided at the time the data is obtained
personal object of treatment. Despite the direct applicability of this provision
of the Regulations, it would be convenient for Article 12 of the preliminary draft to specify that
This "layered" information method cannot in any case imply a delay
in the provision of information considered "non-basic."
2 .On the other hand, with regard to the information provided both by telephone
(evidences 2,3, and 4) as in the general conditions (evidence 6 and document of
general conditions of the website) the following is observed:
A. Regarding the person responsible for the treatment, it is indicated in evidence 2, 3, 4 and 5
that the data will be "processed by EDP Comercializadora SAU and EDP Energía SAU"
which does not necessarily correspond to the entity with which you are contracting,
since when only the energy service is contracted or only that of
gas, the person responsible will be one or the other, without being correctly informed in such cases
to the interested party about who is responsible for the treatments. The same reproach
It should be done to the information provided in the general conditions in which
indicates “Said data, in addition to those obtained as a result of the execution of the
contract, will be processed by EDP COMERCIALIZADORA, SAU, domiciled at
C / General Concha, 20, 48001, Bilbao and by EDP ENERGÍA, SAU with address at
Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers "
It is also an inaccurate information, since they will be responsible
one or another entity depending on the contracted service or, where appropriate, each of the
entities for the respective treatments derived from the contract and the possible
consents granted, without this information being clear to the client. TO
this imprecision in the determination of the person in charge is added to refer
generically to EDP in the rest of the information provided, so that the
The interested party does not know in the case of other treatments which is the responsible entity.
In this regard, EDP ENERGÍA, SAU alleges that the customer is informed about the
identity of the person responsible for the treatment through the privacy policy in relation to
tion with the contracting conditions: Privacy policy: “the data will be processed
two by EDP Comercializadora SAU and EDP Energía SAU ”. Specific conditions
of the contract: "The customer contracts, for the supply indicated, the supply of gas
with EDP Comercializadora, SAU and the supply of electricity and / or services
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 121
121/136
complementary with EDP ENERGIA, SAU, (hereinafter jointly and / or individually
te, as appropriate, referred to as “EDP”) in accordance with the Specific Conditions
which are set out below and the General Conditions in the annex ”. Therefore, the
interested party -which has full capacity to contract and, therefore, it is presumed-
ne that you should be able to understand the terms and conditions that govern di-
hiring, you are aware at all times that, depending on how you contract the service
gas and / or electricity supply, your data will be processed by one or both entities
dades.
This allegation cannot be shared by this Agency, as stated by EDP
ENERGÍA, SAU can only be admitted that what the client knows is the entity with
who has contracted the services, but not the person in charge of the different treatment
of data that can be made, since as previously stated, in other
evidence and in the contracting conditions themselves, it is stated that both entities
des are responsible for data processing (evidence 2.3 and 4 and 5) and the
generic EDP formula that includes both.
Regarding other explanations by EDP ENERGÍA, SAU such as the absence of activities
of one of the entities and the possible sale to third parties, already carried out as stated,
do not justify the inaccuracy of the information, since it is contracted on behalf of two entities
different communities, regardless of whether one is active or not, an aspect that
is relevant from the point of view of data protection, since said entity
dad continues to act as the controller.
B. Regarding the purposes and legitimizing bases of data processing, it is
indicate in the general conditions the following "manage, maintain, develop,
complete and control the contracting of electricity and / or gas supply and / or
complementary services of and / or gas and / or complementary services of revision and / or
technical assistance and / or points program, and / or service improvement, to carry out
of fraud prevention actions, as well as profiling,
personalized commercial communications based on information provided by the
Client and / or derived from the provision of the service by EDP and related to
products and services related to the supply and consumption of energy,
maintenance of facilities and equipment. These treatments will be carried out
in strict compliance with current legislation and to the extent that they are
necessary for the performance of the contract and / or the satisfaction of legitimate interests
of EDP, provided that other rights of the client do not prevail over the latter. "
This Agency considers that it is not easy for anyone, without
knowledge of data protection matters, differentiate which treatments
derive from the contract and which are based on the legitimate interest of the person responsible.
Nor is it indicated what is the legitimate interest that the person in charge attributes to himself. Result
essential for the exercise of the rights of the interested parties to know the legal basis
on which the treatment is based, in particular to be able to exercise your right to
opposition to the treatment when it is based on the legitimate interest of the
responsible in accordance with the provisions of article 21 of the RGPD.
In this sense, the Guidelines on Transparency under the
Regulation (EU) 2016/679, adopted on November 29, 2017 by the Group of
Article 29 work that “The specific interest in question must be identified in
benefit of the interested party. As a matter of good practice, the person responsible for the treatment
The data subject can also provide the interested party with the information resulting from the
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 122
122/136
deration »that must be carried out in order to be able to benefit from the provisions of article
6, section 1, letter f), as a lawful basis for the treatment, prior to any
collection of the personal data of the interested parties. To avoid information fatigue,
This may be included within a structured privacy statement / notice in ni-
veles (see section 35). In any case, the position of the GT29 is that the information
The information addressed to the interested party must make it clear that he or she can obtain information
Read the weighting test upon request. This is essential for the
transparency is effective when interested parties doubt whether the weighting test
tion has been carried out fairly or they wish to make a claim. "
This Agency does not share the argument that neither Article 13 nor any other provision
The legal concept requires that the privacy policy list each purpose, indicating the specific
specifically the basis of legitimation that results from application, the wording of the
Article 13 requires that the interested party be informed of “the purposes of the treatment to which
allocate the personal data and the legal basis of the treatment ”, that is, the use of the
singular already makes it clear that the legal basis of each treatment must be indicated. The
Transparency is closely linked to the legality of the treatment, article 5.1.a) of the
RGPD indicates as one of the principles related to the treatment the principle of legality,
loyalty and transparency. The legal basis determines the legality of the treatment, so
The person in charge must inform the interested party in each case that there is a legal basis
appropriate authority to carry out said treatment in accordance with article 6 of the RGPD, without
that it is admissible that the interested party has to interpret the privacy policy to
determine what may be the legitimizing basis for each treatment .
This Agency also does not agree with the allegation that “for any person
na it may be evident that treatments such as “manage, maintain, develop, comply with
define and control the contracting of electricity and / or gas supply and / or services
complementary services of and / or gas and / or complementary services of revision and / or assistance
technical and / or points program, and / or service improvement ”are closely related
n related to the execution of the contract, the rest being assignable to the legitimate interest.
In this sense, it is worth remembering what is stated in the aforementioned “Guidelines
ces on transparency under Regulation 2016/679 ”. In them the
scope to be attributed to the elements of transparency established in article
Article 12 of the RGPD, according to which the data controller will take the measures
appropriate to “provide the interested party with all the information indicated in articles 13 and
14, as well as any communication in accordance with articles 15 to 22 and 34 regarding the
treatment, in concise, transparent, intelligible and easily accessible form, with a language
clear and simple gage ”, which must be related to what was expressed in the Consideration
Section 39 of the aforementioned Regulation. From what is stated in said Guidelines, it is worth highlighting
at this time the following: “The requirement that the information be“ intelligible ”wants
re to say that it must be understandable to the average member of the target audience.
Intelligibility is closely linked to the requirement to use clear language
And simple. A data controller who acts with proactive responsibility co-
You will know the people about whom you collect information and you can use this knowledge
to determine what said audience is likely to understand… ”. In the
In this case, the services provided by EDP ENERGÍA, SAU are aimed at all
citizens, so that it cannot be presumed that anyone can enter
tend when it comes to one legal basis or another. In this sense, the allegations themselves
tions point out that their clients do not distinguish between opposition and revocation of the
feeling, which shows that, in general, they lack knowledge
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 123
123/136
technicians in the field and cannot distinguish between different legal bases,
that involve an exercise of rights in a different way.
Regarding the information on the legitimate interest that the person in charge attributes to himself,
EDP ​​ENERGÍA, SAU alleges that they are clearly displayed and posted
in relation to the purposes pursued, that is: fraud and merchandise prevention
cadotecnia, in relation to the sending of personalized commercial communications.
In these cases, it is obvious that there is an identification between the informative purpose
gives and self-interest pursued, so making a separate allusion to the latter
it would be redundant.
This claim cannot be admitted, within the treatments indicated by EDP
the basis of which is their legitimate interest, the "profiling" is mentioned regarding
of which neither the legitimate interest nor the purpose is indicated.
In this sense, the Guidelines of the Working Group on Article
29 on automated individual decisions and profiling for the purposes of
Regulation 2016/679, adopted on 10/03/2017 and revised on 02/06/2018, indicate what
following:
“The transparency of the treatment is a fundamental requirement of the GDPR.
The profiling process is usually invisible to the person concerned. Works
creating derived or inferred data about people ("new" personal data
that have not been directly provided by the interested parties themselves). People
have different levels of understanding and it may be difficult for them to understand the
The techniques of the profiling processes and automated decisions ”.
“Taking into account the basic principle of transparency that underpins the RGPD, the
data controllers must ensure that they explain to people in a manner
clear and simple operation of profiling or self-decision making
nuanced.
In particular, when the treatment involves decision-making based on the
profile creation (regardless of whether they fall within the scope of the
provisions of article 22), the user should be made aware of the fact that the treatment is intended to
purposes of both a) profiling and b) adoption of a decision on the
base of the generated profile
Recital 60 establishes that providing information about the preparation of
files is part of the transparency obligations of the data controller
according to article 5, paragraph 1, letter a). The interested party has the right to be informed
by the data controller, in certain circumstances, about their rights
opposition to 'profiling' regardless of whether they have
made individual decisions based solely on automated processing
The basis for profiling ”.
"The person in charge of the treatment must explicitly mention to the interested party details
on the right of opposition according to article 21, paragraphs 1 and 2, and present them clearly
rally and apart from any other information (Article 21, paragraph 4).
According to article 21, paragraph 1, the interested party can object to the treatment (including
profiling) for reasons related to your particular situation. The
data controllers are specifically obliged to offer this right
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 124
124/136
in all cases in which the treatment is based on article 6, paragraph 1, letters
e) of) ”.
In this case, in the opinion of this Agency, the information requirements are not met.
previously described. EDP ​​ENERGÍA, SAU, limits itself to reporting on the “performance of
profiles ”, but it does not offer information on the type of profiles to be made,
the specific uses to which these profiles are to be put or the possibility that the
The person concerned can exercise the right of opposition in application of article 21 of the
GDPR.
The claim that profiling is associated with
sending personalized commercial communications. As indicated
When determining the purposes in the first paragraph of the general conditions, the
the following are: “manage, maintain, develop, complete and control the
contracting supply of electricity and / or gas and / or complementary services of and / or
gas and / or complementary services of revision and / or technical assistance and / or program of
points, and / or improvement of the service, to carry out actions to prevent
fraud, as well as profiling, personalized commercial communications
based on information provided by the Client and / or derived from the provision of the
service by EDP and related to products and services related to the
supply and consumption of energy, maintenance of facilities and equipment "
clearly separating the purpose of profiling from that of sending
commercial communications.
In the same way, as evidenced by evidence 2, 3 and 4 during
In the telephone contracting process through a representative, the representative is informed of
that: “Your personal data and that of your client will be processed by EDP Comer-
cializadora SAU and EDP Energía SAU for the management of their contracts, prevention of
fraud, profiling based on customer and EDP information, as well as
the realization of personalized communications about products or services directly-
related to their contracts, being able at any time to oppose the
themselves. "It is also reported with respect to profiling as a treatment
treatment or different and separate treatments of the sending of personalized communications
on products or services directly related to the contracts, such as
try the use of the conjunctive phrase “as well as”.
In any case, even when it could be taken for granted, that EDP ENER-
GÍA, SAU was to link both purposes, the way in which information is given in
fringe the principle of transparency, as stated in recital 60 “The principles
Fair and transparent treatment principles require that the interested party be informed of the existence of
tenance of the processing operation and its purposes. The person responsible for the treatment must
provide the interested party with any additional information necessary to guarantee
fair and transparent treatment, taking into account the circumstances and the
specific text in which personal data is processed. You must also inform the
interested party regarding the existence of profiling and the consequences of
cha elaboration. "
C. The general conditions also provide the following information regarding
of the treatments based on the consent of the interested party:
“As long as the client has explicitly accepted it, their personal data will be
treated, even once the contractual relationship has ended and provided that there is no
Produces opposition to said treatment, to:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 125
125/136
(I) The promotion of financial services, payment protection services, automotive
or related and electronic, own or third parties, offered by EDP and / or participation in
promotional contests, as well as for the presentation of commercial proposals
linked to the energy sector after the end of the contract, (II) The preparation of
Commercial profiles of the Client by aggregating the databases of
third parties, in order to offer the Client personalized products and services,
thus improving the customer experience, (III) Decision-making
automated, such as allowing the contracting, or not, of certain products
and / or services based on the Client's profile and particularly, on data such as, the
history of defaults, the history of hires, permanence, locations, data
consumption, types of devices connected to the energy network, and similar data
that allow to know in greater detail the risks associated with the contracting. (IV)
Based on the results obtained from the aggregation of the indicated data,
EDP ​​may make personalized offers, specifically aimed at achieving the
contracting of certain products and / or services from EDP or from third parties
depending on whether the client has consented to it or not, being in any case treated
data whose age will not exceed one year. In the event that said process was carried out
carried out in an automated way, the client will always have the right to obtain intervention
human rights by EDP, admitting the challenge and, where appropriate, assessment of the
resulting decision.
Nor is it easy for anyone without specialized knowledge in-
tend what type of treatments are going to be carried out based on the consent
In particular, the wording of point IV is not clear at all: it is unknown to
which data is referred to by “the results obtained from the aggregation of the data
indicated ”that could be both those contained in number III above and those obtained
nests of third-party bases or all of them. The purpose of the treatment seems to indicate
that these are advertising treatments other than those indicated in the first two
different numbers, without the difference being evident with respect to them. On the other hand, it does not
The last paragraph of this point IV is understandable, when mentioning the rights that the
Article 22 of the RGPD recognizes the interested parties when self-determination decisions are made
nuances that produce legal effects on them or significantly affect them in
similar way.
The allegations provide an explanation of the purposes of the different
treatments and the data to be treated that seek to clarify said aspects, however,
It is not in them that such points should be clarified, but rather it is the information provided
which must be clear and understandable to the interested party, breaching-
I know with the information provided, in the opinion of this Agency, the provisions of article
12 of the GDPR.
D . The general conditions inform as follows regarding the rights
Of the interested:
"Rights of the data owner
The client will have the possibility of exercising freely at all times
and completely free the following rights:
i)
Access your personal data that is processed by EDP.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 126
126/136
ii)
Rectify your personal data that is processed by EDP that
are inaccurate or incomplete.
iii)
Delete your personal data that are processed by EDP.
iv)
Limit the treatment by EDP of all or part of your data
personal.
v)
Oppose certain treatments and self-decision making
nuances of your personal data, requiring human intervention
in the process, as well as to challenge the decisions that are ultimately
adopted by virtue of the processing of your data.
saw)
Port your personal data in an interoperable and self-sufficient format.
tea.
vii)
Withdraw at any time, the consents previously granted-
mind."
Said information, although it includes all the rights that the RGPD grants to the interested party.
do, must be adapted to the specific treatments carried out by the person in charge. So and
as indicated in the aforementioned Guidelines on Transparency under the Regulation
(EU) 2016/579: “This information must be specific to the treatment scenario and
include a summary of what the right implies and how the interested party can act
to exercise it, as well as any limitation to the right. "
The allegation that the obligation to detail the specific treatments cannot be accepted.
to which the interested party has the right to oppose not only is it not a re-
caught in the RGPD, the LOPDGDD or any other applicable regulations, but
In addition, the AEPD in its guides and tools (among others, the Guide for compliance with
the duty to inform2 or the Facilita tool3) does not indicate that the reporting clauses
information on the right of opposition should specify the treatments on the
that applies the right of opposition. The provisions of the Guidelines must be reiterated here
of the Article 29 Working Group on automated individual decisions and
profiling for the purposes of Regulation 2016/679, adopted on 10/03/2017 and
revised on 02/06/2018, which indicate the following:
"The person in charge of the treatment must explicitly mention to the interested party details
on the right of opposition according to article 21, paragraphs 1 and 2, and present them clearly
rally and apart from any other information (Article 21, paragraph 4). "
Therefore, it is not enough to mention the right to oppose “certain tra-
treatments ”, but should be informed that these treatments, in the present
put, they are those that the person in charge bases in article 6.1.f), that is, in the
existence of a legitimate interest prevailing over the interests, rights and freedoms
of the interested party, and it must be clear to the interested party what these treatments are
against which you can exercise your right to object.
Nor can it be shared that this interpretation violates the principle of
termination of the arbitrariness alleged when EDP ENERGÍA considers that the presentation
of the information regarding the exercise of rights, as presented in your information
This is a recommended practice and even applied by the Spanish Agency.
ñola of Data Protection in its privacy policy. In this regard, you must have-
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 127
127/136
It is taken into account that this Agency does not carry out treatments based on the provisions of the
Section 6.1.f, in particular those related to direct marketing.
It is imprecise to indicate that the interested party can oppose the adoption of a decision.
automated use of your personal data. These can only be carried out
by the person in charge in the cases provided for in article 22 of the RGPD, based on
in the present case in the consent of the interested party, so he must be able to
know that you can revoke the consent given for the adoption of such decisions
sions at any time, without prejudice to also being informed of the rights
chos conferred by article 22 to the interested parties.
It cannot be shared, regarding this imprecision regarding the exercise of rights,
the allegation that the semantic and technical nuance associated with the terms "opposition" and
“Revocation” in the context of the exercise of rights cannot have an impact on the
interested, because with both terms the user achieves the same objective, which is that
a treatment specifically identified in the policy ceases to occur and that the
term used by EDP ENERGÍA (opposition) in the context of this type of treatment
terms is understood in the regulations and by the market itself more broadly - and
therefore more guarantee- since it allows the user to eliminate a treatment is
based on consent, is based on legitimate interest. The regulations are clear to the
mitigate both rights and when they can be exercised in articles 7 and 21.1.2 of the
RGPD, which requires correlatively that the interested party have knowledge of the base
legal treatment. This cannot be justified in a presumed greater guarantee for the
interested parties the incorrect information provided on the exercise of rights of the
interested.
Consequently, in accordance with the evidence presented, the facts described
in this Legal Basis constitute a violation of the principle of
transparency regulated in article 13 of the RGPD, which gives rise to the application of the
corrective powers that article 58 of the aforementioned Regulation grants to the Agency
Spanish Data Protection.
V
In the event of an infringement of the provisions of the RGPD, between
the corrective powers available to the Spanish Agency for the Protection of
Data, as a control authority, article 58.2 of said Regulation contemplates the
following:
“2 Each supervisory authority shall have all the following corrective powers
listed below:
(…)
d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time;
(…)
i) impose an administrative fine in accordance with article 83, in addition to or instead of
the measures mentioned in this section, according to the circumstances of each
particular case;" .
According to the provisions of article 83.2 of the RGPD, the measure provided for in the letter
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 128
128/136
d) above is compatible with the sanction consisting of an administrative fine.
SAW
In the present case, the breach of the principle of
privacy by design established in article 25 of the RGPD, and the principle of
transparency regulated in article 13 of the RGPD with the scope expressed in the
Previous Foundations of Law, which implies the commission of paths
offenses typified in articles 83.4 and 83.5 of the same rule as under the
heading " General conditions for the imposition of administrative fines" provides
the next:
4 “Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a) the obligations of the person in charge and the person in charge in accordance with articles 8, 11,
25 to 39, 42 and 43; "
5. "Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
b) the rights of the interested parties in accordance with articles 12 to 22; (…) ”.”
In this regard, the LOPDGDD, in its article 71 establishes that “They constitute
offenses the acts and conducts referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law ” .
For the purposes of the limitation period, articles 73 and 74 of the LOPDGDD
indicate:
Article 73. Violations considered serious.
" 1 Based on what is established in article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:
(…)
d) The lack of adoption of those technical and organizational measures that result
appropriate to effectively apply the principles of data protection from
the design, as well as the non-integration of the necessary guarantees in the treatment, in
the terms required by article 25 of Regulation (EU) 2016/679. "
Article 74. Infractions considered minor.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 129
129/136
"They are considered minor and will prescribe a year the remaining offenses of character
merely formal of the articles mentioned in sections 4 and 5 of article 83
of Regulation (EU) 2016/679 and, in particular, the following: a) Failure to comply with the
principle of information transparency or the data subject's right to information
for not providing all the information required by articles 13 and 14 of the Regulation
(EU) 2016/679 ".
In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state :
"1. Each supervisory authority will guarantee that the imposition of fines
administrative pursuant to this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute title for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the nature of
za, scope or purpose of the processing operation in question as well as the number of
number of affected stakeholders and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to pa-
bundle the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the treatment,
gives an account of the technical or organizational measures that have been applied by virtue of the
articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement, in particular
cular if the person in charge or the person in charge notified the infringement and, if so, in what measure
gives;
i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures;
j) adherence to codes of conduct under article 40 or to certification mechanisms
fication approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or indirectly-
mind, through the infraction. "
For its part, article 76 " Sanctions and corrective measures" of the LOPDGDD
has:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 130
130/136
established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of treatment of
personal information.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have induced the commission
of the offense.
e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "
In accordance with the transcribed precepts, in order to set the amount of the
fine sanctions to be imposed in the present case on the defendant, as responsible for
offenses typified in article 83.5.a) and b) of the RGPD, the fine should be graduated
that would correspond to impose for each one of the imputed infractions as follows:
1. Infringement for breach of the provisions of article 25 of the RGPD, typified
in article 83.4.a) and classified as serious for the purposes of prescription in article
73.1.d) of the LOPDGDD:
In this case, considering the seriousness of the violations found, it is appropriate
the imposition of a fine.
It is not possible to accept the request made by EDP ENERGÍA, SAU for the
impose other corrective powers, specifically, the warning, which is
intended for natural persons and when the sanction constitutes a burden
disproportionate (recital 148 of the RGPD).
For the same reasons, and considering the graduation criteria of the
sanctions indicated below, the petition for
imposition of a sanction in its minimum degree.
In accordance with the transcribed precepts, in order to set the amount of the
fine sanctions to be imposed in the present case on EPD ENERGÏA, SAU, as
responsible for infractions typified in article 83.4.a) and 83.5.b) of the RGPD,
It is necessary to graduate the fine that would correspond to impose for each one of the infractions
charged as follows:
1. Infringement for breach of the provisions of article 25 of the RGPD, typified
in article 83.4.a) and classified as serious for the purposes of prescription in article
73.1.d) of the LOPDGDD:
It is estimated that the following factors concur as aggravating factors that
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 131
131/136
reveal greater unlawfulness and / or culpability in the conduct of the EDP entity
ENERGÍA, SAU:
- The nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operations of which
trafficking: The offense results from the absence of an effective implementation of
technical and organizational measures to eliminate the risks generated by the
treatment of services and obtaining consent for other purposes
des when acting through representative.
- The intentionality or negligence appreciated in the commission of the offense.
The deficiencies in such procedures for contracting and obtaining
consent for other purposes should have been advised by a
entity of the characteristics of EDP ENERGÍA, SAU and avoided when designing
your processes.
- The continuing nature of the offense. The offense has its origin in a
incorrect design of contracting procedures through
representative, which have been used since at least 2018, without
these have been modified or corrective measures have been implemented until the
month of January of the current year in which a protocol of
hiring through a representative.
- The high link between the activity of the offender and the performance of
processing of personal data. The operations that constitute the
business activity carried out by EDP ENERGÍA, SAU as
commercialization of electricity services to individuals imply
personal data processing operations.
It cannot be considered as mitigating, as alleged by the person in charge, that
the data processing is carried out in an instrumental way without your
activity is based on the exploitation of personal data, in this regard
takes into account that authorizations have been obtained from the representative in
name of the represented to carry out advertising treatments of
non-energy products or services of EDP companies or collaborators
ENERGY .
- The status of a large company of the responsible entity and its volume of
deal. The entity's turnover according to the information obtained
has been 1,236,124,000 euros in 2018. It is alleged that they have had
take into account the data of 2018 and not those of 2019 being the turnover
of that year of 589,929,000 euros.
It is alleged that being considered a large company or the volume of
billing are not circumstances foreseen as aggravating nor in the RGPD
nor in the LOPDGDD.
Such allegation cannot be shared, article 83.1 of the RGPD provides that
"Each control authority will guarantee that the imposition of fines
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 132
132/136
administrative regulations pursuant to this article for infractions of the
these Regulations indicated in paragraphs 4, 5 and 6 are in each case
individual effective, proportionate and dissuasive. " Saying number 2
Article establishes that when deciding to impose an administrative fine and
its amount in each individual case will be duly taken into account: (…) k)
any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided,
directly or indirectly, through the offense. "
For these purposes, as an aggravating factor, the
consideration of the entity as a large company what is found
linked among other aspects to its turnover, to the extent
that it has greater means to comply with the obligations
imposed by the GDPR.
Regarding the volume of business taken into account in the procedure,
took the one that was available at the time of the initiation agreement,
without being questioned up to now by EDP ENERGÍA, SAU. Not
However, even if it is true that the volume corresponding to the year
2019 is the one that appears in the allegations to the motion for a resolution, such
This data does not modify the condition of a large company of said entity .
- High volume of data and treatments that constitutes the object of the
proceedings. The volume of contracts signed by third parties on behalf of
of natural persons increased during the year 2019 amounted to 37,197.
- Any previous infringement committed by the person in charge or the person in charge of the
treatment; EDP ​​ENERGÍA, SAU has been sanctioned in the
procedures PS / 00101/2018 and PS / 00363/2018, for violation of article
6.1 of Organic Law 15/1999, and PS / 00109/2019 for the violation of the
Article 6.1 of the RGPD.
It is alleged by the person in charge that the AEPD refers to the global billing volume
of EDP ENERGÍA to quantify the infringement when it should take into account
exclusively, and where appropriate, the billing data generated by the eventual
alleged non-compliance - in the case of article 25 of the RGPD, relating exclusively
to the hiring by representation, being the amount obtained by hiring by
representation of approximately 7,650,000 euros.
In this regard, it should be taken into account that article 83.4 provides that “The
Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year ”, by
Consequently, this Agency understands that the total annual business volume is the one that
operates as a limit to the amount of the infringement, and not the profit obtained, which
constitutes one more aggravating element. In this regard, it should be noted that the
2% of the turnover of said entity during 2019 according to the data indicated,
supposes a figure of 11,798,580 euros, so the amount in which the
The amount of the fine, far removed from this maximum amount, is weighted.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 133
133/136
On the other hand, said entity requests that the fact of
that special categories of data are not processed, nor data of minors, in this regard
It should be considered that the processing of such data may constitute, where appropriate, a
aggravating, but the fact that such data is not processed in itself does not constitute
a mitigating factor, without, on the other hand, by the person responsible for the treatment justifying in
In no way because such a circumstance should be taken into account in this sense.
The fact that the entity has been
object of sale to another company, article 76.2.e) of the LOPDGDD states that it may
take into account “the existence of a process of merger by absorption subsequent to the
commission of the offense, which cannot be attributed to the absorbing entity ”
seeks here an analogical interpretation of this precept so that it extends
said circumstance to other "structural modifications" carried out later
to the commission of the offense, an interpretation that cannot be admitted, when the
LOPDGDD wants to refer to structural modifications in general, it does so,
while in the aforementioned precept it makes exclusive reference to the merger by
absorption .
It alleges that the measures taken should also be considered mitigating
to alleviate the damage, such as the implementation of a new protocol for
hiring and the degree of cooperation with the administration and the degree of
collaboration with the AEPD. These elements are taken into account so that they are not
has made use of another of the corrective powers that this Agency may use as
It is the imposition of measures in the terms provided in article 58.2 of the RGPD.
Considering the exposed factors, the valuation of the fine for the
The offense charged is 500,000.00 euros.
2. Infringement for breach of the provisions of article 13 of the RGPD, typified
in article 83.5.b) and classified as mild for prescription purposes in article
74.a) of the LOPDGDD:
The following graduation criteria are considered concurrent:
- The nature, severity and duration of the offense: The deficiencies
valued in the information provided to the interested parties affect the
substantive aspects of the principle of transparency.
It is alleged that the imputed is the need to improve some aspects of their
data protection policies without in any case the texts used
can be understood to have generated a high level of damage and
damages, which should be considered as a mitigating factor. This claim
cannot be accepted, these are not simple information defects
offered without major importance, said information violates aspects
fundamental principles of the principle of transparency as
manifest in the present proceeding.
- The intentionality or negligence appreciated in the commission of the offense.
The defects indicated in the information provided show the lack of
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 134
134/136
diligence of EDP ENERGÍA, SAU in complying with the obligations
transparency imposed by the RGPD.
The allegation that in his actions he has followed the
guides and guidelines of the AEPD and the European Data Protection Committee
which shows his diligence, on the contrary, in the fundamentals of
law contains the many aspects in which the guidelines of the
European Data Protection Committee have not been taken into account in its
performance.
- The high link between the activity of the offender and the performance of
processing of personal data. The operations that constitute the
business activity carried out by EDP ENERGÍA, SAU as
electricity services trading company involve operations of
processing of personal data.
It cannot be considered as mitigating, as alleged by the person in charge, that
the data processing is carried out in an instrumental way without your
activity is based on the exploitation of personal data. As i know
is derived from the facts set forth in this proceeding and from the
general contracting conditions, consents are collected for
carry out third-party advertising treatments in various sectors
(financial, payment protection automotive and related, electronics….)
- The continuing nature of the offense, interpreted by the National High Court
as a permanent offense.
- The status of a large company of the responsible entity and its volume of
deal. The entity's turnover according to the information obtained
has been 1,236,124,000 euros in 2018. It is now alleged that the
business volume for the year 2019 is 589,929,000 euros.
Regarding the allegation that being considered a large company or the
billing volume are not circumstances foreseen as aggravating nor
in the RGPD nor in the LOPDGDD, this Agency reiterates as indicated
previously in the determination of the aggravating factors of the infraction of the
Article 25 before the same allegation.
- High volume of data and treatments that constitutes the object of the
proceedings. The infringement affects all data processing carried out
by the entity EDP ENERGÍA, SAU
- High number of interested parties. The violation affects all customers
natural persons of the entity. According to the supervision report of the
changes of marketer, corresponding to the first quarter of 2019, from
the National Commission of Markets and Competition the number of points
supply of the entity in the domestic sphere amounted to 1,129,534
constituting 4% of the total electricity sector in this domestic sphere.
The claim that it is not a high volume cannot be accepted
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 135
135/136
of treatments because other groups other than their
customers. The high number of natural person clients of the entity
responsible is sufficient element to consider this circumstance as
an aggravating one.
Regarding other factors that the controller considers to be
taken into account as mitigating factors, such as the fact that they are not treated
special categories of data or data of minors or the sale of all the
shares to another company, it is only possible to refer to what was expressed by this Agency before
the same allegations in relation to the violation of article 25 of the RGPD.
It alleges that the measures taken should also be considered mitigating
to alleviate the damage, such as the improvement of access to information on
data protection, which is already available at the address edp-
residentialbytotal.es/rgpd and the degree of cooperation with the authority. The alleged
improvement affects only one of the defects noted in relation to the
transparency of the procedure, whose positive assessment by this Agency cannot
suppose an extenuating sanction taking into account that such measure has been
taken once the present sanctioning procedure has been initiated.
Considering the exposed factors, the valuation of the fine for the
Infringement charged is 1,000,000.00 euros
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation graduation of the sanctions whose existence has been accredited,
the Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: IMPOSE the entity EDP ​​ENERGIA, SAU . , with NIF A33543547 , for
an infringement of article 25 of the RGPD, typified in article 83.4.a) and qualified
as serious for the purposes of prescription in article 73.d) of the LOPDGDD, a fine
for an amount of 500,000 euros (five hundred thousand euros).
SECOND: IMPOSE the entity EDP ​​ENERGIA, SAU, for a violation of the
article 13 RGPD, typified in article 83.5.b) and classified as mild for the purposes of
prescription in article 74.a) of the LOPDGDD, a fine of 1,000,000
euros (one million euros).
THIRD: DECLARE, due to lack of evidence in application of the principle of
presumption of innocence, not attributable to EDP ​​ENERGIA, SAU ., infractions of
the provisions of articles 6 and 22 of the RGPD.
FOURTH: NOTIFY this resolution to EDP ​​ENERGIA, SAU .
FIFTH: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 136
136/136
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the Agency
Spanish Data Protection Agency in the bank CAIXABANK, SA. In case
Otherwise, it will be collected in the executive period.
Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
it will be until the 5th of the second following or immediate business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
Contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency is not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es