AEPD (Spain) - EXP202105923: Difference between revisions
No edit summary |
|||
Line 73: | Line 73: | ||
=== Holding === | === Holding === | ||
The DPA held that the controller had violated [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] ("accuracy") for not keeping the data subject's contact information up to date. It considered the controller's negligence and routine handling of personal data as aggravating factors. For this infraction the DPA assessed a fine of €100,000. | The DPA held that the controller had violated [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] ("accuracy") for not keeping the data subject's contact information up to date. It considered the controller's negligence and routine handling of personal data as aggravating factors. For this infraction the DPA assessed a fine of €100,000. The controller ultimately paid €60,000, taking advantage of two reductions available for admitting responsibility and paying the fine before the resolution of the sanctioning procedure. | ||
The controller ultimately paid €60,000, taking advantage of two reductions available for admitting responsibility and paying the fine before the resolution of the sanctioning procedure. | |||
== Comment == | == Comment == |
Revision as of 13:08, 13 July 2022
AEPD - PS-00087-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(d) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 30.11.2021 |
Decided: | |
Published: | 08.07.2022 |
Fine: | 60,000 EUR |
Parties: | Comercializadora Regulada, Gas & Power, S.A. |
National Case Number/Name: | PS-00087-2022 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | MW |
The Spanish DPA fined a controller €60,000 for violating Article 5(1)(d) GDPR by delivering a customer's contract to the wrong address. The customer had a restraining order against the current resident, who now had the customer's correct address.
English Summary
Facts
The data subject filed a complaint with the Spanish DPA after a personal data breach. The controller, an electric and gas company, sent the data subject's contract to the wrong address.
The data subject had previously held a contract with the controller at their address, which was cancelled when the data subject moved. The data subject had indicated their new address when they registered again with the controller, but the controller had activated its online invoice service without updating the data subject's contact information, causing the new contract to be sent to the old address.
When the contract was mistakenly delivered to the old address, the data subject had a restraining order on the current resident, who now had access to, among other things, the data subject's current address.
Holding
The DPA held that the controller had violated Article 5(1)(d) GDPR ("accuracy") for not keeping the data subject's contact information up to date. It considered the controller's negligence and routine handling of personal data as aggravating factors. For this infraction the DPA assessed a fine of €100,000. The controller ultimately paid €60,000, taking advantage of two reductions available for admitting responsibility and paying the fine before the resolution of the sanctioning procedure.
Comment
The Spanish DPA found that the controller violated Article 5(1)(d) GDPR ("accuracy"), but a more natural conclusion would be to find a violation of Article 32(1)(d) GDPR ("adoption of adequate technical and procedural measures"). This somewhat strained interpretation may be explained by the fact that the LOPDGDD categorizes Article 5 GDPR violations as "very serious" and Article 32(1) GDPR violations as merely "serious." The two categories differ both in statute of limitations and maximum fine.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/11 File No.: EXP202105923 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On April 1, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against REGULATED COMERCIALIZADORA, GAS & POWER, S.A. (hereinafter the part claimed), through the Agreement that is transcribed: << File No.: EXP202105923 AGREEMENT TO START A SANCTION PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following FACTS FIRST: A.A.A. (hereinafter, the complaining party) dated November 30, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against COMERCIALIZADORA REGULADA, GAS & POWER, S.A. with NIF A65067332 (hereinafter, the claimed party). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/11 The reason on which the claim is based is that the claimed entity has sent the electricity supply contract for his new house, in which he included all his data personal information, including your new address, to the address of your old residence, where lives the person on whom you have a restraining order. Attaches a copy of the letter sent by the respondent in which they indicate that They send a copy of the contract, as well as a copy of it. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), on December 29, 2021, said information was transferred claim to the claimed party, so that it proceeded to its analysis and inform the this Agency within a month, of the actions carried out to adapt to the requirements set forth in the data protection regulations. On January 31, 2022, this Agency received a response letter indicating that the claimant has contracted gas and electricity supplies in the address located at ***ADDRESS.1 from November 16, 2021. Previously, the claimant had been the holder of an electricity supply contract located at ***ADDRESS.2, until your contract was terminated due to a change ownership. It has been verified in the systems of the Regulated Marketer that at the moment of the registration of the contract on November 16, 2021, although it was indicated by the claimant as correspondence address the ***ADDRESS.1 the service of On-Line Invoice but the main address associated with the claimant was not updated, reason the copy of your contract was sent to the previous primary address associated with the customer's NIF, which was the address of ***ADDRESS.2. THIRD: On February 14, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/11 FOUNDATIONS OF LAW Yo By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and to resolve this procedure. II Article 5 of the RGPD establishes what are the principles in the treatment of data. data of a personal nature indicating the following: “1 The personal data will be: a) processed in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and transparency»); b) collected for specific, explicit and legitimate purposes, and will not be processed further. riorly in a manner incompatible with said purposes; according to article 89, paragraph 1, the further processing of personal data for archiving purposes in- public interest, scientific and historical research purposes or statistical purposes are not considered will be incompatible with the original purposes ("purpose limitation"); c) adequate, pertinent and limited to what is necessary in relation to the purposes for which that are processed ("data minimization"); d) accurate and, if necessary, updated; All reasonable steps will be taken ble to delete or rectify without delay the personal data that are ine- accurate with respect to the purposes for which they are processed (“accuracy”); e) kept in a way that allows the identification of the interested parties during longer than necessary for the purposes of the processing of personal data; the Personal data may be kept for longer periods provided that it is processed exclusively for archival purposes in the public interest, research purposes scientific or historical or statistical purposes, in accordance with Article 89, paragraph 1, without prejudice to the application of the appropriate technical and organizational measures that This Regulation is imposed in order to protect the rights and freedoms of the interest sado (“retention period limitation”); C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/11 f) processed in such a way as to guarantee adequate security of the personal data. personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, through the application of technical measures or appropriate organizational measures ("integrity and confidentiality"). 2. The controller will be responsible for compliance with the provisions in section 1 and able to demonstrate it (“proactive responsibility”).” III In the present case, the complaining party denounces the defendant because he has sent the supply contract of your new address, to the address of your old address, where the person on whom you have a restraining order lives. The respondent party has argued that the claimant had been the holder of a contract of light of the supply located at ***ADDRESS.2, until the cancellation of its contract for change of ownership, registering again on November 16, 2021, contracting gas and electricity supplies at the address located on the ***ADDRESS 1. Previously, the claimant had been the holder of an electricity supply contract located at ***ADDRESS.2, until your contract was terminated due to a change ownership. Although the new address was indicated at the time of discharge, the service of On-Line Invoice without updating the address, which is why the copy of your contract is shipped to ***ADDRESS.2. Therefore, in accordance with the available evidence, and without prejudice of what results from the instruction of this sanctioning procedure, considers that we are facing an illicit treatment of personal data, by referring to a incorrect address the supply contract of the claimant where their personal data, among others, your address, incurring in an infringement of art. 5.1.d) for not having updated the data indicated in the basis of law II. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/11 IV Article 72.1 a) of the LOPDGDD states that “according to what is established in the article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679.” v In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate: “Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.” “Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/11 e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures”, provides: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of treatment of personal information. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection officer. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.” In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the sanction of fine to impose on COMERCIALIZADORA REGULADA, GAS & POWER, S.A. with NIF C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/11 A65067332, as responsible for an offense classified in article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent in the present case, in aggravating quality, the following factors: - The intentionality or negligence in the infraction, since given the activity of the claimed party, greater care is required in the processing of the data (83.2.b) GDPR) - The link between the offender's activity and the performance of data processing because the business activity of the claimed party represents a continuous processing of personal data (76.2.b) LOPDGDD) This infraction can be sanctioned with a fine of €20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the of greater amount, in accordance with article 83.5 of the RGPD. Pursuant to these criteria, it is considered appropriate to impose on the defendant entity a penalty of 100,000 euros (one hundred thousand euros), for the infringement of article 5.1 d) of the RGPD, regarding the processing of personal data. In accordance with the above exposed, by the Director of the Spanish Agency for Data Protection Therefore, based on the foregoing, By the Director of the Spanish Data Protection Agency, HE REMEMBERS: FIRST: START SANCTION PROCEDURE against REGULATED COMERCIALIZADORA, GAS & POWER, S.A. with NIF A65067332, of in accordance with the provisions of article 58.2.b) of the RGPD, for the alleged infringement of article 5.1 d) of the RGPD, typified in article 83.5.a) of the RGPD and for the purposes of prescription, by article 72.1 a) of the LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/11 SECOND: APPOINT instructor to B.B.B. and, as secretary, to C.C.C., indicating that any of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sec- Public Tor (LRJSP). THIRD: INCORPORATE to the disciplinary file, for evidentiary purposes, the claim filed by the claimants and their documentation, the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase, as well as the report of previous Inspection actions. FOURTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of the Public Administrations, the sanction that could correspond would be 100,000 euros (one hundred thousand euros) without prejudice of what results from the instruction. FIFTH: NOTIFY this agreement COMERCIALIZADORA REGULADA, GAS & POWER, S.A. with NIF A65067332 granting a hearing period of ten days able to formulate the allegations and present the evidence that it considers convenient. In your brief of allegations you must provide your NIF and the number of procedure at the top of this document. If within the stipulated period it does not make allegations to this initial agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed was a fine, it may recognize its responsibility within the term granted for the formulation of allegations to this initial agreement; it which will entail a reduction of 20% of the sanction to be imposed in this procedure, equivalent in this case to 20,000 euros. with the app of this reduction, the sanction would be established at 80,000 euros, resolving the procedure with the imposition of this sanction. Similarly, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/11 will mean a reduction of 20% of the amount of the same, equivalent in this case to 20,000 euros. With the application of this reduction, the sanction would be established in 80,000 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the period granted to formulate arguments at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if it were appropriate to apply both reductions, the amount of the penalty would be set at 60,000 euros (sixty thousand euros). In any case, the effectiveness of any of the two reductions mentioned will be conditioned to the abandonment or renunciation of any action or resource in via administrative against the sanction. If you choose to proceed to the voluntary payment of any of the amounts indicated previously, 80,000 or 60,000 euros, you must make it effective by paying into account number ES00 0000 0000 0000 0000 0000 opened in the name of the Agency Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which it avails itself. Likewise, You must send proof of entry to the General Subdirectorate of Inspection for continue with the procedure in accordance with the amount entered. The procedure will have a maximum duration of nine months from the date of the start-up agreement or, where appropriate, of the draft start-up agreement. Once this period has elapsed, it will expire and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. Sea Spain Marti Director of the Spanish Agency for Data Protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 10/11 >> SECOND: On April 26, 2022, the claimed party has proceeded to pay the sanction in the amount of 60,000 euros making use of the two reductions provided for in the Start Agreement transcribed above, which implies the acknowledgment of responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or resource in via administrative action against the sanction and acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47 and 48.1 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common to Public Administrations (hereinafter, LPACAP), under the rubric "Termination in sanctioning procedures" provides the following: "1. Started a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature, but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 11/11 3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. The reduction percentage provided for in this section may be increased regulations." According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure EXP202105923, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to the MARKETER REGULATED, GAS & POWER, S.A. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of the Public Administrations, the interested parties may file an appeal contentious-administrative before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. 936-240122 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es