AEPD (Spain) - EXP202205932

From GDPRhub

Latest revision as of 13:11, 13 December 2023

AEPD - PS/00218/2023
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Started: 24.04.2022
Decided: 22.05.2023
Published: 08.09.2023
Fine: 70,000 EUR
Parties: SUMINISTRADOR IBERICO DE ENERGIA S.L.
National Case Number/Name: PS/00218/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA fined másLUZ Energía (SIE) €70,000 for violating Article 6(1) GDPR as it unlawfully processed personal data after the cancellation of an energy and gas supply contract.

English Summary

Facts

On 14 July 2021 the data subject mistakenly signed a contract with másLUZ Energía (marketed by SUMINISTRADOR IBÉRICO DE ENERGÍA - SIE) through an SMS. As he later realized that másLUZ Energía was posing as the complainant's own energy supplier, he requested the cancellation of the contract for gas supply on 10 August 2021 and for electricity supply on 26 August 2021.

Nonetheless, másLUZ Energía (SIE), the controller, continued issuing energy consumption invoices to the data subject, which were automatically paid via his bank account. Further, in January 2022, the controller again changed the electricity contract without consent of the data subject. On 24 April 2022, the data subject filed a complaint with the Spanish DPA against SIE.

Holding

The Spanish DPA considered the certification of the digital signature of the supply contract through the sending of an SMS with másLUZ Energía (SIE) on 14 July 2021 and, with this, the registration in the services in August 2021. The DPA also acknowledged the request by the data subject to withdraw from the contract for gas supply on 10 August 2021 and for electricity supply on 26 August 2021.

As a matter of fact, the controller was able to provide evidence (through call recordings and SMS) of the contract, but only with respect to the contract signed on 14 July 2021, from which the claimant withdrew on 10 and 26 August 2021 respectively. However, the controller failed to adduce evidence of the contract of January 2022, according to which two invoices were issued by másLUZ Energía (SIE) between 8 and 18 January 2022, and another one with consumptions made between 19 January and 11 February 2022. The controller thus failed to provide a legitimate basis for processing activities that took place after the data subject withdrew from the contract.

Accordingly, the Spanish DPA held that the processing activities carried out after cancellation of the contract lacked a legal basis under Article 6(1) GDPR. In light of this, the DPA issued a fine of €70,000 to másLUZ Energía (SIE) by virtue of Article 83(5) GDPR for unlawful processing activities in violation of Article 6(1) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202205932



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure conducted by the Spanish Data Protection Agency, and based
on the following:

                                   BACKGROUND



FIRST: Ms. A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on April 24, 2022. The claim is directed against Suministrador Ibérico de Energía, S.L. with NIF B67421867 (hereinafter, the claimed party or SIE). The reasons on which the claim is based are the following:

The claimant states that in August 2021, with the company posing as the claimant's own marketing company, a contract with Mas luz Energía (SIE) was supposedly signed by means of an SMS.

Later, the claimant realized what had happened and requested the cancellation of the contract.

Mas luz Energía (SIE) issued three invoices, which the claimant paid despite not having given consent to the change of marketing company.

This being the case, in January 2022, without the claimant's authorization or consent, Mas luz Energía (SIE) once again changed the electricity marketer for the claimant's electricity service.

The claimant adds that this fact came to light through the direct debit of an electricity bill from the claimant's account under the name of SIE. The claimant also indicates having asked the bank to refund the invoice amount, since the charge was not recognized, and to ensure that this company would not charge the account again, and points out that a paper bill arrived a week or two later, this time under the name of Mas luz Energía.

The claimant provides the following relevant documentation:

    - Invoice from the Reference Regulated Marketer, with a consumption period from December 14 to January 7, 2022.

    - Mas luz Energía invoice, from January 8, 2022 to January 18 of the same month and year.

    - Mas luz Energía invoice, from January 19 to February 11, 2022.

    - Invoice from the Reference Regulated Marketer, from February 11, 2022 to the 23rd of the same month and year.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/11









SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the claim was forwarded to the claimed party so that it could analyze it and inform this Agency, within a period of one month, of the actions carried out to comply with the requirements of the data protection regulations.

The notification, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on June 7, 2022, as stated in the acknowledgment of receipt that is in the file.

On July 7, 2022, this Agency received a response letter indicating:


<<It is necessary to indicate that the procedures for formalizing the electricity supply contract at SIE logically require verification and authentication of the client's expression of will to proceed with the signing of the contract. This implies that, when a telemarketing service provider formalizes a supply contract on behalf of SIE, it must provide the recording of the sale.

In this way, SIE can verify that the contracting has been carried out in an appropriate manner. After reviewing the recordings of the phone call, we have been able to verify that the salesperson at no time said he worked for the third company in question, but carried out the contracting process indicating to the Claimant that said contracting would be carried out with MAS LUZ ENERGÍA, which is a brand marketed by SIE.

Regarding the origin of the personal data referred to by the Claimant, the following considerations should be made about the contracting process when this is carried out by a company that provides telemarketing services.

▪ The telemarketing service provider transfers to SIE the personal data of interested parties to whom SIE products and services will be offered.

Subsequently, the telemarketing service provider acts as responsible for the processing of SIE for carrying out the activities of offering its products and services and contracting the products and services that correspond.

▪ However, the telemarketing service provider can only carry out commercial actions on those interested parties who have provided their consent to the transfer of their personal data to SIE for this purpose.

Taking into account the above, it is not possible for SIE to determine where the telemarketing service provider obtained the personal data of the Claimant, since it obtained them as a controller independent of SIE.



At the time of signing the contract for the provision of services, said telemarketing service provider undertook to transfer only the personal data of those interested parties who have given their consent for said purpose.

Additionally, the service provider undertook to inform interested parties duly, and in accordance with the regulations on data protection, of the transfer of their data to SIE.

However, as has been reflected in the first section of this document, it has been confirmed that the contracting was carried out by informing the Claimant that it was being made with MAS LUZ ENERGÍA, which is a brand marketed by SIE, and not with the supplying company with which the Claimant had contracted the electricity supply at that time.

For this reason, and although in this case it has been possible to determine after the investigations made that their actions have been in accordance with personal data protection regulations, because incidents of a different nature have been detected in the procedure for contracting its services, SIE has adopted as a measure the total paralysis of the contracting procedure for its services since March 4, 2022>>.


THIRD: On July 14, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, and became aware of the following points:

RESULT OF THE INVESTIGATIVE ACTIONS


1.- Products or services contracted by the client.

The products contracted by A.A.A. are:

Product                 Date of registration   Date of cancellation   Cause of cancellation
Supply of electricity   ***DATE.1              ***DATE.3              Withdrawal from customer
Gas supply              ***DATE.2              ***DATE.4              Withdrawal from customer

2.- List of invoices issued, indicating those that are unpaid and the debt that, if applicable, the complaining party maintains with the entity.

The claimed party provides a copy of the invoices issued for the supply of electricity, which show no outstanding debt.

It provides a copy of the invoices issued for the gas supply, which show an outstanding debt for this product of XX €.

From the analysis of the invoices provided, it appears that there are two invoices, one for consumption between 8-1-2022 and 01-18-2022 and another for consumption between 01-19-2022 and 02-11-2022, after the date of withdrawal from the gas and electricity services carried out in August 2021.

3.- Copy of the recording or contract signed by the claimant.

The telephone contracting procedure consists of two phases: a first phase in which the interested party expresses to the teleoperator the willingness to contract and a second phase in which the interested party must complete the contracting process by signing the contract by sending an SMS.

In order to verify the contracting processes, telemarketing service providers are required to provide both documents: the recording and the certification of the digital signature through the corresponding certification.

They provide a recording of the claimant in which she accepts the contracting of the electricity services.

They also provide certification of the digital signature of the supply contract by sending an SMS.


This certificate states that the contractor has carried out the following communications by SMS, email and WEB messages:

1. Sending: SMS message on 2021-07-14 17:37 CET to the mobile number ***PHONE.1 with sender ***PHONE.2 with the following text:

"MASLUZ ENERGIA (Insignia Gas SL). To read the pre-contractual information and confirm the contract, accept at https://masluz.pulsa.me/h8175-id or reply OK to this SMS"

2. The "I accept" button contained on the WEB page was pressed at 2021-07-14 17:38 CET from address ***IP.1


FIFTH: According to the report collected from the AXESOR tool, the entity Suministrador Ibérico de Energía, S.L. is a microenterprise established in 2019, with a business volume of 247,757 euros in 2020.



SIXTH: On May 22, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party for the alleged violation of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR.

SEVENTH: The initiation agreement was notified through the Single Enabled Electronic Address (DEHÚ) service, which certifies: “expired on June 3, 2023.”

There is no evidence that the claimed party has submitted written allegations regarding it.


Article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), a provision of which the claimed party was informed in the agreement to open the procedure, establishes that if allegations are not made within the established period regarding the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, it may be considered a resolution proposal. In this case, the agreement to initiate the sanctioning file determined the facts in which the imputation materialized, the violation of the GDPR attributed to the claimed party and the sanction that could be imposed. Therefore, taking into consideration that the claimed party has not made allegations to the agreement to initiate the file, and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case as a proposed resolution.

In view of all the actions taken by the Spanish Data Protection Agency in this procedure, the following are considered proven facts:

                                PROVEN FACTS


1st. The claimant filed a claim with this Agency on April 24, 2022, in which it is stated that in August 2021, with the claimed party passing itself off as the claimant's marketing company, a contract with Mas luz Energía (SIE) was supposedly signed via an SMS.

2nd. There is certification of the digital signature of the supply contract with SIE by sending an SMS on July 14, 2021 and, with this, the registration in the services in August 2021; on the other hand, the entity's records show the cancellation due to withdrawal on August 10, 2021 for the gas service and on August 26, 2021 for the electricity supply.

3rd. SIE does not provide evidence of the new contracts; the claimed party provides two invoices for consumption by the complaining party, one between January 8 and 18, 2022 and another for consumption between January 19 and February 11 of the same year, after the date of cancellation of the gas and electricity services carried out in August 2021.

                           FOUNDATIONS OF LAW

                                            I
                                     Competence



In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures".

                                            II
                                 Unfulfilled obligation


Article 6.1 of the GDPR establishes the cases in which the processing of personal data is permitted:

"1. The processing will only be lawful if at least one of the following conditions is met:

a) the interested party gave consent for the processing of their personal data for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application, at the interested party's request, of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the controller;

d) the processing is necessary to protect vital interests of the interested party or another natural person;

e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller;

f) the processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that said interests are not overridden by the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.

The provisions of letter f) of the first paragraph will not apply to the processing carried out by public authorities in the exercise of their functions."

Recital 40 of the aforementioned GDPR also bears on this question of the lawfulness of the processing, when it provides that "For the processing to be lawful, the personal data must be processed with the consent of the interested party or on any other legitimate basis established in accordance with law, whether in this Regulation or under other law of the Union or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the controller or the need to execute a contract to which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract."

In relation to the above, it is considered that there is evidence that the processing of the claimant's data that is the subject of this claim has been carried out without any of the legitimizing grounds included in article 6 of the GDPR.

The GDPR applies to personal data, which is defined as “personal data”: any information about an identified or identifiable natural person (“the interested party”); an identifiable natural person will be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of said person.

It has been verified that there is certification of the digital signature of the supply contract with SIE by sending an SMS on July 14, 2021 and, with this, the registration in the services in August 2021; on the other hand, the entity's records show the cancellation due to withdrawal on August 10, 2021 for the gas service and on August 26, 2021 for the electricity supply.

It should be noted that SIE does not provide evidence of the new contracts; the claimed party provides two invoices for consumption by the complaining party, one between January 8 and 18, 2022 and another for consumption between January 19 and February 11 of the same year, after the date of cancellation of the gas and electricity services carried out in August 2021.

In short, SIE provides evidence (recording and SMS) of the contracting, but only regarding the contract concluded on July 14, 2021, which the claimant cancelled on August 10, 2021 with respect to the gas service and on the 26th of the same month and year with respect to the electricity service. However, it does not provide justification for the contracting that was carried out in January 2022, and the claimed party provides two invoices for consumption by the complaining party, one between January 8 and 18, 2022 and another for consumption between January 19 and February 11 of the same year, after the date of cancellation of the gas and electricity services carried out in August 2021; consequently, the latter are not justified.

Hence, the claimed party does not prove a basis of legitimacy for the processing of the complaining party's data.

                                            III
                        Classification and qualification of the offense


In accordance with the evidence available, it is considered that the facts presented do not comply with the provisions of article 6.1, so they could involve the commission of the infraction classified in article 83.5 of the GDPR, which provides the following:


 "Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount:

a) the basic principles for the processing, including the conditions for consent in accordance with articles 5, 6, 7 and 9."

The LOPDGDD, for the purposes of the limitation period for infractions, classifies the following as a very serious infraction in its article 72.1, the limitation period in this case being three years:

“b) The processing of personal data without any of the conditions of legality of the processing established in article 6 of Regulation (EU) 2016/679”.


                                           IV.
                                        Sanction

In order to establish the administrative fine that should be imposed, the provisions contained in articles 83.1 and 83.2 of the GDPR must be observed, which indicate:

"1. Each supervisory authority will ensure that the imposition of administrative fines under this article for the violations of this Regulation indicated in sections 4, 5 and 6 is in each individual case effective, proportionate and dissuasive.


2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:


a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages that they have suffered;


b) intentionality or negligence in the infringement;

c) any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties;


d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied under articles 25 and 32;

e) any previous infringement committed by the controller or processor;


f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;


g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;

i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the
same matter, compliance with said measures;


j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."

In relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, establishes that:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuous nature of the infringement.

b) The link between the offender's activity and the processing of personal data.

c) The benefits obtained as a consequence of the commission of the infraction.

d) The possibility that the conduct of the affected person could have induced the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party."

In accordance with the transcribed precepts, in order to set the amount of the fine to be imposed in the present case for the infraction classified in article 83.5.a) of the GDPR for which the claimed party is held responsible, the following aggravating factors are considered to concur:


- The evident link between the business activity of the claimed party and the processing of personal data of clients or third parties (article 83.2.k of the GDPR in relation to article 76.2.b of the LOPDGDD).

      The Judgment of the National Court of 10/17/2007 (rec. 63/2006), with respect to entities whose activity entails continuous processing of client data, indicates that “…the Supreme Court has been understanding that imprudence exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, special consideration must be given to the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the appellant's activity involves constant and abundant handling of personal data, rigor and exquisite care must be insisted upon in complying with the legal provisions in this regard.”

The balance of the circumstances contemplated in article 83.2 of the RGPD, with
regard to the infraction committed by violating the provisions of article 6.1 of the
GDPR, allows a fine of 70,000 euros (seventy thousand euros) to be set.

Therefore, in accordance with the applicable legislation and having evaluated the
criteria for graduating the sanctions whose existence has been proven, the Director
of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE ON SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L., with NIF
B67421867, for a violation of Article 6.1 of the RGPD, typified in Article 83.5
of the GDPR, a fine of 70,000 euros (seventy thousand euros).


SECOND: NOTIFY this resolution to SUMINISTRADOR IBÉRICO DE
ENERGÍA, S.L.

THIRD: Warn the sanctioned party that it must pay the sanction imposed
once this resolution becomes enforceable, in accordance with the provisions of
art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by paying it, indicating the NIF of the sanctioned party and the
procedure number that appears in the heading of this document, into the restricted
account IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A. Otherwise, it will be
collected in the enforcement period.


Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the
voluntary payment will be until the 20th of the following month or the immediately
following business day, and if it is between the 16th and last day of each month,
both inclusive, the payment deadline will be until the 5th of the second following
month or the immediately following business day.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.



Against this resolution, which puts an end to the administrative procedure in
accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of
article 123 of the LPACAP, the interested parties may optionally file an appeal for
reconsideration before the Director of the Spanish Data Protection Agency within a
period of one month from the day following the notification of this resolution, or
directly file a contentious-administrative appeal before the Contentious-administrative
Chamber of the National Court, in accordance with the provisions of article 25 and
section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
the final resolution in administrative proceedings may be provisionally suspended if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact in
writing addressed to the Spanish Data Protection Agency, presenting it through
the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/],
or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. The interested party must also send the Agency the
documentation that proves the effective filing of the contentious-administrative
appeal. If the Agency is not made aware of the filing of the contentious-administrative
appeal within a period of two months from the day following the
notification of this resolution, the precautionary suspension will be terminated.

Mar España Martí
Director of the Spanish Data Protection Agency




























