AEPD (Spain) - PS/00188/2019: Difference between revisions

From GDPRhub
No edit summary
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
{{DPAdecisionBOX
! colspan="2" |AEPD - PS/00188/2019
 
|-
|Jurisdiction=Spain
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:logoES.jpg|center|250px]]
|DPA-BG-Color=background-color:#ffffff;
|-
|DPAlogo=LogoES.jpg
|Authority:||[[AEPD (Spain)]]
|DPA_Abbrevation=AEPD (Spain)
[[Category:AEPD (Spain)]]
|DPA_With_Country=AEPD (Spain)
|-
 
|Jurisdiction:||[[Data Protection in Spain|Spain]]
|Case_Number_Name=PS/00188/2019
[[Category: Spain]]
|ECLI=
|-
 
|Relevant Law:||[[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]
|Original_Source_Name_1=AEPD
[[Category:Article 5(1)(f) GDPR]]
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00188-2019.pdf
|-
|Original_Source_Language_1=Spanish
|Type:||Complaint
|Original_Source_Language__Code_1=ES
|-
|Original_Source_Name_2=
|Outcome:||Upheld
|Original_Source_Link_2=
|-
|Original_Source_Language_2=
|Decided:||5.11.2019
|Original_Source_Language__Code_2=
[[Category:2019]]
 
|-
|Type=Complaint
|Published:||n/a
|Outcome=Upheld
|-
|Date_Started=
|Fine:||None
|Date_Decided=05.11.2019
|-
|Date_Published=
|Parties:||Madrileña Red De Gas, S.A.U.  
|Year=2019
|-
|Fine=None
|National Case Number:||PS/00188/2019
|Currency=
|-
 
|European Case Law Identifier
|GDPR_Article_1=Article 5(1)(f) GDPR
|n/a
|GDPR_Article_Link_1=Article 5 GDPR#1f
|-
|GDPR_Article_2=
|Appeal:||n/a
|GDPR_Article_Link_2=
|-
|GDPR_Article_3=
|Original Language:||[[Category:Spanish]]
|GDPR_Article_Link_3=
Spanish
 
|-
|EU_Law_Name_1=
|Original Source:||[https://www.aepd.es/es/documento/ps-00188-2019.pdf AEPD (in ES)]
|EU_Law_Link_1=
|}  
|EU_Law_Name_2=
|EU_Law_Link_2=
 
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
 
|Party_Name_1=Madrileña Red De Gas, S.A.U.
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
 
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
 
|Initial_Contributor=
|
}}


The AEPD fined a gas distribution company €12,000 for a violation of Article 5(1)(f) of the GDPR.   
The AEPD fined a gas distribution company €12,000 for a violation of Article 5(1)(f) of the GDPR.   

Latest revision as of 14:08, 13 December 2023

AEPD (Spain) - PS/00188/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 05.11.2019
Published:
Fine: None
Parties: Madrileña Red De Gas, S.A.U.
National Case Number/Name: PS/00188/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The AEPD fined a gas distribution company €12,000 for a violation of Article 5(1)(f) of the GDPR.

English Summary

Facts

A customer of a gas distribution company (Madrileña Red De Gas, S.A.U) complained to the AEPD claiming that the company had provided the complainant's tenant with his personal data without prior authorisation to do so. The DPA found that the supply contract was only between the complainant and the company, so that the tenant was a third party.

Dispute

Was the principle of confidentality under Article 5(1)(f) GDPR violated?

Holding

By sharing personal data with a third party, the company failed to comply with the principle of confidentiality provided for in Article 5(1)(f) GDPR. The company was fined € 12,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.






Product No.: PS/00188/2019
938-0419

DECISION ON DISCIPLINARY PROCEEDINGS
In the sanctioning procedure PS/00188/2019, instructed by the Spanish Data Protection Agency, to the entity MADRILEÑA RED DE GAS S.A.U., (hereinafter, "the claimed entity"), in view of the complaint presented by Ms. A.A.A., (hereinafter, "the claimant"), and based on the following,
BACKGROUND
FIRST: On 28/08/18, this Agency received a written submission from the complainant, in which she stated, among other things, the following: "In relation to the gas supply contract with Madrileña de Gas, of which I am the sole holder of contract no.
***CONTRACT.1 and not having given any representation to third parties, the company has provided the tenant of the property of my property, located in
***ADDRESS.1 information about my data and consumption history, giving me the tenant transfer of this, through an image via WhatsApp, on 11/08/18". A copy of the message received via WhatsApp is provided.
SECOND: In view of the facts set out in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the investigative powers granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD). Thus, on 10/10/18, 25/10/18 and 15/01/19, information requests are addressed to the entity MADRILEÑA SUMINISTRO DE GAS, S.L. located at: c/ Anabel Segura 16 Edif. Vega Norte I 28108 Alcobendas (Madrid).
THIRD: On 15/01/19, a request for information is addressed to the claimant, so that she can present information in this Agency, about the rental contract of the property that is the object of the claim and a copy, if applicable, of the extension contract until the time of presentation of the claim. This documentation is sent to this Agency on 21/01/19.
The contract, signed on 16/09/17, states that the rented property is located in the ***ADDRESS.1. The owner of the property is Ms. A.A.A. with an e-mail address for notification purposes ***EMAIL.1 and the tenants are Mr. B.B.B. and Ms. C.C.C., with an e-mail address for notification purposes ***EMAIL.2
FOURTH: On 07/02/19, the Subdirectorate General for Data Inspection made an information request to the entity MADRILEÑA RED DE GAS, SAU located at c/ Virgilio 2, B, Edificio 1, Centro Empresarial Arco; 28223 Pozuelo de Alarcón, (Madrid), requesting that it submit information regarding the claim presented by the claimant as a result of the communication of data from her contract to third parties.
FIFTH: On 15/02/19, the entity MADRILEÑA RED DE GAS SAU, sent to this Agency a letter informing, among others, that: "Madrileña Red de Gas is a gas distribution company, which among other tasks. manages the requests for commissioning processed by the Marketing Companies. As a result
 



of a gas supply contract that these companies manage with the end users. Therefore, Madrileña Red de Gas cannot provide them with a copy of the supply contract, understanding that this document must be provided by the marketing company with which the user has negotiated the supply contract.
For the supply point CUPS of which information is requested in the call referenced in the following point, at the time of said call, there was no contract in force since 2013, date in which the previous contract was cancelled. Therefore, this point was available in the system for new contracts and was not associated to any holder. On the other hand, the holder of the previous contract, already cancelled, which is recorded in our records, is a third person who does not coincide with the claimant in his request for information. Finally, trying to find out some information that would clarify this query, we did not locate any records related to the interested party
With respect to the procedure used to identify the person who submitted the request for information, our system records a call to our telephone platform made on 13/04/18 by the user, Ms. D.D.D., requesting the Universal Supply Point Code, located in the ***DIRECTION.2. In order to provide the CUPS code, the telephone agent asked the user to identify herself by providing her name and ID number, at which point she provided this information. No personal data were provided since, as explained above, this point of supply was available in the system for new contracts and was not associated to any holder".
SIXTH: On 20/02/19, the Subdirectorate General for the Inspection of Data informed the entity MADRILEÑA RED DE GAS SAU, on detecting in the letter received on 15/02/19, an alteration in the data provided. Thus, on 06/03/19, the claimed entity sent a letter to this Agency, informing that
"After reviewing the code provided with numbering ***REFERENCE.1 we have found a record associated with a point of supply. in which the holder of the contract was Ms. A.A.A. until 22/10/18 and the system records an email received in the mailbox atención.usuarios@madrilena.es, in April 2018 requesting information on consumption of a point of supply. Specifically, this request referred to the reading history of Mrs. A.A.A., indicating that the applicant's ID was ***NIF.1. After verifying that the person who claimed to be requesting the information actually had an active contract corresponding to the informed ID, the requested consumption data was sent exclusively.
The data transferred are limited to the consumption of the supply point linked to the ID card and in the name of the applicant, A.A.A., in the period from 31/12/10 to 15/09/12. This information is sent by email to the same email from which the request for information is made, ***EMAIL.3.
SEVENTH: On June 24, 19, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the entity complained of, by virtue of the powers established in Article 58.2 of the RGPD and in Articles 47, 64.2 and
68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), for the infringement of
 



Article 5.1.f) of the RGPD typified in Article 83.5.a) of the RGPD and considered very serious, for the purposes of prescription, in Article 72.1.a) of the LOPDGDD, arguing in the same that: it has been verified that, the reference number of the consultation that appears in the complaint is associated to a point of supply of which the claimant was holder until 22/10/18. The consultation, nº ***REFERENCE.1 was made by e-mail to the address atención.usuarios@madrilena.es, in April 2018, indicating as the applicant's ID, that of the contract holder.
Although the claimed entity provides the reply mail to the application nº
***REFERENCE.1 and states that it is the same as that of the sender of the solitude, it is verified that the data do not correspond with those of the holder of the supply contract, since in that address appears as the recipient E.E.E. < ***EMAIL.3
>.Nor does it provide the mail through which the information is requested and in which the data of the claimant was supposedly indicated.

EIGHTH: Once the agreement to initiate the proceedings had been notified, the requested entity, MADRILEÑA RED DE GAS (MRG), by means of a letter dated 10/07/19, formulated, in summary, the allegations already set out in the proposed resolution.

NINTH: On 09/08/19, the period for the practice of evidence began, and it was agreed: (a) to consider the complaint filed by the complainant and its documentation, the documents obtained and generated that form part of file E/00242/2019, as reproduced for evidential purposes, and (b) to consider the allegations to the agreement to initiate PS/00188/2019, presented by the complainant, as reproduced for evidential purposes.

TENTH: On 02/09/19, the proposal for a sanctioning resolution was notified, consisting of the Director of the Spanish Data Protection Agency sanctioning the entity complained of for infringement of Article 5.1.f) of the RGPD, typified in Article 83.5.a) of said regulation and considered "very serious" for the purposes of prescription, in Article 72.1.a) of the LOPDGDD, on the grounds that, according to the documentation in the file: "from the electronic mail
***EMAIL.2, belonging to the tenants of the house located at ***ADDRESS.1, since September 2017, an e-mail was sent, using the personal data of the owner of the house, (her name and ID card), to the e-mail address of the entity, MADRILEÑA RED DE GAS SAU, atencion.usuarios@madrileña.es , to request the gas consumption made in the house during the years 2011 and 2012.

The claimed entity, considering that the applicant of such information was duly identified with the data provided, forwarded to the e-mail address of the tenants the consumption data of the dwelling in the years 2011 and 2012 of the owner of the dwelling.

It is noted the lack of diligence, in the accreditation of the identity of the applicant by the entity, since it did not require sufficient evidence for proper identification as a customer, moreover, when in the field "sender", the email of the request, appeared another person other than the owner of the contract, shows that the entity does not guarantee compliance with the RGPD when verifying that the data of the person who contacts them, is who he says he is.
 




It must be reiterated that this sanctioning procedure opened against MADRILEÑA RED DE GAS SAU, refers to the processing of personal data managed by the company and the lack of diligence in adopting appropriate measures to ensure compliance with the RGPD, in this case, with regard to the usurpation of the identities of customers and fraud that this may give rise to, without going into assessment here, that the data offered by the company afterwards were or were not covered by the RGPD (Article 4 and recital 30)".

Eleventh: Once the proposal for a resolution has been notified, the requested entity presents allegations to the proposal within the period granted for that purpose, essentially arguing the following:

"In the FIRST point of the section PROVEN FACTS of the writing of the PROPOSAL, a rental contract is included between the claimant Ms. A.A.A. and her tenants Mr. B.B.B. and Ms. C.C.C.. This contract establishes a link between the tenants and the mail ***EMAIL.2. However, MRG has no knowledge of the existence of such a contract, much less the data of the tenants, so it can not link this mail to a third person so that it is aware that it is not a mail from the contract holder who is using to communicate with MRG. From our point of view, what this contract shows is the following: a) That the owner provides his personal data to his tenant for the purpose of managing the contractual relationship between the parties, a relationship demonstrated by this contract. Therefore, the tenants have the necessary information to identify themselves on behalf of the gas supply contract holders. Whether this use is improper or not, we cannot determine because we do not know the terms of the contract or what was agreed between the parties. b) It is demonstrated that, as alleged by MRG in the response to the proposed sanction dated 06/27/19, Ms. A.A.A. failed to comply with her obligations by not transferring her gas contract to the tenant or formally notifying MRG. By not complying with this requirement, MRG cannot in any way be aware of this situation. Furthermore, since the tenant has the holder's identification data, it makes it very difficult in practice to reliably identify the information applicant as the holder of the contract.

We insist that, according to article 21, 1, c) of Royal Decree 1434/2002 which regulates the activities of transport, distribution, marketing. supply and authorisation procedures for natural gas installations, the obligation is imposed on the holder of the supply point, in this case the claimant, "That the natural gas is for its own use", a legal obligation that the claimant is infringing by allowing the gas to be used by a different person. in this case the tenant.

In addition, Article 36.2 of this Royal Decree 1434/2002 establishes that: 2. The supply contract is personal, and its holder must be the actual user of the fuel, which may not be used in a place other than that for which it was contracted, nor may it be assigned or sold to anyone. It may be transferred to third parties under the conditions established in art. 39. 1 of said Royal Decree 1434/2002: 1. The holder of the
 



shall inform the distribution company by means of a communication that will enable it to have a record for the purposes of issuing the new contract.

In point 2 of the TESTED FACTS, it is stated that mailings requesting information on consumption are made from ***EMAIL.2. However, this is not correct. As can be seen in the emails that were added to the file, the emails are sent from the account ***EMAIL.3 which does not appear to be the one in the contract between the owner and her tenant either. We would like to point out that this error is not the first to occur in the processing of this procedure.

Already in the first communication addressed to MRG, the AEPD was asked for information on a supply point that was not related to this case. Subsequently, and as the AEPD explains in its own proposal for a sanction and in the ANNEX, several communications have been sent notifying MADRILENA SUMINISTRO DE GAS, a company totally unrelated to MRG, of this case. In this respect, in its previous letter it was implied that MRG had not replied to the communications of the AEPD when, in fact, these notifications were unduly addressed to another addressee by the AEPD itself not correctly identifying the addressee. In the response to the previously submitted Proposal for an Agreement to Initiate Sanctions, MRG attempted to provide as evidence a recording of a call where the caller is identified as A.A.A., provides the contact email
***EMAIL.2 and a meter reading is provided. However, the system implemented by the AEPD does not allow the attachment of voice files, so the sending could not be done. When the response to the AEPD was recorded, this circumstance was reported by requesting an alternative channel to send this file. We want to put on record that MRG has not received a response from the AEPD so far, so this document could not be sent. We believe that this call provides information on how in communications with MRG, the contract holder, reports the mail of the user ***EMAIL.2 as communication mail with MRG. The operator consults various data in the file to identify the holder. If the caller is misusing the data, this responsibility cannot be attributed to MRG, even more so when in our opinion this situation is caused by the failure of the holder to change the contract and allow a different holder from the consumer. Attached to this letter is a copy of the document requesting the AEPD to provide an alternative communication channel for this voice file and a transcript of the conversation contained in this voice file.

In the LAW FUNDAMENTALS it is stated that 'the lack of diligence, in the accreditation of the identity of the applicant by the claimed entity, since it did not require sufficient evidence for the correct identification as a client, is verified. It also states, in the same section, that 'the lack of diligence in the accreditation of the identity of the applicant by the requested entity is established, since it did not require sufficient evidence for correct identification as a client. "lack of diligence in the adoption of adequate measures to ensure compliance with the RGPD, in this case, with regard to the usurpation of the identities of the customers and the fraud that this may give rise to". The point of the RGPD by which it is proposed to sanction MRG is that contained in Article 5.1.f) 1. Personal data will be: processed in such a way as to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against loss, destruction
 



or accidental damage, through the application of appropriate technical, organizational measures (integrity and confidentiality).

In view of the said article, we understand that MRG must take measures to identify the applicant within the existing possibilities, as it has done in the present case, but that it is up to MRG to prevent in any way a usurpation of identity or to avoid its damage, when it is the complainant itself that fails to comply with its obligations established in the legislation (cited) on the supply of natural gas and provides its personal identification data to third parties so that they can usurp its identity, we consider that it exceeds the provisions of the aforementioned article. We cannot agree that MRG has not had the due diligence to prove the identification of the information applicant. On the contrary, the necessary identification data has been requested to see that the request came from the owner.

In the RIGHT FOUNDATIONS it says 'in the field "sender" of the email of the request appeared another person different from the holder of the contract. In this respect we would like to clarify that the name that appears in relation to an email address, in no case can be taken as an identifying data. Changing that name in the account is trivial. Simply by editing his profile, the account holder can put the text he prefers, identifying himself, a third party, or any other text. This change can also be made at any time, not just when the account is being designed. In fact, the name displayed in the mail is E.E.E., not D. B.B.B. or Dª C.C.C.. Therefore, the e-mail, when its function is to establish a communication channel, cannot be a data to be considered to identify the applicant since there is no guarantee that it certifies neither its ownership nor its use by the interested party. Therefore, the suspicions that should have been aroused by the E.E.E. mail, according to the interpretation of the Proposal of Sanction, is not an objective criterion.

It should also be taken into consideration that gas distribution and marketing companies are obliged by Royal Decree 1434/2002 to maintain a telephone channel available to customers. Identification through these channels must be done by contrasting identification data, since at this time there is no technology to make identification more secure. Demanding other types of identification (verification of telephone numbers, e-mails, passwords) at this time, due to the profile of the consumer and the technical means extended socially, would lead to the impossibility of providing the service. As explained in the previous letter, in the Resolution of 12 April 2011, from the Directorate General for Energy Policy and Mines, which approved the framework procedure for telephone, electronic and telematic contracting for the natural gas market, the email is not recorded as one of the data to identify the holder, using name and ID card to identify the person. The e-mail channel, in this sense, is similar to the telephone channel. It can be verified that the sender presents the necessary identifying data (Name and DNI), but others, like for example the email, we have already verified that it cannot be an identifying data because of the null guarantees that it offers. To demand that a holder always addresses MRG from the same email would be as much as to force him to always call from the same phone number and that it would be the one that the distribution company had registered in order to attend the user. We want to make clear that MRG has always acted in good faith, considering that the applicant was properly identified with the data of the holder (Name, Surname
 



and DNI). If the tenant, or any other person, has made a bad use of the supply point holder's data (data that have NOT been provided by MRG), supposedly impersonating him without his authorization, Madrileña Red de Gas is NOT, and cannot be, responsible for the inadequate and illegal action of this person, and to whom the claimant, as supply point holder, has had to provide his identification data (name, surname and DNI).

However, the claimant has not fulfilled its obligations to notify the distributor of the change of contract when formalizing the rent, which leaves MRG in a situation of defenselessness since it provides its data to a tenant but MRG can not know this situation. According to the above regulations it appears that MRG If I request all the identification data of the supply point holder to ensure adequate security of personal data before providing the information on consumption; the data of the supply point holder (Name. Surname and ID), to verify the identity of the petitioner, in a way that ensures adequate security and confidentiality of personal data, including to prevent unauthorized access or use of such data and the equipment used in the treatment, so it has NOT violated the recital (39) of the RGPD, or has not violated any provision of the RGPD, or incurred in any violation of the RGPD, or Article 5.1.f), or any other, so any penalty is inappropriate.

We also believe that it should be taken into consideration that MRG has at this moment 906.912 active clients, that in a high percentage make managements. as much by telephone as by email. However, this is the first case of a claim for an improper identification of the interested party. We believe that this guarantees that the procedures followed, always susceptible to error and improvement, are adequate and achieve the proper identification of the interested parties. On the other hand. and having established that, in violation of the above regulations, the claimant maintains the ownership of the point of supply in his name, although it is intended for use by third parties, such as the tenant, it is also not accredited that the consumption data provided by the gas distributor MRG correspond to the claimant or any other third party, for example, tenants. who used the property. This situation, by itself, leaves the present file without any object, proceeding that its file is agreed. 7) Regarding the data provided by MRG, as accredited in the file, they are ONLY referred to the consumption of natural gas in a given period for a given supply point, without further detail or additional information. Therefore, it is not accredited that personal data of the owner have been disclosed that are not already known by the applicant of the information. 8) In the Penalty Procedure, there is no response to the answer given to the consideration as aggravating the fact of not having notified the incident proactively by Madrileña Red de Gas. We insist in this respect that MRG did not have knowledge of the situation until it received the request for information from the AEPD, and that, in any case, Madrileña Red de Gas was the object of deception in order to obtain said information, if indeed it was not requested by the complainant, since otherwise it would not have been sent. 9) Finally, we understand that if the Resolution of Sanction is maintained because the arguments of MRG are not taken into account, the fact that the holder of the contract has not complied with its obligations to change the holder at the time must be considered as mitigating
 



of renting the property, as this creates the identification problems seen in this case.

This assumption is in line with the provisions of the LOPD in its Art 76.2 d) Art
76. Sanctions and corrective measures. In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account: (d) The possibility that the conduct of the person concerned may have led to the commission of the infringement. In any case, MRG will consider whether the identification of the supply point holder in the requests for information can be strengthened by expanding the information to be provided by the applicant without violating its intimate and personal sphere. In view of the above, and NOT having violated MRG recital (39) of the RGPD, or breached any precept of the RGPD. or incurred in any violation of the RGPD. or of art 5.1.f), or of any other, any sanction is inappropriate and the AEPD is requested to agree to the termination of the present sanctioning procedure".

In view of the foregoing, the following are considered to be proven facts by the Spanish Data Protection Agency in these proceedings
PROVEN FACTS
From the proceedings in the present case, from the information and documents submitted by the parties, the following have been established

1 In the lease presented by the claimant, it is noted that the lease was concluded on 16/09/17. The rented property is located in the
***The owner is Ms. A.A.A. with ID ***NIF.1 and the tenants are Mr. B.B.B. and Ms. C.C.C.

It should also be noted that, in point twenty of the contract, under "Notifications", "***EMAIL.2" and the telephone number ***TELEFONO.1" are indicated as the lessee's e-mail address for notification purposes.

2. On April 4, 6, and 7, 2018, three e-mails are sent from the address: E.E.E., ***EMAIL.3 (Apple mail used when using an Apple device), to the address: atencion.usuarios@madrileña.es, with subject: "A.A.A. reading history" and with the text: "Good afternoon, with ID ***NIF.1, I request consumption history from 31/12/10 to 15/09/12. Sent from my iPhone 5.

3º On 13/04/18 an e-mail is sent from the address atencion.usuarios@madrileña.es to the address E.E.E., ***EMAIL.3 with Subject: A.A.A. Reading History, and with the message: "Thank you for contacting Madrileña Red de Gas. In response to your request for reference ***REFERENCE.1 we detail the readings requested ..."

The information is then divided into three columns: the first column indicates the "date of registration", with 15 readings, ranging from 31/12/10 to 08/11/12; the second column details the "consumption in cubic metres" and the third column indicates the "type of reading", whether it has been estimated, provided or actual.
 





LEGAL BASIS

I
By virtue of the powers that Article 58.2 of the RGPD grants to each supervisory authority, and as established in Article 47 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II
The joint evaluation of the documentary evidence in the procedure gives the AEPD a view of the performance of the entity complained of, which has been reflected in the facts declared proven.

However, in the present case, with respect to the allegations presented by the entity complained of in the proposal for a resolution, it should be clarified that, when in the proposal for a resolution, in the section on "proven facts", it is indicated that, "of the actions carried out in these proceedings, of the information and documentation presented by the parties, the following have been proven" ..., it is indicated that the facts listed below are affirmed as a result of the investigations carried out by this Agency, and by the documentation provided by the parties. They are facts that the Agency takes as true to make the proposal of resolution. Thus, in point 1 of the proven facts, it has been stated, as of the lease contract, that the tenants of the property in question have as their e-mail address ***EMAIL.2 (or account "@icloud.com", when using iOS or macOS operating systems, in Apple branded devices). E-mail address, from which they contacted the MRG entity to request consumption data from a third party.

Regarding the call transcribed by the entity MRG, indicate that it was made on 06/08/18 and was to give a meter reading. The same entity, in writing sent to this Agency on 06/03/19, indicates: "(...) the system records an email received in the mailbox atención.usuarios@madrilena.es , in April 2018 requesting consumption information from a supply point". Specifically, this request referred to the reading history of Dª A.A.A., indicating that the applicant's DNI was ***NIF.1 (...). From all of the above, it can be seen that the date on which the events in this file occurred (April 2018), is prior (3 months) to the call that the entity claims. It is also noted that the phone number indicated in the call of 06/08/18 by the person who contacts the entity MRG, does not correspond with the phone of the holder of the supply, but with the number of the tenant of the house.

When MRG states that: "(...) the email, when its function is to establish a communication channel, can not be a data to be considered to identify the applicant as there is no guarantee that they certify neither its ownership nor its use by the person concerned", is recognizing with this, a foreseeable security breach in their systems, because any person who contacts them through this means and indicate that, is who really is not, providing a minimum identification, such as name or ID, the entity MRG considers it
 



as valid, thus demonstrating a clear symptom of lack of diligence in taking appropriate measures to ensure that the person who contacts them is who they say they are and not someone else.

For all these reasons, from the documentation in the file, there are clear indications that the respondent violated Article 5 of the RGPD, principles relating to the processing, in relation to Article 5 of the LOPGDD, duty of confidentiality, by disclosing to a third party the personal data of the complainant through an email sent by the respondent.

The claimant has provided the e-mail sent by a third party in which there is a link that leads to a summary of the claimant's purchase, and this third party has seen her data, being aware of the facts because this person sent her an e-mail explaining what happened, indicating that her telephone line is associated with the claimant's data.

The duty of confidentiality, previously a duty of secrecy, must be understood as having the purpose of preventing the data from being filtered without the consent of the data owners.

Therefore, this duty of confidentiality is an obligation incumbent not only on the person responsible for and in charge of the processing, but also on all those who intervene in any phase of the processing, and is complementary to the duty of professional secrecy.

In this regard, the Audiencia Nacional ruled in its judgment of 18 January 2002, in which it stated, in its second point of law: "The duty of professional secrecy incumbent on the persons responsible for automated files ... means that the person responsible - in this case, the appellant bank - for the data stored
-This duty of secrecy is essential in today's increasingly complex societies, where technical advances place individuals at risk for the protection of fundamental rights, such as privacy or the right to data protection under Article 18(4) of the EC. In effect, this precept contains an "institute for the guarantee of the rights to privacy and honour and the full enjoyment of the rights of citizens which, furthermore, is in itself a fundamental right or freedom, the right to freedom from potential attacks on the dignity and freedom of the person resulting from the illegitimate use of the mechanised processing of data (STC 292/2000)
…”

For all these reasons, the lack of diligence, in the accreditation of the identity of the applicant by the MRG entity, is noted, since it did not require sufficient evidence for the correct identification of the person who was contacting them.

III
Article 5.1.f) of the RGPD states that: "personal data shall be processed in such a way as to ensure adequate security,
 



including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, through the implementation of appropriate technical or organisational measures".

For its part, and after the evidence obtained in the phase of previous investigations and throughout the investigation of the procedure, it is appropriate in this case to comply with the provisions of Article 83.2 of the RGPD, for the purpose of fixing the amount of the penalty to be imposed in the present case:

(a) As aggravating criteria:

- The way in which the control authority became aware of the infringement. By taking cognizance of the complaint, (paragraph h).

(b) As mitigating criteria:

- The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages they have suffered (paragraph a).

- The non-intentionality of the infringement, (paragraph b).

- No previous infringement committed by the controller or processor (paragraph e).

- The categories of data affected by the infringement, (paragraph g).

- The non-existence of financial benefits obtained through the infringement (paragraph k).

On the other hand, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established by Article 76.2 of the LOPDGDD. As aggravating criteria:

- The link between the activity of the offender and the processing of personal data, (paragraph b).

The balance of the circumstances contemplated in Article 83.2 of the RGPD, with regard to the infringement committed, on violating the provisions of Article 5.1.f), allows a sanction of 12,000 ('12,000) to be set, considered as "very serious", for the purposes of the prescription of the same, in 72.1.a) of the LOPDGDD.

In view of the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency

RESOLVED:

FIRST: TO IMPOSE on the entity MADRILEÑA RED DE GAS a penalty of 12,000 euros (twelve thousand euros), for the infringement of Article 5.1.f) of the RGPD.
 




SECOND: TO NOTIFY this resolution to the entity MADRILEÑA RED DE GAS. and, in accordance with article 77.2 of the RGPD, TO INFORM the claimant of the result of the claim.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

THIRD: To warn the sanctioned party that the sanction imposed must be made effective once this resolution has become enforceable, in accordance with the provisions of Article 98.1(b) of Law 39/2015, of October 1, on Common Administrative Procedure for Public Administrations, within the period for voluntary payment indicated in Article 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of 17 December, by payment into the restricted account no. ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., or else it will be collected during the enforcement period.

Once the notification has been received, and once it has been executed, if the execution date is between the 1st and 15th of each month, inclusive, the deadline for making the voluntary payment will be up to the 20th of the following month or the immediately following working month, and if it is between the 16th and last day of each month, inclusive, the deadline for payment will be up to the 5th of the second following month or the immediately following working month.

In accordance with the provisions of Article 37.2 of the LOPD, in the wording given by Article 82 of Law 62/2003 of 30 December on fiscal, administrative and social order measures, this Resolution shall be made public, once it has been notified to the interested parties. The publication shall be carried out in accordance with the provisions of Instruction 1/2004, of 22 December, of the Spanish Data Protection Agency on the publication of its Resolutions and in accordance with the provisions of Article 116 of the regulations implementing the LOPD approved by Royal Decree 1720/2007, of 21 December.

Against this resolution, which puts an end to the administrative procedure (Article 48.2 of the LOPD), and in accordance with the provisions of Articles 112 and 123 of Law 39/2015, of 1/10, on the Common Administrative Procedure of Public Administrations, the interested parties may, optionally, file an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this resolution, or, directly to the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13/07, regulating Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, in accordance with the provisions of Article 46.1 of the aforementioned legal text.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal.
 



If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that accredits the effective lodging of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it will terminate the precautionary suspension.


Mar Spain Martí
Director of the Spanish Data Protection Agency