AEPD (Spain) - EXP202105923

From GDPRhub
Latest revision as of 12:42, 13 December 2023

AEPD - PS-00087-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(d) GDPR
Type: Complaint
Outcome: Upheld
Started: 30.11.2021
Decided:
Published: 08.07.2022
Fine: 60,000 EUR
Parties: Comercializadora Regulada, Gas & Power, S.A.
National Case Number/Name: PS-00087-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: MW

The Spanish DPA fined a controller €60,000 for violating Article 5(1)(d) GDPR by delivering a customer's contract to the wrong address. The customer had a restraining order against the current resident, who now had the customer's correct address.

English Summary

Facts

The data subject filed a complaint with the Spanish DPA after a personal data breach. The controller, an electric and gas company, sent the data subject's contract to the wrong address.

The data subject had previously held a contract with the controller at their address, which was cancelled when the data subject moved. The data subject had indicated their new address when they registered again with the controller, but the controller had activated its online invoice service without updating the data subject's contact information, causing the new contract to be sent to the old address.

When the contract was mistakenly delivered to the old address, the data subject had a restraining order against the current resident, who thereby gained access to, among other things, the data subject's current address.

Holding

The DPA held that the controller had violated Article 5(1)(d) GDPR ("accuracy") for not keeping the data subject's contact information up to date. It considered the controller's negligence and routine handling of personal data as aggravating factors. For this infraction the DPA assessed a fine of €100,000. The controller ultimately paid €60,000, taking advantage of two reductions available for admitting responsibility and paying the fine before the resolution of the sanctioning procedure.

Comment

The Spanish DPA found that the controller violated Article 5(1)(d) GDPR ("accuracy"), but a more natural conclusion would be to find a violation of Article 32(1)(d) GDPR ("adoption of adequate technical and procedural measures"). This somewhat strained interpretation may be explained by the fact that the LOPDGDD categorizes Article 5 GDPR violations as "very serious" and Article 32(1) GDPR violations as merely "serious." The two categories differ both in statute of limitations and maximum fine.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202105923

RESOLUTION OF TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT

In the procedure instructed by the Spanish Data Protection Agency, and based on the following

                                 BACKGROUND


FIRST: On April 1, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against COMERCIALIZADORA REGULADA, GAS & POWER, S.A. (hereinafter, the claimed party), through the Agreement transcribed below:


<<

File No.: EXP202105923

AGREEMENT TO INITIATE SANCTIONING PROCEDURE



In the actions carried out by the Spanish Data Protection Agency, and based on the following



                                     FACTS




FIRST: On November 30, 2021, A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency.




The claim is directed against COMERCIALIZADORA REGULADA, GAS &
POWER, S.A. with NIF A65067332 (hereinafter, the claimed party).



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es

The claim is based on the fact that the claimed entity sent the electricity supply contract for the complainant's new home, which contained all of their personal data, including the new address, to the address of their former residence, where the person against whom they hold a restraining order lives.




The complainant attaches a copy of the letter sent by the claimed party stating that a copy of the contract is enclosed, as well as a copy of the contract itself.




SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), on December 29, 2021, the claim was transferred to the claimed party so that it could analyse it and inform this Agency, within one month, of the actions carried out to comply with the requirements set forth in the data protection regulations.




On January 31, 2022, this Agency received a response letter indicating that the complainant has contracted gas and electricity supplies at the address located at ***ADDRESS.1 since November 16, 2021.



Previously, the complainant had been the holder of an electricity supply contract located at ***ADDRESS.2, until that contract was terminated due to a change of ownership.




It has been verified in the systems of the Regulated Marketer that, at the time the contract was registered on November 16, 2021, although the complainant indicated ***ADDRESS.1 as the correspondence address, the On-Line Invoice service was activated but the main address associated with the complainant was not updated, which is why the copy of the contract was sent to the previous primary address associated with the customer's NIF, which was ***ADDRESS.2.



THIRD: On February 14, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the complainant was admitted for processing.

FOUNDATIONS OF LAW

I



By virtue of the powers that article 58.2 of the RGPD recognizes to each supervisory authority, and in accordance with the provisions of articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.



                                             II




Article 5 of the RGPD establishes the principles governing the processing of personal data, indicating the following:

“1. Personal data shall be:

a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; in accordance with Article 89(1), further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes ("purpose limitation");

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

2. The controller shall be responsible for, and be able to demonstrate, compliance with paragraph 1 ("accountability").”




                                            III


In the present case, the complaining party reports the claimed party for having sent the supply contract for the complainant's new address to the address of their former residence, where the person against whom the complainant holds a restraining order lives.




The claimed party has argued that the complainant had been the holder of an electricity supply contract located at ***ADDRESS.2, until that contract was cancelled due to a change of ownership, and that the complainant registered again on November 16, 2021, contracting gas and electricity supplies at the address located at ***ADDRESS.1.




Previously, the complainant had been the holder of an electricity supply contract located at ***ADDRESS.2, until that contract was terminated due to a change of ownership.



Although the new address was indicated at the time of registration, the On-Line Invoice service was activated without updating the address, which is why the copy of the contract was sent to ***ADDRESS.2.




Therefore, in accordance with the available evidence, and without prejudice to what results from the instruction of this sanctioning procedure, it is considered that this constitutes unlawful processing of personal data, since the complainant's supply contract, which contained their personal data, including their address, was sent to an incorrect address, thereby incurring an infringement of article 5.1.d) for not having kept the data up to date, as indicated in legal foundation II.

IV




Article 72.1 a) of the LOPDGDD states that “in accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein are considered very serious and shall be time-barred after three years, and in particular the following:

a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679.”




V



In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be taken into account, which state:



“Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.”




“Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case, due regard shall be given to the following:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentional or negligent character of the infringement;

c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;

e) any relevant previous infringements by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;

j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”


Regarding point k) of article 83.2 of the RGPD, article 76 of the LOPDGDD, “Sanctions and corrective measures”, provides:


"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the infringement.

b) The link between the offender's activity and the processing of personal data.

c) The profits obtained as a result of committing the infringement.

d) The possibility that the conduct of the affected party may have induced the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The affectation of the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject.”

In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the fine to be imposed on COMERCIALIZADORA REGULADA, GAS & POWER, S.A. with NIF A65067332, as responsible for an infringement classified in article 83.5.a) of the RGPD, in an initial assessment the following factors are considered to concur in the present case as aggravating circumstances:
    - The intentionality or negligence in the infringement, since given the activity of the claimed party, greater care is required in the processing of the data (83.2.b) GDPR)
    - The link between the offender's activity and the processing of personal data, because the business activity of the claimed party involves continuous processing of personal data (76.2.b) LOPDGDD)




This infringement may be sanctioned with a fine of up to €20,000,000 or, in the case of an undertaking, an amount equivalent to up to 4% of the total global annual turnover of the preceding financial year, whichever is higher, in accordance with article 83.5 of the RGPD.




Pursuant to these criteria, it is considered appropriate to impose on the claimed entity a fine of 100,000 euros (one hundred thousand euros) for the infringement of article 5.1 d) of the RGPD, regarding the processing of personal data.

Therefore, based on the foregoing,

the Director of the Spanish Data Protection Agency

AGREES:



FIRST: TO INITIATE SANCTIONING PROCEDURE against COMERCIALIZADORA REGULADA, GAS & POWER, S.A. with NIF A65067332, in accordance with the provisions of article 58.2.b) of the RGPD, for the alleged infringement of article 5.1 d) of the RGPD, classified in article 83.5.a) of the RGPD and, for the purposes of limitation, in article 72.1 a) of the LOPDGDD.

SECOND: TO APPOINT B.B.B. as instructor and C.C.C. as secretary, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).




THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complainant and its documentation, the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase, as well as the report of previous Inspection actions.




FOURTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, the sanction that could correspond would be 100,000 euros (one hundred thousand euros), without prejudice to what results from the instruction.



FIFTH: TO NOTIFY this agreement to COMERCIALIZADORA REGULADA, GAS & POWER, S.A. with NIF A65067332, granting a hearing period of ten days to formulate the allegations and present the evidence it considers appropriate. In its brief of allegations it must provide its NIF and the procedure number appearing at the top of this document.




If within the stipulated period it does not make allegations to this initial agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP).



In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed is a fine, it may acknowledge its responsibility within the period granted for formulating allegations to this initial agreement, which will entail a reduction of 20% of the sanction to be imposed in this procedure, equivalent in this case to 20,000 euros. With the application of this reduction, the sanction would be set at 80,000 euros, and the procedure would be resolved with the imposition of this sanction.



Similarly, it may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will entail a reduction of 20% of its amount, equivalent in this case to 20,000 euros. With the application of this reduction, the sanction would be set at 80,000 euros, and its payment will imply the termination of the procedure.




The reduction for voluntary payment of the sanction is cumulative with that applicable for the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were applicable, the amount of the sanction would be set at 60,000 euros (sixty thousand euros).



In any case, the effectiveness of either of the two reductions mentioned will be conditional on the abandonment or waiver of any administrative action or appeal against the sanction.




If it chooses to proceed to the voluntary payment of either of the amounts indicated above, 80,000 or 60,000 euros, it must do so by paying into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the payment concept the reference number of the procedure appearing in the heading of this document and the reason for the reduction of the amount to which it avails itself. Likewise, it must send proof of payment to the General Subdirectorate of Inspection in order to continue with the procedure in accordance with the amount paid.




The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. Once this period has elapsed, it will expire and, consequently, the proceedings will be archived, in accordance with the provisions of article 64 of the LOPDGDD.




Finally, it is pointed out that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.




Mar España Martí

Director of the Spanish Data Protection Agency.
>>

SECOND: On April 26, 2022, the claimed party proceeded to pay the sanction in the amount of 60,000 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement.


                           FOUNDATIONS OF LAW


I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”




                                            II


Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures", provides the following:


"1. Once a sanctioning procedure has been initiated, if the offender acknowledges their responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the latter has been justified, the voluntary payment by the alleged offender, at any time prior to the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure shall apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

The reduction percentages provided for in this section may be increased by regulation."

In view of the above, the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: TO DECLARE the termination of procedure EXP202105923, of
in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to COMERCIALIZADORA REGULADA, GAS & POWER, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.


                                                                               936-240122

Mar España Martí
Director of the Spanish Data Protection Agency