AEPD (Spain) - EXP202203969: Difference between revisions

From GDPRhub
 

Latest revision as of 13:08, 13 December 2023

AEPD - PS/00139/2023
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 83(5)(a) GDPR
Type: Complaint
Outcome: Upheld
Started: 20.04.2023
Decided: 19.07.2023
Published: 18.08.2023
Fine: 70,000 EUR
Parties: HOLALUZ-CLIDOM S.A.
National Case Number/Name: PS/00139/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA fined HOLALUZ €70,000 for unlawful data processing without consent by registering the electricity supplies of several properties of the data subject, violating Article 6(1) GDPR.

English Summary

Facts

Holaluz is an electric power and gas commercialization company. It has three three channels for contracting: internet, telephone and commercial networks (with collaboration contracts).

On July 28, 2021 four energy supply contracts were signed up through the collaborator BLANER ENERGY, S.L. for supply points associated with the data subject.

On December 11, 2021 the data subject contacted Holaluz communicating the identity fraud suffered in order to contract with Holaluz, stating that it was not her who signed and subscribed to the agreement.

On May 4, 2022, the data subject initiated a procedure at AEPD against Holaluz for unlawful data processing without her consent, based on the identity theft to contract with Holaluz for electricity contracts.

Allegedly, based on the fraudulent contract between the data subject and Holaluz, the company proceeded with the cancellation of the energy contract the data subject had previously with another energy commercial company, Energía XXI, using her personal data without her consent.

As a result, there was a discharge of electric energy supplies from one of her four properties subscribed to Energía XXI. In addition, the email address given in the contract did not actually belong to the data subject.

Holaluz alleged that was unable to detect that the contracting had been signed without the consent of the data subject, considering that the collaborator appeared to be truthful in the contracting. Holaluz affirmed that it randomly performs a subsequent review of the contract made by new employees and that Blaner carries out its activities for them both directly or through “sub-agents”.

They also confirmed the deletion of the data subject’s personal data from its database.

Holding

AEPD concluded that Holaluz has registered the electric energy supplies of four properties from the data subject, using her personal data, without her consent and, based on that, the processing was unlawful.

AEPD considered the fact that the data subject had previously subscribed to energy supplier service with Energía XXI and that the contract informed a different email address than the one the data subject has.

In addition, although Holaluz has a system for validating the contracts made by its employees and commercial partners, AEPD considered that there is no evidence that the validation was carried out correctly in this case, since they send the contracts unsigned as well as the e-mail sent for such validation for an email that did not belong to the data subject.

The AEPD pointed out a violation of Article 6(1) GDPR by processing data without an adequate basis of legitimacy, since the data subject had not given her consent to carry out such contracts. It was determined that personal data were incorporated into the company's information system without accrediting a legitimate contract, and therefore the processing was unlawful, leading to a fine of €70,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/17











     File No.: EXP202203969


       RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                   VOLUNTEER


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
                                 BACKGROUND


FIRST: On April 20, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanction proceedings against HOLALUZ-CLIDOM,
S.A. (hereinafter the claimed party). Once the initiation agreement has been notified and after analyzing the
allegations presented, on June 19, 2023, the proposal for
resolution which is transcribed below:


<<


File No.: EXP202203969



      PROPOSED RESOLUTION OF SANCTION PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on

to the following:

                                 BACKGROUND

FIRST: Ms. A.A.A. (hereinafter, the claiming party) dated March 2,

2022 filed a claim with the Spanish Data Protection Agency. The
claim is directed against HOLALUZ-CLIDOM, S.A. with NIF A65445033 (in
forward, the claimed or Holaluz). The reasons on which the claim is based are the following:
following:


The complaining party states that Holaluz has registered the energy supplies
electricity of four properties that the claimant had previously signed with the
marketer Energía XXI using your personal data, without your
consent.


In addition, the complaining party indicates that it became aware of such a situation in the month of
December 2021 when the supply cut occurred in one of the
estate.

And, provide the following relevant documentation:





C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/17








    - Allegations made by Holaluz, on February 2, 2022, in which
       states that it has sent the claimant an agreement on which it has not
       received reply.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5

December, Protection of Personal Data and guarantee of digital rights (in
forward LOPDGDD), said claim was transferred to Holaluz, so that
proceed to its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.


The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), was collected on April 5, 2022 as stated
in the acknowledgment of receipt in the file.


On April 28, 2022, this Agency received a written response
indicating:

- That it is a marketer of electricity and gas. It also has
of three channels for contracting: internet, telephone, and sales network. With
the latter sign collaboration contracts.

- That on July 28, 2021 they registered through the collaborator
BLANER ENERGY, S.L (hereinafter Blaner) four supply points associated with
the claimant. The coding of said supply points (CUPS) is:
***ENCODING.1, ***ENCODING.2, ***ENCODING.3, and
***ENCODING.4.


- That, due to the fact that the employee appeared to be truthful in the hiring, he did not
was able to detect that said contract had been carried out without the consent of the
holder, until the complaining party revealed it.

- That they appear in the Holaluz database (“since they are the same incorporated
by the collaborator") associated with the complaining party the email

***USER.1@gmail.com and the phone number ***PHONE.1.

- That within the framework of the contracting, the
conditions to the email address linked to the consigned claimant
in the contract for validation. The latter issue which, as indicated, was
done.


- That the problem that occurred was that the email address
e-mail consigned in the contract did not actually belong to the owner, but rather
was "knowingly facilitated by the Collaborator to perpetuate his fraud, something
that, in principle, it was impossible to detect on this side, despite the mechanisms of

established controls”.

- That on December 11, 2021 the claimant contacted the defendant
communicating the identity theft suffered in the execution of said
hires.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/17









- That he contacted the collaborator in order to clarify the facts on the 17th of
January 2022 and, after no response, again on January 24, 2022.

- That as a measure to prevent this type of event from occurring, it

randomly a subsequent review of the quality of the calls and the discharges
made by new collaborators. It states that the protocol consists of the
internal customer service agents of the defendant call a
significant percentage of new customers contributed by commercial channels
with whom a collaboration contract had been signed the previous month.


- That it proceeds to delete the personal data of the claimant from its
databases.

Relevant documentation provided by Holaluz:


- Contract for the provision of services signed on March 30, 2017 between
CLIDOM ENERGY, S.L. and Blaner whose object includes the processing of customer registrations
in relation to the supply of electrical energy (hereinafter
Collaborator Contract#2).

- Email dated January 17, 2022 addressed from

gestiones@holaluz.es to ***USUARIO.2@blanerenergy.es in which the
claim received in relation to the contracted CUPS. In it it is stated that
“the contracts were validated from an email that is not yours
***USUARIO.1@gmail.com" and information is requested in this regard.

- Email dated January 24, 2022 addressed from

gestiones@holaluz.es to ***USUARIO.2@blanerenergy.es in which it communicates
that has to deal with the claim since it does not have the "sales call" and
expresses that "the channel will have to take charge of the invoices until the date of
low".

THIRD: On May 4, 2022, in accordance with article 65 of the

LOPDGDD, the claim presented by the claimant party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)

2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following extremes:

RESULT OF INVESTIGATION ACTIONS


Holaluz, in its response to the transfer made by the AEPD, stated that on the 28th of
July 2021, the supply points were registered through the collaborator Blaner
associated with the claimant that are the subject of controversy.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/17








In relation to these contracts, both Holaluz and Blaner have provided the
following documents (document annexed to the Writ under the name of "Contracts", and
annex II the EscritoBlaner):

Four documents are provided with the documentation mentioned in the

aforementioned paragraphs and that each of them refers to each of the four
supply points

Blaner has confirmed that he carries out the activity of a collaborator of the defendant through
of the telephone and face-to-face sales channels. It also states that it exercises its
activity for the claimed both directly and through "subagents". So,

expresses that the contracts that are the subject of controversy were carried out through the
subagent (...).

FIFTH: According to the report collected from the AXESOR tool, the entity
HOLALUZ-CLIDOM, S.A. is a large company established in 2010, and with a
turnover of 564,590,423 euros in the year 2021.


SIXTH: On April 20, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (in
hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in
Article 83.5 of the GDPR.


SEVENTH: Notification of the aforementioned initiation agreement in accordance with the established regulations
in Law 39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), the claimed party submitted a written
of allegations in which it repeats the response to the request dated April 28,

2022, in summary, stated that: <<that, in relation to the possible violation of the
principle of legality, although it is true that HOLALUZ-CLIDOM, S.A, hereinafter
(CLIDOM) responds and identifies with the definitions referring to the person responsible for
treatment in articles 4 and 24.1 of the GDPR, it is before the contractual relationship that
exists with Blaner Energy 2 S.L. (hereinafter, "Blaner") for the purposes of the contract of
signed with it on March 30, 2017 and updated on December 1, 2017.

December 2021 for the performance of contract promotion services
supply of electricity and acquisition of potential customers, which is attached
for the record for the appropriate purposes as Document number 1 and 2
respectively.

For the fulfillment of the contract, the processing of personal data is required

physical, since Blaner must capture potential clients so that they register with
CLIDOM's energy supply services. Notwithstanding the foregoing, it is
It is important to emphasize that, in the contract signed between the two parties, CLIDOM, as
responsible for the treatment, included, as a contractual obligation, Blaner, as
of treatment manager, the proactive responsibility of collecting the
consent of the interested parties in accordance with the requirements of the GDPR.


That, in this case, a commercial hired by Blaner, posing as
A.A.A. (hereinafter, the Client), registered in CLIDOM the supply points with
CUPS ***ENCODING.1; ***ENCODING.2; ***ENCODING.3;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/17








***ENCODING.4, respectively. which, as can be verified
The commercial then validated both contracts with his own email
(***USUARIO.1@gmail.com), thus perpetuating recruitment fraud:

That the person in charge Blaner, acted against the instructions of CLIDOM as soon as

to the obligation to obtain the consent of the interested parties since, this supplanted
the identity of the affected party and, in addition, signed an invalid consent without
could comply with the principles of transparency, freedom and express consent.
Therefore, Blaner being fully responsible for the negligent actions of
your provider, for breach of article 6.1 of the GDPR.


That is why, on May 10, my client sent an email
addressed to Blaner requesting again the documentation that accredits the
hiring -since it had already been required on previous occasions-.
Likewise, a reminder of the contractually established obligations was made
that concern the Collaborator.


Next, Blaner was contacted again on May 12 after the
negative response from the latter. The email chain between the two is attached
parties involved as Document number 3.

CLIDOM has implemented verification and assurance measures for the

actions entrusted to Blaner, thus complying with the principle of
proactive responsibility.

Likewise, in order to comply with the principle of proactive responsibility, we also
Blaner is requested documentation proving that the interested party has consented to the
treatment of your data for the management of the contracting of your supply of

energy.

In addition, and again to comply with the principle of responsibility
proactively, CLIDOM establishes in its Annex IV different measures to control the
quality of services provided by Collaborators, among which are
verification of the privacy, security and confidentiality policies applied

by the Collaborators, verification of the security controls applied
by Collaborators to their subcontractors, etc. Finally, CLIDOM sent the
document related to the "Recruitment and activation procedures" to all its
Collaborators whose content establishes the clear guidelines set by the
Company for the formalization of contracts.


In the present case, on February 17, Blaner was sent the email
attaching the aforementioned document. It is provided as Document number 5, the document
regarding the Procedures and as Document number 6 the email sent to Blaner.

Request. - That, taking this document as presented, it is served to admit it, and, by virtue,

Consider that the allegations against the Commencement Agreement have been presented in a timely manner
and, in view of the foregoing statements, issue a resolution by which,
Estimating these allegations, disciplinary procedure No. EXP202203969 is
archived>>.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/17








EIGHTH: On May 17, 2023, the instructor of the procedure agreed
practice the following tests: <<1. They are reproduced for probative purposes the
claim filed by Ms. A.A.A. and its documentation, the documents
obtained and generated during the phase of admission to processing of the claim, and the
report of previous investigation actions that are part of the procedure

AI/00230/2022. 2. Likewise, it is considered reproduced for evidentiary purposes, the
allegations to the agreement to initiate the aforementioned sanctioning procedure,
presented by HOLALUZ-CLIDOM, S.A., and the documentation that they
accompanies. The result of these tests may lead to other tests>>.

NINTH: A list of documents in the file is attached as an annex.

procedure.

                                PROVEN FACTS

Of the actions carried out in this procedure and of the information and

Documentation presented has proven the following facts:

First: Holaluz, on July 28, 2021, registered through its collaborator
Blaner four supply points associated with the claimant. The encoding of
said supply points (CUPS) is: ***CODE.1, ***CODE.2,
***CODE.3, and ***CODE.4 that the claimant previously had

subscribed with the marketer Energía XXI using their personal data,
without your consent.

Second: It is verified that the contracting process implies the sending for its
validation, via email, of the contractual conditions to the
email address linked to the holder in the contract itself.


Third: That in the Holaluz database associated with the complaining party there are
the email ***USER.1@gmail.com and the telephone number
***TELEPHONE 1.

Fourth: It is proven that the email address stated in the contract does not

It actually belonged to the owner.

Fifth: It is verified that in the email dated January 17, 2022 addressed
from gestiones@holaluz.es to ***USUARIO.2@blanerenergy.es the
claim received in relation to the contracted CUPS. In it it is stated that
“the contracts were validated from an email that is not yours

***USUARIO.1@gmail.com" and information is requested in this regard.

Sixth: It is verified in the email dated January 24, 2022 addressed
from gestiones@holaluz.es to ***USUARIO.2@blanerenergy.es it is communicated that
has to address the claim since it does not have the "sales call" and expresses

that "the channel will have to take charge of the invoices until the cancellation date."

                           FUNDAMENTALS OF LAW

                                           Yo

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/17








                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."


                                           II
                           Arguments to the initiation agreement

As stated by the claimant in its statement of claim dated March 2
of 2022, that Holaluz has registered the electrical energy supplies of four
properties that the claimant had subscribed with the marketer Energía XXI

using your personal data without your consent

Definitely. The claimant denounces identity theft to contract with
Holaluz four contracts of light. The defendant alleges that the hiring was done by his
in charge of the treatment fraudulently by stating an address of
email different from the one the claimant has.


Well then, the defendant has planned a contract validation system that
carried out by those in charge, and although it indicates that in the present case the
validation correctly, there is no evidence in this regard, since it sends the contracts
without signing as well as sending the email for such validation, but there is no
evidence that such validation has been performed by someone.


It is proven that the defendant processed the personal data of the claimant without
legitimacy for it. It is clear that Holaluz (incoming marketer) had to
manage the withdrawal of the claimant's contracts with the outgoing marketer
(Energía XXI), which is done through the number of CUPS that is associated with the
households.


Law 24/2013, of December 26, of the electricity sector (hereinafter, "Law of the
Electric"), establishes the consumer's right to change company
marketer in accordance with the provisions of the European directives of the market
electricity inside.

For this, the regulations establish the general process that must be carried out between the
new marketer or incoming marketer, the distributor and the

existing marketer or outgoing marketer. Said change implies the registration of
a new energy supply contract with the incoming retailer and the deregistration
of the existing contract with the outgoing marketer, through an agent who
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/17








execute the change that is the distributor.

Likewise, article 46 of the Electricity Sector Law establishes among the obligations
of the marketers, in its section 1 letter g) that of "Formalize the contracts of
supply with consumers in accordance with the regulations that result

of application". The mention by the Law of the obligation to formalize the contract between
the obligations of the marketers shows that it is the
marketer the holder of the supply contract with the consumer. Therefore,
corresponds to the retailer and, in the event of a change of retailer, to the
incoming marketer, verify the identity and the voluntary, correct and informed

provision of consent by the consumer, who is his counterpart in the
supply contract.

In this sense, the new marketer (the defendant) will have to manage the cancellation
of the claimant's contract with its outgoing retailer (Energía XXI), which is
It is done through the CUPS number that is associated with the home. Definitely,
treats your personal data.


Thus, having been accredited that the defendant processed the personal data
of the claimant, who denies her consent to the treatment, and while the first
has not provided any evidence to disprove such evidence, it is estimated that the
facts that are submitted to the evaluation of this Agency could constitute
an infringement of article 6.1 of the GDPR, infringement typified in article 83.5 of the
aforementioned Regulation 2016/679.

                                            II


                                  breached obligation

Article 6.1 of the GDPR establishes the assumptions that allow the use of
processing of personal data.



"1. Processing will only be lawful if it meets at least one of the following
conditions:

a) the interested party gave his consent for the processing of his personal data

for one or more specific purposes;

b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at the request of the latter of pre-contractual measures;


c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;

d) the processing is necessary to protect vital interests of the data subject or of another

Physical person.

e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the data controller;


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/17








f) the treatment is necessary for the satisfaction of legitimate interests pursued
by the person in charge of the treatment or by a third party, provided that on said

interests do not outweigh the interests or fundamental rights and freedoms of the
interested party that require the protection of personal data, in particular when the
interested is a child.


The provisions of letter f) of the first paragraph shall not apply to the treatment
carried out by public authorities in the exercise of their functions.”
On this question of the legality of the treatment, Recital 40 also affects
of the aforementioned GDPR, when it provides that "For the treatment to be lawful, the
Personal data must be processed with the consent of the interested party or on

some other legitimate basis established in accordance with Law, either in the present
Regulation or by virtue of another Law of the Union or of the Member States to which
referred to in this Regulation, including the need to comply with the legal obligation
applicable to the data controller or the need to perform a contract with
to which the interested party is a party or in order to take measures at the request of the

concerned prior to the conclusion of a contract."

In relation to the above, it is considered that there is evidence that the treatment
data of the claimant object of this claim has been made without csa
legitimizing the data collected in article 6 of the GDPR.


The GDPR applies to personal data, which is defined as "personal data":
any information about an identified or identifiable natural person ("data subject");
An identifiable natural person shall be considered any person whose identity can be
be determined, directly or indirectly, in particular by means of an identifier, such as
for example a name, an identification number, location data, a

online identifier or one or more elements of physical identity,
physiological, genetic, psychological, economic, cultural or social of said person.

The documentation in the file shows that the defendant violated the
Article 6.1 of the GDPR, since it processed the personal data of

the claimant without having any standing to do so. The personal data of
the claimant were incorporated into the company's information systems, without
that he has proven that he had contracted legitimately, disposed of his
consent to the collection and further processing of your personal data, or
there was some other cause that would make the treatment carried out lawful.

The personal data of the claimant were registered in the files of the

claimed and were processed for the issuance of invoices for services associated with the
claimant. Consequently, it has processed personal data without
that has accredited that it has the legal authorization to do so.

Article 6.1 of the GDPR states that processing "will be lawful if it is necessary for the
performance of a contract to which the interested party is a party.

It was therefore essential that the defendant prove to this Agency that the

claimant had contracted with it for the supply of electricity; that at the time
of the recruitment had deployed (through its treatment manager) the
diligence that the circumstances of the case required to ensure that the person

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/17








who canceled the service with the marketer "Energía XXI", registering with
Holaluz was indeed its headline.

It should be noted that the defendant in his response to the request for information
of this Agency dated April 28, 2022 and in its allegations to the Agreement of
Start dated May 16, 2023 acknowledges that the email address

consigned in the contract did not actually belong to the owner, but was
“knowingly facilitated by the Collaborator to perpetuate his fraud, something that, in
principle, it was impossible to detect on this part, despite the control mechanisms
established”.

Email dated January 17, 2022 addressed from

gestiones@holaluz.es to ***USUARIO.2@blanerenergy.es in which the
claim received in relation to the contracted CUPS. In it it is stated that
“the contracts were validated from an email that is not yours
***USUARIO.1@gmail.com" and information is requested in this regard.

Email dated January 24, 2022 addressed from

gestiones@holaluz.es to ***USUARIO.2@blanerenergy.es in which it communicates
that has to deal with the claim since it does not have the "sales call" and
expresses that "the channel will have to take charge of the invoices until the date of
low".

Well then, Holaluz has planned a contract validation system that

carried out by those in charge, and although it indicates that in the present case the
validation correctly, there is no evidence in this regard, since it sends the contracts
without signing as well as sending the email for such validation, but there is no
certainty that such validation has been performed.


Hence, the defendant does not accredit a basis of legitimacy for the treatment of the
data of the complaining party.

In this sense, Recital 40 of the GDPR states:

 "(40) For processing to be lawful, personal data must be processed with
the consent of the interested party or on some other established legitimate basis
in accordance with Law, either in this Regulation or under another Law

of the Union or of the Member States referred to in this Regulation,
including the need to comply with the legal obligation applicable to the data controller
treatment or the need to execute a contract in which the interested party is a party or
in order to take measures at the request of the interested party prior to the
conclusion of a contract."

                                         IV.

                       Classification and classification of the offense

In accordance with the evidence available at the present time of
agreement to start the disciplinary procedure, and without prejudice to what results from the
instruction, it is considered that the facts exposed fail to comply with the provisions of the
article 6.1 of the GDPR, so it could mean the commission of an infringement

typified in article 83.5 of the GDPR, which provides the following:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/17









 Violations of the following provisions will be penalized, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,

in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:

a) The basic principles for the treatment, including the conditions for the
consent in accordance with articles 5, 6, 7 and 9.”


The LOPDGD, for the purposes of the prescription of infringements, qualifies in its article
72.1 of very serious infractions, being in this case the limitation period of three
years, "b) The processing of personal data without the concurrence of any of the
conditions of legality of the treatment established in article 6 of the Regulation

(EU) 2016/679”.

                                           V
                                 Sanction proposal

In order to determine the administrative fine to be imposed, the

provisions of articles 83.1 and 83.2 of the GDPR, precepts that state:

"Each control authority will guarantee that the imposition of administrative fines
under this Article for infringements of this Regulation
indicated in sections 4, 9 and 6 are effective in each individual case,
proportionate and dissuasive.”

"Administrative fines will be imposed, depending on the circumstances of each

individual case, in addition to or in lieu of the measures contemplated in
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case shall be duly taken into account:

a) the nature, seriousness and duration of the offence, taking into account the
nature, scope or purpose of the processing operation in question

such as the number of interested parties affected and the level of damages that
have suffered;

b) intentionality or negligence in the infraction;

c) any measure taken by the controller or processor to
alleviate the damages and losses suffered by the interested parties;

d) the degree of responsibility of the controller or processor,
taking into account the technical or organizational measures that they have applied under

of articles 25 and 32;

e) any previous infringement committed by the controller or processor;

 f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the potential adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/17








h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person in charge or the person in charge notified the infringement and, if so, in what
extent;

i) when the measures indicated in article 58, paragraph 2, have been ordered

previously against the person in charge or the person in charge in relation to the
same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or to mechanisms of
certification approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or

indirectly, through the infringement.”

Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679

may also be taken into account:

a) The continuing nature of the offence.

b) The link between the activity of the offender and the performance of data processing.

personal information.

c) The benefits obtained as a consequence of the commission of the infraction.

d) The possibility that the conduct of the affected party could have led to the commission

of the offence.

e) The existence of a merger by absorption process subsequent to the commission of the
violation, which cannot be attributed to the absorbing entity.


f) The affectation of the rights of minors.

g) Have, when it is not mandatory, a data protection delegate.

h) Submission by the person responsible or in charge, on a voluntary basis, to

alternative conflict resolution mechanisms, in those cases in which
there are controversies between those and any interested party.”


In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the fine to
impose on the defendant, as responsible for an infraction typified in article

83.5.a) of the GDPR, in an initial assessment, the following are considered concurrent
factors:
- The seriousness of the infringement taking into account the scope of the operation of

treatment, circumstance provided for in article 83.2.a) GDPR.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/17










Significant circumstance in the case examined in which it affects that they were

various electricity supply contracts to which the defendant would have linked the
personal data of the claimant and the issuance of the corresponding invoices.




- "The link between the activity of the offender and the performance of treatment of
personal data", circumstance provided for in article 76.2.b) LOPDGDD in connection

with article 83.2.k) GDPR.



The business activity of the defendant necessarily processes personal data. This

characteristic of its business activity has an impact, reinforcing it, on the diligence that
must unfold in compliance with the principles that preside over the treatment of
personal data and the quality and effectiveness of the technical measures and

organizational measures that must be implemented to guarantee respect for the right
fundamental.




As a circumstance that mitigates the liability required, without prejudice to what
results from the instruction, in this phase of the procedure the

provided for in article 83.2. c) GDPR: "any measure taken by the person responsible or
in charge of the treatment to alleviate the damages and losses suffered by the
interested”.




He immediately proceeded to manage the cancellation of the services and the payment of the
billed amounts.


It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of 70,000

€ for violation of article 83.5 a) GDPR.

In view of the foregoing, the following is issued


                            PROPOSED RESOLUTION

That the Director of the Spanish Agency for Data Protection sanctions
HOLALUZ-CLIDOM, S.A. with NIF A65445033, for a violation of Article 6.1 of the

GDPR, typified in Article 83.5 of the GDPR, a fine of 70,000 euros (seventy thousand
euro).

Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be
informs that it may, at any time prior to the resolution of this

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/17








procedure, carry out the voluntary payment of the proposed sanction, which
It will mean a reduction of 20% of the amount of the same. With the application of this

reduction, the sanction would be established at 56,000 euros and its payment will imply the
completion of the procedure. The effectiveness of this reduction will be conditioned by the
withdrawal or waiver of any administrative action or appeal against the
sanction.


In case you choose to proceed to the voluntary payment of the specified amount
above, in accordance with the provisions of the aforementioned article 85.2, you must do it
effective by depositing it in the restricted account no. ES00 0000 0000 0000 0000
0000 open in the name of the Spanish Data Protection Agency in the entity

bank CAIXABANK, S.A., indicating in the concept the reference number of the
procedure that appears in the heading of this document and the cause, for
voluntary payment, reduction of the amount of the sanction. You must also send the
Proof of admission to the Sub-Directorate General of Inspection to proceed to close

The file.

By virtue of this, you are notified of the foregoing, and the procedure is revealed.
so that within TEN DAYS you can allege whatever you consider in your defense and
present the documents and information that it deems pertinent, in accordance with

article 89.2 of the LPACAP).

B.B.B.
INSPECTOR/INSTRUCTOR

































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/17










                                     EXHIBIT
File index EXP202203969

03/02/2022 Claim by A.A.A.
03/30/2022 Claim by A.A.A.
03/31/2022 Transfer of claim to HOLALUZ-CLIDOM S.A.
04/28/2022 Response to HOLALUZ-CLIDOM SA requirement
05/04/2022 Admission for processing to A.A.A.

06/22/2022 Request. information Hello Luz to HOLALUZ-CLIDOM, S.A.
07/28/2022 Response to HOLALUZ-CLIDOM SA requirement
02/06/2023 ORANGE requirement to ORANGE ESPAGNE, S.A.U.
02/06/2023 TELEFONICA request to TELEFÓNICA DE ESPAÑA, S.A.U.
02/08/2023 DEUTSCHE requirement to DEUTSCHE BANK, S.A.E.
02/08/2023 Request TELEFÓNICA MOVILES to TELEFÓNICA MÓVILES ESPA-

ÑA, S.A.U.
02/09/2023 Postal Blaner Requirement to BLANER ENERGY S.L.
02/09/2023 Blaner requirement to BLANER ENERGY S.L.
02/09/2023 HolaLuz 2 requirement to HOLALUZ-CLIDOM, S.A.
02/09/2023 Diligence References

02/13/2023 Allegations of C.C.C.
02/14/2023 Response to DEUTSCHE BANK SAE requirement
02/17/2023 Allegations of D.D.D.
02/17/2023 Response to D.D.D.
02/24/2023 Response to HOLALUZ-CLIDOM SA requirement

03/03/2023 Communication from BLANER ENERGY, LIMITED PARTNERSHIP
03/06/2023 Blaner 2 requirement to BLANER ENERGY S.L.
03/06/2023 DRC requirement to E.E.E.
03/23/2023 Information on planned actions
04/20/2023 Commencement agreement to HOLALUZ-CLIDOM, S.A.
04/24/2023 Information. Claimant to A.A.A.

05/05/2023 HOLALUZ-CLIDOM SA term extension request
05/08/2023 Amp. Term to HOLALUZ-CLIDOM, S.A.
05/16/2023 Allegations of HOLALUZ-CLIDOM SA
05/16/2023 Communication from HOLALUZ-CLIDOM SA
05/17/2023 Notification p. tests to HOLALUZ-CLIDOM, S.A.


>>

SECOND: On July 1, 2023, the claimed party has proceeded to pay the
penalty in the amount of 56,000 euros making use of the reduction provided for in the

motion for a resolution transcribed above.

THIRD: The payment made entails the waiver of any action or resource in the
against the sanction, in relation to the facts referred to in the
resolution proposal.


                         FUNDAMENTALS OF LAW

                                         Yo

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/17








                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character

subsidiary, by the general rules on administrative procedures."

                                           II
                            Termination of the procedure

Article 85 of Law 39/2015, of October 1, on Administrative Procedure

Common for Public Administrations (hereinafter LPACAP), under the heading
"Termination in disciplinary proceedings" provides the following:

"1. Initiated a disciplinary procedure, if the offender acknowledges his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction has only a pecuniary nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the presumed perpetrator, in
any moment prior to the resolution, will imply the termination of the procedure,

except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the
The competent body to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative among themselves.

The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or resource against the sanction.

The percentage reduction provided for in this section may be increased

according to regulations."

According to what has been stated,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the termination of procedure EXP202203969, in
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to HOLALUZ-CLIDOM, S.A..

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/17










In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative process as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.



                                                                                  968-171022
Mar Spain Marti
Director of the Spanish Data Protection Agency











































28001 – Madrid 6 sedeagpd.gob.es