AEPD (Spain) - EXP202307313: Difference between revisions

AEPD - EXP202307313
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 6(1) GDPR Article 83(5) GDPR
Type:	Complaint
Outcome:	Upheld
Started:	13.04.2023
Decided:	31.07.2024
Published:	16.10.2024
Fine:	60,000 EUR
Parties:	Curenergía
National Case Number/Name:	EXP202307313
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	Ao

The DPA fined an energy provider €60,000, after its processor erroneously assigned the data subject to a different company and therefore unlawfully disclosed personal data to that company.

English Summary

Facts

On the 13 April 2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller, an electricity provider. The data subject had been a customer of the controller until 2021 and on the 12 April 2022 again wanted to register as a customer with the controller. The customer service team of the controller contacted the data subject to confirm his account and telephone number.

The data subject alleged that the controller was still in possession of the data subject’s personal data such as his ID card number, his name and his address as he did not have to provide this data anew.

After supplying data to the customer service team of the controller, the data subject received an email from the controller as well as another electricity company, the partner company of the controller, asking him to sign the attached pdf contract. The contract included personal data such as the data subject’s name, address and IBAN. The data subject therefore concluded that the controller had transferred personal data to its partner company without the data subject’s consent.

After the submission of the complaint, the AEPD launched preliminary investigative procedures to clarify the facts of the case. The partner company submitted to the AEPD that the controller and itself do not maintain any sort of relationship in the processing of personal data and that each company solely processes the data of its own customers without there being any cross-over. However, both companies belong to the Iberdrola Group and use the same processor for their customer service. The partner company ensured that there is a system in place which identifies which customers belong to which company. The partner company further submitted that the customer service employee had made a mistake and sent the contract from the wrong company. Immediate steps were taken to cancel the contract with the partner company.

The controller further submitted that they had responded to the data subjects email notifying them of the mistake just three hours later with an apology.

Holding

On the 31 of July 2024, the AEPD commenced sanctioning proceedings against the controller. It highlighted that the controller had irresponsibly handled the data which led to another entity having access to the data without the data subject's consent. The AEPD demonstrated that the transfer of data to the partner company was processing which the data subject never consented to.

The AEPD considered that the unlawful processing of personal data by the partner company of the controller was caused by an accident but insisted that this does not negate the unlawful act.

The AEPD held that the controller had infringed Article 6(1) GDPR and set a fine of €100,000 based on the controller’s annual turnover (Article 83(5)) GDPR). The fine was reduced to €60,000 as the controller accepted the judgement and the voluntary payment procedure.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/16

File No.: EXP202307313

RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY

PAYMENT

From the procedure instructed by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: On July 31, 2024, the Director of the Spanish Data Protection
Agency agreed to initiate sanctioning proceedings against CURENERGÍA
COMERCIALIZADOR DE ÚLTIMO RECURSO, S.A.U. (hereinafter, the

respondent), by means of the Agreement transcribed below:

<<

File No.: EXP202307313

AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and
based on the following:

FACTS

FIRST: D. A.A.A. (hereinafter, the claimant) on April 13, 2023
filed a claim with the Spanish Data Protection Agency. The
claim is directed against CURENERGÍA COMERCIALIZADOR DE ÚLTIMO
RECURSO, S.A.U. with NIF A95554630 (hereinafter, the respondent or
Curenergía). The reasons on which the claim is based are the following:

The complainant states that he was a Curenergía customer until 2021, and that
he subsequently contacted the electricity supplier of last resort (***EMAIL.1) by email on April 12, 2022, to sign up again with Curenergía.

He adds that Curenergía already had the supply data because he had previously been a
customer of said company, so in the customer service area by telephone they only
asked him for some of his data to confirm if they were the same (power, account number and
phone number), while he did not provide the other data (ID, name, postal address).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/16

In confirming the data requested, he received an email from ***EMAIL.1
indicating that "I confirm that I have just sent the policy with electronic signature to your email."

He also received an email from "***EMAIL.2" asking him to electronically
sign the PDF contract, sent by Iberdrola Clients.

Thus, the claimant states that Curenergia transferred all his data (ID, IBAN, name, surname, address) to Iberdrola Clients without his consent so that

it could formalize the electricity supply contract with the latter, having never
maintained any type of relationship with Iberdrola Clients.

The following documentation is provided with the notification:

Email dated April 12, 2023, sent by the claimant to
***EMAIL.3, stating the following:

<<I had this contract Supply contract reference (CURENERGÍA
COMERCIALIZADOR DE ÚLTIMO RECURSO S.A.U.): ***TELEPHONE.1 with
CURENERGIA which is currently with another marketer. I wanted to

put it back with CURENERGIA in PVPC>>.
Response from Curenergía Clientes dated April 12, 2023:

<<We confirm that we have received your email and that we have started the
necessary steps to respond to you as soon as possible>>.

Email from Curenergía Clientes dated April 12, 2023 addressed to the
complainant:

<<To carry out the procedure you request, it is necessary that you indicate to me, if you are so kind,
the following information: The name of the marketing company with which you are currently

registered. If you are the current holder or if you are going to change. Bank account
in which you wish to direct debit the payment. Contact telephone number. Contracted power
in each of the sections, peak and off-peak. If you wish to receive correspondence by
regular or electronic mail and address.

Email from the claimant dated April 12, 2023:

<<The name of the marketing company with which you are currently: NATURGY If you are the current holder or if you are going to change: SAME HOLDER Bank account in which you want to direct debit the payment: ***PAYMENT.1 Contact telephone number:
***PHONE.2 Contracted power in each of the sections, peak and valley: No
changes: PEAK 0.100 kW and VALLEY 0.700 kW If you want to receive correspondence by

regular or electronic mail and address: BY EMAIL ***EMAIL.4>>

Email from Curenergía Clientes dated April 12, 1:10 p.m. addressed to the
claimant:

<<I confirm that I have just sent the policy with electronic signature to your email so that if you agree and the data is correct, I ask you to continue these
simple steps: You will receive an email with a link to the document so that you can view it
from your device. When you click on the link, you will be redirected to a website, where you must

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/16

allow access by clicking on the "Start" check. This screen will only appear
on your first access. You will access the platform to view the PDF with the offer and, at
the end of the document, you can accept the offer or reject it>>.

Email from Iberdrola Customers for the claimant dated April 12,
2023, 1:06 p.m. addressed to the claimant:

<<Dear A.A.A., Thank you for your interest in contracting with Iberdrola. To view
and sign the offer and its conditions, click the View document button in this

email. Once the document has been opened, go to the last page and select
the Accept and Sign option. After signing it, you will receive a copy of the document in
your email>>.

Contract sent by Iberdrola Clientes, S.A.U. to the claimant dated April 12,

2023, where the following data appears:

<<ELECTRICITY SUPPLY CONTRACT CONTRACTING PARTIES
Retailer: IBERDROLA CLIENTES, S.A.U. Tax ID: A95758389
Registered Office: Plaza Euskadi 5, 48009 Bilbao Customer Service Telephone:
***TELEPHONE.3 / ***TELEPHONE.4 IBERDROLA CLIENTES, S.A.U. is authorized

by the Directorate General of Energy Policy and Mines of the Ministry of Energy,
Tourism and Digital Agenda for the activity of marketing electricity and
natural gas. CUSTOMER Surname and First Name/Company Name: A.A.A. NIF: ***NIF.1 Date of
Birth: SUPPLY ADDRESS Supply address: ***ADDRESS.1
SPECIFIC CONDITIONS PRODUCTS AND SERVICES TO BE

CONTRACTED Stable Electricity Plan SUPPLY CONDITIONS Type of
contract: Normal Voltage: 1X230 V Access rate: BT 2.0 TD Mode 1 Power
Contracted: Peak: 100 W Valley: 700 W CUPS: ***CUPS.1 Distribution Company:
UFD Distribución de Electricidad, S.A. Attention Network Failures: XXXXXXXXX
ECONOMIC CONDITIONS ELECTRICITY PRICE Power Term

Peak: 34.504864 €/kW and year Power Term Valley: 6.377714 €/kW and year
Energy Term: 0.201984 €/kWh The cost will be added to the prices>>

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to the respondent party, so that

it could proceed to its analysis and inform this Agency within a period of one month, of the
actions carried out to comply with the requirements provided for in the data protection
regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of

October 1, on the Common Administrative Procedure of Public Administrations
(hereinafter, LPACAP), was received on June 1, 2023, as
shown in the acknowledgment of receipt in the file.

No response has been received to this transfer letter.

THIRD: On July 13, 2023, in accordance with article 65 of the
LOPDGDD, the claim submitted by the claimant was admitted for processing.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/16

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
preliminary investigation actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in
article 57.1 and the powers granted in article 58.1 of Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and in

compliance with the provisions of Title VII, Chapter I, Section two, of the
LOPDGDD, being aware of the following points:

1. In relation to the facts claimed, the representatives of IBERDROLA
CLIENTS in response to the request of this Agency, dated October 6, 2023, make the following statements:

Article 12.3 of Law 24/2013, of December 26, on the Electricity Sector,
establishes within the framework of regulation of the separation of activities, that "the
distribution companies and the reference marketing companies that
form part of a group of companies that develops regulated and

free activities in the terms provided for in this law, will not create confusion in their
information and in the presentation of their brand and brand image with respect to the
identity of the subsidiaries of their same group that carry out marketing activities".

As a consequence of the aforementioned provision, IBERDROLA CLIENTES and

CURENERGIA COMERCIALIZADORA DE ÚLTIMO RECURSO, S.A.U (hereinafter "CURENERGIA") do not maintain any type of relationship in the
processing of the personal data of their clients.

Each of the two marketing companies maintains its own treatments, without any confusion or permeability between them, so that each

of the marketing companies only processes the information of its own clients and does not
process any personal data of those who do not have this status.

Both entities belong to the Iberdrola Group and both maintain links with
the same service provider for telephone customer service of the two companies, which acts as the data processor for both companies.

In these cases, the Iberdrola Group has adopted the necessary measures to
guarantee compliance with the obligations related to the separation of activities. The telephone customer service lines for IBERDROLA
CLIENTS are different from those that CURENERGIA makes available to its
clients, having established a system that allows the operator to know if the
interested party has requested the attention of one or the other entity.

Operators have express instructions related to the prohibition of cross-access to the databases of the entities, so that in the event that the interested party has contacted CURENERGIA through the telephone number, it is expressly prohibited to access the databases of IBERCLI, as well as to provide any type of information related to this entity.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/16

In relation to the specific case that is the subject of the claim, and taking into account the content of the information incorporated in the request, the sequence of events is as follows:

• On April 12, 2023, the claimant contacted CURENERGIA to enter into a contract with it,
• That same day, CURENERGIA requested a series of documents from the interested party, which were sent to it by the claimant. The CURENERGIA sales representative informs the claimant that he will send him the contract for his

signature.
• On that same date, the contract is sent to the claimant, however, an error occurs in the sales representative's
actions and he sends a contract from IBERCLI and not from CURENERGIA.
• The contract with IBERCLI was cancelled as a result of the

contracting by the Claimant of the supply with another supplier on April 14, 2023.

Thus, in the process of sending the contract to the claimant, an error occurred
on the part of the person who attended the request, as a result of which
there was a confusion between the two entities to which the operator provided
services.

The correction of this error occurred immediately, through the
cancellation of the contract signed with IBERDROLA CLIENTS.

In relation to the service provider for telephone customer service shared between IBERDROLA CLIENTES and CURENERGIA, the representatives of IBERDROLA CLIENTES declare that they do not have any type of relationship in the processing of personal data of the customers of each of the entities.

Each of the two marketing companies maintains its own processing, without any type of confusion or permeability between the two, so that each of the marketing companies only processes the information of its own customers and does not process any personal data of those who do not have this status.

In any case, given that both companies belong to the Iberdrola Group, both sometimes maintain links with the same service provider. This is the case in the case of telephone service for the customers of both companies, which is carried out in both cases by the same contact center service provider, who will act as the data processor for both companies.

They provide a copy of the contract signed by IBERCLI and UNÍSONO SOLUCIONES DE

NEGOCIO

The representatives of the entity provide a copy of the express instructions

related to the prohibition of cross-access to the databases of the entities. The telephone lines for IBERCLI customers are different from
those that CURENERGIA makes available to its customers, having established

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/16

a system that allows the operator to know if the interested party has requested the
attention of another.

This guide contains express provisions related to the prohibition of access by the operator, in the event that the interested party has contacted
it through the CURENERGIA telephone number, to access the IBERCLI databases, as well as to provide it with any type of information
related to this entity.

To prove the evidence of the cancellation of the contract entered into by mistake with
IBERDROLA CLIENTS. they provide a screenshot of the IBERCLI system where the cancellation of the contract entered into by mistake with the claimant is
evident

1. The representatives of Curenergía indicate the following on October 9, 2023,
in response to the request of this Agency:

In relation to the specific case subject to the claim, the sequence of events is as follows:

• On April 12, 2023, D. A.A.A. (hereinafter, "the Claimant")

contacted CURENERGIA to enter into a contract with it,
• That same day, CURENERGIA requests a series of
documents from the interested party, which are sent to him by the Claimant. The CURENERGIA sales representative informs the Claimant that he will send him the contract

for signature. • On the same date, the contract is sent to the Complainant, although there is an error in the actions of the salesperson and he sends a contract from IBERCLI and not from CURENERGIA.

• Immediately after receiving it, the Complainant contacts the entity, indicating that same day that the contract sent is from IBERCLI and not from CURENERGIA. CURENERGIA responds to the aforementioned email just three hours later, apologizing to the Complainant and indicating that it is an error.
• Finally, on April 13, 2023, that is, just two days after the aforementioned error occurred, the Complainant signs the electricity supply contract number ***CONTRACT.1 with CURENERGIA.

Thus, in the process of sending the contract to the claimant, an error occurred on the part of the person who attended to the request, as a result of which a confusion arose between the two entities to which the operator provided services.

The correction of this error occurred by signing the contract requested from CURENERGIA.

FIFTH: According to the report collected from the AXESOR tool, the entity
Curenergía is a large company established in 2008, and with a turnover of
2,177,703,000 euros in 2022.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/16

LEGAL BASIS

I

Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants to each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and

guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, in a
subsidiary manner, by the general rules on administrative procedures."

II

Unfulfilled Obligation

The respondent is charged with committing an infringement for violating
Article 6 of the GDPR, "Lawfulness of processing", which indicates in its section 1 the
cases in which the processing of third party data is considered lawful:

"1. Processing is only lawful if at least one of the following

conditions is met:

a) the data subject has given consent to the processing of his or her personal data
for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is

party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the
controller is subject;

d) processing is necessary to protect the vital interests of the data subject or of another

natural person;

e) processing is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the
controller;

f) processing is necessary for the purposes of the legitimate interests pursued
by the controller or by a third party, except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject which require protection of personal
data, in particular where the data subject is a child. The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions.

Moreover, Article 4 of the GDPR, Definitions, in its paragraphs 1, 2 and 11, states

that:

“1) “personal data” means any information relating to an identified or identifiable natural person
(“data subject”); an identifiable natural person is any person
whose identity can be determined, directly or indirectly, in particular by reference to
an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

“2) “processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

“11) “consent of the data subject” means any freely given, specific, informed and unequivocal indication of the data subject’s wishes by which he or she accepts, by a statement or by a clear affirmative action, the processing of personal data relating to him or her.”

In the present case, it has been proven that the respondent party violated Article 6.1
of the GDPR, since it processed the personal data of the complainant (NIF, address, universal delivery point code, email, mobile number, bank details) without any legal grounds to do so. The personal data

were incorporated by Curenergía into the information systems of Iberdrola
Clientes, without having proven that it had a legal basis for the collection and
subsequent processing of their personal data by Iberdrola Clientes, as
proven by the fact that the claimant's data were incorporated into the contract
sent by Iberdrola Clientes, S.A.U. to the claimant dated April 12, 2023,
where the following data appear:

<<ELECTRICITY SUPPLY CONTRACT CONTRACTING PARTIES

Supply company: IBERDROLA CLIENTES, S.A.U. Tax ID number: A95758389
Registered office: Plaza Euskadi 5, 48009 Bilbao Customer Service Telephone:
***TELEPHONE.3 / ***TELEPHONE.4 IBERDROLA CLIENTES, S.A.U. is authorized
by the General Directorate of Energy Policy and Mines of the Ministry of Energy,
Tourism and Digital Agenda for the activity of commercialization of electric energy and

natural gas. CLIENT Surname and First Name/Company Name: A.A.A. NIF: ***NIF.1 Date
of Birth: SUPPLY ADDRESS Supply address: ***ADDRESS.1
SPECIFIC CONDITIONS PRODUCTS AND SERVICES TO BE
CONTRACTED Stable Electricity Plan SUPPLY CONDITIONS Type of
contract: Normal Voltage: 1X230 V Access rate: BT 2.0 TD Mode 1 Power
Contracted: Peak: 100 W Valley: 700 W CUPS: ***CUPS.1 Distribution Company:

UFD Distribución de Electricidad, S.A. Attention Network Failures: XXXXXXXXX
ECONOMIC CONDITIONS ELECTRICITY PRICE Power Term

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/16

Peak: 34.504864 €/kW and year Power Term Valley: 6.377714 €/kW and year
Energy Term: 0.201984 €/kWh The cost will be added to the prices>>

Said contract was sent through the email address ***EMAIL.5, an address not
belonging to the respondent party and corresponding to a different entity that did
not participate in the contracting process with the complainant party, which shows the
improper treatment of the data.

Consequently, it has processed personal data without

proving that it has the legal authorization to do so.

In this regard, and this is essential, the respondent does not prove the legitimacy for the
transfer of the complainant's data to Iberdrola Clients.

The respondent states in response to the request of this Agency dated
October 9, 2023 that Curenergía and Iberdrola Clients have subcontracted the customer service to the
same entity.

Both operators can access the customer databases of both entities
simultaneously, but they have express instructions that when a call is received on a telephone of one of the entities,
not to access or provide information relating to the other.

The respondent claims that the facts subject to the claim were due to an error

by the salesperson, which was corrected after the affected party had informed them of what had
happened. However, this circumstance does not invalidate the fact that improper processing has occurred, nor does it remedy the lack of legitimacy in carrying out said processing.

In this regard, article 6.1 of the GDPR states that processing “will be lawful if it is
necessary for the execution of a contract to which the interested party is a party”.

Therefore, Curenergía has acknowledged the existence of an incorrect action in the
management of the data of the complainant, the consequence of which was that an entity
unrelated to the operation had access to the personal data of the complainant without
the latter's consent.

In view of the above, the respondent party fails to prove that it acted
diligently and therefore there was an unlawful processing of the personal data of the complainant, thereby contravening article 6 of the GDPR.

In this regard, Recital 40 of the GDPR states:

“(40) For processing to be lawful, personal data must be processed with the
consent of the data subject or on another legitimate basis established by law, whether in this Regulation, including the need to comply with the
legal obligation applicable to the controller or the need to execute a contract to which the data subject is a party or in order to take steps at the request

of the data subject prior to entering into a contract.”

For the above reasons, without prejudice to the outcome of the investigation of the procedure, it is clear that the personal data of the complainant has been unlawfully processed, consisting of the transfer of his/her data to an unauthorized entity, which

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/16

results in a breach of the principle of legality provided for in the aforementioned article 6.1
of the GDPR.

III
Classification and qualification of the infringement

The infringement is classified in article 83.5 of the GDPR, which considers as such:

“5. Infringements of the following provisions shall be punished, in accordance with

section 2, with administrative fines of up to EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total global annual turnover of the previous financial year, whichever is higher:

The basic principles for processing, including the conditions for

consent pursuant to articles 5, 6, 7 and 9.”

For the purposes of the limitation period of the infringement, the LOPDGD classifies in its article 72.1
as a very serious infringement, in this case the limitation period being three years, “b)

The processing of personal data without any of the conditions for the lawfulness of the processing established in article 6 of Regulation (EU) 2016/679 being met.”

IV
Proposal for a penalty

In order to determine the administrative fine to be imposed, the provisions of

Articles 83.1 and 83.2 of the GDPR must be observed, which state:

“Each supervisory authority shall ensure that the imposition of administrative fines
under this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are effective, proportionate and dissuasive in each individual case.”

“Administrative fines shall be imposed, depending on the circumstances of

each individual case, as an additional or alternative measure to the measures provided for in
Article 58, paragraph 2, points (a) to (h) and (j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, seriousness and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question,
as well as the number of data subjects affected and the level of
damage suffered by them;

b) the intentionality or negligence of the infringement;

c) any measures taken by the controller or processor to
mitigate the damage suffered by the data subjects;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/16

d) the degree of responsibility of the controller or processor, taking into account any
technical or organisational measures they have implemented pursuant to Articles 25 and 32;

e) any previous infringement committed by the controller or processor;

(f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate any adverse effects of the breach;

(g) the categories of personal data affected by the breach;

(h) the manner in which the supervisory authority became aware of the breach,
in particular whether the controller or processor notified the breach and, if so, to what extent;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned
in relation to the same matter, compliance with those measures;

(j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42; and

(k) any other aggravating or mitigating factors applicable to the circumstances of the

case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the breach.”

Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76,
“Sanctions and corrective measures”, provides:

“2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:

a) The continued nature of the infringement.

b) The connection between the offender's activity and the processing of personal data.

c) The benefits obtained as a result of committing the infringement.

d) The possibility that the affected party's conduct could have led to the commission of the infringement.

e) The existence of a merger process after the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party.”

In accordance with the provisions transcribed, and without prejudice to what results from the

instruction of the procedure, for the purposes of setting the amount of the fine to be
imposed on the respondent, as responsible for an infringement classified in article
83.5.a) of the GDPR, in an initial assessment, the following factors are considered to be concurrent:

- The seriousness of the infringement taking into account the scope of the processing operation, a circumstance provided for in article 83.2.a) GDPR.

A significant circumstance in the case examined is that it was an
electricity supply contract, to which the respondent would have linked the personal data of the
complainant. In this sense, the seriousness of the scope of the
operation is manifested in the transfer of the data to a third party who was not
authorized and to which the complainant had not given his

consent.

- “The link between the offender's activity and the processing of personal data”, a circumstance provided for in article 76.2.b) LOPDGDD in connection

with article 83.2.k) RGPD.

The business activity of the defendant necessarily processes personal data,

being one of the most important electricity companies in Spain. This characteristic
of its business activity has an impact, reinforcing it, on the diligence that it must

deploy in compliance with the principles that govern the processing of personal data and in the quality and effectiveness of the technical and organizational
measures that it must have implemented to guarantee respect for the fundamental right.

The National Court's ruling of 17/10/2007 (rec. 63/2006), in which,
with respect to entities whose activity involves the continuous processing of customer data,
indicates that "...the Supreme Court has understood that there is
imprudence whenever a legal duty of care is disregarded, that is, when the

offender does not behave with the required diligence. And in assessing the degree of
diligence, the professionalism or lack thereof of the subject must be especially considered, and
there is no doubt that, in the case now examined, when the activity of the appellant
is of constant and abundant handling of personal data, it is necessary to insist on
the rigor and the exquisite care to comply with the legal provisions in this regard."

The penalty to be imposed on the respondent must be graduated and set at the amount of €100,000

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/16

for the infringement of article 83.5 a) RGPD, classified as very serious for the purposes of
the prescription in article 72.1b) of the LOPDGDD.

Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency,

IT IS AGREED:

FIRST: TO INITIATE SANCTIONING PROCEDURE against CURENERGÍA
COMERCIALIZADOR DE ÚLTIMO RECURSO, S.A.U. with NIF A95554630, for the
alleged infringement of article 6.1) classified in article 83.5.a) of the aforementioned RGPD.

SECOND: APPOINT Mr. B.B.B. as instructor and Ms. C.C.C. as secretary,
indicating that either of them may be challenged, if applicable, in accordance with the

established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and its documentation, the documents obtained and generated by the General Subdirectorate of Data Inspection.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the
sanction that could be applied would be for the infringement of article 6.1 of the RGPD,
specified in article 83.5 a) of the RGPD, the sanction that would be applied would be a
fine for an amount of 100,000 euros (one hundred thousand euros) without prejudice to what results
from the investigation.

FIFTH: NOTIFY this agreement to CURENERGÍA COMERCIALIZADOR DE
ÚLTIMO RECURSO, S.A.U. with NIF A95554630, granting it a hearing period of
ten business days to formulate the allegations and present the evidence it
deems appropriate. In its written allegations, you must provide your NIF and the
procedure number that appears in the heading of this document.

If you do not make any objections to this initiation agreement within the stipulated period, it

may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, if the
sanction to be imposed is a fine, you may acknowledge your liability within the
period granted for the formulation of objections to this initiation agreement; which

will entail a 20% reduction for the sanction to be imposed
in this procedure, equivalent in this case to twenty thousand euros (€20,000).
With the application of this reduction, the amount of the sanction would be set at
eighty thousand euros (€80,000), and the procedure will be resolved with the imposition of this
sanction.

Likewise, at any time prior to the resolution of this procedure, the applicant may voluntarily pay the proposed fine, in accordance with the provisions of article 85.2 of the LPACAP, which will entail a reduction of 20% of the amount of the fine, equivalent in this case to twenty thousand euros (€20,000) for the alleged infringement. With the application of this reduction, the amount of the fine would be set at eighty thousand euros (€80,000) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.

The reduction for voluntary payment of the fine may be added to the reduction that must be applied for the acknowledgment of liability, provided that this acknowledgment of liability is made clear within the period granted for submitting objections to the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be set at sixty thousand euros (€60,000).

In any case, the effectiveness of either of the two reductions mentioned will be subject to the withdrawal or waiver of any action or appeal in administrative proceedings against the fine.

If you choose to make a voluntary payment of any of the amounts indicated above, 80,000 euros or 60,000 euros, you must make the payment
by depositing it in account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK,

S.A., indicating in the concept the reference number of the procedure that appears in
the heading of this document and the reason for the reduction of the amount to which you are applying.

You must also send proof of payment to the Subdirectorate General of Inspection
in order to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date
of the start agreement. After this period, it will expire and, consequently, the proceedings will be closed; in accordance with the provisions of
article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
there is no administrative appeal against this act.

Mar España Martí

Director of the Spanish Data Protection Agency

>>

SECOND: On September 18, 2024, the respondent party has proceeded to

pay the fine in the amount of 60,000 euros using the two
reductions provided for in the Initiation Agreement transcribed above, which implies the
recognition of liability.

THIRD: The payment made, within the period granted to formulate allegations at

the opening of the procedure, entails the waiver of any action or appeal through
administrative means against the fine and the recognition of liability in relation to
the facts referred to in the Initiation Agreement and its legal qualification.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/16

LEGAL BASIS

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and

the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures."

II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative

Procedure of Public Administrations (hereinafter, LPACAP), under the heading
"Termination of sanctioning procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is of a purely monetary nature or when it is possible to impose a
monetary sanction and another of a non-monetary nature but the
inappropriateness of the second has been justified, the voluntary payment by the presumed responsible party, at
any time prior to the resolution, will imply the termination of the procedure,

except in relation to the restoration of the altered situation or the determination of
compensation for the damages and losses caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the
body competent to resolve the procedure will apply reductions of at least
20% on the amount of the proposed sanction, these being cumulative with each other.

The aforementioned reductions must be determined in the notification of the initiation
of the procedure and their effectiveness will be conditional on the withdrawal or waiver of
any action or appeal in administrative proceedings against the sanction.

The percentage of reduction provided for in this section may be increased

by regulation.”

According to the above,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/16

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202307313, in
accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to CURENERGÍA
COMERCIALIZADOR DE ÚLTIMO RECURSO, S.A.U..

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal

before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the

day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

936-151024
Mar España Martí

Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es