AEPD (Spain) - PS/00232/2020: Difference between revisions

From GDPRhub
No edit summary
 

Latest revision as of 14:20, 13 December 2023

AEPD - PS/00232/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 6(1)(b) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 14.01.2021
Published: 21.01.2021
Fine: 50000 EUR
Parties: Alterna Operador Integral SL
National Case Number/Name: PS/00232/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) imposed a fine of €50,000 on Alterna Operador Integral SL (Flip Energy) for processing a data subject's personal data without a legal basis (Article 6(1) GDPR). Flip Energy had switched switched the data subject over from the energy provider Naturgy to Flip Energy without obtaining consent or a contract for doing so.

English Summary

Facts

The complainant filed an action against Alterna Operador Integral SL (Flip Energy).

The complainant complained that her energy provider was switched from Naturgy to Flip Energy without her consent. Invoices proved that this change had occured.

As such, the complainant's personal data were transferred to Flip Energy without having proof of consent from the concerned data subject, the complainant, or that there were other legitimate purposes for processing that personal data.

Flip Energy claims that the subcontracted company (Sycgestion Global Energy, S.L.) was responsible for contacting and promoting Flip Energy services to the data subject.

Dispute

Is it contrary to Article 6(1) of the GDPR for a customer to have their energy provider switch from one company to another without contracting with them or having gathered their consent prior to the switch?

Holding

The Spanish DPA (AEPD) held that Alterna Operador Integral SL (Flip Energy) infringed Article 6(1) of the GDPR as it processed the complainant's data without a legal basis. The data subject's personal data were incorporated into Flip Energy's information system without proving that it was necessary for a contract, that the data subject had consented to it, or that there was another legal basis making the processing lawful.

The DPA noted that the complainant had taken no action or caution with the subcontracted company (Sycgestion Global Energy, S.L.) responsible for contacting and promoting Flip Energy services to the data subject. However, the DPA held that inactivity by Alterna Operador Integral SL (Flip Energy) lead to failure to take action or precautions.

The DPA also held that the defendant failed to prove that the complainant had contracted for the supply of energy from Flip Energy (and as such contracted for the switch). The defendant did not provide any documents obtained from the complainant indicating a contractual relationship which effectively identified the complainant.

Therefore, the Spanish DPA imposed a fine of €50,000 on Alterna Operador Integral SL for infringing Article 6(1)(b) of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/9










     Procedure No.: PS / 00232/2020


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:


                                      ACTS

FIRST: Mrs. A.A.A. (hereinafter, the claimant) dated February 20, 2020
filed a claim with the Spanish Agency for Data Protection. The
The claim is directed against ALTERNA OPERADOR INTEGRAL, S.L. with NIF

B87075982 (FLIP ENERGÍA) (hereinafter, the claimed one).

       The claimant states that there has been a change of
electricity marketer without your consent. The previous company was
Naturgy, and now she is the one claimed.


       Provides Naturgy bills and Flip Energía letters and bills.

SECOND: In view of the facts presented in the claim and the
documentation provided by the claimant, the General Subdirectorate for Inspection of

Data proceeded to transfer it to the claimed entity and request information, of
in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights.

       In writing dated March 31, 2020, information is requested from FLIP
ENERGÍA, S.L., (trade name, ALTERNA) who responds on July 1,

this year stating the following:

       First, they state that the respondent does not make commercial calls
in order to promote their services, but that such work has been subcontracted with
different telemarketing companies


       They add that the claimant hired the services of the defendant through the
telemarketing company Sycgestion Global Energy, S.L., who used its own database
of data to contact her and promote, as responsible for the
treatment of the services of the claimed, and consequently, the responsibility of the

Contact with the claimed was from the aforementioned entity and not from the claimed.

       That the respondent terminated the contract for the provision of services with
Sycgestion Global Energy, S.L., as stated in the accompanying document.

       They point out that the respondent has carried out a series of actions such as the

selection of suppliers that guarantee compliance with the regulations of
data protection, the signing of data transfer and data access contracts with the
suppliers, where appropriate and training and awareness of the


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/9








workers in respect of the principles and obligations contained in the regulations
of data protection.


THIRD: On September 15, 2020, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure to the claimed, with
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of Article 6.1.b) of the RGPD, typified in the
Article 83.5 of the RGPD.


FOURTH: Once the aforementioned initiation agreement was notified, the respondent requested an extension of
term and subsequently submitted a brief of allegations in which, in summary,
stated what he considered appropriate in defense of his interests, pointing out that the
provider processed the data of his contacts in his own name and on behalf of

through their own business networks through phone calls
(telemarketing), acting as data controller and, when a
user was interested in hiring Alterna's services,
transferred the call to a telemarketer who, acting as manager of the
treatment of Alterna, carried out the verification and recording of the relative call
the characteristics of the contracted service and the consent given by the client.


       That Alterna's actions can only be concluded that it has been diligent and
in accordance with the personal data protection regulations, taking into account that in
in order to guarantee that the personal data flows between Alterna and SYC GESTION
they were properly regulated. That Alterna signed a mixed service contract

of services in which the transfer of personal data and the order of the
treatment, giving clear and precise work instructions to the Supplier both in the
Contract and its Annexes, which are attached to this document as Document No. 1.

       Therefore, they want to highlight the good faith that the Company has shown in each

moment.

       That Alterna made the necessary inquiries to clarify the facts
object of the incident and identified a series of irregularities carried out by
part of the Provider and that allows to conclude that SYC GESTION did not follow its
instructions.


       The provider as data controller guaranteed Alterna the
Lawful origin of the personal data object of the transfer. Specifically SYC
GESTION undertook to obtain the consent of the interested parties to carry out
carry out the transfer of data to the Company, for the purpose of the purpose outlined.


       In relation to the role of the Provider in charge of the treatment, of course
It could be otherwise, in the "Contract for the provision of telemarketing services" and
"Data Access Contract" signed between the parties, regulated the provision of
services with access to data of the Company Provider giving rigorous

compliance with the clauses, article 28 of the RGPD.

       The breaches of the Contract, committed by SYC GESTION, are listed.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/9








       It also states that the company acted with the utmost speed and
diligence, since at the time that the claimant's granddaughter, in
representation of the claimant, contacted Alterna, on the occasion of

express his will to terminate his contract, proceeded immediately to the
imminent cancellation of the debt with the claimant.

       Consequently, the claimant was registered in their systems as
client only for ten days as she was discharged on January 11, 2020.
In this regard, she was discharged from Alterna on January 21, 2020, having been

registered with another marketer by the claimant.

       It indicates that there was no type of penalty for the termination of the contract or
for the return of their receipts, the Company taking charge of the consumption that was
invoiced. A continuous and fluid communication flow was established with the

claimant, responding at all times to their requirements and once the
Personal data is no longer necessary for the purpose of the management of the
incident, proceeded to block the personal data of the claimant. In the same
The moment Alterna learned of an alleged incident, it contacted
SYC Gestión requesting information and documentation in this regard, through
different communication channels, without obtaining any response, which adopted the

timely measures in order to avoid that, in the future, other customers reveal
facts such as those reported by the claimant and terminated the contract with SYC
MANAGEMENT on June 26, 2020.

       He adds, the measures it has implemented to guarantee quality in the

management of the recruitment process.

       On the other hand, it considers that there was a valid pre-contractual relationship, all
Once there was a contest of wills and taking a series of measures
pre-contractual, in accordance with article 6.1b) RGPD or pursuant to article 6.1 a)

RGPD.

       It also states that the breach would be attributable to SYC GESTON, which
the supplier repeatedly violated the instructions provided by Alterna,
treating the data for which the Company was responsible for the treatment, and must
in this case, SYC Gestión acquires the status of data controller.


       Finally, it points out that in the event that the files are not filed,
actions in the present procedure, the qualified
decrease of guilt and unlawfulness in the conduct of Alterna, who acted with
the greatest possible diligence, and that, consequently, the

Article 83 RGPD and 76 LOPDGDD.

FIFTH: On October 16, 2020, the instructor of the procedure agreed to the
opening of a period of practical tests, taking as incorporated the
preliminary investigation actions, E / 03187/2020, as well as the documents
provided by the claimed.


SIXTH: On November 19, 2020, a resolution proposal was formulated,
proposing that the Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/9








punish the complained party for an infraction of article 6.1 of the RGPD, typified in the
Article 83. 5) of the RGPD, with a fine of 50,000 euros.


SEVENTH: Once the resolution proposal was notified, the claimed party submitted a written
of allegations being ratified in those made to the Initiation Agreement, that is to say:
but to conclude that the performance of my client in this case has been diligent and
according to the personal data protection regulations and this part wants to highlight
both the quick action and the good faith that ALTERNA has shown in each
moment, fulfilling the duty of diligence required, without prejudice, to the

corresponding responsibilities that, where appropriate, may correspond to the
Provider. SYC GESTION's performance was carried out not only in breach
flagrantly the contract signed with the Company, but rather, this party considers
proven the contractual bad faith of the aforementioned telemarketing entity, as well as a
malicious and potentially fraudulent attitude, which is why this party has

filed the pertinent complaint against the Provider.

In addition, the repeated non-observance of ALTERNA's instructions, as
data controller, necessarily convert SYC GESTION into
responsible for the treatment. My client was the victim of a hoax and understood that
there was a contractual relationship with the complainant. However, the error was corrected

with absolute speed, proceeding with total diligence: the data of the complainant is
remained active in the systems for only ten (10) days, proceeding my
represented, as soon as it became aware of the claimant's intention to
change marketer, to cancel its debt and, subsequently to the blocking of its
personal information. The Company has acted with the highest level of due diligence, of

compliance with its internal procedures, substituting the services of the Provider
by those of other partners who, like the Supplier, guarantee the strict
compliance with data protection regulations and that are more rigorous in their
committed SYC MANAGEMENT. In this sense, my client is immersed in a
process audit in order to carry out robust audits of your

suppliers and collaborators. In any case, it should be understood that there is no
of ALTERNA a subjective element of guilt for which it would be appropriate
decree the file of this sanctioning procedure. Personal information
affected, correspond mainly to contact and character data
identification, without including in any case, data from special categories of data or
criminal offenses. It is obvious and common sense that the activity of the

Company (like any other company) is linked to the treatment of
Personal data. However, the foregoing, ALTERNA's activity is not
linked to the infringing treatment of personal data, if not to the supply
energetic. The actions of the Company have in no case been intentional, or
malicious, nor has it received any kind of benefit. Also, he had no intention

any of violating data protection regulations, or causing damage or harm to
the complainant. That the present brief of
allegations, serve to admit it, and previous the appropriate procedures agree the file
of the referenced file, leaving without effect the procedure initiated against this
trade".


In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts,


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/9








                                       ACTS

FIRST: A change of electricity marketer has been carried out without the

consent of the claimant. The previous company was Naturgy, and now it is the
claimed.

SECOND: The invoices provided by the claimant include the change of
trading company.


THIRD: The personal data of the claimant were incorporated into the systems
information of the company, without having proven that he had contracted
legitimately, have your consent for the collection and treatment
later of your personal data, or there is any other cause that makes the
treatment carried out.



                               FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
The Spanish Agency for Data Protection is competent to resolve this
process.
                                            II


       The complained party is charged with the commission of an infraction for violation
of Article 6 of the RGPD, "Legality of the treatment", which indicates in its section 1 the
cases in which the processing of third party data is considered lawful:


       "1. The treatment will only be lawful if at least one of the following is met
terms:
      a) the interested party gave their consent for the processing of their data

      personal for one or more specific purposes;
      b) the treatment is necessary for the performance of a contract in which the
      interested is part or for the application at the request of this of measures

      pre-contractual;
      (…) "


       The offense is typified in Article 83.5 of the RGPD, which considers as such:

      "5. Violations of the following provisions will be sanctioned, in accordance

with paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


      a) The basic principles for the treatment, including the conditions for the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/9








      consent in accordance with articles 5,6,7 and 9. "


       Organic Law 3/2018, on the Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions
considered very serious ”provides:


      "1. In accordance with the provisions of article 83.5 of the Regulation (E.U.)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:

        (…)

       b) The processing of personal data without the concurrence of any of the
       conditions of legality of the treatment established in article 6 of the
       Regulation (EU) 2016/679. "

                                            III


      The documentation in the file shows that the claimed,
violated article 6.1 of the RGPD, every time he processed the data
claims of the claimant without having any standing to do so. The data
Claimant's personal data were incorporated into the information systems of the

company, without having proven that it had legitimately hired, provided
of your consent for the collection and subsequent processing of your data
personal, or there is any other cause that makes the treatment lawful.

      The personal data of the claimant were recorded in the files of the
claimed and were processed for the issuance of invoices for services associated with the

claimant. Consequently, it has carried out a processing of personal data without
that it has proven that it has the legal authorization for it.

      It should be noted that the claimant did not adopt any kind of measure or
Caution with the outsourced company that you entrusted to carry out

hiring, and in this case the inactivity of the claimed was proven, in the
failure to adopt measures or precautions.

       Article 6.1 RGPD says that the treatment “will be lawful if it is necessary for the
execution of a contract in which the interested party is a party ”.


       It was therefore essential that the respondent accredited to this Agency that
the claimant had contracted with her the electricity supply; that at the time of the
contracting had deployed (through its treatment manager) the diligence
that the circumstances of the case required to ensure that the person who facilitated
as his bank details and other personal data was effectively his

headline.

       The respondent has not provided any document collected from the client at the time
of the contracting that allows its identification.


                                            IV
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/9









      In determining the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:


      "Each supervisory authority will guarantee that the imposition of fines
administrative under this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "


      "Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
        a) the nature, severity and duration of the offense, taking into account the

        nature, scope or purpose of the processing operation in question
        as well as the number of affected stakeholders and the level of damage and
        damages they have suffered;
        b) intentionality or negligence in the infringement;
        c) any measure taken by the controller or processor
        to mitigate the damages suffered by the interested parties;

        d) the degree of responsibility of the person in charge of the
        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;
        e) any previous infringement committed by the person in charge or the person in charge of
        treatment;

         f) the degree of cooperation with the supervisory authority in order to
        remedy the violation and mitigate the possible adverse effects of the violation;
        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority learned of the infringement,
        in particular if the person in charge or the person in charge notified the infraction and, in such

        case, to what extent;
        i) when the measures indicated in Article 58 (2) have been
        previously ordered against the person in charge or the person in charge
        in relation to the same matter, compliance with said measures;
        j) adherence to codes of conduct under Article 40 or to mechanisms
        certification approved in accordance with Article 42, and

        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct
        or indirectly, through the infringement. "

      Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:

      "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679

The following may also be taken into account:
        a) The continuing nature of the offense.
        b) The linking of the offender's activity with the performance of treatments

        of personal data.
        c) The benefits obtained as a result of the commission of the offense.
        d) The possibility that the affected person's conduct could have led to the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/9








        commission of the offense.
        e) The existence of a merger process by absorption after the commission
        of the infringement, which cannot be attributed to the absorbing entity.

        f) Affecting the rights of minors.
        g) To have, when not mandatory, a delegate for the protection of
        data.
        h) The submission by the person in charge or in charge, with character
        voluntary, to alternative dispute resolution mechanisms, in those
        cases in which there are controversies between those and any

        interested."

                                            V

       In accordance with the provisions of the RGPD in its art. 83.2, when deciding to impose

an administrative fine and its amount in each individual case will take into account the
aggravating and mitigating factors that are listed in the indicated article, as well as
any other that may be applicable to the circumstances of the case.

       Consequently, the following have been taken into account as aggravating factors:

- The intent or negligence of the offense (art. 83.2 b).


      - Basic identifiers present are affected (name,
          address, bank account number, cups) (art. 83.2 g)

      - The obvious link between the business activity of the claimed and the
          treatment of personal data of clients or third parties (art. 83.2 k of the
          RGPD in relation to art. 76.2 b of the LOPDGDD)


Therefore, in accordance with the applicable legislation and the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the

Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE ALTERNA OPERADOR INTEGRAL, S.L., with NIF
B87075982, for an infraction of Article 6.1.b) of the RGPD, typified in Article
83.5 of the RGPD, a fine of 50,000 euros (fifty thousand euros).


SECOND: NOTIFY this resolution to ALTERNATE OPERADOR INTEGRAL,
S.L.

THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the

art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number

of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the bank CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/9









Notification received and once executive, if the execution date is found

Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through

of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal

contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.

Mar Spain Martí
Director of the Spanish Agency for Data Protection

















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es