AEPD (Spain) - EXP202102778

From GDPRhub
 

Latest revision as of 13:26, 13 December 2023

AEPD - AEPD PS-00508-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started: 04.11.2021
Decided:
Published: 10.01.2023
Fine: 24,000 EUR
Parties: FACTOR ENERGIA, S.A.
National Case Number/Name: AEPD PS-00508-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Teresa López

The Spanish DPA fined a controller €24,000 for lack of a valid legal basis when processing a data subject's personal data for direct postal marketing. The controller did not carry out a sufficient legitimate interest assessment.

English Summary

Facts

The data subject received an advertising message by post from Factor Energía, S.A. (the controller), in which they were addressed by their full name, and were given a personalised recommendation based on the characteristics of their energy supply point and consumption habits.

Since the controller was not the data subject's energy provider, the data subject contacted the company to request information on the processing of their data. After the period given by Article 12(3) GDPR had elapsed, the controller informed the data subject that their data was obtained from the database that electricity and natural gas distribution companies make available to marketing companies, for the purposes of being able to make offers on the market (SIPS or Supply Point Information System, in English).

The data subject contacted the entity that manages the Supply Point Information System, the Spanish National Markets and Competition Commission. This entity assured the data subject that the current legislation prohibited marketers from accessing any information that directly identifies the holder of the supply point.

The data subject filed a complaint with the Spanish DPA, which started an investigation. After enquiries from the Spanish DPA, the controller stated that the reply given to the data subject had been delayed due to a computer virus attack which had encrypted their systems. The controller was also unable to specify the sources of the data as a result of the computer virus. Moreover, the controller indicated that the first answer given to the data subject was provided by a trainee, since the request had been received during the holiday period. Later, the controller also claimed that the name, surname and postal address of the data subject were obtained from publicly accessible sources. On the other hand, data relating to the technical conditions of the supply point were lawfully obtained from the SIPS. Moreover, the controller added that the consumption data provided to the data subject were estimates that did not reflect their real consumption habits, but an aggregated value based on their postal code.

According to the information provided to the DPA, the controller based the processing of the data on its legitimate interest (customer acquisition and an increase of its visibility in the market). The controller also shared its legitimate interest assessment, in which it argued that the data subject's rights did not prevail due to the low impact of the means used (postal mail) and the little or no effect on their legal sphere.

Holding

The Spanish DPA held that the controller had violated Article 6(1) GDPR since the legitimate interest assessment on which the processing was based (Article 6(1)(f) GDPR) was considered insufficient. Contrary to the controller's position, the DPA held that the rights of the data subject prevailed over the controller's interests on several grounds.

First, the DPA noted that the alleged additional safeguards were not an additional layer of protection provided by the controller, but simply protections already mandatory under data protection law.

Second, the DPA rejected the controller's argument that postal marketing was less invasive than cold calling. The DPA pointed out that with cold calling, the data subject may believe that the caller does not have their identification data, whereas receiving a postal communication that identifies them gives the data subject the certainty that the sender of the communication has such information. Furthermore, the data subject is left uncertain as to what the source of their data may have been, which leads to doubt about their control over their personal data.

Third, the DPA found that postal marketing being a habitual practice in the industry was an insufficient basis to establish a reasonable expectation on the part of the data subject. The DPA recalled its own report 2018/0173, which analysed the legitimacy of direct marketing actions in both electronic and non-electronic media. This report concluded that, even if the data subject has previously been a customer, the criterion for the sending of commercial communications is restricted to the products contracted. Therefore, this is also the case with potential customers.

Fourth, the DPA rejected the controller's argument that the nature of the data processed (contact details) was an indicator of the prevalence of the company's legitimate interest. In this regard, the DPA quoted ART29WP's 06/2014 Opinion: "In general, the more sensitive the information involved, the more consequences there may be for the data subject. This, however, does not mean that data that may in and of themselves seem innocuous, can be freely processed based on Article 7(f) [now Article 6(1)(f) GDPR]. Indeed, even such data, depending on the way they are processed, can have significant impact on individuals (...)".

Fifth, the controller argued that there was no alternative method that would allow it to achieve the legitimate interest. The DPA disagreed, stating that the post could have been sent without including the personal data.

Finally, the DPA noted the existence of a situation of imbalance between the data subject (consumer) and the controller (electricity supply company).

For these reasons, the DPA held that the infringement in question was serious for the purposes of the GDPR and that the sanction to be imposed should be graduated taking into account two aggravating factors: negligence (Article 83(2)(b) GDPR), since the controller could not identify the publicly accessible source of the personal data, and the link between the controller's activity and the processing of personal data (Article 76(1)(b) of the Spanish Data Protection Law). The DPA initially contemplated a €40,000 fine, but offered two grounds for reduction: the possibility of voluntary payment of the fine and the acknowledgment of guilt. The controller invoked both and finally paid €24,000.

Comment

The Spanish DPA did not reflect on other grounds of infringement found in this case, such as the lack of a reply within the due period, the data breach, etc. which could have potentially led to fines in their own right.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202102778


       RESOLUTION OF TERMINATION OF THE PROCEDURE DUE TO VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

                                  BACKGROUND

FIRST: On October 31, 2022, the Director of the Spanish Agency for
Data Protection agreed to start a sanctioning procedure against FACTOR ENERGÍA,

S.A. (hereinafter, the claimed party), through the transcribed Agreement:

<<

File No.: EXP202102778



            AGREEMENT TO START THE SANCTION PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and based on the following

                                      FACTS

FIRST: A.A.A. (hereinafter, the claiming party) filed a claim with the Spanish Data Protection Agency on August 16, 2021. The claim is directed against FACTOR ENERGÍA, S.A. with NIF A61893871 (hereinafter, FACTOR ENERGIA). The reasons on which the claim is based are the following:

- The claimant has received an advertising message by post from FACTOR ENERGIA, in which they address him by his first and last name and make him a personalized recommendation based on the characteristics of his supply point and his consumption habits.
- Considering that the advertising company is illegally processing his data, since he has no relationship with it, the affected person contacted it to request information, and its Data Protection Officer answered that the data comes from the Supply Point Information System (SIPS). This, as they explained, is the database that the electricity and natural gas distribution companies make available to the trading companies, for the purpose of being able to make offers in the market.
- As he has been able to find out from the Internet, the complaining party explains that the SIPS system is regulated by Royal Decree 1435/2002 and that the exchange of information that takes place in its context is managed by the National Markets and Competition Commission (CNMC). This body has assured the data subject in writing that it does not have data on electricity users available since, on the 27th of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/28








November 2015, Royal Decree 1074/2015 was approved, which modified different provisions in the electricity sector. Said decree incorporated the prohibition on the trading companies and the CNMC accessing any information that directly identifies the owner of the supply point.
- The complaining party continues to believe that his personal data is being processed illegally. Either the company is getting them from another source, or it is extracting them from the SIPS; but if so, not even his distribution company should provide these data, nor the CNMC consult them, nor should the other distribution companies be able to access them for any processing, much less for commercial actions.

Along with the notification, the following is provided:
- Front of a commercial communication sent by FACTOR ENERGIA, with its translation into Spanish, in which there are red boxes that would correspond to anonymized data.
- Email sent from the address DPO@factorenergia.com that includes a spreadsheet with anonymized data.
- Email that the claimant sent to the National Markets and Competition Commission, and the response from its Data Protection Officer, from the address dpd@cnmc.es


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was forwarded to FACTOR ENERGIA, so that it could proceed with its analysis and inform this Agency, within a month, of the actions carried out to adapt to the requirements established in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 10/04/2021, as stated in the acknowledgment of receipt in the file.

On 10/05/2021, this Agency received a written response indicating that the notification with the transfer of the claim and the request for information had been received, but that a copy of the claim submitted and its attached documents (if applicable) was not attached, only an extract of the relevant information from it. The undersigned therefore asserts the right to have access to and obtain a complete copy of said claim, with the aim of being able to answer the information request in the most detailed, complete and truthful way possible, verifying the identity and correct identification of the claimant, as well as the facts described in the request for information and in the claim submitted.


 THIRD: On November 4, 2021, in accordance with article 65 of
the LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, the following points having been established:

Relevant documentation provided by the claimant:
    - Copy of the front of a commercial communication with the letterhead of FACTOR ENERGIA. Written in Catalan, it is anonymized (it does not contain the recipient's data or any reference to the date). The complaining party provides a translation and a reference to the inclusion of the following categories of data: name, surname, address of the recipient, address of the supply point. The communication recommends a type of self-consumption electrical installation (solar panels) based on "a study of your data and electricity consumption habits".
    - Transcription of part of the response to the exercise of the right of access addressed by FACTOR ENERGIA to the claimant, dated August 2, 2021. Regarding the origin of the data processed, it states:

“[…] your personal data, and specifically those related to the technical conditions of your supply point, such as the CUPS (supply point identification number), access fee, power, etc. (detailed in the attached Excel) have been obtained lawfully through the Supply Point Information System (SIPS), which is the database that electricity and natural gas distribution companies make available to marketing companies, for the purpose of being able to make offers in the market.

Regarding the consumption habits to which we refer in the commercial communication, as we indicated at the bottom of it in point 2, these are estimated and standardized data, not specifically customized according to the specific characteristics of your home or your specific consumption habits.”

    - Transcription of the data provided to the claimant by FACTOR ENERGIA in response to the right of access. It is not the original spreadsheet, but rather the list of categories of data that would have been provided. It includes the categories name, surname, and address of the supply point, in addition to technical data (tariff, power, etc.).
    - Email response from the DPD of the CNMC to the claimant dated August 16, 2021 containing the following paragraphs:

"In strict compliance with the applicable regulations that you point out, the CNMC does not have data on electricity users since, on November 27, 2015, Royal Decree 1074/2015 was approved, which modifies different provisions in the electricity sector. Said RD incorporated the prohibition on the trading companies and the CNMC accessing any information that directly identifies the owner of the supply point. Therefore, and on the assumption that data of this type were being exchanged between companies in the sector, these data do not come in any case from the CNMC.

The CNMC only has the data of end users of gas (DB of supply points), and the marketers do obtain them legally through our body, but the use they make of them is, logically, their exclusive responsibility. However, users may object to their data being made available to other gas trading companies by expressly indicating this to the company that supplies them.”

The antecedents that appear in the information systems are the following:


FACTOR ENERGIA submitted two briefs (of October 5, 2021 and of November 2021) in which it states:

    - That in July 2021 Mrs. B.B.B. exercised the right of access from the email address of the complaining party.

    - That said request could not be handled normally since on June 24, 2021, the computer systems of FACTOR ENERGIA were affected by a virus that caused a great impact by encrypting the company's systems and data.

    - That on August 2, 2021, a response to the right exercised was sent, although it states that "the person who was in charge of responding to the applicant was a trainee, since the date coincided with the vacation period of the company's personnel, and that such a response suffers from a certain lack of accuracy and/or specificity”.

    - That the personal data relating to name, surname, and postal address were obtained from publicly available sources. It adds that it cannot specify the public access source as a result of the impact of the computer virus.

    - That the data relating to the technical conditions of the supply point. It adds that it can download the SIPS "from the distribution companies and the CNMC periodically in its capacity as a marketer and that it does not include the personal data of the applicant relating to the name and surnames or their postal address”.

    - That it is still (as of the date of writing, November 3, 2021) immersed in the file recovery process.

In addition, it attached the following relevant documentation:

    - Emails exchanged on June 30, 2021 between the IT manager at FACTOR ENERGIA and INCIBE which refer to the ransomware attack suffered by the entity.

    - Document signed by B.B.B. exercising the right of access against FACTOR ENERGIA on July 2, 2021 from the email address of the complaining party.

    - Email sent on August 2, 2021 by FACTOR ENERGIA to B.B.B. (to the email address of the complaining party) in response to the exercise of the right of access referred to in the previous point. It provides a copy of the original in Catalan and a translation into Spanish. It includes the following paragraphs:


       “On the other hand, we want to clarify that in no case have we carried out a precise and exact study with your specific data and consumption habits; rather, as indicated at the bottom of the aforementioned communication (point 2), your data is estimated and standardized, not personalized or calculated according to the specific characteristics of your home or your consumption habits, with the understanding that our intention was to highlight the advantages offered by photovoltaic self-consumption.

       […] Specifically, in relation to the art. 5.1 a) referred to, in our communication we indicated that your data has been processed lawfully, fairly and transparently at all times, since they were collected from sources to which we have access as a marketer and from sources accessible to the public, complying with the requirements of the General Data Protection Regulation (GDPR) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

       [...] Specifically, on our website, the following purpose is indicated among the purposes of the processing of personal data with regard to "Non-customers": "Inform about services, promotions and products related to our activity".

       […] Your personal data, and specifically those related to the technical conditions of your supply point, such as the CUPS (supply point identification number), access fee, power, etc. (detailed in the attached Excel) have been legally obtained through the Supply Point Information System (SIPS), which is the database that electricity and natural gas distribution companies make available to marketing companies, for the purpose of being able to make offers in the market.

       Regarding the consumption habits to which we refer in the commercial communication, as we indicate at the bottom of it in point 2, these are estimated and standardized data, not specially personalized according to the specific characteristics of your home or your specific consumption habits.

       […] If possible, the expected period of conservation of personal data, or, if not possible, the criteria used to determine this period: as long as you do not exercise any of your rights”

       This letter also refers to the internet address www.factorenergia.com to consult the privacy policy.

INVESTIGATED ENTITIES
During these proceedings, the following entities have been investigated:

    - FACTOR ENERGIA, S.A. with NIF A61893871 with address at ***ADDRESS.1 (BARCELONA)

RESULT OF INVESTIGATION ACTIONS

In addition to the documentation mentioned above, information is collected from the following sources:

    - Letter from FACTOR ENERGIA dated June 28, 2022, hereinafter Brief #1.

    - Letter from FACTOR ENERGIA dated July 19, 2022, hereinafter Brief #2.

    - Proceedings with relevant information for these proceedings (Diligence References).

About sending postal advertising to people who are not FACTOR ENERGIA customers

FACTOR ENERGIA states (Brief #2) that sending postal communications to non-customers is not a frequent practice of the company, but is carried out "occasionally and addressed to a small number of recipients”. It further states that "most of the time the data is obtained from the interested parties themselves. In a more residual manner, and to a lesser extent, commercial communications have been sent by post to non-customers whose data was obtained from publicly accessible sources without restrictions”.

FACTOR ENERGIA (Brief #2) specifies the conditions that must be met to use the data for marketing purposes:

    - "(1) that the recipient has not previously exercised the right of opposition".

    - "(2) that the sources to be consulted are updated." Regarding this point, FACTOR ENERGIA clarifies that these public access sources correspond to "repertoires or telephone directories whose consultation can be carried out by any person and without restrictions, not prevented by a limiting norm”. On July 22, 2022, a letter was sent to FACTOR ENERGIA requesting that it specify the public access sources it uses. As of the date of signing this report, no response has been received in this regard.

    - "(3) that the Robinson List advertising exclusion list has been consulted (to which we are subscribed) and verify that the interested party to whom advertising will be sent does not appear in it ”. Regarding this, FACTOR ENERGIA points out that it consults the advertising exclusion system prior to sending and attaches

        (document 1 of Brief #2) a copy of the invoices for the subscription to Adigital's Robinson List service for 2021 and 2022.

    - "(4) comply with the duty of information to the affected party in accordance with the GDPR and the LOPDGDD”. The information included in commercial communications is detailed later in this report; in relation to the origin of the personal data, it states that "they come from sources obtained lawfully and/or sources of public access available without restrictions”.

In relation to the volume of recipients of the advertising campaign, FACTOR ENERGIA states (Brief #2) the following:

"In relation to the above, it should be noted that in the month of June 2021 an advertising campaign was carried out by post to publicize the advantages of incorporating self-consumption in the electricity supply. Within the target group there was a segment of the campaign aimed at customers (electricity supply customers, with one communication model) and another target group aimed at non-customers […]:

June 2021: self-consumption advertising campaign to obtain savings on the cost of electricity.

No. of recipients: 42,670 recipients (total)

In relation to the foregoing, it should be noted that the territorial scope of said campaign was the autonomous community of Catalonia (not the entire national territory).”


Information recorded in the Record of Processing Activities (RAT):

FACTOR ENERGIA attaches (document 1 attached to Brief #1) the information included in the Record of Processing Activities (RAT) on the "Non-customer management activity”. The record includes the following information:

    - Categories of personal data: name and surname, DNI/NIF, address/mail, phone, CUPS. It includes the following annotation: "Includes all possible categories of data that it may contain depending on the source or contact lead."

    - Purpose: attracting new customers / managing and responding to requests for information, requests or commercial offers, quotes, etc. / informing about and sending offers on services, promotions and products related to our activity.

    - Legal basis: consent of the interested party / legitimate interest, provided that such interests are not overridden by the interests or the rights and freedoms of the interested party that require the protection of personal data.

Legitimate interest as the legal basis for processing:

In relation to the use of legitimate interest as a legal basis for processing the personal data of people who are not customers in order to send them advertising by post, FACTOR ENERGIA provides (document 3 attached to Brief #1) a balancing of interests report dated February 12, 2021.

It includes the following paragraphs:

“2.1. Evaluation of the benefit obtained by Factor Energía

On the part of Factor Energía, the processing of the personal data of the interested parties (potential customers/non-customers) for the direct marketing purpose previously indicated aims to reach those non-customer interested parties by postal mail so that they learn about the services offered by Factor Energía, making them interested in hiring Factor Energía as their new electricity retailer.

In this sense, the benefits obtained by Factor Energía from the processing of said personal data consist of obtaining:

    - An increase in the contracting of its services;

    - Greater customer acquisition;

    - An increase in visibility in the competitive market of electricity marketers.

2.2. Evaluation of the interest or rights and freedoms of the interested party

[…] The direct marketing action by postal mail that is intended to be carried out will be based on personal data obtained in accordance with the applicable data protection regulations (identification data and contact data) and on standardized and anonymized data of a technical nature.

In order to configure the different commercial offers, unprotected public data obtained from the Cadastre will be used, as well as statistical and non-personal information of a technical nature obtained through the Supply Point Information System (SIPS) using the postal code of residence. In this way, generic information will be obtained to make a standardized estimate of the voltage, rates and contracted power in certain geographical areas, which will make it possible to carry out advertising communications sent by postal mail, since it is considered logical and appropriate that the advertising of an electricity supplier include information on possible savings in electricity consumption.

The personal data of the interested parties processed for the purpose of direct marketing refer only to the data necessary to send them the communication by postal mail (identification data and contact data).

The processing will in no case have legal or similar effects on the interested parties, since the purpose of direct marketing by postal mail does not affect access to services or the execution of a contract.

Factor Energía considers that the sending of advertising communications by postal mail has a minimal impact on the interested parties, who will be reached exclusively through one contact channel: postal mail. Said channel should be considered a less aggressive and invasive method than other channels commonly used to send advertising, such as commercial calls and/or sending emails. Likewise, this type of campaign is envisaged as a specific action, which may be reinforced by carrying out other similar subsequent campaigns (after at least a period of six (6) months has elapsed from the sending of the communications of the previous campaign).

This balancing also takes into account the reasonable expectation of the interested parties regarding the processing of their personal data for this purpose. In this sense, we must bear in mind that it is common practice in the market to send advertising by postal mail to potential customers, but also, in view of market practices, the interested parties are perfectly aware of the possibility that such communications may appear in their mailbox and that, in addition, they can be beneficial or provide added value to the interested parties in their role as consumers in the Spanish electricity market, since such communications may be of interest to them or be adjusted to their specific needs, resulting in an improvement of their economic situation by discovering an electricity marketer that better fits their needs.

Taking into account all of the aforementioned, Factor Energía does not find in its assessment any alternative method that allows us to communicate our interest in offering our services and that likewise allows us to comply with our legal obligations (inform about the processing of the personal data of the interested parties) and with the least impact on the interested parties.

For all these reasons, it is considered that the impact that the processing has or may have on the interests, fundamental rights and freedoms of the interested parties is LOW, and would not result in adverse and negative consequences for them.

2.3. Guarantees applied to the processing

Factor Energía has implemented the technical and organizational measures to carry out the processing maintaining the security standards of the Company.

Among the guarantees applied directly to the processing are the following:

    - Factor Energía has implemented the technical and organizational security measures necessary to guarantee the integrity, availability and confidentiality of the information, having also designated a Delegate


       of Data Protection, in compliance with the provisions of article 37
       of the GDPR.


     Communications by postal mail are sent only to interested parties who
       have not exercised their right of opposition and that do not appear on lists of
       advertising exclusion (Robinson List). Those interested who are in

       advertising exclusion lists and/or have exercised their right of opposition before
       Factor Energía, will not be recipients of advertising campaigns of any
       type.


     The commercial communications received by the interested parties allow them to exercise
       their rights to oppose the sending of advertising in such a way that
       simply and free of charge, interested parties can inform Factor Energía that they are not

       they wish to receive publicity from it.

     These campaigns are foreseen as a specific action, which may be reinforced
       with the realization of other similar campaigns later, having

       At least a period of six (6) months has elapsed from the sending of the
       communications from the previous campaign.

     Factor Energía reinforces the channels to guarantee adequate exercise by

       those interested in the rights established in the regulations for the protection of
       data, establishing both the postal and electronic channels, without prejudice to

       that, in accordance with the provisions of the data protection regulations, the
       The interested party may exercise their rights through the channel they deem
       convenient.


     All communications contain information about the treatment of your
       personal data in accordance with the requirements of articles 13 or 14 of the GDPR.

3. Result


Based on all of the above, it is determined that Factor Energía can carry out the treatment consisting of the sending by postal mail of advertising communications to potential customers (direct marketing).

It is a treatment that will have a positive impact on Factor Energía and that, in turn, has a low impact on the rights and freedoms of the interested parties.”

The use of SIPS data:

Regarding the use of SIPS data, FACTOR ENERGIA provides (document 5 attached to Letter #1) a copy of the code of conduct on the processing of the data included in the SIPS, dated April 24, 2019, from which the following paragraphs are extracted:



"Specifically, this RD 1435/2002 contemplates the possibility that all electric power marketers may access and consult the information available in the Supply Point Information System (SIPS) managed by the distributors, as reading managers, and specifically certain data contained therein. Therefore, and as can be deduced from the preamble to the aforementioned RD 1435/2002, the SIPS was configured as a tool to encourage greater competition in the retail electricity market.

Subsequently, Royal Decree 1074/2015, of November 27, which modifies different provisions in the electricity sector, introduced some changes in the regulation of the electricity SIPS database, partially modifying art. 7 of Royal Decree 1435/2002, and specifically eliminating the possibility of marketers accessing certain data from the distributors' SIPS database and establishing the obligation of marketers to sign a code of conduct and guarantee the confidentiality of the information contained in said database.

Regarding the regulation of natural gas, Royal Decree 1434/2002, of December 27, which regulates the activities of transportation, distribution, marketing, supply and authorization procedures for natural gas installations (RD 1434/2002), established in its art. 43 a similar regulation, although with some differences, RD 1434/2002 not being affected by the modifications of RD 1074/2015.

[…] The Company assumes the firm commitment to comply with the following obligations:

[…] - Process the SIPS Data only for the purposes of the marketing activity (electricity and gas, respectively), both in relation to potential customers/non-customers and customer management, regardless of their access fee and the specific regime applicable in each case (including those covered by self-consumption in the case of electricity), not using them for a purpose other than the one that justifies their transfer to the Company in its capacity as marketer by the corresponding distribution company or CNMC.”

Article 7 of Royal Decree 1435/2002, which regulates the content of the SIPS in the electricity sector, specifies the following:

"1. The distribution companies must have a database referring to all the supply points connected to their networks and to the transport networks of their area, permanently complete and up-to-date, containing at least the following data:

a) Universal Supply Point Code, that is, the complete “CUPS”.












[…] c) Location of the supply point, which includes the full address (type of road, street name, number, floor and door). This information should refer at all times to the supply point and not to the location, population and province of the owner of said supply point that is required in letter aa) of this same article.

d) Town of the supply point, which includes the name of the town and the postal code. This information must refer at all times to the supply point and not to the location, population and province of the owner of said supply point.

e) Name of the province of the supply point. This information should refer at all times to the supply point and not to the location, population and province of the owner of said supply point.

[...] z) Name and surnames, or where applicable company name and corporate form, of the owner of the supply point.

[…] aa) Full address of the owner of the supply point. This information should refer at all times to the owner of the supply point and not to the location, population and province of said supply point that is required in letter c) of this same article.

[…] ac) Trading company that currently supplies

[…] In any case, neither the marketing companies nor the National Markets and Competition Commission may access any information that directly identifies the owner of the supply point, and in particular, the data collected in sections c), z) and aa) of section 1.

Additionally, trading companies will not be able to access the information of section ac), which is accessible to the National Markets and Competition Commission in the exercise of its functions.”

In relation to the use of electrical SIPS data in order to carry out commercial communications to non-customers, FACTOR ENERGIA states that it uses them to "obtain estimated and standardized data on the consumption habits of the population according to household characteristics”. It clarifies that "they do not refer to personalized data or data linked to the personal data of the people to whom the commercial or advertising communication was addressed”. Thus, it provides (document 8 attached to Brief #1) a description of the estimation process that is carried out to adapt, together with the "installers", the self-consumption offer (solar panel infrastructure, etc.). For this, according to this document, it uses:


    - The unprotected public data of the cadastre (cartography and descriptive and graphic cadastral consultation: surface area, cadastral reference, address, soil class, year of construction). Examples of the publicly available information have been obtained from the electronic headquarters of the cadastre.

    - Non-individualized (anonymized) information from the SIPS database of the distribution company, which allows, through aggregation by postal code, the assignment of an average installed power, average contracted power and estimated average annual consumption to the supplies of a given area, according to type of supply.

Article 43 of Royal Decree 1434/2002, which regulates the content of the "System of exchange of information for the management of the change of supplier" in the gas sector, specifies the following:

"2. The distribution companies must have, as support for the information exchange system, a database referring to all supply points connected to their networks and to the transport networks in their area, permanently complete and updated, containing at least the following data related to the supply point:

1st Supply point identification code, that is, the complete “CUPS”.

[…] 3rd Location of the supply point: address, population and province, which includes the complete address (type of road, name of the road, number, floor and door), name of the population, postal code and name of the province. This information should refer at all times to the supply point and not to the location, population and province of the owner of said supply point that is required in ordinal 16 of this same section.

[…] 14. Data relating to the owner of the supply point: natural person or legal person.

15. Name and surname, or, where appropriate, company name and corporate form, of the owner of the supply point.

16. Full address of the owner of the supply point. This information should refer at all times to the owner of the supply point and not to the location, population and province of said supply point that is required in ordinal 3 of this same section.

5. Traders registered in the corresponding section of the Administrative Registry of Distributors, Marketers and Direct Consumers in the Market, as well as the Supplier Changes Office, in accordance with the regulations governing its operation, will be able to freely access the databases of supply points of each distribution company”

Thus, according to the CNMC website (see Diligence References):


"However, it must be clarified that the CNMC's electrical SIPS does not have information that identifies the owner of a supply point. This information was eliminated by Royal Decree 1074/2015, of November 27, which modifies different provisions in the electricity sector. In the second article of the aforementioned Royal Decree, a modification of article 7.2 of Royal Decree 1435/2002 was approved, including that: «In any case, neither the marketing companies nor the National Markets and Competition Commission will be able to access any information that directly identifies the owner of the supply point […]».

[…] In the field of natural gas, the SIPS accessed contains the identification of the owner of the supply point and his address.”

FACTOR ENERGIA is registered in the List of Electricity and Gas Suppliers of the CNMC.

In relation to the duty of information to the interested party:

FACTOR ENERGIA declares that it is fulfilled through the inclusion, in the advertising communication, of the following text: "In accordance with the regulations on the protection of personal data, that is, in accordance with the General Data Protection Regulation (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), we indicate that the data comes from sources obtained lawfully and/or sources of public access available without restrictions, and that this communication is made according to the admissible requirements in the indicated regulations. You can exercise your rights of access, rectification, cancellation, opposition, transparency of information, deletion, limitation and portability by contacting FACTOR ENERGIA, SA by postal mail at the address av. Diagonal, 612 Entl. 08021 of Barcelona or by email at dpo@factorenergia.com. Likewise, you will have the right to direct your claims to the data protection authorities. For more information consult our privacy policy on our website www.factorenergia.com.”

It also states that its website (www.factorenergia.com) includes the privacy policy (document 4 attached to Brief #1). It contains sections with information on: data of the controller and contact details of the DPO; purposes of the treatments; bases of legitimacy of the treatments; recipients; possibility of exercising rights and filing a claim with the AEPD; retention periods; additional information (indication of implementation of security measures and guarantees with the processors under article 28 of the GDPR).

Regarding the specific case that is the object of the claim

FACTOR ENERGIA (Written #1) states that the personal data of the complaining party that appear in its systems are: name and surname; postal address. It reiterates that the origin of these data are "public sources, without us being able, to date, to accurately identify their exact traceability”. It states that the data retention period is one year, although "in this case they are blocked and are only kept due to the fact of having responded to the previous requirement related to the file referenced in the margin, and without the company carrying out or going to carry out any other treatment of said data.”

As previously seen, FACTOR ENERGIA states that it also has the technical data of the supply points extracted from the SIPS (article 7 of Royal Decree 1435/2002), which it periodically downloads from the distribution companies. With them, as has been seen, it obtains "estimated and standardized data on the consumption habits of the population according to the characteristics of the households" that "do not refer to personalized data or data linked to the personal data of the people to whom the commercial or advertising communication was directed”.

In relation to compliance with the duty of information, FACTOR ENERGIA provides (document 7 attached to Brief #1) what it states would be the reverse side of the communication provided by the complaining party, which includes the paragraph mentioned previously (translation into Spanish of the original in Catalan):

“In accordance with the personal data protection regulations, that is, in accordance with the General Data Protection Regulation (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), we indicate that the data comes from lawfully obtained sources and/or publicly accessible sources available without restriction, and that this communication is carried out according to the admissible requirements in the indicated regulations. You can exercise your rights of access, rectification, cancellation, opposition, transparency of information, deletion, limitation and portability by contacting FACTOR ENERGIA, SA by postal mail at the address av. Diagonal, 612 Int. 08021 Barcelona or by email at dpo@factorenergia.com. Likewise, you will have the right to direct your claims to the data protection authorities. For more information see our privacy policy on our website www.factorenergia.com.”

                           FUNDAMENTALS OF LAW


                                           I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."










                                            II
Article 6 of the GDPR, Lawfulness of the treatment, establishes in point 1 that:

       "1. Processing will only be lawful if at least one of the following conditions is fulfilled:
       a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;
       b) the processing is necessary for the performance of a contract to which the interested party is a party or for the application, at the request of the latter, of pre-contractual measures;
       c) the processing is necessary for compliance with a legal obligation applicable to the data controller;
       d) the processing is necessary to protect vital interests of the data subject or of another natural person;
       e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller;
       f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.

       The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions.”

On the other hand, article 4 of the GDPR, Definitions, in its sections 1, 2 and 11, notes that:

       “1) "personal data" means any information about an identified or identifiable natural person ("the data subject"); an identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier, or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of said person;

       2) "processing": any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, comparison or interconnection, limitation, deletion or destruction;

       11) "consent of the interested party": any free, specific, informed and unequivocal manifestation of will by which the interested party accepts, either by means of a declaration or a clear affirmative action, the processing of personal data that concerns them."


In the present case, in order to analyze the validity of this legitimizing basis, it is necessary to examine each of the elements that concur in it to prove the legality of the treatment. The criteria established for this in Opinion 06/2014, of April 9, on the concept of legitimate interest of the data controller under Article 7 of Directive 95/46/CE, of the Article 29 Working Group (hereinafter, Opinion 06/2014), should be taken into account.


    1. Legitimate interest of the controller

Recital 47 of the GDPR establishes the following:

“The legitimate interest of a data controller, including that of a data controller to which personal data may be communicated, or that of a third party, may constitute a legal basis for the treatment, provided that the interests or the rights and freedoms of the data subject do not prevail, taking into account the reasonable expectations of the interested parties based on their relationship with the controller. Such legitimate interest could occur, for example, when there is a relevant and appropriate relationship between the interested party and the controller, such as in situations where the interested party is a customer or is at the service of the controller. In any case, the existence of a legitimate interest would require careful evaluation, including whether an interested party can reasonably foresee, at the time and in the context of the collection of personal data, that processing can take place for this purpose. In particular, the interests and fundamental rights of the interested party could prevail over the interests of the data controller when personal data are processed in circumstances in which the data subject does not reasonably expect further treatment. Since it corresponds to the legislator to establish by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities in the exercise of their functions. The processing of personal data strictly necessary for the prevention of fraud also constitutes a legitimate interest of the data controller in question. The processing of personal data for direct marketing purposes may be considered as carried out for a legitimate interest.”


For its part, Opinion 06/2014 contains a similar pronouncement. Initially it indicates that:

“An interest must be articulated clearly enough to allow the balancing test to be carried out against the interests and fundamental rights of the interested party. In addition, the interest at stake must also be "pursued by the data controller". This requires a real and current interest, that corresponds to present activities or benefits expected in the very near future. In other words, interests that are too vague or speculative will not suffice.”

In this sense, the opinion clarifies, a legitimate interest that is relevant must:










    - Be lawful (i.e. in accordance with applicable national and EU law);
    - Be articulated clearly enough to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently specific);
    - Represent a real and current interest (i.e. not speculative).

And then it includes a non-exhaustive list of some of the most common areas where the question of legitimate interest within the meaning of Article 7, letter f) may arise. Among them it includes "conventional prospecting and other forms of marketing or advertising”.

In principle, it could be considered that data processing for the purposes of “direct marketing” and “business prospecting and other forms of advertising” would constitute a legitimate interest. This does not imply that all treatment for said purpose can be considered as covered by the legitimizing basis of legitimate interest. Indeed, Opinion 06/2014 clarifies:

“The legitimacy of the interest of the data controller is only a starting point, one of the elements to be analyzed under article 7, letter f). Whether Article 7(f) can be used as a legal basis or not will depend on the result of the following weighing test”

Therefore, it remains for the data controller to carry out the weighting provided for in article 6.1.f) GDPR, by virtue of which the treatment will be lawful if "it is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data, in particular when the interested party is a child.”


    1. Weighting of rights and interests

In order to carry out the weighting provided for in the Regulation, the defendant has argued:

    - As an interest of the controller: attracting customers and an "increase in their visibility in the market”.

    - As a possible affectation of the rights of the complaining party: the controller minimized it with various arguments. Among them: the scarcity and minor nature of the data processed (identity and contact details); the absence of legal effects on the interested party (hiring, access to services); minimal affectation in the sphere of the interested party (receipt of a postal communication, less invasive than other channels); the existence of guarantees applicable to the treatment; respect for those who exercise their right of opposition; the existence of channels for the exercise of data protection rights, guarantees that are imposed by law, not because the controller graciously bestows them.











    1. Rights of the data owner


In addition to the legitimate interest alleged by the data controller, it must also be analyzed in what way the rights and interests of the interested party are affected, so that the weighting judgment can be concluded.

In this regard, special attention should be paid to the impact that the treatment may have on the interested party. The claimed party focuses on declaring that this would not be significant given the means used (postal) and the little or no affectation in the legal sphere of the owner of the data. However, these are not the only parameters to take into account. In this regard, Opinion 06/2014 states:

"The legitimate interest of the data controller, when it is minor and not very compelling, in general, only overrides the interests and rights of the interested parties in cases where the impact on these rights and interests is even more trivial.”

In the case at hand, it is clear that the interest of the controller cannot be qualified as "pressing", since, as it itself indicates, it comes down to its interest in attracting new customers. This means, as the opinion indicates, that one should be more demanding in terms of the affected rights of the claimant. The opinion continues:

“The term «impact» as used in this Opinion covers any possible consequence (potential or actual) of data processing. The concept is not related to the notion of breach of personal data and is much broader than the repercussions that may derive from said violation.”

And as for the type of affectation that the processing of the data may cause its holder, it declares the following:

“In addition to adverse outcomes that may be specifically anticipated, more general emotional repercussions must also be taken into consideration, such as the anger, fear and anguish that may result from the interested party's loss of control over personal information or from the knowledge that such personal information has been or may be misused or compromised, for example, through its exposure on the Internet. The intimidating effect on protected behavior, such as freedom of investigation or freedom of expression, which may result from continuous supervision or monitoring must also be taken into account.”


It cannot be forgotten that the claim was filed by the claimant upon having received a postal communication of a promotional nature, which was directly addressed to her because it contained her identification and contact information. Therefore, the criterion used by the claimed party cannot be shared when it states that "This [postal] channel should be considered less aggressive and invasive than other channels commonly used to send advertising, such as commercial calls and/or sending emails”.











In this regard, it is necessary to indicate that, although channels such as the telephone could in principle be considered more "invasive", the truth is that whoever receives the call may believe that the caller does not have their identifying data, while receiving a postal communication with identification and contact details makes the data owner certain that whoever sends the communication has said data. As the recipient is not a client of the entity, uncertainty also arises about what could have been the source of knowledge of the data, which leads the owner to doubt their power to dispose of them.

This leads us to the concept of "reasonable expectation" as a criterion to be taken into account in the processing of data based on legitimate interest.

    2. Reasonable expectation in data processing


As previously mentioned, Recital 47 GDPR establishes, in relation to the legitimizing basis of legitimate interest, that this could concur when the interest of the controller does not prevail over the rights of the interested party "taking into account the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could arise, for example, where there is a relevant and appropriate relationship between the data subject and the controller, as in situations in which the interested party is a client or is at the service of the controller”.

The reasonable expectation that the interested party may have in the processing of the data is crucial in the balancing judgment between the interests of the controller and the rights of the interested party. Opinion 06/2014 states:

“The reasonable expectations of the data subject in relation to the use and disclosure of data are also very relevant in this regard. As was made clear with respect to the analysis of the purpose limitation principle, it is important to consider whether the position of the data controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of data collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations regarding its further use.”

The clearest example of reasonable expectation in cases of receipt of advertising communications comes from the fact of having previously been a client of a company or at least having contacted it to inquire about the products or services marketed by it.

In the present case, the claiming party has not been a client of the claimed party, nor has the claiming party contacted it to inquire about the services of the company in question. Hence the surprise at the receipt of a commercial communication with their identification and contact information.

The defendant, for its part, alleges that:

"In this consideration, the reasonable expectation of the interested parties in the processing of their personal data for this purpose. In this sense, we must bear in mind that it is common practice in the market to send advertising by postal mail to potential customers, but also, in view of the uses of the market, the interested parties are perfectly aware of the possibility that such communications may appear in their mailbox and that, in addition, they can be beneficial or provide added value to the interested parties in their role as consumers”.

That is, it does not provide any justification for the existence of a reasonable expectation, beyond indicating that any citizen can expect to receive a postal advertising communication in their mailbox, without previously being a customer or being interested in the services of a company.

It is worth mentioning the Report of the Legal Department of this Agency 2018/0173, which analyzes the legitimacy of direct marketing actions both in the field of the use of electronic media and in others. In this regard, even if an interested party has previously been a client of a company, or has been interested in its goods or services, it clarifies that direct marketing actions must be limited to goods or services similar to those previously contracted.

“As indicated in the report just reproduced, the general criterion for
considering that the processing of the data can be based on the balancing rule of the
legitimate interest of the controller would be that the services and products offered
were those of the controller. In this sense, it was clarified that, when talking about
financial credit institutions, such advertising should be understood as referring to
that entity's own asset or liability products, but not to other financial
products, such as, as expressly indicated, insurance. This is based on the fact
that in relation to such products there is no reasonable expectation of the
interested party that their data will be processed by the bank for the offer of
products that in principle are not related to those contracted when going to
it."


Bearing in mind that, even where the interested party has previously been a client, the
criterion for sending commercial communications is restrictive (they must be restricted
to the contracted products), it is even more so where the interested party has not
been a customer, in which case no such products and services exist.



    3. Data processed

Another of the defendant's arguments consists of insisting on the nature
of the data, which would consist only of the identity of the claimant and his postal
address. In this regard, it should be noted that, although it is true that special
category data under article 9 GDPR are not involved, Opinion 06/2014 clarifies that:

“In general, the more sensitive the information in question, the more consequences
it may have for the interested party. However, this does not mean that data that
seem in and of themselves innocuous can be processed freely
on the basis of article 7, letter f). Of course, even such data, depending
on the way they are processed, can have a significant impact on people”



This, in combination with the absence of a reasonable expectation of the data subject regarding
the processing of their data, means that the nature of the data processed cannot, by itself,
justify the legitimate interest in the processing.



    4. How the data is processed

Another aspect to take into account when weighing rights and interests would be the
assessment of necessity, suitability and proportionality in data processing. In this
regard, Opinion 06/2014 indicates the following:

“In general, the more negative and uncertain the impact of the processing may be, the more
unlikely it is that the processing will be considered, on the whole, legitimate. The availability
of alternative methods to achieve the objectives pursued by the controller,
with less negative impact on the interested party, should certainly be
a pertinent consideration in this context."

In this regard, the defendant alleges that "from Factor Energía there is,
in our assessment, no alternative method that allows us to communicate our
interest in offering our services and that likewise allows us to comply with
our legal obligations (to inform the interested parties about the processing of
their personal data) and with the least impact on the interested parties.”

Suffice it to say that it would have been enough to carry out a mailing activity without
including the claimant's data. This is especially so when the claimed party itself has
clarified that the indication of appropriate rates based on consumption, which is
included in the letter, is not based on specific data from the complaining party, but on
zone estimates. Based on this statement, it would not be necessary for the letter
to be accompanied by identification data.


With this, the processing carried out does not pass the proportionality test, nor does it respect
the principle of minimal intervention, as there are methods that would not require processing.

    5. Position of the controller and the interested party

For the purposes of the weighing assessment, it is necessary to pay attention to the position
of the claimant versus that of the defendant. Thus, in the first case we find
a citizen or user, while the claimed party is an electricity marketing
company.

In this regard, Opinion 06/2014 advises paying attention to the situation of
imbalance between the two:

"Depending on whether the data controller is a person or a
small organization, a large multinational company or a public sector
body, and on the specific circumstances, its position may be more or less
dominant with respect to the interested party.

Whether the interested party is an employee, a student, a patient, or whether there is
otherwise an imbalance in the relationship between the position of the interested party and that of the

controller must, of course, also be considered relevant. It is
important to assess the effect of the actual processing on specific individuals.”


    6. Conclusions on the weighting of rights and interests

Based on the factors analysed, it cannot be concluded that in the present case the
defence of legitimate interests, weighed against the impact on the rights of the
claimant, justifies the use of legitimate interest as the legal basis for the
processing of data for direct marketing purposes. This is based on:


    - An impact on the rights and interests of the complaining party has been
       established. The complaining party received a commercial communication
       from a company of which he was not a client, which processed his personal data
       (name, surname and address), causing a situation of uncertainty
       about the origin of the data and whether they could be available to other
       entities.

    - The existence of a reasonable expectation on the part of the
       complaining party that their data may be being processed by this
       company for these purposes. This is above all because, in the case
       of a direct marketing action, it has not been shown that the
       claimant was previously a customer or had been interested in the services
       of the claimed party.

    - It has not been justified, in application of the principle of minimal
       intervention, that there were no alternative methods, not involving the
       processing of personal data, for carrying out marketing activities under the
       conditions in which they were being carried out by the claimant.

    - An imbalance has been established between the
       position of the claimant (consumer) and that of the claimed party (a
       distribution company in the electricity sector).

                                           II
In accordance with the evidence available at the present time of the
agreement to start the disciplinary procedure, and without prejudice to what results from the
investigation, it is considered that the known facts could constitute an
infringement, attributable to the claimed party, for violation of article 6.1 of the GDPR,
since the data processing carried out, that is, the marketing activity
by postal mail, addressed to the complaining party with his name,
surnames and address, has been carried out without a legitimizing basis.


                                           IV.
If confirmed, the aforementioned infringement of article 6.1 of the GDPR could entail the
commission of the infringements classified in article 83.5 of the GDPR, which under the
heading "General conditions for the imposition of administrative fines" provides:


“Violations of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the

total annual global business volume of the previous financial year, opting for
the highest amount:

a) the basic principles for processing, including the conditions for
consent under articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 "Infractions", establishes that:

"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are
contrary to this organic law”.

For the purposes of the limitation period, article 72 "Infractions considered very
serious” of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
the infractions that constitute a substantial violation of the articles mentioned
therein are considered very serious and will prescribe after three years, in
particular the following:

b) The processing of personal data without the fulfillment of any of the conditions of
legitimacy established in article 6 of Regulation (EU) 2016/679. (…)”

                                           V
For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence available at the present time of the
agreement to start disciplinary proceedings, and without prejudice to what results from the
investigation, it is considered that the offense in question is serious for the purposes of the
GDPR and that it is appropriate to graduate the sanction to be imposed in accordance with the following
criteria established in article 83.2 of the GDPR:


As aggravating factors:
    - Negligence in the infringement (Art. 83.2.b). It must be taken into account that FACTOR
    ENERGIA has not even been able to prove the source from which it obtained the data
    of the complaining party, indicating that they were obtained from "publicly
    accessible sources”, without being able to specify the specific source. This indicates,
    at the very least, a considerable lack of diligence.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 "Sanctions and corrective
measures" of the LOPDGDD:


As aggravating factors:
    - Linking of the offender's activity with the processing of
    personal data (Art. 76.1.b). FACTOR ENERGIA, a company dedicated to the
    electricity trade, handles a large volume of personal data, for
    which reason it must have extensive knowledge of the regulations relating to
    data protection and its management.



The balance of the circumstances contemplated in article 83.2 of the GDPR and
article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the
provisions of article 6.1 of the GDPR, allows the initial setting of a penalty of
€40,000 (FORTY THOUSAND euros).


                                          VI
If the infringement is confirmed, it could be agreed to impose on the controller the adoption of
adequate measures to adjust its conduct to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to
which each supervisory authority may "order the controller or processor to bring
processing operations into compliance with the provisions of
this Regulation, where appropriate, in a specified manner and within a
specified period…”. The imposition of this measure is compatible with the sanction
consisting of an administrative fine, according to the provisions of art. 83.2 of the GDPR.

It is noted that failure to comply with the requirements of this body may be
considered an administrative infringement in accordance with the provisions of the GDPR,
classified as an infringement in its articles 83.5 and 83.6, and such conduct may give rise to the
opening of a subsequent administrative sanctioning procedure.


Therefore, in accordance with the foregoing, by the Director of the Spanish
Data Protection Agency,
IT IS AGREED:


FIRST: INITIATE SANCTION PROCEDURE against FACTOR ENERGÍA, S.A.,
with NIF A61893871, for the alleged violation of Article 6.1 of the GDPR, typified in
Article 83.5 of the GDPR.

SECOND: APPOINT as instructor C.C.C. and, as secretary, D.D.D.,
indicating that either of them may be challenged, if applicable, in accordance with the
provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal
Regime of the Public Sector (LRJSP).

THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the
claim filed by the claimant and its documentation, as well as the
documents obtained and generated by the Sub-directorate General of Data
Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1,
on the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be, for the alleged violation of article 6.1 of the
GDPR, typified in article 83.5 of said regulation, an administrative fine of
€40,000.00.

FIFTH: NOTIFY this agreement to FACTOR ENERGÍA, S.A., with NIF
A61893871, granting a hearing period of ten business days to formulate
the allegations and present the evidence it deems appropriate. In its written
allegations it must provide its NIF and the procedure number that appears in the
heading of this document.

If, within the stipulated period, it does not make allegations to this initiation agreement, the same
may be considered a proposed resolution, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your
responsibility within the period granted for the formulation of allegations to
this initiation agreement, which will entail a reduction of 20% of the
sanction that should be imposed in this proceeding. With the application of this
reduction, the sanction would be established at 32,000.00 euros, resolving the
procedure with the imposition of this sanction.

In the same way, you may, at any time prior to the resolution of this
procedure, make voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the sanction would be established at 32,000.00 euros and its payment will imply the termination
of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with the one that
applies for acknowledgment of responsibility, provided that this acknowledgment
of responsibility is made known within the period granted to formulate
allegations at the opening of the procedure. Voluntary payment of the amount referred to
in the previous paragraph may be made at any time prior to the resolution. In
this case, if both reductions were to be applied, the amount of the penalty would be
established at 24,000.00 euros.

In any case, the effectiveness of either of the two aforementioned reductions will be
conditional on the withdrawal or waiver of any administrative action or appeal
against the sanction.


In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (32,000.00 euros or 40,000.00 euros), you must make it effective
by depositing it in account number ES00 0000 0000 0000 0000 0000, opened in the
name of the Spanish Data Protection Agency at the bank
CAIXABANK, S.A., indicating in the concept the reference number of the
procedure that appears in the heading of this document and the cause of the
reduction of the amount that is being relied on.

Likewise, you must send proof of payment to the General Subdirectorate of
Inspection so that the procedure can continue in accordance with the amount
paid.

The procedure will have a maximum duration of nine months from the
date of the initiation agreement or, where appropriate, of the draft initiation agreement.
After this period, it will expire and, consequently, the proceedings will be
archived, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.

                                                                               935-110422
Mar España Martí
Director of the Spanish Data Protection Agency



>>

SECOND: On November 17, 2022, the claimed party proceeded to pay the
penalty in the amount of 24,000 euros, making use of the two reductions
provided for in the initiation agreement transcribed above, which implies the
acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations at
the opening of the procedure, entails the waiver of any administrative action or appeal
against the sanction and the acknowledgment of responsibility in relation to
the facts referred to in the initiation agreement.



                           FUNDAMENTALS OF LAW

                                           I
                                     Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR) grants each
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."


                                           II
                            Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter, LPACAP), under the heading
"Termination in disciplinary proceedings" provides the following:

"1. Once a disciplinary procedure has been initiated, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction has only a pecuniary nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the presumed perpetrator, at
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the
body competent to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and their effectiveness will be conditional on the withdrawal or waiver of
any administrative action or appeal against the sanction.


The percentage reduction provided for in this section may be increased
according to regulations."


According to what has been stated,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202102778, in
accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to FACTOR ENERGÍA, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative process as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations, interested parties may file a contentious-administrative
appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
aforementioned Law.


                                                                                 936-040822
Mar España Martí
Director of the Spanish Data Protection Agency













