AEPD (Spain) - EXP202307313
Revision as of 13:02, 28 October 2024
| AEPD - EXP202307313 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR, Article 83(5) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 13.04.2023 |
| Decided: | 31.07.2024 |
| Published: | 16.10.2024 |
| Fine: | 60,000 EUR |
| Parties: | Curenergía |
| National Case Number/Name: | EXP202307313 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Ao |
The DPA fined a controller €60,000 for unlawfully disclosing personal data of its clients to its partner company.
English Summary
Facts
On 13 April 2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller, an electricity provider. The data subject had been a customer of the controller until 2021 and on 12 April 2022 wanted to register again as a customer with the controller. The controller's customer service team contacted the data subject to confirm his account and telephone number.
The data subject alleged that the controller was still in possession of his personal data, such as his ID card number, name and address, since he did not have to provide this data again.
After supplying the data to the controller's customer service team, the data subject received an email from the controller as well as from another company (Iberdrola Clientes) asking him to sign the attached PDF contract. The contract included personal data such as the data subject's name, address and IBAN. The data subject therefore concluded that the controller had transferred his personal data to its partner Iberdrola Clientes without his consent.
After the submission of the complaint, the AEPD launched preliminary investigative procedures to clarify the facts of the case. The partner company submitted to the AEPD that it and the controller do not maintain any relationship in the processing of personal data and that each company processes only the data of its own customers, without any cross-over. However, both companies belong to the Iberdrola Group and use the same service provider for their customer service. Iberdrola Clientes assured the AEPD that a system is in place which identifies which customers belong to which company. Iberdrola further submitted that the customer service employee had made a mistake and sent the contract from the wrong company. Immediate steps were taken to cancel the contract with Iberdrola.
The controller further submitted that it had responded to the data subject's email notifying it of the mistake just three hours later, with an apology.
Holding
On 31 July 2024, the AEPD commenced sanctioning proceedings against the controller. The AEPD considered that the unlawful processing of personal data by the controller's partner company was caused by an accident, but insisted that this does not negate the unlawful act.
The AEPD held that the controller had infringed Article 6(1) GDPR and set a fine of €100,000 based on the controller's annual turnover (Article 83(5) GDPR). The fine was reduced to €60,000 as the controller accepted the decision and opted for the voluntary payment procedure.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202307313

RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On July 31, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO, S.A.U. (hereinafter, the respondent), by means of the Agreement transcribed below:

<< File No.: EXP202307313

AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and based on the following:

FACTS

FIRST: D. A.A.A. (hereinafter, the claimant) on April 13, 2023 filed a claim with the Spanish Data Protection Agency. The claim is directed against CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO, S.A.U. with NIF A95554630 (hereinafter, the respondent or Curenergía). The reasons on which the claim is based are the following:

The complainant states that he was a Curenergía customer until 2021, and that he subsequently contacted the electricity supplier of last resort (***EMAIL.1) by email on April 12, 2022, to sign up again with Curenergía. He adds that Curenergía already had the supply data because he had previously been a customer of said company, so in the customer service area by telephone they only asked him for some of his data to confirm if they were the same (power, account number and phone number), while he did not provide the other data (ID, name, postal address).

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

In confirming the data requested, he received an email from ***EMAIL.1 indicating that "I confirm that I have just sent the policy with electronic signature to your email." He also received an email from "***EMAIL.2" asking him to electronically sign the PDF contract, sent by Iberdrola Clients.

Thus, the claimant states that Curenergia transferred all his data (ID, IBAN, name, surname, address) to Iberdrola Clients without his consent so that it could formalize the electricity supply contract with the latter, having never maintained any type of relationship with Iberdrola Clients.

The following documentation is provided with the notification:

Email dated April 12, 2023, sent by the claimant to ***EMAIL.3, stating the following: <<I had this contract Supply contract reference (CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO S.A.U.): ***TELEPHONE.1 with CURENERGIA which is currently with another marketer. I wanted to put it back with CURENERGIA in PVPC>>.

Response from Curenergía Clientes dated April 12, 2023: <<We confirm that we have received your email and that we have started the necessary steps to respond to you as soon as possible>>.

Email from Curenergía Clientes dated April 12, 2023 addressed to the complainant: <<To carry out the procedure you request, it is necessary that you indicate to me, if you are so kind, the following information: The name of the marketing company with which you are currently registered. If you are the current holder or if you are going to change. Bank account in which you wish to direct debit the payment. Contact telephone number. Contracted power in each of the sections, peak and off-peak. If you wish to receive correspondence by regular or electronic mail and address.>>

Email from the claimant dated April 12, 2023: <<The name of the marketing company with which you are currently: NATURGY If you are the current holder or if you are going to change: SAME HOLDER Bank account in which you want to direct debit the payment: ***PAYMENT.1 Contact telephone number: ***PHONE.2 Contracted power in each of the sections, peak and valley: No changes: PEAK 0.100 kW and VALLEY 0.700 kW If you want to receive correspondence by regular or electronic mail and address: BY EMAIL ***EMAIL.4>>

Email from Curenergía Clientes dated April 12, 1:10 p.m. addressed to the claimant: <<I confirm that I have just sent the policy with electronic signature to your email so that if you agree and the data is correct, I ask you to continue these simple steps: You will receive an email with a link to the document so that you can view it from your device. When you click on the link, you will be redirected to a website, where you must allow access by clicking on the "Start" check. This screen will only appear on your first access. You will access the platform to view the PDF with the offer and, at the end of the document, you can accept the offer or reject it>>.

Email from Iberdrola Customers for the claimant dated April 12, 2023, 1:06 p.m. addressed to the claimant: <<Dear A.A.A., Thank you for your interest in contracting with Iberdrola. To view and sign the offer and its conditions, click the View document button in this email. Once the document has been opened, go to the last page and select the Accept and Sign option. After signing it, you will receive a copy of the document in your email>>.

Contract sent by Iberdrola Clientes, S.A.U. to the claimant dated April 12, 2023, where the following data appears:

<<ELECTRICITY SUPPLY CONTRACT
CONTRACTING PARTIES
Retailer: IBERDROLA CLIENTES, S.A.U. Tax ID: A95758389 Registered Office: Plaza Euskadi 5, 48009 Bilbao Customer Service Telephone: ***TELEPHONE.3 / ***TELEPHONE.4
IBERDROLA CLIENTES, S.A.U. is authorized by the Directorate General of Energy Policy and Mines of the Ministry of Energy, Tourism and Digital Agenda for the activity of marketing electricity and natural gas.
CUSTOMER Surname and First Name/Company Name: A.A.A. NIF: ***NIF.1 Date of Birth:
SUPPLY ADDRESS Supply address: ***ADDRESS.1
SPECIFIC CONDITIONS PRODUCTS AND SERVICES TO BE CONTRACTED Stable Electricity Plan
SUPPLY CONDITIONS Type of contract: Normal Voltage: 1X230 V Access rate: BT 2.0 TD Mode 1 Power Contracted: Peak: 100 W Valley: 700 W CUPS: ***CUPS.1 Distribution Company: UFD Distribución de Electricidad, S.A. Attention Network Failures: XXXXXXXXX
ECONOMIC CONDITIONS ELECTRICITY PRICE Power Term Peak: 34.504864 €/kW and year Power Term Valley: 6.377714 €/kW and year Energy Term: 0.201984 €/kWh The cost will be added to the prices>>

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to the respondent party, so that it could proceed to its analysis and inform this Agency within a period of one month, of the actions carried out to comply with the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on June 1, 2023, as shown in the acknowledgment of receipt in the file. No response has been received to this transfer letter.

THIRD: On July 13, 2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the claimant was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in compliance with the provisions of Title VII, Chapter I, Section two, of the LOPDGDD, being aware of the following points:

1. In relation to the facts claimed, the representatives of IBERDROLA CLIENTS in response to the request of this Agency, dated October 6, 2023, make the following statements:

Article 12.3 of Law 24/2013, of December 26, on the Electricity Sector, establishes within the framework of regulation of the separation of activities, that "the distribution companies and the reference marketing companies that form part of a group of companies that develops regulated and free activities in the terms provided for in this law, will not create confusion in their information and in the presentation of their brand and brand image with respect to the identity of the subsidiaries of their same group that carry out marketing activities". As a consequence of the aforementioned provision, IBERDROLA CLIENTES and CURENERGIA COMERCIALIZADORA DE ÚLTIMO RECURSO, S.A.U (hereinafter "CURENERGIA") do not maintain any type of relationship in the processing of the personal data of their clients. Each of the two marketing companies maintains its own treatments, without any confusion or permeability between them, so that each of the marketing companies only processes the information of its own clients and does not process any personal data of those who do not have this status.

Both entities belong to the Iberdrola Group and both maintain links with the same service provider for telephone customer service of the two companies, which acts as the data processor for both companies. In these cases, the Iberdrola Group has adopted the necessary measures to guarantee compliance with the obligations related to the separation of activities. The telephone customer service lines for IBERDROLA CLIENTS are different from those that CURENERGIA makes available to its clients, having established a system that allows the operator to know if the interested party has requested the attention of one or the other entity. Operators have express instructions related to the prohibition of cross-access to the databases of the entities, so that in the event that the interested party has contacted CURENERGIA through the telephone number, it is expressly prohibited to access the databases of IBERCLI, as well as to provide any type of information related to this entity.

In relation to the specific case that is the subject of the claim, and taking into account the content of the information incorporated in the request, the sequence of events is as follows:

• On April 12, 2023, the claimant contacted CURENERGIA to enter into a contract with it,
• That same day, CURENERGIA requested a series of documents from the interested party, which were sent to it by the claimant. The CURENERGIA sales representative informs the claimant that he will send him the contract for his signature.
• On that same date, the contract is sent to the claimant, however, an error occurs in the sales representative's actions and he sends a contract from IBERCLI and not from CURENERGIA.
• The contract with IBERCLI was cancelled as a result of the contracting by the Claimant of the supply with another supplier on April 14, 2023.

Thus, in the process of sending the contract to the claimant, an error occurred on the part of the person who attended the request, as a result of which there was a confusion between the two entities to which the operator provided services. The correction of this error occurred immediately, through the cancellation of the contract signed with IBERDROLA CLIENTS.

In relation to the service provider for telephone customer service shared between IBERDROLA CLIENTES and CURENERGIA, the representatives of IBERDROLA CLIENTES declare that they do not have any type of relationship in the processing of personal data of the customers of each of the entities. Each of the two marketing companies maintains its own processing, without any type of confusion or permeability between the two, so that each of the marketing companies only processes the information of its own customers and does not process any personal data of those who do not have this status. In any case, given that both companies belong to the Iberdrola Group, both sometimes maintain links with the same service provider. This is the case in the case of telephone service for the customers of both companies, which is carried out in both cases by the same contact center service provider, who will act as the data processor for both companies. They provide a copy of the contract signed by IBERCLI and UNÍSONO SOLUCIONES DE NEGOCIO.

The representatives of the entity provide a copy of the express instructions related to the prohibition of cross-access to the databases of the entities. The telephone lines for IBERCLI customers are different from those that CURENERGIA makes available to its customers, having established a system that allows the operator to know if the interested party has requested the attention of another. This guide contains express provisions related to the prohibition of access by the operator, in the event that the interested party has contacted it through the CURENERGIA telephone number, to access the IBERCLI databases, as well as to provide it with any type of information related to this entity.

To prove the evidence of the cancellation of the contract entered into by mistake with IBERDROLA CLIENTS, they provide a screenshot of the IBERCLI system where the cancellation of the contract entered into by mistake with the claimant is evident.

1. The representatives of Curenergía indicate the following on October 9, 2023, in response to the request of this Agency:

In relation to the specific case subject to the claim, the sequence of events is as follows:

• On April 12, 2023, D. A.A.A. (hereinafter, "the Claimant") contacted CURENERGIA to enter into a contract with it,
• That same day, CURENERGIA requests a series of documents from the interested party, which are sent to him by the Claimant. The CURENERGIA sales representative informs the Claimant that he will send him the contract for signature.
• On the same date, the contract is sent to the Complainant, although there is an error in the actions of the salesperson and he sends a contract from IBERCLI and not from CURENERGIA.
• Immediately after receiving it, the Complainant contacts the entity, indicating that same day that the contract sent is from IBERCLI and not from CURENERGIA. CURENERGIA responds to the aforementioned email just three hours later, apologizing to the Complainant and indicating that it is an error.
• Finally, on April 13, 2023, that is, just two days after the aforementioned error occurred, the Complainant signs the electricity supply contract number ***CONTRACT.1 with CURENERGIA.

Thus, in the process of sending the contract to the claimant, an error occurred on the part of the person who attended to the request, as a result of which a confusion arose between the two entities to which the operator provided services. The correction of this error occurred by signing the contract requested from CURENERGIA.

FIFTH: According to the report collected from the AXESOR tool, the entity Curenergía is a large company established in 2008, and with a turnover of 2,177,703,000 euros in 2022.

LEGAL BASIS

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants to each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures."

II Unfulfilled Obligation

The respondent is charged with committing an infringement for violating Article 6 of the GDPR, "Lawfulness of processing", which indicates in its section 1 the cases in which the processing of third party data is considered lawful:

"1. Processing is only lawful if at least one of the following conditions is met:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions."

Moreover, Article 4 of the GDPR, Definitions, in its paragraphs 1, 2 and 11, states that:

"1) "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
"2) "processing" means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
"11) "consent of the data subject" means any freely given, specific, informed and unequivocal indication of the data subject's wishes by which he or she accepts, by a statement or by a clear affirmative action, the processing of personal data relating to him or her."

In the present case, it has been proven that the respondent party violated Article 6.1 of the GDPR, since it processed the personal data of the complainant (NIF, address, universal delivery point code, email, mobile number, bank details) without any legal grounds to do so. The personal data were incorporated by Curenergía into the information systems of Iberdrola Clientes, without having proven that it had a legal basis for the collection and subsequent processing of their personal data by Iberdrola Clientes, as proven by the fact that the claimant's data were incorporated into the contract sent by Iberdrola Clientes, S.A.U. to the claimant dated April 12, 2023, where the following data appear:

<<ELECTRICITY SUPPLY CONTRACT
CONTRACTING PARTIES
Supply company: IBERDROLA CLIENTES, S.A.U. Tax ID number: A95758389 Registered office: Plaza Euskadi 5, 48009 Bilbao Customer Service Telephone: ***TELEPHONE.3 / ***TELEPHONE.4
IBERDROLA CLIENTES, S.A.U. is authorized by the General Directorate of Energy Policy and Mines of the Ministry of Energy, Tourism and Digital Agenda for the activity of commercialization of electric energy and natural gas.
CLIENT Surname and First Name/Company Name: A.A.A. NIF: ***NIF.1 Date of Birth:
SUPPLY ADDRESS Supply address: ***ADDRESS.1
SPECIFIC CONDITIONS PRODUCTS AND SERVICES TO BE CONTRACTED Stable Electricity Plan
SUPPLY CONDITIONS Type of contract: Normal Voltage: 1X230 V Access rate: BT 2.0 TD Mode 1 Power Contracted: Peak: 100 W Valley: 700 W CUPS: ***CUPS.1 Distribution Company: UFD Distribución de Electricidad, S.A. Attention Network Failures: XXXXXXXXX
ECONOMIC CONDITIONS ELECTRICITY PRICE Power Term Peak: 34.504864 €/kW and year Power Term Valley: 6.377714 €/kW and year Energy Term: 0.201984 €/kWh The cost will be added to the prices>>

Said contract was sent through the email address ***EMAIL.5, an address not belonging to the respondent party and corresponding to a different entity that did not participate in the contracting process with the complainant party, which shows the improper treatment of the data. Consequently, it has processed personal data without proving that it has the legal authorization to do so. In this regard, and this is essential, the respondent does not prove the legitimacy for the transfer of the complainant's data to Iberdrola Clients. The respondent states in response to the request of this Agency dated October 9, 2023 that Curenergía and Iberdrola Clients have subcontracted the customer service to the same entity. Both operators can access the customer databases of both entities simultaneously, but they have express instructions that when a call is received on a telephone of one of the entities, not to access or provide information relating to the other.

The respondent claims that the facts subject to the claim were due to an error by the salesperson, which was corrected after the affected party had informed them of what had happened. However, this circumstance does not invalidate the fact that improper processing has occurred, nor does it remedy the lack of legitimacy in carrying out said processing. In this regard, article 6.1 of the GDPR states that processing "will be lawful if it is necessary for the execution of a contract to which the interested party is a party". Therefore, Curenergía has acknowledged the existence of an incorrect action in the management of the data of the complainant, the consequence of which was that an entity unrelated to the operation had access to the personal data of the complainant without the latter's consent. In view of the above, the respondent party fails to prove that it acted diligently and therefore there was an unlawful processing of the personal data of the complainant, thereby contravening article 6 of the GDPR.

In this regard, Recital 40 of the GDPR states: "(40) For processing to be lawful, personal data must be processed with the consent of the data subject or on another legitimate basis established by law, whether in this Regulation, including the need to comply with the legal obligation applicable to the controller or the need to execute a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract."

For the above reasons, without prejudice to the outcome of the investigation of the procedure, it is clear that the personal data of the complainant has been unlawfully processed, consisting of the transfer of his/her data to an unauthorized entity, which results in a breach of the principle of legality provided for in the aforementioned article 6.1 of the GDPR.

III Classification and qualification of the infringement

The infringement is classified in article 83.5 of the GDPR, which considers as such: "5. Infringements of the following provisions shall be punished, in accordance with section 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher: The basic principles for processing, including the conditions for consent pursuant to articles 5, 6, 7 and 9."

For the purposes of the limitation period of the infringement, the LOPDGDD classifies in its article 72.1 as a very serious infringement, in this case the limitation period being three years, "b) The processing of personal data without any of the conditions for the lawfulness of the processing established in article 6 of Regulation (EU) 2016/679 being met."

IV Proposal for a penalty

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

"Each supervisory authority shall ensure that the imposition of administrative fines under this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are effective, proportionate and dissuasive in each individual case."

"Administrative fines shall be imposed, depending on the circumstances of each individual case, as an additional or alternative measure to the measures provided for in Article 58, paragraph 2, points (a) to (h) and (j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:
a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentionality or negligence of the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;
d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32;
e) any previous infringement committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority in order to remedy the breach and mitigate any adverse effects of the breach;
(g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the breach, in particular whether the controller or processor notified the breach and, if so, to what extent;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42; and
(k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the breach."

Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76, "Sanctions and corrective measures", provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continued nature of the infringement.
b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the affected party's conduct could have led to the commission of the infringement.
e) The existence of a merger process after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party."

In accordance with the provisions transcribed, and without prejudice to what results from the instruction of the procedure, for the purposes of setting the amount of the fine to be imposed on the respondent, as responsible for an infringement classified in article 83.5.a) of the GDPR, in an initial assessment, the following factors are considered to be concurrent:

- The seriousness of the infringement taking into account the scope of the processing operation, a circumstance provided for in article 83.2.a) GDPR. A significant circumstance in the case examined is that it was an electricity supply contract, to which the respondent would have linked the personal data of the complainant. In this sense, the seriousness of the scope of the operation is manifested in the transfer of the data to a third party who was not authorized and to which the complainant had not given his consent.

- "The link between the offender's activity and the processing of personal data", a circumstance provided for in article 76.2.b) LOPDGDD in connection with article 83.2.k) RGPD. The business activity of the defendant necessarily processes personal data, being one of the most important electricity companies in Spain. This characteristic of its business activity has an impact, reinforcing it, on the diligence that it must deploy in compliance with the principles that govern the processing of personal data and in the quality and effectiveness of the technical and organizational measures that it must have implemented to guarantee respect for the fundamental right. The National Court's ruling of 17/10/2007 (rec. 63/2006), in which, with respect to entities whose activity involves the continuous processing of customer data, indicates that "...the Supreme Court has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or lack thereof of the subject must be especially considered, and there is no doubt that, in the case now examined, when the activity of the appellant is of constant and abundant handling of personal data, it is necessary to insist on the rigor and the exquisite care to comply with the legal provisions in this regard."

The penalty to be imposed on the respondent must be graduated and set at the amount of €100,000 for the infringement of article 83.5 a) RGPD, classified as very serious for the purposes of the prescription in article 72.1b) of the LOPDGDD.

Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency, IT IS AGREED:

FIRST: TO INITIATE SANCTIONING PROCEDURE against CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO, S.A.U. with NIF A95554630, for the alleged infringement of article 6.1) classified in article 83.5.a) of the aforementioned RGPD.

SECOND: APPOINT Mr. B.B.B. as instructor and Ms. C.C.C.
as secretary, indicating that either of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the General Subdirectorate of Data Inspection. FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the sanction that could be applied would be for the infringement of article 6.1 of the RGPD, specified in article 83.5 a) of the RGPD, the sanction that would be applied would be a fine for an amount of 100,000 euros (one hundred thousand euros) without prejudice to what results from the investigation. FIFTH: NOTIFY this agreement to CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO, S.A.U. with NIF A95554630, granting it a hearing period of ten business days to formulate the allegations and present the evidence it deems appropriate. In its written allegations, you must provide your NIF and the procedure number that appears in the heading of this document. If you do not make any objections to this initiation agreement within the stipulated period, it may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, if the sanction to be imposed is a fine, you may acknowledge your liability within the period granted for the formulation of objections to this initiation agreement; which will entail a 20% reduction for the sanction to be imposed in this procedure, equivalent in this case to twenty thousand euros (€20,000). 
With the application of this reduction, the amount of the sanction would be set at eighty thousand euros (€80,000), and the procedure will be resolved with the imposition of this sanction. Likewise, at any time prior to the resolution of this procedure, the applicant may voluntarily pay the proposed fine, in accordance with the provisions of article 85.2 of the LPACAP, which will entail a reduction of 20% of the amount of the fine, equivalent in this case to twenty thousand euros (€20,000) for the alleged infringement. With the application of this reduction, the amount of the fine would be set at eighty thousand euros (€80,000) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for voluntary payment of the fine may be added to the reduction that must be applied for the acknowledgment of liability, provided that this acknowledgment of liability is made clear within the period granted for submitting objections to the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be set at sixty thousand euros (€60,000). In any case, the effectiveness of either of the two reductions mentioned will be subject to the withdrawal or waiver of any action or appeal in administrative proceedings against the fine. If you choose to make a voluntary payment of any of the amounts indicated above, 80,000 euros or 60,000 euros, you must make the payment by depositing it in account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you are applying. 
You must also send proof of payment to the Subdirectorate General of Inspection in order to continue with the procedure in accordance with the amount paid. The procedure will have a maximum duration of twelve months from the date of the start agreement. After this period, it will expire and, consequently, the proceedings will be closed; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. Mar España Martí Director of the Spanish Data Protection Agency >> SECOND: On September 18, 2024, the respondent party has proceeded to pay the fine in the amount of 60,000 euros using the two reductions provided for in the Initiation Agreement transcribed above, which implies the recognition of liability. THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any action or appeal through administrative means against the fine and the recognition of liability in relation to the facts referred to in the Initiation Agreement and its legal qualification. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/16 LEGAL BASIS I Competence In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. 
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures" provides the following: "1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is of a purely monetary nature or when it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the second has been justified, the voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for the damages and losses caused by the commission of the infringement. 3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. 
The percentage of reduction provided for in this section may be increased by regulation.” According to the above, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/16 the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202307313, in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to CURENERGÍA COMERCIALIZADOR DE ÚLTIMO RECURSO, S.A.U.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law. 936-151024 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es