AEPD (Spain) - EXP202202898
From GDPRhub
AEPD - PS/00286/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 14.02.2022 |
Decided: | 03.11.2022 |
Published: | 29.12.2022 |
Fine: | 24,000 EUR |
Parties: | SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. |
National Case Number/Name: | PS/00286/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
to be updated
English Summary
Facts
The data subject was billed by an electricity and gas company (controller) without his consent.
The data subject filed a complaint at the Spanish DPA (DPA) on 14 february 2022, because he had been charged without his consent. The data subject provided several invoices
Holding
to be updated
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13 File No.: EXP202202898 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On September 9, 2022, the Director of the Spanish Agency of Data Protection agreed to start a sanctioning procedure against SUPPLIER IBÉRICO DE ENERGÍA, S.L. (hereinafter the claimed party). Notified the agreement beginning and after analyzing the allegations presented, on November 3, In 2022, the resolution proposal that is transcribed below was issued: << File No.: EXP202202898 PROPOSED RESOLUTION OF SANCTION PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: D.A.A.A. (hereinafter, the claiming party) on February 14, 2022 filed a claim with the Spanish Data Protection Agency. The The claim is directed against SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. with NIF B67421867 (hereinafter, the claimed party or SIE). The reasons on which the claim are as follows: The claimant states that there has been a change in the company of the electricity and gas supply without your consent. Provide invoices associated with non-consensual contracting, charges made on your bank account and claims filed with the claimed party. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), said claim was transferred to the claimed party, for to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/13 The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on March 14, 2022 as It appears in the acknowledgment of receipt that is in the file. On April 18, 2022, this Agency received a written response indicating: <<According to the Complainant, during the call the salesperson pretended to work for a third company, with the aim of misleading him and hiring his services without knowing that he was changing electricity supplier. Notwithstanding the foregoing, it is necessary to indicate that the procedures for the formalization of the electricity supply contract in SIE require, of course, the verification and authentication of the manifestation of the client's willingness to proceed upon signing the contract. This implies that, when a service provider telemarketing formalizes a supply contract on behalf of SIE, it must provide the Recording of the sales process. In this way, SIE can verify that the contracting has been carried out properly. After reviewing the recordings of the phone call, we were able to verify that the commercial at no time said that he worked for the third company in question, but rather carried out the contracting process indicating to the Claimant that said contracting would be carried out with Más Energía, which is a brand that sells SIE. Regarding the origin of the personal data referred to by the Complainant, The following considerations should be made about the contracting process when This is done by a company that provides telemarketing services: - The telemarketing service provider transfers to SIE the personal data of stakeholders to whom SIE products and services will be offered. Later, The telemarketing service provider acts as the person in charge of the treatment of SIE to carry out the activities of offering its products and services and contracting of the corresponding products and services. - Notwithstanding the foregoing, the telemarketing service provider may only carry out commercial actions on those interested parties who have provided them with your consent for the transfer of your personal data to SIE for said purpose. Taking into account the above, from SIE it is not possible to determine where the telemarketing service provider the personal data of the Complainant, since that he obtained them as the person responsible for the independent treatment of SIE. However, at the time of signing the contract for the provision of services, said provider of telemarketing services acquired the commitment to assign only the personal data of those interested who have given their consent for said purpose. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/13 Additionally, the service provider undertook to inform the interested parties duly and in accordance with the regulations on data protection about of the transfer to SIE of your data. 2. As a result of the receipt of the transfer of claim and request for information that motivates this writing, from SIE an internal investigation was initiated, in order to determine whether there had been any non-compliance with the regulations on of data protection in the organization during the contracting process with the claimant. However, this party acknowledges an error in the contract signing process, which caused unjustified hiring and, therefore, the issuance of invoices that did not correspond either: SIE has a contract signing process with two steps: A first step in which the conditions of the service are reported via telephone and that, if the client accepts said conditions by the same means, The contract is sent to you for your signature via SMS. In the case of this claim, the interested party accepted the conditions of the service by telephone and, despite not having signed the contract via SMS, it appeared as formalized in the SIE information systems due to an error in synchronization of these systems. 4. SIE is the first party interested in having its services contracted always in accordance with current legislation. Therefore, and although in this case it has been possible to determine after the investigations made that their action has been in accordance with the data protection regulations personal, because incidents of a different nature have been detected in the contracting procedure for its services, SIE has adopted as a measure the total stoppage of the contracting procedure for its services since the past March 4, 2022 and until they are resolved>>. THIRD: In accordance with article 65 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (LOPDGDD), when submitted to the Spanish Data Protection Agency (hereinafter, AEPD) a claim, it must evaluate its admissibility for processing, must notify the claimant of the decision on the admission or non-admission to procedure, within three months from the date the claim was entered into this Agency. If, after this period, said notification does not take place, it will be understood that the processing of the claim continues in accordance with the provisions of Title VIII of Law. Said provision is also applicable to the procedures that the AEPD would have to process in exercise of the powers that were attributed to it by other laws. In this case, taking into account the foregoing and that the claim is filed with this Agency, on February 14, 2022, it is communicated that your The claim has been admitted for processing on May 14, 2022, having elapsed three months from the time it entered the AEPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/13 FOURTH: On September 9, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. FIFTH: Notified of the aforementioned start-up agreement in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the claimed party submitted a written of allegations in which, in summary, he stated that: <<as we already explained in our response to the request for information sent to the AEPD, our procedure for contracting our services consists of a process of verification and authentication of the manifestation of the client's willingness to proceed to the formalization of the supply contract. This implies that, when the service provider telemarketing services formalizes a supply contract on behalf of SIE, the latter must provide the recording of the sale process, in this way, SIE can verify that recruitment has been carried out properly. Once we have reviewed the recording of the telephone call, we can affirm that: 1. The commercial at no time indicated that he worked for a third company. The indicates that the contract will be carried out with Más Luz Energía, a brand marketed by SIE. 2. The interested party expresses his will during the call to hire both supplies (electricity and gas) with the SIE company through the Más Luz Energía brand. We attach as Annex I the transcript of the call where the interested party expresses its willingness to contract both supplies. This party explained that the contracting process for the services offered by SIE is is done by means of a double acceptance, a first acceptance occurs during the phone call and a second by sending an SMS to finish formalize the contract. Although in this specific case this second acceptance is not was carried out when the SMS was not sent to the interested party, to which they had to respond with a “YES”. This party understands that, although the formalization of the contract was not carried out through the sending of the corresponding SMS due to a human error not attributable to SIE, yes the claimant clearly stated his willingness to contract with SIE (as can be seen in the transcript of the call provided), and consequently the treatment carried out would fall within the expectation of the interested party. For this reason, as a result of the internal investigations into what happened in the process of contracting its services, SIE halted the contracting of its services with undefined character. For all of the foregoing, that the Proceedings File be filed by the AEPD>>. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/13 SIXTH: On October 3, 2022, the procedure instructor agreed perform the following tests: <<1. The claim filed by D. A.A.A. and its documentation, the documents obtained and generated during the phase admission to process the claim. 2. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement initiation of the referenced sanctioning procedure, presented by SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L., and the documentation that they accompanies>>. SEVENTH: A list of documents in the file is attached as an annex. process. Of the actions carried out in this procedure and of the documentation in the file, the following have been accredited: PROVEN FACTS FIRST: On February 14, 2022, it has entered the Spanish Agency for Data Protection a letter from the complaining party in which it states that it has been carried out a change of the electricity and gas supply company without your consent. Provide invoices associated with non-consensual contracting, charges made on your bank account and claims filed with the claimed party. SECOND: SIE acknowledges in its brief of April 18, 2022 and in the allegations to the present proceeding on September 30 of the same year, which at the time of the signing of the contract an error occurred which caused a contracting unjustified and, therefore, the issuance of invoices that did not correspond either. That SIE has a contract signing process with two steps: A first step in which the conditions of the service are informed by telephone and that, in the case If the client accepts said conditions in the same way, the contract is sent to him for your signature via SMS. THIRD: It is clear that despite not having signed the contract via SMS, the party claimant, it appeared as formalized in the information systems of the party claimed. FUNDAMENTALS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/13 guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II In response to the allegations presented by the respondent entity, it should be noted the next: Article 6.1 of the GDPR establishes the assumptions that allow the use of processing of personal data. "one. Processing will only be lawful if it meets at least one of the following conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect the vital interests of the data subject or of another Physical person. e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person in charge of the treatment or by a third party, provided that on said interests do not outweigh the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions.” On this question of the legality of the treatment, Recital 40 also affects of the aforementioned GDPR, when it provides that "For the treatment to be lawful, the Personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance with Law, either in the present Regulation or by virtue of another Law of the Union or of the Member States to which referred to in this Regulation, including the need to comply with the legal obligation C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/13 applicable to the data controller or the need to perform a contract with to which the interested party is a party or in order to take measures at the request of the concerned prior to the conclusion of a contract." Well then, in response to the allegations presented by the defendant, it is It should be noted that there is evidence that the data processing of the person who appears in the contract object of this claim has been made without cause legitimizing the data collected in article 6 of the GDPR. The GDPR applies to personal data, which is defined as "personal data": any information about an identified or identifiable natural person ("data subject"); An identifiable natural person shall be considered any person whose identity can be be determined, directly or indirectly, in particular by means of an identifier, such as for example a name, an identification number, location data, a online identifier or one or more elements of physical identity, physiological, genetic, psychological, economic, cultural or social of said person. It has been verified, as the defendant acknowledges, that the data of the person claimant "However, this party acknowledges an error in the process of signing the contract, which caused an unjustified hiring and, therefore, the issuance of some invoices that did not correspond either: SIE has a contract signing process with two steps: A first step in which the conditions of service are reported by by telephone and that, if the client accepts said conditions for the same via, the contract is sent to you for your signature via SMS. In the case of this claim, the interested party accepted the conditions of the service by telephone and, despite not having signed the contract via SMS, it appeared as formalized in the SIE information systems due to an error in synchronization of said systems" were treated without legitimizing basis and without The signature of the complaining party was recorded in the contract, and that there was a contract fraudulent. And, in the allegations to the present procedure of September 30, 2022, The defendant states that <<Although in this specific case this second Acceptance was not made as the SMS to which it was due was not sent to the interested party. answer with a “YES”>>. According to what has been stated, data processing requires the existence of a legal basis that legitimizes it, such as the consent of the interested party provided validly, and in this specific case there is no legitimating basis since the contract it was not formalized. II In accordance with the available evidence, it is considered that the facts exposed do not comply with the provisions of article 6.1. of the GDPR, therefore could involve the commission of an offense classified in article 83.5 of the GDPR, which provides the following: Violations of the following provisions will be penalized, in accordance with the paragraph 2, with administrative fines of maximum EUR 20,000,000 or, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/13 in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; b) the rights of the interested parties in accordance with articles 12 to 22; […].” For the purposes of the limitation period for infringements, the infringement indicated in the previous paragraph is considered very serious and prescribes after three years, in accordance with the Article 72.1 of the LOPDGDD, which establishes that: According to what is established in article 83.5 of Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: b) The processing of personal data without the fulfillment of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679. (…)» IV. In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the GDPR, precepts that state: “Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 9 and 6 are effective in each individual case, proportionate and dissuasive.” "Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case shall be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well as the number of stakeholders affected and the level of damage and damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the controller or the person in charge of the processing, taking into account the technical or organizational measures that have applied under articles 25 and 32; e) any previous infringement committed by the person in charge or in charge of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/13 treatment; f) the degree of cooperation with the supervisory authority in order to put remedy the breach and mitigate the potential adverse effects of the breach; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular if the person in charge or the person in charge notified the infringement and, in such case, to what extent; i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person in charge or in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, direct or indirectly, through the infraction.” Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76, "Sanctions and corrective measures", provides: "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of data processing. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected party could have led to the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the violation, which cannot be attributed to the absorbing entity. f) The affectation of the rights of minors. g) Have, when it is not mandatory, a data protection delegate. h) Submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between those and any interested party.” Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR: As aggravating factors: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/13 That it is a company whose main activity is linked to the processing of personal data, in accordance with the provisions of article 76.2.b) of the LOPDGDD. The development of business activity The defendant performs requires continuous data processing customer personal. V It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of 30,000 € for violation of article 83.5 a) GDPR. In view of the foregoing, the following is issued PROPOSED RESOLUTION That the Director of the Spanish Agency for Data Protection sanctions SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L., with NIF B67421867, for a infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR, with a a fine of 30,000 euros (thirty thousand euros). Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be informs that it may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which It will mean a reduction of 20% of the amount of the same. With the application of this reduction, the sanction would be established at 24,000 euros (twenty-four thousand euros) and Your payment will imply the termination of the procedure. The effectiveness of this reduction will be conditioned to the withdrawal or resignation of any action or appeal via administrative against the sanction. In case you choose to proceed to the voluntary payment of the specified amount above, in accordance with the provisions of the aforementioned article 85.2, you must do it effective by entering the restricted account IBAN number: 0000 0000 0000 0000 0000 0000 open in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A., indicating the reference number in the concept of the procedure that appears in the heading of this document and the cause, for voluntary payment, reduction of the amount of the sanction. You must also send the Proof of admission to the Sub-Directorate General of Inspection to proceed to close The file. By virtue of this, you are notified of the foregoing, and the procedure is revealed. so that within TEN DAYS you can allege whatever you consider in your defense and present the documents and information that it deems pertinent, in accordance with Article 89.2 of the LPACAP. B.B.B. INSPECTOR/INSTRUCTOR C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/13 EXHIBIT File index EXP202202898 02/14/2022 A.A.A. 03/14/2022 Transfer of claim to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. 04/14/2022 Communication from SUMINISTRADOR IBERICO DE ENERGIA S.L. 05/14/2022 Communication to A.A.A. 09/09/2022 A. opening of SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. 09/12/2022 Info. Complainant to A.A.A. 09/15/2022 Request for extension of term of SUMINISTRADOR IBERICO DE ENERGY S.L. 09/16/2022 Amp. Term to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. 09/30/2022 Response to IBERICO ENERGY SUPPLIER requirement GIA S.L. 10/03/2022 Notification p. evidence to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. >> SECOND: On November 15, 2022, the claimed party has proceeded to the payment of the penalty in the amount of 24,000 euros using the reduction provided for in the motion for a resolution transcribed above. THIRD: The payment made entails the waiver of any action or resource in the against the sanction, in relation to the facts referred to in the resolution proposal. FUNDAMENTALS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/13 Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common for Public Administrations (hereinafter LPACAP), under the heading "Termination in disciplinary proceedings" provides the following: "one. Initiated a disciplinary procedure, if the offender acknowledges his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction has only a pecuniary nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the presumed perpetrator, in any moment prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offence. 3. In both cases, when the sanction is solely pecuniary in nature, the The competent body to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or resource against the sanction. The percentage reduction provided for in this section may be increased according to regulations." According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202202898, in in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to SUMINISTRADOR IBÉRICO DE ENERGY, S.L. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 968-171022 Mar Spain Marti C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/13 Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es