AEPD (Spain) - EXP202102778
AEPD - AEPD PS-00508-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1)(f) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 04.11.2021 |
Decided: | |
Published: | 10.01.2023 |
Fine: | 24,000 EUR |
Parties: | FACTOR ENERGIA, S.A. |
National Case Number/Name: | AEPD PS-00508-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Teresa López |
The Spanish DPA fined a controller €24,000 for lack of legitimate basis when processing a data subject's personal data for direct postal marketing.
English Summary
Facts
The data subject received an advertising message by post from Factor Energía, S.A. (the controller), in which they were addressed by their full name, and were given a personalised recommendation based on the characteristics of their energy supply point and consumption habits.
Since the controller was not the data subject's energy provider, they contacted the company to request information on the processing of their data. After the period given by Article 12(3) GDPR had elapsed, the controller informed the data subject that their data was obtained from the database that electricity and natural gas distribution companies make available to marketing companies, for the purposes of being able to make offers on the market (SIPS or Supply Point Information System, in English).
The data subject contacted the entity that manages the Supply Point Information System, the Spanish National Markets and Competition Commission. This entity assured the data subject that the current legislation prohibits marketers from accessing any information that directly identifies the holder of the supply point.
After enquiries from the Spanish Data Protection Authority, the controller stated that the reply given to the data subject had been delayed due to a computer virus attack which had encrypted their systems. Moreover, the controller indicated that the first answer given to the data subject had been provided by a trainee, since it was received during the holiday period. The controller used this to justify the following changes to its reply. First, the personal data relating to name, surname and postal address were obtained from publicly accessible sources; the controller was unable to specify the source as a result of the computer virus. Second, the data relating to the technical conditions of the supply point were lawfully obtained from the SIPS. Moreover, the controller added that the consumption data provided to the data subject were estimates that did not reflect their real consumption habits, but an aggregated value based on their postal code.
According to the information provided to the DPA, the controller based the processing of the data on its legitimate interest (customer acquisition and an increase of its visibility in the market). The controller also shared its legitimate interest assessment, in which it argued that the data subject's rights did not prevail due to the low impact of the means used (post) and the little or no effect on their legal sphere.
Holding
The Data Protection Authority held that the controller had violated Article 6(1) GDPR: the legitimate interest assessment on which the processing was based was insufficient, so the controller could not rely on Article 6(1)(f) GDPR as a legal basis.
Contrary to the controller's position, the DPA held that the rights of the data subject prevailed over the controller's interests on several grounds.
First, the DPA noted that the alleged additional safeguards were not an additional layer of protection provided by the controller, but simply protections already mandated by data protection law.
Second, the DPA rejected the controller's argument that postal marketing was less invasive than cold calling. The Authority pointed out that with methods such as cold calling, the data subject may believe that the caller does not have their identification data, whereas the receipt of a postal communication that identifies them gives the data subject the certainty that the sender of the communication has such data. Furthermore, uncertainty arises in the data subject as to what the source of their data may have been, which leads to doubt about their power of disposal of the data.
Third, the DPA found that postal marketing being a habitual practice in the industry was an insufficient basis to establish a reasonable expectation in the data subject. The Authority recalled its own report 2018/0173, which analyses the legitimacy of direct marketing actions in both electronic and non-electronic media. This report concluded that, even if the data subject has previously been a customer, the criterion for the sending of commercial communications is restrictive (limited to the products contracted). This applies all the more where the data subject has not been a customer (as in the present case).
Fourth, the DPA rejected the controller's argument that the nature of the data processed (contact details) was an indicator of the prevalence of the company's legitimate interest. In this sense, the Authority quoted ART29WP's 06/2014 Opinion: "In general, the more sensitive the information involved, the more consequences there may be for the data subject. This, however, does not mean that data that may in and of themselves seem innocuous, can be freely processed based on Article 7(f) GDPR. Indeed, even such data, depending on the way they are processed, can have significant impact on individuals (...)".
Fifth, the controller argued that there was no other lower-impact method that would achieve the legitimate interest. The DPA disagreed, stating that the post could have been sent without including the personal data.
Finally, the Data Protection Authority noted the existence of a situation of imbalance between the data subject (consumer) and the controller (electricity supply company).
For these reasons, the DPA held that the infringement in question was serious for the purposes of the GDPR and that the sanction to be imposed should be graduated with the aggravating circumstances of negligence (Article 83(2)(b) GDPR), since the controller could not point out the publicly accessible source of the personal data, and of the link between the controller's activity and the processing of personal data (Article 76(1)(b) of the Spanish Data Protection Law). The DPA initially contemplated a €40,000 fine, but offered two grounds for reduction: the possibility of voluntary payment of the fine and the acknowledgment of guilt. The controller invoked both and finally paid €24,000.
Comment
The Spanish Data Protection Authority did not reflect on other grounds of infringement found in this case, such as the lack of a reply within the due period, the data breach, etc., which could potentially have led to fines in their own right.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202102778
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: On October 31, 2022, the Director of the Spanish Agency for Data Protection agreed to start a sanctioning procedure against FACTOR ENERGÍA, S.A. (hereinafter, the claimed party), through the transcribed Agreement:
<<
File No.: EXP202102778
AGREEMENT TO START THE SANCTION PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and based on the following
FACTS
FIRST: A.A.A. (hereinafter, the claiming party) dated August 16, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against FACTOR ENERGÍA, S.A. with NIF A61893871 (hereinafter, FACTOR ENERGIA). The reasons on which the claim is based are the following:
- The claimant has received an advertising message by post, from FACTOR ENERGIA, where they address him by his first and last name, and they make him a personalized recommendation based on the characteristics of his supply point and his consumption habits.
- Considering that the advertising company is illegally processing his data, since he has no relationship with it, the affected person has contacted it to request information, and its Data Protection Officer has answered that the data comes from the Information System of Points of Supply (SIPS). This, as they have explained, is the database that the distribution companies of electricity and natural gas make available to the trading companies, for the purpose of being able to make offers in the market.
- As he has been able to find out from the Internet, the complaining party explains that the SIPS system is regulated by Royal Decree 1435/2002 and the exchange of information that takes place in its context is managed by the National Markets and Competition Commission (CNMC).
This body has assured the data subject in writing that it does not have data on electricity users since, on the 27th of November 2015, Royal Decree 1074/2015 was approved, which modified different provisions in the electricity sector. Said decree incorporated the prohibition that the trading companies and the CNMC could access any information that directly identifies the owner of the supply point.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
- The complaining party continues to believe that illegal treatment of his personal data is taking place. Either the company is getting them from another source, or it is extracting them from the SIPS, but if so, his distribution company should not even provide these data, nor should the CNMC consult them, nor should the other distributor companies be able to access them for any treatment, much less for commercial actions.
Along with the notification is provided:
- Front of a commercial communication sent by FACTOR ENERGIA, with its translation into Spanish, in which there are boxes in red that would correspond to anonymous data.
- Email sent from the address DPO@factorenergia.com that includes a spreadsheet with anonymized data.
- Email that the claimant sent to the National Market Commission, and response from the Data Protection Officer, from the address dpd@cnmc.es
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was forwarded to FACTOR ENERGIA, to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the data protection regulations.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), was collected on 10/04/2021, as stated in the acknowledgment of receipt in the file.
On 10/05/2021, this Agency received a written response indicating that notification has been received with transfer of claim and request for information, but that a copy of the claim submitted and attached documents (if applicable) is not attached, but only an extract of the relevant information from it, and that the undersigned therefore asserts the right to have access to and obtain a complete copy of said claim, with the aim of being able to answer the information requirement in the most detailed, complete and truthful way possible, verifying the identity and correct identification of the claimant, as well as the facts described in the request for information and in the claim submitted.
THIRD: On November 4, 2021, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out previous investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes:
Relevant documentation provided by the claimant:
- Copy of the obverse of a commercial communication with header of FACTOR ENERGIA. Written in Catalan, it is anonymous (it does not contain the recipient's data and no reference to the date).
The complaining party provides translation and reference to the inclusion of the following categories of data: name, surname, address of the recipient, address of the point of supply. The communication recommends a type of electrical installation of self-consumption (solar panels) based on "a study of your data and habits of electrical consumption”.
- Transcription of part of the response to the exercise of the right of access addressed by FACTOR ENERGIA to the claimant, dated August 2, 2021. Regarding the origin of the data processed, it expresses:
“[…] your personal data, and specifically those related to technical conditions of your point of supply, such as the CUPS (identification number of the point of supply), access fee, power, etc. (detailed in the attached Excel) have been obtained lawfully through the Information System of Supply Points (SIPS), which is the database that distributor companies of electricity and natural gas make available to marketing companies, for the purpose of being able to make offers in the market. Regarding the consumption habits to which we refer in the commercial communication, as we indicated at the bottom of it in point 2, they are estimated and standardized data, not specifically customized according to the specific characteristics either of your home or of your specific consumption habits.”
- Transcription of the data provided to the claimant by FACTOR ENERGIA as a response to the right of access. It is not the original spreadsheet, but rather the list of categories of data that would have been provided to him. It includes the categories name, surname, and address of the supply point, in addition to technical data (tariff, power, etc.).
- Email response from the DPD of the CNMC to the claimant dated August 16, 2021 containing the following paragraphs:
"In strict compliance with the applicable regulations that you point out, the CNMC does not have data on electricity users since, on November 27, 2015, Royal Decree 1074/2015 was approved, which modifies different provisions in the electricity sector. Said RD incorporated the prohibition that the trading companies and the CNMC could access any information that directly identifies the owner of the supply point. Therefore, and in the assumption that data of this type were being exchanged between companies in the sector, these data do not come in any case from the CNMC. The CNMC only has the data of end users of gas (DB of points of supply), and the marketers do obtain them legally through our body, but the use they make of them is, logically, their exclusive responsibility. However, the user may object to their data being made available to other gas trading companies, expressly indicating it to the company that supplies them.”
The antecedents that appear in the information systems are the following:
FACTOR ENERGIA submitted two briefs (of October 5, 2021 and of November 2021) in which it states:
- That in July 2021 Mrs. B.B.B. exercised the right of access from the email address of the complaining party.
- That said exercise could not be attended to normally since on the 24th of June 2021, the computer systems of FACTOR ENERGIA were affected by a virus that caused a great impact by encrypting systems and Company data.
- That on August 2, 2021, a response to the right exercised was sent, although it states that "the person who was in charge of responding to the applicant was a trainee since the date coincided with the vacation period of the company's personnel, and that such a response suffers from a certain lack of accuracy and/or specificity”.
- That the personal data related to name, surname, and postal address were obtained from publicly available sources. It adds that it cannot specify the source of public access as a result of the impact of the computer virus.
- That the data relating to the technical conditions of the supply point. It adds that it can download the SIPS "of the distribution companies and the CNMC periodically in its capacity as marketer and that it does not include the personal data of the applicant relating to the name and surnames or their postal address”.
- That it is still (as of the date of writing -November 3, 2021-) immersed in the file recovery process.
In addition, it attached the following relevant documentation:
- Emails exchanged on June 30, 2021 between the IT manager at FACTOR ENERGIA and INCIBE which refer to the ransomware attack suffered by the entity.
- Writing signed by B.B.B. exercising the right of access against FACTOR ENERGIA on July 2, 2021 from the email address of the complaining party.
- Email addressed on August 2, 2021 by FACTOR ENERGIA to B.B.B. (to the email address of the complaining party) in response to the exercise of the right of access referred to in the previous point. A copy of the original in Catalan and a translation into Spanish are provided. It includes the following paragraphs:
“On the other hand, we want to clarify that in no case have we carried out a precise and exact study with your data and specific consumption habits, but that, as indicated at the bottom of the aforementioned communication (point 2), your data is estimated and standardized, not personalized or calculated according to the specific characteristics of your home, or your habits of consumption, with the understanding that our intention was to highlight the advantages offered by photovoltaic self-consumption.
[…] Specifically, in relation to art.
5.1 a) referred to, in our communication we indicated that your data has been processed lawfully, loyally and transparently at all times, since they were collected from sources to which we have access as a marketer and from sources accessible to the public, complying with the requirements demanded by the General Data Protection Regulation (GDPR) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
[...] Specifically, on our website, the following purpose is indicated within the purposes of processing of personal data with regard to "Non-customers": "Inform about services, promotions and products related to our activity".
[…] Your personal data, and specifically those related to technical conditions of your point of supply, such as the CUPS (identification number of the point of supply), access fee, power, etc. (detailed in the Excel attached) have been legally obtained through the Information System of Supply Points (SIPS), which is the database that electricity and natural gas distribution companies make available to the marketing companies, for the purpose of being able to make offers in the market. Regarding the consumption habits to which we refer in the commercial communication, as we indicate at the bottom of it in point 2, they are estimated and standardized data, not specially personalized according to the specific characteristics of your home, or your specific habits of consumption.
[…] If possible, the expected period of conservation of personal data, or, if not possible, the criteria used to determine this term: while you do not exercise any of your rights”
It also refers in this letter to the internet address www.factorenergia.com to consult the privacy policy.
INVESTIGATED ENTITIES
During these proceedings, the following entities have been investigated:
- FACTOR ENERGIA, S.A.
with NIF A61893871 with address at ***ADDRESS.1 (BARCELONA)
RESULT OF INVESTIGATION ACTIONS
In addition to the documentation mentioned above, information is collected from the following sources:
- Letter from FACTOR ENERGIA dated June 28, 2022, hereinafter Brief #1.
- Letter from FACTOR ENERGIA dated July 19, 2022, hereinafter Brief #2.
- Proceedings with relevant information for these proceedings (Diligence References).
About sending postal advertising to people who are not FACTOR ENERGIA customers
FACTOR ENERGIA states (Brief #2) that sending postal communications to non-customers is not a frequent practice of the company, but is carried out "on occasions and addressed to a small number of recipients”. It further states that "most of the time the data is obtained from the interested parties themselves. In a more residual manner, and to a lesser extent, commercial communication has been sent by post to non-customers whose data was obtained from publicly accessible sources without restrictions”.
FACTOR ENERGIA (Brief #2) specifies the conditions that must be met to use the data for marketing purposes:
- "(1) that the recipient has not previously exercised the right of opposition".
- "(2) that the sources to be consulted are updated." Regarding this point, FACTOR ENERGIA clarifies that these sources of public access correspond to "repertoires or telephone directories whose consultation can be performed by any person and without restrictions, not prevented by a limiting norm”. On July 22, 2022, a letter was addressed to FACTOR ENERGIA requesting specification in relation to the sources of public access which it uses. As of the date of signing this report, no response has been received in this regard.
- "(3) that the Robinson List advertising exclusion list has been consulted (to which we are subscribed) and verify that the interested party to whom advertising will be sent does not appear in it”.
Regarding this, FACTOR ENERGIA points out that it consults the advertising exclusion system prior to sending and attaches (document 1 of Brief #2) a copy of the subscription invoices for Adigital's Robinson List service for 2021 and 2022.
- "(4) comply with the duty of information to the affected party in accordance with the GDPR and the LOPDGDD”. The information included in commercial communications is detailed later in this report; in relation to the origin of personal data, it states that "they come from sources obtained lawfully and/or sources of public access available without restrictions”.
In relation to the volume of recipients of the advertising campaign, FACTOR ENERGIA states (Brief #2) the following:
"In relation to the above, to record that in the month of June 2021 an advertising campaign was carried out by post to publicize the advantages of incorporating self-consumption in the electricity supply. Within the target group were a segment of the campaign targeted at customers (electricity supply customers, with one communication model) and another target group aimed at non-customers […]:
June 2021: self-consumption advertising campaign to obtain savings on the cost of electricity.
No. of recipients: 42,670 recipients (total)
In relation to the foregoing, it should be noted that said campaign had as its territorial scope the autonomous community of Catalonia (not the entire national territory).”
Information recorded in the Record of Treatment Activities (RAT):
FACTOR ENERGIA attaches (document 1 attached to Brief #1) the information included in the Record of Treatment Activities (RAT) on the "Activity of management of non-customers”. The record includes the following information:
- Categories of personal data: name and surname, DNI/NIF, address/mail, phone, CUPS. Includes the following annotation: "Includes all possible categories of data that it can contain according to the source or lead of Contact."
- Purpose: attracting new customers / managing and responding to requests for information, requests or commercial offers, budgets, etc. / report and send offers about services, promotions and products related to our activity.
- Legal basis: consent of the interested party / legitimate interest -provided that such interests are not overridden by the interests or the rights and freedoms of the interested party that require personal data protection-.
Legitimate interest as the legal basis for processing:
In relation to the use of legitimate interest as a legal basis for processing the personal data of people who are not customers in order to send them advertising by post, FACTOR ENERGIA provides (document 3 attached to Brief #1) a weighting of interests report dated February 12, 2021. It includes the following paragraphs:
“2.1. Evaluation of the benefit obtained by Factor Energía
On the part of Factor Energía, the processing of the personal data of the interested parties (potential customers/non-customers) for the purpose of direct marketing, previously indicated, aims to reach by postal mail those non-customer interested parties in order for them to know the services offered by Factor Energía, making them interested in hiring Factor Energía as their new electricity retailer.
In this sense, the benefits obtained by Factor Energía from the treatment of said personal data consist of obtaining:
An increase in the contracting of its services;
Greater customer acquisition;
An increase in visibility in the competitive market of electricity marketers.
2.2.
Evaluation of the interest or rights and freedoms of the interested party
[…] The direct marketing action by postal mail that is intended to be carried out will be made based on personal data obtained in accordance with the applicable data protection regulations (identification data and contact data) and with standardized and anonymized data of a technical nature.
In order to configure the different commercial offers, the unprotected public data obtained from the Cadastre will be used, as well as statistical and non-personal information of a technical nature obtained through the Information System of Supply Points (SIPS) using the postal code of residence. In this way generic information will be obtained to make a standardized estimate of the voltage, rates and contracted power in certain geographical areas, which will make it possible to carry out advertising communications sent by postal mail, since it is considered logical and appropriate that the advertising of an electricity supplier include information on possible savings in electricity consumption.
The personal data of the interested parties processed for the purpose of direct marketing refer only to the data necessary to send them the communication by postal mail (identification data and contact data).
The treatment will in no case have legal or similar effects on the interested party, since the purpose of direct marketing by postal mail does not affect the access to services, nor the execution of a contract.
From Factor Energía it is considered that the sending of advertising communications by postal mail has a minimal impact on the interested parties, who will be impacted exclusively by one contact channel: postal mail. Said channel should be considered a less aggressive and invasive method than other channels commonly used to send advertising, such as commercial calls and/or sending emails.
Likewise, campaigns of this type are foreseen as specific actions, which may be reinforced by carrying out other subsequent similar campaigns (after at least a period of six (6) months has elapsed from the sending of the communications of the previous campaign).
In this weighting, account has been taken of the reasonable expectation of the interested party in the processing of their personal data for this purpose. In this sense, we must bear in mind that it is common practice in the market to send advertising by postal mail to potential customers, but also, in view of the uses of the market, the interested parties are perfectly aware of the possibility that such communications may appear in their mailbox and that, in addition, they can be beneficial or provide added value to those interested in their role as consumers in the Spanish electricity market, since such communications may be of their interest or adjusted to their specific needs, resulting in an improvement of their economic situation by discovering an electricity trader that better fits their needs.
Taking into account all of the aforementioned, Factor Energía does not find in its assessment any alternative method that allows us to communicate our interest in offering our services and that likewise allows us to comply with our legal obligations (inform about the processing of the personal data of the interested parties) and with the least impact on the interested parties.
For all these reasons, it is considered that the impact that the treatment has or may have on the interests, fundamental rights and freedoms of the interested parties is LOW, and would not result in adverse and negative consequences for them.
2.3.
Guarantees applied to the treatment
Factor Energía has implemented the technical and organizational measures to carry out the treatment maintaining the security standards of the Company.
Among the guarantees applied directly to the treatment are the following:
Factor Energía has implemented the necessary technical and organizational security measures to guarantee the integrity, availability and confidentiality of the information, having also designated a Data Protection Officer, in compliance with the provisions of article 37 of the GDPR.
Communications by postal mail are sent only to interested parties who have not exercised their right of opposition and that do not appear on advertising exclusion lists (Robinson List). Those interested who are on advertising exclusion lists and/or have exercised their right of opposition before Factor Energía will not be recipients of advertising campaigns of any type.
The commercial communications received by the interested parties allow them to exercise their rights to oppose the sending of advertising in such a way that, simply and free of charge, interested parties can inform Factor Energía that they do not wish to receive publicity from it.
These campaigns are foreseen as a specific action, which may be reinforced with the realization of other similar campaigns later, once at least a period of six (6) months has elapsed from the sending of the communications from the previous campaign.
Factor Energía reinforces the channels to guarantee adequate exercise by those interested of the rights established in the data protection regulations, establishing both the postal and electronic channels, without prejudice to the fact that, in accordance with the provisions of the data protection regulations, the interested party may exercise their rights through the channel they deem convenient.
All communications contain information about the treatment of your personal data in accordance with the requirements of articles 13 or 14 of the GDPR.
3. Result
Based on all of the above, it is determined that Factor Energía can carry out the treatment consisting of the sending by postal mail of advertising communications to potential customers (direct marketing).
It is a treatment that will have a positive impact on Factor Energía and that, in turn, supposes a low impact on the rights and freedoms of the interested parties.”
The use of SIPS data:
Regarding the use of SIPS data, FACTOR ENERGIA provides (document 5 attached to Brief #1) the copy of the code of conduct on the processing of data included in the SIPS dated April 24, 2019, from which the following paragraphs are extracted:
"Specifically, this RD 1435/2002 contemplates the possibility that all electric power marketers access to consult the available information in the Supply Point Information System (SIPS) managed by the distributors, as reading managers, and specifically certain data contained there. Therefore, and as can be deduced from the preamble to the aforementioned RD 1435/2002, the SIPS was configured as a tool to encourage greater competition in the retail electricity market.
Subsequently, Royal Decree 1074/2015, of November 27, by which different provisions in the electricity sector are modified, introduced some changes in the regulation of the electricity SIPS database, partially modifying art. 7 of Royal Decree 1435/2002, and specifically eliminating the possibility of marketers having access to certain data from the SIPS database of the distributors and establishing the obligation of marketers to sign a code of conduct and guarantee the confidentiality of information contained in said database.
Regarding the regulation of natural gas, Royal Decree 1434/2002, of 27 December, which regulates the activities of transportation, distribution, marketing, supply and authorization procedures for natural gas installations (RD 1434/2002), established a similar regulation in its art. 43, although with some differences, RD 1434/2002 not being affected by the modifications of RD 1074/2015.

[…]

The Company assumes the firm commitment to comply with the following obligations:

[…]

- Process the SIPS Data only for the purposes of the marketing activity (electricity and gas, respectively), both in relation to potential customers/non-customers and customer management, regardless of their access fee and the specific regime applicable in each case (including those covered by self-consumption in the case of electricity), not using them for a purpose other than the one that justifies their assignment to the Company, in its capacity as marketer, by the corresponding distribution company or the CNMC.”

Article 7 of Royal Decree 1435/2002, which regulates the content of the SIPS in the electricity sector, specifies the following:

"1. The distribution companies must have a database referring to all the supply points connected to their networks and to the transport networks of their area, permanently complete and up-to-date, containing at least the following data:

a) Universal Supply Point Code, that is, the complete “CUPS”.

[…]

c) Location of the supply point, which includes the full address (type of road, street name, number, floor and door). This information should refer at all times to the point of supply and not to the location, population and province of the holder of said supply point that is required in letter aa) of this same article.

d) Town of the supply point, which includes the name of the town and the Postal Code.
This information must refer at all times to the point of supply and not to the location, population and province of the owner of said supply point.

e) Name of the Province of the supply point. This information should refer at all times to the point of supply and not to the location, population and province of the owner of said supply point.

[...]

z) Name and surnames, or, where appropriate, company name and corporate form, of the owner of the supply point.

[…]

aa) Full address of the owner of the supply point. This information should refer at all times to the owner of the supply point and not to the location, population and province of said supply point that is required in letter c) of this same article.

[…]

ac) Trading company that currently supplies

[…]

In any case, neither the marketing companies nor the National Commission for Markets and Competition may access any information that directly identifies the owner of the supply point, and in particular, the data collected in sections c), z) and aa) of section 1. Additionally, trading companies will not be able to access the information of section ac), which is accessible to the National Commission for Markets and Competition in the exercise of its functions.”

In relation to the use of electrical SIPS data in order to carry out commercial communications to non-customers, FACTOR ENERGIA states that it uses them to "obtain estimated and standardized data on the consumption habits of the population according to household characteristics”. It clarifies that "they do not refer to personalized data or data linked to the personal data of the people to whom the commercial or advertising communication was addressed”. Thus, it provides (document 8 attached to Brief #1) a description of the estimation process that is carried out to adapt, together with the "installers", the supply of self-consumption (infrastructure of solar panels, etc.).
For this, according to this document, it uses:

- The unprotected public data of the cadastre (mapping and descriptive and graphic cadastral consultation: surface, cadastral reference, address, soil class, year of construction). Examples of the information have been obtained from the electronic headquarters of the cadastre, publicly available.

- Non-individualized (anonymized) information from the SIPS database of the distribution company, which allows, through aggregation by postal code, an average installed power, average contracted power and estimated average annual consumption to be assigned to the supplies of a given area, according to type of supply.

Article 43 of Royal Decree 1434/2002, which regulates the content of the "System of exchange of information for the management of the change of supplier" in the gas sector, specifies the following:

"2. The distribution companies must have, as support for the information exchange system, a database referring to all the supply points connected to their networks and to the transport networks in their area, permanently complete and updated, containing at least the following data related to the supply point:

1st Supply point identification code, that is, the complete “CUPS”.

[…]

3rd Location of the supply point: address, population and province, which includes the complete address (type of road, name of the road, number, floor and door), name of the population, postal code and name of the province. This information should refer at all times to the point of supply and not to the location, population and province of the owner of said supply point that is required in ordinal 16 of this same section.

[…]

14. Data relating to the owner of the supply point: natural person or legal person.

15. Name and surname, or, where appropriate, company name and corporate form, of the owner of the supply point.

16. Full address of the owner of the supply point.
This information should refer at all times to the owner of the supply point and not to the location, population and province of said supply point that is required in ordinal 3 of this same section.

5. Traders registered in the corresponding section of the Administrative Registry of Distributors, Marketers and Direct Consumers in the Market, as well as the Supplier Changes Office, in accordance with the standard regulating its operation, will be able to freely access the supply point databases of each distribution company”

Thus, according to the CNMC website (see Diligence References):

"However, it must be clarified that the CNMC's electrical SIPS does not have information that identifies the owner of a supply point. This information was eliminated by Royal Decree 1074/2015, of November 27, which modifies different provisions in the electricity sector. In the second article of the aforementioned Royal Decree, a modification of article 7.2 of Royal Decree 1435/2002 was approved, including that:

«In any case, neither the marketing companies nor the National Commission for Markets and Competition will be able to access any information that directly identifies the owner of the supply point […]».

[…]

In the field of natural gas, the SIPS accessed contains the identification of the owner of the supply point and his address.”

FACTOR ENERGIA is registered in the CNMC's List of Electricity and Gas Suppliers.
In relation to the duty of information to the interested party:

FACTOR ENERGIA declares that it is fulfilled through the inclusion, in the advertising communication, of the following text:

"In accordance with the regulations on the protection of personal data, that is, in accordance with the General Data Protection Regulation (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), we indicate that the data comes from sources obtained lawfully and/or sources of public access available without restrictions, and that this communication is made according to the admissible requirements in the indicated regulations. You can exercise your rights of access, rectification, cancellation, opposition, transparency of the information, deletion, limitation and portability by contacting FACTOR ENERGIA, SA by postal mail to the address av. Diagonal, 612 Entl. 08021 of Barcelona or by email to dpo@factorenergia.com. Likewise, you will have the right to direct your claims before the data protection authorities. For more information consult our privacy policy on our website www.factorenergia.com.”

It also states that its website (www.factorenergia.com) includes the privacy policy (document 4 attached to Brief #1). It contains sections with information on: data of the person in charge and contact details of the DPO; purposes of the treatments; bases of legitimacy of the treatments; recipients; possibility of exercising rights and filing a claim with the AEPD; conservation periods; additional information (indication of the implementation of security measures and guarantees with those in charge of article 28 of the GDPR).

Regarding the specific case that is the object of the claim, FACTOR ENERGIA (Written #1) states that the personal data of the claimant that appear in its systems are: name and surname; postal address.
It reiterates that the origin of these data is "public sources, without our being able, to date, to accurately identify their exact traceability”. It states that the period of data retention is one year, although "in this case they are blocked and are only kept due to the fact of having responded to the previous requirement related to the file referred to in the margin, and without the company carrying out, or going to carry out, any other treatment of said data.”

As previously seen, FACTOR ENERGIA states that it also has the technical data of the supply points extracted from the SIPS (article 7 of Royal Decree 1435/2002), which it periodically downloads from the distribution companies. With them, as has been seen, it obtains "estimated and standardized data on the consumption habits of the population according to the characteristics of the households" that "do not refer to personalized data or data linked to the personal data of the people to whom the commercial or advertising communication was directed".

In relation to compliance with the duty of information, FACTOR ENERGIA provides (document 7 attached to Brief #1) what it states would be the reverse of the communication provided by the complaining party, which includes the paragraph mentioned previously (translation into Spanish of the original in Catalan:

“In accordance with the personal data protection regulations, that is, in accordance with the General Data Protection Regulation (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), we indicate that the data comes from sources lawfully obtained and/or publicly accessible sources available without restriction, and that this communication is carried out according to the admissible requirements in the regulations marked.
You can exercise your rights of access, rectification, cancellation, opposition, transparency of information, deletion, limitation and portability by contacting FACTOR ENERGIA, SA by postal mail at the address av. Diagonal, 612 Int. 08021 Barcelona or by email at dpo@factorenergia.com. Likewise, you will have the right to direct your claims before the Data Protection authorities. For more information see our privacy policy at our website www.factorenergia.com.”)

FUNDAMENTALS OF LAW

I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II

Article 6 of the GDPR, Lawfulness of the treatment, establishes in point 1 that:

"1. Processing will only be lawful if at least one of the following conditions is fulfilled:

a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the interested party is a party or for the application, at the request of the latter, of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the data controller;

d) the processing is necessary to protect vital interests of the data subject or of another natural person;

e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for the treatment;

f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or the rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.
The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions.”

On the other hand, article 4 of the GDPR, Definitions, in its sections 1, 2 and 11, notes that:

“1) “personal data” means any information about an identified or identifiable natural person ("the data subject"); an identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier, or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of said person;

“2) "processing": any operation or set of operations carried out on personal data or sets of personal data, whether or not by automated procedures, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, comparison or interconnection, limitation, deletion or destruction;

“11) "consent of the interested party": any free, specific, informed and unequivocal manifestation of will by which the interested party accepts, either by means of a declaration or a clear affirmative action, the processing of personal data that concern him."

In the present case, in order to analyze the validity of this legitimizing basis, it is necessary to examine each of the elements that concur in it to prove the legality of the treatment. For this, the criteria established in Opinion 06/2014, of April 9, of the Article 29 Working Group, on the concept of legitimate interest of the data controller under Article 7 of Directive 95/46/CE (hereinafter, Opinion 06/2014), should be taken into account.

1. Legitimate interest of the controller

Recital 47 of the GDPR establishes the following:

“The legitimate interest of a data controller, including that of a data controller to which personal data may be communicated, or that of a third party, may constitute a legal basis for the treatment, provided that the interests or the rights and freedoms of the data subject do not prevail, taking into account the reasonable expectations of the interested parties based on their relationship with the controller. Such legitimate interest could occur, for example, when there is a relevant and appropriate relationship between the interested party and the controller, such as in situations where the interested party is a customer or is at the service of the person in charge. In any case, the existence of a legitimate interest would require careful evaluation, including whether an interested party can reasonably foresee, at the time and in the context of the collection of personal data, that processing can take place for this purpose. In particular, the interests and fundamental rights of the interested party could prevail over the interests of the person in charge of the treatment when personal data are processed in circumstances in which the data subject does not reasonably expect further treatment. Since it corresponds to the legislator to establish by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities in the exercise of their functions. The processing of personal data strictly necessary for the prevention of fraud also constitutes a legitimate interest of the person responsible for the treatment in question. The processing of personal data for direct marketing purposes may be considered as carried out for a legitimate interest.”

For its part, Opinion 06/2014 contains a similar pronouncement.
It initially indicates that:

“An interest must be articulated clearly enough to allow the balancing test to be carried out against the interests and fundamental rights of the interested party. In addition, the interest at stake must also be "pursued by the data controller". This requires a real and current interest, that corresponds to present activities or benefits expected in the very near future. In other words, interests that are too vague or speculative will not suffice.”

In this sense, the opinion clarifies, a legitimate interest that is relevant must:

- Be lawful (i.e. in accordance with applicable national and EU law);
- Be articulated clearly enough to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently specific);
- Represent a real and current interest (i.e. not speculative).

It then includes a non-exhaustive list of some of the most common areas where the question of legitimate interest within the meaning of Article 7, letter f) may arise. Among them it includes "conventional prospecting and other forms of marketing or advertising".

In principle, it could be considered that the performance of data processing for the purposes of “direct marketing” and “business prospecting and other forms of advertising” would constitute a legitimate interest. This does not imply that all treatment for said purpose can be considered as covered by the legitimizing basis of legitimate interest. Indeed, Opinion 06/2014 clarifies:

“The legitimacy of the interest of the data controller is only a starting point, one of the elements to be analyzed under article 7, letter f).
Whether Article 7(f) can be used as a legal basis or not will depend on the result of the following weighing test”

Therefore, the weighting provided for in article 6.1.f) GDPR remains to be carried out by the person responsible for the treatment, by virtue of which the treatment will be lawful if "it is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that the interests or fundamental rights and freedoms of the data subject that require the protection of personal data do not prevail over such interests, in particular when the interested party is a child.”

1. Weighting of rights and interests

In order to carry out the weighting provided for in the Regulation, the defendant has argued:

- As an interest of the person in charge: attracting customers and an "increase in their visibility in the market".
- As a possible affectation of the rights of the complaining party: the person responsible minimized it with various arguments. Among them: the scarcity and minor nature of the data processed (identity and contact details); the absence of legal effects on the interested party (hiring, access to services); minimal affectation in the sphere of the interested party (receipt of a postal communication, less invasive than other routes); the existence of guarantees applicable to the treatment; respect for those who exercise their right of opposition; the existence of channels for the exercise of rights in terms of data protection, guarantees that are imposed by law, not because the person responsible graciously bestows them.

1. Rights of the data owner

Given the legitimate interest alleged by the person in charge of the treatment, it must also be analyzed in what way the rights and interests of the interested party are affected, so that the weighting judgment can be concluded.

In this regard, special attention should be paid to the impact that the treatment may generate on the interested party. The claimed party focuses on declaring that this would not be significant given the means used (postal) and the little or no affectation in the legal sphere of the owner of the data. However, these are not the only parameters to take into account.

In this regard, Opinion 06/2014 states:

"The legitimate interest of the data controller, when it is minor and not very compelling, in general, only overrides the interests and rights of the interested parties in cases where the impact on these rights and interests is even more trivial.”

In the case at hand, it is clear that the interest of the person responsible cannot be qualified as "pressing", since, as he himself indicates, it comes down to his interest in attracting new customers. This means, as the opinion indicates, that one should be more demanding in terms of the affected rights of the claimant.

The opinion continues:

“The term «impact» as used in this Opinion covers any possible consequence (potential or actual) of data processing. The concept is not related to the notion of breach of personal data and is much broader than the repercussions that may derive from said violation.”

And as for the type of affectation that the processing of the data may cause in its holder, it declares the following:

“In addition to adverse outcomes that may be specifically anticipated, more general emotional repercussions must also be taken into consideration, such as the anger, fear and anguish that may result from the loss of control over personal information by the interested party or from the knowledge that such personal information has been or may be misused or compromised, for example, through its exposure on the Internet. The intimidating effect on protected behavior, such as freedom of investigation or freedom of expression, which may result from continuous supervision or monitoring must also be taken into account.”

It cannot be forgotten that the claim was filed by the claimant in view of the fact of having received a postal communication of a promotional nature, which was directly addressed to her because it contains her identification and contact information. Therefore, the criterion used by the claimed party cannot be shared when it states that "This [postal] channel should be considered less aggressive and invasive than other channels commonly used to send advertising, such as commercial calls and/or sending emails”.

In this regard, it is necessary to indicate that, although channels such as the telephone could in principle be considered more "invasive", the truth is that whoever receives the call may believe that the caller does not have their identifying data, while receiving a postal communication with identification and contact data makes the data owner certain that whoever sends the communication has said data. Not being a client of the entity, in addition, uncertainty arises about what could have been the source of knowledge of the data, which leads the owner to doubt his power to dispose of them.

This leads us to the concept of "reasonable expectation" as a criterion to be taken into account in the processing of data based on legitimate interest.

2. Reasonable expectation in data processing

As previously mentioned, Recital 47 GDPR establishes, in relation to the legitimizing basis of legitimate interest, that this could concur when the rights of the interested party do not prevail over the interest of the person in charge, "taking into account the reasonable expectations of data subjects based on their relationship with the responsible. Such legitimate interest could arise, for example, where there is a relevant and appropriate relationship between the data subject and the controller, as in situations in which the interested party is a client or is at the service of the person in charge”.

The reasonable expectation that the interested party may have in the processing of the data is crucial in the balancing judgment between the interests of the person responsible and the rights of the interested party. Opinion 06/2014 states:

“The reasonable expectations of the data subject in relation to the use and disclosure of data are also very relevant in this regard. As was made clear with respect to the analysis of the purpose limitation principle, it is important to consider whether the position of the data controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of data collection) could give rise to reasonable expectations of stricter confidentiality and more stringent limitations regarding its further use.”

The clearest example of reasonable expectation in cases of receipt of advertising communications comes from the fact of having previously been a client of a company or at least having contacted it to inquire about the products or services marketed by it.
In the present case, the claiming party has not been a client of the claimed party, nor has he contacted it to inquire about the services of the business in question. Hence his surprise at the receipt of a commercial communication with his identification and contact information.

The defendant, for its part, alleges that:

"In this consideration, the reasonable expectation of the interested party in the processing of their personal data for this purpose. In this sense, we must bear in mind that it is common practice in the market to send advertising by postal mail to potential customers, but also, in view of the uses of the market, the interested parties are perfectly aware of the possibility that such communications may appear in their mailbox and that, in addition, they can be beneficial or provide added value to the interested parties in their role as consumers”

That is, it does not provide any justification for the existence of a reasonable expectation, beyond indicating that any citizen can expect to receive a postal advertising communication in their mailbox, without previously being a customer or being interested in the services of a company.

It is worth mentioning the Report of the Legal Department of this Agency 2018/0173, which analyzes the legitimacy of direct marketing actions both in the field of the use of electronic media and in others. In this regard, even if an interested party has previously been a client of a company, or has been interested in its goods or services, it clarifies that direct marketing actions must be limited to goods or services similar to those previously contracted.

“As indicated in the report just reproduced, the general criterion for considering that the treatment of the data can be based on the balancing rule of the legitimate interest of the person in charge would be that the services and products offered were those of the person in charge.
In this sense, it was clarified that, when talking about financial credit institutions, such publicity should be understood as referring to that entity's own asset or liability products, but not to other financial products, such as, as expressly indicated, insurance. This is based on the fact that in relation to such products there is no reasonable expectation on the part of the interested party of having their data processed by the bank for the offer of products that in principle are not related to those contracted when going to it."

Bearing in mind that, even having previously been a client, the criterion is restrictive for the sending of commercial communications (and must be restricted to the contracted products), it is even more so in the event that the person has not been a customer, in which said products and services do not exist.

3. Data processed

Another of the defendant's arguments consists of insisting on the nature of the data, which would consist only of the identity of the claimant and his postal address.

In this regard, it should be noted that, although it is true that data of special protection of article 9 GDPR are not involved, Opinion 06/2014 clarifies that

“In general, the more sensitive the information in question, the more consequences it may have for the interested party. However, this does not mean that data that seem in and of themselves innocuous can be treated freely based on article 7, letter f). Indeed, even such data, depending on the way they are treated, can have a significant impact on people”

This, in combination with the absence of a reasonable expectation of the data subject in the processing of their data, means that the nature of the data processed, by itself, cannot justify the legitimate interest in the treatment.

4. How the data is processed

Another aspect to take into account when weighing rights and interests would be the judgment of necessity, suitability and proportionality in data processing. In this regard, Opinion 06/2014 indicates the following:

“In general, the more negative and uncertain the impact of treatment may be, the more unlikely it is that the processing will be considered, on the whole, legitimate. The availability of alternative methods to achieve the objectives pursued by the person in charge of the treatment, with less negative impact on the interested party, should certainly be a pertinent consideration in this context."

In this regard, the defendant alleges that "from Factor Energía there is, in our assessment, no alternative method that allows us to communicate our interest in offering our services and that likewise allows us to comply with our legal obligations (inform stakeholders about the processing of personal data) and with the least impact on stakeholders.”

Suffice it to say that it would have been enough to carry out a mailing activity without including the claimant's data. This is especially so when the claimed party itself has clarified that the indication of appropriate rates based on consumption, which is included in the letter, is not based on specific data of the complaining party, but on zone estimates. Based on this statement, it would not be necessary for the letter to be accompanied by identification data.

With this, the treatment carried out does not pass the judgment of proportionality, nor the principle of minimal intervention, as there are methods that would not require treatment.

5. Position of the controller and the interested party

For the purposes of the weighting judgment, it is necessary to pay attention to the position of the claimant vs. the defendant. Thus, in the first case we find a citizen or user, while the claimed party is an electricity marketing company.
In this regard, Opinion 06/2014 advises paying attention to the situation of imbalance between the two:

"Depending on whether the data controller is a person or a small organization, a large multinational company or a public sector body, and on the specific circumstances, its position may be more or less dominant with respect to the interested party. Whether the interested party is an employee, a student, a patient, or whether there is otherwise an imbalance in the relationship between the position of the interested party and that of the controller must, of course, also be considered relevant. It is important to assess the effect of actual treatment on individual persons.”

6. Conclusions on the weighting of rights and interests

Based on the factors analysed, it cannot be concluded that in the present case the defense of legitimate interests, in comparison with the affectation of the rights of the claimant, justifies the use of the legitimizing basis of legitimate interest for the processing of data for direct marketing purposes.

This is based on:

- The existence of an impact has been determined in the field of the rights and interests of the complaining party. The latter has received a commercial communication from a company of which he was not a client, processing his personal data (name and surname and address), causing a situation of uncertainty about the origin of the data and whether they could be available to other entities.

- The existence of a reasonable expectation on the part of the complaining party that their data may be being processed by this company for these purposes has not been justified. This is above all due to the fact that, in the case of a direct marketing action, it has not been justified that the claimant was previously a customer or had been interested in the services of the claimed party.
- The non-existence of alternative methods, in application of the principle of minimal intervention, which did not involve the processing of personal data, to carry out marketing activities in the conditions in which they were being carried out by the claimant, has not been justified.
- The existence of an unbalanced situation has been determined between the position of the claimant (consumer) and that of the claimed party (distribution company in the electricity sector).

II

In accordance with the evidence available at the present time of the agreement to start the disciplinary procedure, and without prejudice to what results from the investigation, it is considered that the known facts could constitute an infringement, attributable to the claimed party, of article 6.1 of the GDPR, since the data processing carried out, that is, the marketing activity by postal mail addressed to the complaining party with his name, surnames and address, has been carried out without a legal basis.

IV

If confirmed, the aforementioned infringement of article 6.1 of the GDPR could entail the commission of the offenses typified in article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides:

"Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:

a) the basic principles for the processing, including the conditions for consent under articles 5, 6, 7 and 9; (…)"

In this regard, the LOPDGDD, in its article 71 "Infractions", establishes that: "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infractions".
For the purposes of the limitation period, article 72 "Infractions considered very serious" of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infractions that entail a substantial violation of the articles mentioned therein are considered very serious and will be time-barred after three years and, in particular, the following:

b) The processing of personal data without the fulfillment of any of the conditions of legitimacy established in article 6 of Regulation (EU) 2016/679. (…)"

V

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the present time of the agreement to start disciplinary proceedings, and without prejudice to what results from the investigation, it is considered that the offense in question is serious for the purposes of the GDPR and that it is appropriate to grade the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR:

As aggravating factors:

- Negligence in the offence (Art. 83.2.b). It must be taken into account that FACTOR ENERGIA has not even been able to prove the source from which it obtained the data of the complaining party, indicating that they were obtained from "sources of public access", without being able to specify the specific source. This indicates, at the very least, a considerable lack of diligence.

Likewise, it is considered appropriate to grade the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD:

As aggravating factors:

- Linking of the activity of the offender with the processing of personal data (Art. 76.1.b). FACTOR ENERGIA, a company dedicated to the electricity trade, handles a high volume of personal data, for which it must have extensive knowledge of the regulations relating to the protection of data and its management.
The balance of the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the LOPDGDD, with respect to the offense committed by violating the provisions of article 6.1 of the GDPR, allows the initial setting of a penalty of €40,000 (FORTY THOUSAND euros).

VI

If the infringement is confirmed, it could be agreed to impose on the controller the adoption of adequate measures to adjust its conduct to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…". The imposition of this measure is compatible with the sanction consisting of an administrative fine, according to the provisions of art. 83.2 of the GDPR.

It is noted that not meeting the requirements of this body may be considered an administrative offense in accordance with the provisions of the GDPR, classified as an infraction in its articles 83.5 and 83.6, and such conduct may lead to the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the foregoing, by the Director of the Spanish Data Protection Agency, IT IS AGREED:

FIRST: INITIATE SANCTION PROCEDURE against FACTOR ENERGÍA, S.A., with NIF A61893871, for the alleged violation of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR.

SECOND: APPOINT as instructor C.C.C. and, as secretary, D.D.D., indicating that either of them may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the Sub-directorate General of Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be, for the alleged violation of article 6.1 of the GDPR, typified in article 83.5 of said regulation, an administrative fine of €40,000.00.

FIFTH: NOTIFY this agreement to FACTOR ENERGÍA, S.A., with NIF A61893871, granting a hearing period of ten business days to formulate the allegations and present the evidence it deems appropriate. In your written allegations you must provide your NIF and the procedure number that appears in the heading of this document.

If, within the stipulated period, you do not make allegations to this initiation agreement, it may be considered a proposed resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your responsibility within the period granted for the formulation of allegations to the present initiation agreement, which will entail a reduction of 20% of the sanction that should be imposed in this proceeding. With the application of this reduction, the sanction would be established at 32,000.00 euros, resolving the procedure with the imposition of this sanction.

In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount.
With the application of this reduction, the sanction would be established at 32,000.00 euros and its payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with the one that applies for acknowledgment of responsibility, provided that this acknowledgment of responsibility is made known within the period granted to formulate allegations at the opening of the procedure. Voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the penalty would be established at 24,000.00 euros.

In any case, the effectiveness of either of the two aforementioned reductions will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (32,000.00 euros or 40,000.00 euros), you must make it effective by depositing it in the account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the ground for reduction of the amount that is being relied on.

Likewise, you must send proof of payment to the General Subdirectorate of Inspection to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. After this period, it will expire and, consequently, the proceedings will be closed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.
935-110422
Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: On November 17, 2022, the claimed party proceeded to pay the penalty in the amount of 24,000 euros, using the two reductions provided for in the initiation Agreement transcribed above, which implies the acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and acknowledgment of responsibility in relation to the facts referred to in the initiation Agreement.

LEGAL GROUNDS

I
Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in disciplinary proceedings", provides the following:

"1. Once a disciplinary procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2.
When the sanction has only a pecuniary nature, or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second has been justified, the voluntary payment by the presumed perpetrator, at any moment prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction. The percentage reduction provided for in this section may be increased by regulation."

According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202102778, in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to FACTOR ENERGÍA, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process as prescribed by art.
114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

936-040822
Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es