AEPD (Spain) - EXP202305278
AEPD - EXP202305278 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 19.11.2024 |
Decided: | 14.01.2025 |
Published: | 13.01.2025 |
Fine: | 42,000 EUR |
Parties: | EDP Solar Spain |
National Case Number/Name: | EXP202305278 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | ao |
The DPA fined a solar panel provider €42,000 for sending documents including personal information to all participants of a solar neighbourhood project.
English Summary
Facts
Ecodes ran a solar neighbourhood project where 100 residents can take advantage of the solar energy generated on the roof of a municipal building in their area, for a monthly fee and without the need to pay any additional costs.
In order to sign up to the project, interested individuals had to sign up on a website provided by EDP, here the controller. The entered details were then sent to the Ecodes email account, here the processor, which selected eligible candidates and then sent their information to EDP in order for them to be added to the participant list.
The data subject was one of the participants in the project. The data subject had received an email with a PDF attachment containing the following personal data belonging to 99 different people: name, surname, ID numbers, mobile phone number, e-mail address, postal address, town and postcode and the individuals’ signatures.
The data subject contacted Ecodes, informing them of the data breach and requesting that Ecodes restrict the excessive processing of personal data. Ecodes then sent the data subject an email explaining that the information had to be disclosed because the document sent was the contract on which the project was based. It explained that every participant had to be provided with a copy of the contract they had entered into.
The data subject lodged a complaint with the Spanish DPA (Agencia Española de Protección de Datos – AEPD). The email had been sent from an Ecodes domain, but the EDP logo appeared at the bottom of the email, and the investigation established that EDP had instructed Ecodes to send it. The investigation showed that the PDF file included several documents relevant to the contract, such as the powers of attorney of each participant, but also included the personal information listed above.
Holding
The AEPD determined that EDP acted as the controller and Ecodes as the processor, as Ecodes had been instructed to send the PDF file. The AEPD found that it had been unnecessary to disclose each other's personal information to all participants in the project in the PDF contract. It therefore found an infringement of Article 5(1)(c) GDPR.
The AEPD found that while the controller lacked intention for the infringement, there was also a clear lack of due diligence.
The AEPD initially set the fine at €70,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it could acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller did both, acknowledging its responsibility for the violations and paying the sanction, which reduced the fine by 40% to €42,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202305278
RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On November 19, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against EDP SOLAR ESPAÑA, S.A. (hereinafter, the respondent party), through the Agreement that is transcribed:
<<
File No.: EXP202305278
AGREEMENT TO START SANCTIONING PROCEDURE
FACTS
FIRST: Content of the claim and documentation attached by the claimant
SECOND: Transfer of the claim
THIRD: Admission to processing
FOURTH: Preliminary investigation actions
FIFTH: Consult data of the company EDP SOLAR ESPAÑA, S.A.
LEGAL BASIS
I Jurisdiction
II Obligation breach
III Classification of the offending conduct
IV Proposed sanction
V Adoption of measures
IT IS AGREED:
AGREEMENT TO START SANCTIONING PROCEDURE
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
Of the actions carried out by the Spanish Data Protection Agency and based on the following FACTS FIRST: Content of the claim and documentation attached by the claimant A.A.A. (hereinafter, A.A.A.) on 3/03/2023, filed a claim with the Spanish Data Protection Agency. The reasons on which it is based are the following: On 02/22/2023, he received an email from the domain @ECODES.org, in which he and “at least 99 different people, including me” were attached … an attached file in PDF format that contained, among others, the following personal data: -“name, surname, ID, mobile phone number, email address, postal address, town, postal code; of at least 99 different people, including myself.” He provides: - in DOCUMENT 1, a copy of an email received on 02/22/2023, at “***EMAIL.1@gmail.com” with the title: “marketing notification-Pabellón siglo XXI”, “Bcc”, only the address of the claimant, “as a participant in Actur Barrio Solar”. The letter informs about the connection of photovoltaic installations, self-consumption of solar energy, and: “As part of the process, last Friday, the distribution company has notified all the distributors of the participants of Barrio Solar that they have to enable self-consumption in their domestic contracts. That is why it is likely that you have received some communication from your electricity supplier, either by telephone or email, asking you for a series of information about the self-consumption installation to which you are registered. 
The documentation that each of you must send them and that we attach in this email is the following: -Distribution Coefficients Contract (PDF) -TXT file (notebook “ (the two ATTACHED documents are seen in the email, one in .txt format, the other with a number followed by the name: “(...)_List of powers.pdf”, although the claimant does not provide them openly to see their content, therefore, these are not displayed). At the bottom of the email appears the EDP SOLAR logo. The claimant also provides as part of DOC 1: -an email sent by the claimant to ECODES.org, of the same 02/22/2023, 19:16. in which he asks him why he has sent “all the personal data of the people participating in the Barrio Solar project, in the annex of the email, not just mine”. - an email from ECODES.org to the complainant, dated 02/23/2023, 9:52, with the following text: “The documents we have sent you and their contents are those required by the process of activating collective self-consumption of a community photovoltaic installation. The distribution document follows a regulated model and must include the data of the participants and the signature. In this case, EDP acts on behalf of the participants, and in these cases it is required that the acceptance of this representation of all of them be included together with the distribution document, a document that EDP has sent us for annexation.” -another email from the complainant to ECODES.org, dated 24/02/2023 at 18:37, requesting to be informed of the person responsible for processing his/her data. -email from ECODES.org to the complainant, dated 27/02/2023, with a copy to dpd@edpenergia.es, in which, in response to his/her request, he/she is informed that “the data controller in the Actur Barrio Solar project to whom he/she should address his/her request is EDP SOLAR ESPAÑA SA”, (hereinafter EDP) indicating his/her address and the contact details of his/her DPD. 
Adding that “the data processor is Fundación Ecología y Desarrollo, ECODES”, along with his/her DPD contact details. -email from the complainant dated 28/02/2023 to EDP, indicating that from the ECODES address, an email was sent to him in which “all recipients were sent a file in which the following personal data can be read: name, surname, ID, mobile phone number, email address, postal address, town, postal code”, and he exercises his right of access. -in the attached file of the complaint (…), a copy of the email from EDP to the complainant, dated 2/03/2023: which responds to the claimant's request, indicating among others: “EDP is processing personal data relating to you, which were originally provided by ECODES, to whom you expressed your interest in being part of the Barrio Solar project and which were subsequently completed by you for the formalization of the participation contract in it. The data subject to processing are the following: Identification data: Name and Surname, Address, CIF, Contact details: Telephone, Email Data of the supply point: Address, Number, Floor, Staircase, Letter, Postal Code, Town, Municipality, Country, CUPS Data of the contracted Product: Number of participation shares, Payment Method, Billing data: IBAN Shared documents: Invoice and ID. Your data is processed for the purpose of managing, maintaining, developing, fulfilling and controlling the contracting and operation of the “Barrio Solar” service, as well as to provide you with complementary services related to solar installations, complementary inspection services, technical assistance or maintenance. 
Additionally, as specifically requested, the specific data processing carried out within the framework of the contract carried out by you within the framework of the “Barrio Solar” project is set out below: The process of consumer participation in collective self-consumption is established in Royal Decree 244/2019, of 5/04, which regulates the administrative, technical and economic conditions of self-consumption of electrical energy, for which the Guide “IDAE 021: Professional Guide for Processing Self-Consumption” of the Institute for Energy Diversification and Savings, dependent on the Ministry for Ecological Transition, was published. In compliance with the obligations set out in this regulation and following the indications of the Guide, as you know, the following were carried out: - the signing of a mandate in favour of EDP to be able to carry out the corresponding procedures with the electricity distribution and marketing companies, as well as - the management of the acceptance by all interested consumers of the corresponding agreement in which the criteria for the distribution of self-consumption are included Both you and the rest of the consumers signed the mandate through an electronic signature system provided by a qualified trust service provider, whose operation is regulated by the e-IDAS regulation: Regulation (EU) No 910/2014 of the European Parliament and of the Council, of 23/07/2014, regarding electronic identification and trust services for electronic transactions in the internal market. This system generated an electronic receipt of the signatures made. Subsequently, the EDP representative signed the general distribution agreement on behalf of all the consumers who had authorized him to do so, including you. For this agreement to be valid, it is necessary that the mandates signed by the consumers be included in it. 
In this case, since the authorization was made by digital means, instead of a physical signature, proof of the digital signature is provided, which contains the information that you refer to in your query, which is why it is included in the agreement. Finally, the agreement was made available to all participating consumers, so that they have proof of the agreement signed in their name, as part of it. As this is a digital contract, it must be delivered with its entire content, since any alteration would imply that the digital copy delivered would be detected as manipulated, and would therefore not serve to justify the agreement signed. Therefore, as stated, the exchange of information carried out complies with the regulatory requirements for the creation of the energy self-consumption community. However, we inform you that, in response to your request, a matter has been processed before the Spanish Data Protection Agency to clarify all the points of the process regulated in the regulation and interpreted in the IDAE guide. In addition to what was previously reported, we inform you that, during the validity of the contract, your data may be communicated to the following entities: The corresponding distribution company, with which there will be a permanent exchange of information for the adequate provision of the service. Public Organizations and Administrations that correspond by law. Banks and financial institutions for the collection of services provided. 
Other companies of the business group, solely for internal administrative purposes and the management of the contracted products and services.” SECOND: Transfer of the claim In accordance with article 65.4 of Organic Law 3/2018, of 5/12, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on 04/27/2023, said claim was transferred to FUNDACIÓN ECOLOGÍA Y DESARROLLO, ECODES, and EDP SOLAR ESPAÑA SA so that they could send the following information to this Agency, in order to know the circumstances of the specific case and admit or not the claim for processing: 1. DETAILED AND CHRONOLOGICAL DESCRIPTION OF THE EVENTS THAT OCCURRED. 1.1 On 05/24/2023, a response was received from FUNDACIÓN ECOLOGÍA Y DESARROLLO, ECODES (ECODES hereinafter) which begins by indicating that it is an independent non-profit organization that has been working for sustainable and environmentally friendly development since 1992. The “Barrio Solar” project is a pioneering collective self-consumption initiative, where 100 residents can take advantage of the solar energy generated on the roof of a municipal building in their area, by paying a monthly fee and without having to install anything in their homes. This is what is technically called a collective self-consumption solar energy project. To implement the project, an agreement was signed between EDP ENERGÍA SAU, a Spanish company belonging to the EDP España group, dedicated to the production of electric energy, the City Council of Zaragoza and ECODES. This agreement contains an annex relating to the processing of personal data, which establishes that EDP is responsible for the processing of data and ECODES is in charge of processing. It states that a contact form was made available on its website, so that those interested in taking part in the project could enter their email address and/or telephone number. 
The data contained in this form arrives at a single email account on ECODES.org, managed by ECODES, an account that is only accessed by two people from ECODES, its purpose being to compile the list of participants and potential reserves of those interested in the project. “In the event that the person requesting information through the aforementioned email wants to finally participate in the initiative, ECODES gives the contact details, the email and telephone number to EDP, the company in charge of the project, who contacts them and begins the process of formalizing the participation contract for which it is ” (cuts off). And continues: “To formalize the participation, the interested parties end up providing EDP with their personal data directly, either via the web or by telephone (including address, CUPS and account number, among others).” At one point in the process, EDP asks ECODES to, following the process established in the aforementioned Royal Decree 244/2019 of 5/04, which regulates the administrative, technical and economic conditions of collective self-consumption of electric energy, forward an email to the 100 participants. ECODES does so, following the guidelines received from EDP. Send an email with a blind copy to all participants. Attach in Excel format, the content of the story that happened with the complainant and the communications received and issued, with the date of the actions carried out. 1.2 On 05/26/2023, a response is received from EDP hereafter, indicating that in the framework of the creation of a "community" of associated consumers for the collective self-consumption of energy, under the regulations contained in Royal Decree 244/2019, of 04/05, the creation of said community was carried out, bringing together, for this purpose, the consumers interested in participating in it, amounting to a total of 99 consumers, including the current complainant. 
“In order to carry out, in accordance with current regulations, the registration process for the community with the energy distribution and marketing companies, the following was carried out: - the signing of a mandate in favour of EDP to be able to carry out the corresponding procedures with the electricity distribution and marketing companies, in accordance with the express authorisation provided for in the Annex of the Royal Decree referred to above in order to be able to carry out the process, as well as, - the management of the signature by all participants of the corresponding agreement in which the criteria for the distribution of self-consumption are included, in accordance with the provisions of article 4.3 of the aforementioned regulation, as well as. This process was carried out digitally, sending the consumers involved a copy of the agreement through the electronic signature system provided by EDP for these purposes, so that, once validated, they could express their agreement, responding affirmatively to their participation in the community in the terms communicated. Additionally, a mandate contract is sent so that they can authorize EDP to sign the distribution agreement on their behalf and carry out the necessary procedures for the completion of the contract with the energy distribution and marketing companies. 
In this way, the electronic system used to carry out the electronic acceptance process of the mandate allows users to communicate their acceptance, guaranteeing that it has been effectively expressed by the user, who has previously been identified by EDP as a consumer participating in the self-consumption community, the exact moment in which the acceptance process is carried out, as well as the integrity of the document actually signed.” EDP informs that for the electronic acceptance process of the mandate they have “a trusted third-party service provider in the field of qualified time stamps, in accordance with the national legislation applicable in Spain in reference to the eIDAS Regulation (Regulation (EU) No 910/2014 of the European Parliament and of the Council, of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93 / EC and that the process involves the processing of the contact data referred to in order to generate the corresponding evidence, in accordance with the provisions of article 3 of the eIDAS Regulation, and in relation to the provisions of article 42 of the same legal text, in order to be able to accredit the appropriate information to comply with the qualified time stamping service and to allow generating evidence of the acceptance of the agreements and mandates in accordance with the cited eIDAS Regulation. That is, the contact details are what ultimately binds the participant to the acceptance of the terms of the contract and the mandate, being essential to be able to verify this fact, as well as to justify that the copy has been duly delivered, as required by consumer regulations (attached as document no. 1 Report on contracting via SMS and email in the provider's service). 
Once the management of the individual signatures of the mandates has been completed, the general distribution agreement accepted by the participating consumers is generated with all the CUPS and percentage of participation of each consumer in the community (for which all the representation mandates of the participants are attached) and is signed by the EDP representative for submission to the corresponding distribution and marketing entities and is made available to all participating consumers in the community, so that they have proof of the agreement signed in their name. Specifically, these documents have been prepared with the content provided in the Guide “IDAE 021: Professional Guide for Processing Self-Consumption” of the Institute for the Diversification and Saving of Energy, dependent on the Ministry for the Ecological Transition, specifically model 5. When complying with these last procedures, in the final document made available to the participating consumers, some contact information may be included, derived from the means used to sign the mandates, since, as indicated, the signing of these documents is done by electronic means, whose digital evidence includes this information. Since EDP acts as the agent of the consumers, and not on its own behalf, it must make the content of the agreement available to them, since each of them is a party to it. Similarly, since the agreement is signed digitally, any manipulation or modification of its content (to eliminate personal information from the signature) would mean that the copy delivered would not serve the consumer as complete evidence of the content of the contract, since it would not comply with the integrity requirement, having been, in fact, modified." As a specific response to the chronology and description of the events, EDP stated that the claimant signed a COLLECTIVE SELF-CONSUMPTION AND ENERGY EFFICIENCY SERVICES CONTRACT WITH EDP on 07/05/2021, provides DOCUMENT 2. 
On the same date, the claimant granted special power to EDP to carry out, in his name and representation, certain acts within the framework of the contracting of the “Barrio Solar” Project, provides DOCUMENT 3 From DOCUMENT 2, the following stands out among others: Encompassed by a first document which is the “confirmation of the EDP contract” in which the third party trusted service provider intervenes, electronic document. The EDP SOLAR CONTRACT is listed as sent for acceptance by SMS, and the claimant's mobile phone number and email address, which matches the one provided in his claim where the attached file subject to the claim was sent, are listed among the data sent. His full name and surname are also included, a document generated on 07/05/2021. In the "request tracking" section, the chronology of the confirmation of the contract with SMS messages is displayed, with the first message being sent on 07/02/2021, "EDP Solar Contract: (...)", so that he "responded with a YES to this message to confirm the contract" with confirmation dated 07/05/2021. Next is the document: “SERVICE CONTRACT WITH EDP” which is a sheet “that contains, perhaps pre-filled in computer type, the name and surname, the customer's address, the NIF, the telephone number, the address of the supply point and the electricity CUP and the IBAN data for account debit”. Next is the section: “specific conditions of the contract”. 
-A second page that does not contain any logo or signature, which (also lacking a page number) contains the following information about personal data: “Personal data will be processed by EDP Solar España SA as the data controller for the maintenance, development, compliance and management of the contractual relationship, fraud prevention, profiling based on information provided by the customer and/or derived from the provision of the service by EDP, as well as sending commercial communications such as those related to products and services related to solar installations and energy consumption and which may be personalized based on your customer profile, and as reported in the general conditions, being able to oppose at any time the sending of commercial communications. This contract will also maintain the purpose of the client receiving information and being able to participate in the activities associated with the Solar Neighborhood: workshops and conducting surveys in relation to participation in said project, monitoring energy consumption and sending advice on electricity consumption and use of the solar energy produced. It is followed by the informative clause of the “general conditions of the EDP Solar Neighborhood service”, with the following characteristics: It includes a section 8: “Protection of personal data”, which highlights: 8.1 Purposes, for the formalization of the contract 8.2 categories of personal data, 8.3 Communications and recipients of the data 8.4 rights. -It relates the chronological detail indicating that on the aforementioned date the claimant granted power in favor of EDP to carry out in his name and representation certain acts within the framework of the contracting of the project. 
They provide a copy of document 3 “power of representation and confirmation of signature”, which is a trusted third party document containing an SMS message, “EDP SOLAR power of representation”, sent by SMS to the claimant’s recipient phone number, so that they respond with a Yes to the SMS to confirm, containing details at another address, sent on 07/05/2021, and with a response on the same day (yes). Another document entitled “power of representation” is attached, dated 07/03/2021, which includes: 1. All the necessary procedures for the registration, modification and/or deregistration of the solar installation in which the Client participates (hereinafter the Installation) in the Administrative Records of Self-Consumption and, where applicable, of Electric Power Production Installations. 2. Signing, on behalf of the Client, the Agreement for the Sharing of the energy generated by the Installation, after determining the coefficient that corresponds to the Client based on the capacity of the Installation, the number of associated consumers who share it and what has been agreed in the contract signed between the Client and EDP. 3. Signing, on behalf of the Client, any modifications to the Sharing Agreement that are necessary. 4. Making any necessary communications in relation to the Sharing Agreement to the distribution company and the marketer with whom the Client has contracted the supply. 5. Any other communication with the distributor, the marketer, the Autonomous Communities or any competent body that is necessary to process or confirm the registration, modification or cancellation of self-consumption by the Customer, as well as any communication in relation to the Distribution Agreement. In particular, EDP SOLAR ESPAÑA, S.A. 
is authorized to request from the Customer's distributor and/or marketer confirmation of the date on which self-consumption has been activated for the Customer, as well as any cancellation or modifications, as well as to know at any time the status of the processing of the processes associated with self-consumption by said companies.” EDP declares that these documents have been prepared with the content provided in the IDAE Guide 021, "Professional Guide for Self-Consumption Processing" of the INSTITUTE FOR ENERGY DIVERSIFICATION AND SAVING, dependent on the Ministry for Ecological Transition, specifically model 5. -It goes on to report that on 02/27/2023, it received a letter from the complainant, which appears in Annex 1 of the claim. On 02/28/2023, the exercise of the claimant's right of access was received, which was attended to on 03/02/2023, also appearing in ANNEX 1 of the claimant. It also provides document 5, which according to EDP is titled “email sent by the complainant to EDP on 03/03/2023”, with the following literal: “I attach an email in which I expressly indicated at the time of contracting that I did not consent to the processing of my personal data to other companies or third parties other than those strictly necessary for the contractual relationship I reiterate my request and ask you to limit the processing and transfer of my personal data to the purposes strictly necessary for the contractual relationship” According to EDP, it is that “The now Complainant sends a reply to EDP SOLAR accepting the explanations provided in relation to the processing of his data in the email of 03/02/2023, as well as, reiterating that his data is processed strictly for those purposes necessary to comply with the contractual relationship.” -EDP states that on 02/28/2023, Following the email received, EDP submitted a query to the AEPD in order to clarify whether sharing certain personal data with the rest of the community members in order to fully comply with the 
process regulated by Royal Decree 244/2019, of 5/04, which regulates the administrative, technical and economic conditions of self-consumption of electrical energy and the IDAE Guide 021: Professional Guide for Processing Self-Consumption, could have a negative impact on interested parties from the perspective of privacy and protection of their personal data. A copy of the Query raised to the AEPD is provided as document no. 4. In this query that you provide, there is a probable error in the date of the document, which indicates 27/02/2022. The following points stand out from the consultation, among other points necessary to relate the consultation and its terms, with the eventual response, according to the order given in the consultation: Within the framework of the creation of a community of associated consumers for the collective self-consumption of energy, the creation of the same was carried out, with 99 interested consumers participating, citing RD 244/2019 of 5/04. All participants signed a mandate in favor of EDP to carry out the corresponding procedures before the electricity distribution and marketing companies, in accordance with the express authorization provided for in the Annex of the aforementioned Royal Decree to be able to carry out the process (it does not mention which of the annexes it refers to) specifying that "a model contract and a model power of representation are included", not knowing exactly which documents were sent. 
It states that, “in addition, a power of attorney contract is sent so that EDP can be empowered to sign the distribution agreement on his behalf and carry out the necessary steps to finalize the contract with the energy distribution and marketing companies.” “once the management of the individual signatures of the mandates has been completed, the general distribution agreement accepted by the participating consumers is generated with all the CUPS and percentage of participation of each consumer of the community (for which all the representation mandates of the participants are attached) and is signed by the EDP representative for its referral to the corresponding distribution and marketing entities and is made available to all participating consumers of the community so that they have proof of the agreement signed on their behalf. Specifically, these documents have been prepared with the content provided in the IDAE 021 guide, professional guide for processing self-consumption, model 5. This guide can be accessed and in the agreement models on distribution criteria it is indicated that in application of RD 244/2019, of 5/04, the following consumers agreed to join the installation of collective self-consumption of electric energy with the following characteristics, including a list to be completed with the data of the associated consumer-owner of the supply - in which they must enter NIF, CUPS, and distribution coefficient.
The respondent states that: "When complying with these last procedures, it was detected that the final document made available to the participating consumers may include some contact information of these, derived from the means used to sign the mandates, since as indicated, the signing of these documents is done by electronic means whose digital evidence includes this information (a confirmation model of power of representation is attached). 
It should be noted that point 13 of the IDAE guide requires that this agreement be signed by all and must be sent by each consumer to the distribution company, either directly or through its marketing company. If, in order to achieve collective self-consumption, it had been decided to form a Community of renewable energies, this could represent the associated consumers in all these procedures, provided that the associated consumers authorize it appropriately.” Since EDP must act as the consumer's agent, and not on its own behalf, it must make the content of the agreement available to them, since each of them is a party to it. Likewise, since the agreement is signed digitally, any manipulation of its content to remove personal information from the signature would imply that the copy delivered would not serve the consumer as complete evidence of the content of the contract, since it would not comply with the integrity requirement, having been effectively modified - the AEPD is asked if it considers that the procedure required by Royal Decree 244/2019 and the IDAE guide is a procedure that may be in accordance with the regulations on personal data protection, since all members of the community, signatories of the documentation, may have access to certain personal data of the other consumers, since they are all part of the same contract, thus attending to the literal of what is required by the referenced Royal Decree and, where appropriate, the referenced IDAE Guide, all this taking into account that to date, this type of consumer communities have not been established in Spain, the one that has been proposed to EDP being the first existing at a national level, as well as the legal period established to be able to send the documentation indicated by the Royal Decree to the energy supplier of the consumers is a very short period of time, 10 calendar days. 
Specifically, the main concern that EDP has is none other than that, in the event of full compliance with the literal required by the Royal Decree and, where appropriate, by the IDAE Guide, it necessarily entails that all members of the community know certain personal data of the rest of the members of the community, something that, although from the point of view of energy regulations seems reasonable and justified in Law, it seems that it could have a negative impact on consumers from the perspective of privacy and protection of their personal data”
EDP states that on 03/14/2023, a response was received from the AEPD, with EDP indicating that “in this sense, it should be noted that the AEPD did not object or does not refer that the detailed process carried out by EDP was contrary to the provisions of the data protection regulations.” It provides DOCUMENT 6, which shows the response date of 03/14/2023, and from which the following should be highlighted, among other aspects: In general, it reviews the bases of legitimacy and refers to the sectorial regulation, whereby the one in 6.1.c) of the RGPD may exist, and if this were the case, the consent of those affected would not be required. It adds respect for the principles of the RGPD, highlighting the minimization of article 5.1.c) of the RGPD and the principle of proactive responsibility. It ends by indicating that “This response constitutes a purely informative activity of the AEPD; it has no binding effects, does not modify the legal situation of the applicant and does not constitute an appealable act.”
1. DETAILED SPECIFICATION OF THE CAUSES THAT MADE THE INCIDENT POSSIBLE.
ECODES stated that the procedure established in RD 244/2019 of 5/04 and the IDAE self-consumption guide have been followed, in which the distribution document is established, with a pre-established format necessary to be able to register and process collective self-consumption. 
It states that the only personal data processed, which are not expressly mentioned in the aforementioned Royal Decree, are the e-mail and the telephone number; but it has been necessary to collect them by EDP in order to be able to carry out the representation via electronic signature (a procedure that was provided for in the aforementioned documentation).
EDP stated that in no case can the detailed facts be considered as an incident in the area of Data Protection, based on the fact that the sharing of certain data with the rest of the members of the community complies with the regulatory requirements in energy matters, as well as the Data Protection regulations. The personal data of the complainant were processed within the framework of the contract that he carried out in the project called "Barrio Solar". “In accordance with the conditions established by RD 244/2019 of 5/04 and the IDAE Guide, the acceptance by all interested consumers of the corresponding agreement was managed, which includes the criteria for the distribution of self-consumption, as well as the signing of a mandate in favor of EDP to carry out the procedures before the electricity distribution and marketing companies.” Both the complainant and the rest of the consumers signed the mandate using an electronic signature system provided by a qualified trusted service provider. Subsequently, EDP, as agent, proceeded to sign the general distribution agreement on behalf of the consumers who had empowered it for this purpose. In order for this agreement to be valid, it is necessary that the mandates signed by the consumers appear in it. In this case, as the empowerment is carried out by digital means, instead of a physical signature, proof of the digital signature is provided, which contains information on the rest of the participants, hence they are included in the agreement. 
Finally, the agreement was made available to all participating consumers, so that they have proof of the agreement signed in their name, as part of it. Since this is a digital contract, it must be delivered with its entire content, since any alteration would imply that the digital copy delivered would be detected as manipulated, and would therefore not serve to justify the agreement signed. Therefore, as stated, the exchange of information carried out complies with the regulatory requirements for the creation of the energy self-consumption community. Likewise, and in accordance with the response to the query posed to the AEPD, the points of the process regulated in the standard and interpreted in the IDAE guide are fully compatible with the data protection regulations.”
1. NUMBER OF PEOPLE AFFECTED BY THE VIOLATION OF THE SECURITY OF PERSONAL DATA.
ECODES indicates that “100 people have had their personal data communicated to the other 99 participants in the project.”
EDP stated that “there has not been an incident or security breach that affects the rights and freedoms of the interested parties and, therefore, there are no affected persons. Notwithstanding the above, and for purely informative purposes, we must clarify that the total number of consumers participating in the “Barrio Solar” project, including the current complainant, amounts to 99 consumers, although the exchange of certain data with the rest of the participants is lawful and complies with the requirements of the sectorial regulations, as well as the data protection regulations.”
4. CATEGORY OF PERSONAL DATA INVOLVED. 
ECODES indicates that “the data revealed have been of a general category: name, surname, ID, mobile phone number, email address, postal address, town, CUPS and postal code.”
EDP stated that: “no personal data was detected involved, given that, as has been made clear, the exchange of personal data was carried out in strict compliance with Royal Decree 244/2019, of 5/04, as well as the IDAE Guide, therefore, we cannot consider that there are affected persons involved and, consequently, categories of personal data involved since the existence of a security incident has not been reported.” However, it indicates that the only data that was exchanged within the framework of the signing process by the participants of the community are: Partners - Identification Data, Personal Contact Data, Commercial and Contractual Conditions.
5. POSSIBLE CONSEQUENCES FOR THE AFFECTED PERSONS.
ECODES stated that the consequences, although with little probability of occurrence, may be the following: Loss of control over personal data, reputational damage and, to a lesser extent (because it is limited to one hundred residents of the neighborhood), being the victim of phishing/spamming campaigns.”
EDP stated that no consequences have been detected in affected persons, since no security incident has materialized. “The exchange of information was carried out at all times with a fully lawful basis of legitimacy and in compliance with the energy regulations that are applicable to the Data Controller, especially when said process was made known to the AEPD and it did not oppose or raise any objection to it.”
6. DETAILED DESCRIPTION OF THE ACTIONS TAKEN TO SOLVE THE INCIDENT AND MINIMIZE ITS IMPACT ON THE AFFECTED PERSONS. 
ECODES responds that “the actions taken were the measures provided for in the implementation of the General Data Protection System, prior to the claim; namely:
-immediate and diligent response to the affected party;
-immediate notification to the data controller, upon becoming aware of the situation,
-transfer of the response to the affected party,
-telephone and email follow-up in both directions (to the affected party and to the data controller).
-On 02/03/2023, the Data Controller submitted a question to the Spanish Data Protection Agency to clarify that all points of the process regulated in the standard and interpreted in the IDAE guide are fully compatible with data protection regulations.
-ECODES proposal to improve the procedure consisting of EDP, making use of its power of representation, sending the distribution document directly to the marketers. This proposal was accepted by Endesa and Iberdrola as a valid procedure for their participating customers, but it is unknown whether the rest of the marketers will adopt it, as it is not the procedure established by RD 244/2019.”
EDP stated that “there has not been a security incident that requires actions to minimize the impact on the possible affected persons, on the part of EDP SOLAR and, as indicated in the chronological description of the events, in compliance with the principle of proactive responsibility, and after receiving the emails from the now claimant, it raised a prior consultation with the AEPD in order to corroborate and verify whether, in fact, the process carried out in accordance with the energy regulations was in accordance with the data protection regulations”. EDP also reiterates that “considering the response provided by the AEPD, we can interpret that the process was lawful and complied with the data protection regulations”, citing parts of the response, based on legitimacy and principles of treatment.
7. SECURITY MEASURES FOR THE PROCESSING OF PERSONAL DATA ADOPTED PRIOR TO THE INCIDENT, AS WELL AS THE DOCUMENTATION SUPPORTING THE RISK ANALYSIS THAT HAS LED THE IMPLEMENTATION OF SAID SECURITY MEASURES AND, IF APPLICABLE, A COPY OF THE IMPACT ASSESSMENTS OF THE PROCESSING WHERE THE SECURITY VIOLATION OF PERSONAL DATA HAS OCCURRED.
ECODES responded that “At the beginning of the project, ECODES was identified in this phase as the Data Processor of the personal data and the pertinent security measures were taken to guarantee the adequacy of the processing to the legality. The only assets of ECODES involved in this project are an ad hoc email account and an Excel file operated by only two people (shared on Google Drive only by them), following ECODES security guidelines. The processing of the personal data that gave rise to the claim has been deliberate, following the guidelines of Royal Decree 244/2019; in ECODES' opinion there has been no security breach, since at no time has there been an unintentional disclosure of data. The email was sent with a blind copy to all of them. As regards ECODES, it acted diligently.”
EDP stated that it adopted security measures, stating various ones such as preparation of a RAT, DOCUMENT 7, which they describe as “management of the contracting process for sales of EDP Solar installations and services”, with the purpose of “managing the contracting of EDP Solar installations and services”, and based on the lawfulness of processing “execution of the contract”. 
In “data communications,” among others, it appears “electrical marketing and distribution entities,” and “partners-execution of the contract-“ and risk analysis in DOCUMENT 8, indicating that “According to the level of risk detected, the minimum applicable security measures are determined,” among which the following can be mentioned: -those related to personnel with access to data, the signing of a written confidentiality commitment, knowledge of rules and procedures that must be adopted, they have a procedure for controlling access to data, backup copies, archiving of media and devices for storage, inventory and control of entry and exit of documents and media, definition and implementation of a procedure for anonymizing personal data in cases where it is technically possible. Document 8 of the “risk analysis of processing” provided is an Excel table with two columns that simply answers No to all the questions, such as: Automated processing; Large-scale special categories; Large-scale systematic observation of a publicly accessible area; Profile assessment; Automated decisions; Systematic observation of interested parties; Very or very personal sensitive data; Large-scale data processing; Big data interconnection; Data relating to vulnerable interested parties; Use of innovative technologies; Unavoidable processing/restriction of the exercise of rights.
8. Copy of the Activity Record of the processing where the incident occurred.
ECODES attaches the RAT of “File group: Barrio Solar”, Description: “control of participants and reservations of the community solar self-consumption project Barrio Solar”. Purpose and uses: Process the inclusion of participants/reservations in the self-consumption project”. Legitimation: consent of the interested party. Conservation: They will be kept for the stipulated time to determine the possible responsibilities that could arise from said purpose, after the completion of the project”. 
Origin of the data: The interested party. Recipients of data transfers: EDP Security officer, with a person, Exercise of rights, “Fundación Ecología y Desarrollo”, and the address, telephone number, same data as the footer of the email sent to the claimant. Information fields: CIF/NIF, CUPS, energy consumption, name and surname, electronic postal address, manual or digital signature, telephone number. Then, in the files, it indicates the existence of two:
- ACTURBARRIOSOLAR@ECODES.ORG: described email account dedicated to receiving applications from those interested in the Barrio Solar project, “information fields”: Name and surname, Address (postal/electronic), Telephone, with “supervisor” appearing as a physical person.
- “BARRIO SOLAR”: described as “contact for participants and reservations for the “Barrio Solar” project”, “information fields”: “energy consumption, belonging or not to Zaragoza housing, CUPS, CIF, NIF, manual or digitalized signature, name and surname, postal-electronic address telephone”, with “supervisor” appearing as a physical person.
EDP stated that it provides a copy of the RAT in document 7.
9. IF THE SECURITY BREACH HAS BEEN COMMUNICATED TO THE AFFECTED PERSONS, INDICATE THE CHANNEL USED, DATE OF THE COMMUNICATION AND DETAILS OF THE MESSAGE SENT. IF NOT, INDICATE THE REASONS
ECODES responded that: “since it was not understood that there had been a security breach, the process of communicating it to the interested parties or to the AEPD was not initiated, according to the procedure for Incidents and security breaches established in the Data Protection Management System. However, as described in the statement of facts, action was taken with diligence and proactivity in communicating it to the person responsible. 
“An email was sent to all participants warning them not to respond, to await further instructions.”
EDP stated that since there was no security breach affecting the interested parties, it was not necessary to make any communication.
10. INDICATE WHETHER THE SECURITY BREACH HAS BEEN NOTIFIED TO THIS CONTROL AUTHORITY. If not, indicate the reasons why the security breach has not been notified to this Control Authority before 72 hours have elapsed since it was discovered. You can obtain information on the management and notification of security breaches at the following Agency link: https://www.aepd.es/sites/default/files/2019-09/guia-brechas-seguridad.pdf
ECODES indicates that “It has not been notified, since we did not understand that it was a security breach, but rather the communication of data according to the procedure necessary for participation in the “Barrio Solar” collective self-consumption project, established by Royal Decree 244/2019”
EDP stated that there was no security breach and that notification to the control authority was not necessary, “raising in an exercise of transparency with the AEPD and in compliance with the principle of proactive responsibility, a consultation was carried out with the AEPD” in which the process carried out in compliance with the regulations in energy matters was described in detail, in order to confirm whether it was in accordance with data protection regulations. 
It reiterates that the generation of a general distribution agreement accepted by all participating consumers in which the CUPS and the percentage of participation of each consumer are detailed, considering that EDP acted as a representative of the consumers, not on its own behalf, “must make the full content of the agreement available to the participating consumers, although when complying with this procedure of making it available, it was detected that the final document included certain contact information of the rest of the consumers”. It reiterates that “the agreement is signed digitally, any manipulation or modification of its content (to eliminate personal information from the signature) would imply that the copy delivered would not serve the consumer as full evidence of the content of the contract, therefore, it would not comply with the integrity requirement as it had been modified. In addition, EDP has consulted the qualified trust service provider regarding whether all the data included in the signature vouchers for the mandates are essential, confirming that the data corresponding to the telephone number and the email are an essential part to demonstrate what happened in the communication and identify the signatory."
11. MEASURES THAT IT PLANS TO ADOPT SO THAT A SIMILAR INCIDENT DOES NOT OCCUR AGAIN IN THE FUTURE.
ECODES indicates that: "The Data Controller submitted a question to the Spanish Data Protection Agency on 02/03/2023 to clarify that all the points of the process regulated in the standard and interpreted in the IDAE guide are fully compatible with the data protection regulations. 
It is pending to communicate this to all participants in the project and modify the procedure in future calls.”
EDP stated that “in order to maximize compliance standards in terms of privacy, it has decided that, from now on, the copy of the agreement will be sent to the rest of the participants without including proof of signature of the mandates thus preventing the telephone number and email address from being viewed by the rest of the participants. Notwithstanding the above, in the event that one or more of the participants request a full copy of the agreement, the proof of signature of the mandates must be provided, although, in any case, said exchange of information would be in accordance with the provisions of the regulations on energy matters, as well as with the criteria of the AEPD, especially when in the response to the query raised no opposition is expressed or an objection is referred to in relation to the legality of the process carried out.”
12. ANY OTHER THAT IT CONSIDERS RELEVANT.
ECODES indicated that “it has limited itself to acting according to the mandate established in the specifications of Royal Decree 244/2019, the guidelines and forms proposed by IDAE and following the guidelines of the Data Controller, EDP.”
THIRD: Admission for processing
On 06/03/2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complaining party was admitted for processing. 
FOURTH: Preliminary investigation actions
The Subdirectorate General for Data Inspection proceeded to carry out preliminary investigation actions AI/00239/2023, to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section two, of the LOPDGDD, having knowledge of the following points: On 15/11/2023, THE COMPLAINANT is requested to provide a copy of the document that was attached to the email that motivates his complaint, on which the complaint was forwarded to the two entities above, called: "(...)_List powers.pdf", mentioned on page 4 of the attached document “01_Mail.pdf” included in the REGAGE(...) entry. The shipment was delivered on the same day and the same day the AEPD sent a response, concerning:
- The annex contains 319 pages in pdf. First, there is the “AGREEMENT FOR THE SHARING OF ENERGY FOR COLLECTIVE SELF-CONSUMPTION FACILITIES WITH SURPLUS NOT EQUALIZED FOR COMPENSATION”, dated 3/10/2022. It contains the introduction, which states: “In application of Royal Decree 244/2019 of 5/04, the following consumers agree to join the self-consumption installation of the electric energy collective”, self-consumption code CAU: (...). It contains an excel-type list with FIVE fields. The first with a list of 99 NIFs, (FIVE of them are for legal entities) the next with the corresponding CUPS (unique supply point code), followed by the field: UTM with two different numbering series for each person, followed by the Cadastre ref., and the last, the distribution coefficient. 
At the bottom of the last page is the following: “we ask you to receive this communication and proceed to carry out the necessary procedures”, with a person signing on “behalf and on behalf of the aforementioned associated consumers according to the powers of representation ATTACHED TO THIS DOCUMENT”.
-Following this in the same pdf file for each of the 99 members of the association is the document “confirmation of power of representation” “to confirm the contract” which was sent and generated by BTP ONETEC SL (trusted third party) for each associated consumer (request for confirmation response) which reflects for signature the data of the telephone number and email of the associated consumer recipient who grant the power. Generally on the dates of June, July 2021.
-The document that complements the previous one follows, “power of representation” to EDP, which also includes the names and surnames, your NIF and your address for, among others:
- the necessary procedures for the registration, modification or deregistration of the solar installation in which the client participates, and for,
- the signature, on behalf of the Client, of the Agreement for the Distribution of the energy generated by the Installation, after determining the coefficient that corresponds to the Client based on the capacity of the Installation, the number of associated consumers that share it and what has been agreed in the contract signed between the Client and EDP.
- “Making the communications that are necessary in relation to the Distribution Agreement to the distribution company and the marketer with which the Client has contracted the supply.”
By date, the oldest power of attorney is signed on 06/21/2021. The claimant's power of attorney contract is included among all those sent and also appears in the list of the 99 NIFs.
FIFTH: Consult data of the company EDP SOLAR ESPAÑA, S.A.
According to the report collected from the AXESOR tool, the entity EDP SOLAR ESPAÑA, S.A. 
is part of the economic group VERBUND GREEN POWER GMBH, EU size: Corporate. In financial information in 2022, (…) euros appear as turnover, in type of company: group subsidiary, 60 employees, medium-sized, parent company global VERBUND GREEN POWER GMBH with more than a thousand employees
LEGAL BASIS
I Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants to each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of 5/12, on Personal Data Protection and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." 
II Unfulfilled obligation
In the GDPR, it is defined in its article 4.1), 2) and 7: “1)“personal data”: all information about an identified or identifiable natural person (“the interested party”); An identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; “2)“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;” (…) 7) “data controller” or “controller”: the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing; If Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its appointment may be established by Union or Member State law
In this case, for the purposes of personal data protection, the content of the ANNEX sent by email on 22/02/2023 on behalf of the respondent, EDP, to the participants in an electrical self-consumption process in order to enable self-consumption in their domestic contracts, once the distribution agreement between the participants was signed by EDP on behalf of and by mandate of each of the participants in the project. 
To carry out the incorporation of each participant in their individual electricity supply contracts, and to complete a procedure, EDP sent the email to all the participants, giving them a common annex that is the subject of the complaint. The reason for sending the email with the attached file was, according to the letter of the email, that the marketing companies would probably contact them, and the 99 participants in the process, most of them natural persons, (except FIVE, who are legal entities) were sent an attached pdf file (319 pages) with the documentation and the data that each participant theoretically had to provide to their marketing company. The person responsible for the treatment determines the purposes and means of the treatment; that is, the why and the how of the treatment. He must decide on both the purposes and the means. EDP's status as data controller is fulfilled because the participants in the self-consumption project, after each of them accepts it, establish a contractual relationship with EDP, with which they sign the contracts, for the purpose of managing, maintaining, developing, completing and controlling the contracting and operation of the "Barrio Solar" service, including the empowerment of EDP by the participants to sign the distribution agreement on their behalf and to carry out the necessary procedures for the completion of the contract between the energy distribution and marketing companies. EDP also states that it decided on the means, in the first instance with a trusted third party to guarantee participation in the self-consumption community, and a mandate for them to empower EDP so that EDP signs the distribution agreement on their behalf, as well as sending emails to the participants in the self-consumption project, as a means of processing their data, and their specific content. 
In the course of that relationship, EDP processed the data of the claimant and other participants (94 natural persons, FIVE were legal persons) defining the purposes, such as the way to obtain the result or achieve the objective, and how it will achieve that objective, meeting its status as data controller.
The issue is that, in that file attached to the email, addressed to all participants, entitled, (...)_List of powers.pdf, there were data of all participants, which were related to the document called: “distribution contract”. In summary, the following characteristics should be highlighted:
-document of the “COLLECTIVE SELF-CONSUMPTION ENERGY SHARING AGREEMENT FOR INSTALLATIONS WITH SURPLUS NOT ELIGIBLE FOR COMPENSATION”, dated 10/3/2022 It consists of an Excel table containing the data of all consumers participating in the self-consumption installation, of 99 people (FIVE of them legal entities), with: NIF, CUPS code (unique supply point code), UTM, cadastral reference of each home and the distribution coefficient.
-Next on the same page of the 319-page PDF file, a copy of the documents "confirmation of power of representation" made by a trusted third party, in which you can see the telephone number and email address of the 99 people participating in the project (FIVE of them legal entities), along with a copy of the power of representation documents of 99 people (FIVE of them legal entities) with the details of name and surname and the NIF, and the postal address in favor of EDP, to, among other acts, sign in its name, the "agreement for the distribution of the energy generated by the installation" and "Making the communications that are necessary in relation to the Distribution Agreement to the distribution company and to the marketer with which the Client has contracted the supply." 
That is, the email is sent so that the participants can carry out an act, although in the services included in the contracts, it appears that EDP would communicate such a distribution agreement to the marketing companies, for which it held the representation. The RAT also stated that data is communicated, among others, to (…)”. It should be noted that all processing of personal data must comply, on the one hand, with the principles relating to data processing set out in Article 5 of the GDPR and, on the other, with one of the principles relating to the lawfulness of processing listed in Article 6 of the Regulation (see, in this regard, the judgment of 16/01/2019, Deutsche Post, C-496/17, EU:C:2019:26, paragraph 57 and cited case law). Furthermore, whatever the legal basis legitimising the processing, any controller, and the respondent EDP is one, must respect the principles of processing set out in Article 5 of the GDPR. We will highlight Article 5.1.c) of the GDPR, which states that: “1. Personal data shall be c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);” Article that is related to recital 39 of the GDPR, which states on data processing that “…the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that their retention period is limited to a strict minimum. 
Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means.”

Also, related to the legal basis on which EDP entrusts the processing of data, article 6.1.b) of the GDPR, which indicates that “the processing will only be lawful if at least one of the following conditions is met: “the processing is necessary for the execution of a contract to which the interested party is a party…”. Article 5.1.c of the GDPR reflects the principle of proportionality (see judgment of 11/12/2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 48), in the sense that, if there are alternatives to fulfill the same purpose intended by the respondent, the least invasive must be chosen. The principle of proportionality must be observed since the use of personal data restricts rights and freedoms, such as the right to data protection, when processing such data.

Regarding the common characteristics of the administrative, technical, economic conditions of self-consumption of electrical energy, Royal Decree 244/2019 regulates them, and the modalities of self-consumption of electrical energy are defined in article 9 of Law 24/2013 of 26/12, of the Electrical Sector. One of the steps, almost at the end of the process of the self-consumption installation procedures, relates the distribution agreement of the consumers associated with the self-consumption, with the distributor/marketer of the electric energy (generally, with which each owner has contracted the service). The aforementioned Royal Decree 244/2019, establishes in Annex I, the format of the file that must be used to communicate the distribution coefficients to the distribution company. In principle, these "Distribution Agreements" signed by all participants, must be sent individually by each consumer to the distribution company, either directly or through its marketer.
If for the realization of the collective self-consumption it had been decided to form a community of renewable energies, it could exercise the representation of the associated consumers in all these procedures. Any other duly authorized agent can be a representative, acting as a self-consumption manager.

In ANNEX 1 of the aforementioned Royal Decree, it is indicated that “The energies and powers for billing and settlement purposes defined in article 3 of this Royal Decree will be calculated in accordance with the following: 1 “coefficients and requirements of the distribution coefficients””. For each consumer and participant in collective self-consumption, this coefficient will take the values that appear in an agreement signed by all the consumers participating in collective self-consumption and notified to the distribution company as in charge of reading the consumption.

On behalf of the txt file CAU CUPS coefficient

Model 5 of the IDAE Guide (Institute for Diversification, professional guide for self-consumption processing, edition v.5.1, January 2023) contains a model of an “agreement for the distribution of collective self-consumption energy, installations with surpluses not covered by compensation”, in an Excel sheet with the data of the consumer-owner of the supply, the NIF, CUPS and distribution coefficient, which is the document that must be signed. However, EDP sent other documents unrelated to the distribution agreement, which contained: telephone number, email, postal address of the holder, UTM and cadastral reference, which exceed the distribution document and were contained in different documents related to the power of representation to EDP to manage on behalf of each client, among others, the signing of the distribution agreement.

The Guide describes the steps necessary for the processing of self-consumption electricity generation installations.
The Guide establishes on page 12 that: “To carry out collective self-consumption, a renewable energy community may be established provided that the necessary requirements are met and it may act as a representative of the associated consumers when they grant the corresponding authorizations. However, collective self-consumption may be carried out without establishing a renewable energy community, simply by agreement between the consumers. Any other duly authorised agent may also be the representative, acting as a self-consumption manager.” The IDAE guide defines the difference between “marketing companies”, which are those that sell energy to consumers through supply contracts that are signed with them, and “distribution companies”, which are the owners of the electricity distribution network that provide the distribution service and are responsible for its management, operation and maintenance. They are responsible for analysing, and where appropriate, accepting or denying access and connection requests.”“They are also responsible for providing marketing companies with the necessary data so that billing and settlement of energy and of the tolls, charges and amounts that apply can be carried out.” According to the IDAE Guide, the distribution agreements must be sent by each consumer to the distribution company, directly or through its marketing company. (All consumers must send the same signed agreement) for collective self-consumption if it has been decided to form a renewable energy community, this may represent the associated consumers in all these procedures. Any other duly authorized agent can be a representative, acting as a self-consumption manager” (section 13 Distribution agreement and surplus compensation contract). Page 132 of the aforementioned Guide “collective self-consumption WITH surpluses not subject to compensation” reiterates that “it is necessary for the participants to sign an agreement with the criteria for distribution of the energy generated. 
This agreement must be signed by all associated consumers and sent individually by each associated consumer to the distribution company - directly or through its marketing company - In the file that consumers must send "in a plain text file with a "txt" extension that will contain the value of the coefficients of the consumers who participate in self-consumption", containing the fields: Self-consumption code, CUPS, time, coefficient.

In this specific case, the claimant states that an email is sent to him on 02/22/2023. ECODES and EDP acknowledge that it was sent on the latter's orders, containing a file that EDP transfers for submission to the participants in the self-consumption project (99 people), (FIVE of them legal entities) with two annexes. One of the attached annexes, in pdf “(...) (which responds to the CAU self-consumption code) List of powers.pdf”, certifies that it contains the DISTRIBUTION COEFFICIENTS, with personal data beyond the MINIMUM CONTENT that determines the applicable sectorial norm, because each participating partner is also sent the powers of representation with data that have no relation to the aforementioned distribution coefficient document.

Having analyzed the context of the sending of the cited email of 02/22/2023 in which the attached pdf file is sent with the data that are the subject of a claim regarding the progress in the self-consumption supply process, it indicated that it could be that the electricity marketers asked the participants, “a series of information on the self-consumption installation to which you are registered”, and it was instructed that “The documentation that each of you has to send them and that you We attach in this email the following: Distribution Coefficients Contract (PDF).” Thus, the context in which the email and the attached file are sent in the specific case has nothing to do with the repeated thesis of EDP that the distribution agreement
is sent for transparency and no element can be removed, because in that case it would not require the submission of the powers of each associate with their data or the data of the signed contract. The signed distribution agreement, for which the defendant held the power of the partners, must be distinguished from the documents that serve as a basis and instrument to achieve that distribution agreement. Alternatively, the content that EDP gave to that distribution agreement, introducing data of the participants that do not appear either in the Royal Decree that regulates the matter, or in the IDAE Guide. Finally, the provision in an annex sent to the participants by email, containing that information referring to participating persons that goes beyond the legitimacy for which the participants provided the data to EDP, framed in the purpose of the provision of the service, for which such data are not limited to what is necessary.

Neither the consent of each user to register for the project granted through a trusted third party, with the data contained therein (NIF, email, telephone number) would form part of said distribution agreement, both due to the nature of the document and its purposes and its lack of relation to the distribution agreement, being a mere instrument for its subsequent achievement. The same can be said of the general granting of powers for the various activities that make up the self-consumption project to EDP, which are also attached in the attachment sent by email. The address of the participating consumers was contained here, which may not be that of the supply headquarters, and their NIF. Therefore, the purpose of the case in question, according to the literal meaning of the email sent, does not respond to that reason but to the sending of the distribution agreement to the marketing company that contains the distribution coefficients.
It is therefore concluded that the principle of data minimization has been broken by sending the annex by email that contained part of the data that was inadequate, pertinent, and excessive for what was necessary in relation to the purposes for which they are processed. In this specific case, it is observed in a first internal aspect of the data processing that: - Each associated consumer gave power to the respondent, EDP, not only to sign the distribution agreement on behalf of each client, but also, among others: -quote literally from the document "power of representation" to EDP- for the "realization of the communications that are necessary in relation to the distribution agreement to the distribution company and the marketer with which the client has contracted the supply", so it is not understandable that all the data referred to in the attached file is sent to each associated consumer, since it would have been EDP SOLAR ESPAÑA, S.A.'s responsibility to send the said documentation to each distributor, not to each user. -Here, we are analyzing not what would be brought to the attention of the Distributor/Retailer, but what was brought to the attention of the associates in the “Barrio Solar” self-consumption project, and its necessity and proportionality. In order to recognize that the distribution agreement signed by all associated consumers identifies the holders, at least for the distributor/retailer, the aforementioned distribution agreement should also contain the name and surname as a necessary minimum identifying value. -The data: NIF, cadastral reference, address of each participant, telephone number and email are not necessary to be made known to all the participants in the self-consumption process. 
Having examined the circumstances and purpose of the sending, it is agreed that it was not necessary or pertinent and that EDP SOLAR ESPAÑA, S.A., has exceeded the limits of the content of personal data included in the attached file that is the subject of the claim, disseminating all the data among all the components of the aforementioned self-consumption. It is therefore considered that EDP SOLAR ESPAÑA may have infringed article 5.1.c) of the RGPD.

III Classification of the infringing conduct

In accordance with the evidence available, it is considered that the respondent has processed data that was excessive as it was not necessary, adequate or proportionate for the purpose pursued and intended. The known facts constitute an infringement, attributable to the respondent, of article 5.1.c) of the GDPR, with the scope expressed in the previous Legal Basis, which, if confirmed, could entail the commission of the infringement classified in article 83.5, a) of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides that: “Infringements of the following provisions shall be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is the greater amount: a) the basic principles for the treatment, including the conditions for consent under articles 5, 6, 7 and 9;”

In this regard, the LOPDGDD, in its article 71 establishes that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”. For the purposes of the limitation period, article 72 of the LOPDGDD indicates: “Article 72. Infringements considered very serious. “1.
Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and shall be subject to a three-year statute of limitations: a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679.”

IV Proposed sanction

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state: “Each supervisory authority shall ensure that the imposition of administrative fines in accordance with this Article for infringements of this Regulation indicated in paragraphs 4, 5 and 6 are effective, proportionate and dissuasive in each individual case.” “Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58, paragraph 2, letters a) to h) and j).
When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:
a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentionality or negligence of the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;
d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures implemented by them pursuant to Articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

Regarding section k) of Article 83.2 of the GDPR, the LOPDGDD, Article 76, “Penalties and corrective measures”, provides: “2.
In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continued nature of the infringement.
b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the affected party's conduct could have led to the commission of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party.”

Article 83.1 of the GDPR states that when imposing administrative fines for infringement of the GDPR, the Control Authority will ensure that they are in each case “effective, proportionate and dissuasive”. These criteria that govern the determination of the amount of the fine oblige all circumstances to be taken into consideration. In this case, the following circumstances are considered to be concurrent:

- Article 83.2.a) of the GDPR: “Nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered” The Agency considers that the nature of the infringement entails a loss of disposition and control over personal data to the participants in the self-consumption electricity project.
The data processed in the processing operation of sending the file improperly were: the cadastral reference, the UTM code, the telephone number, the email, the address of the holders, which is a circumstance that affected 99 users (FIVE of them legal entities).

- Article 83.2.b) of the GDPR. Intentionality or negligence in the infringement: The Supreme Court in its judgment of 23/10/2010 - appeal no. 1,067/2006 - points out that, "although the guilt of the conduct must also be the subject of proof, it must be considered in order to assume the corresponding burden, that ordinarily the volitional and cognitive elements necessary to assess it form part of the typical proven conduct, and that its exclusion requires that the absence of such elements be proven, or in its normative aspect, that the diligence that was required by the person claiming their nonexistence has been used; in short, invoking the absence of guilt is not enough for exculpation in the face of typically unlawful behavior."

There can be no talk of administrative sanction without the existence of the subjective element of guilt. The conduct of EDP SOLAR ESPAÑA, S.A., would not be punishable if there were no intent or fault. In the conduct of EDP, which acted as agent of a large number of people, bilaterally arranging, on the one hand, the service contracts with the self-consumption partners, and, on the other hand, managed the common distribution document, which was the one that had to be presented to the marketer. It was clear that, as agent, it could not ignore that the contract and mandate documents, that of the claimant dated 07/05/2021, prior to the distribution agreement document, dated 10/03/2022, contained components and their purposes were totally different.
The first, arising from the bilateral relationship associated with EDP SOLAR ESPAÑA, S.A., and mandate, while the distribution agreement had to contain a limited number of data of the entire group of users of self-consumption associated with the same project, among which were not those contained in the mandate and contract documents. A fact that seems clear. The fact of consulting the AEPD if the treatment was being carried out correctly, ignored that, in the email addressed to 99 people, (FIVE of them legal entities), there was an attached file that did not maintain the proportionality and necessity in the treatment of such data. EDP SOLAR ESPAÑA, S.A., has maintained throughout the entire transfer of the claim and in previous investigation actions, that its action conformed to the model established in the Royal Decree and in the IDAE Guide as determined in the model and annex, when it must obviously be recognized from the beginning that more data has been processed and communicated to the associates of self-consumption... Therefore, although the Agency considers that there was no intention on the part of EDP SOLAR ESPAÑA, S.A., there is a lack of diligence in this conduct, not ensuring compliance with the data protection that was incumbent on it.

With their deterrent effect, administrative fines contribute to reinforcing the protection of natural persons with regard to the processing of personal data and constitute, therefore, a key element to guarantee respect for the rights of said persons, in accordance with the purpose of the aforementioned Regulation to ensure a high level of protection of these persons with regard to the processing of personal data, which lead to determining that the fine to be imposed is 70,000 euros, without prejudice to what results from the instruction of the procedure.
V Adoption of measures

If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may "order the person responsible or in charge of the treatment that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period...". The imposition of this measure is compatible with the sanction consisting of an administrative fine, according to the provisions of art. 83.2 of the RGPD. Please note that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure. In relation to the measure, you must adjust the data processing when communicating to participants the data that is strictly necessary. Therefore, this measure would be imposed within 30 days from the notification of the resolution issued.

Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency,

IT IS AGREED:

FIRST: TO INITIATE SANCTIONING PROCEDURE against EDP SOLAR ESPAÑA, S.A., with NIF A74466178, for the alleged infringement of article 5.1 c) of the RGPD, in accordance with article 83.5.a) of the RGPD, and classified as very serious for the purposes of prescription in article 72.1.a) of the LOPDGDD.

SECOND: TO APPOINT B.B.B. as instructor
and, as secretary, to C.C.C., indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of 1/10, on the Legal Regime of the Public Sector (LRJSP). THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure. FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations, (hereinafter, LPACAP), the sanction that may correspond would be 70,000 euros, without prejudice to what results from the instruction. FIFTH: NOTIFY this agreement to EDP SOLAR ESPAÑA, S.A., with NIF A74466178, granting it a hearing period of ten working days to formulate the allegations and present the evidence it considers appropriate. In its written allegations, it must provide its NIF and the file number that appears in the heading of this document. If within the stipulated period it does not make allegations to this initiation agreement, it may be considered a resolution proposal, as established in article 64.2.f) of the LPACAP. In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your responsibility within the period granted for the formulation of allegations to this initiation agreement; which will entail a 20% reduction of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at 56,000 euros, the procedure being resolved with the imposition of this sanction. Likewise, you may, at any time prior to the resolution of this procedure, make the voluntary payment of the proposed sanction, which will entail a 20% reduction of its amount. 
With the application of this reduction, the sanction would be set at 56,000 euros, and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for voluntary payment of the fine may be added to the reduction that must be applied for the acknowledgment of liability, provided that this acknowledgment of liability is made clear within the period granted for making objections to the opening of the procedure. Voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be set at 42,000 euros. In any case, the effectiveness of any of the two reductions mentioned will be conditioned to the withdrawal or waiver of any action or appeal through administrative course against the sanction. If you choose to proceed with the voluntary payment of any of the amounts indicated above 56,000 euros, or 42,000 euros, you must make the payment by depositing it in the account number IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you are entitled. Likewise, you must send proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid. The procedure will have a maximum duration of twelve months from the date of the start agreement. After this period, it will expire and, consequently, the proceedings will be archived; in accordance with the provisions of article 64 of the LOPDGDD. 
In compliance with articles 14, 41 and 43 of the LPACAP, you are advised that, from now on, the notifications sent to you will be made exclusively electronically, through the Single Authorized Electronic Address (dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the file, considering the procedure to be carried out and the procedure to be followed. You are informed that you can identify an email address with this Agency to receive the notice of the availability of notifications and that the lack of practice of this notice will not prevent the notification from being considered fully valid. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

935-30102023
Mar España Martí
Director of the Spanish Data Protection Agency
>>

SECOND: On December 5, 2024, the respondent party has proceeded to pay the fine in the amount of 42,000 euros using the two reductions provided for in the initiation agreement transcribed above, which implies the recognition of responsibility.

THIRD: Payment made within the period granted to submit objections to the opening of the procedure entails the waiver of any action or appeal through administrative course against the sanction and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement and its legal qualification.
FOURTH: In the Initiation Agreement transcribed above it was indicated that, if the infringement were confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may "order the person responsible or in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period...". Having recognized the responsibility for the infringement, the imposition of the measures included in the Initiation Agreement is appropriate.

BASIS OF LAW

I Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Presidency of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures" provides the following: "1.
Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is of a purely monetary nature or when it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for the damages and losses caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, which may be accumulated with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation."

In accordance with the above, the Presidency of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202305278, in accordance with the provisions of article 85 of the LPACAP.

SECOND: ORDER EDP SOLAR ESPAÑA, S.A. to notify the Agency within 30 days from the date this resolution becomes final and enforceable of the adoption of the measures described in the legal grounds of the Initiation Agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to EDP SOLAR ESPAÑA, S.A.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of the aforementioned Law.

1259-101224

Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with art. 48.2 LOPDGDD, due to vacancy in the position of President and Deputy