AEPD (Spain) - EXP202303792
AEPD - EXP202303792 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 58(1) GDPR; Article 83(2)(b) GDPR; Article 83(2)(k) GDPR; §63 LOPDGDD; §64 LOPDGDD; §65 LOPDGDD; §72 LOPDGDD; LPACAP |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 10.04.2023 |
Decided: | 17.05.2023 |
Published: | 27.01.2025 |
Fine: | 48000 EUR |
Parties: | Birou Gas, S.L |
National Case Number/Name: | EXP202303792 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | Agencia Espanola Proteccion datos (in ES) |
Initial Contributor: | r_e_ |
The DPA imposed a fine of €48,000 on an energy company for failing to provide access to information required by the DPA as part of its investigative powers granted under Article 58(1) GDPR.
English Summary
Facts
The DPA received a complaint against the controller Birou Gas S.L, following which the DPA requested information from the controller as part of the investigation process. Two initial requests were answered by the controller within the 10 working day deadline. However, the controller did not respond to two later requests for information, received on 1 and 2 February 2023.
The DPA initiated fine procedures on 10 April 2023 for the controller’s infringement of Article 58(1) GDPR in failing to respond to the requests for information. The controller subsequently requested suspension of the proposed fine because the person in charge of downloading the requests for information had been dismissed during this time, which was why the requests were misplaced by the controller. The controller also argued that the fine should be calculated according to the annual turnover of the company authorised by the controller to be the signatory to the contract agreed with the initial complainant.
Holding
The DPA found that the controller had violated Article 58(1) GDPR in failing to respond to the requests for information. The DPA did not accept the controller’s arguments regarding the dismissal of the person in charge of downloading the notifications, as receipts were available showing the controller had accepted the notifications on 2 February 2023. The fact that the controller had previously responded to requests for information was also not relevant to the current fine procedure.
Additionally, the DPA did not accept the controller’s argument that the fine recipient should be the contract signatory, as the requests for information were sent to the controller.
The DPA took the following factors into account when issuing an administrative fine of €48,000 to the controller (Article 83(2)(b) GDPR):
- the controller was aware of the DPA’s actions to clarify the facts by receiving successive requests and requirements for information but intentionally or negligently omitted the information required; and
- the controller had been active since 2014, together with an annual turnover of approximately €50,000,000, so it should have established procedures for compliance with data protection regulation obligations (including responding to DPA requests via a reliable procedure that ensured requests were answered).
The DPA also applied a further aggravating factor by considering the financial benefits obtained or the losses avoided from the infringement (Article 83(2)(k) GDPR). The controller’s lack of response hindered the DPA's work of supervising the guarantees for the processing of new clients' personal data collected on the controller's behalf by third parties, which the controller used to obtain new income.
A fine of €60,000 was originally ordered, but was reduced by 20% to €48,000 following the controller’s voluntary agreement to pay the fine.
Comment
The DPA archived the original complaint against the controller, EXP202202261, due to a lack of sufficient information to make a determination on the matters complained of by the complainant.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202303792
RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On April 10, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BIROU GAS, S.L. (hereinafter the respondent party). Once the start agreement was notified and after analyzing the allegations presented, on May 17, 2023, the resolution proposal was issued, which is transcribed below:
<< File No.: EXP202303792
From the procedure instructed by the Spanish Data Protection Agency and based on the following:
BACKGROUND
FIRST: As a result of a claim filed with the Spanish Data Protection Agency against BIROU GAS, S.L. with NIF B39806062 (hereinafter, the respondent party), with indications of a possible breach of the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), proceedings were initiated with file number EXP202202261.
In accordance with the provisions of article 65 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD hereinafter), the claim was forwarded to the person responsible or to the Data Protection Officer that he or she had designated, requesting that he or she send to this Agency the information and documentation indicated.
On February 25, 2022, in a registered entry document with number O00007128e2200009122, the respondent party presents a copy of the contract signed with the complainant and states that said contract was entered by MULTIGAS ASESORES, S.L. and that they carried out the registration since all the data was correct.
As there were reasonable indications of a possible violation of the rules within the scope of the powers of the Spanish Data Protection Agency, the claim was admitted for processing on April 11, 2022.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
SECOND: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the investigative powers granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section two, of the aforementioned LOPDGDD.
Within the framework of the investigation actions, two requests for information were sent to the respondent party, relating to the claim mentioned in the first section, so that within ten working days it would submit to this Agency the information and documentation indicated therein. The first of them was registered as outgoing on June 21, 2022, while the second was registered on September 28, 2022.
THIRD: The requests for information, which were notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), were collected by the respondent party on June 22, 2022 and September 29, 2022, as shown in the receipts in the file.
FOURTH: On October 6, 2022, the respondent sent to this Agency the registered entry document with the number REGAGE22e00044783031. In this document, the respondent again presents the copy of the contract signed with the complainant. In addition, it states that the complainant requested the contract and the recordings and that, since there were no recordings because it was a face-to-face sale, the complainant sent the contract by email. It also adds that the complainant requested information on how the contract was made, to which it was responded that the contract was generated by the company MULTIGAS ASESORES, S.L. In relation to the contract, the respondent indicates that it provides screenshots of the data it has.
FIFTH: The respondent party having stated in the documents with registration numbers O00007128e2200009122 and REGAGE22e00044783031 that the contract was carried out on September 24, 2021 through the third party MULTIGAS ASESORES, S.L., in relation to these facts two requests for information were sent to the respondent party, so that within ten business days it would submit to this Agency information and documentation on the contract of assignment with that third party. The first of them was registered as leaving on February 1, 2023, while the second was registered on February 2, 2023.
The information requests, which were notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), were collected by the respondent party on February 2, 2023, as stated in the acknowledgements of receipt in the file.
SIXTH: Regarding the requested information, the respondent party has not sent a response to this Spanish Data Protection Agency within the time limits granted for this purpose within the framework of the actions with file number EXP202202261.
SEVENTH: According to the report collected from the AXESOR tool, the entity BIROU GAS, S.L. is a SME (Medium), established in 2014, and with a turnover of 49,848,815 euros in 2021.
EIGHTH: On April 10, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party, in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged infringement of Article 58.1 of the GDPR, classified in Article 83.5 of the GDPR.
NINTH: The aforementioned initiation agreement was collected by the respondent party on April 11, 2023, as stated in the acknowledgment of receipt in the file.
TENTH: On April 24, 2023 and with entry registration number REGAGE23e00026031401, the respondent party submitted a written statement of allegations in which it states, with an express request for suspension of the payment period for the proposed fine, that the person in charge of downloading the notifications of the uncontested requests for information was dismissed during the period in which said notifications were produced, which was the reason why they were misplaced and not downloaded in an absolutely involuntary manner by the respondent party. To prove this, the respondent party offers to provide the documentation that is considered necessary.
Regarding the information requested, the respondent party indicates that the contract by which MULTIGAS ASESORES is authorized to attract clients for both services and supplies was not signed by the respondent party but by the company DIGITALIZACIÓN ENERGÉTICA, S.L., with CIF B02827335, which is contracted by the respondent party to carry out the work of attracting and contracting commercial channels. A contract is provided between DIGITALIZACIÓN ENERGÉTICA, S.L. and the respondent party, in which it appears in its annex I that the person responsible for the treatment is the respondent party.
In turn, the respondent party indicates that MULTIGAS ASESORES is the commercial name used to carry out its activity by A.A.A., with DNI ***NIF.1, and a contract is provided between DIGITALIZACIÓN ENERGÉTICA, S.L. and A.A.A., which states in its annex I that the data controller is DIGITALIZACIÓN ENERGÉTICA, S.L. It adds that the attached contract contains the Code of Good Commercial Practices that must govern the actions of the salesperson and regulate the conditions under which the contract must be carried out.
Additionally, the respondent explains that the policy for validating contracts is carried out by its Distributor customer service department, in which a verification procedure has been established for both the documentation that is provided and the contracts that are intended to be registered through the different commercial channels. The respondent clarifies that in this procedure different verifications are carried out, depending on the type of contract, the type of consumer and the Channel that carries out the acquisition, and in the event that any irregularity is detected, the process is terminated with a verification call to the specific client.
The respondent also provides the internal validation code that it carries out and states that this procedure was the one followed to verify the veracity of the documents and data that appear in the claimant's contract.
It reiterates that it did not respond to the latest requests made by this Agency because the person responsible for the download was dismissed from the company, and due to an administrative error, these notifications remained pending download and answer, proof of this being that the previous ones were downloaded and answered in the time frame, providing the requested documentation.
As for the amount of the penalty, the respondent argues that the company that contracts with MULTIGAS ASESORES is DIGITALIZACIÓN ENERGÉTICA, S.L., so it understands that, in the event of a penalty being imposed, in application of article 83.5 of the GDPR, it should be adapted to 4% of the total global volume of the annual exercise of the latter company and not of BIROU GAS S.L.
Finally, the respondent requests that, having already attended to the requests for information and taking into account the circumstances that occurred regarding its notification, the present sanctioning procedure be filed without any penalty being imposed or, taking into account the principle of proportionality of administrative sanctions, a sanction be imposed at a minimum level.
ELEVENTH: A list of documents included in the procedure is attached as an annex.
From the actions carried out in this procedure and from the documentation in the file, the following have been proven:
PROVEN FACTS
FIRST: The requests for information indicated in the fifth antecedent were notified to the respondent party in accordance with the provisions of the LPACAP and recorded as proven in the receipts in the file.
SECOND: The respondent party has not responded to the requests for information made by the Agency before the agreement to initiate this sanctioning procedure was issued.
THIRD: The notification of the agreement to initiate this sanctioning procedure was received by the respondent party on April 11, 2023.
FOURTH: The respondent party has submitted objections to the agreement to initiate this sanctioning procedure included in the tenth antecedent.
FUNDAMENTALS OF LAW
I Competence
In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Objections to the initiation agreement
In response to the objections presented by the respondent party, the following should be noted.
The requests for information that were not attended to, for which a response period of ten working days was granted, were duly notified on February 2, 2023, as stated in the receipts included in the file. Therefore, the statement made by the respondent party regarding the notifications remaining pending download cannot be accepted by this Agency, since the respondent entity appeared before the DEHÚ through its representative, accepting the notifications made available to it on the indicated date.
Likewise, the start of the sanctioning procedure was agreed on April 10, 2023, without any response to said requests having been received until that date. The response to the requests for information during the investigation of this procedure does not affect the existence of the proven facts constituting an infringement.
With regard to the information provided with the intention of responding to the requests for information in file EXP202202261, this Agency acknowledges receipt and incorporates it into said file, without this statement implying any pronouncement on it.
Based on the information provided, the Court also requests that the penalty be imputed to the entity DIGITALIZACIÓN ENERGÉTICA, S.L., as it is the party contracting with MULTIGAS ASESORES, pursuant to Article 83.5 of the GDPR. In this regard, it should be noted that this issue should have been clarified, where appropriate, in file EXP202202261 which was resolved on March 27, 2023.
In the present procedure, the infringement is only attributable to BIROU GAS, S.L., since it is caused by the lack of response to the requests for information made by this Agency to this entity, as reflected in the facts and in the grounds of the initiation agreement and this resolution proposal.
Finally, regarding the request for suspension of the payment period of the proposed fine, it is reported that the deadlines reported in the initiation agreement correspond to the possibility of taking advantage of the reductions regulated in article 85 of the LPACAP prior to the end of the procedure. The first reduction of 20% is linked to the recognition of responsibility within the period granted for the formulation of the allegations to the initiation agreement. The second, to the voluntary payment of the proposed fine at any time prior to the resolution of the present procedure. These reductions can only be made in the indicated cases and with the reported conditions, and their extension does not correspond to other periods or procedural moments other than those indicated.
As reported in the final part of this resolution proposal, you may still benefit from the second reduction corresponding to the voluntary payment of the proposed fine. If you do not benefit from voluntary advance payment, the corresponding period for payment of the fine will formally begin when the resolution ending the procedure is issued and it becomes enforceable.
III Obligation not fulfilled
According to the evidence available, it is considered that the respondent party has not provided the Spanish Data Protection Agency with the information it required.
With the aforementioned conduct of the respondent party, the power of investigation that Article 58.1 of the GDPR confers on the control authorities, in this case, the AEPD, has been hindered.
Therefore, the facts described in the section “Proven facts” are considered to constitute an infringement, attributable to the respondent party, for violation of Article 58.1 of the GDPR, which provides that each supervisory authority shall have, among its investigative powers:
“a) order the controller and the processor and, where applicable, the representative of the controller or the processor, to provide any information required for the performance of their tasks;
b) carry out investigations in the form of data protection audits;
c) carry out a review of the certifications issued pursuant to Article 42, paragraph 7;
d) notify the controller or the processor of the alleged infringements of this Regulation;
e) obtain from the controller and the processor access to all personal data and all information necessary for the performance of their tasks;
(f) obtain access to all premises of the controller and the processor, including any data processing equipment and means, in accordance with Union or Member State procedural law.”
IV Classification and qualification of the infringement
In accordance with the evidence available, it is considered that the facts set forth could constitute an infringement, attributable to the respondent party.
This infringement is classified under Article 83.5.e) of the GDPR, which considers as such: “failing to provide access in breach of Article 58, paragraph 1.”
The same article establishes that this infringement may be sanctioned with a fine of twenty million euros (€20,000,000) as a maximum or, in the case of a company, an amount equivalent to four percent (4%) as a maximum of the total global annual turnover of the previous financial year, choosing the higher amount.
For the purposes of the limitation period for infringements, the imputed infringement has a three-year statute of limitations, in accordance with article 72.1 of the LOPDGDD, which classifies the following conduct as very serious:
“ñ) Not facilitating access by the personnel of the competent data protection authority to personal data, information, premises, equipment and means of processing that are required by the data protection authority for the exercise of its investigative powers.
o) Resistance or obstruction of the exercise of the inspection function by the competent data protection authority.”
V Proposed sanction
In light of the facts set out, it is considered that the respondent party should be charged with violating Article 58.1 of the GDPR, as defined in Article 83.5 e) of the GDPR. The sanction that should be imposed is an administrative fine.
The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. Consequently, the sanction to be imposed must be graduated in accordance with the criteria established in article 83.2 of the GDPR, and with the provisions of article 76 of the LOPDGDD, with respect to section k) of the aforementioned article 83.2 GDPR.
It is noted that no mitigating circumstances apply and the following facts have been considered as aggravating circumstances:
- Art. 83.2 b) GDPR: the intentionality or negligence in the infringement. This is a company that is aware of the actions that this Agency is carrying out to clarify the facts that are the subject of the claim by receiving successive requests and requirements for information, and that, despite this knowledge, intentionally or negligently, omits the information required to clarify its legal relationship with the third party in which the liability arises.
In addition, this is a company that has been active since 2014, and a turnover of close to 50 million euros, so it should have established procedures for compliance with the obligations contemplated in the data protection regulations, among them, to respond to the requests of the control authority, having established a procedure to not leave the notifications made by this Agency unanswered, also taking into account that, contrary to what was stated by the respondent, these notifications were carried out reliably.
- Art. 83.2 k) GDPR: any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement. By not responding to the request for information made, the respondent party is hindering this Agency's work of supervising the guarantees of the processing of personal data of new clients collected for it by third parties, and which the respondent uses to obtain new income.
In view of the above, the following is issued:
PROPOSED RESOLUTION
That the Director of the Spanish Data Protection Agency sanction BIROU GAS, S.L., with NIF B39806062, for an infringement of Article 58.1 of the RGPD, classified in Article 83.5 of the RGPD, with a fine of €60,000.00 (sixty thousand euros).
Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you are informed that you may, at any time prior to the resolution of this procedure, make the voluntary payment of the proposed penalty, which will imply a reduction of 20% of the amount of the penalty. With the application of this reduction, the penalty would be set at 48,000.00 euros and its payment will imply the termination of the procedure. The effectiveness of this reduction will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the penalty.
If you choose to make voluntary payment of the amount specified above, in accordance with the provisions of article 85.2 cited above, you must make the payment by depositing it in the restricted account number IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason, due to voluntary payment, for the reduction of the amount of the penalty. You must also send proof of payment to the General Subdirectorate of Inspection to proceed with closing the file.
By virtue of this, you are hereby notified of the above, and the procedure is made known to you so that within a period of TEN DAYS you may allege whatever you consider in your defense and submit the documents and information that you consider pertinent, in accordance with article 89.2 of the LPACAP.
1105-020323
B.B.B.
INSTRUCTOR
ANNEX
File index EXP202303792
- 03/09/2023 Internal note
- 03/22/2023 COMMERCIAL_REPORT_BIROU_GAS_SL
- 03/23/2023 Diligence
- 04/11/2023 Agreement to start with BIROU GAS, S.L.
- 04/24/2023 Response to BIROU GAS SL's request
>>
SECOND: On May 25, 2023, the respondent party has proceeded to pay the fine in the amount of 48,000 euros, making use of the reduction provided for in the resolution proposal transcribed above.
THIRD: The payment made entails the waiver of any action or appeal in administrative course against the fine, in relation to the facts referred to in the resolution proposal.
LEGAL BASIS
I Competence
In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Termination of the procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination of sanctioning procedures" provides the following:
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is of a purely monetary nature or when it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for the damages and losses caused by the commission of the infringement.
3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, which may be accumulated with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.”
In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DECLARE the termination of procedure EXP202303792, in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to BIROU GAS, S.L.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.
968-171022
Mar España Martí
Director of the Spanish Data Protection Agency