Banner1.jpg

AEPD (Spain) - EXP202303792

From GDPRhub
AEPD - EXP202303792
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 58(1) GDPR
Article 83(2)(b) GDPR
Article 83(2)(k) GDPR
§63 LOPDGDD
§64 LOPDGDD
§65 LOPDGDD
§72 LOPDGDD
LPACAP
Type: Investigation
Outcome: Violation Found
Started: 10.04.2023
Decided: 17.05.2023
Published: 27.01.2025
Fine: 48000 EUR
Parties: Birou Gas, S.L
National Case Number/Name: EXP202303792
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: Agencia Espanola Proteccion datos (in ES)
Initial Contributor: r_e_

The DPA imposed a fine of €48,000 on a energy company for failing to provide access to information required by the DPA as part of its investigative powers granted under Article 58(1) GDPR.

English Summary

Facts

The DPA received a complaint against the controller Birou Gas S.L, following which the DPA requested information from the controller as part of the investigation process. Two initial requests were answered by the controller within the 10 working day deadline. However, the controller did not respond to two later requests for information, received on 1 and 2 February 2023.

The DPA initiated fine procedures on 10 April 2023 for the controller’s infringement of Article 58(1) GDPR in failing to respond to the requests for information. The controller subsequently requested suspension of the proposed fine because the person in charge of downloading the requests for information had been dismissed during this time, which was why the requests were misplaced by the controller. The controller also argued that the fine should be calculated according to the annual turnover of the company authorised by the controller to be the signatory to the contract agreed with the initial complainant.

Holding

The DPA found that the controller had violated Article 58(1) GDPR in failing to respond to the requests for information. The DPA did not accept the controller’s arguments regarding the dismissal of the person in charge of downloading the notifications, as receipts were available showing the controller had accepted the notifications on 2 February 2023. The fact the controller had previously responded to requests for information was also not relevant to the current fine procedure.

Additionally, the DPA did not accept the controller’s argument that the fine recipient should be the contract signatory, as the requests for information were sent to the controller.

The DPA took the following factors into account when issuing an administrative fine of €48,000 to the controller (Article 83(2)(b) GDPR):

- the controller was aware of the DPA’s actions to clarify the facts by receiving successive requests and requirements for information but intentionally or negligently omitted the information required; and

- the controller had been active since 2014, together with an annual turnover of approximately €50,000,000, so it should have established procedures for compliance with data protection regulation obligations (including responding to DPA requests via a reliable procedure that ensured requests were answered).

The DPA also applied a further aggravating factor by considering the financial benefits obtained or the losses avoided from the infringement (Article 83(2)(k) GDPR). The controller’s lack of response hindered the DPA's work of supervising the guarantees of the personal data processing of new clients on behalf of the controller by third parties, and which the controller used to obtain new income.

A fine of €60,000 was originally ordered, but reduced by 20% to €48,000 following the controller’s voluntary agreement to pay the fine.

Comment

The DPA archived the original complaint against the controller, EXP202202261, due to a lack of sufficient information to make a determination on the matters complained of by the complainant.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/10

 File No.: EXP202303792

RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY

PAYMENT

From the procedure instructed by the Spanish Data Protection Agency and based

on the following

BACKGROUND

FIRST: On April 10, 2023, the Director of the Spanish Data Protection Agency

agreed to initiate sanctioning proceedings against BIROU GAS, S.L. (hereinafter

the respondent party). Once the start agreement was notified and after analyzing the allegations presented, on May 17, 2023, the resolution proposal was issued, which is transcribed below:

<<

File No.: EXP202303792

From the procedure instructed by the Spanish Data Protection Agency and based on
the following:

BACKGROUND

FIRST: As a result of a claim filed with the Spanish Data Protection Agency
against BIROU GAS, S.L. with NIF B39806062 (hereinafter, the

respondent party), with indications of a possible breach of the provisions of Regulation (EU) 2016/679 (General Data Protection Regulation,
hereinafter RGPD), proceedings were initiated with file number EXP202202261.

In accordance with the provisions of article 65 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights

(LOPDGDD hereinafter), the claim was forwarded to the person responsible or to the Data Protection Officer that he or she had designated, requesting that he or she send
to this Agency the information and documentation indicated.

On February 25, 2022, in a registered entry document with number

O00007128e2200009122, the respondent party presents a copy of the contract signed with
the complainant and states that said contract was entered by MULTIGAS
ASESORES, S.L. and that they carried out the registration since all the data was correct.

As there were reasonable indications of a possible violation of the rules within the scope of the powers of the Spanish Data Protection Agency, the claim was admitted for processing on April 11, 2022.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/10

SECOND: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the investigative powers granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section two, of the aforementioned LOPDGDD.

Within the framework of the investigation actions, two requests for information were sent to the respondent party,
relating to the claim mentioned in the first section,

so that within ten working days it would submit to this Agency the information and
documentation indicated therein. The first of them was
registered as outgoing on June 21, 2022, while the second was registered
on September 28, 2022.

THIRD: The requests for information, which were notified in accordance with the
rules established in Law 39/2015, of October 1, on the Common Administrative
Procedure of Public Administrations (hereinafter, LPACAP),
were collected by the respondent party on June 22, 2022 and September 29, 2022, as shown in the receipts in the file.

FOURTH: On October 6, 2022, the respondent sent to this Agency the
registered entry document with the number REGAGE22e00044783031. In this document,
the respondent again presents the copy of the contract signed with the
complainant. In addition, it states that the complainant requested the contract and the
recordings and that, since there were no recordings because it was a face-to-face sale, the
complainant sent the contract by email. It also adds that the complainant
requested information on how the contract was made, to which it was responded that the
contract was generated by the company MULTIGAS ASESORES, S.L. In relation to the
contract, the respondent indicates that it provides screenshots of the data it has.

FIFTH: The respondent party having stated in the documents with registration numbers O00007128e2200009122 and REGAGE22e00044783031 that the contract was carried out on September 24, 2021 through the third party MULTIGAS ASESORES, S.L., in relation to these facts two requests for information were sent to the respondent party, so that within ten business days it would submit to this Agency information and documentation on the contract of assignment with that third party. The first of them was registered as leaving on February 1, 2023,
while the second was registered on February 2, 2023.

The information requests, which were notified in accordance with the rules
established in Law 39/2015, of October 1, on the Common Administrative

Procedure of Public Administrations (hereinafter, LPACAP), were collected by
the respondent party on February 2, 2023, as stated in the
acknowledgements of receipt in the file.

SIXTH: Regarding the requested information, the respondent party has not sent

a response to this Spanish Data Protection Agency within the time limits granted
for this purpose within the framework of the actions with file number EXP202202261.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/10

SEVENTH: According to the report collected from the AXESOR tool, the entity
BIROU GAS, S.L. is a SME (Medium), established in 2014, and with a
turnover of 49,848,815 euros in 2021.

EIGHTH: On April 10, 2023, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against the respondent party,
in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged
infringement of Article 58.1 of the GDPR, classified in Article 83.5 of the GDPR.

NINTH: The aforementioned initiation agreement was collected by the respondent party on April 11, 2023, as stated in the acknowledgment of receipt in the file.

TENTH: On April 24, 2023 and with entry registration number
REGAGE23e00026031401, the respondent party submitted a written statement of allegations in which

it states, with an express request for suspension of the payment period for the proposed fine, that the person in charge of downloading the notifications of the
uncontested requests for information was dismissed during the period in which said notifications were
produced, which was the reason why they were misplaced and not downloaded in an absolutely involuntary manner by the respondent party. To
prove this, the respondent party offers to provide the documentation that

is considered necessary. Regarding the information requested, the respondent party indicates that the contract by which MULTIGAS ASESORES is authorized to attract clients for both services and supplies was not signed by the respondent party but by the company DIGITALIZACIÓN ENERGÉTICA, S.L., with CIF B02827335, which is contracted by the respondent party to carry out the work of attracting and contracting commercial channels. A contract is provided between DIGITALIZACIÓN ENERGÉTICA, S.L. and the respondent party, in which it appears in its annex I that the person responsible for the treatment is the respondent party.

In turn, the respondent party indicates that MULTIGAS ASESORES is the commercial name used to carry out its activity by A.A.A., with DNI ***NIF.1, and a contract is provided between DIGITALIZACIÓN ENERGÉTICA, S.L. and A.A.A., which states
in its annex I that the data controller is DIGITALIZACIÓN ENERGÉTICA,
S.L.

It adds that the attached contract contains the Code of Good Commercial Practices that must govern the actions of the salesperson and regulate the
conditions under which the contract must be carried out.

Additionally, the respondent explains that the policy for validating contracts is carried out by its
Distributor customer service department, in which a verification procedure has been established for both the documentation that is provided and the contracts that are intended to be registered through the different commercial channels.

The respondent clarifies that in this procedure different verifications are carried out, depending on the type of contract, the type of consumer and the Channel that carries out the acquisition, and in the event that any irregularity is detected, the process is terminated with a verification call to the specific client.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/10

The respondent also provides the internal validation code that it carries out
and states that this procedure was the one followed to verify the veracity of

the documents and data that appear in the claimant's contract.

It reiterates that it did not respond to the latest requests made by this Agency
because the person responsible for the download was dismissed from the company, and due to an
administrative error, these notifications remained pending download and
answer, proof of this being that the previous ones were downloaded and answered in

the time frame, providing the requested documentation.

As for the amount of the penalty, the respondent argues that the company that
contracts with MULTIGAS ASESORES is DIGITALIZACIÓN ENERGÉTICA, S.L., so
it understands that, in the event of a penalty being imposed, in application of article 83.5 of

the GDPR, it should be adapted to 4% of the total global volume of the annual exercise of
the latter company and not of BIROU GAS S.L.

Finally, the respondent requests that, having already attended to the requests for
information and taking into account the circumstances that occurred regarding its
notification, the present sanctioning procedure be filed without any

penalty being imposed or, taking into account the principle of proportionality of administrative
sanctions, a sanction be imposed at a minimum level.

ELEVENTH: A list of documents included in the procedure is attached as an annex.

From the actions carried out in this procedure and from the documentation in the file, the following have been proven:

PROVEN FACTS

FIRST: The requests for information indicated in the fifth antecedent
were notified to the respondent party in accordance with the provisions of the LPACAP and
recorded as proven in the receipts in the file.

SECOND: The respondent party has not responded to the requests for information
made by the Agency before the agreement to initiate this sanctioning
procedure was issued.

THIRD: The notification of the agreement to initiate this sanctioning
procedure was received by the respondent party on April 11, 2023.

FOURTH: The respondent party has submitted objections to the agreement to initiate this
sanctioning procedure included in the tenth antecedent.

FUNDAMENTALS OF LAW

I
Competence

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/10

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency shall be governed by the provisions
of Regulation (EU) 2016/679, by this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

II
Objections to the initiation agreement

In response to the objections presented by the respondent party, the
following should be noted.

The requests for information that were not attended to, for which a response period of ten working days was granted, were duly notified on February 2,
2023, as stated in the receipts included in the file. Therefore, the statement made by the respondent party regarding the notifications remaining pending

download cannot be accepted by this Agency, since the respondent entity appeared before the DEHÚ
through its representative, accepting the notifications made available to it on the indicated date.

Likewise, the start of the sanctioning procedure was agreed on April 10, 2023, without

any response to said requests having been received until that date. The
response to the requests for information during the investigation of this
procedure does not affect the existence of the proven facts constituting an
infringement.

With regard to the information provided with the intention of responding to

the requests for information in file EXP202202261, this Agency
acknowledges receipt and incorporates it into said file, without this statement
implying any pronouncement on it.

Based on the information provided, the Court also requests that the penalty be imputed to the

entity DIGITALIZACIÓN ENERGÉTICA, S.L., as it is the party contracting with MULTIGAS
ASESORES, pursuant to Article 83.5 of the GDPR. In this regard, it should be noted that this
issue should have been clarified, where appropriate, in file EXP202202261
which was resolved on March 27, 2023. In the present procedure, the
infringement is only attributable to BIROU GAS, S.L., since it is caused by the

lack of response to the requests for information made by this Agency
to this entity, as reflected in the facts and in the grounds of the initiation
agreement and this resolution proposal.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/10

Finally, regarding the request for suspension of the payment period of the proposed fine, it is reported that the deadlines reported in the initiation agreement correspond to the possibility of taking advantage of the reductions regulated in article 85 of the LPACAP prior to the end of the procedure. The first reduction of 20% is linked to the recognition of responsibility within the period granted for the formulation of the allegations to the initiation agreement. The second, to the voluntary payment of the proposed fine at any time prior to the resolution of the present procedure. These reductions can only be made in the indicated cases and with the reported conditions, and their extension does not correspond to other periods or procedural moments other than those indicated. As reported in the
final part of this resolution proposal, you may still benefit from the second
reduction corresponding to the voluntary payment of the proposed fine. If you do not benefit from
voluntary advance payment, the corresponding period for payment of the fine will
formally begin when the resolution ending the procedure is issued and

it becomes enforceable.

III
Obligation not fulfilled

According to the evidence available, it is considered that the respondent party has
not provided the Spanish Data Protection Agency with the information it
required.

With the aforementioned conduct of the respondent party, the power of investigation that

Article 58.1 of the GDPR confers on the control authorities, in this case, the AEPD,
has been hindered.

Therefore, the facts described in the section “Proven facts” are considered
to constitute an infringement, attributable to the respondent party, for violation of
Article 58.1 of the GDPR, which provides that each supervisory authority shall have, among

its investigative powers:

“a) order the controller and the processor and, where applicable, the
representative of the controller or the processor, to provide any information
required for the performance of their tasks; b) carry out investigations in

the form of data protection audits; c) carry out a review of the
certifications issued pursuant to Article 42, paragraph 7; d) notify the
controller or the processor of the alleged infringements of this
Regulation; e) obtain from the controller and the processor access
to all personal data and all information necessary for the performance of their

tasks; (f) obtain access to all premises of the controller and the processor, including any data processing equipment and means, in accordance with Union or Member State procedural law.”

IV
Classification and qualification of the infringement

In accordance with the evidence available, it is considered that the facts set forth could constitute an infringement, attributable to the respondent party.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/10

This infringement is classified under Article 83.5.e) of the GDPR, which considers as such: “failing to
provide access in breach of Article 58, paragraph 1.”

The same article establishes that this infringement may be sanctioned with a fine of
twenty million euros (€20,000,000) as a maximum or, in the case of a
company, an amount equivalent to four percent (4%) as a maximum of the
total global annual turnover of the previous financial year, choosing the
higher amount.

For the purposes of the limitation period for infringements, the imputed infringement
has a three-year statute of limitations, in accordance with article 72.1 of the LOPDGDD, which classifies the following conduct as
very serious:

“ñ) Not facilitating access by the personnel of the competent data protection
authority to personal data, information, premises, equipment and means of
processing that are required by the data protection authority for the
exercise of its investigative powers.

o) Resistance or obstruction of the exercise of the inspection function by the competent data
protection authority.”

V
Proposed sanction

In light of the facts set out, it is considered that the respondent party should be charged with

violating Article 58.1 of the GDPR, as defined in Article 83.5 e) of the GDPR. The sanction that should be imposed is an administrative fine.

The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the GDPR.

Consequently, the sanction to be imposed must be graduated in accordance with the criteria
established in article 83.2 of the GDPR, and with the provisions of article 76 of the
LOPDGDD, with respect to section k) of the aforementioned article 83.2 GDPR.

It is noted that no mitigating circumstances apply and the following facts have been considered as
aggravating circumstances:

- Art. 83.2 b) GDPR: the intentionality or negligence in the infringement. This is a
company that is aware of the actions that this Agency is carrying out to clarify
the facts that are the subject of the claim by receiving successive requests and requirements for
information, and that, despite this knowledge, intentionally or negligently,

omits the information required to clarify its legal relationship with the third party in which
the liability arises. In addition, this is a company that has been active since 2014,
and a turnover of close to 50 million euros, so it should

have established procedures for compliance with the obligations contemplated in the data protection regulations, among them, to respond to the
requests of the control authority, having established a procedure to not leave the notifications made by this

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/10

Agency unanswered, also taking into account that, contrary to what was stated by the respondent,
these notifications were carried out reliably.

- Art. 83.2 k) GDPR: any other aggravating or mitigating factor applicable to the
circumstances of the case, such as the financial benefits obtained or the losses
avoided, directly or indirectly, through the infringement. By not responding
to the request for information made, the respondent party is hindering this

Agency's work of supervising the guarantees of the processing of personal data of new clients
collected for it by third parties, and which the respondent uses to obtain new income.

In view of the above, the following is issued:

PROPOSED RESOLUTION

That the Director of the Spanish Data Protection Agency sanction
BIROU GAS, S.L., with NIF B39806062, for an infringement of Article 58.1 of the RGPD,

classified in Article 83.5 of the RGPD, with a fine of €60,000.00 (sixty thousand
euros).

Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you are informed that you may, at any time prior to the resolution of this procedure,
make the voluntary payment of the proposed penalty, which will
imply a reduction of 20% of the amount of the penalty. With the application of this
reduction, the penalty would be set at 48,000.00 euros and its payment will imply the
termination of the procedure. The effectiveness of this reduction will be conditional on the
withdrawal or waiver of any action or appeal in administrative proceedings against the
penalty. If you choose to make voluntary payment of the amount specified above, in accordance with the provisions of article 85.2 cited above, you must make the payment by depositing it in the restricted account number IBAN: ES00-0000-0000-0000-

0000-0000 (BIC/SWIFT code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the
heading of this document and the reason, due to voluntary payment, for the reduction of the
amount of the penalty. You must also send proof of payment to the

General Subdirectorate of Inspection to proceed with closing the file.

By virtue of this, you are hereby notified of the above, and the procedure is made known to you
so that within a period of TEN DAYS you may allege whatever you consider in your defense and
submit the documents and information that you consider pertinent, in accordance with

article 89.2 of the LPACAP.

1105-020323
B.B.B.
INSTRUCTOR

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/10

ANNEX
File index EXP202303792

03/09/2023 Internal note
03/22/2023 COMMERCIAL_REPORT_BIROU_GAS_SL
03/23/2023 Diligence
04/11/2023 Agreement to start with BIROU GAS, S.L.
04/24/2023 Response to BIROU GAS SL's request

>>

SECOND: On May 25, 2023, the respondent party has proceeded to pay
the fine in the amount of 48,000 euros, making use of the reduction provided for in

the resolution proposal transcribed above.

THIRD: The payment made entails the waiver of any action or appeal in administrative
course against the fine, in relation to the facts referred to in the
resolution proposal.

LEGAL BASIS

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to

initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions

of Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures."

II

Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter LPACAP), under the heading
"Termination of sanctioning procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/10

2. When the sanction is of a purely monetary nature or when it is possible to impose a
monetary sanction and another of a non-monetary nature but the
inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of
compensation for the damages and losses caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the
body competent to resolve the procedure will apply reductions of at least
20% on the amount of the proposed sanction, which may be accumulated with each other.
The aforementioned reductions must be determined in the notification of initiation of the procedure
and their effectiveness will be conditional on the withdrawal or waiver of

any action or appeal in administrative proceedings against the sanction.

The percentage of reduction provided for in this section may be increased
by regulation.”

In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202303792, in
accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to BIROU GAS, S.L..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

968-171022
Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es