AEPD (Spain) - EXP202305278

From GDPRhub
AEPD - EXP202305278
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Type: Complaint
Outcome: Upheld
Started: 19.11.2024
Decided: 14.01.2025
Published: 13.01.2025
Fine: 42,000 EUR
Parties: EDP Solar Spain
National Case Number/Name: EXP202305278
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ao

The DPA fined a solar panel provider €42,000 for sending contractual documents to all participants of a solar neighbourhood project. In violation of the principle of data minimisation, these documents unnecessarily contained personal information of all participants.

English Summary

Facts

Ecodes, here the processor, ran a solar neighbourhood project where 100 residents could take advantage of the solar energy generated on the roof of a municipal building in their area for a set monthly fee.

In order to sign up to the project, interested individuals had to register on a website provided by EDP Solar, a solar panel provider and here the controller. The details entered were then sent to an email account of Ecodes, the processor, which selected eligible candidates and sent their information to EDP Solar so that they could be added to the participant list.

The data subject was one of the participants in the project. The data subject received an email with an attached PDF containing the following personal data of 99 different people: name, surname, ID numbers, mobile phone number, e-mail address, postal address, town and postcode, and the individuals’ signatures.

The data subject contacted Ecodes, informing them of the data breach and requesting that Ecodes restrict the excessive processing of personal data. Ecodes then sent the data subject an email explaining that the information had to be disclosed because the document sent was the contract on which the project was based. It explained that every participant had to be provided with a copy of the contract they had entered into.

The data subject lodged a complaint with the Spanish DPA (Agencia Española de Protección de Datos – AEPD).

The email had been sent from an Ecodes domain, but the EDP logo appeared at the bottom of the email, and the investigation established that EDP Solar had instructed Ecodes to send it. The investigation also showed that the PDF file included several documents relevant to the contract, such as the powers of attorney of each participant, but also included the personal information listed above.

Holding

The AEPD determined that EDP Solar acted as the controller and Ecodes as the processor, as Ecodes had been instructed to send the PDF file.

The AEPD found that it had been unnecessary to disclose each participant's personal information to all other participants in the project through the PDF contract. It therefore found an infringement of Article 5(1)(c) GDPR.

The AEPD found that while the controller lacked intention for the infringement, there was also a clear lack of due diligence.

The AEPD initially set the fine at €70,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it could acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €42,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202305278

RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT

From the procedure instructed by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: On November 19, 2024, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against EDP SOLAR
ESPAÑA, S.A. (hereinafter, the respondent party), through the Agreement that is
transcribed:

<<
File No.: EXP202305278

AGREEMENT TO START SANCTIONING PROCEDURE
FACTS
FIRST: Content of the claim and documentation attached by the claimant
SECOND: Transfer of the claim
THIRD: Admission to processing
FOURTH: Preliminary investigation actions
FIFTH: Consult data of the company EDP SOLAR ESPAÑA, S.A.
LEGAL BASIS
I Jurisdiction
II Obligation breach
III Classification of the offending conduct
IV Proposed sanction
V Adoption of measures
IT IS AGREED:

AGREEMENT TO START SANCTIONING PROCEDURE

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/36

Of the actions carried out by the Spanish Data Protection Agency and
based on the following

FACTS

FIRST: Content of the claim and documentation attached by the claimant

A.A.A. (hereinafter, A.A.A.) on 3/03/2023, filed a claim with the
Spanish Data Protection Agency. The reasons on which it is based are the
following:

On 02/22/2023, he received an email from the domain @ECODES.org, in which he and “at least 99 different people, including me” were attached … an attached file
in PDF format that contained, among others, the following personal data:

-“name, surname, ID, mobile phone number, email address, postal address, town, postal code; of at least 99 different people, including myself.”

He provides:

- in DOCUMENT 1, a copy of an email received on 02/22/2023, at “***EMAIL.1@gmail.com” with the title: “marketing notification-Pabellón siglo XXI”, “Bcc”, only the address of the claimant, “as a participant in Actur Barrio Solar”.

The letter informs about the connection of photovoltaic installations, self-consumption of solar energy, and:

“As part of the process, last Friday, the distribution company has notified
all the distributors of the participants of Barrio Solar that they have to
enable self-consumption in their domestic contracts. That is why it is likely that you have
received some communication from your electricity supplier, either by telephone
or email, asking you for a series of information about the self-consumption installation to which you are registered.

The documentation that each of you must send them and that we attach in this email is the following:

-Distribution Coefficients Contract (PDF)
-TXT file (notebook “

(the two ATTACHED documents are seen in the email, one in .txt format, the
other with a number followed by the name: “(...)_List of powers.pdf”, although the
claimant does not provide them openly to see their content, therefore, these are not
displayed). At the bottom of the email appears the EDP SOLAR logo.

The claimant also provides as part of DOC 1:

-an email sent by the claimant to ECODES.org, of the same 02/22/2023, 19:16, in which he asks him why he has sent “all the personal data of the people participating in the Barrio Solar project, in the annex of the email, not just mine”.

- an email from ECODES.org to the complainant, dated 02/23/2023, 9:52, with the following text:

“The documents we have sent you and their contents are those required by the
process of activating collective self-consumption of a community photovoltaic
installation.

The distribution document follows a regulated model and must include the data of the
participants and the signature. In this case, EDP acts on behalf of the
participants, and in these cases it is required that the acceptance of this representation of all of them be included
together with the distribution document, a document that EDP has sent us for
annexation.”

-another email from the complainant to ECODES.org, dated 24/02/2023 at 18:37,
requesting to be informed of the person responsible for processing his/her data.

-email from ECODES.org to the complainant, dated 27/02/2023, with a copy to
dpd@edpenergia.es, in which, in response to his/her request, he/she is informed that “the
data controller in the Actur Barrio Solar project to whom he/she
should address his/her request is EDP SOLAR ESPAÑA SA”, (hereinafter EDP) indicating his/her
address and the contact details of his/her DPD. Adding that “the data processor is Fundación Ecología y Desarrollo, ECODES”, along with his/her DPD contact details.

-email from the complainant dated 28/02/2023 to EDP, indicating that from the
ECODES address, an email was sent to him in which “all recipients were sent a file in which the following personal data can be read: name, surname, ID, mobile phone number, email address, postal address, town, postal code”, and he exercises his right of access.

-in the attached file of the complaint (…), a copy of the email from EDP to the
complainant, dated 2/03/2023: which responds to the claimant's request, indicating
among others:

“EDP is processing personal data relating to you, which were originally provided
by ECODES, to whom you expressed your interest in being part of the
Barrio Solar project and which were subsequently completed by you for the
formalization of the participation contract in it.

The data subject to processing are the following:

Identification data: Name and Surname, Address, CIF,
Contact details: Telephone, Email
Data of the supply point: Address, Number, Floor, Staircase, Letter, Postal Code, Town, Municipality, Country, CUPS
Data of the contracted Product: Number of participation shares, Payment Method,
Billing data: IBAN
Shared documents: Invoice and ID.

Your data is processed for the purpose of managing, maintaining, developing,
fulfilling and controlling the contracting and operation of the “Barrio Solar” service,
as well as to provide you with complementary services related to
solar installations, complementary inspection services, technical assistance or
maintenance.

Additionally, as specifically requested, the specific data processing carried out within the framework of the contract
carried out by you within the framework of the “Barrio Solar” project is set out below:

The process of consumer participation in collective self-consumption is
established in Royal Decree 244/2019, of 5/04, which regulates the administrative,
technical and economic conditions of self-consumption of electrical energy, for
which the Guide “IDAE 021: Professional Guide for Processing Self-Consumption” of the Institute for Energy
Diversification and Savings, dependent on the Ministry for Ecological Transition, was published.

In compliance with the obligations set out in this regulation and following the
indications of the Guide, as you know, the following were carried out:

- the signing of a mandate in favour of EDP to be able to carry out the corresponding procedures
with the electricity distribution and marketing companies, as well as

- the management of the acceptance by all interested consumers of the
corresponding agreement in which the criteria for the distribution of self-consumption are included

Both you and the rest of the consumers signed the mandate through
an electronic signature system provided by a qualified trust service provider, whose operation is regulated by the e-IDAS regulation: Regulation (EU)
No 910/2014 of the European Parliament and of the Council, of 23/07/2014, regarding electronic
identification and trust services for electronic transactions in the internal market. This system generated an electronic receipt of
the signatures made.

Subsequently, the EDP representative signed the general distribution agreement on behalf of all the consumers who had authorized him to do so, including you. For this agreement to be valid, it is
necessary that the mandates signed by the consumers be included in it. In
this case, since the authorization was made by digital means, instead of a physical signature, proof of the digital signature is provided, which contains the information that you refer to in your query, which is why it is included in the agreement.

Finally, the agreement was made available to all participating consumers,
so that they have proof of the agreement signed in their name, as part of it. As this is a digital contract, it must be delivered with its entire content, since any alteration would imply that the digital copy delivered would be detected as manipulated, and would therefore not serve to justify the agreement signed.

Therefore, as stated, the exchange of information carried out complies with the regulatory requirements for the creation of the energy self-consumption community.

However, we inform you that, in response to your request, a matter has been processed before the Spanish Data Protection Agency to clarify all the points of the process regulated in the regulation and interpreted in the IDAE guide.

In addition to what was previously reported, we inform you that, during the validity of the contract, your data may be communicated to the following entities:

The corresponding distribution company, with which there will be a permanent exchange of information for the adequate provision of the service.

Public Organizations and Administrations that correspond by law.

Banks and financial institutions for the collection of services provided.

Other companies of the business group, solely for internal administrative purposes
and the management of the contracted products and services.”

SECOND: Transfer of the claim

In accordance with article 65.4 of Organic Law 3/2018, of 5/12, on the Protection
of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on
04/27/2023, said claim was transferred to FUNDACIÓN ECOLOGÍA Y
DESARROLLO, ECODES, and EDP SOLAR ESPAÑA SA so that they could send
the following information to this Agency, in order to know the circumstances of the
specific case and admit or not the claim for processing:

1. DETAILED AND CHRONOLOGICAL DESCRIPTION OF THE EVENTS THAT OCCURRED.

1.1 On 05/24/2023, a response was received from FUNDACIÓN ECOLOGÍA Y
DESARROLLO, ECODES (ECODES hereinafter) which begins by indicating that it is
an independent non-profit organization that has been working for sustainable and environmentally friendly
development since 1992.

The “Barrio Solar” project is a pioneering collective self-consumption initiative, where
100 residents can take advantage of the solar energy generated on the roof of a municipal
building in their area, by paying a monthly fee and without having to
install anything in their homes. This is what is technically called a
collective self-consumption solar energy project.

To implement the project, an agreement was signed between EDP ENERGÍA SAU, a Spanish company belonging to the EDP España group, dedicated to the production of
electric energy, the City Council of Zaragoza and ECODES. This agreement contains
an annex relating to the processing of personal data, which establishes that EDP
is responsible for the processing of data and ECODES is in charge of
processing.

It states that a contact form was made available on its website, so that those
interested in taking part in the project could enter their email address and/or
telephone number. The data contained in this form arrives at a single email account
on ECODES.org, managed by ECODES, an account that is only accessed by two
people from ECODES, its purpose being to compile the list of participants and
potential reserves of those interested in the project.

“In the event that the person requesting information through the aforementioned email wants to
finally participate in the initiative, ECODES gives the contact details, the
email and telephone number to EDP, the company in charge of the project, who contacts
them and begins the process of formalizing the participation contract for which it is” (cuts off).

And continues: “To formalize the participation, the interested parties end up
providing EDP with their personal data directly, either via the web or
by telephone (including address, CUPS and account number, among others).”

At one point in the process, EDP asks ECODES to, following the process
established in the aforementioned Royal Decree 244/2019 of 5/04, which regulates the
administrative, technical and economic conditions of collective self-consumption of
electric energy, forward an email to the 100 participants.

ECODES does so, following the guidelines received from EDP. It sends an email with a blind copy to all participants.

It attaches, in Excel format, an account of what happened with the complainant and the
communications received and issued, with the dates of the actions carried out.

1.2 On 05/26/2023, a response is received from EDP, indicating that
in the framework of the creation of a "community" of associated consumers for the
collective self-consumption of energy, under the regulations contained in Royal
Decree 244/2019, of 04/05, the creation of said community was carried out,
bringing together, for this purpose, the consumers interested in participating in it,
amounting to a total of 99 consumers, including the current complainant.

“In order to carry out, in accordance with current regulations, the registration process for the community with the energy distribution and marketing companies, the following was carried out:

- the signing of a mandate in favour of EDP to be able to carry out the corresponding procedures with the electricity distribution and marketing companies,
in accordance with the express authorisation provided for in the Annex of the Royal Decree
referred to above in order to be able to carry out the process, as well as,

- the management of the signature by all participants of the corresponding agreement
in which the criteria for the distribution of self-consumption are included, in accordance with the provisions of article 4.3 of the aforementioned regulation, as well as.

This process was carried out digitally, sending the consumers involved a copy of the agreement through the electronic signature system provided by EDP for these purposes, so that, once validated, they could express their agreement,
responding affirmatively to their participation in the community in the terms communicated. Additionally, a mandate contract is sent so that they can authorize
EDP to sign the distribution agreement on their behalf and carry out the necessary procedures for the completion of the contract with the energy distribution and marketing companies. In this way, the electronic system used to
carry out the electronic acceptance process of the mandate allows users to
communicate their acceptance, guaranteeing that it has been effectively expressed by the
user, who has previously been identified by EDP as a consumer participating in the
self-consumption community, the exact moment in which the acceptance process is carried
out, as well as the integrity of the document actually signed.”

EDP informs that for the electronic acceptance process of the mandate they have
“a trusted third-party service provider in the field of qualified time stamps, in accordance with the national legislation applicable in Spain in
reference to the eIDAS Regulation (Regulation (EU) No 910/2014 of the European Parliament and of the Council, of July 23, 2014, on electronic identification and
trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC) and that the process involves the processing
of the contact data referred to in order to generate the corresponding evidence, in
accordance with the provisions of article 3 of the eIDAS Regulation, and in relation to
the provisions of article 42 of the same legal text, in order to be able to accredit the
appropriate information to comply with the qualified time stamping service and to
allow generating evidence of the acceptance of the agreements and mandates in accordance with the cited eIDAS Regulation. That is, the contact details are
what ultimately binds the participant to the acceptance of the terms
of the contract and the mandate, being essential to be able to verify this fact,
as well as to justify that the copy has been duly delivered, as required
by consumer regulations (attached as document no. 1 Report on
contracting via SMS and email in the provider's service).

Once the management of the individual signatures of the mandates has been completed, the general distribution agreement accepted by the participating consumers is generated with all the CUPS and percentage of participation of each consumer in the community (for which all the representation mandates of the participants are attached) and is signed by the EDP representative for submission to the corresponding distribution and marketing entities and is made available to all participating consumers in the community, so that they have proof of the agreement signed in their name.

Specifically, these documents have been prepared with the content provided
in the Guide “IDAE 021: Professional Guide for Processing Self-Consumption” of the Institute
for the Diversification and Saving of Energy, dependent on the Ministry for the
Ecological Transition, specifically model 5.

When complying with these last procedures, in the final document made available to
the participating consumers, some contact information may be included, derived from the means used to sign the mandates,
since, as indicated, the signing of these documents is done by electronic means,
whose digital evidence includes this information.

Since EDP acts as the agent of the consumers, and not on its own behalf,
it must make the content of the agreement available to them, since each of them is a party to it. Similarly, since the agreement is signed digitally,
any manipulation or modification of its content (to eliminate personal information from the
signature) would mean that the copy delivered would not serve the consumer as
complete evidence of the content of the contract, since it would not comply with the
integrity requirement, having been, in fact, modified."

As a specific response to the chronology and description of the events, EDP
stated that the claimant signed a COLLECTIVE SELF-CONSUMPTION AND ENERGY EFFICIENCY SERVICES CONTRACT WITH EDP on 07/05/2021, provides
DOCUMENT 2.

On the same date, the claimant granted special power to EDP to carry out, in
his name and representation, certain acts within the framework of the contracting of the
“Barrio Solar” Project, provides DOCUMENT 3.

From DOCUMENT 2, the following stands out among others:

- Encompassed by a first document which is the “confirmation of the EDP contract” in
which the third party trusted service provider intervenes, electronic document. The EDP SOLAR CONTRACT is listed as sent for acceptance by SMS, and the claimant's mobile phone number and email address, which matches the one provided in his claim where the attached file subject to the claim was sent, are listed among the data sent. His full name and surname are also included, a document generated on 07/05/2021.

In the "request tracking" section, the chronology of the confirmation of the contract with SMS messages is displayed, with the first message being sent on 07/02/2021, "EDP Solar Contract: (...)", so that he "responded with a YES to this message to confirm the contract" with confirmation dated 07/05/2021.

- Next is the document: “SERVICE CONTRACT WITH EDP” which is a sheet
“that contains, perhaps pre-filled in computer type, the name and surname, the
customer's address, the NIF, the telephone number, the address of the supply point
and the electricity CUP and the IBAN data for account debit”. Next is the section:
“specific conditions of the contract”.

-A second page that does not contain any logo or signature, which (also lacking a page number) contains the following information about personal data:

“Personal data will be processed by EDP Solar España SA as the data controller for the maintenance, development, compliance and management
of the contractual relationship, fraud prevention, profiling based on information provided by the customer and/or derived from the provision of the service by EDP, as well as sending commercial communications such as those related to
products and services related to solar installations and energy consumption
and which may be personalized based on your customer profile, and as reported in
the general conditions, being able to oppose at any time the sending of commercial
communications. This contract will also maintain the purpose of the
client receiving information and being able to participate in the activities associated with the Solar
Neighborhood: workshops and conducting surveys in relation to participation in said
project, monitoring energy consumption and sending advice on electricity
consumption and use of the solar energy produced.

- It is followed by the informative clause of the “general conditions of the EDP Solar
Neighborhood service”, with the following characteristics:

It includes a section 8: “Protection of personal data”, which highlights:

8.1 Purposes, for the formalization of the contract
8.2 categories of personal data,
8.3 Communications and recipients of the data
8.4 rights.

-It relates the chronological detail indicating that on the aforementioned date the claimant granted
power in favor of EDP to carry out in his name and representation
certain acts within the framework of the contracting of the project. They provide a copy of
document 3 “power of representation and confirmation of signature”, which is a
trusted third party document containing an SMS message, “EDP SOLAR power of representation”, sent by SMS to the claimant’s recipient phone number, so that they respond
with a Yes to the SMS to confirm, containing details at another address, sent on
07/05/2021, and with a response on the same day (yes). Another document entitled
“power of representation” is attached, dated 07/03/2021, which includes:

1. All the necessary procedures for the registration, modification and/or deregistration of the
solar installation in which the Client participates (hereinafter the Installation) in the
Administrative Records of Self-Consumption and, where applicable, of Electric Power
Production Installations.

2. Signing, on behalf of the Client, the Agreement for the Sharing of the energy generated by the
Installation, after determining the coefficient that corresponds to the Client based on
the capacity of the Installation, the number of associated consumers who share it and what has been agreed in the contract signed between the Client and EDP.

3. Signing, on behalf of the Client, any modifications to the Sharing Agreement that are necessary.

4. Making any necessary communications in relation to the Sharing Agreement to the distribution company and the marketer with whom the Client has contracted the supply.

5. Any other communication with the distributor, the marketer, the
Autonomous Communities or any competent body that is necessary
to process or confirm the registration, modification or cancellation of self-consumption by the
Customer, as well as any communication in relation to the Distribution Agreement.

In particular, EDP SOLAR ESPAÑA, S.A. is authorized to request from the
Customer's distributor and/or marketer confirmation of the date on which
self-consumption has been activated for the Customer, as well as any cancellation or
modifications, as well as to know at any time the status of the processing of
the processes associated with self-consumption by said companies.”

EDP declares that these documents have been prepared with the content provided
in the IDAE Guide 021, "Professional Guide for Self-Consumption Processing" of the
INSTITUTE FOR ENERGY DIVERSIFICATION AND SAVING, dependent
on the Ministry for Ecological Transition, specifically model 5.

-It goes on to report that on 02/27/2023, it received a letter from the
complainant, which appears in Annex 1 of the claim.

On 02/28/2023, the exercise of the claimant's right of access was received, which
was attended to on 03/02/2023, also appearing in ANNEX 1 of the claimant.

It also provides document 5, which according to EDP is titled “email sent
by the complainant to EDP on 03/03/2023”, with the following literal:

“I attach an email in which I expressly indicated at the time of contracting
that I did not consent to the processing of my personal data to other companies or third parties
other than those strictly necessary for the contractual relationship

I reiterate my request and ask you to limit the processing and transfer of my personal
data to the purposes strictly necessary for the contractual relationship”

According to EDP, it is that “The now Complainant sends a reply to
EDP SOLAR accepting the explanations provided in relation to the
processing of his data in the email of 03/02/2023, as well as, reiterating
that his data is processed strictly for those purposes necessary to
comply with the contractual relationship.”

-EDP states that on 02/28/2023, following the email received, EDP
submitted a query to the AEPD in order to clarify whether sharing certain personal data
with the rest of the community members in order to fully comply with the
process regulated by Royal Decree 244/2019, of 5/04, which regulates the
administrative, technical and economic conditions of self-consumption of electrical energy
and the IDAE Guide 021: Professional Guide for Processing Self-Consumption,
could have a negative impact on interested parties from the perspective of privacy
and protection of their personal data. A copy of the Query raised to the
AEPD is provided as document no. 4.

In this query that you provide, there is a probable error in the date of the document, which
indicates 27/02/2022.

The following points stand out from the consultation, among other points necessary to relate the consultation and
its terms, with the eventual response, according to the order given in the consultation:

- Within the framework of the creation of a community of associated consumers
for the collective self-consumption of energy, the creation of the same was carried out, with 99 interested consumers
participating, citing RD 244/2019 of 5/04.

- All participants signed a mandate in favor of EDP to carry
out the corresponding procedures before the electricity distribution and
marketing companies, in accordance with the express authorization provided for in the Annex of the aforementioned Royal Decree to be able
to carry out the process (it does not mention which of the annexes it refers to)
specifying that "a model contract and a model power of representation are
included", not knowing exactly which documents were sent.

- He states that, “in addition, a power of attorney contract is sent so that EDP can be empowered to sign the distribution agreement on his behalf and carry out the necessary steps to finalize the contract with the energy distribution and marketing companies.”

- “once the management of the individual signatures of the mandates has been completed,
the general distribution agreement accepted by the participating consumers is generated with all the CUPS and percentage of participation of each consumer of the community (for which all the representation mandates of the participants are attached) and is signed by the EDP representative for its referral to the corresponding distribution and marketing entities and is made available to all participating consumers of the community so that they have proof of the agreement signed on their behalf

Specifically, these documents have been prepared with the content provided in the IDAE 021 guide, professional guide for processing self-consumption, model 5.

This guide can be accessed and in the agreement models on distribution criteria it is indicated that in application of RD 244/2019, of 5/04, the
following consumers agreed to join the installation of collective self-consumption of electric energy with the following
characteristics, including a list to be completed with the data of the associated consumer-owner of the supply - in which they must enter
NIF, CUPS, and distribution coefficient.

The respondent states that: "When complying with these last procedures, it was detected that the final document made available to the participating consumers may include some contact information of these, derived from the means used to sign the mandates, since as indicated, the signing of these
documents is done by electronic means whose digital evidence
includes this information (a confirmation model of power of representation is attached).

It should be noted that point 13 of the IDAE guide requires that this agreement
be signed by all and must be sent by each consumer to the distribution company, either directly or through its
marketing company. If, in order to achieve collective self-consumption, it had been decided to form a Community of renewable energies, this
could represent the associated consumers in all these procedures, provided that the associated consumers authorize it
appropriately.”

Since EDP must act as the consumer's agent, and not
on its own behalf, it must make the content of the agreement available to them, since each of them is a party to it.

Likewise, since the agreement is signed digitally, any
manipulation of its content to remove personal information from the
signature would imply that the copy delivered would not serve the consumer as
complete evidence of the content of the contract, since it would not comply
with the integrity requirement, having been effectively modified.

- the AEPD is asked if it considers that the procedure
required by Royal Decree 244/2019 and the IDAE guide is
a procedure that may be in accordance with the regulations on personal data
protection, since all members of the community, signatories of the
documentation, may have access to certain personal data of the other consumers, since
they are all part of the same contract, thus attending to the literal of
what is required by the referenced Royal Decree and, where appropriate, the referenced IDAE Guide, all this taking into account that to date, this type of consumer
communities have not been established in Spain, the one that has been proposed to EDP being the
first existing at a national level, as well as the legal period
established to be able to send the documentation indicated by the Royal Decree to the energy supplier of the
consumers is a very short period of time, 10 calendar days.

Specifically, the main concern that EDP has is none other than that, in the event of full compliance with the literal required by
the Royal Decree and, where appropriate, by the IDAE Guide,
it necessarily entails that all members of the community
know certain personal data of the rest of the members of the
community, something that, although from the point of view of energy regulations
seems reasonable and justified in Law, it seems that
it could have a negative impact on consumers from the perspective of
privacy and protection of their personal data”

EDP states that on 03/14/2023 a response was received from the AEPD, with EDP
indicating that “in this sense, it should be noted that the AEPD did not object or does not refer that the
detailed process carried out by EDP was contrary to the provisions of the data protection regulations.” It provides DOCUMENT 6, which shows the response date of 03/14/2023, and from which the following should be highlighted, among other aspects:

- In general, it reviews the bases of legitimacy and refers to the sectorial regulation, whereby the one in 6.1.c) of the GDPR may exist, and if this were the case, the consent of those affected would not be required.

- It adds respect for the principles of the GDPR, highlighting the minimization of article 5.1.c) of the GDPR and the principle of proactive responsibility.

It ends by indicating that “This response constitutes a purely informative activity of the AEPD; it has no binding effects, does not modify the legal situation of the applicant and does not constitute an appealable act.”

2. DETAILED SPECIFICATION OF THE CAUSES THAT MADE THE INCIDENT POSSIBLE.

- ECODES stated that the procedure established in RD 244/2019 of 5/04 and the IDAE self-consumption guide have been followed, in which the distribution document is established, with a pre-established format necessary to be able to register and process collective self-consumption. It states that the only personal data processed, which are not expressly mentioned in the aforementioned Royal Decree, are the e-mail and the telephone number; but it has been necessary to collect them by EDP in order to be able to carry out the representation via electronic signature (a procedure that was provided for in the aforementioned documentation).

- EDP stated that in no case can the detailed facts be considered
as an incident in the area of Data Protection, based on the fact that the sharing
of certain data with the rest of the members of the community complies with the
regulatory requirements in energy matters, as well as the Data Protection
regulations.

The personal data of the complainant were processed within the framework of the contract that
he carried out in the project called "Barrio Solar".

“In accordance with the conditions established by RD 244/2019 of 5/04 and the IDAE Guide, the acceptance by all interested consumers of the corresponding agreement was managed, which includes the criteria for the distribution of self-consumption, as well as the signing of a mandate in favor of EDP to carry out the procedures before the electricity distribution and marketing companies.”

Both the complainant and the rest of the consumers signed the mandate using
an electronic signature system provided by a qualified trusted service provider.

Subsequently, EDP, as agent, proceeded to sign the general distribution agreement
on behalf of the consumers who had empowered it for this purpose. In order for this agreement to be valid, it is necessary that the mandates signed by the consumers appear in it. In this case, as the empowerment is carried out by
digital means, instead of a physical signature, proof of the digital signature is provided,
which contains information on the rest of the participants, hence they are included in the agreement.

Finally, the agreement was made available to all participating consumers,
so that they have proof of the agreement signed in their name, as part of it. Since this is a digital contract, it must be delivered with its entire content,
since any alteration would imply that the digital copy delivered would be
detected as manipulated, and would therefore not serve to justify the agreement signed.

Therefore, as stated, the exchange of information carried out complies with
the regulatory requirements for the creation of the energy self-consumption
community. Likewise, and in accordance with the response to the query posed to
the AEPD, the points of the process regulated in the standard and interpreted in the IDAE guide
are fully compatible with the data protection regulations.”

3. NUMBER OF PEOPLE AFFECTED BY THE VIOLATION OF THE
SECURITY OF PERSONAL DATA.

- ECODES indicates that “100 people have had their personal data communicated to
the other 99 participants in the project.”

- EDP stated that “there has not been an incident or security breach that
affects the rights and freedoms of the interested parties and, therefore, there are no affected
persons. Notwithstanding the above, and for purely informative purposes, we must
clarify that the total number of consumers participating in the “Barrio Solar” project, including the current complainant, amounts to 99 consumers, although
the exchange of certain data with the rest of the participants is lawful and
complies with the requirements of the sectorial regulations, as well as the data protection
regulations.”

4. CATEGORY OF PERSONAL DATA INVOLVED.

- ECODES indicates that “the data revealed have been of a general category: name,
surname, ID, mobile phone number, email address, postal address,
town, CUPS and postal code.”

- EDP stated that: “no personal data was detected involved, given that,
as has been made clear, the exchange of personal data was carried out in
strict compliance with Royal Decree 244/2019, of 5/04, as well as the IDAE Guide,
therefore, we cannot consider that there are affected persons involved
and, consequently, categories of personal data involved since the existence of a security
incident has not been reported.” However, it indicates that the
only data that was exchanged within the framework of the signing process by the
participants of the community are:

Partners - Identification Data, Personal Contact Data, Commercial and
Contractual Conditions.

5. POSSIBLE CONSEQUENCES FOR THE AFFECTED PERSONS.

- ECODES stated that the consequences, although with little probability of
occurrence, may be the following:

Loss of control over personal data, reputational damage and, to a
lesser extent (because it is limited to one hundred residents of the neighborhood), being the
victim of phishing/spamming campaigns.”

- EDP stated that no consequences have been detected in affected persons,
since no security incident has materialized. “The exchange of
information was carried out at all times with a fully lawful basis of legitimacy and in compliance with the energy
regulations that are applicable to the Data Controller, especially when said process was made
known to the AEPD and it did not oppose or raise any objection to it.”

6. DETAILED DESCRIPTION OF THE ACTIONS TAKEN TO SOLVE
THE INCIDENT AND MINIMIZE ITS IMPACT ON THE AFFECTED PERSONS.

- ECODES responds that “the actions taken were the measures provided for in the implementation of the General Data Protection System,
prior to the claim; namely:

-immediate and diligent response to the affected party;

-immediate notification to the data controller, upon
becoming aware of the situation,

-transfer of the response to the affected party,

-telephone and email follow-up in both directions (to the affected party and to the
data controller).

-On 02/03/2023, the Data Controller submitted a
question to the Spanish Data Protection Agency to clarify that
all points of the process regulated in the standard and interpreted in the IDAE guide are fully compatible with data protection regulations.

-ECODES proposal to improve the procedure consisting of EDP,
making use of its power of representation, sending the distribution document directly to the
marketers.

This proposal was accepted by Endesa and Iberdrola as a valid procedure for
their participating customers, but it is unknown whether the rest of the marketers will adopt it, as it is not the procedure established by RD 244/2019.”

- EDP stated that “there has not been a security incident that requires
actions to minimize the impact on the possible affected persons, on the part
of EDP SOLAR and, as indicated in the chronological description of the events, in compliance with the principle of proactive responsibility, and after receiving the
emails from the now claimant, it raised a prior consultation with the AEPD in order
to corroborate and verify whether, in fact, the process carried out in accordance with the
energy regulations was in accordance with the data protection regulations”.

EDP also reiterates that “considering the response provided by the AEPD, we can
interpret that the process was lawful and complied with the data protection regulations”, citing parts of the response, based on legitimacy and principles of
treatment.

7. SECURITY MEASURES FOR THE PROCESSING OF PERSONAL DATA
ADOPTED PRIOR TO THE INCIDENT, AS WELL AS THE
DOCUMENTATION SUPPORTING THE RISK ANALYSIS THAT HAS
LED TO THE IMPLEMENTATION OF SAID SECURITY MEASURES AND, IF APPLICABLE, A COPY OF THE IMPACT ASSESSMENTS OF THE PROCESSING
WHERE THE SECURITY VIOLATION OF PERSONAL DATA HAS OCCURRED.

- ECODES responded that “At the beginning of the project, ECODES was identified in this
phase as the Data Processor of the personal data and the pertinent
security measures were taken to guarantee the adequacy of the processing to the
legality.

The only assets of ECODES involved in this project are an ad hoc email account
and an Excel file operated by only two people
(shared on Google Drive only by them), following ECODES security guidelines.

The processing of the personal data that gave rise to the claim has been
deliberate, following the guidelines of Royal Decree 244/2019; in ECODES' opinion
there has been no security breach, since at no time has there been
an unintentional disclosure of data.

The email was sent with a blind copy to all of them. As regards
ECODES, it acted diligently.”

- EDP stated that it adopted security measures, stating various ones such as
preparation of a RAT, DOCUMENT 7, which they describe as “management of the
contracting process for sales of EDP Solar installations and services”, with
the purpose of “managing the contracting of EDP Solar installations and services”, and
based on the lawfulness of processing “execution of the contract”. In “data communications,”
among others, it appears “electrical marketing and distribution entities,”
and “partners-execution of the contract-” and risk analysis in DOCUMENT 8,
indicating that “According to the level of risk detected, the minimum applicable
security measures are determined,” among which the following can be mentioned:

-those related to personnel with access to data, the signing of a written
confidentiality commitment, knowledge of rules and procedures that must be adopted,
they have a procedure for controlling access to data, backup copies, archiving of media and devices for storage, inventory and
control of entry and exit of documents and media, definition and implementation of a
procedure for anonymizing personal data in cases where it is
technically possible.

Document 8 of the “risk analysis of processing” provided is an Excel table
with two columns that simply answers No to all the questions, such as:

- Automated processing
- Large-scale special categories
- Large-scale systematic observation of a publicly accessible area
- Profile assessment
- Automated decisions
- Systematic observation of interested parties
- Sensitive or very personal data
- Large-scale data processing
- Big data interconnection
- Data relating to vulnerable interested parties
- Use of innovative technologies
- Unavoidable processing/restriction of the exercise of rights

8. Copy of the Activity Record of the processing where the incident occurred.

- ECODES attaches the RAT of “File group: Barrio Solar”,

Description: “control of participants and reservations of the community solar self-consumption
project Barrio Solar”.

Purpose and uses: “Process the inclusion of participants/reservations in the
self-consumption project”.

Legitimation: consent of the interested party

Conservation: “They will be kept for the stipulated time to determine the
possible responsibilities that could arise from said purpose, after the
completion of the project”.

Origin of the data: The interested party

Recipients of data transfers: EDP

Security officer, with a person,

Exercise of rights, “Fundación Ecología y Desarrollo”, and the address, telephone number,
same data as the footer of the email sent to the claimant.

Information fields: CIF/NIF, CUPS, energy consumption, name and surname,
electronic postal address, manual or digital signature, telephone number.

Then, in the files, it indicates the existence of two:

- ACTURBARRIOSOLAR@ECODES.ORG: described email account
dedicated to receiving applications from those interested in the Barrio Solar project,

“information fields”: Name and surname, Address (postal/electronic), Telephone,
with “supervisor” appearing as a physical person.

“BARRIO SOLAR”: described as “contact for participants and reservations for the “Barrio Solar”
project”, “information fields”: “energy consumption, belonging or not to
Zaragoza housing, CUPS, CIF, NIF, manual or digitalized signature, name and surname,
postal-electronic address telephone”, with “supervisor” appearing as a physical person.

- EDP stated that it provides a copy of the RAT in document 7.

9. IF THE SECURITY BREACH HAS BEEN COMMUNICATED TO THE
AFFECTED PERSONS, INDICATE THE CHANNEL USED, DATE OF THE COMMUNICATION AND
DETAILS OF THE MESSAGE SENT. IF NOT, INDICATE THE REASONS

- ECODES responded that: “since it was not understood that there had been a security breach, the process of communicating it to the interested parties or to the AEPD was not initiated,
according to the procedure for Incidents and security breaches established in the
Data Protection Management System.

However, as described in the statement of facts, action was taken with diligence and
proactivity in communicating it to the person responsible.

“An email was sent to all participants warning them not to respond, to
await further instructions.”

- EDP stated that since there was no security breach affecting the
interested parties, it was not necessary to make any communication.

10. INDICATE WHETHER THE SECURITY BREACH HAS BEEN NOTIFIED TO THIS
CONTROL AUTHORITY. If not, indicate the reasons why the
security breach has not been notified to this Control Authority before 72 hours have elapsed since it was discovered. You can obtain
information on the management and notification of security breaches at the following
Agency link: https://www.aepd.es/sites/default/files/2019-09/guia-brechas-seguridad.pdf

- ECODES indicates that “It has not been notified, since we did not understand that it was a
security breach, but rather the communication of data according to the procedure
necessary for participation in the “Barrio Solar” collective self-consumption project,
established by Royal Decree 244/2019”

- EDP stated that there was no security breach and that notification to the
control authority was not necessary, “raising in an exercise of transparency with
the AEPD and in compliance with the principle of proactive responsibility, a
consultation was carried out with the AEPD” in which the process carried out in compliance with the regulations in energy matters was detailed, in order to
confirm whether it was in accordance with data protection regulations.

It reiterates that the generation of a general distribution agreement accepted by all participating
consumers in which the CUPS and the percentage of participation of each consumer are
detailed, considering that EDP acted as a representative of the
consumers, not on its own behalf, “must make the full content of the agreement available to the participating
consumers, although when complying with this procedure of making it available, it was detected that the final document included certain contact
information of the rest of the consumers”.

It reiterates that “the agreement is signed digitally, any manipulation or modification
of its content (to eliminate personal information from the signature) would imply that the copy
delivered would not serve the consumer as full evidence of the content of the
contract, therefore, it would not comply with the integrity requirement as it had been
modified. In addition, EDP has consulted the qualified trust service provider regarding whether all the data included in the
signature vouchers for the mandates are essential, confirming that the data corresponding to the telephone number and the email are an essential part
to demonstrate what happened in the communication and identify the signatory."

11. MEASURES THAT IT PLANS TO ADOPT SO THAT A SIMILAR INCIDENT DOES NOT OCCUR AGAIN IN THE FUTURE.

- ECODES indicates that: "The Data Controller submitted a question to the Spanish Data Protection Agency on
02/03/2023 to clarify that all the points of the process regulated in the standard and interpreted in the IDAE guide are fully compatible with the data protection regulations.

It is pending to communicate this to all participants in the project and
modify the procedure in future calls.”

- EDP stated that “in order to maximize compliance standards in terms of
privacy, it has decided that, from now on, the copy of the agreement will be
sent to the rest of the participants without including proof of signature of the mandates
thus preventing the telephone number and email address from being viewed by
the rest of the participants. Notwithstanding the above, in the event that one or more
of the participants request a full copy of the agreement, the
proof of signature of the mandates must be provided, although, in any case, said exchange of
information would be in accordance with the provisions of the regulations on energy matters, as
well as with the criteria of the AEPD, especially when in the response to the query
raised no opposition is expressed or an objection is referred to in relation to the legality of
the process carried out.”

12. ANY OTHER THAT IT CONSIDERS RELEVANT.

- ECODES indicated that “it has limited itself to acting according to the mandate established in the
specifications of Royal Decree 244/2019, the guidelines and forms
proposed by IDAE and following the guidelines of the Data Controller,
EDP.”

THIRD: Admission for processing

On 06/03/2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complaining party was admitted for processing.

FOURTH: Preliminary investigation actions

The Subdirectorate General for Data Inspection proceeded to carry out preliminary investigation actions AI/00239/2023, to clarify the
facts in question, by virtue of the functions assigned to the control authorities
in article 57.1 and the powers granted in article 58.1 of Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Section two, of the
LOPDGDD, having knowledge of the following points:

On 15/11/2023, THE COMPLAINANT is requested to provide a copy of the document
that was attached to the email that motivates his complaint, on which
the complaint was forwarded to the two entities above, called: "(...)_List powers.pdf",
mentioned in page 4 of the attached document “01_Mail.pdf” included
in the REGAGE(...) entry.

The shipment was delivered on the same day and the same day the AEPD sent a response,
concerning:

- The annex contains 319 pages in pdf.

First, there is the “AGREEMENT FOR THE SHARING OF ENERGY FOR
COLLECTIVE SELF-CONSUMPTION FACILITIES WITH SURPLUS NOT
EQUALIZED FOR COMPENSATION”, dated 3/10/2022. It contains the
introduction, which states: “In application of Royal Decree 244/2019 of 5/04, the
following consumers agree to join the self-consumption installation
of the electric energy collective”, self-consumption code CAU: (...). It contains an
excel-type list with FIVE fields.

The first with a list of 99 NIFs (FIVE of them are for legal entities), the
next with the corresponding CUPS (unique supply point code), followed by the
field: UTM with two different numbering series for each person, followed by the
Cadastre ref., and the last, the distribution coefficient.

At the bottom of the last page is the following: “we ask you to receive this communication and proceed to
carry out the necessary procedures”, with a person signing on “behalf and
on behalf of the aforementioned associated consumers according to the powers of
representation ATTACHED TO THIS DOCUMENT”.

-Following this in the same pdf file, for each of the 99 members of the association, is
the document “confirmation of power of representation” “to confirm the contract”
which was sent and generated by BTP ONETEC SL (trusted third party) for each
associated consumer (request for confirmation response), which reflects for signature
the data of the telephone number and email of the associated consumer recipient
who grants the power. Generally on the dates of June, July 2021.

-The document that complements the previous one follows, “power of representation” to
EDP, which also includes the names and surnames, their NIF and their
address for, among others:

- the necessary procedures for the registration, modification or deregistration of the
solar installation in which the client participates, and for,

- the signature, on behalf of the Client, of the Agreement for the Distribution of the energy
generated by the Installation, after determining the coefficient that corresponds to the
Client based on the capacity of the Installation, the number of associated consumers
that share it and what has been agreed in the contract signed between
the Client and EDP.

- “Making the communications that are necessary in relation to the
Distribution Agreement to the distribution company and the marketer with which the
Client has contracted the supply.”

By date, the oldest power of attorney is signed on 06/21/2021.

The claimant's power of attorney contract is included among all those sent and also appears in the list of the 99 NIFs.

FIFTH: Consult data of the company EDP SOLAR ESPAÑA, S.A.

According to the report collected from the AXESOR tool, the entity EDP
SOLAR ESPAÑA, S.A. is part of the economic group VERBUND GREEN POWER
GMBH, EU size: Corporate

In financial information in 2022, (…) euros appear as turnover,
in type of company: group subsidiary, 60 employees, medium-sized, parent company
global VERBUND GREEN POWER GMBH with more than a thousand employees

LEGAL BASIS

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants to each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of 5/12, on Personal Data Protection and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve
this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency shall be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

II Unfulfilled obligation

In the GDPR, it is defined in its article 4.1), 2) and 7:

“1) “personal data”: all information about an identified or
identifiable natural person (“the interested party”); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

“2)“processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;”

(…)

7) “data controller” or “controller”: the natural or legal person, public authority,
service or other body which, alone or jointly with others, determines the purposes and
means of the processing; if Union or Member State law
determines the purposes and means of processing, the controller or the
specific criteria for its appointment may be established by Union or Member State law.

In this case, for the purposes of personal data protection, the
content of the ANNEX sent by email on 22/02/2023 on behalf of the respondent,
EDP, to the participants in an electrical self-consumption process in order to
enable self-consumption in their domestic contracts, once the distribution agreement between the participants was signed by EDP on behalf of and by mandate of each of
the participants in the project. To carry out the incorporation of each participant in
their individual electricity supply contracts, and to complete a procedure, EDP sent the email to all the participants, giving them a common annex that is the subject of the
complaint.

The reason for sending the email with the attached file was, according to the letter of the email, that
the marketing companies would probably contact them, and the 99 participants in the process, most of them natural persons (except FIVE, who are
legal entities), were sent an attached pdf file (319 pages) with the documentation
and the data that each participant theoretically had to provide to their
marketing company.

The person responsible for the treatment determines the purposes and means of the treatment; that is, the
why and the how of the treatment. He must decide on both the purposes and the
means.

EDP's status as data controller is fulfilled
because the participants in the self-consumption project, after each of them accepts it,
establish a contractual relationship with EDP, with which they sign the contracts, for the
purpose of managing, maintaining, developing, completing and controlling the contracting and
operation of the "Barrio Solar" service, including the empowerment of EDP by the
participants to sign the distribution agreement on their behalf and to carry out the
necessary procedures for the completion of the contract between the energy
distribution and marketing companies. EDP also states that it decided on the means, in
the first instance with a trusted third party to guarantee participation in the
self-consumption community, and a mandate for them to empower EDP so that EDP
signs the distribution agreement on their behalf, as well as sending emails to
the participants in the self-consumption project, as a means of processing their data, and their
specific content. In the course of that relationship, EDP processed the data of the claimant and
other participants (94 natural persons, FIVE were legal persons) defining the
purposes, such as the way to obtain the result or achieve the objective, and how
it will achieve that objective, meeting its status as data controller.


The issue is that the file attached to the email, addressed to all participants and entitled (...)_List of powers.pdf, contained data of all participants, which were related to the document called “distribution contract”. In summary, the following characteristics should be highlighted:

- Document of the “COLLECTIVE SELF-CONSUMPTION ENERGY SHARING AGREEMENT FOR INSTALLATIONS WITH SURPLUS NOT ELIGIBLE FOR COMPENSATION”, dated 10/3/2022. It consists of an Excel table containing the data of all consumers participating in the self-consumption installation, 99 people (FIVE of them legal entities), with: NIF, CUPS code (unique supply point code), UTM, cadastral reference of each home and the distribution coefficient.

- Next, on the same page of the 319-page PDF file, a copy of the documents "confirmation of power of representation" made by a trusted third party, in which you can see the telephone number and email address of the 99 people participating in the project (FIVE of them legal entities), along with a copy of the power of representation documents of 99 people (FIVE of them legal entities) with the details of name and surname and the NIF, and the postal address in favor of EDP, to, among other acts, sign in its name the "agreement for the distribution of the energy generated by the installation" and "Making the communications that are necessary in relation to the Distribution Agreement to the distribution company and to the marketer with which the Client has contracted the supply."

That is, the email is sent so that the participants can carry out an act, although in the services included in the contracts, it appears that EDP would communicate such a distribution agreement to the marketing companies, for which it held the representation.

The RAT also stated that data is communicated, among others, to (…)”.

It should be noted that all processing of personal data must comply, on the one hand, with the principles relating to data processing set out in Article 5 of the GDPR and, on the other, with one of the principles relating to the lawfulness of processing listed in Article 6 of the Regulation (see, in this regard, the judgment of 16/01/2019, Deutsche Post, C-496/17, EU:C:2019:26, paragraph 57 and cited case law). Furthermore, whatever the legal basis legitimising the processing, any controller, and the respondent EDP is one, must respect the principles of processing set out in Article 5 of the GDPR.

We will highlight Article 5.1.c) of the GDPR, which states that:

“1. Personal data shall be

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are
processed (“data minimisation”);”

This article is related to recital 39 of the GDPR, which states on data processing that “…the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that their retention period is limited to a strict minimum. Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means.”

Also, related to the legal basis on which EDP entrusts the processing of data, article 6.1.b) of the GDPR, which indicates that “the processing will only be lawful if at least one of the following conditions is met: “the processing is necessary for the execution of a contract to which the interested party is a party…”.

Article 5.1.c of the GDPR reflects the principle of proportionality (see judgment of 11/12/2019, Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, EU:C:2019:1064, paragraph 48), in the sense that, if there are alternatives to fulfill the same purpose intended by the respondent, the least invasive must be chosen.

The principle of proportionality must be observed since the use of
personal data restricts rights and freedoms, such as the right to data
protection, when processing such data.

Regarding the common characteristics of the administrative, technical and economic conditions of self-consumption of electrical energy, Royal Decree 244/2019 regulates them, and the modalities of self-consumption of electrical energy are defined in article 9 of Law 24/2013 of 26/12, of the Electrical Sector.

One of the steps, almost at the end of the process of the self-consumption installation procedures, relates the distribution agreement of the consumers associated with the self-consumption, with the distributor/marketer of the electric energy (generally, with which each owner has contracted the service).

The aforementioned Royal Decree 244/2019, establishes in Annex I, the format of the file that
must be used to communicate the distribution coefficients to the distribution company.

In principle, these "Distribution Agreements" signed by all participants must be sent individually by each consumer to the distribution company, either directly or through its marketer. If for the realization of the collective self-consumption it had been decided to form a community of renewable energies, it could exercise the representation of the associated consumers in all these procedures. Any other duly authorized agent can be a representative, acting as a self-consumption manager.

In ANNEX 1 of the aforementioned Royal Decree, it is indicated that “The energies and powers for billing and settlement purposes defined in article 3 of this Royal Decree will be calculated in accordance with the following:

1 “coefficients and requirements of the distribution coefficients””.

For each consumer and participant in collective self-consumption, this coefficient will take the values that appear in an agreement signed by all the consumers participating in collective self-consumption and notified to the distribution company as in charge of reading the consumption

On behalf of the txt file

CAU, CUPS, coefficient


Model 5 of the IDAE Guide (Institute for Diversification, professional guide for self-consumption processing, edition v.5.1, January 2023) contains a model of an “agreement for the distribution of collective self-consumption energy, installations with surpluses not covered by compensation”, in an excel sheet with the data of the consumer-owner of the supply, the NIF, CUPS and distribution coefficient, which is the document that must be signed.

However, EDP sent other documents unrelated to the distribution agreement, which contained: telephone number, email, postal address of the holder, UTM and cadastral reference, which exceed the distribution document and were contained in different documents related to the power of representation to EDP to manage on behalf of each client, among others, the signing of the distribution agreement.

The Guide describes the steps necessary for the processing of self-consumption
electricity generation installations.

The Guide establishes on page 12 that: “To carry out collective
self-consumption, a renewable energy community may be established provided that the
necessary requirements are met and it may act as a representative of the
associated consumers when they grant the corresponding
authorizations. However, collective self-consumption may be carried out without
establishing a renewable energy community, simply by agreement between the
consumers.

Any other duly authorised agent may also be the representative,
acting as a self-consumption manager.”

The IDAE guide defines the difference between “marketing companies”, which are those that sell energy to consumers through supply contracts that are signed with them, and “distribution companies”, which are the owners of the electricity distribution network that provide the distribution service and are responsible for its management, operation and maintenance. They are responsible for analysing, and where appropriate, accepting or denying access and connection requests.” “They are also responsible for providing marketing companies with the necessary data so that billing and settlement of energy and of the tolls, charges and amounts that apply can be carried out.”

According to the IDAE Guide, the distribution agreements must be sent by each consumer to the distribution company, directly or through its marketing company. (All consumers must send the same signed agreement) for collective self-consumption if it has been decided to form a renewable energy community, this may represent the associated consumers in all these procedures. Any other duly authorized agent can be a representative, acting as a self-consumption manager” (section 13 Distribution agreement and surplus compensation contract).

Page 132 of the aforementioned Guide, “collective self-consumption WITH surpluses not subject to compensation”, reiterates that “it is necessary for the participants to sign an agreement with the criteria for distribution of the energy generated. This agreement must be signed by all associated consumers and sent individually by each associated consumer to the distribution company - directly or through its marketing company - In the file that consumers must send "in a plain text file with a "txt" extension that will contain the value of the coefficients of the consumers who participate in self-consumption", containing the fields:

Self-consumption code, CUPS, time, coefficient

In this specific case, the claimant states that an email is sent to him on 02/22/2023. ECODES and EDP acknowledge that it was sent on the latter's orders, containing a file that EDP transfers for submission to the participants in the self-consumption project (99 people, FIVE of them legal entities) with two annexes. One of the attached annexes, in pdf, “(...) (which responds to the CAU self-consumption code) List of powers.pdf”, certifies that it contains the DISTRIBUTION COEFFICIENTS, with personal data beyond the MINIMUM CONTENT that determines the applicable sectorial norm, because each participating partner is also sent the powers of representation with data that have no relation to the aforementioned distribution coefficient document.

Having analyzed the context of the sending of the cited email of 02/22/2023 in which the attached pdf file is sent with the data that are the subject of a claim regarding the progress in the self-consumption supply process, it indicated that it could be that the electricity marketers asked the participants, “a series of information on the self-consumption installation to which you are registered”, and it was instructed that “The documentation that each of you has to send them and that we attach in this email is the following: Distribution Coefficients Contract (PDF).”

Thus, the context in which the email and the attached file are sent in the specific case has nothing to do with the repeated thesis of EDP that the distribution agreement is sent for transparency and no element can be removed, because in that case it would not require the submission of the powers of each associate with their data or the data of the signed contract.

The signed distribution agreement, for which the defendant held the power of the partners, must be distinguished from the documents that serve as a basis and instrument to achieve that distribution agreement. Alternatively, the content that EDP gave to that distribution agreement, introducing data of the participants that do not appear either in the Royal Decree that regulates the matter, or in the IDAE Guide. Finally, the provision in an annex sent to the participants by email, containing that information referring to participating persons that goes beyond the legitimacy for which the participants provided the data to EDP, framed in the purpose of the provision of the service, for which such data are not limited to what is necessary.

Neither the consent of each user to register for the project granted through a trusted third party, with the data contained therein (NIF, email, telephone number) would form part of said distribution agreement, both due to the nature of the document and its purposes and its lack of relation to the distribution agreement, being a mere instrument for its subsequent achievement.

The same can be said of the general granting of powers for the various activities that make up the self-consumption project to EDP, which are also attached in the attachment sent by email. The address of the participating consumers was contained here, which may not be that of the supply headquarters, and their NIF.

Therefore, the purpose of the case in question, according to the literal meaning of the email sent, does not respond to that reason but to the sending of the distribution agreement to the marketing company that contains the distribution coefficients. It is therefore concluded that the principle of data minimization has been broken by sending the annex by email that contained part of the data that was inadequate, not pertinent, and excessive for what was necessary in relation to the purposes for which they are processed.

In this specific case, it is observed in a first internal aspect of the data processing that:

- Each associated consumer gave power to the respondent, EDP, not only to sign the distribution agreement on behalf of each client, but also, among others (quoting literally from the document "power of representation" to EDP), for the "realization of the communications that are necessary in relation to the distribution agreement to the distribution company and the marketer with which the client has contracted the supply", so it is not understandable that all the data referred to in the attached file is sent to each associated consumer, since it would have been EDP SOLAR ESPAÑA, S.A.'s responsibility to send the said documentation to each distributor, not to each user.

- Here, we are analyzing not what would be brought to the attention of the Distributor/Retailer, but what was brought to the attention of the associates in the “Barrio Solar” self-consumption project, and its necessity and proportionality. In order to recognize that the distribution agreement signed by all associated consumers identifies the holders, at least for the distributor/retailer, the aforementioned distribution agreement should also contain the name and surname as a necessary minimum identifying value.

- The data: NIF, cadastral reference, address of each participant, telephone number and email do not need to be made known to all the participants in the self-consumption process.

Having examined the circumstances and purpose of the sending, it is agreed that it was not necessary or pertinent and that EDP SOLAR ESPAÑA, S.A., has exceeded the limits of the content of personal data included in the attached file that is the subject of the claim, disseminating all the data among all the components of the aforementioned self-consumption.

It is therefore considered that EDP SOLAR ESPAÑA may have infringed article 5.1.c) of the
RGPD.

III Classification of the infringing conduct

In accordance with the evidence available, it is considered that the respondent has processed data that was excessive as it was not necessary, adequate or proportionate for the purpose pursued and intended.

The known facts constitute an infringement, attributable to the respondent, of article 5.1.c) of the GDPR, with the scope expressed in the previous Legal Basis, which, if confirmed, could entail the commission of the infringement classified in article 83.5, a) of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides that:

“Infringements of the following provisions shall be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever amount is greater:

a) the basic principles for the treatment, including the conditions for consent under articles 5, 6, 7 and 9;”

In this regard, the LOPDGDD, in its article 71 establishes that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute
infringements”.

For the purposes of the limitation period, article 72 of the LOPDGDD indicates:

“Article 72. Infringements considered very serious.

“1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and shall be subject to a three-year statute of limitations:

a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679.

IV Proposed sanction

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

“Each supervisory authority shall ensure that the imposition of administrative fines
in accordance with this Article for infringements of this Regulation
indicated in paragraphs 4, 5 and 6 are effective,
proportionate and dissuasive in each individual case.”

“Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58, paragraph 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentionality or negligence of the infringement;

c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;

d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures implemented by them pursuant to Articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement;

i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;

j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

Regarding section k) of Article 83.2 of the GDPR, the LOPDGDD, Article 76,
“Penalties and corrective measures”, provides:

“2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:

a) The continued nature of the infringement.

b) The connection between the offender's activity and the processing of personal data.

c) The benefits obtained as a result of the commission of the infringement.

d) The possibility that the affected party's conduct could have led to the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The voluntary submission by the controller or processor to
alternative dispute resolution mechanisms, in those cases in which
there are disputes between them and any interested party.”

Article 83.1 of the GDPR states that when imposing administrative fines for
infringement of the GDPR, the Control Authority will ensure that they are in each case
“effective, proportionate and dissuasive”. These criteria that govern the
determination of the amount of the fine oblige all circumstances to be taken into
consideration. In this case, the following circumstances are considered to be concurrent:

- Article 83.2.a) of the GDPR:

“Nature, seriousness and duration of the infringement, taking into account the nature,
scope or purpose of the processing operation in question, as well as the
number of interested parties affected and the level of damages they have
suffered”

The Agency considers that the nature of the infringement entails a loss of
disposition and control over personal data to the participants in the
self-consumption electricity project. The data processed in the processing operation of sending the
file improperly were: the cadastral reference, the UTM code, the telephone
number, the email, the address of the holders, which is a circumstance that
affected 99 users (FIVE of them legal entities).

- Article 83.2.b) of the GDPR.

Intentionality or negligence in the infringement:

The Supreme Court in its judgment of 23/10/2010 - appeal no. 1,067/2006 - points out that, "although the guilt of the conduct must also be the subject of proof, it must be considered in order to assume the corresponding burden, that ordinarily the volitional and cognitive elements necessary to assess it form part of the typical proven conduct, and that its exclusion requires that the absence of such elements be proven, or in its normative aspect, that the diligence that was required by the person claiming their nonexistence has been used; in short, invoking the absence of guilt is not enough for exculpation in the face of typically unlawful behavior."

There can be no talk of administrative sanction without the existence of the subjective element of guilt. The conduct of EDP SOLAR ESPAÑA, S.A., would not be punishable if there were no intent or fault. In the conduct of EDP, which acted as agent of a large number of people, bilaterally arranging, on the one hand, the service contracts with the self-consumption partners, and, on the other hand, managed the common distribution document, which was the one that had to be presented to the marketer. It was clear that, as agent, it could not ignore that the contract and mandate documents, that of the claimant dated 07/05/2021, prior to the distribution agreement document, dated 10/03/2022, contained components and their purposes were totally different. The first, arising from the bilateral relationship associated with EDP SOLAR ESPAÑA, S.A., and mandate, while the distribution agreement had to contain a limited number of data of the entire group of users of self-consumption associated with the same project, among which were not those contained in the mandate and contract documents. A fact that seems clear. The fact of consulting the AEPD if the treatment was being carried out correctly, ignored that, in the email addressed to 99 people (FIVE of them legal entities), there was an attached file that did not maintain the proportionality and necessity in the treatment of such data. EDP SOLAR ESPAÑA, S.A., has maintained throughout the entire transfer of the claim and in previous investigation actions, that its action conformed to the model established in the Royal Decree and in the IDAE Guide as determined in the model and annex, when it must obviously be recognized from the beginning that more data has been processed and communicated to the associates of self-consumption... Therefore, although the Agency considers that there was no intention on the part of EDP SOLAR ESPAÑA, S.A., there is a lack of diligence in this conduct, not ensuring compliance with the data protection that was incumbent on it.

With their deterrent effect, administrative fines contribute to reinforcing the protection of natural persons with regard to the processing of personal data and constitute, therefore, a key element to guarantee respect for the rights of said persons, in accordance with the purpose of the aforementioned Regulation to ensure a high level of protection of these persons with regard to the processing of personal data, which lead to determining that the fine to be imposed is 70,000 euros, without prejudice to what results from the instruction of the procedure.

V Adoption of measures

If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may "order the person responsible or in charge of the treatment that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period...". The imposition of this measure is compatible with the sanction consisting of an administrative fine, according to the provisions of art. 83.2 of the RGPD.

Please note that failure to comply with the possible order to adopt measures imposed by
this body in the sanctioning resolution may be considered an
administrative infringement in accordance with the provisions of the GDPR, classified as an
infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a
subsequent administrative sanctioning procedure.

In relation to the measure, you must adjust the data processing when communicating to
participants the data that is strictly necessary. Therefore, this
measure would be imposed within 30 days from the notification of the resolution issued.

Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency,

IT IS AGREED:

FIRST: TO INITIATE SANCTIONING PROCEDURE against EDP SOLAR ESPAÑA, S.A., with NIF A74466178, for the alleged infringement of article 5.1 c) of the RGPD, in accordance with article 83.5.a) of the RGPD, and classified as very serious for the purposes of prescription in article 72.1.a) of the LOPDGDD.

SECOND: TO APPOINT B.B.B. as instructor and C.C.C. as secretary, indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of 1/10, on the Legal Regime of the Public Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1/10, of the
Common Administrative Procedure of Public Administrations, (hereinafter, LPACAP), the sanction that may correspond would be 70,000 euros, without
prejudice to what results from the instruction.

FIFTH: NOTIFY this agreement to EDP SOLAR ESPAÑA, S.A., with NIF A74466178, granting it a hearing period of ten working days to formulate the allegations and present the evidence it considers appropriate. In its written allegations, it must provide its NIF and the file number that appears in the heading of this document.

If within the stipulated period it does not make allegations to this initiation agreement, it may be considered a resolution proposal, as established in article 64.2.f) of the LPACAP.

In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your responsibility within the period granted for the formulation of allegations to this initiation agreement, which will entail a 20% reduction of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at 56,000 euros, the procedure being resolved with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this
procedure, make the voluntary payment of the proposed sanction, which
will entail a 20% reduction of its amount. With the application of this reduction,
the sanction would be set at 56,000 euros, and its payment will imply the termination
of the procedure, without prejudice to the imposition of the corresponding measures.

The reduction for voluntary payment of the fine may be added to the reduction that must be applied for the acknowledgment of liability, provided that this acknowledgment of liability is made clear within the period granted for making objections to the opening of the procedure. Voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be set at 42,000 euros.

In any case, the effectiveness of any of the two reductions mentioned will be
conditioned to the withdrawal or waiver of any action or appeal through administrative
course against the sanction.

If you choose to proceed with the voluntary payment of any of the amounts indicated above, 56,000 euros or 42,000 euros, you must make the payment by depositing it in the account number IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you are entitled.

Likewise, you must send proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date of the start agreement. After this period, it will expire and, consequently, the proceedings will be archived; in accordance with the provisions of
article 64 of the LOPDGDD.

In compliance with articles 14, 41 and 43 of the LPACAP, you are advised that, from now on, the notifications sent to you will be made exclusively electronically, through the Single Authorized Electronic Address (dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the file, considering the procedure to be carried out and the procedure to be followed. You are informed that you can identify an email address with this Agency to receive the notice of the availability of notifications and that the lack of practice of this notice will not prevent the notification from being considered fully valid.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
there is no administrative appeal against this act.

935-30102023

Mar España Martí
Director of the Spanish Data Protection Agency

>>

SECOND: On December 5, 2024, the respondent party paid the fine in the amount of 42,000 euros, using the two reductions provided for in the initiation agreement transcribed above, which implies the recognition of responsibility.

THIRD: Payment made within the period granted to submit objections to the opening of the procedure entails the waiver of any action or appeal in administrative proceedings against the sanction and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement and their legal qualification.

FOURTH: The Initiation Agreement transcribed above indicated that, if the infringement were confirmed, the controller could be ordered to adopt appropriate measures to bring its conduct into line with the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...".

Since responsibility for the infringement has been recognized, the imposition of the measures included in the Initiation Agreement is appropriate.

BASIS OF LAW

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Presidency of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), under the heading
"Termination of sanctioning procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is of a purely monetary nature or when it is possible to impose a
monetary sanction and another of a non-monetary nature but the
inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of
compensation for the damages and losses caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, which may be accumulated with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

The percentage of reduction provided for in this section may be increased by regulation."

In accordance with the above,
the Presidency of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202305278, in
accordance with the provisions of article 85 of the LPACAP.

SECOND: ORDER EDP SOLAR ESPAÑA, S.A. to notify the Agency within 30
days from the date this resolution becomes final and enforceable of the adoption of the
measures described in the legal grounds of the
Initiation Agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to EDP SOLAR ESPAÑA, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of the aforementioned Law.

1259-101224
Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with art. 48.2
LOPDGDD, due to vacancy in the position of President and Deputy

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es