AEPD (Spain) - PS/00099/2022
AEPD - ps-00099-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR Article 83(4) GDPR Article 83(5) GDPR §71 LOPDGDD §72LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 35.000 EUR |
Parties: | n/a |
National Case Number/Name: | ps-00099-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
The Spanish DPA imposed a €35,000 fine on an energy company for the violation of Article 5(1)(f) GDPR and 32 GDPR because an employee accidentally sent an email to the data subject with personal data belonging to other clients.
English Summary
Facts
The data subject submitted a complaint against a gas and electric company (the controller) for receiving emails containing personal data belonging to different people, including names, surnames, ID numbers, signatures, and the universal supply point code (which is a unique and permanent code that identifies every home or business which receives energy). The data subject had a contract with another company called “Free Energy” whose corporate address was the same as the controller’s and proceeded to request the deletion of their data from the controller before submitting the complaint to the Spanish DPA.
The DPA started an investigation against the controller for a violation of Article 5(1)(f) and 32 GDPR and found out that the submission of those emails to the data subject was carried out by mistake by an employee of the company and that they were intended for another internal department. Moreover, the personal data breach was not noticed, therefore, not communicated to the DPA within 72 hours as foreseen in the GDPR. There were two affected persons and there was no evidence of access to those data by third persons other than the recipient. Finally, the controller proceeded with the deletion of data as requested by the data subject.
After the notification of the proposed fines, the controller claimed, in the first place, that the DPA would be infringing the principle ‘ne bis in idem’ by sanctioning the company both under Articles 5 and 32 GDPR. Secondly, the controller argued that a fine would be disproportionate to the infringement. In the third place, the infringement was not intentional. Finally, after the incident, the company implemented a list of technical and organisational measures to ensure security of the processing.
Holding
The DPA stated that for the application of the principle ‘ne bis in idem’, it is mandatory that a similarity existed between subject, facts and grounds, which was not observed in the case. Both Article 5(1)(f) and Article 32 GDPR related to different facts, since the former was applicable because the personal data of two persons had been unlawfully exposed to a third party, the data subject. The latter provision applied to the present case due to the obligation of the controller to implement technical and organisational measures to ensure an adequate security level, an obligation that was not observed since the company did not have a protocol to avoid or to filter the inclusion of client’s emails addresses in internal communications.
Regarding the second claim, the DPA noted that the violation of the mentioned provisions was foreseen as grievous under the national legislation (Articles 71 and 72 LOPDGDD) and that both extenuating and aggravating circumstances have been taken into account, thus the fines were proportionate.
Finally, DPA made clear that there was no attribution of intention to the controller but only responsibility. For this, it referred to the Supreme Court case law regarding the concept of culpability in administrative sanctions, which can be observed as a consequence of acts or omissions based on malice, imprudence, negligence or inexcusable ignorance. It also alluded to the recent Supreme Court case (Sentencia 188/2022 de 15/02/2022), which asserted that legal entities are responsible for their employees' acts. It is not an objective responsibility but the lack of due care that is transferred to the legal entities.
Considering the above, the Spanish DPA upheld the complaint and sanctioned the controller with €10,000 for the violation of Article 5(1)(f) GDPR and €25,000 for the violation of Article 32 GDPR.
Comment
There is a pattern in the Spanish DPA resolutions regarding the consideration as aggravating circumstances the industry to which the controller belongs and the amount of data that is meant to handle due to their activity. In the same sense, it is considered as an extenuating circumstance the fact that the breach of security did not affect more than three persons.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12 File No.: PS/00099/2022 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated March 28, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against OES GLOBAL ENERGY S.L. with NIF B01901941 (in forward, OES). The grounds on which the claim is based are as follows: Indicates that you have gas and energy supply contracts with the company FREE ENERGY, but has received an email from OES, whose address coincides with that of FREE ENERGÍA, in which withdrawal documents of some electricity contracts signed by two other customers, identified by their name and DNI. Provide, along with your written claim: - Print email dated March 18, 2021 sent by clients@oesenergia.com (indicated to be from the Department of SAC and Incidences) to various email addresses, including that of the claiming party. In this email, it is indicated that the email of a client is attached requesting the withdrawal of contracts, and the name and surname of a client with 10 CUPS, and name and surname of another client with 2 CUPS. The names of these two clients are different from the claimant. - Printing of two pages of the annex to the previous mail that are the last page of withdrawals with SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. – OES ENERGÍA (with NIF B67421875) and the two clients that appeared in the mail. Of These two clients show the following data: name, surname, DNI, CUPS and handwritten signature. - Printing of email dated March 26, 2021 sent by the claimant to datos@oesenergia.com in which you request the deletion of your data because has received an email with data from other clients, and attaches the previous email from date March 18, 2021. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/12 hereinafter LOPDGDD), said claim was transferred to OES so that proceed to its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was not collected by the person in charge; reiterating the transfer on 05/26/2021 by certified mail, it was returned again for "unknown". No response has been received to this transfer letter. THIRD: On June 28, 2021, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing. FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in matter, by virtue of the investigative powers granted to the authorities of control in article 58.1 of Regulation (EU) 2016/679 (General Regulation of Data Protection, hereinafter RGPD), and in accordance with the provisions of the Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following ends: INVESTIGATED ENTITIES During these proceedings, the following entity has been investigated: OES GLOBAL ENERGY S.L. with NIF B01901941 with address in RAMBLA DEL GARRAF, Nº 76 - 08812 SANT PERE DE RIBES (BARCELONA) RESULT OF THE INVESTIGATION ACTIONS The following information is provided, among others: 1. Indication that the incident described by the claimant occurred due to a punctual error when including the email address of the claimant as recipient of an internal company email. 2. Indication that this incident was not reported to the AEPD within 72 hours because, Since the security breach was not detected, the possibility of notify the AEPD or those affected. 3. Indication that, since there are two affected parties and due to the type of data, the incident does not imply a risk to the rights and freedoms of those affected. 4. Indication that there is no evidence that third parties have accessed the data, apart from the claimant. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/12 5. Indication that the mail sent by the complaining party was not detected due to a human error; for this reason, OES did not respond to the request to delete the claimant until this file was sent to her by the AEPD. 6. Printing of email dated February 17, 2022 sent by juridico@grupovisalia.com to the email of the complaining party in which indicates that the response to your request to OES is attached. And also attached a letter addressed to the claimant with the following content: In response to your request for data protection, we inform you that, In accordance with the same, OES ENERGÍA has proceeded to process the deletion of your personal data. Notwithstanding the foregoing, and in accordance with the provisions of article 17.3 RDPG, we will proceed to keep your data for the fulfillment of the legal obligations that may arise from its legal relationship with the company, as well as, where appropriate, to comply with judicial requirements. For all these reasons, and given that OES ENERGÍA wants to scrupulously respect the exercise of your rights, we inform you that we remain at your disposal for any clarification you need. FIFTH: On April 4, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, and Article 32 of the RGPD, typified in article 83.4 of the RGPD Once notified of the initiation agreement, OES submitted a brief of arguments in which synthesis stated: -That he considers the proposal for an economic sanction disproportionate for the alleged Non-compliance with the normative precepts indicated, since the criterion that has followed by the AEPD when imposing sanctions for presumed infractions of the precepts included in articles 5.1.f) and 32 RGPD in other files, diverges established in this Sanctioning Procedure, suffering OES a grievance comparative. OES adds that it does not quite understand what is the reason why the proposal for penalty of this Penalty Procedure is so high, especially considering account that the sanctioning activity of the Administration is subject to the principle of proportionality, and that it understands that the amount of the sanctions imposed has not been seen properly modulated. -In this regard, this Agency points out that, although the penalty initially set is within the framework established by articles 83.5 and 83.4 of the RGPD, for the infringement of articles 5.1.f) RGPD and 32 RGPD, respectively, it is no less true that there are several factors that must be considered when setting the sanction so that it is proportional and appropriate to the infraction analyzed in each case. Taking, then, consideration all the factors, studying the allegations made by C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/12 OES in this regard, it can be concluded that it would be appropriate to estimate partially the same in the sense of reducing the amount of the fines initially proposed. -That one of the principles that governs the sanctioning administrative law is the “non bis in idem” principle, which implies that two or more sanctions on the same facts, and that the fact that prompts this Procedure Sanctioning is the sending, due to a human and punctual error, of an internal mail to a client who was mistakenly put as the recipient of the same. OES understands that this fact is sanctioned by the AEPD twice, once by infringement of article 5.1.f) RGPD in relation to the non-observance of the principle of confidentiality and integrity, and another for the breach of article 32 RGPD in regarding the lack of adoption of technical and organizational measures that result appropriate to guarantee a level of security appropriate to the risk of the treatment, must be sanctioned for a single infraction. -In this regard, it should be noted that Law 40/2015, of October 1, on Regime Legal Men of the Public Sector (LRJSP) includes the NON BIS IN IDEM principle, by establishing in its article 31.1: “The facts that have been criminal or administrative may not be sanctioned. mind, in cases in which the identity of the subject, fact and fundamentals unto”. In the present sanctioning procedure, the necessary presuppositions are not given. since different facts are imputed, each one of them, likewise, pified in different articles of the RGPD. The assumption typified in the article 5.1.f) of the RGPD refers to the fact that the personal data of two clients of OES were exposed to a third party. The assumption typified in article 32 refers to the fact that both the person in charge and the person in charge of the treatment Appropriate technical and organizational measures must be taken to ensure level of security appropriate to the risk, concluding that such measures do not had been adopted in the present case. -That the facts that have led to the initiation of the Sanctioning Procedure are not they obey, in no case, to a desire to break the confidentiality of the data of OES clients, nor to any other type of intention of OES to breach with its obligations in terms of data protection, not concurring the necessary requirement of guilt to be able to impose an administrative sanction since it is established the jurisprudential criterion that any sanction should be ruled out apart from faulty or negligent conduct (principle of culpability in sanctioning matters); so they want to show that, in no case, OES has sought a re- result of disclosure of the personal data of its clients and that has only been pro- duced a claim for these facts, being, as previously mentioned- mind, due to human and punctual error. -In this regard, this agency cites the Judgments of the Supreme Court of 12 (rec. 388/1994) and May 19, 1998, Sixth Section, which state that "in the scope of administrative responsibility it is not enough that the conduct is C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/12 unlawful and typical, but it is also necessary that he be guilty, that is, consequence of an action or omission attributable to its author due to malice or prudence, negligence or inexcusable ignorance (...)” In the present case, it can be seen that OES is responsible and, therefore, guilty, in the sense indicated by the aforementioned judgments, of the infractions imputed das, without being excused in the lack of intentionality, because there is no doubt that his conduct has been at least imprudent, in sending by co- e-mail to a client the contracts corresponding to two other people. nas, contracts containing personal data. -That, from the moment you became aware of the security breach that has originated in a first moment the Initial Requirement and, later, the Sanctioning Procedure, has applied the following technical and organizational measures: you go (in addition to those indicated in the response to the Initial Request): • Implement training courses for employees • Configuration of the e-mail of all the personnel, eliminating the predictive mail autocomplete. • Study of the feasibility of forwarding email to an external mail server. terno to filter recipients. -In this regard, this Agency has nothing to object to or add to the measures days implemented. SIXTH: On June 1, 2022, a resolution proposal was formulated, proposing That the Director of the Spanish Data Protection Agency sanction OES GLOBAL ENERGY S.L., with NIF B01901941: -for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, with a fine of €25,000 (twenty-five thousand euros). -for an infringement of Article 32 of the RGPD, typified in Article 83.4 of the RGPD, with a fine of €10,000 (ten thousand euros). SEVENTH: Once the proposed resolution has been notified, OES presents a new written allegations dated 08/04/2022, in which all the allegations are considered reproduced made in the previous writings, and adds that: - In relation to the reasoning set forth by the AEPD in response to the allegation third in the motion for a resolution, does not share this argument by the following reasons: 1st. The AEPD on the one hand indicates that OES cannot be exonerated from its lack of intentionality, but justifies the same in the existence of a conduct that “has been reckless to say the least." This part understands that intentionality (fraud) and imprudence are opposite terms and cannot be malicious conduct C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/12 consequence of reckless conduct or, in other words, he cannot be attribute to OES having acted intentionally when the conduct that allegedly originates the fraud in the action is qualified as guilty by the AEPD. 2nd. In any case, the allegedly infringing conduct indicated by the AEPD and imputes OES as "reckless", this part understands that it could only be attributable to an alleged infringement of OES of article 32 RGPD in relation to the technical and organizational measures applied to the processing of personal data since, where appropriate, it would be up to the data controller to design and implement those that are necessary to safeguard the security of the data personal treated. However, the fact that in the field of activity of the company, a worker, imprudently, has made a copy of the claimant in an email whose recipients should have been only internal personnel of the company, constitutes a circumstance that, more beyond the possible technical and/or organizational measures that OES could have implemented at the time, escapes the effective control of the company as soon as it is a human and punctual error that has consisted in not checking the recipients of a internal email prior to shipment. In view of everything that has been done, by the Spanish Data Protection Agency In this proceeding, the following are considered proven facts: PROVEN FACTS FIRST: It is proven that the claimant party had signed contracts of gas and energy supply with the company FREE ENERGÍA. SECOND: It is proven that the complaining party received an email of OES, whose address coincides with that of FREE ENERGÍA, in which are attached withdrawal documents from some electricity contracts signed by two other customers, identified with their name and ID. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47 and 48.1 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/12 II In relation to the allegations presented to the resolution proposal, OES considers reproduced those already presented above and adds that: 1-In relation to the reasoning set forth by the AEPD in response to the allegation third in the motion for a resolution, does not share this argument since the AEPD on the one hand indicates that OES cannot be exonerated from its lack of intentionality, but justifies the same in the existence of a conduct that “has been least reckless”, and they understand that intentionality (fraud) and recklessness are opposite terms, not being able to be a malicious conduct as a result of a reckless conduct or, to put it another way, OES cannot be credited with having acted intentionally when the conduct that supposedly originates the fraud in the action is qualified as negligent by the AEPD itself. -In this regard, this Agency clarifies that at no time has it been attributed to OES intentionality in action, but without responsibility, in the given sense by the sentences cited, Judgments of the Supreme Court of 12 (rec. 388/1994) and May 19, 1998, Sixth Section, which state that “in the context of administrative liability it is not enough that the conduct is unlawful. and typical, but it is also necessary that it be guilty, that is, consequence. consequence of an action or omission attributable to its author due to malice or recklessness. inexcusable ignorance, negligence or ignorance (...)” 2- The allegedly infringing conduct indicated by the AEPD and attributed to OES as "reckless", they understand that it could only be attributable to a supposed violation of OES of article 32 RGPD in relation to technical measures and organizational measures applied to the processing of personal data since, where appropriate, It would be up to the data controller to design and implement those that were necessary to safeguard the security of the personal data processed. However, the fact that in the scope of the ordinary activity of the company, a worker, recklessly, has put a copy to the claimant in an email email whose recipients should have been only internal staff of the company, constitutes a circumstance that, beyond the possible technical measures and/or organizational that OES could have implemented at the time, escapes the effective control of the company as it is a human and punctual error that has consisted of not reviewing the recipients of an internal email prior to its Shipping. -In this regard, this Agency cites Judgment 188/2022 of the Third Chamber Section of the Administrative Litigation of the Supreme Court, dated 02/15/2022, which in its foundation of Third Law indicates: (...) Finally, it is appropriate to remember that legal persons are responsible for the action of its employees or workers. It does not therefore establish a strict liability, but if the lack of diligence of its employees, in this sense STC 246/1991, of December 19 f.j 2. (…) III Article 5.1.f) “Principles related to treatment” of the RGPD establishes: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/12 "1. The personal data will be: (…) f) treated in such a way as to ensure adequate security of the personal data, including protection against unauthorized processing or against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality”).” In the present case, it is clear that there was an improper exposure of personal data of clients, stored in the OES database, since they were sent by mail electronically signed documents containing personal data such as name, surnames and DNI, to a third party. IV Article 83.5 of the RGPD under the heading "General conditions for the imposition of administrative fines” provides: “The infractions of the following dispositions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; (…)” In this regard, the LOPDGDD, in its article 71 "Infringements" establishes that “The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law. For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates: "1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)” v For the purposes of deciding on the imposition of an administrative fine and its amount, considers that the infringement in question is serious for the purposes of the RGPD and that It is appropriate to graduate the sanction to be imposed in accordance with the following criteria that establishes article 83.2 of the RGPD: As mitigating factors: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/12 -The incident affected only three people, without which to date has verified that they suffered any damage derived from it. (Article 83.2.a) Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and measures corrective measures” of the LOPDGDD: As aggravating factors: - The link between the offender's activity and the performance of processing of personal data, since in the case of a company energy supplier, with numerous clients with whom it deals sign contracts, process a large number of personal data. (Article 76.2.b) The balance of the circumstances contemplated in article 83.2 of the RGPD and the Article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the established in article 5.1.f) of the RGPD, once examined, also, the allegations of OES, allow a penalty of €25,000 (TWENTY-FIVE THOUSAND EUROS). SAW Article 32 “Security of treatment” of the RGPD establishes: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for the rights and freedoms of individuals physical, the person in charge and the person in charge of the treatment will apply technical measures and appropriate organizational measures to guarantee a level of security appropriate to the risk, which in your case includes, among others: a)pseudonymization and encryption of personal data; b) the ability to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and evaluation of the effectiveness technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular account shall be taken of takes into account the risks presented by the processing of data, in particular as consequence of the accidental or unlawful destruction, loss or alteration of data data transmitted, stored or otherwise processed, or the communication or unauthorized access to said data. 3. Adherence to an approved code of conduct under article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/12 4. The person in charge and the person in charge of the treatment will take measures to guarantee that any person acting under the authority of the person in charge or the person in charge and has access to personal data can only process said data following instructions of the person in charge, unless it is obliged to do so by virtue of the Right of the Union or the Member States. In the present case, at the time of the breach, OES did not adopt a minimum of measures tending to avoid that, together with the e-mail addresses e-mail from people belonging to their own organization, to whom they were intended for the withdrawal documents of several CUPS of two clients, include the email address of the complaining party, which is why it ended receiving documents not originally intended for her, with personal data from others. 7th Article 83.4 of the RGPD under the heading "General conditions for the imposition of administrative fines” provides: “The infractions of the following dispositions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the global total annual turnover of the previous financial year, opting for the largest amount: a) the obligations of the person in charge and the person in charge pursuant to articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 "Infringements" establishes that “The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law. For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on the provisions of article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee an adequate level of security when risk of treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. (…) viii For the purposes of deciding on the imposition of an administrative fine and its amount, considers that the infringement in question is serious for the purposes of the RGPD and that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/12 It is appropriate to graduate the sanction to be imposed in accordance with the following criteria that establishes article 83.2 of the RGPD: As mitigating factors: -The incident affected only three people, without which to date has verified that they suffered any damage derived from it. (Article 83.2.a) Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and measures corrective measures” of the LOPDGDD: As aggravating factors: - The link between the offender's activity and the performance of processing of personal data, since in the case of a company energy supplier, with numerous clients with whom it deals sign contracts, process a large number of personal data. (Article 76.2.b) The balance of the circumstances contemplated in article 83.2 of the RGPD and the Article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the established in article 32 of the RGPD, once analyzed, also, the allegations presented by OES, allow a penalty of €10,000 (TEN THOUSAND EUROS) to be set. Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE OES GLOBAL ENERGY S.L., with NIF B01901941, for a infringement of Article 5.1.f) of the RGPD typified in Article 83.5 of the RGPD, a fine of €25,000 (TWENTY-FIVE THOUSAND EUROS) IMPOSE OES GLOBAL ENERGY S.L., with NIF B01901941, for an infringement of the Article 32 of the RGPD, typified in Article 83.4 of the RGPD, a fine of €10,000 (TEN THOUSAND EUROS) SECOND: NOTIFY this resolution to OES GLOBAL ENERGY S.L. THIRD: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/12 Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-120722 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es