AEPD (Spain) - EXP202102778
From GDPRhub
| AEPD - AEPD PS-00508-2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1)(f) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 04.11.2021 |
| Decided: | |
| Published: | 10.01.2023 |
| Fine: | 24,000 EUR |
| Parties: | FACTOR ENERGIA, S.A. |
| National Case Number/Name: | AEPD PS-00508-2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Teresa López |
The Spanish DPA fined a controller €24,000 for lack of legitimate basis when processing a data subject's personal data for direct postal marketing.
English Summary
Facts
The data subject received an advertising message by post from Factor Energía, S.A. (the controller), in which they were addressed by their full name, and were given a personalised recommendation based on the characteristics of their energy supply point and consumption habits.
Since the controller was not the data subject's energy provider, they contacted the company to request information on the processing of their data. After the period given by Article 12(3) GPDR had elapsed, the controller informed the data subject that their data was obtained from the database that electricity and natural gas distribution companies make available to marketing companies, for the purposes of being able to make offers on the market (SIPS or Supply Point Information System, in English).
The data subject contacted the entity that manages the Supply Point Information System, the Spanish National Markets and Competition Commission. This entity ensured the data subject that the current legislation prohibits marketers from accessing any information that directly identifies the holder of the supply point.
After enquiries from the Spanish Data Protection Authority, the controller stated that the reply given to the data subject had been delayed due to an informatic virus attack which had encrypted their systems. Moreover, the controller indicated that the first answer given to the data subject had been provided by a trainee, since it was received during the holiday period. The controller justified this way the following changes to their reply: That the personal data relating to name, surname and postal address were obtained from publicly accessible sources. The controller was unable to specify the source as a result of the computer virus. On the other hand, the data relating to the technical conditions of the supply point were lawfully obtained from the SIPS. Moreover, the controller added that the consumption data provided to the data subject were estimations not reflecting their real consumption habits, but an aggregated value based on their postal code.
According to the information provided to the DPA, the controller based the processing of the data in their legitimate interest (customer acquisition and an increase of its visibility in the market). Also, the controller shared the legitimate interest assessment where it argued that the data subject's rights did not prevail due to the low impact of the means used (post) and the little or no effect on their legal sphere.
Holding
The Data Protection Authority held that the controller had violated Article 6(1) GDPR since the legitimate interest assessment on which the processing was based was understood as insufficient, therefore not being able to rely on Article 6(1)(f) GDPR as a legal basis.
Contrary to the controller's position, the DPA held that the rights of the data subject prevailed to the controller's interests on several grounds.
First, the DPA noted that the alleged additional safeguards were not an additional layer of protection provided by the controller, but simply protections already mandatory by data protection law.
Second, the DPA rejected the controller's argument stating that post marketing was less invasive than cold calling. The Authority pointed out that with such methods, the data subject may believe that the caller does not have their identification data, whereas the receipt of a postal communication that identifies them gives the data subject the certainty that the sender of the communication has such data. Furthermore, uncertainty arises in the data subject as to what the source of their data may have been, which leads to doubt about their power of disposal of the data.
Third, the DPA found that post marketing being an habitual practice in the industry was an insufficient basis to establish a reasonable expectation in the data subject. The Authority recalled their own report 2018/0173, which analyses the legitimacy of direct marketing actions in both electronic and non-electronic media. This report concluded that, even if the data subject has previously been a customer, the criterion for the sending of commercial communications is restrictive (to the products contracted). Therefore, this is even more so in the case of not having been a customer (as in the present case).
Fourth, the DPA rejected the controller's argument that the nature of the data processed (contact details) was an indicator of the prevalence of the company's legitimate interest. In this sense, the Authority quoted ART29WP's 06/2014 Opinion: "In general, the more sensitive the information involved, the more consequences there may be for the data subject. This, however, does not mean that data that may in and of themselves seem innocuous, can be freely processed based on Article 7(f) GDPR. Indeed, even such data, depending on the way they are processed, can have significant impact on individuals (...)".
Fifth, the controller argued that there was no other less-impact method that allowed to achieve the legitimate interest, to which the DPA disagreed, stating that the post could have been sent without including the personal data.
Finally, the Data Protection Authority noted the existence of a situation of imbalance between the data subject (consumer) and the controller (electricity supply company).
For these reasons, the DPA held that the infringement in question was serious for the purposes of the GDPR and that the sanction to be imposed should be graduated with the aggravation of negligence (Article 83(2)(b) GDPR), since the controller could not point out the public access source of the personal data, and the link between the controller's activity and the processing of personal data (Article 76(1)(b) Spanish Data Protection Law). The DPA initially contemplated a €40,000 fine, but offered two grounds for reduction: the possibility of voluntary payment of the fine and the acknowledgment of guilt. The controller invoked both and finally paid €24,000.
Comment
The Spanish Data Protection Authority did not reflect on other grounds of infringement found in this case, such as the lack of a reply within the due period, the data breach, etc. which could have potentially led to fines by their own right.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/28
File No.: EXP202102778
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
VOLUNTEER
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: On October 31, 2022, the Director of the Spanish Agency for
Data Protection agreed to start a sanctioning procedure against FACTOR ENERGÍA,
S.A. (hereinafter, the claimed party), through the transcribed Agreement:
<<
File No.: EXP202102778
AGREEMENT TO START THE SANCTION PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and in
based on the following
FACTS
FIRST: A.A.A. (hereinafter, the claiming party) dated August 16, 2021
filed a claim with the Spanish Data Protection Agency. The
The claim is directed against FACTOR ENERGÍA, S.A. with NIF A61893871 (in
forward, ENERGY FACTOR). The reasons on which the claim is based are the following:
following:
-The claimant has received an advertising message by post, from
ENERGY FACTOR, where they address him by his first and last name, and they ask him a
personalized recommendation based on the characteristics of your supply point
and their consumption habits.
- Considering that the advertising company is illegally processing your data,
since he has no relationship with it, the affected person has contacted
contact her to request information, and her Data Protection Officer will
has answered that the data comes from the Information System of Points of
Supply (SIPS). This, as they have explained, is the database that the
distribution companies of electricity and natural gas make available to the
trading companies, for the purpose of being able to make offers in the market.
- As it has been able to find out from the Internet, the complaining party explains that the system
SIPS is regulated by Royal Decree 1435/2002 and the exchange of information
that takes place in its context is managed by the National Markets Commission and the
Competition (CNMC). This body has assured the data subject in writing that it will not
has available data on electricity users since, on the 27th of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/28
November 2015, Royal Decree 1074/2015 was approved, which modified different
provisions in the electricity sector. Said decree incorporated the prohibition that the
trading companies and the CNMC could access any information that
directly identify the owner of the supply point.
-The complaining party continues to believe that illegal treatment is taking place
of your personal data. Either the company is getting them from another source, or
you are extracting them from the SIPS, but if so, even your distribution company should not
provide these data, nor the CNMC consult them, nor the other companies
distributors should be able to access them for any treatment, much
less for commercial actions.
Along with the notification is provided:
-Front of a commercial communication sent by FACTORENERGIA, with your
translation into Spanish, in which there are boxes in red that
would correspond to anonymous data.
-Email sent from the address: DPO@factorenergia.com that includes
a spreadsheet with anonymized data.
-Email that the claimant sent to the National Market Commission,
and response from the Data Protection Officer, from the address dpd@cnmc.es
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was forwarded to FACTOR ENERGIA,
to proceed with its analysis and inform this Agency within a month,
of the actions carried out to adapt to the requirements established in the
data protection regulations.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), was collected on 10/04/2021, as stated in the
acknowledgment of receipt in the file.
On 10/05/2021, this Agency received a written response indicating that
notification has been received with transfer of claim and request for information, but
A copy of the claim submitted and attached documents (if applicable) are not attached.
but only an extract of the relevant information from it, and therefore
interests the right of the undersigned to have access to and obtain a complete copy of said
claim, with the aim of being able to evacuate the information requirement of the
detailed, complete and truthful way possible, verifying the identity and correct
identification of the claimant, as well as the facts described in the request for
information and in the claim submitted.
THIRD: On November 4, 2021, in accordance with article 65 of
the LOPDGDD, the claim presented by the complaining party was admitted for processing.
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/28
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following extremes:
Relevant documentation provided by the claimant:
- Copy of the obverse of a commercial communication with header of
ENERGY FACTOR. Written in Catalan, it is anonymous (not
contains the recipient's data and no reference to the date). The complaining party
provides translation and reference to the inclusion of the following categories of
data: name, surname, address of the recipient, address of the point of
supply. The communication recommends a type of electrical installation of
self-consumption (solar panels) based on "a study of your data and habits of
electrical consumption”.
- Transcription of part of the response to the exercise of the right of access
addressed by FACTOR ENERGIA to the claimant, dated August 2
of 2021. Regarding the origin of the data processed, it expresses:
“[…] your personal data, and specifically those related to technical conditions of your
point of supply, such as the CUPS (identification number of the point of
supply), access fee, power, etc. (detailed in the attached Excel) have
status obtained lawfully through the Points of Information System
Subministro (SIPS), which is the database that distributor companies of
electricity and natural gas make available to companies
marketers, for the purpose of being able to make offers in the market.
Regarding the consumption habits to which we refer in the communication
business, as we indicated at the bottom of it in point 2, are estimated data
and standardized, not specifically customized according to the
specific characteristics neither of their home nor of their specific consumption habits.”
- Transcription of the data provided to the claimant by FACTOR
ENERGY as a response to the right of access. It's not the spreadsheet
original, but rather the list of categories of data that would have been provided to you.
Includes the categories name, surname, and address of the supply point,
in addition to technical data (tariff, power, etc.).
- Email response from the DPD of the CNMC to the claimant of
dated August 16, 2021 containing the following paragraphs:
"In strict compliance with the applicable regulations that you point out, the
CNMC does not have data on electricity users since, on December 27,
November 2015, Royal Decree 1074/2015 was approved, which modifies
different provisions in the electricity sector. Said RD incorporated the prohibition that
the trading companies and the CNMC could access any information
that directly identifies the owner of the supply point. Therefore, and in the
assumption that data of this type were being exchanged between companies in the
sector, these data do not come in any case from the CNMC.
The CNMC only has the data of end users of gas (DB of points of
supply), and the marketers do obtain them legally through our
body, but the use they make of them is, logically, their responsibility in
exclusive. However, the user may object to their data being made available.
available to other gas trading companies, expressly indicating it to the
company that supplies you.”
The antecedents that appear in the information systems are the following:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/28
FACTOR ENERGIA submitted two briefs (of October 5, 2021 and of
November 2021) in which he states:
- That in July 2021 Mrs. B.B.B. exercised the right of access from the mail
email from the complaining party.
- That said exercise could not be attended to normally since on the 24th of
June 2021, the computer systems of FACTOR ENERGIA were
affected by a virus that caused a great impact by encrypting systems and
Company data.
- That on August 2, 2021, a response to the right exercised was sent, although,
states that "the person who was in charge of responding to the applicant was
a trainee since the date coincided with the period
vacation on the part of the company's personnel, and that such a response lacks
of a certain lack of accuracy and/or specificity”.
- That the personal data related to name, surname, and postal address
They were obtained from publicly available sources. He adds that he cannot specify
the source of public access as a result of the impact of the virus
computer.
- That the data relating to the
technical conditions of the supply point. Add that you can download the
SIPS "of the distribution companies and the CNMC periodically in their capacity
marketer and that does not include the personal data of the applicant
relating to the name and surnames or their postal address”.
- That it is still (as of the date of writing -November 3, 2021-)
immersed in the file recovery process.
In addition, he attached the following relevant documentation:
- Emails exchanged on June 30, 2021 between the
IT manager at FACTOR ENERGIA and INCIBE in which
refers to the ransomware attack suffered by the entity.
- Writing signed by B.B.B. exercising the right of access against FACTOR
ENERGIA on July 2, 2021 from the email address of
the complaining party.
- Email addressed on August 2, 2021 by FACTOR ENERGIA
to B.B.B. (to the email address of the complaining party) at
response to the exercise of the right of access referred to in the previous point.
Provide a copy of the original in Catalan and a translation into Spanish. Includes the
following paragraphs:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/28
“On the other hand, we want to clarify that in no case have we carried out a
precise and exact study with your data and specific consumption habits, but
that, as indicated at the bottom of the aforementioned communication (point 2),
your data is estimated and standardized, not personalized or calculated
according to the specific characteristics of your home, or your habits of
consumption, with the understanding that our intention was to highlight
the advantages offered by photovoltaic self-consumption.
[…] Specifically, in relation to art. 5.1 a) referred to, in our
communication indicated that your data has been processed lawfully,
loyal and transparent at all times, since they were collected from sources to which
which we have access as a marketer and from sources accessible to the
public, complying with the requirements demanded by the General Regulation of
Data Protection (RGPD) and Organic Law 3/2018, of December 5, of
Protection of Personal Data and Guarantee of Digital Rights
(LOPDGDD).
[...] Specifically, on our website, it is indicated within the purposes of
processing of personal data with regard to "Non-customers", the purpose
following: "Inform about services, promotions and products related to
our activity".
[…] Your personal data, and specifically those related to conditions
techniques of your point of supply, such as the CUPS (identification number
point of supply), access fee, power, etc. (detailed in the Excel
attached) have been legally obtained through the Information System
of Supply Points (SIPS), which is the database that companies
electricity and natural gas distributors make available to the
marketing companies, for the purpose of being able to make offers in the
market.
Regarding the consumption habits to which we refer in the
commercial communication, as we indicate at the bottom of it in point 2,
are estimated and standardized data, not specially personalized
according to the specific characteristics of your home, or your specific habits
of consumption.
[…] If possible, the expected period of conservation of personal data,
or, if not possible, the criteria used to determine this term:
while you do not exercise any of your rights”
It also refers in this letter to the internet address
www.factorenergia.com to consult the privacy policy.
INVESTIGATED ENTITIES
During these proceedings, the following entities have been investigated:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/28
- FACTOR ENERGY, S.A. with NIF A61893871 with address at
***ADDRESS.1 (BARCELONA)
RESULT OF INVESTIGATION ACTIONS
In addition to the documentation mentioned above, information is collected from the
following sources:
- Letter from FACTOR ENERGIA dated June 28, 2022,
hereinafter Written#1.
- Letter from FACTOR ENERGIA dated July 19, 2022, in
forward Writing#2.
- Proceedings with relevant information for these proceedings
(Diligence References).
About sending postal advertising to people who are not FACTOR customers
ENERGY
FACTOR ENERGIA states (Written #2) that sending postal communications to
non-customers is not a frequent practice of the company, but is carried out "in
occasions and addressed to a small number of recipients”. It further states that "in
Most of the time the data is obtained from the interested parties themselves. Of
in a more residual manner, and to a lesser extent, commercial communication has been sent by
via post to non-customers whose data was obtained from publicly accessible sources without
restrictions”.
ENERGY FACTOR (Written#2) specifies the conditions that must be met to
use for marketing purposes:
- "(1) that the recipient has not previously exercised the right of
opposition".
- "(2) that the sources to be consulted are updated." Regarding this
point clarifies FACTOR ENERGIA that these sources of public access are
correspond to "repertoires or telephone directories whose consultation can be
performed, by any person and without restrictions, not prevented by a
limiting norm”. On July 22, 2022, a letter was addressed to FACTOR
ENERGIA requesting specification in relation to these sources of public access
which uses. As of the date of signing this report, no response has been received.
regard.
- "(3) that the Robinson List advertising exclusion list has been consulted
(to which we are subscribed) and verify that the interested party to whom it will be sent
advertising does not appear in it ”. Regarding this, FACTOR ENERGIA points out that
consult the advertising exclusion system prior to sending and attach
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/28
(document 1 of Brief #2) copy of the service subscription invoices
Adigital's Robinson list of 2021 and 2022.
- "(4) comply with the duty of information to the affected party in accordance with the GDPR and the
LOPDGDD”. Information is detailed later in this report.
included in commercial communications that, in relation to the origin of
personal data states that "they come from sources obtained lawfully
and/or sources of public access available without restrictions”.
In relation to the volume of recipients of the advertising campaign, he states
ENERGY FACTOR (Written #2) the following:
"In relation to the above, to record that in the month of June 2021 a
advertising campaign by post to publicize the advantages of incorporating the
self-consumption in the electricity supply. Within the target group were
a segment of the campaign targeted at customers (and power supply customers)
electricity, with a communication model) and another target group aimed at
not clients […]:
June 2021: self-consumption advertising campaign to obtain savings on
the cost of light.
No. of recipients: 42,670 recipients (total)
In relation to the foregoing, it should be noted that said campaign had as its territorial scope the
autonomous community of Catalonia (not the entire national territory).”
Information recorded in the Record of Treatment Activities (RAT):
Attach ENERGY FACTOR (document 1 attached to Brief #1) the information included
in the Registry of Treatment Activities (RAT) on the "Activity of management of
not clients”. The record includes the following information:
- Categories of personal data: name and surname, DNI/NIF, address/mail,
phone, CUPS. Includes the following annotation: "Includes all
possible categories of data that it can contain according to the source or lead of
Contact."
- Purpose: attracting new customers / managing and responding to requests for
information, requests or commercial offers, budgets, etc. / report and
send offers about services, promotions and products related to
our activity.
- Legal basis: consent of the interested party / legitimate interest -provided that
such interests are not overridden by the interests or the rights and freedoms
of the interested party that require data protection
personal-.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/28
Legitimate interest as the legal basis for processing:
In relation to the use of legitimate interest as a legal basis for processing
of the personal data of people who are not customers in order to send them
advertising by post, provided by FACTOR ENERGIA (document 3 attached to the
Brief #1) a weighting of interests report dated February 12, 2021.
It includes the following paragraphs:
“2.1. Evaluation of the benefit obtained by Factor Energía
On the part of Factor Energía, the processing of the personal data of the interested parties
(potential customers/non-customers) for the purpose of direct marketing,
previously indicated, aims to reach by postal mail those
non-customer interested parties in order for them to know the services offered by Factor
Energía, making them interested in hiring Factor Energía as
your new electric retailer.
In this sense, the benefits obtained by Factor Energía from the treatment of said
personal data consists of obtaining:
An increase in the contracting of its services;
Greater customer acquisition;
An increase in visibility in the competitive market of marketers
electrical.
2.2. Evaluation of the interest or rights and freedoms of the interested party
[…] The direct marketing action by postal mail that is intended to be carried out is
will be made based on personal data obtained in accordance with the regulations for the protection of
applicable data (identification data and contact data) and with standardized data
and anonymized of a technical nature.
In order to configure the different commercial offers, the
unprotected public data obtained from the Cadastre, as well as statistical information
and not personnel of a technical nature obtained through the Information System of
Supply Points (SIPS) using the postal code of residence. In this way
Generic information will be obtained to make a standardized estimate of the
voltage, rates and contracted power in certain geographical areas, which
will allow you to carry out advertising communications sent by postal mail, since it is
considers it logical and appropriate that the advertising of an electricity supplier
include information on possible savings in electricity consumption.
The personal data of the interested parties processed for the purpose of marketing
directly refer only to the data necessary to send them the communication
by postal mail (identification data and contact data).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/28
The treatment will in no case have legal or similar effects on the
interested, since the purpose of direct marketing by postal mail does not affect the
access to services, nor to the execution of a contract.
From Factor Energía it is considered that the sending of advertising communications by
postal mail has a minimal impact on the interested parties who will be seen
impacted exclusively by one contact channel: postal mail. said channel
should be considered a less aggressive and invasive method than other channels
commonly used to send advertising, such as commercial calls and/or
or sending emails. Likewise, this type of campaigns are foreseen as
specific actions, which may be reinforced by carrying out other campaigns
subsequent similar ones (after at least a period of six (6) months has elapsed
from the sending of the communications of the previous campaign).
In this weighting, the reasonable expectation of the
interested in the processing of their personal data with this
purpose. In this sense, we must bear in mind that it is common practice in the
market to send advertising by postal mail to potential customers, but also,
In view of the uses of the market, the interested parties are perfectly aware of
the possibility that such communications may appear in your mailbox and that
In addition, they can be beneficial or provide added value to those interested in
their role as consumers in the Spanish electricity market, since such communications
may be of your interest or adjusted to your specific needs, resulting in a
improvement of their economic situation by discovering an electricity trader that
fit more to your needs.
Taking into account all of the aforementioned, from Factor Energía it is not
finds in our assessment no alternative method that allows us to communicate
our interest in offering our services and that likewise allows us to comply with
our legal obligations (inform about the processing of personal data
stakeholders) and with the least impact to stakeholders.
For all these reasons, it is considered that the impact that the treatment has or may have on
the interests, fundamental rights and freedoms of the interested parties is LOW, and not
would result in adverse and negative consequences for them.
23. Guarantees applied to the treatment
Factor Energía has implemented the technical and organizational measures
to carry out the treatment maintaining the security standards of the Company
Among the guarantees applied directly to the treatment are the following:
Factor Energía has implemented technical security measures and
necessary organizational measures to guarantee the integrity, availability and
confidentiality of the information, having also designated a Delegate
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/28
of Data Protection, in compliance with the provisions of article 37
of the GDPR.
Communications by postal mail are sent only to interested parties who
have not exercised their right of opposition and that do not appear on lists of
advertising exclusion (Robinson List). Those interested who are in
advertising exclusion lists and/or have exercised their right of opposition before
Factor Energía, will not be recipients of advertising campaigns of any
type.
The commercial communications received by the interested parties allow them to exercise
their rights to oppose the sending of advertising in such a way that
simply and free of charge, interested parties can inform Factor Energía that they are not
they wish to receive publicity from it.
These campaigns are foreseen as a specific action, which may be reinforced
with the realization of other similar campaigns later, having
At least a period of six (6) months has elapsed from the sending of the
communications from the previous campaign.
Factor Energía reinforces the channels to guarantee adequate exercise by
those interested in the rights established in the regulations for the protection of
data, establishing both the postal and electronic channels, without prejudice to
that, in accordance with the provisions of the data protection regulations, the
The interested party may exercise their rights through the channel they deem
convenient.
All communications contain information about the treatment of your
personal data in accordance with the requirements of articles 13 or 14 of the GDPR.
3. Result
Based on all of the above, it is determined that Factor Energía can carry out the
treatment consisting of the sending by postal mail of advertising communications to
potential customers (direct marketing).
It is a treatment that will have a positive impact on the Energy Factor and that
In turn, it supposes a low impact on the rights and freedoms of the interested parties.”
The use of SIPS data:
Regarding the use of SIPS data, it is provided by FACTOR ENERGIA (document 5
attached to Letter #1) the copy of the code of conduct on data processing
included in the SIPS dated April 24, 2019, from which the following are extracted
paragraphs:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/28
"Specifically, this RD 1435/2002 contemplates the possibility that all
electric power marketers access to consult the available information
in the Supply Point Information System (SIPS) managed by the
distributors, as reading managers, and specifically to certain data there
contents. Therefore, and as can be deduced from the preamble to the aforementioned
RD 1435/2002, the SIPS was configured as a tool to encourage greater
competition in the retail electricity market.
Subsequently, Royal Decree 1074/2015, of November 27, by which
modify different provisions in the electricity sector, introduced some changes in
the regulation of the electricity SIPS database, partially modifying the
art. 7 of Royal Decree 1435/2002, and specifically eliminating the possibility of having
marketers access to certain data from the SIPS database of the
distributors and establishing the obligation of marketers of
sign a code of conduct and guarantee the confidentiality of information
contained in said database.
Regarding the regulation of natural gas, Royal Decree 1434/2002, of 27
December, which regulates the activities of transportation, distribution,
marketing, supply and authorization procedures for gas installations
natural (RD 1434/2002) established in its art. 43 similar regulation, although with some
differences, RD 1434/2002 not being affected by the modifications of RD
1074/2015.
[…] The Company assumes the firm commitment to comply with the following
obligations:
[…] - Process the SIPS Data only for the purposes of the activity of
marketing (electricity and gas, respectively), both in relation to customers
potential/non-customers and customer management, regardless of their
access fee and specific regime applicable in each case (including those covered by
self-consumption in the case of electricity), not using them for a purpose other than the
that justifies its assignment to the Company in its capacity as marketer by
the corresponding distribution company or CNMC.”
Article 7 of Royal Decree 1435/2002 that regulates the content of the SIPS in the sector
electrical specifies the following:
"one. The distribution companies must have a database referring to
all the supply points connected to their networks and to the transport networks of
its area, permanently complete and up-to-date, containing at least the
Following data:
a) Universal Supply Point Code, that is, the complete “CUPS”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/28
[…] c) Location of the supply point, which includes full address (type of road,
street name, number, floor and door). This information should refer to all
moment to the point of supply and not to the location, population and province of the holder of
said supply point that is required in letter aa) of this same article.
d) Town of the supply point, which includes the name of the town and the
Postal Code. This information must refer at all times to the point of supply
and not to the location, population and province of the owner of said supply point.
e) Name of the Province of the supply point. This information should refer to
at all times to the point of supply and not to the location, population and province of the
owner of said supply point.
[...] z) Name and surnames, or in its case company name and corporate form, of the
owner of the supply point.
[…] aa) Full address of the owner of the supply point. This information should
refer at all times to the owner of the supply point and not to the location,
population and province of said supply point that is required in letter c) of this
same article.
[…] ac) Trading company that currently supplies
[…] In any case, neither the marketing companies nor the National Commission for
Markets and the Competition may access any information that directly
identify the owner of the supply point, and in particular, the data collected in
sections c), z) and aa) of section 1.
Additionally, trading companies will not be able to access the information
of section ac), being accessible to the National Commission of Markets and the
Competition, in the exercise of its functions.”
In relation to the use of electrical SIPS data in order to carry out the
commercial communications to non-customers, expresses FACTOR ENERGIA that uses them
to "obtain estimated and standardized data on the consumption habits of the
population according to household characteristics”. It clarifies that "they do not refer to data
personalized or linked to the personal data of the people to whom
whom the commercial or advertising communication was addressed to”. Thus, it facilitates (document 8
attached to Brief #1) a description of the estimation process that is carried out to
adapt, together with the "installers", the supply of self-consumption
(infrastructure of solar panels, etc.). For this, according to this document,
use:
- The unprotected public data of the cadastre (mapping and cadastral consultation
descriptive and graphic -surface, cadastral reference, address, soil class,
year of construction-).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/28
Examples of the information have been obtained from the electronic headquarters of the cadastre.
publicly available.
- Information not individualized (anonymized) from the SIPS database of
the distribution company, which allows through aggregation by postal code,
assign an average installed power, average contracted power,
estimated average annual consumption to the supplies of a given area,
according to type of supply.
Article 43 of Royal Decree 1434/2002 that regulates the content of the "System of
exchange of information for the management of the change of supplier" in the sector
gas operator specifies the following:
"2. The distribution companies must have as support the system of
exchange of information from a database referring to all points of
supply connected to their networks and to the transport networks in their area,
permanently complete and updated, containing at least the following
data related to the point of supply:
1st Supply point identification code, that is, the complete “CUPS”.
[…] 3rd Location of the supply point: address, population and province, which includes
complete address (type of road, name of the road, number, floor and door), name of the
population, postal code and name of the province. This information should refer to
at all times to the point of supply and not to the location, population and province of the
owner of said supply point that is required in ordinal 16 of this same
pulled apart
[…] 14. Data relating to the owner of the supply point: natural person or person
legal.
15. Name and surname, or, where appropriate, company name and corporate form, of the
owner of the supply point.
16. Full address of the owner of the supply point. This information should
refer at all times to the owner of the supply point and not to the location,
population and province of said supply point that is required in ordinal 3 of
this same section.
5. Traders registered in the corresponding section of the Registry
Administrative of Distributors, Marketers and Direct Consumers in
Market, as well as the Supplier Changes Office, in accordance with the standard
regulating its operation, they will be able to freely access the databases
of supply points of each distribution company”
Thus, according to the CNMC website (see Diligence References):
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/28
"However, it must be clarified that the CNMC's electrical SIPS does not have
information that identifies the owner of a supply point. This information was
eliminated by Royal Decree 1074/2015, of November 27, which modifies
different provisions in the electricity sector. In the second article of the aforementioned Royal
Decree, a modification of article 7.2 of Royal Decree 1435/2002 was approved,
including that: «In any case, neither the marketing companies nor the Commission
National Markets and Competition will be able to access any information
that directly identifies the owner of the supply point […]”.
[…] In the field of natural gas, the SIPS accessed contains the identification
of the owner of the supply point and his address.”
FACTOR ENERGIA is registered in the List of Electricity Suppliers and
of gas from the CNMC.
In relation to the duty of information to the interested party:
ENERGY FACTOR declares that it is fulfilled through the consignment, in the
advertising communication, of the following text: "In accordance with the regulations of
protection of personal data, that is, in accordance with the Regulation
General Data Protection (RGPD) and Organic Law 3/2018, of December 5,
Protection of Personal Data and guarantee of digital rights (LOPDGDD),
We indicate that the data comes from sources obtained lawfully and/or sources of
public access available without restrictions, and that this communication is made
according to the admissible requirements in the indicated regulations. You can exercise your
rights of access, rectification, cancellation, opposition, transparency of the
information, deletion, limitation and portability by contacting FACTOR ENERGIA,
SA by postal mail to the address av. Diagonal, 612 Entl. 08021 of Barcelona or by
email to dpo@factorenergia.com. Likewise, you will have the right to direct your
claims before the data protection authorities. For more information
consult our privacy policy on our website www.factorenergia.com.”
It also states that its website (www.factorenergia.com) includes the
privacy policy (document 4 attached to Brief #1). It contains sections with
information on: data of the person in charge and contact of the DPO; purposes of the
treatments; bases of legitimacy of the treatments; recipients; possibility of
exercise rights and file a claim with the AEPD; conservation periods;
additional information (indication of implementation of security measures and guarantees
with those in charge of article 28 of the GDPR).
Regarding the specific case that is the object of the claim
FACTOR ENERGIA (Written #1) states that the personal data of the party
claimant that appear in their systems are: name and surname; postal address.
It reiterates that the origin of these data are "public sources, without the fact that to date
we can accurately identify its exact traceability”. It states that the period of
Data retention is one year, although "in this case there are
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/28
blocked and are only kept by the fact of having responded to the
previous requirement related to the file at the referred margin and without the company
carry out or will carry out any other treatment of said data.”
As previously seen, FACTOR ENERGIA states that it also has
the technical data of the supply points extracted from the SIPS (article 7 of the Royal
Decree 1435/2002) that periodically unloads from the distribution companies. With
them, as has been seen, obtains "estimated and standardized data on the habits of
consumption of the population according to the characteristics of the households" that "do not refer to
to personalized data or linked to the personal data of people
to whom the commercial or advertising communication was directed.
In relation to compliance with the duty of information, FACTOR ENERGIA provides
(document 7 attached to Brief #1) the one that manifests would be the reverse of the
Communication provided by the complaining party, which includes the aforementioned paragraph
previously (translation into Spanish of the original in Catalan):
In accordance with the personal data protection regulations, it is
that is, in accordance with the General Data Protection Regulation (RGPD) and the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (LOPDGDD), we indicate that the data comes from sources
lawfully obtained and/or publicly accessible sources available without restriction, and
that this communication is carried out according to the admissible requirements in the regulations
marked. You can exercise your rights of access, rectification, cancellation,
opposition, transparency of information, deletion, limitation and portability
by contacting FACTOR ENERGIA, SA by postal mail at the address av. Diagonal,
612 Int. 08021 Barcelona or by email at dpo@factorenergia.com.
Likewise, you will have the right to direct your claims before the authorities of
Data Protection. For more information see our privacy policy at
our website www.factorenergia.com.”)
FUNDAMENTALS OF LAW
Yo
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/28
II
Article 6 of the GDPR, Lawfulness of the treatment, establishes in point 1 that:
"one. Processing will only be lawful if at least one of the following is fulfilled
conditions:
a) the interested party gave his consent for the processing of his data
personal for one or more specific purposes;
b) the processing is necessary for the performance of a contract in which the
interested party or for the application at the request of this of measures
pre-contractual;
c) the processing is necessary for compliance with a legal obligation
applicable to the data controller;
d) the processing is necessary to protect vital interests of the data subject or
of another physical person;
e) the treatment is necessary for the fulfillment of a mission carried out in
public interest or in the exercise of public powers conferred on the person responsible
of the treatment;
f) the processing is necessary for the satisfaction of legitimate interests
pursued by the data controller or by a third party, provided that
such interests are not overridden by the interests or the rights and freedoms
of the interested party that require the protection of personal data,
in particular when the interested party is a child.
The provisions of letter f) of the first paragraph shall not apply to the
processing carried out by public authorities in the exercise of their
functions.”
On the other hand, article 4 of the GDPR, Definitions, in its sections 1, 2 and 11,
notes that:
“1) “personal data” means any information about an identified natural person
or identifiable ("the data subject"); Any identifiable natural person shall be considered
person whose identity can be determined, directly or indirectly, in
by means of an identifier, such as a name, a number
identification, location data, an online identifier, or one or more
elements of physical, physiological, genetic, psychological,
economic, cultural or social of said person; “
2) "processing": any operation or set of operations carried out
about personal data or sets of personal data, either by
automated procedures or not, such as the collection, registration, organization,
structuring, conservation, adaptation or modification, extraction, consultation,
use, communication by transmission, diffusion or any other form of
authorization of access, comparison or interconnection, limitation, deletion or
destruction; “
11) "consent of the interested party": any manifestation of free will,
specific, informed and unequivocal for which the interested party accepts, either
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/28
by means of a declaration or a clear affirmative action, the processing of data
personal matters that concern you."
In the present case, in order to analyze the validity of this legitimizing basis,
examine each of the elements that concur in it to prove the
legality of the treatment. The criteria established for this should be taken into account.
in Opinion 06/2014, of April 9, on the concept of legitimate interest of the
data controller under Article 7 of the Directive
95/46/CE, of the Article 29 Working Group (hereinafter, Opinion 06/2014)
1. Legitimate interest of the controller
Recital 47 of the GDPR establishes the following:
“The legitimate interest of a data controller, including that of a data controller
that personal data may be communicated, or that of a third party, may constitute a
legal basis for the treatment, provided that the interests or interests of the
rights and freedoms of the data subject, taking into account reasonable expectations
of the interested parties based on their relationship with the controller. Such legitimate interest
This could occur, for example, when there is a relevant and appropriate relationship between the
interested party and the controller, such as in situations where the interested party is a customer or
is at the service of the person in charge. In any case, the existence of a legitimate interest
would require careful evaluation, even if a stakeholder can clearly foresee
reasonable, at the time and in the context of the collection of personal data, that
processing can take place for this purpose. In particular, the interests and rights
Fundamentals of the interested party could prevail over the interests of the person in charge
of the treatment when proceeding to the processing of personal data in
circumstances in which the data subject does not reasonably expect that a
further treatment. Since it corresponds to the legislator to establish by law the basis
law for the processing of personal data by public authorities,
this legal basis should not apply to processing carried out by authorities
public in the exercise of their functions. Processing of personal data
strictly necessary for the prevention of fraud is also an interest
lawful name of the person responsible for the treatment in question. Data processing
personal information for direct marketing purposes may be considered made by
legitimate interest.”
For its part, Opinion 06/2014 contains a similar pronouncement. Initially
indicates that:
“An interest must be articulated clearly enough to allow evidence to be
of balancing is carried out against the interests and rights
fundamentals of the interested party. In addition, the interest at stake must also be
"persecuted by the data controller". This requires a real and current interest,
that corresponds to present activities or expected benefits in a
very near future. In other words, interests that are too vague or
speculative will not suffice.”
In this sense, the opinion clarifies, a legitimate interest that is relevant must:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/28
- Be lawful (i.e. in accordance with national and EU law
applicable);
- Be articulated clearly enough to allow proof of
balancing is carried out against the interests and rights
fundamentals of the data subject (i.e. sufficiently specific);
- represent a real and current interest (ie not speculative).
And then it includes a non-exhaustive list of some of the most
common areas where the question of legitimate interest within the meaning of Article
article 7, letter f). Among them it includes "conventional prospecting and other forms of
marketing or advertising.
In principle, it could be considered that the performance of data processing for
of “direct marketing” and “business prospecting and other forms of advertising”
would constitute a principle of legitimate interest. This does not imply that it can be considered
all treatment for said purpose as covered by the legitimizing basis of the
legitimate interest. Indeed, Opinion 06/2014 clarifies:
“The legitimacy of the interest of the data controller is only a starting point,
one of the elements to be analyzed under article 7, letter f). If he
Article 7(f) can be used as a legal basis or not will depend on the
result of the following weighing test”
Therefore, the person responsible for the treatment of the information remains
weighting provided for in article 6.1.f) GDPR, by virtue of which the treatment will be
lawful if "it is necessary for the satisfaction of legitimate interests pursued by the
responsible for the treatment or by a third party, provided that such interests are not
the interests or fundamental rights and freedoms of the data subject prevail
that require the protection of personal data, in particular when the interested party
be a child.”
1. Weighting of rights and interests
In order to carry out the weighting provided for in the Regulation, the defendant has
argued:
- As an interest of the person in charge: attracting customers and an "increase in their
visibility in the market
- As a possible affectation of rights of the complaining party. The responsible
minimized with various arguments. Among them: scarcity and minor
of the data processed (identity and contact details); the absence of effects
legal on the interested party (hiring, access to services); affectation
minimum in the sphere of the interested party (receipt of a postal communication, of
less invasive than other routes); the existence of guarantees applicable to the
treatment; respect for those who exercise their right of opposition; the
existence of channels for the exercise of rights in terms of protection of
data, guarantees that are imposed by law, not because the person responsible
bestow graciously
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/28
1. Rights of the data owner
If the legitimate interest alleged by the person in charge of the
treatment, it must also be analyzed in what way the rights and
interests of the interested party, so that the weighting judgment can be concluded
In this regard, special attention should be paid to the impact that the treatment may
generate the interested The claimed party focuses on declaring that this would not be
significant depending on the means used (postal) and the little or no affectation
in the legal sphere of the owner of the data. However, they are not the only ones
parameters to take into account. In this regard, Opinion 06/2014 states:
"The legitimate interest of the data controller, when it is minor and not very
compelling, in general, only annuls the interests and rights of those interested in
cases where the impact on these rights and interests is even more trivial.”
In the case at hand, it is clear that the interest of the person responsible cannot
qualified as "pressing", since as he himself indicates, it leads back to his
interest in attracting new customers. This means, as the opinion indicates, that it should be
more demanding in terms of the affected rights of the claimant. The opinion
continues:
“The term «impact» as used in this Opinion covers any possible
consequence (potential or actual) of data processing. The concept is not
related to the notion of breach of personal data and is much broader
than the repercussions that may derive from said violation.”
And as for the type of affectation that the processing of the data may cause in your
holder, declares the following:
“In addition to adverse outcomes that may be specifically anticipated,
the more emotional repercussions must also be taken into consideration.
general, such as anger, fear and anguish that may result from the loss
of control over personal information by the interested party or knowledge
that such personal information has been or may be misused or is seen
compromised, for example, through its exposure on the Internet. The effect
intimidating statement about protected behavior, such as freedom of investigation or
freedom of expression, which may result from supervision or monitoring
continuous must also be taken into account.”
It cannot be forgotten that the claim was filed by the claimant before the
event of having received a postal communication of a promotional nature, which was
directly addressed to her because it contains her identification and contact information. For
Therefore, the criterion used by the claimed party cannot be shared in the sense of
state that "This [postal] channel should be considered a less aggressive and
invasive than other channels commonly used to send advertising, such as
commercial calls and/or sending emails”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/28
In this regard, it is necessary to indicate that, although channels such as the telephone could in
principle be considered more "invasive", the truth is that whoever receives the
call may believe that the caller does not have their data
identifiers, while receiving a postal communication with data
identification and contact details, makes the data owner certain that whoever
sends the communication has said data. Not being a client of the entity,
In addition, uncertainty arises about what could have been the source of knowledge of
the data, which leads the owner to doubt his power to dispose of them
This leads us to the concept of "reasonable expectation" as a criterion to be taken into account.
in the processing of data based on legitimate interest
2. Reasonable expectation in data processing
As previously mentioned, Recital 47 GDPR establishes in
relation to the legitimizing basis of the legitimate interest that this could concur when
the interest of the person in charge does not prevail over the rights of the interested party "taking into account
account the reasonable expectations of data subjects based on their relationship with the
responsible. Such legitimate interest could arise, for example, where there is a
relevant and appropriate relationship between the data subject and the controller, as in
situations in which the interested party is a client or is at the service of the person in charge”.
The reasonable expectation that the interested party may have in the processing of the data
It is crucial in the balance judgment between the interests of the person responsible and the rights of the
interested. Opinion 06/2014 states:
“The reasonable expectations of the data subject in relation to the use and disclosure of
Data is also very relevant in this regard. As it was put
manifest with respect to the analysis of the purpose limitation principle, it is
It is important to consider whether the position of the data controller, the nature of the
relationship or the service provided, or the applicable legal or contractual obligations
(or other promises made at the time of data collection) could give
give rise to reasonable expectations of stricter confidentiality and limitations
more stringent regarding its further use.”
The clearest example of reasonable expectation in cases of receipt of
advertising communications comes from the fact of having previously been a client of a
company or at least have contacted it to inquire about the
products or services marketed by it.
In the present case, the claiming party has not been a client of the claimed party and
nor has he contacted her to inquire about the services of the
business questioned Hence his surprise at the receipt of a communication
commercial with your identification and contact information
The defendant, for its part, alleges that:
"In this consideration, the reasonable expectation of the
interested in the processing of their personal data with this
purpose. In this sense, we must bear in mind that it is common practice in the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/28
market to send advertising by postal mail to potential customers, but also,
In view of the uses of the market, the interested parties are perfectly aware of
the possibility that such communications may appear in your mailbox and that
In addition, they can be beneficial or provide added value to those interested in
their role as consumers
That is, it does not provide any justification for the existence of a reasonable expectation,
beyond indicating that any citizen can expect to receive a communication
advertising postcard in your mailbox, without previously being a customer or being interested in the
services of a company.
It is worth mentioning the Report of the Legal Department of this Agency 2018/0173,
that analyzes the legitimacy of direct marketing actions insofar as in the field
the use of electronic media like others. In this regard, even if
an interested party has previously been a client of a company, or has been interested
for their goods or services, clarifies that direct marketing actions must
limited to goods or services similar to those previously contracted.
“As indicated in the report just reproduced, the general criteria for
consider that the treatment of the data can be based on the rule of equilibrium of the
legitimate interest of the person in charge would be that the services and products offered
were those of the person in charge. In this sense, it was clarified that, when talking about
financial credit institutions, such publicity should be understood as referring to the
that entity's own asset or liability products, but not to other products
financial, such as, expressly indicated, insurance. This is based on
that in relation to such products there is no reasonable expectation of the
interested in having their data processed by the bank for the offer of
products that in principle are not related to those contracted when going to
she."
Bearing in mind that even having previously been a client, the criterion is
restrictive for the sending of commercial communications (and must be restricted to the
contracted products), even more so in the event that there has not been
been a customer, in which said products and services do not exist.
3. Data processed
Another of the defendant's arguments consists of insisting on the nature
of the data, which would consist only of the identity of the claimant and his address
Postcard. In this regard, it should be noted that, although it is true that they are not involved
data of special protection of article 9 GDPR, Opinion 06/2014 clarifies that
“In general, the more sensitive the information in question, the more consequences
may have for the interested party. However, this does not mean that the data you
seem in and of themselves innocuous can be treated freely
based on article 7, letter f). Of course, even such data, depending
the way they are treated, they can have a significant impact on people”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/28
This, in combination with the absence of a reasonable expectation of the data subject in
the processing of your data, means that the nature of the data processed, by itself, does not
can justify the legitimate interest in the treatment.
4. How the data is processed
Another aspect to take into account when weighing rights and interests would be the
judgment of necessity, suitability and proportionality in data processing. To this
Regarding Opinion 06/2014, it indicates the following:
“In general, the more negative and uncertain the impact of treatment may be, the more
it is unlikely that the processing will be considered, on the whole, legitimate. Disponibility
of alternative methods to achieve the objectives pursued by the person in charge
of the treatment, with less negative impact on the interested party, should be, without
Certainly a pertinent consideration in this context."
In this regard, the defendant alleges that "from Factor Energía there is no
in our assessment no alternative method that allows us to communicate our
interest in offering our services and that likewise allows us to comply with
our legal obligations (inform about the processing of personal data
stakeholders) and with the least impact to stakeholders.”
Suffice it to say that it would have been enough to carry out a mailing activity, without
Inclusion of the claimant's data. This is especially so when the claimed party itself has
clarified that the indication of appropriate rates based on consumption, which is
included in the letter, are not based on specific data from the complaining party, but on
zone estimates. Based on this statement, it would not be necessary for the letter
be accompanied by identification data.
With this, the treatment carried out does not exceed the judgment of proportionality, nor the principle
minimal intervention, as there are methods that would not require treatment.
5. Position of the controller and the interested party
Facing the judgment of weighting, it is necessary to pay attention to the position of
claimant vs. defendant. Thus, in the first case we find
a citizen or user, while the claimed party is a company
electricity marketer.
In this regard, Opinion 06/2014 advises paying attention to the situation of
imbalance between the two
"Depending on whether the data controller is a person or a
small organization, a large multinational company or an industry body
public, and from the specific circumstances, his position may be more or less
dominant with respect to the interested party
The fact of whether the interested party is an employee, a student, a patient, or if he exists
otherwise an imbalance in the relationship between the position of the person concerned and that of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/28
controller must, of course, also be considered relevant. Is
It is important to assess the effect of actual treatment on individual individuals.”
6. Conclusions on the weighting of rights and interests
Based on the factors analysed, it cannot be concluded that in the present case the
defense of legitimate interests, in comparison with the affectation of the rights of the
claimant, justify the use of the legitimizing basis of the legitimate interest for the
processing of data for direct marketing purposes. This is based on:
- The existence of an impact has been determined in the field of rights and
interests of the complaining party. This has received a commercial communication
of a company of which he was not a client, processing his personal data
name and surname and address, causing a situation of uncertainty
about the origin of the data and whether they could be available to other
entities
- The existence of a reasonable expectation on the part of the
complaining party that their data may be being processed by this
company for these purposes. This is above all due to the fact that, in the case of
of a direct marketing action, it has not been justified that the
claimant was previously a customer and had not been interested in the services
of the claimed party.
- The non-existence of alternative methods has not been justified, in application of the
principle of minimal intervention, which did not involve data processing
personal, to carry out marketing activities in the
conditions in which they were being carried out by the claimant
- The existence of an unbalanced situation has been determined between the
position of the claimant (consumer) and of the claimed party (company
distributor of the electricity sector)
II
In accordance with the evidence available at the present time of
agreement to start the disciplinary procedure, and without prejudice to what results from the
investigation, it is considered that the known facts could constitute a
infringement, attributable to the claimed party, for violation of article 6.1 of the GDPR,
since the data processing carried out, that is, the activity of
marketing by postal mail, addressed to the complaining party with his name,
surnames and address, has been made without legitimizing cause.
IV.
If confirmed, the aforementioned infringement of article 6.1 of the GDPR could lead to the
commission of the offenses typified in article 83.5 of the GDPR that under the
The heading "General conditions for the imposition of administrative fines" provides:
Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/28
total annual global business volume of the previous financial year, opting for
the highest amount:
a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9; (…)”
In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that:
"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law”.
For the purposes of the limitation period, article 72 "Infractions considered very
serious” of the LOPDGDD indicates:
"one. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that
a substantial violation of the articles mentioned therein and, in particular, the
following:
b) The processing of personal data without the fulfillment of any of the conditions of
legitimacy established in article 6 of Regulation (EU) 2016/679. (…)”
V
For the purposes of deciding on the imposition of an administrative fine and its amount,
In accordance with the evidence available at the present time of
agreement to start disciplinary proceedings, and without prejudice to what results from the
investigation, it is considered that the offense in question is serious for the purposes of the
GDPR and that it is appropriate to graduate the sanction to be imposed in accordance with the following
criteria established in article 83.2 of the GDPR:
As aggravating factors:
-Negligence in the offence. (Art. 83.2.b). It must be taken into account that FACTOR
ENERGIA has not even been able to prove the source from which it obtained the data
of the complaining party, indicating that they were obtained from "sources of
public access”, without being able to specify the specific source. This indicates when
least, a considerable lack of diligence.
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 "Sanctions and measures
corrective measures" of the LOPDGDD:
As aggravating factors:
- Linking the activity of the offender with the processing of
personal information. (Art. 76.1.b). FACTOR ENERGIA, a company dedicated to
electricity trade, handles a high number of personal data for
which must have extensive knowledge of the regulations relating to the protection of
data and its management.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/28
The balance of the circumstances contemplated in article 83.2 of the GDPR and the
Article 76.2 of the LOPDGDD, with respect to the offense committed by violating the
established in article 6.1 of the GDPR, allows the initial setting of a penalty of
€40,000 (FORTY THOUSAND euros).
SAW
If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of
adequate measures to adjust its performance to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to the
which each control authority may "order the person responsible or in charge of the
processing that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain way and within a certain
specified term…”. The imposition of this measure is compatible with the sanction
consisting of an administrative fine, according to the provisions of art. 83.2 of the GDPR.
It is noted that not meeting the requirements of this body may be
considered as an administrative offense in accordance with the provisions of the GDPR,
classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the
opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the foregoing, by the Director of the Agency
Spanish Data Protection,
HE REMEMBERS:
FIRST: INITIATE SANCTION PROCEDURE against FACTOR ENERGÍA, S.A.,
with NIF A61893871, for the alleged violation of Article 6.1 of the GDPR, typified in
Article 83.5 of the GDPR.
SECOND: APPOINT as instructor C.C.C. and, as secretary, D.D.D.,
indicating that any of them may be challenged, if applicable, in accordance with the
established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Legal Department of the Public Sector (LRJSP).
THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the
claim filed by the claimant and its documentation, as well as the
documents obtained and generated by the Sub-directorate General of Inspection of
Data in the actions prior to the start of this sanctioning procedure.
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be, for the alleged violation of article 6.1 of the
GDPR, typified in article 83.5 of said regulation, administrative fine of amount
€40,000.00
FIFTH: NOTIFY this agreement to FACTOR ENERGÍA, S.A., with NIF
A61893871, granting a hearing period of ten business days to formulate
the allegations and present the evidence it deems appropriate. In his writing of
allegations must provide your NIF and the procedure number that appears in the
heading of this document.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/28
If, within the stipulated period, he does not make allegations to this initial agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a reduction of 20% of the
sanction that should be imposed in this proceeding. With the application of this
reduction, the sanction would be established at 32,000.00 euros, resolving the
procedure with the imposition of this sanction.
In the same way, it may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the sanction would be established at 32,000.00 euros and its payment will imply the termination
of the procedure.
The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is revealed within the period granted to formulate
allegations at the opening of the procedure. Voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain
established at 24,000.00 euros.
In any case, the effectiveness of any of the two aforementioned reductions will be
conditioned to the withdrawal or resignation of any action or appeal via
administrative against the sanction.
In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (32,000.00 euros or 40,000.00 euros), you must make it effective
by depositing it in the account number ES00 0000 0000 0000 0000 0000 opened to
name of the Spanish Data Protection Agency in the bank
CAIXABANK, S.A., indicating in the concept the reference number of the
procedure that appears in the heading of this document and the cause of
reduction of the amount to which it receives.
Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue with the procedure in accordance with the quantity
entered.
The procedure will have a maximum duration of nine months from the
date of the initiation agreement or, where appropriate, of the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/28
935-110422
Mar Spain Marti
Director of the Spanish Data Protection Agency
>>
SECOND: On November 17, 2022, the claimed party has proceeded to the
payment of the penalty in the amount of 24,000 euros using the two reductions
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.
THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal via
against the sanction and acknowledgment of responsibility in relation to
the facts referred to in the Commencement Agreement.
FUNDAMENTALS OF LAW
Yo
Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."
II
Termination of the procedure
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common for Public Administrations (hereinafter, LPACAP), under the heading
"Termination in disciplinary proceedings" provides the following:
"one. Initiated a disciplinary procedure, if the offender acknowledges his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction has only a pecuniary nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature but the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/28
inadmissibility of the second, the voluntary payment by the presumed perpetrator, in
any moment prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offence.
3. In both cases, when the sanction is solely pecuniary in nature, the
The competent body to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative among themselves.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or resource against the sanction.
The percentage reduction provided for in this section may be increased
according to regulations."
According to what has been stated,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DECLARE the termination of procedure EXP202102778, in
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to FACTOR ENERGÍA, S.A.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative process as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
936-040822
Mar Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
