AEPD (Spain) - EXP202202898: Difference between revisions

From GDPRhub
No edit summary
 
(6 intermediate revisions by 3 users not shown)
Line 61: Line 61:
}}
}}


The Spanish DPA fined an electricity and gas company €24,000 because it did not have a legal basis for its processing, pursuant of [[Article 6 GDPR|Article 6(1) GDPR]]. Due to an internal error at the side of company, it registered incorrectly that the data subject had given consent for a service contract, which was not the case.  
The Spanish DPA fined an electricity and gas company €24,000 for the lack of a legal basis under [[Article 6 GDPR|Article 6(1) GDPR]] to process the personal data of its client which was caused by an internal error in registering the data subject's will to enter into contract.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject was billed by an electricity and gas company (controller) without his consent. The data subject had received a phone call in the past if he was interested in the services of the controller.
The electricity and gas company (controller) billed a data subject illegally, in absence of a valid contract for that.  


The data subject filed a complaint at the Spanish DPA (DPA) on 14 february 2022. The data subject provided several invoices and proof of withdrawals from his bank account related to contract that he had not given consent for. The data subect also showed that he had complained to the controller several times regarding this issue.   
On 14 February 2022, the data subject filed a complaint to the Spanish DPA. The data subject provided several invoices and transaction data from his bank account, which were related to a contract that he had not agreed to. The data subject also showed that he had complained about this issue to the controller several times.   


The controller acknowledged on 18 April 2022 that there had been an internal error which had resulted in the unjustified contracting. The controller used a two-step system for contract-signings on the phone. The first step was informing data subject on the phone abouts the nature of the service provided by the controller. The second step followed after the data subjects accepted the conditions on the phone, after which the controller would sent the contract to the data subject by SMS for a signature to give consent. According to the controller, the data subject had accepted the conditions, but did not sign the contract and did therefore also not consent to the contract. However, due to an internal synchronisation error at the side of the controller, it seemed that the data subject had signed the contract by SMS and had consented to the contract.   
On 18 April 2022, the controller acknowledged that there had been an internal error which had resulted in the unjustified contracting. The controller used a two-step system for contract-signings over the phone. The first step was informing data subjects on the phone about the nature of the service provided by the controller. The second step followed after data subjects accepted the conditions on the phone, after which the controller would send a contract to the data subject by SMS for a signature in order to give consent. According to the controller, the data subject had accepted the conditions, but did not sign the contract and did therefore also not consent to the contract. However, due to an internal synchronisation error at the side of the controller, it seemed that the data subject had signed the contract by SMS and had consented to the contract.   


=== Holding ===
=== Holding ===

Latest revision as of 13:16, 13 December 2023

AEPD - PS/00286/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 14.02.2022
Decided: 03.11.2022
Published: 29.12.2022
Fine: 24,000 EUR
Parties: SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.
National Case Number/Name: PS/00286/2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined an electricity and gas company €24,000 for the lack of a legal basis under Article 6(1) GDPR to process the personal data of its client which was caused by an internal error in registering the data subject's will to enter into contract.

English Summary

Facts

The electricity and gas company (controller) billed a data subject illegally, in absence of a valid contract for that.

On 14 February 2022, the data subject filed a complaint to the Spanish DPA. The data subject provided several invoices and transaction data from his bank account, which were related to a contract that he had not agreed to. The data subject also showed that he had complained about this issue to the controller several times.

On 18 April 2022, the controller acknowledged that there had been an internal error which had resulted in the unjustified contracting. The controller used a two-step system for contract-signings over the phone. The first step was informing data subjects on the phone about the nature of the service provided by the controller. The second step followed after data subjects accepted the conditions on the phone, after which the controller would send a contract to the data subject by SMS for a signature in order to give consent. According to the controller, the data subject had accepted the conditions, but did not sign the contract and did therefore also not consent to the contract. However, due to an internal synchronisation error at the side of the controller, it seemed that the data subject had signed the contract by SMS and had consented to the contract.

Holding

The DPA determined that the controller had violated Article 6(1) GDPR because of a lack of a legal basis for processing. The DPA determined that this was a fraudulent contract because of a missing signature from the data subject. The processing by the controller was carried out without a legitimate reason.

The DPA originally fined the controller €30,000. That amount was reduced to €24,000 due to a voluntary payment by the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/13










     File No.: EXP202202898



       RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                    VOLUNTEER

Of the procedure instructed by the Spanish Agency for Data Protection and based on

to the following
                                  BACKGROUND

FIRST: On September 9, 2022, the Director of the Spanish Agency
of Data Protection agreed to start a sanctioning procedure against SUPPLIER

IBÉRICO DE ENERGÍA, S.L. (hereinafter the claimed party). Notified the agreement
beginning and after analyzing the allegations presented, on November 3,
In 2022, the resolution proposal that is transcribed below was issued:

<<



File No.: EXP202202898


      PROPOSED RESOLUTION OF SANCTION PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:

                                  BACKGROUND



FIRST: D.A.A.A. (hereinafter, the claiming party) on February 14,
2022 filed a claim with the Spanish Data Protection Agency. The
The claim is directed against SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. with NIF
B67421867 (hereinafter, the claimed party or SIE). The reasons on which the

claim are as follows:

The claimant states that there has been a change in the company of the
electricity and gas supply without your consent.


Provide invoices associated with non-consensual contracting, charges made on your
bank account and claims filed with the claimed party.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in

forward LOPDGDD), said claim was transferred to the claimed party, for
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/13









The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations

Public (hereinafter, LPACAP), was collected on March 14, 2022 as
It appears in the acknowledgment of receipt that is in the file.

On April 18, 2022, this Agency received a written response
indicating:


<<According to the Complainant, during the call the salesperson pretended to work for a
third company, with the aim of misleading him and hiring his services
without knowing that he was changing electricity supplier.

Notwithstanding the foregoing, it is necessary to indicate that the procedures for the

formalization of the electricity supply contract in SIE require, of course,
the verification and authentication of the manifestation of the client's willingness to proceed
upon signing the contract. This implies that, when a service provider
telemarketing formalizes a supply contract on behalf of SIE, it must provide the
Recording of the sales process. In this way, SIE can verify that the contracting
has been carried out properly.


After reviewing the recordings of the phone call, we were able to
verify that the commercial at no time said that he worked for the third
company in question, but rather carried out the contracting process indicating to the
Claimant that said contracting would be carried out with Más Energía, which is a

brand that sells SIE.

Regarding the origin of the personal data referred to by the Complainant,
The following considerations should be made about the contracting process when
This is done by a company that provides telemarketing services:


- The telemarketing service provider transfers to SIE the personal data of
stakeholders to whom SIE products and services will be offered. Later,
The telemarketing service provider acts as the person in charge of the
treatment of SIE to carry out the activities of offering its products and
services and contracting of the corresponding products and services.


- Notwithstanding the foregoing, the telemarketing service provider may only
carry out commercial actions on those interested parties who have provided them with
your consent for the transfer of your personal data to SIE for said purpose.


Taking into account the above, from SIE it is not possible to determine where the
telemarketing service provider the personal data of the Complainant, since
that he obtained them as the person responsible for the independent treatment of SIE.

However, at the time of signing the contract for the provision of services, said

provider of telemarketing services acquired the commitment to assign only
the personal data of those interested who have given their consent
for said purpose.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/13








Additionally, the service provider undertook to inform the interested parties
duly and in accordance with the regulations on data protection about
of the transfer to SIE of your data.


2. As a result of the receipt of the transfer of claim and request for information that
motivates this writing, from SIE an internal investigation was initiated, in order to
determine whether there had been any non-compliance with the regulations on
of data protection in the organization during the contracting process with the
claimant.


However, this party acknowledges an error in the contract signing process, which
caused unjustified hiring and, therefore, the issuance of invoices that
did not correspond either: SIE has a contract signing process with two
steps: A first step in which the conditions of the service are reported via

telephone and that, if the client accepts said conditions by the same means,
The contract is sent to you for your signature via SMS.

In the case of this claim, the interested party accepted the conditions of the
service by telephone and, despite not having signed the contract via SMS, it appeared
as formalized in the SIE information systems due to an error in

synchronization of these systems.

4. SIE is the first party interested in having its services contracted
always in accordance with current legislation.


Therefore, and although in this case it has been possible to determine after the investigations
made that their action has been in accordance with the data protection regulations
personal, because incidents of a different nature have been detected in the
contracting procedure for its services, SIE has adopted as a measure the
total stoppage of the contracting procedure for its services since the past

March 4, 2022 and until they are resolved>>.

THIRD: In accordance with article 65 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(LOPDGDD), when submitted to the Spanish Data Protection Agency
(hereinafter, AEPD) a claim, it must evaluate its admissibility for processing,

must notify the claimant of the decision on the admission or non-admission to
procedure, within three months from the date the claim was entered into this
Agency.

If, after this period, said notification does not take place, it will be understood that

the processing of the claim continues in accordance with the provisions of Title VIII of
Law. Said provision is also applicable to the procedures that the
AEPD would have to process in exercise of the powers that were attributed to it by
other laws.


In this case, taking into account the foregoing and that the claim is
filed with this Agency, on February 14, 2022, it is communicated that your
The claim has been admitted for processing on May 14, 2022, having elapsed
three months from the time it entered the AEPD.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/13









FOURTH: On September 9, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against the claimed party,

in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (in
hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in
Article 83.5 of the GDPR.

FIFTH: Notified of the aforementioned start-up agreement in accordance with the rules established in

Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), the claimed party submitted a written
of allegations in which, in summary, he stated that: <<as we already explained in
our response to the request for information sent to the AEPD, our
procedure for contracting our services consists of a process of

verification and authentication of the manifestation of the client's willingness to proceed
to the formalization of the supply contract. This implies that, when the service provider
telemarketing services formalizes a supply contract on behalf of SIE, the latter
must provide the recording of the sale process, in this way, SIE can verify that
recruitment has been carried out properly.


Once we have reviewed the recording of the telephone call, we can affirm that: 1. The
commercial at no time indicated that he worked for a third company. The
indicates that the contract will be carried out with Más Luz Energía, a
brand marketed by SIE.


2. The interested party expresses his will during the call to hire both
supplies (electricity and gas) with the SIE company through the Más Luz Energía brand.

We attach as Annex I the transcript of the call where the interested party
expresses its willingness to contract both supplies.


This party explained that the contracting process for the services offered by SIE is
is done by means of a double acceptance, a first acceptance occurs during the
phone call and a second by sending an SMS to finish
formalize the contract. Although in this specific case this second acceptance is not
was carried out when the SMS was not sent to the interested party, to which they had to respond with a “YES”.


This party understands that, although the formalization of the contract was not carried out through the
sending of the corresponding SMS due to a human error not attributable to SIE, yes
the claimant clearly stated his willingness to contract with SIE (as
can be seen in the transcript of the call provided), and consequently the

treatment carried out would fall within the expectation of the interested party.

For this reason, as a result of the internal investigations into what happened in the process of
contracting its services, SIE halted the contracting of its services with
undefined character.


For all of the foregoing, that the Proceedings File be filed by the
AEPD>>.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/13








SIXTH: On October 3, 2022, the procedure instructor agreed
perform the following tests:


<<1. The claim filed by D.
   A.A.A. and its documentation, the documents obtained and generated during the phase
   admission to process the claim.

2. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement
   initiation of the referenced sanctioning procedure, presented by

   SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L., and the documentation that they
   accompanies>>.

SEVENTH: A list of documents in the file is attached as an annex.
process.


Of the actions carried out in this procedure and of the documentation
in the file, the following have been accredited:

                                PROVEN FACTS


FIRST: On February 14, 2022, it has entered the Spanish Agency for
Data Protection a letter from the complaining party in which it states that it has been
carried out a change of the electricity and gas supply company without your

consent.

Provide invoices associated with non-consensual contracting, charges made on your
bank account and claims filed with the claimed party.


SECOND: SIE acknowledges in its brief of April 18, 2022 and in the allegations to the
present proceeding on September 30 of the same year, which at the time
of the signing of the contract an error occurred which caused a contracting
unjustified and, therefore, the issuance of invoices that did not correspond either.

That SIE has a contract signing process with two steps: A first step

in which the conditions of the service are informed by telephone and that, in the case
If the client accepts said conditions in the same way, the contract is sent to him for
your signature via SMS.

THIRD: It is clear that despite not having signed the contract via SMS, the party

claimant, it appeared as formalized in the information systems of the party
claimed.

                           FUNDAMENTALS OF LAW


                                           Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/13








guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."


                                            II

In response to the allegations presented by the respondent entity, it should be noted
the next:


Article 6.1 of the GDPR establishes the assumptions that allow the use of
processing of personal data.


"one. Processing will only be lawful if it meets at least one of the following

conditions:

a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;

b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at the request of the latter of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the

responsible for the treatment;

d) the processing is necessary to protect the vital interests of the data subject or of another
Physical person.

e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the data controller;

f) the treatment is necessary for the satisfaction of legitimate interests pursued
by the person in charge of the treatment or by a third party, provided that on said

interests do not outweigh the interests or fundamental rights and freedoms of the
interested party that require the protection of personal data, in particular when the
interested is a child.

The provisions of letter f) of the first paragraph shall not apply to the treatment
carried out by public authorities in the exercise of their functions.”

On this question of the legality of the treatment, Recital 40 also affects

of the aforementioned GDPR, when it provides that "For the treatment to be lawful, the
Personal data must be processed with the consent of the interested party or on
some other legitimate basis established in accordance with Law, either in the present
Regulation or by virtue of another Law of the Union or of the Member States to which
referred to in this Regulation, including the need to comply with the legal obligation

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/13








applicable to the data controller or the need to perform a contract with
to which the interested party is a party or in order to take measures at the request of the
concerned prior to the conclusion of a contract."

Well then, in response to the allegations presented by the defendant, it is

It should be noted that there is evidence that the data processing of the person who
appears in the contract object of this claim has been made without cause
legitimizing the data collected in article 6 of the GDPR.

The GDPR applies to personal data, which is defined as "personal data":
any information about an identified or identifiable natural person ("data subject");

An identifiable natural person shall be considered any person whose identity can be
be determined, directly or indirectly, in particular by means of an identifier, such as
for example a name, an identification number, location data, a
online identifier or one or more elements of physical identity,
physiological, genetic, psychological, economic, cultural or social of said person.

It has been verified, as the defendant acknowledges, that the data of the person

claimant "However, this party acknowledges an error in the process of signing the
contract, which caused an unjustified hiring and, therefore, the issuance of some
invoices that did not correspond either: SIE has a contract signing process
with two steps: A first step in which the conditions of service are reported by
by telephone and that, if the client accepts said conditions for the same
via, the contract is sent to you for your signature via SMS.


In the case of this claim, the interested party accepted the conditions of the
service by telephone and, despite not having signed the contract via SMS, it appeared
as formalized in the SIE information systems due to an error in
synchronization of said systems" were treated without legitimizing basis and without

The signature of the complaining party was recorded in the contract, and that there was a contract
fraudulent.

And, in the allegations to the present procedure of September 30, 2022,
The defendant states that <<Although in this specific case this second

Acceptance was not made as the SMS to which it was due was not sent to the interested party.
answer with a “YES”>>.

According to what has been stated, data processing requires the existence of a
legal basis that legitimizes it, such as the consent of the interested party provided
validly, and in this specific case there is no legitimating basis since the contract

it was not formalized.

                                           II

In accordance with the available evidence, it is considered that the
facts exposed do not comply with the provisions of article 6.1. of the GDPR, therefore

could involve the commission of an offense classified in article 83.5 of the GDPR,
which provides the following:

 Violations of the following provisions will be penalized, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/13








in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:

a) the basic principles for the treatment, including the conditions for the

consent under articles 5, 6, 7 and 9;

b) the rights of the interested parties in accordance with articles 12 to 22; […].”

For the purposes of the limitation period for infringements, the infringement indicated in the
previous paragraph is considered very serious and prescribes after three years, in accordance with the
Article 72.1 of the LOPDGDD, which establishes that:

       According to what is established in article 83.5 of Regulation (EU) 2016/679

are considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein and, in particular, the
following:

b) The processing of personal data without the fulfillment of any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679.

(…)»


                                            IV.

In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the GDPR, precepts that state:

“Each control authority will guarantee that the imposition of administrative fines
under this Article for infringements of this Regulation

indicated in sections 4, 9 and 6 are effective in each individual case,
proportionate and dissuasive.”

"Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or in lieu of the measures contemplated in
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

administration and its amount in each individual case shall be duly taken into account:

        a) the nature, seriousness and duration of the offence, taking into account the
        nature, scope or purpose of the processing operation in question
        as well as the number of stakeholders affected and the level of damage and
        damages they have suffered;

        b) intentionality or negligence in the infringement;

        c) any measure taken by the controller or processor

        to alleviate the damages and losses suffered by the interested parties;

        d) the degree of responsibility of the controller or the person in charge of the
        processing, taking into account the technical or organizational measures that have
        applied under articles 25 and 32;

        e) any previous infringement committed by the person in charge or in charge of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/13








        treatment;

         f) the degree of cooperation with the supervisory authority in order to put
        remedy the breach and mitigate the potential adverse effects of the breach;

        g) the categories of personal data affected by the infringement;


        h) the way in which the supervisory authority became aware of the infringement,
        in particular if the person in charge or the person in charge notified the infringement and, in such
        case, to what extent;

        i) when the measures indicated in article 58, paragraph 2, have been
        previously ordered against the person in charge or in charge in question
        in relation to the same matter, compliance with said measures;

        j) adherence to codes of conduct under article 40 or to mechanisms

        of certification approved in accordance with article 42, and

        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as the financial benefits obtained or the losses avoided, direct
        or indirectly, through the infraction.”

Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:


 "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:

a) The continuing nature of the offence.

b) The link between the activity of the offender and the performance of data processing.
personal information.

c) The benefits obtained as a consequence of the commission of the infraction.

d) The possibility that the conduct of the affected party could have led to the commission

of the offence.

e) The existence of a merger by absorption process subsequent to the commission of the
violation, which cannot be attributed to the absorbing entity.

f) The affectation of the rights of minors.

g) Have, when it is not mandatory, a data protection delegate.

h) Submission by the person responsible or in charge, on a voluntary basis, to

alternative conflict resolution mechanisms, in those cases in which
there are controversies between those and any interested party.”

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in article 83.2 of the GDPR:

As aggravating factors:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/13








     That it is a company whose main activity is linked to the
       processing of personal data, in accordance with the provisions of article

       76.2.b) of the LOPDGDD. The development of business activity
       The defendant performs requires continuous data processing
       customer personal.

                                           V

It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of 30,000
€ for violation of article 83.5 a) GDPR.


In view of the foregoing, the following is issued

                           PROPOSED RESOLUTION


That the Director of the Spanish Agency for Data Protection sanctions
SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L., with NIF B67421867, for a
infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR, with a
a fine of 30,000 euros (thirty thousand euros).


Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be
informs that it may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
It will mean a reduction of 20% of the amount of the same. With the application of this
reduction, the sanction would be established at 24,000 euros (twenty-four thousand euros) and

Your payment will imply the termination of the procedure. The effectiveness of this reduction
will be conditioned to the withdrawal or resignation of any action or appeal via
administrative against the sanction.

In case you choose to proceed to the voluntary payment of the specified amount

above, in accordance with the provisions of the aforementioned article 85.2, you must do it
effective by entering the restricted account IBAN number: 0000 0000 0000 0000
0000 0000 open in the name of the Spanish Data Protection Agency in the
banking entity CAIXABANK, S.A., indicating the reference number in the concept
of the procedure that appears in the heading of this document and the cause, for

voluntary payment, reduction of the amount of the sanction. You must also send the
Proof of admission to the Sub-Directorate General of Inspection to proceed to close
The file.

By virtue of this, you are notified of the foregoing, and the procedure is revealed.

so that within TEN DAYS you can allege whatever you consider in your defense and
present the documents and information that it deems pertinent, in accordance with
Article 89.2 of the LPACAP.

B.B.B.

INSPECTOR/INSTRUCTOR






C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/13










                                     EXHIBIT
File index EXP202202898

02/14/2022 A.A.A.
03/14/2022 Transfer of claim to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.
04/14/2022 Communication from SUMINISTRADOR IBERICO DE ENERGIA S.L.
05/14/2022 Communication to A.A.A.
09/09/2022 A. opening of SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.

09/12/2022 Info. Complainant to A.A.A.
09/15/2022 Request for extension of term of SUMINISTRADOR IBERICO DE
ENERGY S.L.
09/16/2022 Amp. Term to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.
09/30/2022 Response to IBERICO ENERGY SUPPLIER requirement
GIA S.L.

10/03/2022 Notification p. evidence to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.





>>

SECOND: On November 15, 2022, the claimed party has proceeded to the
payment of the penalty in the amount of 24,000 euros using the reduction
provided for in the motion for a resolution transcribed above.


THIRD: The payment made entails the waiver of any action or resource in the
against the sanction, in relation to the facts referred to in the
resolution proposal.

                         FUNDAMENTALS OF LAW


                                         Yo
                                   Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency

of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character

subsidiary, by the general rules on administrative procedures."

                                        II

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/13








                             Termination of the procedure


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common for Public Administrations (hereinafter LPACAP), under the heading
"Termination in disciplinary proceedings" provides the following:

"one. Initiated a disciplinary procedure, if the offender acknowledges his responsibility,

The procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction has only a pecuniary nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the presumed perpetrator, in

any moment prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the

The competent body to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative among themselves.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or resource against the sanction.


The percentage reduction provided for in this section may be increased
according to regulations."

According to what has been stated,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202202898, in
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to SUMINISTRADOR IBÉRICO DE
ENERGY, S.L.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative process as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.



                                                                                 968-171022
Mar Spain Marti
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/13











Director of the Spanish Data Protection Agency















































































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es