AEPD (Spain) - EXP202304117
| AEPD - EXP202304117 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(a) GDPR, Article 5(2) GDPR, Article 58(2)(d) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 13.05.2022 |
| Decided: | 16.01.2024 |
| Published: | 06.02.2024 |
| Fine: | 5,000,000 EUR |
| Parties: | Energya VM Gestión de Energía, S.L |
| National Case Number/Name: | EXP202304117 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Rosa Ruiz |
Energya VM Gestión de Energía, S.L. (“Energya VM” or “data controller”) entered into a contractual relationship with Nivalco to promote its services. Nivalco contacted individuals from its database, offering discounts or insurance purportedly from their current energy supplier. However, these offers were actually agreements with Energya VM. Many data subjects only discovered they had entered into agreements with a new company when they noticed unexpected charges on their bank accounts. The AEPD's investigation began following police reports of alleged crimes by energy supply companies. Energya VM failed to conduct a prior risk analysis, to ensure GDPR compliance in the processing, and to adopt measures for GDPR-compliant sales pitches. The AEPD found Energya VM negligent for allowing Nivalco’s deceptive practices to persist despite being aware of them at some point during the contractual relationship, and imposed fines.
English Summary
Facts
Energya VM received several complaints from data subjects alleging they had been contacted by Nivalco, which offered energy services. The individuals making these calls had access to the customers' personal data. In response, Energya VM held a meeting with Nivalco to clarify the purpose of the calls and the discounts being offered. An internal audit revealed that most of the calls targeted customers who had canceled their agreements within the initial days of the contract. Under their contractual arrangement, Nivalco was responsible for promoting Energya VM’s services and managing a database containing the personal information of individuals and businesses for marketing purposes.
Energya VM claimed it was not involved in compiling this database and only accessed personal data when an individual entered into an agreement for energy services.
On May 9, 2023, the Spanish Data Protection Agency (AEPD) initiated an investigation into alleged violations of Article 5(2) GDPR and Article 5(1)(a) GDPR. Energya VM denied responsibility for Nivalco’s data processing practices, asserting that Nivalco independently obtained and managed the personal data and autonomously decided its use. Energya also argued that its lack of access to the database prevented effective supervision. However, during its investigation, the AEPD found that Energya VM had provided Nivalco with instructions regarding the processing of personal data, undermining Energya’s claims of non-involvement. Energya VM was deemed the data controller. The contractual relationship between Energya VM and Nivalco ended on May 28, 2020.
Holding
The AEPD determined that Energya VM violated Article 5(1)(a) GDPR, as well as Article 5(2) GDPR.
• Article 5(1)(a) GDPR: The facts indicate that the processing of personal data was neither lawful nor transparent, as Energya VM was aware that Nivalco was using the data in a manner that misled customers. Energya VM provided Nivalco with a sales script for the calls, which violated Article 5(1)(a) GDPR by failing to clarify how the personal data was being used. As a result, Energya VM was deemed the data controller, with Nivalco acting as the data processor.
• Article 5(2) GDPR: Energya VM, as the data controller, failed to conduct a prior risk assessment regarding Nivalco's processing of personal data. Although the data processor provided a declaration asserting that all personal data in its database was lawfully obtained, they admitted that their employees contacted customers while posing as the data controller. The origin of the personal data (including full names, business names, and phone numbers) remains unclear. Additionally, the data processor had knowledge of the customers' current energy suppliers. As the data controller, Energya was obligated to adopt proactive measures to verify the lawful origin of the data but instead acted reactively. This lack of due diligence further compounded the violation of GDPR requirements.
As a result, the AEPD upheld fines of €2,500,000 for the violation of Article 5(1)(a) GDPR and an additional €2,500,000 for the violation of Article 5(2) GDPR.
Furthermore, the AEPD directed Energya VM to take the following actions within nine months, in accordance with Article 58(2)(d) GDPR:
• Conduct a comprehensive risk assessment of their processes for collecting and handling personal data.
• Implement technical and administrative safeguards to ensure GDPR compliance in the processing and handling of personal data.
• Establish technical and administrative measures to ensure all data collection activities comply with Article 5(1)(a) GDPR.