Difference between revisions of "AEPD (Spain) - PS/00037/2020"

From GDPRhub
 
(4 intermediate revisions by 2 users not shown)
Line 54: Line 54:
 
}}
 
}}
  
The Spanish DPA fined an energy company €1,500,000 for not providing sufficient information to the data subjects and for not implementing adequate measures to avoid or mitigate risks related to the data processing.
+
The Spanish DPA fined an energy company €1,500,000 for not providing sufficient information to data subjects under Article 13 GDPR, and for not implementing adequate measures to avoid or mitigate risks related to the data processing under Article 25 GDPR.
  
 
== English Summary ==
 
== English Summary ==
Line 109: Line 109:
 
This is normally done by providing the information in layers. The AEPD explains that, for example, in case of phone contracting, the basic information (purposes, identity of the controller, data subjects rights, and most relevant information about a particular processing) could be provided during the call itself, sending afterwards the rest of the information via email, or via a link to the privacy policy. Additionally, the AEPD remarks, the fact that layers are used to provide information cannot lead to a delay in the provision of the less relevant information, what also needs to be done in the moment of the collection of the data.
 
This is normally done by providing the information in layers. The AEPD explains that, for example, in case of phone contracting, the basic information (purposes, identity of the controller, data subjects rights, and most relevant information about a particular processing) could be provided during the call itself, sending afterwards the rest of the information via email, or via a link to the privacy policy. Additionally, the AEPD remarks, the fact that layers are used to provide information cannot lead to a delay in the provision of the less relevant information, what also needs to be done in the moment of the collection of the data.
  
The AEPD also analyzed the content of the information provided. Firstly, the the way that the data subject is informed about the identity of the controller is problematic. The controller, EDP, is divided into two different companies: EDP Energy and EDP Commercial. The information provided states that "the data will be processed by EDP Energy and EDP Commercial", who are both said to be controllers. However, there is no specific reference to which company processes which data and for what purposes, which leads to a confusing and imprecise information. The privacy policy, after clarifying the existence of both controllers, only uses the generic name (EDP) without further specification.
+
The AEPD also analyzed the content of the information provided. Firstly, the the way that the data subject is informed about the identity of the controller is problematic. The controller, EDP, is divided into two different companies: EDP Energy and EDP Marketer. The information provided states that "the data will be processed by EDP Energy and EDP Marketer", who are both said to be controllers. However, there is no specific reference to which company processes which data and for what purposes, which leads to a confusing and imprecise information. The privacy policy, after clarifying the existence of both controllers, only uses the generic name (EDP) without further specification.
  
 
The AEPD also noted that it is difficult, with the information provided, to identify how processing activities relate to each legal basis alleged by the controller. Therefore, it is not clear for which processes the controller is relying on a legitimate interest. It is not possible to identify what are the legal basis that are been relied upon for each processing activity. This should be clearly provided in the information. Also, what particular legitimate interest or interests are wielded by the controller is not clarified (although later the controller made clear that such interests were fraud prevention and marketing).
 
The AEPD also noted that it is difficult, with the information provided, to identify how processing activities relate to each legal basis alleged by the controller. Therefore, it is not clear for which processes the controller is relying on a legitimate interest. It is not possible to identify what are the legal basis that are been relied upon for each processing activity. This should be clearly provided in the information. Also, what particular legitimate interest or interests are wielded by the controller is not clarified (although later the controller made clear that such interests were fraud prevention and marketing).
Line 144: Line 144:
  
 
== Comment ==
 
== Comment ==
''Share your comments here!''
+
In their allegations, the organizational structure of the group of the controllers is clarified. The existence of two companies comes from procedural and formal issues that arose when the group was bought. Currently, only EDP Marketer has employees and actual management and operative capacity, therefore being EDP employees the only ones accessing the data. In practice, all processing activities are carried out by EDP Marketer, either as a joint controller or as a processor of EDP Energy.
 +
 
 +
This structure was in principle going to be rearranged, but was paralyzed by the start of negotiations for the sale of the group.
  
 
== Further Resources ==
 
== Further Resources ==
Line 153: Line 155:
  
 
<pre>
 
<pre>
 +
 +
Page 1
 +
1/141
 +
 Procedure No.: PS / 00037/2020
 +
RESOLUTION OF SANCTIONING PROCEDURE
 +
Of the procedure instructed by the Spanish Agency for Data Protection and based on
 +
to the following
 +
BACKGROUND
 +
FIRST: Various claims have been filed before this Agency against
 +
the entity EDP COMERCIALIZADORA, SAU in which substantially
 +
denounces the processing of personal data without the consent of the interested party. Sayings
 +
treatments are produced within the framework of the contracting of gas services
 +
supposedly carried out by a representative of the client, without said entity
 +
can prove the existence of such representation. Such claims have given
 +
lead to the initiation of various sanctioning procedures by this
 +
Agency, among which it is worth mentioning PS / 0025/2019, which has concluded by declaring
 +
the existence of an infringement of the provisions of the data protection regulations.
 +
SECOND: In view of the antecedents mentioned in the previous number, on the 3rd of
 +
June 2019, the Director of the Spanish Data Protection Agency urged the
 +
Subdirectorate General for Data Inspection the start of previous actions of
 +
investigation in order to prove, where appropriate, the existence of a regular conduct and
 +
continued possible violation of data protection regulations by
 +
EDP ​​COMERCIALIZADORA, SAU .
 +
THIRD: On December 17, 2019, the Subdirectorate General of Inspection
 +
formulates a request to EDP COMERCIALIZADORA, SAU to facilitate the
 +
Next information:
 +
1. Specification of the contracting channels (telephony, internet, distributors
 +
own or subcontracted, sales force with own home visits or
 +
outsourced, etc.…) of the services marketed by EDP
 +
COMERCIALIZADORA, SAU to individuals.
 +
2. Description of the contracting procedure followed through each of the
 +
previous channels when the contract is made by a third party in
 +
representation of the natural person who owns the contract. In this regard, it is requested to provide,
 +
in addition to all the information it deems appropriate for the purposes of documenting the
 +
procedure, the following:
 +
2.1. Copy of documents (model forms, contracts, arguments
 +
telephone numbers, etc.) used to collect the personal data of the owner and the third party
 +
that acts by representing it, indicating the channel or channels for which it is used
 +
each.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 2
 +
2/141
 +
2.2. Description of the procedures enabled through each of the channels
 +
contract so that a third party can prove the representation of a holder to the
 +
sign a contract with EDP COMERCIALIZADORA, SAU
 +
2.3. Specification of the procedure followed by EDP COMERCIALIZADORA,
 +
SAU to store the evidence that proves the capacity of representation
 +
of the third party in the procedures in which this type of contracting is carried out, with
 +
indication of the channel or channels for which each one is used.
 +
2.4. Attach models and / or examples of type evidence collected under the
 +
procedure followed in section 2.3.
 +
3. Information on the number of contracts signed in 2018 and 2019 by third parties in
 +
representation of the owners of the services (natural persons) with distinction of:
 +
3.1. By virtue of what this representation is supported (power, degree of kinship, etc.)
 +
3.2. Procedure or formula for accreditation of the representation followed.
 +
3.3. Recruitment channel for telephony, internet, own distributors or subcontractors,
 +
sales force with own or outsourced home visits, etc.…)
 +
FOURTH : On January 13, 2020, the entry in the AEPD of the
 +
Written answer from EDP COMERCIALIZADORA, SAU to the request for
 +
above information. In this document the following is stated:
 +
“FIRST- Specification of the contracting channels (telephony, internet,
 +
own distributors or subcontractors, sales force with own home visits or
 +
outsourced, etc.…) of the services marketed by EDP
 +
COMERCIALIZADORA, SAU to individuals.
 +
EDP ​​has different channels to formalize the contracting, distinguishing the
 +
following:
 +
A. Telephone Channel, with partial or definitive closure of the contracting process
 +
through a phone call. It includes the following subchannels:
 +
- CAC Inbound: Call reception, from customers to EDP. In general they are
 +
and EDP customers who are identified from the beginning of the call through a
 +
security protocol, although customer calls can also be received
 +
potentials.
 +
- Telemarketing: Issuance of calls, from EDP to already owned databases
 +
customers for upselling or churn recovery. It is used for the realization of
 +
the call the telephone number that appears in the client's file, and that has been
 +
provided by said person previously.
 +
- LEADS: Issuance or reception of calls, about users who have expressed a
 +
interest in any platform or web page (raffles, promotions, comparators of
 +
offers, blogs, advertising agencies, etc.) leaving your basic data to be
 +
contacted or contacting themselves at the phone number shown.
 +
These users usually do not yet have active contracts with EDP.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 3
 +
3/141
 +
B. Web channel, closed by means of a digital form. The user accesses through
 +
a website and start a hiring process totally online, without interaction with
 +
agents.
 +
C. Distributors, with face-to-face or digital closing of the contracting process,
 +
including:
 +
- EDP's own Commercial Offices. Usually already EDP clients who come
 +
proactively to the office, although it can also be about potential clients.
 +
- Third -party stores (eg *** STORE.1 ). In general, new clients who come to perform
 +
their purchases and are interested in EDP's offer.
 +
D. External Sales Forces, with in-person closing of the contracting process,
 +
including:
 +
- Stands at Fairs, Shopping Centers, etc. In general, new clients who come
 +
to such events or places and are interested in EDP's offer.
 +
- Home visits with prior request. Clients or potential clients who have
 +
provided your data and consent to receive proposals from an EDP agent to
 +
address.
 +
SECOND.- Description of the contracting procedure followed through each
 +
one of the above channels when the contracting is carried out by a third party in
 +
representation of the natural person who owns the contract.
 +
A. Telephone Channel:
 +
Next, the procedures implemented in EDP in
 +
those cases in which the contracting is carried out by a third party in
 +
representation of a natural person by telephone:
 +
A.1 - CAC INBOUND 1) When the user indicates that he wishes to make a contract
 +
As a representative, you are asked about your relationship with the owner and if you have
 +
authorization of said person. 2) Once the previous point has been confirmed, they are requested
 +
identification data of the representative, and all the data of the owner necessary to
 +
formalize the hiring. 3) Finally the Consent is read and recorded in audio
 +
Representative express. 4) The holder of the contract, for informational purposes, is sent
 +
in duplicate, with a stamped envelope, the contractual documentation in compliance
 +
of the provisions of the consumer and user protection regulations.
 +
A.2 - TELEMARKETING 1) When the user indicates that he wishes to carry out a
 +
hiring as a representative is asked about their relationship with the owner. 2) A
 +
Once the previous point has been confirmed, identification data of the representative is requested, and
 +
all the data of the owner necessary to formalize the contract. 3) Then
 +
the Express Consent of the representative is read and recorded in audio. 4) Finally
 +
durable support is sent to the phone / sms provided by the representative, and is expected
 +
upon your confirmation. 5) The holder of the contract, for informational purposes, is sent by
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 4
 +
4/141
 +
duplicate, with a stamped envelope, the contractual documentation in compliance with the
 +
provided in the consumer and user protection regulations.
 +
A.3 - LEADS 1) When the user indicates that he wishes to make a contract as
 +
representative is asked about his relationship with the owner. 2) Once the
 +
previous point, identification data of the representative is requested, and all the data of the
 +
holder necessary to formalize the contract. 3) It is then read and recorded in
 +
audio the Express Consent of the representative. 4) Then support is sent
 +
durable to the phone / sms provided by the representative, and awaits your confirmation.
 +
5) The contract holder, for informational purposes, is sent in duplicate, with envelope
 +
franked, the contractual documentation in compliance with the provisions of the
 +
consumer and user protection regulations. 6) In this channel, by the mode of
 +
contracting and the characteristics of the clients who use it, it is in progress,
 +
as a pilot test, communication via SMS or e-mail to the represented (in cases of
 +
not related to the representative to study its effectiveness and receptivity.)
 +
B. Web: The option of contracting with a representative is not offered.
 +
C. Distributors:
 +
In the case of contracts made in EDP's own Commercial Offices (in
 +
third-party stores there is no possibility of contracting in the name and on behalf of
 +
a third) the procedure is as follows:
 +
1) In those cases in which the user indicates that he wishes to make a contract
 +
as a representative of a third party, you are asked about your relationship with the owner. 2) A
 +
Once the information is obtained, the identification data of the representative is requested, and
 +
all the data of the owner necessary to formalize the contract. Likewise,
 +
requires a photocopy of the NIF, both the representative and the represented. 3)
 +
The presentation of an authorization document is also required.
 +
completed and signed by both interested parties (representative and owner).
 +
D. External Sales Forces:
 +
In the case of contracts made by external sales forces (fair stands,
 +
shopping centers and home visits, provided there is prior request by
 +
of the interested party), in the contract the identification data of the representative will be collected,
 +
Also requesting the data of the owner necessary to formalize the contract.
 +
In the contract, it is expressly specified that the representative declares to have
 +
of sufficient powers to sign the contract on behalf of the client to whom it is
 +
is responsible for informing of all the conditions thereof. It is required, on the other
 +
part of a photocopy of the representative's NIF.
 +
Next, an audio verification of the hiring is recorded where you are
 +
indicates on two occasions to the representative, the fact that he acts on behalf of the
 +
holder of the supply and the relationship-kinship that binds them is confirmed.
 +
Therefore, to prove the representation, the contracting stub is formalized
 +
where the representative declares to have sufficient powers to sign the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 5
 +
5/141
 +
contract on behalf of the client who is responsible for informing of all
 +
conditions of this. Likewise, a copy of the representative's NIF is provided.
 +
In this regard, it is requested to provide, in addition to all the information that it considers appropriate
 +
For the purposes of documenting the procedure, the following:
 +
2.1. Copy of documents (model forms, contracts, arguments
 +
telephone numbers, etc.) used to collect the personal data of the owner and the third party
 +
that acts by representing it, indicating the channel or channels for which it is used
 +
each.
 +
A. Telephone Channel:
 +
A.1 - CAC INBOUND
 +
The data collection is carried out in the system of each of the providers,
 +
following the order that corresponds according to the type of client, contracted product
 +
or campaign.
 +
Documents:
 +
1) Sales data template (Evidence 1)
 +
2) Express Consent Sales representative CAC (Evidence 2)
 +
Evidence 2 contains the following:
 +
"[XXXXXX] we're going to record your agreement. Okay?
 +
It is [hh: mm] on the day [dd] of [mm] of [20XX], and Mr./Ms. [Name and surname]
 +
with DNI [DNI number], as [husband / wife / child / attorney / representative] and in re-
 +
presentation of the holder [name and surname / company name] with ID / CIF [number
 +
DNI / CIF] phone [phone] and email [email] has called and accepts the
 +
EDP's offer for management [supply address] consisting of [con-
 +
ditions of the plan -dto. in the light-] for [CUPS LUZ: ES…] on the EDP price
 +
current electricity price [power price (€ / kW month) and energy term price
 +
(€ / kWh)] and / or [plan conditions -dto. in gas] for [GAS CUPS: ES…] and preset
 +
current EDP gas price [price term availability (€ / month) and term price
 +
energy (€ / kWh)]; and / or It works [annual price of the service, plan conditions
 +
promotion works].
 +
[If the collection date is not chosen] The chosen payment method is [direct debit
 +
bank account in your current account / in the account ...] and will be charged on the date
 +
indicated on the invoice.
 +
[If the collection date is chosen] The payment method chosen is [direct debit bank
 +
caria in your current account / in the account ...] and will be charged on a date
 +
Specifically, the days [DD] of the month. In that case, the payment period may be shorter
 +
greater than or greater than the 20 days established in the regulations ".
 +
"On behalf of the client, and after passing a risk analysis of the transaction
 +
ration, we will take the necessary steps to activate the access contracts,
 +
moment from which the new contract will come into force, being resolved
 +
previous.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 6
 +
6/141
 +
The contract / s will have a duration of 1 year, extendable for the same period
 +
Except for a complaint in advance of 15 days. Are you satisfied with the above
 +
mation and conditions of the contract / s? [Yes / Ok].
 +
In a few days you will receive the contract including a withdrawal document for
 +
duplicate, of which you will only have to return us signed one of the copies in
 +
The self-postage envelope does not need a stamp, which we will attach to it.
 +
You have 14 calendar days to exercise your right of withdrawal. Not obs-
 +
Therefore, if you request it, we can start the procedures now. Then,
 +
If you subsequently withdraw from the contract, you must pay the corresponding amount
 +
tooth to the borrowed supply period. Do you want your contract to be processed
 +
you immediately? [OTHERWISE].
 +
You will still receive an invoice from your current company for a probable period-
 +
less than normal. From there, from the entry into force of the contract
 +
You will receive the invoice from EDP with all our advantages.
 +
Your personal data and that of your client will be processed by EDP Comer-
 +
cializadora SAU and EDP Energía SAU to manage their contracts, prevent-
 +
fraud prevention, profiling based on customer information and
 +
EDP, as well as the realization of personalized communications about products
 +
coughs or services directly related to their contracts, being able in any-
 +
want to oppose them ".
 +
"Additionally, so that EDP can advise you with the best
 +
proposals:
 +
Will you allow us to present energy-related offers to your client?
 +
adapted to your profile after the end of the contract, or send you at any
 +
information on non-energy products and services, from companies
 +
Collaborators or EDP? [OTHERWISE]
 +
Will you allow us to complete the commercial profile of your client with information
 +
of third-party databases, in order to send you personal proposals-
 +
and the possibility of contracting or not certain services? [OTHERWISE]
 +
Your request has been registered with the code that I am going to indicate. If you wish,
 +
you can make a note of [COD. CIG] ".
 +
A.2 - TELEMARKETING
 +
The data collection is carried out in the system of each of the providers,
 +
following the order that corresponds according to the type of client, contracted product
 +
or campaign.
 +
Documents:
 +
1) Sales data template (Evidence 1)
 +
2) Express Consent Sales representative TLMK (Evidence 3)
 +
The text of evidence 3 is as follows:
 +
"[Mr. Mrs. XXXXXX] to hire you, I need to record your agreement.
 +
agreement?. [Yes].
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 7
 +
7/141
 +
Well, it is [hh: mm] on the [dd] day of [mm] of [20XX
 +
[Mr / Mrs] [name and surname] with DNI [DNI number] as [husband / wife / child / attorney-in-fact
 +
address / representative] and on behalf of the owner [name and surname / reason
 +
social] with ID / CIF [ID / CIF number], phone [phone] and email [email]
 +
accepts EDP's offer for the address [supply address] consisting of
 +
in for [CUPS LUZ: ES ………… ..] on the current EDP price of electricity
 +
[power price (€ / kW month) and energy term price (€ / kWh)] and / or [conditions
 +
purposes of the plan - disc. in gas] for [GAS CUPS: ES ……………………….] and price
 +
Gas EDP in force [price term availability (€ / month) and term price
 +
energy (€ / kWh)]; and / or It works [annual price of the service, plan conditions
 +
promotion works]. The chosen form of payment is [direct debit at
 +
your current account / in the account ………] and will be charged [on the date indicated
 +
on the invoice / on A SPECIFIC DATE, THE DAYS (DD) OF THE MONTH. ON
 +
IN THIS CASE, THE PAYMENT PERIOD MAY BE LESSER OR HIGHER THAN
 +
THE 20 DAYS ESTABLISHED IN THE REGULATIONS]. In the name of his repre-
 +
sitting down, and after passing an analysis of the risk of the operation, we will make the
 +
tions necessary to activate the access contracts, from the moment
 +
which will enter into force the new contract, being resolved the previous one.
 +
The contract / s will have a duration of 1 year, extendable for the same period
 +
Except for a complaint in advance of 15 days.
 +
Are you satisfied with the above information and conditions of the contract / s? "
 +
[Yes / Ok]. "Thank you."
 +
In a few days you will receive the contract (including withdrawal document) for
 +
duplicate, of which you will only have to return us signed one of the copies in
 +
The self-postage envelope does not need a stamp, which we will attach to it.
 +
You have 14 calendar days to exercise your right of withdrawal in the
 +
form that you consider appropriate. However, we can initiate the procedures during
 +
within that period if you request it, in which case if you withdraw from the contract
 +
must pay the amount proportional to the borrowed part of the supply. From-
 +
Whether your hiring is processed immediately? [OTHERWISE]
 +
You will still receive an invoice from your current company for a probable period-
 +
less than normal. With the entry into force of the contract you will receive the invoice
 +
from EDP with all our advantages.
 +
Your personal data and that of your client will be processed by EDP Comer-
 +
cializadora SAU and EDP Energía SAU to manage their contracts, prevent-
 +
fraud prevention, profiling based on customer information and
 +
EDP, as well as the realization of personalized communications about products
 +
coughs or services directly related to their contracts, being able in any-
 +
want time to oppose them.
 +
Additionally, so that from EDP we can advise you with the best
 +
proposals:
 +
Will you allow us to present energy-related offers to your client?
 +
after the end of the contract, or send you at any time information on
 +
products and services of the financial, insurance and automotive sectors,
 +
Collaborating Companies or EDP?
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 8
 +
8/141
 +
[OTHERWISE]
 +
Will you allow us to complete the commercial profile of your client with information
 +
of third-party databases, in order to send you personal proposals-
 +
and the possibility of contracting or not certain services?
 +
[OTHERWISE]
 +
We remind you that you can exercise your rights to
 +
access, rectification, opposition, deletion, limitation and portability, through
 +
any of the routes indicated in the General Conditions that may
 +
check on our website www.edpenergia.es.
 +
[Only in case of gas contracting] “For your safety we remind you of the obligation
 +
legal obligation to collaborate with your Distribution Company by facilitating access to
 +
your instalations."
 +
In order to process your request we need you to confirm the acceptance of this
 +
offer that has the Code, please take note: “CIG CODE”.
 +
A.3 - LEADS
 +
The data collection is carried out in the system of each of the providers,
 +
following the order that corresponds according to the type of client, contracted product
 +
or campaign.
 +
Documents:
 +
1) Sales data template (Evidence 1)
 +
2) Express Consent Sales Representative LEADS (Evidence 4)
 +
The content of evidence 4 is as follows:
 +
"[Mr. Mrs. XXXXXX] to hire you, I need to record your agreement.
 +
agreement?. [Yes].
 +
Well, it is [hh: mm] on the day [dd] of [mm] of [20XX] and [Mr / Mrs] [name
 +
and surnames] with DNI [DNI number] has requested the call from EDP and as
 +
[husband / wife / child / attorney-in-fact / representative] and on behalf of the owner
 +
[name and surname / company name] with DNI / CIF [DNI / CIF number], telephone [telephone]
 +
and email [email] accepts EDP's offer for the address [address
 +
supply] consisting of [plan conditions -dto. in the light for [CUPS
 +
LIGHT: ES ………… ..] on the current EDP price of electricity [price of
 +
power (€ / kW month) and energy term price (€ / kWh)] and / or [conditions of the
 +
plan -dto. in gas] for [GAS CUPS: ES ……………………….] and EDP price
 +
gas current [price term availability (€ / month) and term energy price
 +
(€ / kWh)]; and / or It works [annual price of the service, plan conditions
 +
promotion works]. The chosen form of payment is [direct debit at
 +
your current account / in the account ………] and will be charged [on the date indicated
 +
on the invoice / on a specific date, the days (dd) of the month. in that case the
 +
payment period may be less or more than the 20 days established in the
 +
normative]. On behalf of your client, and after passing a risk analysis
 +
of the operation, we will take the necessary steps to activate the contracts of
 +
access, moment from which the new contract will come into force, leaving
 +
solved the above.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 9
 +
9/141
 +
The contract / s will have a duration of 1 year, extendable for the same period
 +
Except for a complaint in advance of 15 days.
 +
Are you satisfied with the above information and conditions of the contract / s? "
 +
[Yes / Ok]. "Thank you."
 +
In a few days you will receive the contract (including withdrawal document) for
 +
duplicate, of which you will only have to return us signed one of the copies in
 +
The self-postage envelope does not need a stamp, which we will attach to it.
 +
You have 14 calendar days to exercise your right of withdrawal in the
 +
form that you consider appropriate. However, we can start the procedures
 +
during that period if you request it, in which case if you desist from the
 +
contract must pay the amount proportional to the borrowed part of the
 +
supply. Do you want your hiring to be processed immediately? [OTHERWISE]
 +
You will still receive an invoice from your current company for a period
 +
probably lower than normal. With the entry into force of the contract you will receive
 +
the EDP invoice with all our advantages.
 +
Your personal data and that of your client will be processed by EDP
 +
Comercializadora SAU and EDP Energía SAU to manage their contracts,
 +
fraud prevention, profiling based on customer information
 +
and EDP, as well as the realization of personalized communications about
 +
products or services directly related to their contracts, being able
 +
at any time oppose them.
 +
Additionally, so that from EDP we can advise you with the best
 +
proposals:
 +
May we present you with energy-related offers tailored to your
 +
profile after the end of the contract, or send you at any time
 +
information of non-energy products and services, of companies
 +
Collaborators or EDP?
 +
[OTHERWISE]
 +
Will you allow us to complete the commercial profile of your client with information
 +
of third-party databases, in order to send you proposals
 +
personalized services and the possibility of contracting or not certain services?
 +
[OTHERWISE]
 +
We remind you that you can exercise your rights to
 +
access, rectification, opposition, deletion, limitation and portability, through
 +
any of the routes indicated in the General Conditions that may
 +
check on our website www.edpenergia.es.
 +
B. Web: The option of contracting with a representative is not offered.
 +
C. Distributors:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 10
 +
10/141
 +
In the case of EDP's own commercial offices, data collection is carried out
 +
in the system of each of the suppliers, following the corresponding order
 +
according to the type of client, contracted product or campaign.
 +
Documents provided:
 +
1) Sales data template (Evidence 1)
 +
2) Representative management authorization template (Evidence 5)
 +
Regarding the content of the evidence 5, the document contains three
 +
Differentiated boxes. The first one indicates that "the HOLDER (D. ,,,, DNI or CIF) in
 +
proper name or representation of the company. " The second box indicates that
 +
“AUTHORIZES (D. ,,,, DNI ... or CIF) to carry out the management of (indicates 4 possibilities:
 +
registration / cancellation, change of ownership, change of direct debit, and / or other procedures)
 +
the box next to each of them must be marked. In the third box,
 +
collect "SIGNATURE" and leave the spaces corresponding to the place, date (day, month and
 +
year) and space for the signature of the authorizing and authorized.
 +
Next, the following legend is highlighted with a red background:
 +
"NOTE: TO BE VALID, THIS AUTHORIZATION MUST BE PRESENTED
 +
ACCOMPANIED BY PHOTOCOPY OF THE HOLDER'S AND THE AUTHORIZED'S ID.
 +
WHEN IT IS AN AUTHORIZATION GRANTED BY A REPRESENTATIVE
 +
DEL TIPO SA, SL, AIE, UTE, CB, COMMUNITY OF OWNERS,
 +
FOUNDATIONS, SCHOOLS, ..., IN ADDITION, A PHOTOCOPY OF THE
 +
TIMELY POWER OF ATTORNEY ”.
 +
The following text follows;
 +
"Interested parties are informed that the personal data provided in
 +
This form will be treated as the data controller by EDP ENERGÍA,
 +
SAU and EDP COMERCIALIZADORA, SAU so that they can be used
 +
for the processing of authorized management.
 +
The personal data that you provide us will be used, in the form and with the
 +
limitations and rights recognized by the General Data Protection Regulation
 +
(EU) 2016/679.
 +
The interested parties whose data are subject to treatment may exercise their rights
 +
of access, rectification, deletion, portability, limitation and opposition to treatment
 +
of these data, proving your identity, by email addressed to
 +
cclopd@edpenergia.es or by writing to the person responsible for the treatment at the
 +
Address Plaza del Fresno, 2 - 33007 Oviedo (Asturias). Likewise, you can put
 +
in contact with the EDP Data Protection Officer, at the same address
 +
postal or email dpd.es@edpenergia.es, if you understand
 +
violated any of your rights related to data protection, or in your
 +
case, file a claim with the Spanish Agency for Data Protection "
 +
D. External Sales Forces:
 +
In the case of external sales forces (fair stands, shopping centers and
 +
home visits, provided there is a prior request by the interested party), the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 11
 +
11/141
 +
Data collection is done on a paper stub. This data is digitized in
 +
Channel Management Tool (HGC).
 +
For verification, data collection is carried out in the system of the supplier of
 +
check.
 +
Documents:
 +
1) Sales receipt (Evidence 6)
 +
2) Sales data template (Evidence 1)
 +
3) Verification script (Evidence 7)
 +
With regard to evidence 6, which the defendant calls the
 +
sales, the document, under the title "contract for the supply of energy and / or services",
 +
It contains on its first page three boxes.
 +
In the first one there are spaces to fill in the data related to the point of
 +
supply (address, electricity cup, gas cup) and separately check boxes
 +
the contracting of a light + gas contract or one of the two services individually. I know
 +
They also contain spaces to fill in the data of the contract holder
 +
(name, surname, telephone and email) and representative data (name,
 +
NIF and address and several boxes are included to mark that the representative is in
 +
status of spouse / registered partner, ascendant / descendant or attorney-in-fact) below
 +
of such boxes, a text indicates that “it declares that it has sufficient powers to
 +
sign this contract on behalf of the client who is responsible for
 +
inform of all the conditions of the same. "
 +
Below this box is the following legend; "The client hires, for the
 +
supply indicated, the gas supply with EDP Comercializadora, SAU and the
 +
supply of electricity and / or complementary services with EDP Energía, SAU,
 +
(hereinafter jointly and / or individually, as appropriate, referred to as “EDP”) with
 +
in accordance with the Specific Conditions set out below and the
 +
General Conditions in annex.
 +
The client requests that the provision of the supply / supplies and / or services be
 +
start during the withdrawal period contemplated in the general conditions. "
 +
In the second box entitled specific conditions of the contract and in which
 +
Separately depending on whether it is gas or light, certain information is contained on
 +
rates and in which there are spaces to be completed and boxes to mark
 +
relating to the services that are contracted, it appears both in the gas part and in the
 +
light a box that must be marked to indicate that the owner is changing. I also know
 +
includes a space to fill in the data related to the current account for
 +
direct debit charges (this space is common to all contracted services)
 +
Below this box is the following text: “EDP reserves the right to
 +
waive this contract if the actual supply data does not comply with the
 +
declared by the client at the time of hiring. " Below is a box for
 +
mark that "The client expressly declares to know and accept the above
 +
Specific conditions." And another to mark that “The client declares to have been
 +
informed and received the annex with the General Conditions, which he accepts. " It adds
 +
then that “The client, if he / she had the status of consumer, has the RIGHT
 +
TO DESIST this contract if it had been formalized remotely or outside the
 +
establishments of the marketer as indicated in the general conditions
 +
and acknowledges that the corresponding withdrawal document has been delivered to the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 12
 +
12/141
 +
effect." Below is a box to mark that “The client declares to have
 +
received the withdrawal document and have been informed of it. "
 +
In the third box, under the heading CLIENT / REPRESENTATIVE after noting that the
 +
information related to data protection can be read on the back, allows you to mark
 +
the following consents:
 +
 I consent to the processing of my personal data once the relationship has ended
 +
contractual, to carry out commercial communications adapted to my profile
 +
of products and services related to the supply and consumption of energy. In addition,
 +
I consent to the aforementioned treatments during the term and after the end of the
 +
contract, on non-energy products and services, both of the Group companies
 +
EDP ​​and third parties.
 +
 I consent to the processing of my personal data for the elaboration of my profile
 +
with information from third party databases, for the
 +
adoption, by EDP, of automated decisions in order to send
 +
personalized commercial proposals, as well as to allow, or not, the contracting
 +
of certain services.
 +
On the back of the first page there is a section entitled “Basic information
 +
on Data Protection ”: which contains the following:
 +
" Personal data will be processed by EDP COMERCIALIZADORA,
 +
SAU and EDP ENERGÍA, SAU (hereinafter, jointly, EDP) as
 +
Responsible for the Treatment, for the maintenance, development, compliance and management
 +
tion of the contractual relationship, fraud prevention, profiling based on
 +
in information provided by the Client and / or derived from the provision of the service by
 +
part of EDP, as well as sending commercial communications, related to products and
 +
services related to the supply and consumption of energy, maintenance of ins-
 +
facilities and equipment, and that can be customized based on your profile of
 +
Client, as reported in the General Conditions, being able to oppose in any-
 +
any time to send commercial communications. Additionally, the Client
 +
gives your explicit consent for the processing of personal data collected
 +
on the obverse. Without prejudice to the consents given, the client may exercise,
 +
at all times, your rights of access, rectification, opposition, deletion, limitation
 +
tion and portability, through any of the channels indicated in the Conditions
 +
General. "
 +
In the part of general conditions the following information regarding
 +
personal data protection:
 +
“ LOPD Purposes of the processing of personal data. According to
 +
provided in current regulations, the client is informed that all data
 +
provided in this contract are necessary for the purposes of its formalization.
 +
Said data, in addition to those obtained as a result of the execution of the
 +
contract, will be processed by EDP COMERCIALIZADORA, SAU, domiciled at
 +
c / General Concha, 20, 48001, Bilbao and by EDP ENERGIA, SAU with address at
 +
Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers,
 +
in order to manage, maintain, develop, complete and control the
 +
contracting supply of electricity and / or gas and / or complementary services of and / or
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 13
 +
13/141
 +
gas and / or complementary services of revision and / or technical assistance and / or program of
 +
points, and / or improvement of the service, to carry out actions to prevent
 +
fraud, as well as profiling, personalized commercial communications
 +
based on information provided by the Client and / or derived from the provision of the
 +
service by EDP and related to products and services related to the
 +
supply and consumption of energy, maintenance of facilities and equipment.
 +
These treatments will be carried out in strict compliance with the legislation
 +
current and insofar as they are necessary for the execution of the contract and / or the
 +
satisfaction of EDP's legitimate interests, provided that the latter are not
 +
other rights of the client prevail.
 +
Provided that the client has explicitly accepted it, their personal data will be
 +
treated, even once the contractual relationship has ended and provided that there is no
 +
Produces opposition to said treatment, to:
 +
(I) The promotion of financial services, payment protection services, automotive
 +
or related and electronic, own or third parties, offered by EDP and / or participation in
 +
promotional contests, as well as for the presentation of commercial proposals
 +
linked to the energy sector after the end of the contract, (II) The preparation of
 +
Commercial profiles of the Client by aggregating the databases of
 +
third parties, in order to offer the Client personalized products and services,
 +
thus improving the customer experience, (III) Decision-making
 +
automated, such as allowing the contracting, or not, of certain products
 +
and / or services based on the Client's profile and particularly, on data such as, the
 +
history of defaults, the history of hires, permanence, locations, data
 +
consumption, types of devices connected to the energy network, and similar data
 +
that allow to know in greater detail the risks associated with the contracting. (IV)
 +
Based on the results obtained from the aggregation of the indicated data,
 +
EDP ​​may make personalized offers, specifically aimed at achieving the
 +
contracting of certain products and / or services from EDP or from third parties
 +
depending on whether the client has consented to it or not, being in any case treated
 +
data whose age will not exceed one year. In the event that said process was carried out
 +
carried out in an automated way, the client will always have the right to obtain intervention
 +
human rights by EDP, admitting the challenge and, where appropriate, assessment of the
 +
resulting decision.
 +
Categories of data processed
 +
By virtue of the contractual relationship, EDP may process the following types of data
 +
personal: (I) Identifying data (name, surname, ID, postal address, address
 +
email address, supply point, etc.), (II) Identification codes or keys
 +
User and / or Client, (III) Personal characteristics data (date of birth,
 +
sex, nationality, etc.), (IV) Data of social circumstances (hobbies, style of
 +
life, marital status, etc.), (V) Data on energy consumption and derived lifestyle habits
 +
of these, (VI) Economic, financial, solvency and / or insurance data.
 +
Personal data will be kept for the duration of the contractual relationship
 +
and at most, during the statute of limitations for legal actions
 +
corresponding, unless the Client authorizes its treatment for a longer period,
 +
applying organizational and security measures from the beginning of the treatment
 +
to ensure the integrity, confidentiality, availability and resilience of data
 +
personal
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 14
 +
14/141
 +
Communications and recipients of personal data.
 +
All personal data derived from the provision of the service and those obtained in
 +
By virtue of this contract, they may be communicated to the following entities:
 +
i)
 +
The corresponding distribution company, producing with it an in-
 +
permanent exchange of information for the adequate provision of the service,
 +
among them the request for access to your network, the readings (which in the case of
 +
remote-managed controller will be hourly) and / or consumption estimation, quality control
 +
supply, request for supply cuts, modifications in the pos-
 +
tencia, etc.
 +
ii)
 +
The Organizations and Public Administrations that by Law correspond.
 +
iii)
 +
Banks and financial entities for the collection of services rendered.
 +
iv)
 +
Other companies of the business group, solely for administrative purposes
 +
internal and the management of the products and services contracted.
 +
v)
 +
National equity solvency and credit services (Asnef-Equifax,
 +
...) to which in case of non-payment, without just cause by the Client,
 +
You will be able to communicate the debt, as well as fraud prevention services,
 +
with the sole purpose of identifying erroneous or fraudulent information provided during-
 +
you the hiring process.
 +
saw)
 +
EDP ​​suppliers necessary for the adequate fulfillment of the obligations
 +
contractual arrangements, including those that may be located outside the State
 +
European Economic space, in which case it is duly adequate
 +
international data transfer.
 +
Rights of the data owner
 +
The client will have the possibility of exercising freely at all times
 +
and completely free the following rights:
 +
i)
 +
Access your personal data that is processed by
 +
EDP.
 +
ii)
 +
Rectify your personal data that is processed by
 +
EDP ​​that are inaccurate or incomplete.
 +
iii)
 +
Delete your personal data that is processed by EDP
 +
iv)
 +
Limit EDP's treatment of all or part of its
 +
personal information.
 +
v)
 +
Oppose certain treatment and decision-making
 +
automated data processing, requiring human intervention
 +
mana in the process, as well as to challenge the decisions that are final-
 +
adopted by virtue of the processing of your data.
 +
saw)
 +
Port your personal data in an interoperable format and auto-
 +
enough.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 15
 +
15/141
 +
vii)
 +
Withdraw at any time, the consents granted
 +
previously.
 +
In accordance with current regulations, the user can exercise their
 +
rights by requesting it in writing, and together with a copy of a certified document
 +
accrediting identity, at the following post-
 +
such: Plaza del Fresno, 2, 33007 Oviedo or in the email cclo-
 +
pd@edpenergía.es
 +
Likewise, you can contact the protection delegate
 +
of EDP data at the following postal address Plaza del Fresno, 2,
 +
33007 Oviedo or in the email dpd, es @ edpenergía.es, in the
 +
in case you understand that any of your related rights has been violated
 +
with data protection, or, where appropriate, file a claim
 +
before the Spanish Agency for Data Protection, at the address Calle
 +
de Jorge Juan, 6, 28001. Madrid "
 +
Evidence 7 refers to a sales process with express online verification.
 +
SCRIP VERIFIER-AGENT
 +
Part 1 (Agent call to number *** PHONE.1 or *** PHONE.2 )
 +
VERIF - EDP ​​Verifications, good morning. Can you tell me your phone number to
 +
perform verification?
 +
AGE - Good morning, my phone is XXXXX.
 +
VERIF-I proceed to issue the outgoing call.
 +
Part 2 (Outgoing call from the verifier to the agent's phone)
 +
VERIF: Good morning, can you tell me ID ?. XXXXX Can you tell me your name and surname and
 +
collaborating company? If the tool returns the collaborator's data (and the
 +
itself is active) we will check if they match, if so we continue, in
 +
If they do not match, we will ask you again for the data / s that do not match for
 +
reconfirm the discrepancy, if you continue we will indicate: «We cannot carry out the
 +
verification, the data you provide us is inconsistent »). In case the
 +
tool does not return anything to us, we will ask you again for your ID and if you continue
 +
Without appearing we indicate: «We cannot carry out the verification, your company has not
 +
accredited ».
 +
VERIF- Can you tell me the name, surname and ID of the signer? XXXXX How many contracts
 +
He has signed? XXXX (maximum 6 contracts per call) made at the EDP Stand
 +
in the CC XX / in the store of the collaborator XX
 +
VERIF-Is the signer the owner of the contracts? In case of being the owner, request
 +
contact telephone number and province. If you sign as a representative, request a name,
 +
Surname and DNI of / the holders (maximum 3) and contact telephone number and main province
 +
of each holder.
 +
VERIF-Can you tell me the phone number of the signer to carry out the verification?
 +
XXXXX
 +
VERIF-I proceed to issue the call to start the verification.
 +
Part 3 (Outgoing call from verifier to verification phone)
 +
VERIFY CUSTOMER- Good morning, I am XXXX from the company *** COMPANY.1
 +
collaborator of EDP. For security reasons I inform you that this call is
 +
being recorded, do you confirm that it is SIGNING NAME with DNI XXXX and that
 +
has just signed XX contracts at the collaborator's EDP stand / store (in case of
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 16
 +
16/141
 +
sign as representative indicate “in representation of name-surname HOLDER
 +
DNI) Yes / No . What relationship-kinship do you have with the owner? (this question I don't know
 +
performed when the owner is a company).
 +
- Tenant, I have the rented house. Request that it happen to the agent and
 +
tell you that a tenant cannot sign as a representative. KO verification.
 +
-Family or attorney-in-fact: continue verification.
 +
Perfect, please pass me on to the agent to take some information and carry out the
 +
verification, thank you.
 +
2.2. Description of the procedures enabled through each of the channels
 +
contract so that a third party can prove the representation of a holder to the
 +
sign a contract with EDP COMERCIALIZADORA, SAU
 +
A. Telephone Channel:
 +
A.1 - CAC INBOUND
 +
Recording of the legal text where the representative confirms the data provided from the
 +
represented.
 +
A.2 - TELEMARKETING
 +
Recording of the legal text where the representative confirms the data provided from the
 +
represented and durable support via sms / email where the representative confirms
 +
new said data.
 +
A.3 - LEADS
 +
Recording of the legal text where the representative confirms the data provided from the
 +
represented and durable support via sms / email where the representative confirms
 +
new said data.
 +
Additionally, in the pilot test of this channel, another
 +
sms / email informing of the representative's action.
 +
B. Web: The option of contracting with a representative is not offered.
 +
C. Distributors:
 +
In the case of EDP's own commercial offices, it is requested to fill out and
 +
signed by both interested parties (representative and owner) a document of
 +
express authorization in which the data of both persons and copies of their
 +
NIF.
 +
D. External Sales Forces:
 +
In the case of external sales forces (fair stands, shopping centers and
 +
home visits, provided there is a prior request by the interested party), the
 +
compilation, the hiring stub is kept where the representative declares
 +
have sufficient powers to sign the contract on behalf of the client to
 +
who is responsible for informing of all the conditions of this.
 +
Likewise, the verification recording is available and kept where they are confirmed
 +
with the representative the data of the represented, as well as the relationship / kinship that
 +
unites them.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 17
 +
17/141
 +
2.3. Specification of the procedure followed by EDP COMERCIALIZADORA, SAU
 +
to store the evidence that proves the capacity of representation of the
 +
third party in the procedures in which this type of contracting is carried out, with
 +
indication of the channel or channels for which each one is used.
 +
A. Telephone Channel:
 +
A.1 - CAC INBOUND
 +
The recording is stored linked to the commercial management system of
 +
Contacts where the request is registered.
 +
A.2 - TELEMARKETING
 +
The recording and durable media are stored in the recording system.
 +
Channel commercial management.
 +
A.3 - LEADS
 +
The recording and durable media are stored in the recording system.
 +
Channel commercial management.
 +
B. Web: The option of contracting with a representative is not offered.
 +
C. Distributors
 +
In the case of EDP's own Commercial Offices, the authorization document
 +
It is stored linked to the Contacts commercial management system
 +
where the request is registered.
 +
D. External Sales Forces:
 +
The recruitment stub and the recording of the verification call are located
 +
stored digitally in the Canales commercial management system.
 +
For its part, the paper copy is sent to the supplier commissioned by EDP of the
 +
custody of said documents.
 +
2.4. Attach models and / or examples of type evidence collected under the
 +
procedure followed in section 2.3.
 +
A. Telephone Channel:
 +
A.1 - CAC INBOUND
 +
An example is provided with the recordings (Evidence 8) It is an audio with the
 +
recording of a service contract in a specific case carried out through
 +
representation. Its content is the same as in evidence 2.
 +
A.2 - TELEMARKETING
 +
Examples of recordings and durable supports are provided (Evidence 9 and 10,
 +
respectively) Evidence 9 consists of an audio with the recording of the
 +
contracting services with a client representative. Play the content
 +
of evidence 3. Evidence 10 is a document with the following text:
 +
"Confirmation of acceptance of communication by sms:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 18
 +
18/141
 +
On 2019-04-26 15:50:06 an SMS was sent from the phone number
 +
*** PHONE. 3 with the text:
 +
EDP ​​Offer : *** OFFER. 1 Please respond with a YES to this SMS to
 +
accept and
 +
activate discounts. Thanks. Details:
 +
http://edpconfirma.es/OOUSEAVSXK to the recipient phone number
 +
*** PHONE . 4.
 +
This message was answered with the notification ID OOUSEAVSXK, on ​​the day
 +
2019-04-26 15:50:46 and with the text: If which we accept as valid for the
 +
processing of the product offered in the document shown to
 +
continuation. The personal data of the contractor and of
 +
the offer and the following information: Your personal data will be processed by
 +
EDP ​​Comercializadora SAU and EDP Energía SAU for the management of their
 +
contracts, fraud prevention, profiling based on information
 +
of the client and EDP, as well as the realization of communications
 +
personalized information on products or services directly related to their
 +
contracts, being able to oppose them at any time.
 +
We remind you that you can exercise your rights to
 +
access, rectification, opposition, deletion, limitation and portability, through
 +
any of the routes indicated in the General Conditions that can
 +
check on our website www.edpenergia.es. "
 +
A.3 - LEADS
 +
Examples are provided with recordings and durable media (Evidence 11, 12,
 +
and 13, respectively)
 +
B. Web: The option of contracting with a representative is not offered.
 +
C. Distributors:
 +
Regarding our own Commercial Offices, a model document is attached.
 +
authorization completed by the representative in favor of the represented
 +
(Evidence 14).
 +
D. External Sales Forces:
 +
With regard to the evidence generated by external sales forces, is attached
 +
hiring stub model where the representation is collected (Evidence 15),
 +
as well as the recording in which it is confirmed, as well as the relationship-kinship
 +
that links them (Evidence 16).
 +
THIRD. - Information on the number of contracts signed in 2018 and 2019 by
 +
third parties on behalf of the owners of the services (natural persons) with
 +
distinction of: 3.1. By virtue of what this representation is supported (power, degree of
 +
kinship, etc.) 3.2. Procedure or formula for accreditation of representation
 +
Following. 3.3. Recruitment channel for telephony, internet, own distributors or
 +
subcontractors, sales force with own or subcontracted home visits, etc. ...)
 +
In relation to the request for information regarding the number of contracts signed in
 +
the years 2018 and 2019 by third parties on behalf of individuals, it is put into
 +
knowledge of the AEPD the following information related to each of the channels:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 19
 +
19/141
 +
A. Telephone Channel: 11656
 +
A.1 - CAC INBOUND
 +
Year Channel Representation
 +
No. Contracts
 +
2018 CAC Relationship
 +
1,346
 +
2018 CAC Unrelated
 +
394
 +
2019 CAC
 +
Relationship
 +
983
 +
2019 CAC Unrelated
 +
278
 +
A.2 - TELEMARKETING
 +
Channel Year
 +
Representation
 +
No. Contracts
 +
2018 TELEMARKETING
 +
Relationship
 +
2,865
 +
2018 TELEMARKETING
 +
No kinship
 +
82
 +
2019 TELEMARKETING
 +
Relationship
 +
1,201
 +
2019 TELEMARKETING
 +
No kinship
 +
42
 +
A.3 - LEADS
 +
Channel Year
 +
Representation
 +
No. Contracts
 +
2018 LEADS
 +
Relationship
 +
5,518
 +
2018 LEADS
 +
No kinship
 +
849
 +
2019 LEADS
 +
Relationship
 +
6,127
 +
2019 LEADS
 +
No kinship
 +
1,160
 +
B. Web: Hiring with a representative is not contemplated.
 +
C. Distributors (own commercial offices):
 +
Year Channel Representation
 +
No. Contracts
 +
2018 OOCC Relationship
 +
194
 +
2018 OOCC Unrelated
 +
67
 +
2019 OOCC Relationship
 +
174
 +
2019 OOCC Unrelated
 +
78
 +
D. External Sales Forces: (trade fair stands, shopping centers - home visit)
 +
Year Channel Representation
 +
No. Contracts
 +
2018 FVE
 +
Relationship
 +
10,758
 +
2018 FVE
 +
No kinship
 +
118
 +
2019 FVE
 +
Relationship
 +
1,556
 +
2019 FVE
 +
No kinship
 +
58
 +
FIFTH : In writing dated May 29, 2020, sent on June 1, 2020,
 +
formulates a new information request to EPD COMERCIALIZADORA, SAU
 +
requesting the one listed below:
 +
1. Copy of the content included in the Register of Treatment Activities (article
 +
30 of the RGPD) regarding personal data processing activities
 +
carried out in the context of contracting services with EDP
 +
COMERCIALIZADORA, SAU
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 20
 +
20/141
 +
2. Copy of the content included in the Risk Analysis or Assessment carried out by the
 +
entity in compliance with article 32 of the RGPD regarding the processing of
 +
personal data made in the context of contracting services with EDP
 +
COMERCIALIZADORA, SAU
 +
3. Enter the information previously provided by the entity to the AEPD, registered
 +
with the number 001390/2020, it is specified on a recurring basis (see evidence 2, 3, 4,
 +
6, 10, 12, 14, 15) that personal data will be processed for all
 +
purposes described, in addition to EDP COMERCIALIZADORA, SAU, for another
 +
legal person (EDP ENERGIA, SAU). In this regard, the following is requested
 +
information:
 +
3.1. Reason that justifies that both entities process the personal data collected.
 +
3.2. Detail of the circumstances that condition, if any, that the treatments
 +
made on specific personal data are executed by one or the other
 +
entity.
 +
3.3. Detail, where appropriate, the procedures and mechanisms used to
 +
guarantee the separation of personal data processed by one and another entity of
 +
so that each one only has the possibility of treating what corresponds to it according to
 +
of the legitimate purpose pursued at all times.
 +
SIXTH: On June 17, 2020, a written entry from EDP is entered in this Agency
 +
COMERCIALIZADORA, SAU in which the following is stated regarding the last
 +
question raised in the request of this Agency referred to in point
 +
previous:
 +
"THIRD.- Enter the information previously provided by the entity to the AEPD,
 +
registered with the number 001387/2020, it is specified on a recurring basis (see
 +
evidences 2, 3, 4, 6, 10, 12, 14, 15) that personal data will be processed for the
 +
set of purposes described, in addition to EDP COMERCIALIZADORA, SAU,
 +
by another legal person (EDP ENERGIA, SAU). In this regard, the following is requested
 +
information:
 +
3.1. Reason that justifies that both entities process the personal data collected.
 +
3.2. Detail of the circumstances that condition, if any, that the treatments
 +
made on specific personal data are executed by one or the other
 +
entity.
 +
As these two questions are directly related to each other, the answer is given
 +
joint to them.
 +
In relation to the evidence provided and that correspond to supports that are
 +
used to carry out the contracting through the different channels is done
 +
reference, both to EDP COMERCIALIZADORA, and EDP ENERGÍA SAU (EDP
 +
ENERGY), because the company with which the services are contracted will be one or
 +
another depending on the product and / or service requested, being highly probable that
 +
the same customer when requesting the contracting of the electricity and gas supply, is
 +
contracting with both companies at the same time.
 +
For this reason, the “dual” contract has been drawn up and structured in such a way that a
 +
client can obtain discounts or additional advantages for the fact of contracting
 +
both energies with two companies of the same business group, and in order to
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 21
 +
21/141
 +
keep the discounts updated in each of the energies and information
 +
derived, it is necessary for both societies to know whether the energy initially
 +
contracted with the other Group company remains active in order to maintain and
 +
correctly manage the discounts / benefits applied.
 +
For this reason, and in order to provide the maximum possible transparency to a process
 +
carried out eminently in writing, such as the contracting of services
 +
energy, is why in the clause on data protection it is reported that
 +
the personal data provided during the hiring process will be processed by
 +
both entities, always respecting the functions of each one in accordance with the
 +
contract signed in each case and particularly the type of energy services that
 +
are finally hired.
 +
On the other hand, and regardless of the above, we inform you of this
 +
Agency that the existence of two companies within the Group with the role of entities
 +
trading companies is due to a purely formal issue, a consequence of the
 +
corporate structure and shareholding composition of the companies acquired by the
 +
EDP ​​Group at the time of its establishment in Spain, but not
 +
corresponds to the operational functioning of said marketers, since
 +
only one of them, EDP COMERCIALIZADORA, currently has
 +
employees and managerial and operational capacity. Thus, in practice, all
 +
treatments are carried out by said entity, either as responsible for the
 +
treatment or as person in charge of the treatment of EDP ENERGÍA.
 +
Additionally, it should be noted that the EDP Group had planned the corporate reorganization
 +
of EDP COMERCIALIZADORA and EDP ENERGÍA and the adaptation of their structure
 +
company with that of its actual operation and its business operations. Bliss
 +
reorganization has been currently affected by a process of sale to TOTAL
 +
in which both companies are immersed, and that if it materializes, it could alter or
 +
finalize said integration.
 +
3.3. Detail, where appropriate, the procedures and mechanisms used to
 +
guarantee the separation of personal data processed by one and another entity of
 +
so that each one only has the possibility of treating what corresponds to it according to
 +
of the legitimate purpose pursued at all times.
 +
As already stated, all users with access to the system are employees of
 +
EDP ​​COMMERCIALIZADORA.
 +
In this way, EDP agents access the personal data of the clients of
 +
said entity as data controllers or, they have access to the
 +
personal data of EDP ENERGÍA clients, as Manager of the
 +
Treatment, in compliance with the provision of customer management services of
 +
EDP ​​ENERGÍA entrusted to it by EDP COMERCIALIZADORA, being
 +
managed as the two different roles they occupy by virtue of the
 +
contractual regulation that we make available to this Agency. "
 +
Along with this response, an extract from the Registry of Treatment Activities is provided.
 +
which includes the records relating to the activities carried out in the field of
 +
contracting of products and / or services and the risk analysis carried out regarding the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 22
 +
22/141
 +
treatments that are carried out in the context of contracting products and / or
 +
services.
 +
The risk analysis is contained in an Excel document, it does not contain a date or
 +
firm. 15 risk factors are listed; 1. Commercially sensitive information, 2.
 +
Commercial Communications, 3. Data Origin (external or internal source), 4. Assignments
 +
of data. 5, Treatment Managers. 6. International transfers. 7. Activities
 +
scoring / profiling. 8. Automated decisions. 9. Systematic monitoring of
 +
Headlines. 10. Special categories of data. 11. Large-scale data processing.
 +
12. Data interconnections / Big Data. 13. Minor Data / Vulnerable Holders. 14.
 +
Application or use of innovative technologies 15. Unavoidable Treatment / Restriction
 +
exercise rights or access service. Regarding the potential risk assessment
 +
inherent, the risk scale has 4 levels: low, with a rating from 0 to 12;
 +
average score from 13 to 25; high from 26 to 38 and very high from 39 to 51. The assessment or
 +
The weight given to each of the risk factors is from 1 to 4. In the analysis of
 +
risks, a yes or no is marked for each of the sales channels in each of the
 +
15 risk factors listed above. The sum of the weight attributed to each of
 +
the factors for each channel determine the inherent risk. The result of risk
 +
inherent is medium in all contracting channels, except in web channels and
 +
external forces through home visits in which the risk outcome
 +
inherent is low. Risk correction measures are not indicated.
 +
SEVENTH: Information is obtained on the volume of sales of the entity being
 +
the results of the turnover during the year 2019 of 989,491,000 euros. The
 +
Capital according to the information obtained from the Mercantile Registry is 1,487,895
 +
euros.
 +
Information is obtained on the number of clients of the entity. According to the report of
 +
supervision of the changes of marketer, corresponding to the first quarter of
 +
2019, of the National Markets and Competition Commission, the number of
 +
supply points of the entity as of March 31, 2019, corresponding to the scope
 +
domestic, amounted to 893,736, constituting 11.4% of the total gas sector in
 +
said domestic environment.
 +
EIGHTH: On July 16, 2020, a written entry from EDP has been entered in this Agency
 +
COMERCIALIZADORA, SAU stating that “In the framework of the procedure above
 +
referenced, EDP was required by the AEPD to clarify, among others
 +
extremes, certain information related to contracting procedures
 +
implemented in EDP carried out with the intervention of a third party authorized by the owner,
 +
as well as addressing the suggestion made in previous procedures communicated by
 +
part of the AEPD in which it was suggested to carry out modifications in the mode in
 +
that these types of contracts are carried out.
 +
2. That, for all of the above, EDP has reviewed the procedure to be followed in the
 +
contracting by third parties on behalf of the owner, in order to strengthen said
 +
procedure and reduce the risks of possible identity theft carried out
 +
in bad faith by the contracting party in this type of process, taking into account,
 +
additionally, the particular needs identified as a result of the state of
 +
alarm decreed last March and that has necessarily required that
 +
all contracts are carried out in a non-face-to-face way.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 23
 +
23/141
 +
3. That in order to inform the AEPD of the specific actions that are
 +
are being carried out in relation to this matter by EDP, in compliance
 +
of their duty of proactive compliance (accountability), we attach the
 +
"Contracting procedure by third parties on behalf of the owner", so that they have
 +
visibility on the modifications that are being implemented in these processes
 +
in order to meet your request in this regard, as well as to highlight the
 +
EDP's proactivity regarding its suggestion of adaptation of said
 +
process."
 +
The following aspects are detailed in three sections below: purpose,
 +
contracting procedure with third parties and data and interests of those affected.
 +
In the first section, called the purpose after exposing the situation, it states the
 +
following proposal: “A contracting procedure that, through correct use
 +
and technology insurance, facilitate the contracting of EDP services by
 +
clients through a third party acting under a mandate under the terms of Title IX
 +
of the Fourth Book of the Civil Code, protecting in any case the rights of the client and
 +
agent about your personal data, which will only be treated in accordance with
 +
an adequate basis of legitimacy and in compliance with the principles of the RGPD,
 +
ensuring that they are informed about the treatment and that they can exercise their
 +
rights at all times, as well as to act in case of identifying any action
 +
irregular."
 +
In the second section relating to the contracting procedure with third parties,
 +
distinguishes the procedure followed with a representative with written authorization from the
 +
followed by agent with verbal authorization. In the first case, the
 +
next steps: the agent is informed, the data and authorization are collected and the
 +
contracts on behalf of the client. In the case of the agent with verbal authorization, the
 +
The steps to follow are as follows: EDP proceeds to the information at the
 +
agent and data collection, to be hired by the agent in the name and
 +
representation of the client, sending the client information on the contracting and
 +
possibility of the client to disavow the contract.
 +
Regarding the information to the agent and the collection of the data, it consists of,
 +
as set forth, in the following:
 +
- Services are offered and explained
 +
- It is informed about the need to collect certain data for contracting, as well
 +
as well as the use that will be made of them and the place where more
 +
information about it.
 +
- The data of the agent and the client are requested
 +
- The agent provides EDP with his own data and those of the client and confirms that it is
 +
empowered to negotiate and sign the contract on behalf of the client
 +
- The contract includes all the information required by the applicable regulations and in
 +
relationship with the processing of personal data derived from the hiring.
 +
Regarding the hiring by the agent on behalf of the client
 +
differentiates the hiring in own commercial offices and outside the establishment
 +
mercantile, in which the information is collected in the contract and delivered in support
 +
durable or digital to the agent and remote contracting (by phone)
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 24
 +
24/141
 +
distinguishing between incoming calls to EDP's CAC, in which the
 +
conversation or outgoing calls (telemarketing, outgoing calls
 +
EDP ​​providers) in which the conversation is recorded, and the contract is sent in
 +
durable support to the president (It is clarified that the conversations are recorded after
 +
have previously informed the user that the conversation is going to be recorded.
 +
The following is noted regarding the step related to sending information to the client
 +
about hiring.
 +
-Once the contract is formalized by the agent, when there is no
 +
written authorization, is sent to the client, by email or SMS, depending on the
 +
communication channel available in each case, a communication in which
 +
It includes: o Confirmation of the contract made through your agent,
 +
including the agent's data or URL link to access the contract signed by
 +
the agent on his behalf (with guarantees of content integrity and accreditation
 +
of the exact date of realization) where you can exercise your right to disallow
 +
hiring in a simple and intuitive way (with a single click) View, print, or
 +
download the contract and withdrawal document
 +
The contract collects all the information about the treatment of the client's data by
 +
part of EDP, in addition to the details of the contracted services.
 +
Clarifies that the contracting procedure based on double authentication factor
 +
It has been designed taking into consideration the procedure approved by the
 +
National Markets and Competition Commission for carrying out portability and
 +
hiring in the telecommunications sector, a sector very similar in
 +
that the contracting procedure refers to.
 +
The communication is made through a trusted third party that accredits the shipment
 +
of the SMS / mail as follows:
 +
-SMS message:
 +
EDP ​​XXXXXXXX. NAME REP SURNAME REP has contracted energy / services in
 +
your name. Before 14 days you can disallow it. Details:
 +
https://edpcontrato.es/VER/JAOCOARGPG
 +
-E-MAIL Message:
 +
SUBJECT: Hiring of NAME TIT SURNAME TIT with EDP
 +
Hello, we inform you that NAME REP SURNAME REP has made on your behalf
 +
the XXXXXXXX contracting related to your energy supply / services. Have
 +
14 days to disallow said management.
 +
See details at: https://edpcontrato.es/VER/JAOCOARGPG
 +
The step related to the "Possibility for the client to reject the contract" consists of
 +
in the following:
 +
A link is sent to the client, through which they access a portal from which they are
 +
It allows:
 +
- View contract with the possibility of downloading or printing it or
 +
- Disallow the hiring with a single click. Evidence is generated that
 +
guarantees the traceability of the action (exact moment of the realization, as well as
 +
integrity of associated evidence) or
 +
- Download the withdrawal document.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 25
 +
25/141
 +
Regarding the third section, data and interests affected, it is indicated what
 +
following:
 +
It has been determined that to achieve the purpose of the treatment, it is essential to
 +
treatment of the following categories of personal data:
 +
-With written authorization
 +
Customer data: Identification (includes copy of DNI), Contact, Services
 +
contracted, Bank details, Supply point data
 +
Mandatory data: Identification (includes a copy of the DNI), Relationship with the owner
 +
(yes / no), Contact
 +
- With verbal authorization:
 +
Customer data: Identification, Contact, Contracted services, Bank details,
 +
Supply point data.
 +
Mandatory data: Identification, Relationship with the owner (yes / no), Contact.
 +
NINTH: Access to the internet site indicated in evidence 3 and 4
 +
(www.edpenergia.es) in order to download the General Conditions of
 +
Hiring.
 +
The procedure followed to download the document that contains the Conditions
 +
General Contracting, as stated in the diligence of the acting inspector, has
 +
been the following:
 +
-Access through the internet browser to the address
 +
https://www.edpenergia.es/es/
 +
- Introduction in the search engine of the text page itself: "General Conditions"
 +
-The website shows, under the following address:
 +
https://www.edpenergia.es/es/buscadorGeneral.do?tiposBusqueda=C%7CM
 +
% 7CD & idMenuSegmento = 18 & textBusqueda = Conditions + General, 2 tabs
 +
one called related information and the other Documents.
 +
-The "Documents" tab of the Search Results is selected. Is
 +
offers a total of 78 results, the third of which corresponds to the
 +
"General contracting conditions".
 +
-The "General contracting conditions" are selected and automatically
 +
open a new browser window pointing to the following internet address:
 +
https://www.edpenergia.es/resources/doc/comercial/2019/09/10/condicionesgenerales-
 +
de-contratacion.pdf
 +
-Download the document
 +
The content of the general conditions in the "LOPD" section coincides with the
 +
transcribed as evidence 6, with the same LOPD title within the conditions
 +
general, in the fourth number of this Agreement for the Initiation of the procedure
 +
sanctioner.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 26
 +
26/141
 +
TENTH: On July 31, 2020, the Director of the Spanish Agency for
 +
Data Protection agreed to initiate a sanctioning procedure against the entity EDP
 +
COMERCIALIZADORA, SAU, in accordance with the provisions of article 58.2 of the
 +
Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016,
 +
Relating to the Protection of Natural Persons with regard to the Treatment of
 +
Personal Data and the Free Circulation of this Data (General Regulation of
 +
Data Protection, hereinafter RGPD), for the alleged infringement of article 25
 +
of the RGPD, typified in article 83.4.a) of the aforementioned Regulation; for the alleged
 +
infringement of article 6 of the RGPD typified in article 83.5.a) of the aforementioned
 +
Regulation; for the alleged violation of article 22 of the RGPD, typified in the
 +
Article 83.5.b) of the aforementioned Regulation; and for the alleged violation of article 13 of the
 +
RGPD, typified in article 83.5.b) of the aforementioned Regulation, determining that the
 +
The penalty that may correspond would amount to a total of 3,500,000.00 euros, without
 +
detriment to what results from the instruction.
 +
ELEVENTH: The aforementioned initiation agreement has been notified , the investigated entity
 +
filed on August 4, 2020, requesting an extension of the term to the
 +
object of presenting allegations. Once the extension of the term was granted,
 +
allegations dated 08/24/2020 which are mainly the following:
 +
FIRST: ALLEGED BREACH OF THE PRIVACY PRINCIPLE BY
 +
DESIGN IN THE HIRING PROCESSES THROUGH A REPRESENTATIVE.
 +
The AEPD intends to justify the initiation of this sanctioning file in the alleged
 +
lack of documentation that has never been requested. In this regard,
 +
It should be noted that EDP COMERCIALIZADORA has a methodology of
 +
identification, analysis and risk management, both to identify risks
 +
inherent, as well as specifically to assess the need to carry out the
 +
Impact Evaluations, alleges that it includes as an annex the documentation
 +
justification that more than certifies that EDP COMERCIALIZADORA complies with
 +
fully and fully with these obligations and which is specified in the following: -
 +
"Methodology for Risk Analysis and Performance of Impact Assessments" -
 +
"Registration of treatment activities and risk assessment of treatments
 +
related to the contracting of EDP COMERCIALIZADORA ”-“ Evaluation of
 +
Privacy Impact: Channel of Leads to Convert by Telemarketing "-" Evaluation
 +
of Privacy Impact: Telemarketing to clients for upselling or recovery of
 +
abandonments "-" Privacy Impact Assessment: CAC Channel to Clients OR Clients
 +
Potentials (Inbound) ”-“ Privacy Impact Assessment: OOCC Channel a
 +
clients or potential clients (Reactive sale) ”-“ Impact Assessment of
 +
Privacy: Third-party stores channel for sale to potential customers (Reactive sale) ”-
 +
"Privacy Impact Assessment: External sales forces through stands
 +
at fairs and shopping centers (reactive sales) ”-“ Impact Assessment of
 +
Privacy: Treatment activity: Carrying out B2C Customer Scoring prior to
 +
the hiring".
 +
Likewise, and as a consequence of the measures adopted as a result of the
 +
recommendations derived from risk analysis and impact assessments
 +
carried out by EPD comercializadora, a large number of
 +
of procedures for compliance with data protection obligations
 +
from the design and by default that are provided as annex 2: Specifically, it is
 +
include in this Annex 2 the following procedures related to Privacy
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 27
 +
27/141
 +
from the Design and by Default, which are part of the Governance, Risks and
 +
Data protection regulatory compliance of EDP COMERCIALIZADORA: •
 +
EDP's Data Protection Methodology from Design and Default •
 +
Operational instruction Privacy By Design and Privacy by Default of the commercial area •
 +
Form for characterization and registration of treatment activities for analysis
 +
Privacy by Design and Privacy by Default • Flow chart of the Privacy By Design process
 +
and Privacy by Default.
 +
It is really striking that the AEPD gives the relevance it gives to the fact
 +
specifically that EDP COMERCIALIZADORA had not taken into consideration in
 +
its risk analysis, the specific analysis of the risks associated with the possibility
 +
of contracting through a representative, when the AEPD itself, in its own "Guide
 +
Risk Analysis Practice in the processing of data subject to the RGPD "
 +
(published on their website (https://www.aepd.es/sites/default/files/2019-09/guiaanalisis-de-
 +
risks-rgpd.pdf) does not include any direct or indirect reference to the need
 +
to assess the specific risk in relation to data processing, whether in
 +
contracting or in other processes, carried out by authorized third parties.
 +
Second, it alleges that all the data processing carried out by
 +
EDP ​​COMERCIALIZADORA were analyzed to verify their degree of compliance
 +
of the obligations related to RGPD, proposing measures for their correct
 +
adaptation, regardless of the need for evaluations
 +
impact or not. Delving into the specific risk related to the contracting carried out
 +
through third parties, it must be indicated that the content of the analyzes carried out was
 +
updated at the time, taking into account the considerations that the AEPD has
 +
transferred to EDP COMERCIALIZADORA in the administrative procedure
 +
related to this issue that began at the end of 2019 and that, we understand,
 +
is the cause of the sanctioning procedure in which we find ourselves in these
 +
moments. Indeed, as has already had the opportunity to expose in the framework
 +
of said sanctioning procedure previously initiated by the AEPD, the processes
 +
contracting through authorized third parties had not been identified by
 +
of EDP COMERCIALIZADORA as an inherent risk factor that was
 +
relevant, taking into account that: 1) The practically non-existence of claims for
 +
part of clients in relation to this reason. 2) EDP COMERCIALIZADORA does not
 +
Until now, it had no disciplinary proceedings opened for this cause.
 +
3) The contracting carried out through a third party as a verbal agent is found
 +
expressly recognized in the Civil Code of 1889.
 +
Although the potential risks identified by the AEPD are perfectly possible,
 +
the probability of materialization of said risks, in the specific case of EDP
 +
MARKETING COMPANY, was practically nil and that therefore their diligence, in what
 +
Regarding the performance of the risk analysis, it has been amply accredited.
 +
Specifically, this fact is based on the very low number of claims for
 +
this reason that EDP COMERCIALIZADORA has received. Indeed, there is one (1)
 +
sole claim with respect to a total of 33,848 contracts made, as
 +
It appears in the information provided in the file itself, what we understand, that
 +
as the AEPD will surely agree with EDP COMERCIALIZADORA, in
 +
probabilistic terms, it could be considered a value that, objectively, does not
 +
requires an independent and detailed assessment.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 28
 +
28/141
 +
It states that the possibility of entering into a contract between two parties through the
 +
intermediation of a third party is an exclusive question of Civil Law, so the
 +
need, or not, of formalities associated with the accreditation of the representation has
 +
to be governed by the provisions of the Civil Code and, where appropriate, by the provisions of the
 +
consumer protection regulations. In this regard, the requirement by the
 +
AEPD that the representation alluded to by the representative is recorded in a medium that
 +
allow its accreditation could be considered logical in an isolated interpretation of
 +
data protection regulations, but it loses meaning when put in context
 +
with the rest of the legal system, more specifically, with the provisions of the Code
 +
Civil, which contemplates, among others, the possibility of hiring by representative
 +
included in article 1259, or the figure of the "mandate", regulated in articles 1709
 +
to 1739 l himself and stating that "the contract of mandate is obliged to
 +
person to provide a service or do something for the account or commission of another »and
 +
for which total freedom of form is allowed, establishing that "the mandate may
 +
be express or tacit "and that, likewise," acceptance may also be express or
 +
tacit, deduced this last one of the acts of the agent chief executive ». In this case, it does not seem
 +
that such a wide freedom of form is compatible with obtaining evidence of
 +
the existence of the representation or mandate, beyond the manifestations of the
 +
agent, protected by good contractual faith. Likewise, there is little
 +
understandable that a separate consent is required for the treatment of
 +
your data or a confirmation of the order by the principal, since this
 +
would imply denaturing the representation, inasmuch as it would be absurd that who is
 +
designated for the conclusion of a contract in favor of a third party cannot facilitate
 +
the data of the person on whose behalf it acts, or that confirmation is necessary
 +
separated from it to authorize said communication, since the need to
 +
Addressing the represented person directly would make the representative's intervention useless,
 +
since it would be meaningless.
 +
Likewise, and in relation to the possibility that the represented party may provide
 +
additional consents to the hiring itself, it should be noted that this
 +
possibility may well have been authorized by the represented in a way
 +
specific, but as the same freedom of form governs for the granting of this
 +
power (which the norm does not oblige in any case to provide in writing), nor is it
 +
Your reliable accreditation is required at the time of hiring . About this
 +
In particular, it should be noted that to date no assumptions have occurred in the
 +
that any type of incidents have been reported by those represented
 +
related to the granting of said consents.
 +
Regarding other risks identified by the AEPD, it must be indicated that the
 +
The risk of identity theft is very low, since the representative identifies himself
 +
personally by reliable means when the hiring is face-to-face and
 +
providing your DNI data when you do it remotely. However, as well
 +
the AEPD knows the risk theory, it does not hold that the existence of a low risk
 +
may be considered a non-existent risk. In this sense, the risks of there being
 +
identity theft do not differ from those that correspond to the
 +
contracting in their own name, since the same checks are carried out for
 +
avoid this, based on the risks and threats detected in relation to each form
 +
hiring. Therefore, it cannot be taken for granted that this risk was not
 +
taken into consideration by EDP COMERCIALIZADORA, or that no
 +
adopted measures aimed at its mitigation, as will be explained below
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 29
 +
29/141
 +
in the explanation of the hiring procedure. On the other hand, in what I know
 +
refers to the potential economic damages, although this is a question more
 +
linked again to the civil field of contracting than to data protection
 +
personal, it must be indicated that in the cases in which the annulment of the
 +
contracts for any reason, EDP COMERCIALIZADORA assumes the costs of the
 +
services provided, so there would be no economic damage to the
 +
affected, proof of this is that EDP COMERCIALIZADORA has not received until the
 +
moment no claim for the alleged damages wielded by the
 +
AEPD
 +
Regarding the way in which the contracting is carried out, as already stated and stated
 +
both in the information made available to that Agency and in the Background
 +
In fact of the Initiation Agreement, the contracting of the services is preceded by a
 +
series of guarantees that allow to identify the author of the contracts, following the
 +
common practices throughout the supply service contracting sector and by
 +
companies known as "Utilities", both in person and remotely,
 +
this information being recorded, so that, in the event of any
 +
incidence, there is evidence of who is the person who has carried out the
 +
hiring. Against the insignificance that the AEPD intends to grant to the
 +
statement of the representative, perfectly identified, on his condition of
 +
representative of the person in whose name it contracts, it should be noted that this
 +
manifestation has binding legal consequences, which, as already stated,
 +
are subject to regulation and are expressly recognized by our
 +
Legal System, and that imply responsibilities, both from the point of view of
 +
civil view, as well as criminal, so it is not a “mere manifestation”, like the
 +
He came to name the AEPD in the Fundamentals of Law of his writing of initiation of
 +
sanctioning procedure, but it is a legal act, such as the
 +
own consent of the owner, defined by the RGPD itself as a "manifestation
 +
of will ”. Therefore, it does not seem that a legal defense can be defended
 +
discrimination of the relevance of some manifestations versus others, due to the fact that
 +
that are included or not within a specific regulation, or manifested from a
 +
form, or other. Likewise, as stated in the Factual Background, although
 +
later it seems to be obviated in the Fundamentals of Law, in all cases
 +
in which the contracting is carried out remotely, it is indicated that: “To the contract holder, to
 +
informative purposes, it is sent to you in duplicate, with a stamped envelope, the
 +
contractual documentation in compliance with the provisions of the regulations of
 +
protection of consumers and users ”. That is why, in any case, the owner
 +
You have the possibility of knowing the terms in which the
 +
hiring.
 +
Notwithstanding all of the above, as a result of the sanctioning procedures opened in
 +
the year 2019, and following the criteria transferred by the AEPD in the resolution of the
 +
PS / 0025/2019 (do not sign on the day of the presentation of this brief, due to being appealed)
 +
EDP ​​COMERCIALIZADORA has proceeded to identify the risk
 +
related to the intervention of third parties in contracting, making the
 +
corresponding detailed analysis of this issue and have
 +
proposals for improvement, in order to comply with the AEPD considerations of
 +
so that in the contracting procedures the person in question is always informed
 +
whose name is hired. The proposed contracting protocol has been put into
 +
knowledge of the AEPD on July 16, 2020 and registration number
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 30
 +
30/141
 +
025308/2020, presented in any case before receiving the written Start Agreement
 +
of Sanctioning Procedure, being a Request for information with number
 +
common for EPD ENERGÍA and EDP COMERCIALIZADORA without the
 +
AEPD has ruled on it with the corresponding legal report
 +
assessment, as requested, in order to implement a system that
 +
was fully in accordance with the criteria and interpretations of the AEPD, limiting
 +
so far to be included in the Initiation Agreement sent to EDP
 +
COMMERCIALIZER certain considerations in relation to the same.
 +
Specifically, the doubts raised in relation to the proposed procedure, which
 +
We understand they are the only ones that the AEPD has, they are the following: 1) It is not clarified if
 +
applies to all contracting channels, including the Leads subchannel which is not
 +
makes no reference; 2) situations in which it cannot be reported are not contemplated
 +
to the represented by the indicated means (email or SMS); 3) not reported
 +
to the client of the consents provided by the representative for other
 +
treatments for purposes other than contracting the service requested during
 +
the hiring process, nor the possibility of revoking such consents. 4) no
 +
effective dates for the implementation of this procedure are indicated.
 +
Again, incomprehensibly, instead of requesting additional information from EDP
 +
MARKETING COMPANY in relation to the proposed procedure, the AEPD chooses to
 +
negatively interpret information whose content is not clear to you. Not
 +
However, and as we understand that the will of the AEPD, like that of EDP
 +
MARKETING COMPANY, is to achieve a procedure that allows not only to give
 +
compliance with the different contracting modalities provided for in the Civil Code,
 +
recognized by consumer authorities and competent courts in matters
 +
contractual, but also to the considerations of the AEPD, below,
 +
We proceed to clarify what we understand would be the only doubts of the AEPD in
 +
regarding the modifications to the contracting procedure sent: 1) The
 +
The proposed procedure will be applied to all the contracting channels with which
 +
EDP ​​COMERCIALIZADORA works, including the “Leads” and any other than in the
 +
future implement EDP COMERCIALIZADORA. 2) Regarding the doubt raised in
 +
around what would happen in the event that the contracting person does not have
 +
none of the means provided to carry out the confirmation of the contract
 +
(email or SMS), indicate that the alternatives will be: a. Make it your own
 +
holder b. Presenting written authorization and copy of the ID of the representative and
 +
represented 3) Regarding the consents granted and the possibility of
 +
revoke them, it should be noted that the communication gives access to the
 +
contractual documentation, where each of the consents are recorded. The
 +
Once this information is known, the user has the possibility of modifying them. Not
 +
However, as a result of the comment of the AEPD in which it questions the validity of the
 +
Authorization of the representative for the authorization of additional consents to the
 +
contracting, EDP COMERCIALIZADORA proposes to allow representation only for
 +
this purpose and will collect additional consents directly from the owner. 4) In
 +
Regarding the date of implantation, it depends precisely on the opinion that
 +
the AEPD states about this procedure, since it would not make sense to put it
 +
ongoing if the supervisory authority considers that it does not meet its criteria for
 +
consider it an appropriate procedure, taking into account the economic costs
 +
associated with this implementation, in addition to the resources of time and dedication
 +
necessary for the deployment of these measures.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 31
 +
31/141
 +
It is alleged that the alleged breach of the obligations of article 25 RGPD, and
 +
the consequent quantification of possible sanction to impose on my client
 +
derived from said alleged breach, lack any basis for its
 +
consideration. In addition, and, in any case, the quantification of said possible sanction
 +
it lacks any hint of being proportionate.
 +
SECOND. - ALLEGED BREACH IN RELATION TO THE
 +
CONSENT PROVIDED BY THE INTERESTED PARTY .
 +
It alleges that it is interested in stating that the treatment relating to the creation of
 +
a commercial profile based on the information of third parties for the referral of
 +
advertising information is not, in practice, being made, nor at the date of
 +
issuance of these allegations, nor prior to them. For the
 +
Therefore, the treatment that could potentially have been carried out, has not had
 +
place in no case, at any time, so, even though it can be questioned
 +
From the point of view of the other requirements of the RGPD, it is not possible to attribute to EDP
 +
MARKETER carrying out unlawful conduct that may be
 +
punishable derived from the mere obtaining of the consents related to a
 +
treatment of data that, to date, has been non-existent and that therefore, has not
 +
generated the alleged damage to the fundamental rights of citizens
 +
wielded by this Agency. The commission of the offense of reference, regulated in the
 +
Article 83.5 (a) RGPD and 72.1.b) of the LOPDGDD, necessarily requires that
 +
a treatment has actually been caused and that it has not been
 +
The adequate legitimation basis has been identified or has not been regularized, stating: “1.
 +
In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
 +
considered very serious and will prescribe after three years the infractions that suppose
 +
a substantial violation of the articles mentioned therein and, in particular, the
 +
following: (…) b. The processing of personal data without the concurrence of any of the
 +
conditions of legality of the treatment established in article 6 of the Regulation
 +
(EU) 2016/679 ".
 +
In relation to informed consent, in the Agreement to Start the Procedure
 +
Sanctioner to consider that the required consent is invalid, is part of
 +
the consideration that the information provided to the interested party is not
 +
sufficient, inasmuch as it is not indicated, nor what third-party bases will be consulted, nor
 +
what type of data will be collected, so that the interested party does not know
 +
absolutely what it is that you are consenting to. And it is appreciated that a single
 +
consent for two different purposes. In this regard it is alleged that the
 +
Information is provided in accordance with the good practices set forth by the
 +
AEPD and ratified by the LOPDGDD, so that it is transferred to the interested parties
 +
through the double layer system, so that the interested party can reinforce
 +
the information provided through the consultation contained therein, through the
 +
different mechanisms that are granted for this purpose (informative locution, reverse of the
 +
EDP ​​COMERCIALIZADORA physical document or website.
 +
In relation to the absence of clear identification of the sources of third parties or the
 +
categories of data, it should be noted that such information can be derived from the
 +
information provided to the customer in the first layer (by clearly identifying that the
 +
treatment will be carried out with third-party sources) as in the second layer, whose
 +
content is contained in the section called "general conditions of the contract",
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 32
 +
32/141
 +
whose content indicates: “(II) The elaboration of commercial profiles of the Client
 +
by aggregating EDP databases with data from
 +
databases of third parties, in order to offer the Client products and services
 +
personalized, thus improving the Customer experience. (III) The adoption of
 +
automated decisions, such as allowing the hiring, or not, of certain
 +
products and / or services based on the Client's profile and particularly, on data
 +
such as, the history of defaults, the history of hiring, permanence,
 +
locations, consumption data, types of devices connected to the energy network, and
 +
similar data that allow to know in greater detail the risks associated with the
 +
hiring. (iv) Based on the results obtained from the aggregation of the
 +
data indicated, EDP may make personalized offers and specifically
 +
aimed at achieving the contracting of certain EDP products and / or services. "
 +
As reflected in the cited text, EDP COMERCIALIZADORA has identified
 +
in great detail the types of data that are treated for the detailed purposes, being
 +
the sources consulted for this an obvious derivation of the above.
 +
The indication made on obtaining third-party sources is, therefore,
 +
sufficient content for the user to be fully aware that their
 +
authorization will mean the possibility that the authorized entity can obtain said
 +
information. It must be remembered that there is no legal requirement that, in the
 +
At the time of collecting the data of the interested party, the questioned information must
 +
be contemplated directly in the consent requested. That is, being the
 +
origin of the data the interested party, it only corresponds to the Entity to inform
 +
in accordance with the provisions of article 13 RGPD, a provision that does not establish, in
 +
none of its precepts, the obligation to identify neither the source nor the typology of
 +
the data. Only in the event that said treatment had been
 +
carry out, the Entity should have reported such extremes, since only in
 +
At that time, the provisions of article 14 RGPD would apply. Taking into account
 +
of the non-materialization of said enrichment, this information did not become
 +
transferred to the interested party, not appearing in EDP databases
 +
COMMERCIALIZADORA data unrelated to those that have been provided or generated
 +
on the occasion of the contractual relationship between the parties. In addition, it must
 +
It should be noted that, in the event of obtaining data from
 +
a third party, would be the one who, in his capacity as transferor of the data, would be obliged to
 +
legitimize the communication of the data on the basis of the consent of the interested party,
 +
notwithstanding that EDP COMERCIALIZADORA would also do so, in compliance with its
 +
obligation of information once obtained data from a third party of
 +
in accordance with the provisions of the RGPD. In this sense, this situation could only
 +
occur, in the event that the interested party himself, exercising his right to dispose of
 +
the data and with full awareness of it, would have expressed its authorization to
 +
that your personal data travel to another company, such as EDP
 +
COMMERCIALIZADORA, who could only make use of them, in the event of
 +
that he had also expressed his consent, by marking the
 +
box or express indication, indicating that "Yes" in case of
 +
by phone.
 +
On the other hand, in relation to the alleged accumulation of treatment purposes,
 +
by stating that the interested party would authorize the sending of advertising and, secondly, the
 +
use so that EDP COMERCIALIZADORA can assess the viability of the
 +
hiring by said user. In relation to this point, we must
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 33
 +
33/141
 +
state that the assessment made by the AEPD starts from an erroneous premise, by
 +
consider that they are two differentiated treatments, in a case in which
 +
it is clear that it is a single purpose, such as the generation of a profile
 +
commercial, whose use is limited to two contexts linked to each other: (i) the first,
 +
to carry out the assessment of the possibility of hiring and, (ii) the second, to
 +
issue the corresponding commercial offers to the user in question. Thus,
 +
both assumptions are necessarily interrelated, since there is no
 +
He doubts that it would make no sense to design a customer profile, based on the data
 +
provided by the user and those derived from the service provided, for the remission of a
 +
commercial offer that was sent to an interested party who did not meet the parameters
 +
Entity internal to carry out a contract at the time of your request.
 +
In relation to this aspect, it is well known by this company that the RGPD requires
 +
that the consents that are collected are specific, as well as
 +
unanimous criterion of the control authorities to point out that the grouping of purposes
 +
related to each other, as would happen in this case, has full place in said
 +
concept, without such grouping giving rise to the consideration, per se, that it has not been
 +
specifically obtained consent. In this area, the approach
 +
on which the AEPD sustains the breach attributed to EDP
 +
COMMERCIALIZADORA, obviates the regulation established by the LOPGDD, in which
 +
Article 6.2 states that: “2. When it is intended to base the treatment of the data on
 +
the consent of the affected party for a plurality of purposes will require that
 +
It is specifically and unequivocally stated that said consent is granted to
 +
All of them." In light of the above, there is an evident specific regulation that
 +
enables the grouping of purposes that the AEPD is now questioning
 +
As an additional matter, it is indicated by this Agency that the consent obtained
 +
It is not in accordance with the regulations, considering that it is not explicit, but
 +
obtained in the same way as a general consent, although there are no
 +
clearly identified the reasons why it would not meet the criteria
 +
issued. For these purposes, the inclusion of the analyzed consent is carried out in a
 +
separate context to the acceptance of the procurement itself, so that either
 +
It is collected in a box in those contexts in which there is documentary support
 +
for this, or in an informative locution that is read and that must be
 +
expressly ratified by the interested party to understand that it has been provided to
 +
In this regard, in the absence of clarity in the regulations on the ways that will allow
 +
determine that a consent deserves the consideration of explicit (understood
 +
as a reinforced consent to the one already required by the RGPD), in the aforementioned
 +
Guideline 5/2020 mentions several nuances that help in this clarification. From
 +
it is extracted that, in addition to meeting the requirements defined in the
 +
Article 7 GDPR, the validity of an explicit consent does not require the attention of
 +
exact requirements, being able to be valid both in written documents, as well as in
 +
telephone recordings. At this point, it is interesting to emphasize a question
 +
essential: although there is neither legal precept nor opinion from the authorities
 +
that clearly determine the requirements to consider that the
 +
The consent obtained is explicit, nor the differences that correspond to the
 +
“regular” consent, yes that is attributed to EDP COMERCIALIZADORA, since
 +
any other entities that act as data controllers, the work
 +
to define at their own discretion in which situations such requirement will be understood to have been fulfilled.
 +
Said casuistry cannot but cause serious legal uncertainty, which in the
 +
assumption that concerns us is not solved, not even with the foundation that
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 34
 +
34/141
 +
It is stated in the writing of the Agreement to Start the sanctioning procedure, since in
 +
At no time is it clearly stated which factor, element or action has not been
 +
executed by EDP COMERCIALIZADORA, to determine that its conduct has
 +
unlawful result and that deserves a sanction of such magnitude. According to
 +
this, the request to the client for an obvious action, such as the verbal indication that
 +
yes you consent or the marking of a box, the content of which clearly exposes the
 +
purposes for which the data will be used, which is unrelated to any other
 +
acceptance and that it is not subject to other purposes, should be considered as a
 +
explicit consent in order to comply with the obligation imposed by the
 +
data protection regulations. In view of the aforementioned extremes, EDP
 +
COMERCIALIZADORA complies with all the requirements
 +
legally required, from which it must necessarily be concluded that the work of the
 +
Entity to collect the consent of the client, explicitly, have been
 +
rigorously cared for. It is proof of this that, both in the telephone channels,
 +
such as those in which they are carried out in writing, obtaining consent
 +
is carried out differently from the contracting itself, it is stated that it is
 +
additional to it and it is understood collected, only, in cases in which the
 +
client ticks the box or clearly states that they consent. Of all this it does not fit
 +
rather than concluding that the consent collection process has been carried out at the
 +
light of the criteria required by the applicable regulations, being therefore adjusted to
 +
Right.
 +
This being the case, the process of obtaining consents that EDP
 +
COMERCIALIZADORA has been using it is not something new for the AEPD, who has
 +
had the opportunity to analyze it prior to the beginning of this file
 +
sanctioner, in those files (requests for information and / or
 +
sanctioning procedures) opened on the occasion of a claim of any
 +
Username. Within the framework of these, the AEPD had full knowledge of the process of
 +
contracting and the type of consents that were collected from the interested parties,
 +
as the contracts have been provided by EDP COMERCIALIZADORA as evidence
 +
compliance. Needless to say, the end result of both turned out to be that of
 +
file of the same (see claims with reference E / 00915/2019, which neither
 +
it was even admitted for processing, and file E / 02714/2019), without
 +
additional appreciations on compliance with regulations, which leaves no more
 +
to delve into the confusion that this part has in the face of the very serious accusations
 +
released on EDP COMERCIALIZADORA by this Agency.
 +
Additionally, and without prejudice to the arguments presented, the
 +
presumption made in the Agreement to Initiate Sanctioning Procedure, in which
 +
the assessment of the infractions is carried out taking as a premise a double
 +
attribution: (i) the first, derived from the absence of adequate information and, (ii) the
 +
second, as a consequence of the execution of a non-consensual treatment. To these
 +
effects, it should be noted that, even if it is considered that the information provided
 +
the interested party is deficient, this fact cannot lead to the determination of a
 +
infringement of article 6 RGPD, since the treatment that would be carried out takes
 +
as a starting point the adequate legitimizing base. As it is, the definition
 +
carried out by EDP COMERCIALIZADORA regarding the legal basis that would allow
 +
treat the data for the purposes that have already been mentioned, would strictly adhere to
 +
the corresponding legitimation. In other words, EDP COMERCIALIZADORA
 +
carry out the necessary actions to obtain the corresponding consent
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 35
 +
35/141
 +
of the interested party, giving him the possibility of granting it or not, on a voluntary basis,
 +
by marking the box provided or expressly indicating in the cases of
 +
that these are collected by means of a telephone call. For all this, it cannot
 +
conduct that could be legally reprehensible to EDP
 +
MARKETING COMPANY, taking into account that it has rigorously subscribed the terms
 +
required by the norm, when proceeding to request an action of will from the interested party
 +
express, free, unequivocal and not conditioned to another purpose. And for that reason it is not possible to impute to me
 +
represented the commission of any infraction of those typified in article 83.5.a)
 +
RGPD, in relation to its article 6.
 +
THIRD. - ALLEGED BREACH IN RELATION TO THE
 +
DATA PROCESSING RELATED TO AUTOMATED DECISIONS AND
 +
PREPARATION OF CUSTOMER PROFILES.
 +
Third, the Agreement for the Initiation of Sanctioning Procedure, establishes in its
 +
Legal Basis IV a series of alleged breaches related to the
 +
apparent lack of observance by EDP COMERCIALIZADORA of the
 +
obligations derived from the provisions of article 22 of the RGPD, relating to the
 +
consideration by the AEPD of the existence of an impediment, the
 +
obstruction or repeated non-attention to the exercise of the rights established in
 +
Articles 15 to 22 of Regulation (EU) 2016/679 in relation to decisions
 +
automated systems and the elaboration of customer profiles, typified in article 83.5.b)
 +
RGPD and, classified as a very serious breach for the purposes of prescription in the
 +
article 72.1.k) of the LOPDGDD. Specifically, the AEPD maintains that: 1) EDP
 +
COMERCIALIZADORA does not give users the possibility to exercise their right
 +
relative to not being the subject of automated decisions, as well as not granting the user the
 +
due information regarding this right, 2) The user is unaware of the possibility of
 +
refuse to take such decisions. In this way, the proposed sanction
 +
by the AEPD is based on the fact that the information that is provided by EDP
 +
COMERCIALIZADORA to the owners of the data is insufficient and imprecise, without
 +
damage that is recognized by the AEPD that EDP COMERCIALIZADORA
 +
facilitates and makes available to users documents with information related to the
 +
compliance with data protection regulations, both at the time of the
 +
hiring, as in durable support at the end of the hiring.
 +
First of all, regarding the information provided by EDP
 +
MARKETING COMPANY in relation to the legitimizing basis (consent in the
 +
case at hand) we must emphasize that the information that is provided to
 +
users regarding the treatments that, being additional to the contracting itself
 +
same, require the consent of the user, is duly provided to the
 +
users. Specifically, in the so-called Evidence 6 presented by EDP
 +
MARKETING COMPANY during the substantiation of the information file of which the
 +
This sanctioning file brings cause, it is reflected in the contract model
 +
supply the following boxes: "You can read the information regarding the treatment
 +
of your personal data on the back. ☐ I consent to the processing of my data
 +
personal once the contractual relationship has ended, to carry out
 +
commercial communications adapted to my profile of products and services related to
 +
energy supply and consumption. Likewise, I consent to the aforementioned treatments
 +
during the term and after the end of the contract, on products and services not
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 36
 +
36/141
 +
energy, both from EDP Group companies and from third parties. ☐ I consent to the
 +
treatment of my personal data for the elaboration of my commercial profile with
 +
information from third party databases, for adoption, by
 +
EDP, of automated decisions in order to send commercial proposals
 +
personalized, as well as to allow, or not, the hiring of certain
 +
services "In this case, and expanding information regarding the processing of data
 +
of the users in the general conditions, we find the following information;
 +
“As long as the client has explicitly accepted it, their personal data will be
 +
treated, even once the contractual relationship has ended and provided that there is no
 +
produces opposition to said treatment, for: (I) The promotion of services
 +
financial, payment protection services, automotive or related and electronics,
 +
own or third parties, offered by EDP and / or participation in contests
 +
promotional, as well as for the presentation of related commercial proposals
 +
to the energy sector after the end of the contract, (II) The elaboration of profiles
 +
Customer's commercial data by aggregating third-party databases, with
 +
in order to offer the Client personalized products and services, thus improving the
 +
customer experience, (III) The adoption of automated decisions, such as
 +
allow the contracting, or not, of certain products and / or services based on the
 +
Customer profile and particularly, in data such as the history of defaults, the
 +
hiring history, permanence, locations, consumption data, types of
 +
devices connected to the energy network, and similar data that allow to know
 +
the risks associated with contracting in greater detail. (IV) Based on the
 +
results obtained from the aggregation of the indicated data, EDP may carry out
 +
personalized offers, and specifically aimed at achieving the hiring of
 +
products and / or services of EDP or third-party entities depending on whether the client thus
 +
has consented or not, being in any case processed data whose antiquity does not
 +
will exceed a year. In the event that said process was carried out in a
 +
automated, the customer will always have the right to obtain human intervention by
 +
part of EDP, admitting the challenge and, where appropriate, evaluation of the decision
 +
resulting.
 +
From these fragments, it can only be concluded that (i) both for the elaboration of
 +
profiles, such as for data processing adopting automated decisions EDP
 +
COMERCIALIZADORA requests the explicit and specific consent of the user, without
 +
that automated decision-making can be construed to be dealt with under
 +
another legitimizing basis, as well as that (ii) the information related to the preparation of
 +
profiles and automated decisions, complies with the requirements of article 13 of the
 +
RGPD, since it informs about the existence of automated decisions, including the
 +
profiling and provides meaningful information on the applied logic, as well as
 +
such as the importance and expected consequences of such treatment for the
 +
interested . For all this and taking into account the first aspect raised by the
 +
AEPD regarding the alleged breach committed by EDP COMERCIALIZADORA
 +
in relation to the information provided to users to obtain the
 +
specific consent, there is no interpretation regarding the lack of
 +
information and confusing treatment by EDP COMERCIALIZADORA, which
 +
includes the information corresponding to the specific treatments, facilitating all the
 +
information required in the RGPD.
 +
Second, in relation to the information provided to the owners of the data
 +
Regarding the exercise of rights, it should be noted that EDP
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 37
 +
37/141
 +
COMERCIALIZADORA expressly informs users in the information that
 +
facilitates your specific right to “object” to “decision-making
 +
automated data processing, requiring human intervention in the
 +
process, as well as to challenge the decisions that are finally adopted by virtue of
 +
of the processing of your data ”In this sense, the AEPD considers that EDP
 +
COMERCIALIZADORA fails to comply with its obligation to inform the owners of the data
 +
by the mere fact that the information provided does not appear, expressly and
 +
literal the right to "revoke consent", appearing in its place the verb that
 +
grants the right of the owners of the data to "oppose" to "the adoption of
 +
automated decisions of your personal data, requiring intervention
 +
human rights in the process, as well as to challenge the decisions that are ultimately
 +
adopted by virtue of the processing of your data ”. We are sure that the nuance
 +
semantic and technical associated with both verbs "opposition" and "revocation", both the
 +
experts that the AEPD has, such as its own that EDP has
 +
MARKETING COMPANY are able to differentiate them from each other, and determine that
 +
It deals with two legal concepts, but that Agency will also agree with us,
 +
than the average user (a concept widely used by that Agency throughout
 +
throughout the procedure that concerns us) will hardly be able to differentiate
 +
concepts. In the present case, what is really important is the effect that
 +
in practice it has the user's request, which, ultimately, is the one that is relevant
 +
for the owner of the data, and that generates positive or negative effects on their rights
 +
fundamental, this being what the RGPD really protects, and not the use of
 +
one verb or another, even more so when they can be used as synonyms.
 +
In this case, the only thing that is intended to be used in the information provided to the
 +
users the term "opposition" with respect to automated decisions, is to be able to
 +
provide the user with a clear, concise and transparent understanding of the information that
 +
is made available to you, and facilitating, in the event that the request of said interested party
 +
conforms to the regulatory requirements, the exercise of the different
 +
Rights. Thus, according to the definition contained in the Dictionary of the RAE, revoke
 +
means "to leave without effect"; and oppose, “put something against something else to prevent its
 +
effect ”, so except for those who have knowledge in the matter and
 +
can appreciate the nuance that differentiates one and the other, the truth is that, for the purposes of
 +
most of the population, both terms would be synonymous and would suppose, in the
 +
practice, the same.
 +
Without prejudice to all the above, we must highlight, by the
 +
relevance that this has in this allegation, the information contained in Clause 16
 +
of the General Contracting Conditions, relative to data protection. On
 +
said clause, in the section corresponding to "Rights of the owner of the data"
 +
makes express reference to the possibility of revoking the consent that previously
 +
have granted, thus, it is expressly indicated “(VII) Withdraw, at any time,
 +
the consents granted ”.
 +
It refers to its internal procedure, and states that therefore, not only the
 +
Users are informed at all times of the possibility of revoking the
 +
consents granted, but that EDP COMERCIALIZADORA itself, as
 +
internal procedure and in order that those in charge of managing the
 +
applications have the necessary knowledge in relation to the different
 +
possibilities, expressly express said right, regardless of the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 38
 +
38/141
 +
technical term used, since the main purpose is to inform and that the user
 +
know the possibility of not being the subject of automated decisions. Thus, the
 +
internal procedure referenced above even includes models of
 +
answer to be able to attend in general, the different requests. All of it,
 +
Without prejudice to the fact that each of the requests is treated in a particular way and in accordance with
 +
specific circumstances affect the specific case, and it is necessary to
 +
adaptation of said response model depending on the specific casuistry of
 +
every request. The procedure related to the management and
 +
answer to the exercises of rights.
 +
In view of the above, the AEPD attends to the lack of knowledge of the average user,
 +
as an argument to consider the informative clauses as not very transparent,
 +
This aspect, however, considers it to be substantially essential since it only relates
 +
as a valid exercise the opposition of the interested party. Taking into account that the right
 +
related to not being the subject of automated decisions is collected with
 +
independent and express nature in the general contracting conditions,
 +
requiring, where appropriate, the explicit and specific consent of the user, and
 +
being the same duly informing in a specific way, as
 +
is justified in the evidence provided, as well as the possibility of opposing
 +
to be subject to automated decisions, it is surprising to say the least that the
 +
AEPD considers that EDP COMERCIALIZADORA does not comply with article 22 RGPD
 +
for not offering the client the possibility to literally "revoke consent", it is
 +
that is to say, strictly formal and semantic aspect, that an average user without
 +
knowledge of the subject does not have the ability to understand the difference with the
 +
word "opposition", understanding that Agency that it is not valid to report the
 +
possibility of "opposing", as a synonym, to said treatment, which is what
 +
effectively carried out by EDP COMERCIALIZADORA .
 +
In line with the above, it should be noted that EDP COMERCIALIZADORA, in
 +
no case has denied the exercise of rights that have not been
 +
requested / drawn up with a precise character, directing the request to the
 +
user, so that it can be resolved effectively, satisfactorily and without
 +
procrastination.
 +
Likewise, as has already been stated in previous points, in relation to the
 +
automated decisions, the client is offered the possibility of obtaining intervention
 +
human rights, admitting challenge and, where appropriate, assessment of the resulting decision,
 +
reason why, in addition to informing about the possibility of not being the subject of
 +
automated decisions, the client is empowered as an alternative to intervene
 +
human. For all the above, it cannot be reasonably interpreted that the owner of the
 +
the data may, even remotely, ignore the possibility or right to
 +
that your data are not subject to automated decisions, nor that EDP
 +
COMMERCIALIZER places limitations, or does not make available to said
 +
interested parties the necessary mechanisms to be able to make the request, being able in
 +
any time to "oppose" such treatment, or rather, "revoke" the
 +
consent given for the adoption of such decisions, as well as to request
 +
human intervention, which on the other hand, in the case of EDP COMERCIALIZADORA
 +
always occurs, because although the consultation of the information is automated,
 +
the final decision is made by an employee after analyzing its content. I know
 +
provides as Annex 4, by way of example, exercises of the right of opposition and of
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 39
 +
39/141
 +
revocation of consent that has been processed during the last year, to the
 +
effects that the AEPD can know, first hand, what type of rights are
 +
exercised by the holders, in what modality they are received, as well as specifically
 +
how they are properly cared for by EDP COMERCIALIZADORA.
 +
For the sake of completeness and in order to address the true scope of the alleged
 +
infringement, despite the fact that EDP COMERCIALIZADORA includes the possibility of
 +
perform profiling and make automated decisions, the only profiling performed, is
 +
that relating to the rating of customers in the area of ​​fraud prevention,
 +
treatment for which there is legal authorization and is based on the interest
 +
legitimate of EDP COMERCIALIZADORA, in order to safeguard the good
 +
future of the contracts made by EDP COMERCIALIZADORA, as well as
 +
prevent customers, whose sole purpose is to consume the energy service without paying
 +
invoices, become part of the customer portfolio. Without prejudice of the previous,
 +
data holders are informed that said profiling is reviewed and processed
 +
finally by EDP COMERCIALIZADORA staff, which is why they cannot
 +
be considered as an automated decision in itself, taking into account in this
 +
meaning to the literal wording of the concept established by the authorities. In other words,
 +
nor is there any data processing based on automated decisions, nor is there
 +
any manifestation about said treatments, since outside of the strictly
 +
necessary to continue with the service and those provided by law, are not
 +
carried out, which is why, not only can it not be considered that there are
 +
non-compliance with article 22 of the RGPD, as the requirements are met
 +
collected by the regulations, but there are not, nor can there be data owners who
 +
may have been affected by said treatments, so we refer to the
 +
broad jurisprudence previously enunciated in this section as it is fully
 +
application to the case at hand.
 +
This is enough so that there is no basis whatsoever in order to impute to my client
 +
any infringement of those typified in article 83.5.b) RGPD in relation to your
 +
cited Article 22, however, for dialectical purposes and in the unlikely event that
 +
If the commission of said infringement could be considered proven, we state what
 +
follows in relation to the amount of the sanction provided for said alleged infringement
 +
in the Agreement to initiate the sanctioning procedure.
 +
Thus in relation to the quantification of the specific sanction for the alleged
 +
breach of article 22 RGPD, after assessing the aspects set out in the
 +
this section, and taking into account the evaluation criteria set out in the RGPD
 +
employees to graduate the alleged offense, it must be said first, that in
 +
its writing, the AEPD limits itself to stating some aggravating factors that it considers
 +
application, without deploying the slightest foundation activity of why, what
 +
that apart from assuming a total lack of motivation, implies an added difficulty to the
 +
EDP ​​COMERCIALIZADORA's right of defense.
 +
Notwithstanding the foregoing, the criteria by which the
 +
understands that the aggravating factors considered by the AEPD would not concur in this case
 +
concrete, beyond the fact that, how it has been justified, there is no breach of its
 +
obligations on the part of EDP COMERCIALIZADORA, to the extent that no
 +
produce normative-type requirements, insofar as EDP
 +
COMERCIALIZADORA does not carry out the treatment object of the sanction, this being a
 +
indispensable requirement so that the application of the sanction can be accommodated. After
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 40
 +
40/141
 +
assess the aspects set out in this section, and taking into account the criteria
 +
evaluators listed in the RGPD;
 +
"The nature, severity and duration of the offense" taking into account the same
 +
criterion “the nature, purpose of the treatment operation in question as well
 +
such as the number of interested parties affected and the level of damages that
 +
have suffered; " As stated in this section, the information
 +
provided to users does not constitute an infringement, since there is no breach by
 +
part of EDP COMERCIALIZADORA, being even more decisive than the
 +
number of people affected by the treatments related to profiling and the adoption of
 +
automated decisions, is void and therefore the damages that may have
 +
caused, they are non-existent. Likewise, by not supposing an illegal act, or having
 +
materialized it is not possible that it has been delayed in time, reason
 +
by which, and taking into account the specific circumstances, when qualifying the
 +
The potential administrative fine to be imposed would be a mitigating criterion.
 +
In any case, it should be remembered that in order to qualify as aggravating the
 +
damages caused to those affected, in addition to materializing, the same
 +
must be accredited and demonstrated, an aspect that in no case has been
 +
proven, nor exposed in the Agreement to Initiate Sanctioning Procedure.
 +
"The intentionality or negligence appreciated in the commission of the offense;" Just like
 +
It is clear from these allegations, neither EDP COMERCIALIZADORA has had
 +
any intention to infringe data protection regulations, or to cause damage or
 +
harm to any user, nor has there been any negligence in their actions. A major
 +
abundance, there is no evidence that negligence may exist and much
 +
less an intention on the part of EDP COMERCIALIZADORA, reason for the
 +
which, the potential applicable sanction should be reduced.
 +
“The high link between the activity of the offender and the treatment of
 +
personal information;" EDP ​​COMERCIALIZADORA's main activity is not based on
 +
in the processing of personal data, but in the energy supply,
 +
assuming the link of the activity with the performance of the treatment in
 +
question, minimal. Reason why, said aspect would appear as mitigating,
 +
reducing the potential applicable sanction.
 +
"The continuing nature of the offense;" "High volume of data and treatments
 +
which constitutes the object of the file; " and "High number of interested parties;" As
 +
that in other criteria indicated individually, these three criteria are
 +
subsumed with the one raised in the first place, and proceeding from article 83.2 a) of the
 +
RGPD, so its evaluation must be carried out jointly with the indicated one and, therefore
 +
Therefore, do not suppose an additional aspect to the one mentioned for the calculation of the potential
 +
applicable sanction.
 +
In order to complete the evaluation criteria, it is worth mentioning the
 +
following:
 +
“C) any measure taken by the person in charge of the treatment to
 +
mitigate the damages suffered by the interested parties; " As it has been
 +
accredited, the internal procedures under which EDP operates
 +
COMMERCIALIZADORA, both in relation to the exercise of rights, the protocol of
 +
performance relative to the user's rating for the purposes of preventing
 +
fraud, collect the fundamental characteristics to attend to all types of exercise
 +
rights and the characteristics related to the assessed qualification treatment of the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 41
 +
41/141
 +
user for the necessary fraud prevention. For all this, taking into account
 +
Note that these procedures are part of the measures and proactive attitude of
 +
EDP ​​COMERCIALIZADORA, in no case could the omission of actions be interpreted,
 +
nor passivity of EDP COMERCIALIZADORA.
 +
“E) any previous infringement committed by the person in charge or the person in charge of the
 +
treatment;" It should be noted that EDP COMERCIALIZADORA has not been
 +
claimed, nor has he been a subject sanctioned by said precepts at any time, for
 +
what there are neither procedures nor previous sanctions, what is more, as we have already
 +
exposed in previous points, EDP COMERCIALIZADORA has been implementing
 +
new measures to alleviate any potential compromised situation, acting
 +
always diligently.
 +
In this case, it is not only the rationale set out in the Agreement of
 +
Start to interpret infringement of article 22 of the RGPD -related to decisions
 +
individual automated data, including profiling, but rather the amount
 +
proposed for the alleged infringement, which amounts to 1,000,000 euros, is the point
 +
that has surprised this part the most. All this because:
 +
1) EDP COMERCIALIZADORA has not been sanctioned, has not been involved in
 +
any procedure for infringement of article 22 of the RGPD nor has received
 +
any claim in relation to an alleged infringement of this precept,
 +
2) in the history of procedures published by the AEPD itself, there are no
 +
sanctions covered by the breach of the aforementioned normative precept.
 +
In other words, not only is there no precedent to which EDP has been a part
 +
TRADING COMPANY, but there are also no prior sanctions by the
 +
Control Authority that have been based on the violation of article 22 of the RGPD.
 +
Therefore, the fact that the offense is considered very serious and the sanction
 +
proposed amounts to this high amount, requires that it be substantiated with
 +
exhaustive character, since it escapes any criteria followed so far
 +
by the AEPD.
 +
f) the degree of cooperation with the supervisory authority in order to remedy the
 +
infringement and mitigate the possible adverse effects of the infringement; Since the beginning of
 +
informative file that causes this EDP procedure
 +
COMERCIALIZADORA has acted collaboratively and proactively, contributing in
 +
at all times the information and documentation requested by the AEPD in time and
 +
shape. Reason why, this aspect would appear as mitigating, reducing the
 +
potential applicable sanction. Finally, and by way of conclusions, in the Agreement of
 +
Initiation is neither duly substantiated, nor motivated in accordance with the provisions of
 +
regulations, the decision to impose an administrative fine, much less, a
 +
fine with the proposed amount, as well as not considering EDP
 +
MARKETER as the infringing party of the claims included in the
 +
Agreement, since as we have indicated in this section, the arguments
 +
by the AEPD to sanction under the legal precept contained in article 22 of the RGPD
 +
and 72.1 k) of the LOPDGDD, are not given.
 +
In this sense, in addition to informing in accordance with the applicable regulations, and granting
 +
also to users the possibility of exercising their rights, EDP
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 42
 +
42/141
 +
COMERCIALIZADORA does not carry out treatment based on decisions
 +
automated outside of what is strictly necessary to carry out the prevention of
 +
fraud. Reason why, neither the alleged offense has been committed, nor are there
 +
sufficient arguments to consider the precepts mentioned in the
 +
this section. Furthermore, throughout this procedure the
 +
existence of infringement due to breach of article 22 RGPD, nor has
 +
fully grounded the severity, nor the criteria that allow setting such
 +
high amount of sanction to the present assumption.
 +
FOURTH.- ALLEGED BREACH IN RELATION TO THE DUTY OF
 +
TRANSPARENCY.
 +
The AEPD, in its Agreement to Initiate Sanctioning Procedure, attributes to EDP
 +
TRADING COMPANY the violation of Article 13 of the RGPD, assuming a
 +
breach of the duty of information that is its own as responsible for the
 +
treatment, typified in article 83.5.b) and classified as mild for the purposes of
 +
prescription in article 74.a) of the LOPDGDD. Specifically consider the
 +
existence of said infringement due to:
 +
1) lack of information to interested parties about the possibility of accessing information
 +
enforceable in article 13 of the RGPD.
 +
2) the web address provided does not lead directly to the required information
 +
in accordance with article 13 of the RGPD, without allowing immediate access to the
 +
information, nor is access easy for anyone. EDP
 +
COMMERCIALIZADORA has no choice but to state, again, and as it has
 +
fact and demonstrated in the rest of the alleged breaches alleged by this
 +
Agency, which cannot share the appraisals made by the AEPD, so
 +
The reasons why you understand that effectively,
 +
EDP ​​COMERCIALIZADORA fully complies with the requirements of the
 +
data protection regulations in terms of transparency in relation to the
 +
information provided to the holders of personal data in the processes of
 +
hiring.
 +
Regarding the CAC inbound channel, on which it is stated that the information
 +
provided is incomplete, it should be noted that in the case of incoming calls there is at the
 +
the call starts, before the recording starts - and regardless of the
 +
management that the person who calls the customer service department of the
 +
entity-, a telephone announcement where information is provided, among other aspects, of the
 +
rights that assist data subjects, as well as where to find information
 +
additional, so that users receive this information whenever they call,
 +
which not only means that this information is provided to them in the call in which they go
 +
to carry out the contracting of the supply, but also when they are already customers and are going to
 +
carry out any procedure (either a consultation, request a change of power,
 +
make a payment, request a fractionation or file a claim).
 +
In this sense, it should be noted that the RGPD itself expressly provides in its
 +
point 13.4 that: “The provisions of paragraphs 1, 2 and 3 will not be applicable
 +
when and to the extent that the interested party already has the information ”. Therefore,
 +
customers receive all the required information in a first layer of information
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 43
 +
43/141
 +
verbal, which can be completed by accessing the EDP COMERCIALIZADORA website or
 +
either directly in the call itself, depending on the management that is carried out.
 +
Thus, this information is provided in layers, distinguishing on the one hand the layer
 +
1. “This call can be recorded. The data you provide us will be processed by
 +
EDP ​​Energía, SAU and / or EDP Comercializadora, SAU to manage your request
 +
or query. You can exercise the rights of access, rectification, deletion, opposition,
 +
limitation and portability at any time. See the Privacy Policy at
 +
our website edpenergia.es or press 0 "
 +
And on the other, layer 2, which collects the information in a more detailed way, which is activated
 +
automatically if the user dials 0, following the prompts
 +
of the first layer: "The use of this TELEPHONE CHANNEL does not oblige the user to
 +
provide any information about yourself. However, to use certain
 +
services or access certain content, users must provide
 +
previously some personal data. In the event that the user provides
 +
personal information, we inform you that the data will be processed by
 +
EDP ​​Energía, SAU and EDP Comercializadora, SAU, with registered office in Oviedo,
 +
Plaza del Fresno 2, 33007 and NIF A33543547 and A95000295 respectively, in
 +
hereinafter "EDP", as data controllers, as established by the
 +
General Data Protection Regulation ((EU) 2016/679), hereinafter "RGPD", and
 +
its implementing regulations.
 +
Specifically, your data may be processed, when the user so requests, to
 +
manage the attention and follow-up of requests and inquiries directed through the
 +
website, as well as for conducting surveys and participating in sweepstakes,
 +
games and promotions. The data requested will be mandatory and limited to
 +
those necessary to proceed with the provision and / or management of the requested service, which
 +
You will be conveniently informed at the time of collecting your data from
 +
personal character. In case of not providing them or not providing them correctly, you will not be
 +
may provide the service.
 +
In these cases, the user guarantees that the personal data provided is
 +
truthful and is responsible for communicating any changes to them.
 +
In the case of the procedures processed through the TELEPHONE CHANNEL and the registration
 +
In it, the data processing carried out is based on the relationship
 +
legal derived from your request.
 +
The processing of data for conducting surveys is based on legitimate interest
 +
of EDP in order to improve the quality of the services provided to customers and / or
 +
users, being able to oppose said treatments at any time, without
 +
This affects the legality of the treatments carried out previously.
 +
In no case may they be included in the forms contained in the CHANNEL
 +
TELEFONICO personal data corresponding to third parties, except
 +
that the applicant had previously obtained his consent in the
 +
terms required by article 7 of the RGPD, responding exclusively to the
 +
breach of this obligation and any other in terms of character data
 +
personal.
 +
The personal data of the users registered on the website may be transferred to
 +
the Public Administrations that by law correspond, to other companies of the group
 +
business for internal administrative purposes, and to the suppliers of the person responsible
 +
of the treatment necessary for the adequate fulfillment of the obligations
 +
contractual.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 44
 +
44/141
 +
Personal data will be kept for the duration of your contract of
 +
supply with EDP, in all other cases, during the time necessary to answer the
 +
your requests or to analyze the content of your responses to surveys. A
 +
Once the contractual relationship has ended, their requests answered or their
 +
responses, as appropriate in each case, your personal data will be erased,
 +
keeping the rest of the information anonymized solely for the purposes
 +
statistics. Notwithstanding the foregoing, the data may be kept for the period
 +
established to comply with the legal obligations of maintenance of the
 +
information and, at most, during the statute of limitations for legal actions
 +
corresponding data, and the data must be kept blocked during the aforementioned
 +
statute of limitations. After this period, the data will be deleted.
 +
In application of the provisions of article 32 of the RGPD, EDP undertakes to
 +
comply with the security obligations of the data provided by users,
 +
trying to establish all the technical means at its disposal to avoid the loss,
 +
misuse, alteration, unauthorized access and theft of the data that the user provides to
 +
through it, taking into account the state of technology, the nature of the data
 +
facilitated and the risks to which they may be exposed. Without prejudice of the previous,
 +
the user must be aware that the security measures in the CHANNEL
 +
TELEPHONE are not impregnable.
 +
EDP ​​will treat the user's data confidentially, at all times, keeping
 +
the mandatory duty of secrecy regarding them, in accordance with the provisions of the
 +
applicable regulations.
 +
The user can exercise their rights of access, rectification, deletion, opposition,
 +
limitation and portability, as well as the revocation of the consents granted
 +
previously, in the legally established terms, communicating it in writing to
 +
EDP, at the following address: LOPD Communication Channel, Plaza del Fresno, nº2,
 +
33007 Oviedo. Likewise, you can exercise these rights by sending an email
 +
email with your personal data to cclopd@edpenergia.es. In both cases
 +
You must attach a photocopy of the holder's DNI or document that proves your
 +
identity. Likewise, you can contact the Delegate for the Protection of
 +
EDP ​​data, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or at
 +
the email dpd.es@edpenergia.es, in the event that you understand violated
 +
any of your rights related to data protection, or where appropriate,
 +
file a claim with the Spanish Data Protection Agency in the
 +
Address Calle de Jorge Juan, 6, 28001 Madrid "
 +
Next, it is indicated by that Agency that “The provisions in
 +
Article 11.1 of the LOPDGDD in the other two telephone channels (Telemarketing and
 +
Leads), nor is the interested party informed that they can access all the information required
 +
in accordance with article 13 RGPD at the indicated email address ”. However,
 +
Such statement is made after reproducing the AEPD the texts in which the
 +
clients of the identity of the person responsible for the treatment, the purposes of the treatment,
 +
as well as the rights that they can exercise and the web where to obtain information
 +
additional. Therefore, it does not seem that such a statement corresponds to the reality of the
 +
facts, so we understand that the Agency will be pleased to modify and eliminate this
 +
alleged breach in its resolution proposal writing.
 +
The analysis continues, referring to the general conditions of
 +
contracting to which the information is sent, indicating that those hosted on the web
 +
they are not easily accessible. In this regard, it is interesting to specify that:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 45
 +
45/141
 +
1) Article 11 of the LOPGDD refers to the fact that this information must be provided to the
 +
interested party "indicating an electronic address or other means that allows access from
 +
simply and immediately to the rest of the information ”and that, in this case, as stated
 +
informs the interested party in the locution, after contracting a copy of the
 +
contract in which, obviously, the general contracting conditions are included,
 +
therefore, direct access to said information is provided. Complementarily,
 +
this information is available on the web at all times.
 +
2) Faced with the alleged difficulty alluded to by the AEPD to find the aforementioned
 +
general conditions contrasts the fact that, as exemplified, a simple
 +
search to access them directly, using the search engine
 +
available on the website. Searching for "contracting conditions"
 +
or “general contracting conditions”, the first results are published
 +
documents related to the general contracting conditions that are of
 +
application both in Spanish, in Galician, in Catalan, and in Basque, leaving
 +
clearly identified the documentation that refers directly to the document
 +
in PDF format, as evidenced in the following address:
 +
https://www.edpenergia.es/resources/doc/comercial/2019/09/10/condicionesgenerales-
 +
de-contratacion.pdf
 +
3) Regarding the fact that it is “required to search in the general conditions (which
 +
include numerous aspects related to contracting) the information related to the
 +
data protection ”, it must be made clear that the general conditions
 +
are composed of four pages, of which practically one of them is
 +
is exclusively dedicated to providing information on the treatment of
 +
personal data made by EDP COMERCIALIZADORA, as we are
 +
insurance that the AEPD has been able to verify during the procedure for preparing
 +
your writing of proposal of sanction.
 +
In relation to this alleged non-compliance, it is worth mentioning the guidelines
 +
facilitated by the Article 29 Working Group, in which it recommends including the
 +
access to information related to the processing of personal data through
 +
of means in which the interested party can immediately recognize where and how
 +
access this information, (direct links or in the form of an answer to a question
 +
in natural language, in the frequently asked questions section, or pop-up windows).
 +
However, it also states that "depending on the circumstances of the collection
 +
and data processing, a data controller could be obliged to
 +
use additionally. […] ”. Other possible ways of transmitting the information to the
 +
Interested parties derived from the following environments other than personal data could
 +
include the following modes, listed below, applicable to the
 +
relevant environments. a) On paper, for example, when entering into contracts by means
 +
postcards: written explanations, brochures, information in contractual documents,
 +
cartoons, infographics, or flow charts; b) By phone: explanations
 +
verbal words directly from one person to allow for conversation and
 +
answer to questions, or automated or prerecorded information with the possibility of
 +
hear more detailed additional information;
 +
The Article 29 Working Group solely and exclusively provides this information to
 +
recommendation mode, without in any case being considered a bad practice,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 46
 +
46/141
 +
nor of course a regulatory breach the fact of making the publication to
 +
through a simple method that, taking into account that the service requires the
 +
conclusion of a contract, the essential method and format and therefore that prevails in this
 +
This assumption is the same as indicated in the GT29's own guidelines, through the
 +
medium in paper and telephone support. All this, without prejudice to keeping accessible
 +
through the web for all those interested who decide to carry out and attend the
 +
content in an intuitive and simple way and without prejudice to the obligation to deliver in
 +
durable support all the contractual information both with the previous information, as
 +
with the contract itself. In this sense, we can see that the possibility of
 +
linking "immediately" is susceptible to being interpreted.
 +
The AEPD itself on its website makes it the interested party who must "hit" or
 +
"Find out" which of the treatments included in the registry of activities of the
 +
entity are the ones that really affect their relationship with the AEPD, since the
 +
purposes are included within the description of each of them and not in the
 +
privacy policy accessed.
 +
Regarding the identity of the person responsible for the treatment, the
 +
information already provided after the request for additional information of June 3,
 +
2020 in which EDP COMERCIALIZADORA was required, for this purpose, within the
 +
Information Request E / 05549/2019 in which it was explained that the fact of
 +
that information from both entities is included is because it is not possible to know
 +
form prior to contracting the services that will be requested by the interested party (gas
 +
I electricity) nor, therefore, by which of the companies they will be provided, so
 +
This can only be specified when said services are identified by the
 +
own customer. highly probable that the same client when requesting the hiring of the
 +
electricity and gas supply, is contracting with both companies.
 +
For this reason, the so-called “dual” contract of
 +
way that a client can obtain discounts or additional advantages for the fact of
 +
contract both energies with two companies of the same business group, and in order to
 +
keep discounts on each energy (electricity and gas) up-to-date
 +
and derived information, it is necessary for both companies to know if energy
 +
initially contracted with the other Group company remains active in order to be able to
 +
maintain and correctly manage the discounts / benefits applied.
 +
Consequence of the foregoing, the clause on data protection informs
 +
that the personal data provided during the hiring process may be
 +
treated by only one of the entities or both entities, depending on the type of
 +
energy services that are contracted. Therefore, there is no inconcretion, but
 +
the explanation of who is the specific person responsible for the treatment in each case is
 +
It literally contains the first section of the contract, which identifies the
 +
parties, as stated in Evidence 6 provided in the response to the Request
 +
of Information made to this company during the processing of the aforementioned
 +
informative file of which the present sanctioning file brings cause: "The
 +
customer contracts, for the supply indicated, the supply of gas with EDP
 +
Comercializadora, SAU and the supply of electricity and / or services
 +
complementary with EDP ENERGIA, SAU, (hereinafter joint and / or
 +
individually, as appropriate, referred to as “EDP”) in accordance with the Conditions
 +
Specific that are collected below and the General Conditions in annex. "
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 47
 +
47/141
 +
Therefore, customers know which company will process their data depending on the
 +
requested supply (electricity or gas), something we understand fits perfectly
 +
clear and is derived from both the sales agents' explanations and the tenor
 +
literal of the first clause of the contract. In case of being both services, the data
 +
will be processed by both entities.
 +
To date, neither in the field of data protection, nor in relation to any of
 +
the regulations applicable to the regulated electricity or gas sectors, or the
 +
Regarding the defense of consumers, there has been no request for
 +
additional information, claim, or complaint in this regard, nor by the own
 +
consumers, nor by the multiple regulators that control and
 +
supervise the activity of trading companies, so it seems obvious
 +
that the information provided does not create problems for customers or other regulators
 +
of the country, more than the AEPD itself.
 +
Additionally, we reiterate two essential aspects in the sector's own operations
 +
in which EDP COMERCIALIZADORA carries out its activity, the exposure of which is
 +
contemplated in the information previously sent: 1) The existence of two
 +
companies within the Group with the role of trading entities is due to a
 +
merely formal matter, consequence of the corporate structure and composition
 +
shareholding of the companies acquired by the EDP Group at the time of its
 +
establishment in Spain, but that does not correspond to the operation
 +
operation of these marketers, since only one of them, EDP
 +
COMMERCIALIZADORA, currently has employees and capacity to
 +
management and operations. Thus, in practice, all treatments are
 +
carried out by said entity, either as data controller or as
 +
in charge of the treatment of EDP COMERCIALIZADORA.
 +
2) The EDP Group had planned the corporate reorganization of EDP
 +
COMERCIALIZADORA and EDP ENERGIA and the adaptation of their corporate structure
 +
with that of its actual operation and its business operations. This reorganization is
 +
has currently been affected by a TOTAL sale process in which both
 +
societies are immersed, and that, if materialized, could alter or terminate said
 +
integration.
 +
For all of the above, it understands that transparency is perfectly justified in
 +
in relation to how the information is provided, as well as the fact that it is
 +
perfectly understandable to the average customer.
 +
The AEPD continues its analysis referring to the purposes and legitimizing bases of the
 +
treatment. First of all, reference is made to those reported treatments
 +
whose legitimizing basis is the contract itself -existing contractual relationship- or the
 +
legitimate interest of the company.
 +
On this matter, it is stated that “It is not easy for anyone, without
 +
knowledge of data protection matters, differentiate which treatments
 +
derive from the contract and which are based on the legitimate interest of the person responsible ".
 +
This assessment is debatable, since it may be evident to anyone
 +
that treatments such as “manage, maintain, develop, complete and control the
 +
contracting supply of electricity and / or gas and / or complementary services of and / or
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 48
 +
48/141
 +
gas and / or complementary services of revision and / or technical assistance and / or program of
 +
points, and / or service improvement ”are closely related to the execution of the
 +
contract, the rest being assignable to legitimate interest. In this regard, we can
 +
contrast this information with that provided by the AEPD itself regarding its
 +
treatments when these have diverse bases of legitimation, as is the case of the
 +
called "HR Management", published on its website
 +
(https://www.aepd.es/es/laagencia/transparencia/otro-tipo-de-informacion/registro-
 +
activities-treatmentaepd / gestion-hr), in whose information it can be seen that
 +
various bases of legitimation are identified, without indicating what specific purpose it is
 +
refers to each one of them.
 +
Therefore, although this part has nothing to object about the fact that the AEPD's criterion
 +
may be a good practice regarding the level of transparency, it seems
 +
to consider the fact of not having reached this level of management of the
 +
information, cannot be considered a breach of the norm, especially if
 +
we take into account that not even the body that issues the guidelines
 +
transparency (and that he is now proposing a sanction of nothing more and nothing less
 +
than one million euros for this reason), has considered such a distinction necessary in its
 +
website, as has been duly evidenced.
 +
Regarding the alleged omission by EDP COMERCIALIZADORA
 +
to report "what is the legitimate interest attributed to the person in charge", must
 +
It should be noted that they are clearly exposed and put in relation to the
 +
pursued purposes, that is: fraud prevention and marketing, in
 +
regarding the sending of personalized commercial communications. In these cases
 +
it is obvious that there is an identification between the reported purpose and self-interest
 +
persecuted, so making a separate allusion to the latter would be redundant.
 +
Similarly, by way of illustration, it should be noted that the direct competitors of
 +
EDP ​​COMERCIALIZADORA uses information formulas similar to those of
 +
implanted in my client, with no known procedures to date
 +
against them
 +
On the other hand, the high number of requests for rights received on the channels
 +
willing to do so demonstrate that customers fully understand the content
 +
information and the rights that assist them, and are perfectly clear what
 +
is what they want to achieve with their request and EDP COMERCIALIZADORA, executes
 +
said requests in all cases, always with a marked character of
 +
compliance with the regulations and protection of the fundamental rights of
 +
users.
 +
Regarding the need to report on the weighting carried out for
 +
assess whether the legitimate interest is preponderant in this case, it is relevant to mean that
 +
These two assumptions have been addressed by the legislator himself, who in the
 +
Recital 47 of the RGPD expressly refers to the possibility of carrying out these
 +
treatments based on the legitimate interest of the person responsible for the treatment.
 +
Specifically, it provides that: "the processing of personal data
 +
strictly necessary for the prevention of fraud is also an interest
 +
legitimate of the person responsible for the treatment in question. Data processing
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 49
 +
49/141
 +
personal data for direct marketing purposes may be considered to be carried out by
 +
legitimate interest ”.
 +
The AEPD itself has also ruled on the latter in its report 195/2017
 +
stating that “if the data came only from the information that
 +
provided by the entity in relation to the products or services contracted by the
 +
client, without it being completed with the one originating from other different sources,
 +
certainly the conduct of the entity, consisting of conducting a profiling
 +
for the referral of offers of products or services to their clients, it would be
 +
less invasive of the rights and interests of the clients, being able in this case
 +
consider the applicability of the provisions of article 6.1 f) of the Regulation
 +
general of data protection ”.
 +
Therefore, in both cases the weighting of legitimate interest has already been
 +
carried out, both by the legislator, as well as by the Control Authority and, therefore, the
 +
reason given by the GT29 to recommend its publication so that those affected
 +
may file a claim with said authority when they “doubt whether the
 +
weighting test has been carried out fairly ”would be meaningless in this regard.
 +
case, having to raise said claim before the Court of Justice itself.
 +
Justice of the European Union, in order to examine the legality of the provision
 +
introduced in the RGPD, or where appropriate, before the control authority itself and / or
 +
competent national courts. In any case, GT29 itself identifies this
 +
possibility as a good practice and, as stated in the report itself, its
 +
The objective is “to indicate the approach that, in the opinion of the WG29, those responsible for
 +
treatment they must assume in terms of acting with transparency. It is not, for
 +
Therefore, of a legal obligation whose defective fulfillment may entail
 +
a sanction, as is already the case with many other issues that the AEPD is
 +
trying to sanction in this procedure, lacking the slightest principles of
 +
typification, guilt and proof, these facts that never cease to amaze us in what
 +
which we understand is an action that should be subject to compliance
 +
integrity and rigorous by the sanctioning Administration.
 +
The AEPD continues its analysis stating that the treatments for which it is requested
 +
consent, assessing that it is not easy for a person to understand
 +
no specialized knowledge. However, it offers no explanation for
 +
reach that conclusion (beyond a vague reference to the fourth point).
 +
Against the criteria of the AEPD, we understand that the information is given in a
 +
simple language, understandable for anyone. The information contained in
 +
This second layer must be related to the requested consents.
 +
The first consent says: “I consent to the processing of my personal data once
 +
once the contractual relationship has ended, to carry out communications
 +
commercial adapted to my profile of products and services related to the supply and
 +
energy consumption. Likewise, I consent to the aforementioned treatments during the
 +
validity and after the end of the contract, on non-energy products and services,
 +
both from EDP Group companies and from third parties. "
 +
In the second layer, this information is expanded indicating which are the sectors to be
 +
those belonging to third parties on whom communications can be sent "(I) The
 +
promotion of financial services, payment protection services, automotive or
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 50
 +
50/141
 +
related and electronic, own or third parties, offered by EDP and / or participation in
 +
promotional contests, as well as for the presentation of commercial proposals
 +
linked to the energy sector after the end of the contract. "
 +
As can be seen, not a single technical term is used to make it difficult to
 +
understanding of these texts, and the conditions of consent are fully
 +
clear.
 +
The second consent requested says: "I consent to the processing of my data
 +
personal data for the elaboration of my commercial profile with information from
 +
databases of third parties, for the adoption, by EDP, of decisions
 +
automated in order to send personalized commercial proposals, as well
 +
as to allow, or not, the contracting of certain services. "
 +
The second layer details the content of this consent, indicating: (II) the
 +
possibility of processing personal data of third parties to be added to your profile (III) the
 +
contractual information used by EDP COMERCIALIZADORA in the preparation
 +
of the profile (IV) the detail of the purposes of the aggregation of this information.
 +
Finally, the rights of the interested parties are informed in the case of
 +
that automated decision-making occurs in these processes. Therefore, the
 +
EDP ​​COMERCIALIZADORA's clear objective is to allow interested parties to have a
 +
detailed knowledge of the uses for which consent is requested, since there is no
 +
Will or any fraud to hide the information. Likewise, the AEPD points out that
 +
there is a lack of clarity in the information provided regarding the
 +
aggregation of third party information, by not distinguishing whether it refers to the purpose
 +
relating to point (II) (the possibility of processing personal data of third parties to be
 +
added to your profile) or to (III) (the contractual information used by EDP
 +
MARKETING COMPANY in the elaboration of the profile). In this regard, it seems obvious that
 +
the word aggregation is concise enough, and refers to the sum of both
 +
information. The word add is in common use in everyday life and, according to
 +
the RAE, means: "to unite or join some people or thing to others". In this case, the
 +
context it is clearly inferred that it would be a question of joining the data that EDP already has
 +
COMERCIALIZADORA, with which you could obtain from third parties.
 +
Beyond this, it is unknown what is the specific information whose understanding
 +
It can be complex, as no clarification is provided on this matter. EDP
 +
COMERCIALIZADORA has tried at all times to use clear language and
 +
understandable and there are no technicalities that can complicate the reading of the text, something
 +
It seems that now the AEPD, considers a negative action that penalizes the good
 +
faith of EDP COMERCIALIZADORA in relation to compliance with regulations.
 +
Finally, the AEPD refers to the information regarding the exercise of rights,
 +
with respect to which, as in the previous cases, it does not seem to be sufficient either
 +
for the AEPD the information provided in this regard. Thus, under the heading "Rights
 +
of the owner of the data ”EDP COMERCIALIZADORA informs that:“ The client will have
 +
at all times with the possibility of exercising freely and completely
 +
free the following rights: i) Access your personal data that are processed
 +
by EDP. ii) Rectify your personal data that are processed by
 +
EDP ​​that are inaccurate or incomplete. iii) Delete your personal data that are
 +
treated by EDP. iv) Limit EDP's treatment of all or part of its
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 51
 +
51/141
 +
personal information. v) Oppose certain treatments and decision-making
 +
automated data processing, requiring human intervention in the
 +
process, as well as to challenge the decisions that are finally adopted by virtue of
 +
of the processing of your data. vi) Port your personal data in a format
 +
interoperable and self-sufficient. vii) Withdraw at any time, the consents
 +
previously granted.
 +
In accordance with current regulations, the user can exercise their rights
 +
requesting it in writing, and together with a copy of a reliable accreditation document
 +
identity, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or at
 +
the email cclopd@edpenergia.es
 +
Likewise, you can contact the data protection officer of
 +
EDP, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or by mail
 +
electronic dpd.es@edpenergia.es, in the event that you understand that any of the
 +
your rights related to data protection, or, where appropriate, file a
 +
claim before the Spanish Agency for Data Protection at the address Calle de
 +
Jorge Juan, 6, 28001 Madrid. "
 +
The AEPD considers the mention made by EDP COMERCIALIZADORA insufficient
 +
regarding the possibility of opposing "certain treatments" without specifying
 +
one by one which treatments we are referring to, insofar as the AEPD
 +
states that “it must be clear to the interested party which are the treatments that
 +
they can be objected ”.
 +
This party does not share this assessment, since this supposed obligation that the
 +
AEPD highlights and seems to impose EDP COMERCIALIZADORA is not required by the
 +
RGPD, nor does it have any legal support, which as that Agency knows well is
 +
condition "sine qua non" to be able to sanction-
 +
. Moreover, and for the sake of completeness, this part would like to highlight again
 +
that the formula used by EDP COMERCIALIZADORA is precisely the
 +
recommended by the AEPD itself in its multiple guides and tools related to
 +
duty of information in accordance with the RGPD, and even on the AEPD's own website, something
 +
which, again, does not cease to surprise this part, since that Agency considers
 +
an infringement of the RGPD, proposing for said infringement a penalty of one million
 +
euros, for an alleged breach in relation to a certain practice that
 +
she recommends performing. Along these lines, it should be noted
 +
1) The Guide for the fulfillment of the duty to inform, in which the
 +
following example
 +
2) 2) The FACILITA Tool, of the AEPD, intended for entities to carry out
 +
the adequacy in accordance with the RGPD, including the informative clauses
 +
in accordance with applicable regulations (fictitious data have been included):
 +
3) Report on privacy policies on the internet. Adaptation to the RGPD, where
 +
the AEPD itself exposes as a valid example to adapt the policy of
 +
privacy to the GDPR.
 +
4) Privacy policy of the AEPD, does not collect the alleged information
 +
which is now required from EDP COMERCIALIZADORA, and includes formulas
 +
as "where appropriate"
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 52
 +
52/141
 +
Consequently, EDP COMERCIALIZADORA cannot be criticized for not including
 +
of information that is not even indicated as a good practice in the guides
 +
prepared for the adequate fulfillment of their obligations by the
 +
responsible for the treatment, and that neither the AEPD itself complies with its
 +
Privacy and other information clauses used on its website.
 +
Nor does it seem to make sense to refer to “It is imprecise to point out that the
 +
interested party can oppose the automated decision-making of their data
 +
personal ”. It is obvious that the information provided using the word "oppose" is
 +
understood as a right both when the treatment is legitimized in an interest
 +
legitimate as in a consent (in any case the possibility of
 +
object at any time to the consents granted). The proof is that
 +
When exercising their rights, the interested parties rarely use any of these
 +
terms and are limited to requesting the "unsubscribe" or directly request that they stop using their
 +
data for certain purposes, without using formalities as has been
 +
evidenced in this procedure through the contribution of innumerable examples.
 +
Additionally, this party is interested in showing once again that the AEPD
 +
has had the opportunity to analyze both the general contracting conditions,
 +
such as the information provided in the different contracting processes of which
 +
EDP ​​COMERCIALIZADORA has available during the different requirements of
 +
information and, where appropriate, sanctioning procedures that the AEPD has initiated until
 +
at the moment, without the AEPD having ruled on possible
 +
breaches of the duty of transparency, having proceeded to file the
 +
multiple files in which this documentation was subject to review by the
 +
AEPD.
 +
Therefore, having made this information known to the AEPD and
 +
having been analyzed by the latter, without having spoken out against the
 +
itself, EDP COMERCIALIZADORA continued to use these documents and
 +
procedures in the legitimate confidence that it was adjusted to the requirements
 +
normative, insofar as the AEPD, having access and first-rate knowledge
 +
hand in hand with these alleged breaches, he did not indicate at any time to EDP
 +
MARKETING COMPANY that there was any irregularity, now proposing a
 +
a penalty of one million euros for an alleged breach, of which he would have had
 +
knowledge years ago, but that he no longer considered not to sanction but not even
 +
advise EDP COMERCIALIZADORA. In this sense, it should be noted that the
 +
The purpose of this supervisory authority is none other than to guarantee compliance with the
 +
normative, so in the absence of legal justification that motivates the opening of
 +
Sanctioning Procedure on some aspects that were previously
 +
known and even subject to an archive, the subsequent
 +
imposition of a sanction of the amount that is exposed.
 +
As a conclusion of all the above, it cannot be interpreted that EDP
 +
COMERCIALIZADORA fails to comply with its duties set forth in article 13 of the
 +
GDPR.
 +
In relation to the weighting of the sanction proposed by the AEPD, as well as
 +
than in the previous points, after evaluating the aspects presented in the present
 +
section, and according to the evaluation criteria related by the AEPD, although,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 53
 +
53/141
 +
Without having justified the reason why they are included, the following are included
 +
comments regarding their possible attendance.
 +
"The nature, severity and duration of the offense" to which the RGPD itself
 +
continues with “taking into account the nature and purpose of the operation of
 +
treatment in question, as well as the number of interested parties affected and the level of
 +
the damages they have suffered; " As stated in the present
 +
section, the information provided to users complies with the legal requirements as
 +
throughout the entire hiring process and even afterwards, without therefore allowing
 +
interpret that there is a breach of EDP COMERCIALIZADORA. In addition,
 +
as has been reflected in the previous points, in order to qualify as
 +
aggravate the damages caused to those affected, in addition to materializing,
 +
they must be accredited, an aspect that has not been tested in the
 +
this Procedure.
 +
"The intentionality or negligence appreciated in the commission of the offense;" The
 +
alleged inaccuracies in the information provided by EDP COMERCIALIZADORA
 +
do not imply any breach of the regulations so, in any case, it could be
 +
recommended some improvement in the way it is expressed, but nothing more.
 +
The intention to inform those affected of all aspects has been proven
 +
related to the processing of your personal data in a transparent way, therefore
 +
that in no case is it possible to speak of intention to breach the norm or much
 +
Minus negligent or malicious behavior.
 +
“The high link between the activity of the offender and the performance of treatment of
 +
personal information;" As indicated, this is an ambiguous factor. It has to be taken into
 +
account of the great deployment of means carried out by EDP COMERCIALIZADORA
 +
to allow the information to be provided to all interested parties through all channels through
 +
which it is possible to collect personal data.
 +
"The continuing nature of the offense;" "High volume of data and treatments
 +
which constitutes the object of the file; " and "High number of interested parties;" As
 +
that in other criteria indicated individually, these three criteria are
 +
subsumed with the one raised in the first place, and proceeding from article 83.2 a) of the
 +
RGPD, so its evaluation must be carried out jointly with the indicated one and, therefore
 +
Therefore, do not suppose an additional aspect to the one mentioned for the calculation of the potential
 +
applicable sanction.
 +
"The condition of a large company of the responsible entity and its volume of business."
 +
As already stated, this is not an evaluation factor for the amount of the
 +
sanctions. Consequently, EDP COMERCIALIZADORA cannot be penalized for the
 +
compliance with its duty of transparency, far from it in the amount proposed
 +
in the Agreement for the Initiation of Sanctioning Procedure to which we reply in the
 +
present writing.
 +
FIFTH.- ON THE AGREEMENT TO START THE SANCTIONING FILE AND THE
 +
ASSESSMENT OF THE POSSIBLE PENALTY. LEGAL BASIS AND
 +
PROPORTIONALITY OF THIS.
 +
A. BREACH OF THE PRINCIPLE OF INTERDICTION OF ARBITRARITY .
 +
In relation to this principle we must attend to two specific questions:
 +
1) The recommendations and publications of the AEPD,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 54
 +
54/141
 +
2) The amounts of the sanctions that have taken place in previous cases
 +
Similar.
 +
First of all, certain practices recommended and even applied by the AEPD
 +
relating to the collection of consent and the information to be provided to
 +
interested parties, have served in this case to argue and motivate the alleged
 +
offenses committed by EDP COMERCIALIZADORA.
 +
These criteria are reflected both in the way of jointly compiling the
 +
purposes whose legitimating basis is the consent of the user, as stated
 +
in the Second Allegation, as well as in the presentation of the information related to the
 +
exercise of rights of the interested parties included in the Fourth Allegation. These
 +
aspects, which a priori the AEPD recommends and puts into practice, considering them
 +
examples that are adapted to the applicable regulations, are used as elements
 +
offenders to justify the alleged breach of different legal precepts by
 +
EDP ​​COMMERCIALIZADORA.
 +
All this and said in strict defense terms, not only implies that the AEPD
 +
considers insufficient what the Authority itself has incorporated into its clauses
 +
informative, thus resulting in insufficient information in accordance with the RGPD,
 +
rather, the fact of modifying the adopted criterion invalidating aspects without
 +
motivation, or any justification, implies a clear situation of legal uncertainty,
 +
contrary to the constitutional principle of prohibition of arbitrariness contained in the
 +
article 9.3 of the Spanish Constitution; principle that implies that the authorities do not
 +
can make arbitrary decisions, understanding by such, those that suppose a
 +
infringement of the principle of equal treatment of the administered before the application of
 +
the law and the objectively determined rules.
 +
Second, the amounts of the previous sanctions in cases of fact
 +
Similar are not comparable to the proposals in this case.
 +
Specifically, we must bring up the Penalty Procedure
 +
PS / 00097/2019, addressed to the entity of the same business group, EDP
 +
ENERGÍA, in which, after having analyzed the contracting system and the information
 +
provided to each of the intervening parties, both the representative and the
 +
represented, the file of the file is issued, thus validating all the
 +
documents that accompanied the procedure, that is, the related documentation
 +
to the hiring process.
 +
Likewise, it should be noted that, last March 2019, EDP ENERGIA, also
 +
received file of actions of the request for information E / 04707/2018,
 +
initiated after complaint filed by Mr. *** AAA . In this case, the AEPD resolves
 +
that it is not appropriate to process the claim received, considering, therefore, the
 +
contracting procedure and documentation provided, in accordance with Law.
 +
As in the first section of this point, the proposed sanctions, carried out
 +
Without motivation, or due justification, they go against legal certainty, a principle
 +
constitutional established in article 9.3 of the Spanish Constitution, as well as against
 +
the principle of legal foundation. In other words, any decision made by
 +
the AEPD must be objective, well-founded and typified.
 +
In this sense, it is worth mentioning the Judgment of the Supreme Court of the 3rd Chamber
 +
of the Contentious-administrative, Section 3, Judgment of May 13. 2015, Rec.
 +
28/2013, in which the interested party, appeals in cassation, stating among others
 +
allegations the infringement of the principles of interdiction of arbitrariness, security
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 55
 +
55/141
 +
legal and equality established in articles 9.3 and 14 CE, pursuant to article
 +
88.1.d) LJCA and the Court uphold said motivation. Of this resolution, it is worth highlighting
 +
the next:
 +
“C) The constitutional requirement of the reasons for the judgments, included in the
 +
Article 120.3, in relation to 24.1, of the Constitution, appears justified, without further ado
 +
to emphasize the ends to whose achievement it tends, which, above all, aspires to
 +
patent the submission of the Judge or Court to the rule of Law and contributes to achieving the
 +
conviction of the parties in the process about justice and the correctness of a decision
 +
judicial, facilitating the control of the sentence by the Superior Courts, and operates
 +
as a guarantee or preventive element against arbitrariness.
 +
d) The breadth of the reasons for the judgments has been qualified by the doctrine of the
 +
Constitutional Court, indicating that it does not authorize to demand judicial reasoning
 +
exhaustive and detailed of all the aspects and perspectives that the parties
 +
may have of the question to be decided, but must be considered sufficiently
 +
motivated those judicial decisions that are supported by reasons that
 +
make it possible to know what the essential legal foundational criteria have been
 +
of the decision, that is, the "ratio decidendi" that it has determined (judgments of the
 +
Constitutional Court 14 / 1991,28 / 1994,145 / 1995 and 32/1996, among many others). A) Yes
 +
It has been recognized by the Constitutional Court itself when it refers to the fact that it is not
 +
an exhaustive or exhaustive examination of the arguments of the parties is necessary, and
 +
when it even allows argumentation by references to reports or other
 +
resolutions. The Judgment of the Constitutional Court nº 122/94 of April 25, affirms
 +
that this right to motivation is satisfied when the judicial decision in a manner
 +
explicit or implicit contains reasons or elements of judgment that allow knowing the
 +
criteria on which the decision is based "."
 +
As a result of the foregoing, it should be noted that the AEPD identifies as an example of a sanction, the
 +
Sanctioning Procedure with file number PS / 0025/2019, file that
 +
It is in contentious proceedings and therefore, it does not become firm. For all this, neither can
 +
be considered a file that affects the diligence operated by EDP
 +
MARKETING COMPANY, nor can it be considered as an antecedent, since
 +
this sanction is not yet final. After analyzing the above, as well as the doctrine and
 +
jurisprudence embodied in this section, it can only be concluded that we
 +
We are faced with a series of proposals for administrative sanctions, the motivation of which
 +
they are separated from the own interpretation recently made by this Agency. For
 +
Therefore, it must be understood that the situation caused generates damages derived from the
 +
lack of legal certainty, the motivation of which is set out in the sections that
 +
follow.
 +
B. LACK OF PROPORTIONALITY At this point, it should be remembered that the principle
 +
proportionality is a general principle of law. Reason why, the AEPD
 +
you should take this principle into account both when determining the criteria
 +
evaluators, such as when determining the applicable sanction, a principle that as
 +
It is possible to appreciate the procedure, from the beginning of the investigation and
 +
stricter sense of defense, has not been applied by the AEPD in the Agreement of
 +
Initiation of the Sanctioning Procedure.
 +
It should be noted in this section that the sanctioning capacity of the AEPD is
 +
is limited by the principle of proportionality, a limitation embodied in the
 +
Article 29 of Law 40/2015, of the Legal Regime of the Public Sector (hereinafter,
 +
"LRJSP"). This requires that all sanctions be suitable, necessary and adequate to the
 +
seriousness of the constitutive fact of the offense. Therefore, we remember the criteria
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 56
 +
56/141
 +
evaluators collected throughout the writing, as well as the following excerpts from the
 +
Article 83.2 of the RGPD that applies jointly.
 +
"K) any other aggravating or mitigating factor applicable to the circumstances of the case,
 +
such as financial benefits obtained or losses avoided, direct or
 +
indirectly, through the offense. "
 +
In this regard, of the aforementioned few or non-existent claims in
 +
regarding the alleged breaches, it can only be interpreted that EDP
 +
COMERCIALIZADORA complies with the general and majority requirements
 +
included in the RGPD, a criterion that must be taken into account as mitigating
 +
potential applicable sanction.
 +
First, with respect to the alleged violation of Article 25 of the RGPD, the
 +
AEPD, seems to intend to sanction assuming the non-existence of
 +
legally required documentation, without the Authority itself having required it.
 +
For this reason, the AEPD in the sanction proposed in the writing of Agreement for the Start of
 +
Sanctioning Procedure, is based on a fiction, since the reality of the situation is
 +
that the documents on which the non-existence or inaccuracy is alleged comply with
 +
all obligations associated with data protection from the design and by
 +
defect, providing, as stated in the corresponding point, of
 +
relevant risk analyzes and impact assessments, including all relevant
 +
corrective measures, having followed both the analyzes and the internal plans
 +
with the criteria indicated by the AEPD.
 +
Therefore, the proposed sanction is not only disproportionate according to the above
 +
in this writing, but it is not applicable to the facts before which we
 +
we find.
 +
Second, as indicated in the second claim, the alleged
 +
infringement of article 6 of the RGPD, EDP COMERCIALIZADORA has not carried out
 +
any treatment related to the realization of a profiling and its subsequent use with
 +
commercial purposes, nor has it provided insufficient information regarding the identification of the
 +
responsible, being the same reflected at the contractual and informative level both in the
 +
first layer, as in the second, aspect that in any case would affect what was collected
 +
in article 13 of the RGPD. A greater abundance, as we have exposed
 +
previously, the collection of the purposes jointly, when these are
 +
They are subject to the same legitimizing basis, it is approved by the AEPD itself.
 +
For this reason, the proposed sanction is disproportionate and contrary to law.
 +
legal since the existence of any infraction has not been justified, nor has
 +
carry out the treatment in question.
 +
Likewise, as we have already stated previously, the AEPD, up to now, has not
 +
sanctioned in any file based on the violation of article 22 of the RGPD,
 +
thus requiring a detailed and justified review and substantiation, so that the
 +
proposed sanction is not considered disproportionate.
 +
Finally, based on what is stated in the fourth claim regarding the violation of the
 +
Article 13 of the RGPD and in relation to the provisions of this section, the
 +
information collected and provided to interested parties complies with legal requirements
 +
enforceable, not being punishable in any case the non-implementation of recommendations
 +
that the AEPD intends to impose on EDP COMERCIALIZADORA, as well as aspects that
 +
even despite being at one point defended and applied by the AEPD itself,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 57
 +
57/141
 +
are at this time arguments to justify the non-existent infringement by
 +
of EDP COMERCIALIZADORA of its duty of information.
 +
Therefore, as it has been shown and broken down throughout the present
 +
In writing, EDP COMERCIALIZADORA complies with both the requirements set out by the
 +
applicable regulations, as indicated by the guides and legal texts published by
 +
the AEPD itself.
 +
Likewise, the AEPD considers EDP COMERCIALIZADORA as an entity with a
 +
great business value, assuming this volume is a relevant aspect when it comes to
 +
raise the penalty, without proving, however, that the business value is sufficient to
 +
that the sanctions, which are widely high, can be considered as
 +
proportional.
 +
Likewise, as has been explained in each point, each and every one of the
 +
alleged infringing actions have mitigating factors that do not appear to be
 +
have been taken into account, since they only consider criteria that in addition to
 +
expressed independently of what is contained in the articles themselves, increase the
 +
amount of the potential sanction to impose.
 +
These aspects show the total disproportion and arbitrariness of the sanctions
 +
proposals, without there being any foundation in the Initiation Agreement that allows
 +
the AEPD to motivate the amounts proposed, nor the reasons why some
 +
same facts that until now had not even been sanctioned by the
 +
Control Authority previously - infringement of article 22 of the RGPD-,
 +
thus departing from the considerations of other procedures, as well as the
 +
evaluative criteria to determine unmotivated amounts and
 +
disproportionate.
 +
Therefore, the proposed sanction would not have to be applied, since there is no
 +
infringement, nor any breach, nor does it meet the criteria covered by the
 +
principle of proportionality.
 +
Added to the above, in the Judgment of October 15, 2012 (JUR / 2012/353649),
 +
Appeal 180/2010, the Chamber, applying the principle of proportionality, addressed the lack of
 +
of accreditation of the effects of the conduct as a criterion to reduce the sanction,
 +
pointing out the essential character of the principle, allowing the Chamber to eliminate or reduce
 +
sanction imposed:
 +
“As the appellant points out, it is not proven that the conduct
 +
anticompetitive would have any effect on the market, since there is no reasoning in the
 +
resolution appealed what has been the effect on consumers or users in this
 +
case of public hospitals (…) In Spain, the Supreme Court has recognized the
 +
capacity of the court to rectify the graduation of sanctions
 +
imposed by the Court for the Defense of Competition. Thus in sentence of 5 of
 +
March 2001, May 24, 2004, June 12, 2006, February 14, 2007
 +
points out that "the aforementioned principle of proportionality or of the individualization of
 +
sanction to adapt it to the seriousness of the fact, make the determination of the
 +
sanction a regulated activity and, of course, it is possible in a jurisdictional seat not
 +
only the confirmation or elimination of the sanction imposed but its modification to
 +
reduction "or in the judgment of October 8, 2001" there is no excess in the
 +
exercise of jurisdiction but observance without more than the constitutional mandates
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 58
 +
58/141
 +
referring to the right to judicial protection (article 24.1) and to the control of the legality of the
 +
administrative action (8 article 106.1), when the court, analyzing
 +
one of the reasons for challenging the administrative act, such as the resolution of the
 +
Competition Defense Court, decides which is the appropriate sanction in
 +
application of this principle of proportionality and of the provisions that for this purpose
 +
established the legal norm ".
 +
In this sense, it is also worth mentioning the Judgment of the TSJA resolving
 +
through resource number 795/2003:
 +
"The principle of proportionality has served in jurisprudence as an important
 +
control mechanism by the Courts of the exercise of power
 +
sanctioning of the Administration when the norm establishes for an infraction
 +
various possible sanctions or indicates a quantitative margin for setting the
 +
financial penalty. The principle of proportionality or the criminal principle of
 +
individualization of the sanction to adapt it to the seriousness of the act and the
 +
personality of the author, make the determination of the sanction a regulated activity.
 +
The Supreme Court has repeatedly maintained the provenance of specifying
 +
administrative sanctions in contemplation of the offense committed,
 +
grading them with the appropriate criterion of proportionality, based on the principles
 +
sanctioning law computers, weighing for this purpose the circumstances
 +
concurring in the constitutive act of the sanctioned offense, corresponding to
 +
jurisdictional activity, as stated in the judgment of September 26, 1990,
 +
not only the power to subsume the offender's conduct in a certain type
 +
legal, but also adapt the sanction to the act committed, since in both cases
 +
It involves the application of legal criteria set out in the written norm and
 +
deductible from the informing principles of the sanctioning legal system, such as
 +
they are those of congruence and proportionality between the offense and the sanction. "
 +
In short, analyzing each of the alleged infractions that are attributed to me
 +
represented, it is only possible to interpret that there is an absolute disproportionality in
 +
the interpretation made by the AEPD in this Agreement for the Beginning of
 +
Penalty Procedure, not only because it lacks motivation when it comes to
 +
consider the alleged offense to have been committed, but because of the fact that the sanctions
 +
Proposals escape any criteria previously assessed by the company itself.
 +
AEPD. And therefore, at least the correction by the AEPD corresponds, in
 +
case of not considering the due cancellation and filing of the proceedings, assuming
 +
therefore a substantial reduction of each potential infringement to its minimum degree,
 +
even reaching the warning, because there is no non-compliance, lack of
 +
motivation and disproportionality.
 +
C. DUPLICITY OF SANCTIONS AND COMPLIANCE WITH THE "NE BIS IN PRINCIPLE
 +
IDEM"
 +
An aspect is derived from the Agreement to Initiate Sanctioning Procedure that has
 +
been pointed out at various points in the present allegations thereto, and
 +
whose relevance cannot be ignored. Thus, the infractions that are indicated are
 +
reiterations of the same facts, whose estimation would cause a notorious
 +
duplicity in the sanctions imposed, either because they address circumstances
 +
previously examined by the AEPD or because it estimates the concurrence
 +
multiple infringements on the same fact.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 59
 +
59/141
 +
In the first place, this Agency has pointed out the concurrence of a
 +
infringement derived from the provisions of article 25 RGPD by estimating that they have not been
 +
carried out the appropriate actions, referring to the adequacy of the
 +
procedures that are implemented for contracting by third parties. Without prejudice to
 +
the arguments that have been expressed in the corresponding First allegation, to
 +
to which we refer for brevity, it is relevant to note that the appreciation of the
 +
commission of infringement derives from events that, prior to it,
 +
have been previously analyzed by the AEPD. This has meant that, considering the
 +
concurrent casuistry in the same, this was sanctioned in a procedure that,
 +
the date, is appealed.
 +
From the foregoing, it should necessarily follow that the imposition of the
 +
infringement causes the production of new facts that motivate the imposition of
 +
the proposed sanctions. Well, neither is this the casuistry that concerns us,
 +
there have been no new claims or circumstances that have led to the AEPD
 +
to this Agreement for the Initiation of Sanctioning Procedure. Certainly the
 +
imposition of the sanction that is proposed would suppose that, before a fact that has been
 +
evaluated and resolved or punished by the corresponding authority, be it again
 +
examined from the same perspective or, on the contrary, that, in the absence of
 +
materialization of said risk, said sanction would be imposed based on conducts
 +
that could potentially lead to non-compliance, but whose production is, to
 +
the date, nonexistent.
 +
Secondly, the AEPD makes use of different normative precepts to
 +
sanction the same act, by simultaneously constituting the commission of three
 +
infractions, although each of them is based on non-compliance with the
 +
duty of information regulated in article 13 of the RGPD
 +
In this sense, as has already been advanced in the previous allegations, although the
 +
Agreement to Initiate Sanctioning Procedure part of the applicability of three
 +
differentiated offenses, corresponding to articles 6, 13 and 22 of the RGPD,
 +
all of them are based on deficient information and ignorance of the
 +
user of the object of the consent request. Thus, the argumentation that embodies
 +
to substantiate your consideration regarding obtaining consent
 +
insufficient, it is indicated that: “It is considered that the consent thus given is not
 +
adjusted to the provisions of the RGPD and the LOPDGDD. Consent is requested with
 +
deficient information, as it is not indicated or what third-party databases are going to
 +
consult or what type of data will be collected, so that the interested party does not know
 +
absolutely that is what you are consenting to. Nor is it determined who is going to be
 +
the person responsible for the treatment, a generic reference is made to EDP, without the
 +
client who has contracted a service only with one of the two entities
 +
(EDP COMERCIALIZADORA SAU or EDP ENERGIA, SAU) know if you are
 +
Consenting that such treatments are carried out by both entities or only
 +
that of which you are a client. Nor is it clear what type of services will be allowed
 +
hire or not. Such deficiencies do not allow the interested party to know the
 +
consequences of your decision and thus assess whether or not to provide your
 +
consent." (Page 50 of the Agreement to Initiate Sanctioning Procedure).
 +
Similarly, regarding the alleged violation of article 22 RGPD, relating to the
 +
commission of automated decisions, the AEPD in its own written Agreement of
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 60
 +
60/141
 +
Initiation of Sanctioning Procedure, after collecting the aspects related to the
 +
treatment of data in which there are automated decisions, collects the following:
 +
“From all this it can be concluded that the consent given for such purposes does not
 +
is in accordance with the provisions of article 4.7 of the RGPD as long as it is not
 +
duly informed in general, the requirements are not met
 +
specific information established in article 13.2 for decisions
 +
automated and is not specific. The absence of such requirements determines that
 +
the same is not valid so that the treatments based on it lack
 +
legitimation, thus contravening the provisions of articles 6 and 22 of the RGPD. "
 +
(Page 52 of the Agreement to Initiate Sanctioning Procedure).
 +
In light of the foregoing, each insufficiency mentioned, derives cumulatively, to the
 +
potential breach of article 13 of the RGPD, regarding the duty of information.
 +
For these purposes, the presentation made by
 +
that Agency of two infractions derived from the absence of legitimation basis
 +
sufficient as it is not informed consent and, simultaneously, another infraction
 +
due to the lack of transparency in the information provided. About it, well
 +
It is known by the AEPD that our jurisprudence has reiterated in many
 +
occasions as a fundamental principle of Law, that the same fact cannot be
 +
sanctioned twice.
 +
The application of this principle non bis in idem supposes a manifest impossibility of
 +
impose two or more administrative sanctions, for the same act, provided that
 +
produces a de facto identity, is attributed to the same subject and is imposed
 +
based on a common foundation as regards the protected legal asset.
 +
Therefore, there is no doubt that, if the AEPD's assessment is applicable
 +
of the commission of an infringement by EDP COMERCIALIZADORA of the
 +
exposed facts referring to the indicated articles, this will require the necessary
 +
competition of applicable laws. In this sense, it is essential to bring up the
 +
provided in article 29.5 of the LRJSP, which states that: “When the commission of
 +
an offense necessarily derives the commission of another or others, it must be imposed
 +
only the sanction corresponding to the most serious offense committed. "
 +
Without prejudice to the scarce jurisprudence derived from said precept, as a result of its
 +
previous regulation (Royal Decree 1398/1993, of August 4, approving the
 +
Rules of Procedure for the Penalty Power), our Courts
 +
have preached that, for the assessment of the aforementioned contest, the regulations
 +
“(…) Requires, for the application of the medial contest, a necessary derivation of some
 +
infractions with respect to the others and vice versa ”(Judgment of the Supreme Court of 8
 +
February 1999).
 +
In application of this precept, there are favorable judgments of the Chamber of
 +
contentious-administrative law of the National Court that, in analysis of the matter
 +
it concerns us, stated that: “Accordingly, this Chamber considers that in the case of
 +
There is a direct connection between the violation of Article 6 (treatment of
 +
personal data without the consent of the affected party) and the violation of the
 +
Articles 4.3 (treatment of inaccurate data), both of the LOPD. Connection to be
 +
is highlighted by the fact that the processing of the complainant's data without his
 +
consent, is carried out only in communication by letter (from the
 +
information about the movements of the Cortefiel POS) to your old address, which is
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 61
 +
61/141
 +
which gives rise to the complaint presented by him, and that by not correcting (precisely
 +
because said incorrect treatment did not have any economic or accounting reflection in
 +
said Bank), is maintained in the different communications by letter made. It is
 +
In other words, as indicated by the plaintiff in the lawsuit, it turns out that the treatment that
 +
has consisted, exclusively, in improperly including some data of the affected party in a
 +
report of operations that do not refer to it, can only be produced without mediating its
 +
consent, so that the non-consensual treatment of data of article 6.1 LOPD
 +
necessarily derives from the improper or erroneous treatment thereof (Art
 +
4.3) .Therefore, the aforementioned article 4.4 of the Regulation for the
 +
exercise of the sanctioning power, therefore, since both offenses are the same
 +
gravity, it is necessary to impose a single sanction 60,101.21 Euros, which is considered
 +
be in this case the one corresponding to the infringement of the principle of treatment not
 +
consented, in which the infringement of the
 +
data quality principle, both of article 44.3.d) LOPD. " (Judgment of 19
 +
November 2009, rec 338/2009)
 +
In light of this, even though the precepts of the
 +
regulations that preceded the RGPD and would cover a differentiated scenario, there is no doubt
 +
that the National Court appreciated the appropriateness of estimating the concurrence of
 +
offenses based on a medial contest among the offenses contemplated
 +
in the data protection regulations, when necessarily the commission of a
 +
requires the production of the other. In this regard, said Hearing states that,
 +
if there is a single action from which two offenses could be derived, it can only be
 +
be taken into account the most serious. In the same way as in the aforementioned case,
 +
in which the improper obtaining of a data necessarily caused a treatment of
 +
inaccurate data, in the case that concerns us, the consideration by this AEPD of
 +
an illegitimate obtaining for not complying with the principles defined by the RGPD for
 +
determine that consent is informed and unequivocal, it must be subsumed
 +
in the assessment pertinent to the duty to inform, not allowing in any way the double
 +
assessment indicated in the penalty proposal. It does not fit, therefore, as has
 +
set out by the AEPD in this procedure, apply different precepts
 +
regulations (articles 6, 22 and 13 of the RGPD) independently, to sanction
 +
on a potential offense directly related to the line of duty
 +
of information, and in any case the penalties proposed in the
 +
Penalty Procedure Agreement.
 +
D. LACK OF RELEVANT EVIDENCE FOR IMPUTATION OF THE INFRINGEMENT
 +
AND CORRESPONDING IMPOSITION OF THE PENALTY.
 +
It is necessary to bring up the inquisitive principle or of dominant officiality in the
 +
administrative procedure, which implies that the administrative authority is the
 +
obliged to proceed to the verification of the alleged facts through the ex practice
 +
office of the pertinent tests, thus dominating the principle of material truth. A) Yes
 +
Therefore, in the administrative procedure it is an essential requirement that all
 +
affirmations made are subjected to confrontation with the facts, falling
 +
on the competent authority the accreditation of the same, in order to guarantee the
 +
legal certainty required for the sole purpose of complying with the purposes of the
 +
Public Administration .
 +
Likewise, it is pertinent to point out the provisions of article 53 of Law 39/2015 of 1
 +
October, of the Common Administrative Procedure of Public Administrations,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 62
 +
62/141
 +
regarding the presumption of innocence and the non-existence of responsibility while
 +
not to be proven otherwise.
 +
For more abundance, reference should be made to the Judgment of the Court
 +
Constitutional 76/1990, of April 26, 1990, Rec / 695/1985 that delimits the scope
 +
and respect for the presumption of innocence in the sanctioning procedure and that indicates
 +
the following: “Indeed, it cannot raise any doubt that the presumption of
 +
Innocence governs without exceptions in the sanctioning system and must be respected
 +
in the imposition of any sanctions, be they criminal, be administrative in
 +
general or tributary in particular, since the exercise of ius puniendi in its various
 +
manifestations is conditioned by art. 24.2 CE to the test set and a
 +
Contradictory procedure in which their own positions can be defended. On
 +
In this sense, the right to the presumption of innocence entails: that the sanction is
 +
based on acts or probative means of charge or incriminating conduct
 +
reproached; that the burden of proof rests with the accuser, without anyone being
 +
forced to prove his own innocence; and that any insufficiency in the result of
 +
The tests, carried out, freely assessed by the sanctioning body, must
 +
be translated into an acquittal.
 +
Likewise, we cannot affirm that the evidentiary activity carried out by the
 +
Administration can be considered of charge, and, in the event that this body
 +
so consider it, (STS of December 18, 2000- RJ 2000/92) it has been
 +
fully disproved by means of the statements made by this party, thus
 +
as well as through the documents attached to this lawsuit.
 +
Similarly, the jurisprudential line followed by
 +
Constitutional Court in its judgment of February 20, 1989, in relation to the
 +
principles and guarantees of criminal judicial procedure applicable to the procedure
 +
administrative sanctioning and, which indicates "Our doctrine and criminal jurisprudence have
 +
been arguing that, although both may consider as manifestations of
 +
a generic favor rei, there is a substantial difference between the right to presumption
 +
of innocence, which develops its effectiveness when there is an absolute lack of evidence
 +
or when those practiced do not meet the procedural guarantees and the principle
 +
jurisprudential in dubio pro reo that belongs to the moment of the valuation or
 +
evidentiary appreciation, and that has to judge when, that activity concurs
 +
indispensable evidence, there is a rational doubt about the real concurrence of
 +
objective and subjective elements that make up the criminal type in question "
 +
Regarding these criteria, the Spanish Agency has ruled, agreeing on the
 +
file of proceedings (E / 04684/2017) and stating the following literally:
 +
“(…) For this reason, it is necessary to review in relation to the principle of presumption of
 +
innocence that, to the Administrative Penalty Law, due to its specialty, are
 +
application, with some qualification, but without exceptions, the inspiring principles of the
 +
criminal order, being clear the full virtuality of this principle of presumption of
 +
innocence. In this sense, the Constitutional Court, in Sentence 76/1990, considers
 +
that the right to the presumption of innocence implies “that the sanction is based on
 +
acts or means of proof of charge or incriminating the reproached conduct; what
 +
The burden of proof rests with the accuser, without anyone being obliged to prove
 +
his own innocence; and that any shortcomings in the test result
 +
practiced, freely valued by the sanctioning body, should be translated into a
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 63
 +
63/141
 +
acquittal ”. In accordance with this approach, it is necessary to
 +
account that they can only be sanctioned for acts constituting an infringement
 +
administrative the natural and legal persons who are responsible for the
 +
themselves by way of fraud or fault ”(…) Ultimately, the application of the principle of
 +
presumption of innocence prevents the imputation of an administrative offense when
 +
has obtained and verified the existence of a proof of charge accrediting the
 +
facts that motivate this accusation. (…)
 +
Finally, review the Judgment of May 25, 2001, issued on appeal
 +
administrative litigation by this National Court, to number 29/2000,
 +
pronounce on the imposition of a sanction based on a presumption
 +
carried out by the Agency, and rules that “(…) the Chamber, as we went on to
 +
reason, from the assessment of the evidence in the administrative file, it reaches
 +
the conclusion that this integrating fact of the
 +
type, that is, it is not proven that the Bank delivered to Mr. ... the respective extract,
 +
This concrete fact provokes serious doubts, in the face of the required certainty ”. Y
 +
concludes by stating that without denying that the events could have occurred as indicated in the
 +
the complainant, neither can the possibility that the extract was not
 +
given to the husband by the Bank, but that he obtained it by taking advantage of some
 +
visit to the home or through the action of a relative, said in terms of
 +
pure hypothesis ”.
 +
In this same sense, the Superior Court of Justice of Madrid ruled in
 +
Judgment of 02/21/2001, in which it states that “The only evidence of the prosecution, of which the
 +
APD infers the responsibility of the appellant, it is the fact that it was the ex-husband
 +
of Dña ... who will provide the lawyer with said extract that was contributed to the incident
 +
modification of measures, and it must be agreed with the appellant that the possession of the
 +
Extract, in the opinion of this Chamber, is insufficient circumstantial evidence to destroy its
 +
presumption of innocence since, certainly, said extract could reach the possession of
 +
D ... through channels other than direct delivery by the bank, for
 +
what not being proven any of these hypotheses, this reasonable doubt
 +
about the way in which the ex-husband obtained the bank account statement
 +
The complainant must always operate for the benefit of the sanctioned, proceeding, in
 +
Consequently, uphold his claim to annul the sanction imposed for lack of
 +
sufficient proof of the appellant's participation in the delivery of the bank statement
 +
to a person other than the account holder ”In short, appreciating the various
 +
criteria taken into account by the competent body in matters of protection
 +
of data when carrying out the file of actions in those cases in
 +
those in which it is considered that there is a lack of evidence and in which, the
 +
outlined jurisprudential lines, this part considers that the
 +
legal guarantees that all procedures must respect.
 +
E. LACK OF LEGAL FOUNDATION
 +
As we have stated throughout this writing, the alleged infractions
 +
committed by my client, have not taken place, so it has not materialized,
 +
nor is there any possibility that EDP COMERCIALIZADORA has infringed the
 +
mentioned articles following what was alleged by the AEPD in the Agreement for the Beginning of
 +
Sanctioning Procedure.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 64
 +
64/141
 +
It should be noted that any sanctioning procedure and, where appropriate, the sanction
 +
resulting, must be motivated, grounded, and even more decisive, must comply
 +
with the due principle of legality, typicity. As a result of this aspect, it is brought up
 +
the Sentence of the Superior Court of Justice of Catalonia, number 870/2019,
 +
Rec: 454/2016, from which we extract the following:
 +
"The due effectiveness of the principle of typicity in administrative sanctioning matters
 +
whose requirement certainly derives from our administrative order
 +
sanctioner, also in tax matters, as a manifestation of the guarantees
 +
formal and material that are contained in the constitutional principle of legality
 +
sanctioning ex article 25.1 of the Constitution, and which previously included article 129 of
 +
the already repealed Law 30/1992, of November 26, on the legal regime of
 +
public administrations and the common administrative procedure, applicable to
 +
this case additionally for temporary reasons (and today Article 27 of the Law
 +
40/2015), as well as in this specific tax order, article 178 of the Law
 +
58/2003, General Tax, taking into account the implicit content of the aforementioned precept
 +
constitutional (Article 25.1 of the Constitution), despite its remarkable laconism
 +
(Constitutional Court ruling number 34/1996, of March 11), in which
 +
has highlighted the so-called material guarantee of the principle of legality (among others, and
 +
Since the ruling of the Constitutional Court 42/1987, of April 7, the
 +
Judgments of the Constitutional Court 3, 11, 12, 100 and 101/1988, of June 8, 161,
 +
200 and 219/1989, of December 21, 61/1990, of March 29, 207/1990, of December 17,
 +
December, 120 and 212/1996, 133/1999, of July 14, 142/1999, of July 22, and 60 and
 +
276/2000, of November 16), which is identified with the traditional principle of
 +
typicity of the offenses and administrative sanctions and that requires a determination
 +
previous and certain regulations of the specific conduct or conducts that by action or
 +
omission is deemed to constitute a fault or an administrative offense, with
 +
prohibition of any analogue or extensive interpretation in malam partem
 +
(Constitutional Court ruling 125/2001, of June 4, citing the
 +
Judgments of the Constitutional Court 81/1995, of June 5, 34/1996, of
 +
March, 64/2001, of March 17, and 113/2002, of May 9), being likewise
 +
jurisprudential doctrine already well consolidated which teaches that in the exercise of its
 +
sanctioning administrative power the acting sanctioning administration does not
 +
responds, properly, to the exercise of an administrative power of essence or of
 +
discretionary trend but predominantly regulated for the application to each case
 +
concrete sanctioning regulatory framework pre-established with a general character in the
 +
applicable sanctioning legal system, which implies, from the outset, the
 +
requirement of the necessary adequacy and rigor in the qualification of the facts
 +
accused and in their punctual incardination and adequate subsumption in the offending type
 +
legally defined for its correction, in such a way that the opposite, certainly,
 +
it would be a determining factor of violation of the subjective fundamental right before
 +
pointed out and all recognized by the current constitutional text ex article 25.1 of the
 +
Constitution (rulings of the Constitutional Court 77/1983, of October 3, and
 +
3/1988, of January 21), which, because it is susceptible to constitutional protection, would
 +
incur in an eventual administrative sanctioning action that violates the same in
 +
the defect of nullity of full right previously provided for by article 62.1. a) of the
 +
Repeated Law 30/1992, applicable to the case for temporary reasons (today Article 47.1. a)
 +
of Law 39/2015) "
 +
For more abundance, article 89 of Law 39/2015, of October 1, on the
 +
Common Administrative Procedure of Public Administrations, which includes the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 65
 +
65/141
 +
following: 1. The investigating body will resolve the completion of the procedure, with
 +
file of the proceedings, without the need to formulate the proposal for
 +
resolution, when the procedural instruction shows that
 +
any of the following circumstances concur: a) The non-existence of the facts that
 +
could constitute the infringement. b) When the facts are not proven. c)
 +
When the proven facts do not manifestly constitute an infringement
 +
administrative. d) When there is no or it has not been possible to identify the person or
 +
responsible persons or appear exempt from liability. e) When
 +
conclude, at any time, that the offense has prescribed. In the present
 +
Of course, both a), b) and c) concur, which is why, therefore, it would not fit
 +
continue with the sanctioning procedure initiated, having to resolve, where appropriate, the
 +
file of the proceedings, a request that we present before the AEPD with character
 +
reiterated, since, as evidenced in this document, neither has
 +
committed the offending acts, nor are the alleged
 +
offending conduct, nor the interpretation and sanctions proposed by the AEPD remain
 +
motivated.
 +
TWELFTH: Received the allegations made by EDP
 +
Comercializadora, SAU to the agreement to initiate the reference procedure,
 +
noted that the document attached to them called "annexes 1, 2 and 4" is
 +
states that “given the technical limitations of the electronic office for the
 +
presentation of the content of annexes 1, 2 and 4, these are presented by means of a
 +
link to a folder ”, indicating a link to a website and a password, using
 +
written, dated October 3, 2020, a period of 5 business days is granted to
 +
present the documentation that appears in said document in the Registry of this
 +
Agency through the Electronic Office, for the purposes of recording
 +
Registry of the documentation presented, its origin and its integrity.
 +
On October 8, 2020, they are presented through the Registry of this Agency
 +
the following documents:
 +
Appendix 1:
 +
- Annex 1.a) Risk analysis methodology and implementation of Days
 +
- Annex 1.b) RAT contracting EDPC
 +
- Annex 1.c) RAT risk assessment- EDPC contracting
 +
- Annex 1.e) Impact Assessments -Risk Assessments
 +
- Annex 1.f) Impact evaluations - Reports
 +
Appendix 2:
 +
- EDP Methodology_Privacy by Design by Default
 +
- Operational Instruction Privacy by Design & Privacy by Default
 +
- Privacy by Design & Privacy by Default form
 +
- Privacy By Design Procedure Flowchart.
 +
Annex 4:
 +
- Examples of requests for the exercise of rights.
 +
Regarding these documents:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 66
 +
66/141
 +
- A risk analysis methodology is provided, whose history of
 +
versions dates version 1.0 on 11/24/2017, indicating in the notes of
 +
revision which is an "initial version-working document" and version 1.1 is
 +
dated 05/11/2108 indicating the revision notes “revision prior to the
 +
application of the RGPD ”. There is no evidence that any review has been carried out
 +
later. Various annexes are provided, the date of which does not appear, specifically
 +
These annexes are the following: 1.b) RAT contracting EDPC
 +
- Annex 1.c) RAT risk assessment- EDPC contracting
 +
- Annex 1.e) Impact Assessments -Risk Assessments
 +
- Annex 1.f) Impact evaluations - Reports
 +
The document contained in annex 1.b RAT, contracting EDPC, whose date does not
 +
It consists, includes a treatment purpose not included in the Activity Register
 +
of treatment sent to this Agency on June 17, 2020. Specifically
 +
said treatment that is now included has the following content:
 +
Responsible: EDP Comercializadora SAU
 +
Purpose of the treatment: "Carrying out Scoring of customers of the B2C segment prior
 +
to hiring ”,
 +
Description: “Scoring of customers in the B2C segment prior to the
 +
contracting according to the internal pending debt and information from
 +
solvency (ASNEF). "
 +
Category of data holders: "Clients and potential clients."
 +
Category of personal data processed: "Identifying data and economic data."
 +
Legal basis for carrying out the treatment: "Satisfaction of legitimate interests."
 +
Period of conservation of personal data: “5 years from the end of the
 +
contractual relationship. The certain, past due and enforceable debt derived from the execution of the
 +
contract will be maintained until its cancellation or the limitation period of the actions
 +
pertinent legal recovery. "
 +
Data transfers (data recipients, other than those in charge of the treatment):
 +
“ASNEF is jointly responsible for the treatment, according to the signed agreement
 +
with ASNEF. "
 +
Categories in charge of treatment: The box has no content.
 +
International data transfer: No
 +
Annex 1.c) under the name “RAT Risk Assessment- EDPC Contracting”, whose
 +
date is also not reflected in the document, it contains a risk analysis, in the form
 +
of matrix, the same as that presented on June 17, 2020, although they have added
 +
two columns under the title “treatment requires PIA”, the two titled “Nº of
 +
EDP-W29 criteria ”, the first indicates a number that seems to correspond to
 +
its title and the second indicates the need to carry out an evaluation of
 +
impact. In said matrix there is also a new treatment whose purpose is the
 +
"Scoring clients in the B2C segment prior to hiring."
 +
Various documents entitled impact evaluations are provided, whose date
 +
Nor is it recorded, these impact evaluations are the following:
 +
-Risk assessment of B2C client scoring prior to hiring,
 +
in which, among other threats, the following are indicated:
 +
- “the basis that legitimizes the treatment is not adequate, is illegal or has not been formulated
 +
adequately ”, whose probability is set as high, with an impact rated as
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 67
 +
67/141
 +
very high and resulting in inherent risk High. Regarding the controls implemented
 +
Faced with this threat, it is stated that “the legal basis of the treatment is to satisfy a
 +
legitimate interest (fraud prevention) ”.
 +
- “At the time of data collection, the minimum information is not provided
 +
provided to the person or no information is provided. " In this case
 +
it is considered that neither the probability nor the impact “does not apply, nor is there a risk
 +
inherent, the controls being the “Data Protection clause included in the
 +
contract signed with the client with all the information required by the RGPD ”and the
 +
"Information provided to the client prior to carrying out the scoring process"
 +
-Evaluation of channel leads to be converted by telemarketing
 +
-Risk assessment Telemarketing upselling and dropouts
 +
-CAC channel risk assessment to clients or potential clients (inbound)
 +
-OOCC Channel Evaluation of clients and potential clients
 +
- Risk assessment of third-party stores for sale to potential customers.
 +
In all these impact evaluations, threats are considered among others
 +
many, those related to the fact that “the basis that legitimizes the treatment is not adequate, it is
 +
illegal or has not been properly formulated ”and“ at the time of collection of the
 +
data is not provided the minimum information provided to the person or is not
 +
provides no information "In both cases the probability is valued as high,
 +
the impact as very high and the inherent risk high. Controls are mentioned
 +
adopted, referring to the legitimizing basis of the treatment in the first of the cases
 +
and "Data Protection clause included in the contract signed with the client with
 +
all the information required by the RGPD ”in the second. They are described among the
 +
checks in progress for both threats on all channels except channel
 +
OOCC, “the implementation of a new contracting procedure through
 +
representative, incorporating the sending of an SMS / Email message through which the
 +
provides the basic information necessary in terms of data protection to the owner of the
 +
contract."
 +
The date on which the actions in progress were incorporated into the
 +
corresponding impact evaluations.
 +
THIRTEENTH: On 03/11/2021, a resolution proposal was issued in the
 +
following sense:
 +
FIRST: That the Director of the Spanish Agency for Data Protection
 +
sanction the entity EDP COMERCIALIZADORA, SAU, for an infringement of the
 +
Article 25 of the RGPD, typified in article 83.4.a) and classified as serious for the purposes
 +
of prescription in article 73.d) of the LOPDGDD, with a fine in the amount of
 +
500,000 euros (five hundred thousand euros).
 +
SECOND: That the Director of the Spanish Agency for Data Protection
 +
sanction the entity EDP COMERCIALIZADORA, SAU, for an infringement of the
 +
article 13 RGPD, typified in article 83.5.b) and classified as mild for the purposes of
 +
prescription in article 74.a) of the LOPDGDD, with a fine in the amount of
 +
1,000,000 euros (one million euros).
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 68
 +
68/141
 +
THIRD: That, due to lack of evidence, in application of the principle of presumption of
 +
innocence, it is declared not attributable to EDP COMERCIALIZADORA, SAU, the
 +
infringements of the provisions of articles 6 and 22 of the RGPD.
 +
FOURTEENTH: Notified to the entity EDP COMERCIALIZADORA, SAU the
 +
aforementioned resolution proposal, said entity submitted on 03/15/2021 a written
 +
in which an extension of the term was requested to formulate allegations. Granted the
 +
extension of term, on 04/07/2021 a written statement of
 +
allegations, in which it is requested that the file of the procedure be agreed
 +
sanctioner or, alternatively, the substantial reduction of each sanction proposed to
 +
its minimum amount or its substitution, even for the warning, if applicable. Base
 +
your requests in the considerations summarized below:
 +
ACQUISITION OF THE COMPANY OBJECT OF THE SANCTIONING RECORD. With
 +
preliminary character and for clarification purposes, EDP COMERCIALIZADORA puts in
 +
knowledge of this Agency that, on December 1, 2020, Total Gaz
 +
Electricité Holdings France (“Total Group”) acquired 100% of the shares of EDP
 +
MARKETING COMPANY. As a consequence of the foregoing, the
 +
migration of the website www.edpenergia.es to a new transitory domain
 +
(www.edp-residencialbytotal.es) and the email accounts have been modified
 +
that were previously under the domain @ edpenergia.es.
 +
FIRST.- ALLEGED BREACH OF ARTICLE 25 OF THE RGPD:
 +
(i)
 +
The contracting process through a representative is in accordance with the
 +
normative:
 +
The arguments presented in the allegations to the proposal of
 +
resolution, relating to the freedom of form of the mandate contract in accordance with
 +
provided for in the civil code, in particular it insists that “In this case, it does not seem
 +
that such a wide freedom of form is compatible with obtaining evidence of
 +
the existence of the representation or mandate, beyond the manifestations of the
 +
agent, protected by good contractual faith. Likewise, there is little
 +
understandable that a separate consent is required for the treatment of
 +
your data or a confirmation of the order by the principal, since this
 +
would imply denaturing the representation, inasmuch as it would be absurd that who is
 +
designated for the conclusion of a contract in favor of a third party cannot facilitate
 +
the data of the person on whose behalf it acts, or that confirmation is necessary
 +
separated from it to authorize said communication, since the need to
 +
Addressing the represented person directly would make the representative's intervention useless,
 +
since it would be meaningless. (the underline is from the entity that formulates
 +
the allegations)
 +
Likewise, and in relation to the possibility that the represented party may provide
 +
additional consents to the hiring itself, it should be noted that this
 +
possibility may well have been authorized by the represented in a way
 +
specific, but as the same freedom of form governs for the granting of this
 +
power (which the norm does not oblige in any case to provide in writing), nor is it
 +
its reliable accreditation is required at the time of hiring ”.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 69
 +
69/141
 +
Certainly, article 1725 of the Civil Code provides that the third party may request the
 +
agent that gives him knowledge of his powers to determine if the contracting
 +
is within their perimeter or if you are assuming the risk that the
 +
The principal does not subsequently ratify the actions of the agent. But this regulation is
 +
translates into a burden for the agent, not for the third party, since the interests
 +
that is to be safeguarded are those of the latter, and not those of the president nor
 +
of the principal. Therefore, for the third party it is optional to ask the agent to
 +
give knowledge of the powers with which it claims to act.
 +
In the vision that the AEPD manages in the Resolution Proposal, this obligation
 +
would be aimed, however, not to protect the interest of the third party in terms of
 +
object of the contract made by the agent, but to preserve the interest of the
 +
principal regarding the legitimacy of the agent to express the will of the
 +
principal regarding the processing of their personal data by the third party.
 +
However, this consequence cannot be extracted from the regulation of the Civil Code.
 +
in terms of the mandate contract, in which - as we have just seen - the interest to
 +
protect with the exhibition of powers of the agent is strictly that of the third party, and
 +
not that of the principal, which, in the Civil Code scheme, is safeguarded at
 +
through the power of ratification, the granting of which or not always remains in the hands
 +
of the principal.
 +
Thus, the risks referred to in the Proposal for Resolution (“can be
 +
generate various risks, being able to be mentioned, as an example, the one consisting of
 +
a processing of data of the represented without legitimation, the risk of impersonation of
 +
identity or economic or other damages that may be caused to the
 +
interested party ”) are not such: in the event that the agent has exceeded the
 +
exercise of the mandate, the principal will not be bound by that action, except
 +
his subsequent ratification, from which no harm may actually be suffered unless
 +
that accepts - expressly or tacitly - what has been done by the agent a posteriori
 +
From here on, and as optional power of the third party that contracts with the
 +
agent, if and how the third party exercises that power depends on his will and the
 +
circumstances of the hiring. In this sense, the fact that in hiring in
 +
the channel of own commercial offices EDP COMERCIALIZADORA requires the
 +
representative an accreditation of their status as such, does not prove absolutely nothing,
 +
Unlike what the Motion for Resolution says. Since EDP
 +
COMMERCIALIZADORA, as a third party that contracts with the authorized, enjoys the
 +
the power to carry out this verification or not, whoever does it on some occasions and not
 +
in others, or the fact that it does not perform the same in all contracting channels, is not a source
 +
of any obligation - which is not imposed by law or by contract - but simple
 +
manifestation of the exercise of a permit.
 +
At the doctrinal and jurisprudential level, the exercise of rights of the
 +
personality through voluntary representation, particularly when it comes to
 +
articulate ad hoc authorization for specific acts of intrusion1. That possibility
 +
It should be understood as reinforced when the mandate to exercise a right of the
 +
personality is linked to the empowerment to enter into a contract, of which said
 +
Exercise is a conditioning or complementary element. Thus, the agent o
 +
representative of an artist mandated to celebrate on behalf of his client
 +
a lease for services to perform in a concert hall or
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 70
 +
70/141
 +
record a disc, it is commonly mandated to authorize the organizer of the
 +
show or record company for the use of the artist's voice and image.
 +
Similarly, those authorized to contract with EDP COMERCIALIZADORA in
 +
name of another person, appear first as mandated subjects for the
 +
conclusion of the supply contract, and concomitantly, because it is about
 +
a factor inherent to the hiring itself, they are also to authorize employment
 +
and treatment of the personal data of its clients. In this sense, it turns out
 +
It should be noted that there is no doubt that the processing of data from the
 +
represented that is necessary for the execution of the contract of which the represented
 +
becomes a party, it should be considered a fully lawful treatment in light of the
 +
Article 6.1.b) of the RGPD.
 +
But in addition, as long as it is possible to establish that the president has standing to
 +
take all relevant decisions within the framework of the recruitment process for the
 +
that has been empowered, the consent that said agent provides on the
 +
data processing of the represented party and that EDP COMERCIALIZADORA collects for
 +
one or more specific purposes within the framework of the contracting process, allows
 +
consider equally lawful the treatment of the data thus obtained ex article 6.1.a)
 +
of the RGPD or any other basis of legitimacy. And it is that, who hires on behalf
 +
of another - once it is assumed that he acts in such a condition - he must be able to lend the
 +
same consents regarding personal data as the interested party if
 +
it was this who concluded the contract, and this whether the contract is concluded in situ
 +
in a business office as if it is held over the phone.
 +
It must be concluded, contrary to what the AEPD indicates in the Proposal for Resolution,
 +
what:
 +
(i)
 +
EDP ​​COMERCIALIZADORA is not obliged to carry out with third parties
 +
authorized who contract through the telephone channel or sales forces
 +
external no verification of the existence and scope of its
 +
mandate, nor a fortiori does this verification have to be analogous to the one
 +
eventually carry out with those who contract through offices
 +
own commercials;
 +
(ii)
 +
(ii) in the power to contract the service through an authorized third party
 +
resides the power to give the consents inherent to the process of
 +
contracting, including those related to the processing of personal data;
 +
(iii)
 +
and (iii) the legality of the treatment by EDP cannot be questioned
 +
MARKETER of the personal data of those who contract with
 +
it through an authorized third party, either through commercial offices
 +
own or through the telephone channel or through sales forces
 +
external, for the simple fact of having contracted through a third party
 +
authorized, insofar as the legal basis for data processing
 +
personal information of a person acting through representation should
 +
be the same as when acting on your own behalf.
 +
(ii) EDP COMERCIALIZADORA has correctly assessed the real risks and
 +
implemented the appropriate mitigating measures.
 +
It reiterates that the risk assessments provided in this procedure are
 +
in accordance with the data protection regulations and the AEPD guides, in force in the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 71
 +
71/141
 +
timing of the analysis, and identify the actual risks applicable to the
 +
different hiring processes.
 +
The AEPD, in its Resolution Proposal, refers to hypothetical or theoretical risks
 +
that he cites, in addition, merely as an example and of those that does not offer greater detail or
 +
Explanation.
 +
As explained in the previous point and in the Allegations to the Initiation Agreement,
 +
These risks are non-existent or lack a sufficient entity for their
 +
consideration. Thus, it can be affirmed against the list contained in the Proposal for
 +
Resolution - not exhaustive since the list of the AEPD is a mere title
 +
example -, among others: (i) that there is no risk of identity theft in
 +
so much so that there is representation and mandate, (ii) that there is no economic damage to
 +
those interested in so far as the cost is assumed by EDP COMERCIALIZADORA in all
 +
case; or (iii) that there is no risk of lack of legitimation basis as EDP
 +
COMERCIALIZADORA may assume, in accordance with the aforementioned civil legislation
 +
and in accordance with the legal framework applicable to these contracts, the existence of
 +
authorization to the agent for data processing and (iv) that, in the event of
 +
excess, the principal's interests are safeguarded by his right to
 +
ratify or not the actions of the president outside the limits of the mandate.
 +
For this reason, EDP COMERCIALIZADORA has correctly assessed the risks
 +
real rates of the different contracting channels according to an analysis
 +
solid legal - and doctrinally and jurisprudentially supported - of the figure of the mandate
 +
in the Spanish legal system and has implemented mitigating measures
 +
appropriate in relation to such risks. The risk analysis carried out is, therefore,
 +
coherent and was carried out in accordance with the legal institute of the civil mandate and its
 +
jurisprudence.
 +
To the extent that the consistency of the analysis carried out has been established, the
 +
AEPD must assess the analysis in accordance with these consolidated civil criteria or, if
 +
on the contrary, the AEPD considers that a different legal criterion should be adopted and
 +
contrary to that of civil regulations and its established jurisprudence, it must substantiate
 +
its legal basis in any way in order to allow EDP COMERCIALIZADORA its
 +
understanding and defense. In any case, EDP's interpretation of the mandate
 +
MARKETING COMPANY in accordance with the regulations, jurisprudence and civil doctrine
 +
-including that relating to personality rights- should be interpreted in a good way.
 +
faith and exclude any guilt on your part.
 +
(iii) Hiring through a representative constitutes a very high proportion
 +
minority of the total contracts made by EDP COMERCIALIZADORA.
 +
It is essential to point out that contracting through a representative constitutes
 +
a minority part of the total contracts carried out by EDP
 +
MARKETING COMPANY. Specifically, of the total number of contracts that EDP
 +
COMMERCIALIZADORA carried out in 2019, less than 13% corresponds to hiring
 +
through representatives of which in less than 1.8% the representative and the
 +
represented would not have a family relationship.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 72
 +
72/141
 +
Therefore, when the AEPD states that EDP's contracting procedure
 +
COMERCIALIZADORA violates the principle of data protection from the design, the
 +
erroneously does, in strict defense terms, as if the
 +
contracting procedure in its entirety violates said principle. Furthermore, at the
 +
When quantifying the sanction, the AEPD refers to the global billing volume of
 +
EDP ​​COMERCIALIZADORA to quantify it, when it should take into account
 +
exclusively, and where appropriate, the billing data (volume) generated by the
 +
eventual alleged breach -related exclusively to the hiring by
 +
representation-.
 +
It should also be taken into account that, in any case, the AEPD could have invoked the
 +
article 83.2.k) of the RGPD and article 76.2. (c) of the LOPDGDD (“the benefits
 +
obtained as a consequence of the commission of the offense ”) to graduate the sanction
 +
proposal. Therefore, in the hypothetical and eventual case that it is considered infringed
 +
Article 25 of the RGPD, the maximum volume of business obtained by EDP
 +
MARKETING COMPANY to take into account should be 2,550,000 euros
 +
approximately, which is the amount obtained “as a consequence of the [eventual]
 +
infringement ”, that is, in contracting by representation, and not in the global
 +
hiring. In this sense, the annual turnover of contracting through
 +
representative would represent 0.26% (approximately) of the business volume
 +
Annual total of the entire client portfolio of EDP COMERCIALIZADORA. Also, the
 +
sanction that this Agency proposes to impose on EDP COMERCIALIZADORA for this
 +
infringement presupposes 20% of the turnover of the contracting through
 +
representative. Since the profit is much lower than the turnover, the penalty
 +
proposal would be disproportionate to the same
 +
In an administrative procedure of a sanctioning nature, counting how it did
 +
the AEPD with objective and sufficient quantifying criteria in relation to the volume
 +
(marginal) that the representation supposes, it is especially relevant the fulfillment
 +
of the principles of proportionality of the sanction and legality and should, therefore,
 +
have taken into account: (i) That the part that corresponds to the procedures of
 +
representation hiring is a small and very limited part of the
 +
EDP ​​COMERCIALIZADORA's global contracting procedure, and, therefore, must
 +
take into account the low magnitude of the contracting that has the use of this type
 +
contracting at EDP COMERCIALIZADORA, being a type of contracting
 +
minority. In addition, as stated in the information provided in this
 +
procedure, there is a single claim before the Agency during the years 2018-
 +
2019 (with respect to a total of 33,848 hires made through
 +
representative), which reflects the low relevance and materialization of the risks
 +
attributed by the AEPD to the contracting process implemented by EDP
 +
MARKETING COMPANY.
 +
That the AEPD's proposed sanction of five hundred thousand (500,000) euros has been
 +
made in the Proposal for Resolution erroneously by attending to a factor not
 +
provided for in the regulations (the volume of business and the status of large company) and by
 +
take into account the volume of recruitment and the global profits of EDP
 +
MARKETING COMPANY -which include both direct contracting (majority) and
 +
hiring by representation (minority) -, which has nothing to do with “the benefits
 +
obtained as a consequence of the commission of the offense ”to which it refers
 +
expressly article 83.2.k) of the RGPD and article 76.2. (c) of the LOPDGDD -the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 73
 +
73/141
 +
Which would represent 0.26% of the business volume-. Therefore, in a way
 +
subsidiary and in the hypothetical case that the AEPD questions the validity of the mandate
 +
civil law for the contracting procedures and declare the offense committed, the
 +
quantification of the eventual sanction should be significantly corrected to have
 +
take into account the real volume of business generated by contracting by representation
 +
exclusively.
 +
All of the foregoing makes clear the disproportionality of the sanction proposed in the
 +
Resolution motion
 +
Lastly and without prejudice to the foregoing, despite the fact that EDP COMERCIALIZADORA
 +
does not consider that its action deserves any legal reproach, in view of the
 +
suggestions made by the AEPD, EDP COMERCIALIZADORA informs the
 +
AEPD that it has proceeded to reinforce the contracting process by means of
 +
representative in line with the protocol that was already provided to the AEPD on
 +
July 2020. This protocol, which was submitted to the AEPD on a voluntary basis and before
 +
of the beginning of the present sanctioning procedure, it was aimed precisely at
 +
collaborate with this Agency to reach an agreed procedure regarding
 +
representation and to satisfy the proposals that the AEPD may have.
 +
In the Allegations to the Initiation Agreement, EDP COMERCIALIZADORA responded
 +
in addition to the doubts raised by the AEPD regarding its content and
 +
implementation and confirmed that it is a procedure with double verification by
 +
SMS and in compliance with the best market standards. For these purposes, the
 +
AEPD must take into account: (i) that EDP COMERCIALIZADORA contacted
 +
proactively in July 2020, without success, with the AEPD to present a new
 +
protocol that proposed changes in the contracting procedure by
 +
representation. Far from being considered, as the Proposal for Resolution does,
 +
negatively and against EDP COMERCIALIZADORA, that proactivity as
 +
sign of acknowledgment of guilt -the arguments of legality have already been made
 +
previously-, the cooperation proposal with the AEPD should be valued as a
 +
a sign of good faith and of EDP COMERCIALIZADORA's firm commitment to the
 +
compliance with data protection regulations and the improvement of its processes as well
 +
as a mitigating circumstance in the graduation of the sanction (article 83.2.f) of the
 +
GDPR);
 +
(ii) that despite not obtaining a response other than the opening of this
 +
procedure, EDP COMERCIALIZADORA in light of the AEPD's comments in
 +
the Initiation Agreement and the Proposal for Resolution, has eliminated from its procedure
 +
contracting by representation the possibility of requesting consents for
 +
marketing and commercial purposes referred to by the AEPD on the pages
 +
112, 113 and 114 of the Proposal. Attached as Documents No. 1 and No. 2 example of
 +
contract and voice-over script for the telephone channel that evidence this elimination.
 +
To the extent that EDP COMERCIALIZADORA has adopted measures to adjust its
 +
procedure to the proposals of the AEPD, this circumstance, in accordance with article
 +
83.2.c) of the GDPR should also be considered as an extenuating circumstance
 +
for the graduation of an eventual sanction, and
 +
(iii) that EDP COMERCIALIZADORA confirms to the AEPD that the new protocol -with
 +
the content communicated in July 2020- is already implemented for all channels
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 74
 +
74/141
 +
hiring, since last January . Attached again to this writing
 +
as Document No. 3, the contract protocol for the aforementioned representative.
 +
In document number 1 under the title durable support, a company acting as
 +
Trusted third party certifies that the data included in the document are those that
 +
They are recorded in your electronic communications and processes record. Such data is the
 +
sending an e-mail with an associated URL, in relation to a contract,
 +
informing the recipient that a person has made the contracting on their behalf
 +
related to your energy supply / services. It is provided as a document
 +
I enclose the contract, in which there are no references to consents for the
 +
sending commercial communications or for the realization of profiling, and the
 +
general contracting conditions.
 +
Document 2 has the following content:
 +
Registration (representative) ML - Spanish
 +
"[XXX] we will record your agreement. It is [hh: mm] on [dd] of [mm] of [20XX].
 +
[name and surname] with DNI [DNI number], as [husband / wife / child / attorney / representative] and in
 +
representation of the holder [name and surname / company name] with DNI / CIF [DNI / CIF number] telephone
 +
[phone] and email [email] accepts EDP Residencial's offer for the address
 +
[supply address] consisting of [plan conditions -dto. in light-] for [CUPS
 +
LIGHT: ES…] on the current EDP Residential price of electricity [price of power (€ / kW
 +
month) and energy term price (€ / kWh)] and / or [plan conditions -dto. in gas] for [CUPS
 +
GAS: ES…] and current EDP Residential gas price [price term availability (€ / month) and
 +
term energy price (€ / kWh)]; and / or It works [annual price of the service, plan conditions
 +
promotion works].
 +
[If the collection date is not chosen] The payment method chosen is [direct debit at your
 +
current account / in the account ...] and will be charged on the date indicated on the invoice.
 +
[If the collection date is chosen] The payment method chosen is [direct debit at your
 +
current account / in the account ...] and will be charged on a specific date, the days [DD] of
 +
month. In that case, the payment period may be less than or greater than the 20 days established in
 +
the normative".
 +
On behalf of your client and after passing an analysis of the risk of the operation, we will
 +
the necessary steps to activate the access contracts, at which point the user will enter
 +
the new contract is in force.
 +
The contract (s) is / are not permanent and will have a duration of one year, extendable for
 +
The same period except for a 15-day advance complaint. Are you satisfied with the above
 +
information and conditions of the contract / s? [Yes / Ok]. Thank you.
 +
In a few days, your client will receive the contract (including withdrawal document) for
 +
duplicate, of which you only have to return one of the copies signed in the envelope
 +
self-postage, you do not need a stamp, which we will attach.
 +
Your client has 14 calendar days to exercise their right of withdrawal. Not
 +
However, if you request it, we can start the procedures now. In that case, yes
 +
subsequently withdraw from the contract, you must pay the amount corresponding to the period of
 +
supply borrowed. Do you want your hiring to be processed immediately? [OTHERWISE]
 +
With the entry into force of the contract, your client will receive the invoice from EDP Residencial
 +
with all our advantages.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 75
 +
75/141
 +
Your personal data and that of your client may be processed by EDP Residencial to
 +
the management of your contracts, fraud prevention, profiling based on
 +
customer information and EDP Residencial, sending personalized communications about
 +
related products or services, as well as participating in sweepstakes, promotions and surveys
 +
of quality, being able to oppose at any time.
 +
[Read only legal persons calling on behalf of a business] Also, so that
 +
we can advise you with the best proposals: • Can you allow us to present your client
 +
offers related to energy after the end of the contract, or send you information on
 +
non-energy products and services, typical of Collaborating Companies? [YES / NO] • Do we
 +
allows you to complete the business profile of your client with information provided by
 +
third parties, to send you personalized proposals? [OTHERWISE]
 +
Shortly, the Distributor's technicians will contact you. [Remember that you must
 +
give them the Certificate of Individual Gas Installation, when they begin to register].
 +
[Altas Gas] For your safety, we remind you of the legal obligation to collaborate with your Company
 +
Distributor, facilitating access to its facilities. This request has been registered with the
 +
code [we indicate the code] "
 +
THIRD.- ALLEGED BREACH OF ARTICLE 13 OF THE RGPD
 +
(i)
 +
Regarding the information provided in the CAC Inbound Channel.
 +
It indicates that it provides the information regarding the processing of personal data to
 +
through a multi-layered system. Thus he reiterates that in all calls
 +
incoming messages, a voiceover is automatically reproduced that informs of the following
 +
“This call can be recorded. The data you provide us will be processed by
 +
EDP ​​Energía, SAU and / or EDP Comercializadora, SAU to manage your request
 +
or query. You can exercise the rights of access, rectification, deletion, opposition,
 +
limitation and portability at any time. See the Privacy Policy at
 +
our website edpenergia.es or press 0 "
 +
It indicates that the address provided to users has been updated in the locution,
 +
currently indicating edp-residencialbytotal.es/privacidad, so that, if the user
 +
type that address in the browser, access -directly and easily- to the
 +
information related to data protection.
 +
The interested party can consult the second layer through the privacy policy of
 +
the web page or by pressing 0. In this case, a voiceover is reproduced whose content is
 +
the next:
 +
"The use of this TELEPHONE CHANNEL does not oblige the user to provide any information
 +
about himself. However, to use certain services or access certain
 +
content, users must previously provide some personal data.
 +
In the event that the user provides personal information, we inform you that the
 +
data will be PS / 00037/2020 Brief of allegations to Resolution Proposal 15/37
 +
treated by EDP Energía, SAU and EDP Comercializadora, SAU, with registered office at
 +
Oviedo, Plaza del Fresno 2, 33007 and NIF A33543547 and A95000295 respectively, in
 +
hereinafter "EDP", as data controllers, as established by the Regulation
 +
General Data Protection ((EU) 2016/679), hereinafter "RGPD", and its regulations on
 +
growth.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 76
 +
76/141
 +
Specifically, your data may be processed, when the user so requests, to manage the
 +
attention and follow-up of requests and inquiries directed through the website, as well as
 +
for conducting surveys and participating in raffles, games and promotions.
 +
The data requested will be mandatory and limited to those necessary to proceed with
 +
the provision and / or management of the requested service, which will be conveniently informed in
 +
the time of collection of your personal data. In case of not providing them or not
 +
provide them correctly, the service will not be provided.
 +
In these cases, the user guarantees that the personal data provided is true and is
 +
is responsible for communicating any changes to them.
 +
In the case of the procedures processed through the TELEPHONE CHANNEL and the registration in the
 +
itself, the data processing carried out is based on the legal relationship derived from
 +
your request.
 +
The processing of data for conducting surveys is based on the legitimate interest of EDP
 +
in order to improve the quality of the services provided to customers and / or users, being able to
 +
oppose said treatments at any time, without affecting the legality of the
 +
treatments carried out previously.
 +
In no case may they be included in the forms contained in the TELEPHONE CHANNEL
 +
personal data corresponding to third parties, unless the applicant
 +
had previously obtained your consent in the terms required by article
 +
7 of the RGPD, responding exclusively to the breach of this obligation and
 +
any other regarding personal data.
 +
The personal data of the users registered on the website may be transferred to the
 +
Public Administrations that by law correspond, to other companies of the business group
 +
for internal administrative purposes, and to the providers of the data controller
 +
necessary for the proper fulfillment of contractual obligations.
 +
Personal data will be kept for the duration of your supply contract with
 +
EDP, in all other cases, during the time necessary to answer your requests or to
 +
analyze the content of your responses to surveys. Once the relationship is over
 +
contractual, answered their requests or analyzed their responses, as appropriate in
 +
each case, your personal data will be erased, keeping the rest of the information
 +
anonymized for statistical purposes only. Notwithstanding the foregoing, the data may
 +
be kept for the period established to comply with the legal obligations of
 +
maintenance of the information and, at most, during the prescription period of the
 +
corresponding legal actions, and the data must be kept blocked during the
 +
mentioned limitation period. After this period, the data will be deleted.
 +
In application of the provisions of article 32 of the RGPD, EDP undertakes to comply with the
 +
security obligations of those data provided by users, trying to establish
 +
all technical means at your disposal to avoid loss, misuse, alteration, access not
 +
authorized and theft of the data that the user provides through it, taking into account the
 +
state of technology, the nature of the data provided and the risks to which they may
 +
be exposed. Notwithstanding the foregoing, the user must be aware that the measures
 +
security in the TELEPHONE CHANNEL are not impregnable.
 +
EDP ​​will treat the user's data confidentially, at all times, keeping the
 +
mandatory duty of secrecy regarding them, in accordance with the provisions of the regulations
 +
of application.
 +
The user can exercise their rights of access, rectification, deletion, opposition,
 +
limitation and portability, as well as the revocation of the consents granted
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 77
 +
77/141
 +
previously, in the terms established by law, communicating it in writing to EDP, at the
 +
following address: LOPD Communication Channel, Plaza del Fresno, nº2, 33007 Oviedo.
 +
Likewise, you can exercise these rights by sending an email with your data
 +
personal to cclopd@edpenergia.es. In both cases, a photocopy of the
 +
ID of the holder or document that proves their identity.
 +
Likewise, you may contact the EDP Data Protection Officer, at the
 +
following postal address: Plaza del Fresno, 2 33007 Oviedo or by email
 +
dpd.es@edpenergia.es, in the event that you understand that any of your rights have been violated
 +
related to data protection, or where appropriate, file a claim with the
 +
Spanish Agency for Data Protection at the address Calle de Jorge Juan, 6, 28001
 +
Madrid".
 +
In the hiring process, the following is reported again: “Your data
 +
personal and those of its client will be treated by EDP Comercializadora SAU and
 +
EDP ​​Energía SAU for the management of its contracts, fraud prevention, execution
 +
of profiles based on customer and EDP information, as well as the performance of
 +
personalized communications about directly related products or services
 +
with their contracts, being able to oppose them at any time ”.
 +
Therefore, it is not possible to blame a lack of information to those interested in the
 +
incoming calls while the information referred to in the first informational layer
 +
(ie, the one provided at the beginning of each call) complies with the information
 +
necessary of article 11 of the LOPDGDD (that is, identity of the person in charge, purposes of
 +
treatment and possibility of exercising rights) and a direct means and
 +
easy to access the rest of the information (by accessing the website or
 +
pressing 0). It is important to note that the speech of the first informational layer is
 +
automatically plays at the beginning of each incoming call and, therefore,
 +
Therefore, it is mandatory to listen to all interested parties who make a call. For
 +
For this reason, all those interested before reaching the contract have already been
 +
informed about the possibility of exercising their rights and how to access the
 +
rest of information about the treatment of your data. Also, before the
 +
contracting, EDP COMERCIALIZADORA reminds interested parties - through a
 +
second locution- part of the basic information on data protection.
 +
In accordance with article 13.4 of the RGPD, the obligation to inform does not apply
 +
to the extent that the interested party already has the information; in the case that we
 +
occupies, taking into account that the initial speech is reproduced automatically
 +
In each call, it is sufficiently proven that any interested party who
 +
puts in contact with EDP COMERCIALIZADORA through the CAC Inbound Channel
 +
receives the information regarding the protection of personal data. In this sense, the
 +
Article 29 Group (now known as the European Committee for the Protection of
 +
Data) indicates in its Guidelines on Transparency under Regulation (EU)
 +
2016/67 (“Transparency Guidelines”), it should be understood that article 13.4
 +
of the RGPD is applicable in those cases in which the information had
 +
been provided, for example, in the previous six months. Regarding the
 +
Canal CAC Inbound, not only would have spent a time clearly less than 6 months
 +
rather, the time span can be measured in minutes, so it is clear that the
 +
interested party knows, knows and remembers perfectly the information on protection of
 +
data without it being necessary to reiterate this information
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 78
 +
78/141
 +
(ii)
 +
Regarding the information provided in the Telemarketing channels and
 +
Leads
 +
It points out that this Agency questions the means to access the second layer
 +
informative (ie, the General Conditions available on the website
 +
edpenergia.es) be "simple and immediate"
 +
It indicates that EDP COMERCIALIZADORA has accredited in the present
 +
the following procedure: • First, the information on the protection of
 +
data (i) is clearly identified within the general conditions of
 +
contracting of EDP COMERCIALIZADORA (in section 16 and entitled LOPD) and
 +
(ii) occupies one of the four pages of the document in length, so its
 +
location has no loss for the interested party.
 +
Please inform this Agency that you have created a separate document containing,
 +
exclusively, the data protection information of the conditions
 +
general contracting, which is easily accessible through its own
 +
website and at the following address: www.edp-residencialbytotal.es/rgpd ; So what
 +
likewise, the general contracting conditions continue to include the
 +
clause relating to the processing of personal data, so that the interested party
 +
You have various means through which you can access the information
 +
In a simple way.
 +
• Secondly, it alleges that the way in which the information on the
 +
The second layer of information can be diverse and, as such, has been recognized by the
 +
data protection authorities. As indicated in the Allegations to the
 +
Initiation Agreement, when the contracting occurs, the conditions are sent
 +
general contracting - which includes the specific clause regarding
 +
Data Protection-; therefore, making this information available to
 +
through the website should be understood as an alternative system and
 +
complementary.
 +
In this sense, the Transparency Guidelines expressly indicate that
 +
“When the first contact with an interested party is by telephone, this
 +
information [first informational layer] could be provided during the call with the
 +
interested party and he could receive the rest of the information required under the
 +
Article 13 or 14 by an additional means other than, for example, by sending you a
 +
copy of the privacy policy by email or a link to the
 +
online privacy statement / notice of the person in charge ”.
 +
In accordance with the criteria of the competent authorities, including the AEPD, EDP
 +
COMMERCIALIZADORA would not have committed an infringement of the duty of
 +
transparency, while complete information on data protection
 +
(with the content required by the regulations) is contained within the conditions
 +
general contracting that are sent to the interested party after contracting. The
 +
Transparency Guidelines also indicate that, depending on the circumstances
 +
of the collection and processing of data, a data controller could
 +
be forced to additionally use other possible means of transmitting the
 +
information to stakeholders applicable to the relevant settings provided that the
 +
information from the first informational layer is transmitted in the first mode
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 79
 +
79/141
 +
used to communicate with the interested party. For this reason, EDP
 +
COMERCIALIZADORA complies with its obligation of transparency by facilitating the
 +
information from the first informational layer by telephone and the second layer
 +
informative in writing (either physical or electronic document). That's it
 +
It is important to note that the most transparent and suitable way for the interested party
 +
receive information about the processing of your personal data is by including it
 +
together with the information on the contracting of services, as this is
 +
the circumstance with which the processing of your data is related and is, in addition,
 +
a document that the interested party will keep during their contractual relationship with
 +
EDP ​​COMMERCIALIZADORA.
 +
(iii)
 +
Regarding the content of the information provided by telephone and in the
 +
general conditions:
 +
• Specification of the data controller:
 +
The AEPD questions the clarity with which the interested party knows which entity acts
 +
as responsible for the treatment, however, as accredited in the conditions
 +
general contracting of EDP COMERCIALIZADORA (provided as evidence
 +
6) of this procedure, the client is informed about the identity of the person in charge
 +
of the treatment through the privacy policy in relation to the conditions of
 +
hiring:
 +
Privacy policy: "the data will be processed by EDP Comercializadora SAU and
 +
EDP ​​Energía SAU ”.
 +
Specific conditions of the contract:
 +
"The customer contracts, for the supply indicated, the supply of gas with EDP
 +
Comercializadora, SAU and the supply of electricity and / or services
 +
complementary with EDP ENERGIA, SAU, (hereinafter joint and / or
 +
individually, as appropriate, referred to as “EDP”) in accordance with the Conditions
 +
Specific that are collected below and the General Conditions in annex ”.
 +
As explained in the allegations to the Initiation Agreement, information is included
 +
on both entities while, depending on the service requested by the
 +
interested party (gas and / or electricity), one or another entity will be responsible for the treatment
 +
(or both if the interested party hires both services). Therefore, the
 +
interested party -which has full capacity to contract and, therefore, is
 +
assumes that you should be able to understand the terms and conditions that
 +
govern such contracting, you are aware at all times that, depending on how you contract
 +
the gas and / or electricity supply service, your data will be processed by one or
 +
both entities.
 +
• Purposes and bases of legitimation
 +
It is alleged that neither article 13 of the RGPD nor any other legal precept requires that the
 +
privacy policy list each purpose specifically indicating the basis of
 +
legitimation that results from application. Even so, when it comes to treatments
 +
subject to consent, if it is expressly indicated which they are. In any case, as
 +
was already indicated in the Allegations to the Initiation Agreement, in the case of the bases of
 +
legitimation of "contractual performance" and "legitimate interest", it is evident for
 +
anyone who hires EDP's supply services
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 80
 +
80/141
 +
MARKETING COMPANY that the treatments closely linked to the execution
 +
of the contract such as “manage, maintain, develop, complete and control the
 +
contracting supply of electricity and / or gas and / or complementary services of and / or
 +
gas and / or complementary services of revision and / or technical assistance and / or program of
 +
points, and / or improvement of the service ”find their basis of legitimacy in the execution of the
 +
contract, being the other treatments assignable to the legitimate interest (e.g. the
 +
carrying out fraud prevention actions or sending communications
 +
commercial). Legitimate interests are clearly stated and placed in
 +
relationship with the purposes pursued (that is, fraud prevention and
 +
marketing, in relation to the sending of commercial communications
 +
personalized) and since there is an identification between the reported purpose and the
 +
pursued self-interest, making a separate allusion would be redundant.
 +
• Profiling
 +
It is stated in the allegations that in the Resolution Proposal, the AEPD considers
 +
that, in relation to "profiling", it is not clear what its purpose is or
 +
the legitimate interest that supports the treatment. In this sense, the AEPD states in
 +
the Proposed Resolution as follows: “In this case, in the opinion of this
 +
Agency, the information requirements described above. EDP ​​COMMERCIALIZADORA,
 +
SAU, is limited to reporting on the "profiling", but does not offer a
 +
information on the type of profiles to be carried out, the specific uses to which
 +
these profiles or the possibility that the interested party can exercise the
 +
right of opposition in application of article 21 of the RGPD. " However, the
 +
Profiling is associated with the sending of commercial communications
 +
personalized: “will be treated (...) for the purpose of (...) profiling,
 +
personalized commercial communications based on information provided by the
 +
Client and / or derived from the provision of the service by the Marketer / s and
 +
relating to products and services related to the supply and consumption of energy,
 +
maintenance of facilities and equipment ”.
 +
While the wording could have included “for the submission of” (that is, the text
 +
out "as well as making profiles for sending commercial communications
 +
based on information provided by the Client (...) ”), this absence does not
 +
It should be understood that EDP COMERCIALIZADORA violates article 13 of the
 +
GDPR.
 +
• Exercise of rights:
 +
It is alleged that in the opinion of the AEPD, it should be expressly indicated which are the
 +
treatments to which the right of opposition applies. However, as I already know
 +
stated in the Allegations to the Initiation Agreement, the obligation to detail the
 +
specific treatments to which the interested party has the right to oppose not only is it not
 +
an obligation contained in the RGPD, the LOPDGDD or any other regulation of
 +
application, but also the AEPD in its guides and tools (among others, the Guide
 +
for the fulfillment of the duty to inform2 or the Facilita tool3) does not indicate that
 +
The informative clauses on the right to object must specify the
 +
treatments on which the right of opposition applies, not even as an example of
 +
Good practice. In any case, EDP COMERCIALIZADORA expressly indicates that
 +
the interested party may object to some voluntary treatments such as the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 81
 +
81/141
 +
promotion, profiling, automated decision-making, and
 +
realization of commercial offers.
 +
It points out that the motion for a resolution indicated that: “It is imprecise to indicate
 +
that the interested party may oppose the automated decision-making of their
 +
personal information. These can only be carried out by the person in charge in the
 +
assumptions provided for in article 22 of the RGPD, based in the present case on the
 +
consent of the interested party, so he must be able to know that he can revoke
 +
the consent given for the adoption of such decisions in any
 +
moment, without prejudice to being informed of the rights conferred by the
 +
Article 22 to the interested parties. " It is alleged that the semantic and technical nuance associated with
 +
the terms "opposition" and "revocation" in the context of the exercise of rights do not
 +
can have an impact on the interested party, since with both terms the user achieves a
 +
same objective, which is that a treatment specifically identified in the policy
 +
stop occurring.
 +
Furthermore, the term used by EDP COMERCIALIZADORA (opposition) in the
 +
The context of this type of treatment is understood in the regulations and by the
 +
market in a broader way - and therefore more guarantee - since it allows the
 +
user delete a treatment is based on consent, is based on interest
 +
legitimate.
 +
• Treatments based on consent:
 +
The AEPD considers that the information on the treatments subject to consent
 +
it is not completely clear. However, this part cannot agree with
 +
this interpretation for the following reasons:
 +
In the first place, the AEPD questions that in point (IV) it is not clear as to what
 +
data refers to the phrase "the results obtained from the aggregation of the data
 +
indicated ”and argues the existence of confusion as to whether the aggregated data
 +
are those referred to in point (II) and / or in point (III). However, as manifested
 +
in the Allegations to the Initiation Agreement, from reading it is clear that "the results
 +
obtained from the aggregation of the indicated data ”refers to the indicated data
 +
above, that is, the data referred to in point (II) and (III), since it is evident that
 +
the use of the anaphoric term "indicated" refers to the data referred to in the points
 +
previous.
 +
Second, the AEPD states that the difference in data processing
 +
advertising this point with the previous points is not obvious. However, the
 +
difference is clear:
 +
the advertising treatment derived from point (I) refers to offers of "services
 +
financial, payment protection services, automotive or related and electronics,
 +
own or third parties, offered by EDP and / or participation in contests
 +
promotional, as well as for the presentation of related commercial proposals
 +
to the energy sector after the end of the contract ”, that is, services offered by
 +
EDP ​​COMERCIALIZADORA not related to the contracted services but to the
 +
energy sector or other sectors such as financial or automotive and in addition to
 +
generic type - not custom;
 +
▪ point (II) refers to “personalized products and services”, that is, offers
 +
tailored to the customer's business profile; Y
 +
▪ point (IV) refers to “making personalized offers, specifically aimed at
 +
to achieve the contracting of certain products and / or services from EDP or third parties
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 82
 +
82/141
 +
entities ”, that is, to the realization of personalized offers with an objective
 +
specifically to achieve the sale of certain products or services, being the
 +
personalization not only with respect to the client but also with respect to the concrete
 +
service or product offered.
 +
The AEPD's criticism of the granularity offered by EDP COMERCIALIZADORA does not
 +
can be understood in the light of its own recommendations and those of the European Committee
 +
of Data Protection, which ask for precisely such detail and granularity.
 +
FOUR.- COOPERATION AND PROACTIVE ATTITUDE OF EDP
 +
MARKETING COMPANY.
 +
EDP ​​COMERCIALIZADORA is studying and analyzing the implementation of the
 +
timely measures with a view to the adoption and adaptation to the recommendations,
 +
best practices and the criteria established by the AEPD both in the present
 +
procedure as in their guides and publications (in addition to the improvements already
 +
implanted referred to above), in order to improve all its
 +
data protection policies, clauses and general conditions through the
 +
which is informed about the treatment of the personal data of its clients and
 +
Potential customers
 +
FIFTH.- BREACH OF THE PRINCIPLE OF INTERDICTION OF THE
 +
ARBITRARINESS.
 +
It is noted that certain recommended practices (and even applied by the AEPD in
 +
their own privacy policies) have served in this case to argue and
 +
motivate the alleged infringements committed by EDP COMERCIALIZADORA (for
 +
For example, the presentation of information related to the exercise of rights of the
 +
interested parties included in the Second Allegation). These aspects that, a priori, the AEPD
 +
recommends and puts into practice, considering them examples that fit the
 +
applicable regulations, are used as infringing elements to justify the
 +
alleged breach of different legal precepts by EDP
 +
MARKETING COMPANY.
 +
SIX.- LACK OF GUILT IN EDP'S ACTION
 +
MARKETER-
 +
By virtue of all the above, the actions of EDP
 +
COMMERCIALIZADORA cannot be considered guilty in the eventual commission of
 +
the administrative illicit in the matter of data protection that are imputed to him. In the
 +
administrative sanctioning environment it is not enough that the conduct is typical and
 +
unlawful (which in this case, it is not either), but is also a requirement
 +
it is inescapable that he is guilty, that is, a consequence of an imputable act or omission
 +
to the person responsible for fraud or inexcusable fault, without any fate being admissible
 +
of strict liability that exempts the Administration from accrediting
 +
the requirement of guilt or intentionality in the commission of the
 +
infringement. (Judgments of the Supreme Court of July 9, 1994, May 16,
 +
1995, December 12, 1995, January 12 and 19, 1996, April 15, 1996, between
 +
many others.)
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 83
 +
83/141
 +
It is also worth mentioning that the appreciation of the subjective element of the
 +
offense is determined by the degree of predictability it had for the subject
 +
affected that their conduct could be considered typical and unlawful and, therefore,
 +
liable to be sanctioned. The subjective element of guilt can only
 +
concur when, in view of the existing situation at the time of the
 +
conduct, the subject could reasonably anticipate that he was committing a
 +
infringement Sentences of the Hon. Third Chamber of the Supreme Court of May 8
 +
from 2003 - ref. Aranzadi RJ 4209—, of July 7, 2003 - ref. Aranzadi RJ 5832—,
 +
and of January 28 and 27, 2010 - ref. Aranzadi RJ 1362 and 1357.
 +
Likewise, the doctrine of contentious-administrative courts has excluded the
 +
concurrence of the essential guilty element when the subject who has
 +
objectively committed the offense has acted based on a reasonable
 +
interpretation of the legal system.
 +
A reasonable interpretation of the applicable regulations, even if it is not ultimately
 +
considered correct by the courts, excludes guilt, especially in
 +
those cases in which the applicable legal norms are not clear or univocal.
 +
SEVENTH.- SUBSIDIARILY, THE PROPOSED SANCTIONS ARE
 +
MANIFESTLY DISPROPORTIONATE AND SHOULD BE APPLIED
 +
ATTENUATING CIRCUMSTANCES.
 +
In short, analyzing each of the alleged infractions that are attributed to
 +
EDP ​​COMERCIALIZADORA, it can only be interpreted that there is an absolute
 +
disproportionality in the interpretation made by the AEPD in the Proposal for
 +
Resolution, not only because it lacks motivation when it comes to considering the
 +
alleged infringement, but because of the fact that the proposed sanctions are beyond
 +
any criteria previously assessed by the AEPD itself. In this sense,
 +
It should be added that the amounts of previous sanctions imposed in cases of
 +
Similar facts are not comparable to the proposals in this case.
 +
Extenuating circumstances must be applied: Indeed, any sanction that is
 +
imposed on EDP COMERCIALIZADORA, it would have to be set in accordance with the
 +
Articles 83.2 of the RGPD and 76.2 of the LOPDGDD, which contemplate instruments
 +
relevant for the Administration to adjust the proportionality of the sanctions. On
 +
the present case, as stated in the Allegations to the Initiation Agreement,
 +
the following extenuating circumstances concur that here are
 +
resume:
 +
• The nature, seriousness and duration of the offense: according to article 83.2.a) of the
 +
RGPD, the assessment of this circumstance must take into account “the nature,
 +
scope or purpose of treatment ”(...) and“ the level of damages that may have
 +
suffered ”. In this sense, what is attributed to EDP COMERCIALIZADORA is the
 +
need to improve some aspects of their data protection policies, without
 +
that in no case the texts used so far can be understood as
 +
have generated a high level of damages. Also, the treatments
 +
provided for in these policies - which are known to the interested parties - are not
 +
particularly sensitive, neither because of the type of data processed nor because of the characteristics
 +
treatment activities. Therefore, it is not only not appropriate to consider as
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 84
 +
84/141
 +
circumstance aggravating the nature of this offense but, the foregoing must
 +
considered as a mitigating circumstance applicable to the present procedure.
 +
• The intentionality or negligence in the infringement: EDP COMERCIALIZADORA has not
 +
shown any intent or negligence. The AEPD, in its Proposal for
 +
Resolution, indicates that “the defects indicated in the information provided show the
 +
EDP ​​COMERCIALIZADORA's lack of diligence in complying with the
 +
transparency obligations ”. Therefore, what this Agency seems to refer to is
 +
the absence of all the diligence that, according to said Authority, would be expected of EDP
 +
MARKETING COMPANY. However, it does not seem that this statement can
 +
be understood as "intentionality or negligence" in their actions insofar as, as
 +
has been stated in the Allegations to the Initiation Agreement and in these
 +
allegations, EDP COMERCIALIZADORA has carefully observed the guidelines,
 +
guidelines and tools made available by the AEPD itself and the Committee
 +
European Data Protection for the fulfillment of its obligations of
 +
Data Protection. For this reason, the diligence of EDP COMERCIALIZADORA
 +
it should be taken into account as a mitigating circumstance.
 +
• The high link between the activity of the offender and the performance of treatment of
 +
personal data: EDP COMERCIALIZADORA is dedicated, as stated by the AEPD in the
 +
Motion for a Resolution, to the supply of gas, an activity that is not intensive in the
 +
processing of personal data and that although it is true that the development of the
 +
EDP ​​COMERCIALIZADORA's activity involves the processing of personal data,
 +
This is instrumental without its activity being based on the exploitation of data
 +
personal. In this sense, the low link between EDP's activity
 +
COMERCIALIZADORA in the processing of personal data should be considered a
 +
extenuating circumstance.
 +
• Any measure taken to alleviate damages: as stated
 +
In the knowledge of the AEPD, EDP COMERCIALIZADORA is immersed in the
 +
review and improvement of its procedures and clauses in order to adapt and
 +
implement the recommendations made by this Agency, preventing it from
 +
occur any type of damage or harm to the interested parties. Proof of this is that
 +
some of the recommendations of this Agency are already implemented,
 +
such as improving access to information on data protection, which is already
 +
available at the address edp-residencialbytotal.es/rgpd as well as the new protocol
 +
of contracting through a representative, which was already contributed to the procedure
 +
last July 16, 2020 and it has already been implemented last January.
 +
• Degree of cooperation with the authority: EDP COMERCIALIZADORA has shown
 +
From the beginning of this procedure, a completely collaborative attitude with the
 +
AEPD, as has been accredited in this writing. In the Allegations to
 +
Initiation Agreement provides more complete information regarding the
 +
cooperation shown by EDP COMERCIALIZADORA.
 +
• Categories of data and affectation of the rights of minors: the data subject
 +
treatment are not special categories of data and the data have not been affected.
 +
rights of minors (EDP COMERCIALIZADORA clients are always
 +
of legal age with the capacity to contract).
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 85
 +
85/141
 +
• Continued nature of the infringement: as has been proven, EDP
 +
MARKETING COMPANY, from the moment it has had knowledge of the
 +
improvements that, in the opinion of the AEPD, could be adopted in its policies, has proceeded to
 +
analyze their texts and procedures. Therefore, it cannot be understood that it is
 +
an infringement of a continuing nature, although this Agency must understand that in
 +
complex corporate groups the processes of change and adaptation of
 +
procedures cannot be done immediately. However, this does not mean that
 +
The alleged infringement that is imputed should be understood as "continuing".
 +
• Status of a large company and its turnover: the fact that EDP
 +
MARKETING COMPANY is considered a large company cannot be used
 +
as an aggravating circumstance as it is not a circumstance foreseen or in the RGPD
 +
nor in the LOPDGDD. In addition, in this sense, the Supreme Court (judgment of April 4,
 +
November 2015, appeal 100/2014) has stated in recent jurisprudence but
 +
consolidated statement that "it is not feasible, in any case, to presume malicious conduct by the
 +
mere fact of the special circumstances surrounding the taxpayer of the
 +
taxation (economic importance, type of advice received, etc.) (...). [It
 +
that the public power cannot do, without violating the principle of guilt that
 +
derives from art. 25 CE [see, for all, the Judgment of this Section of June 6,
 +
2008 (rec. Cas. For the unification of doctrine no. 146/2004), FD 4], is to impose a
 +
sanction to a taxpayer (or confirm it in the administrative or judicial phase of
 +
recourse) due to its subjective circumstances -even if it is a legal person,
 +
has great financial means, receives or can receive the most competent of the
 +
advice and is habitually or exclusively dedicated to the activity taxed by the
 +
unfulfilled norm ”. For this reason, it is neither legal nor constitutional to assess the
 +
large company status as an aggravating circumstance. Likewise, the AEPD also
 +
refers to “its business volume” (a fact that is not considered as
 +
aggravating circumstance neither in the RGPD nor in the LOPDGDD). When it comes to quantifying the
 +
sanction, the AEPD refers to EDP's global billing volume
 +
MARKETER to quantify it, when it should take into account
 +
exclusively, and where appropriate, the billing data generated by the eventual
 +
alleged non-compliance - in the case of article 25 of the RGPD, relating exclusively
 +
to hiring by representation-. In this sense, the AEPD, in its research in
 +
within the framework of the procedure, requested and obtained specific data on the volume of
 +
contracting by representation and the very small part that corresponds in the global
 +
activity of EDP COMERCIALIZADORA, and should in any case have had it in
 +
account in the Motion for Resolution, which has not happened. Also, as it has
 +
indicated in the First Allegation, the volume of business derived from the
 +
contracting with a representative represents approximately 0.26% of the volume of
 +
global business. For its part, as regards the sanction associated with the alleged
 +
infringement of article 13 of the RGPD, the AEPD should not have taken into consideration the
 +
global billing of your activity
 +
Benefits obtained as a consequence of the infringement: the alleged commission of the
 +
The alleged infringement has not generated any type of economic benefit, direct or
 +
indirectly, to EDP COMERCIALIZADORA. In any case, if this Agency considers the
 +
Otherwise, the benefit should be calculated according to the criteria that have been
 +
indicated in the First Claim, taking into account that the volume of business
 +
derived from contracting through a representative, account for only 0.26% of the
 +
global business volume and that the proposed penalty (500,000 euros) represents a
 +
disproportionate amount in relation to the benefits obtained
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 86
 +
86/141
 +
. • High volume of data and treatments: contrary to what this Agency indicates
 +
in its Proposal for Resolution, the alleged infractions attributed to EDP
 +
COMERCIALIZADORA does not affect "all data processing carried out by the
 +
entity EDP COMERCIALIZADORA SAU ”, but only to the treatments related to
 +
customers. In fact, the AEPD itself recognizes in the section on "High
 +
number of interested parties ”that“ [t] he infringement affects all natural person clients
 +
of the entity ”, but does not indicate any other group of interested parties. Also, in what
 +
which refers to contracting by third parties on behalf of the owner, it is relevant
 +
note that such contracting only affects 0.26% of the business volume
 +
of EDP COMERCIALIZADORA, so it is evident that the volume of data and
 +
treatments affected is minimal. For this reason, the small number of
 +
treatments affected, and especially, in relation to contracting through
 +
representative, must be taken into account as an extenuating circumstance.
 +
• Recent acquisition of EDP COMERCIALIZADORA: as we have indicated in the
 +
Preliminary argument of this writing, EDP COMERCIALIZADORA has been
 +
recently acquired by the Total Group. By virtue of article 76.2.e) of the
 +
LOPDGDD, in conjunction with article 83.2.k) of the RGPD, understands this part that
 +
This circumstance must be taken into consideration when, where appropriate, modular and
 +
attenuate the potential sanction - sanction that in any case this part understands that
 +
proceeds-. Although the aforementioned precept includes the cases in which the
 +
structural modification is a fusion by absorption, in application of the principle of
 +
teleological interpretation, its regulation should be extended to other modifications
 +
structural actions carried out after the commission of the offense and that have
 +
as a consequence the imposition of disproportionate and burdensome sanctions on the
 +
new entity that did not commit the initial offense.
 +
Of the actions carried out in this procedure and of the documentation
 +
Obrante in the file, the following have been accredited:
 +
PROVEN FACTS
 +
1. It appears in the file that EDP COMERCIALIZADORA uses the following
 +
channels to formalize the contracting of their services:
 +
A. Telephone Channel, with partial or definitive closure of the contracting process
 +
through a phone call. It includes the following subchannels:
 +
- CAC Inbound: Call reception, from customers to EDP. On
 +
In general, they are already EDP customers who are identified from the beginning of the call
 +
through a security protocol, although they can also be received
 +
calls from potential customers.
 +
- Telemarketing: Issuance of calls, from EDP to databases
 +
own customers for upselling or abandonment recovery. Used
 +
to make the call the telephone number that appears in the file
 +
of the client, and that has been provided by said person previously.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 87
 +
87/141
 +
- LEADS: Issuance or reception of calls, about users who have
 +
expressed an interest in any platform or website (sweepstakes,
 +
promotions, offer comparators, blogs, advertising agencies, etc.)
 +
leaving their basic data to be contacted or contacting themselves at
 +
the phone number shown to them. Usually such users still
 +
they do not have active contracts with EDP.
 +
B. Web channel, closed by means of a digital form. The user accesses through
 +
a website and start a hiring process totally online, without interaction with
 +
agents.
 +
C. Distributors, with face-to-face or digital closing of the contracting process,
 +
including:
 +
- EDP's own Commercial Offices. Normally already EDP clients who
 +
they proactively go to the office, although they can also be clients
 +
potentials.
 +
- Third -party stores (eg *** STORE.1 ). In general, new clients who come to
 +
make their purchases and are interested in EDP's offer.
 +
D. External Sales Forces, with in-person closing of the contracting process,
 +
including:
 +
- Stands at Fairs, Shopping Centers, etc. In general new clients that
 +
they go to such events or places and are interested in EDP's offer.
 +
- Home visits with prior request. Clients or potential clients who have
 +
provided your data and consent to receive proposals from an agent of
 +
EDP ​​at home.
 +
2. The contracting procedures implemented in those cases in which the
 +
Contracting is carried out by a third party on behalf of the owner are the following:
 +
A) Telephone channels:
 +
A.1 - CAC INBOUND 1) When the user indicates that he wishes to make a contract
 +
As a representative, you are asked about your relationship with the owner and if you have
 +
authorization of said person. 2) Once the previous point has been confirmed, they are requested
 +
identification data of the representative, and all the data of the owner necessary to
 +
formalize the hiring. 3) Finally the Consent is read and recorded in audio
 +
Representative express. 4) The holder of the contract, for informational purposes, is sent
 +
in duplicate, with a stamped envelope, the contractual documentation in compliance
 +
of the provisions of the consumer and user protection regulations.
 +
A.2 - TELEMARKETING 1) When the user indicates that he wishes to carry out a
 +
hiring as a representative is asked about their relationship with the owner. 2) A
 +
Once the previous point has been confirmed, identification data of the representative is requested, and
 +
all the data of the owner necessary to formalize the contract. 3) Then
 +
the Express Consent of the representative is read and recorded in audio. 4) Finally
 +
durable support is sent to the phone / sms provided by the representative, and is expected
 +
upon your confirmation. 5) The holder of the contract, for informational purposes, is sent by
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 88
 +
88/141
 +
duplicate, with a stamped envelope, the contractual documentation in compliance with the
 +
provided in the consumer and user protection regulations.
 +
A.3 - LEADS 1) When the user indicates that he wishes to make a contract as
 +
representative is asked about his relationship with the owner. 2) Once the
 +
previous point, identification data of the representative is requested, and all the data of the
 +
holder necessary to formalize the contract. 3) It is then read and recorded in
 +
audio the Express Consent of the representative. 4) Then support is sent
 +
durable to the phone / sms provided by the representative, and awaits your confirmation.
 +
5) The contract holder, for informational purposes, is sent in duplicate, with envelope
 +
franked, the contractual documentation in compliance with the provisions of the
 +
consumer and user protection regulations. 6) In this channel, by the mode of
 +
contracting and the characteristics of the clients who use it, it is in progress,
 +
as a pilot test, communication via SMS or e-mail to the represented (in cases of
 +
not related to the representative to study its effectiveness and receptivity.)
 +
B. Distributors:
 +
In the case of contracts made in EDP's own Commercial Offices (in
 +
third-party stores there is no possibility of contracting in the name and on behalf of
 +
a third) the procedure is as follows:
 +
1) In those cases in which the user indicates that he wishes to make a contract
 +
as a representative of a third party, you are asked about your relationship with the owner. 2) A
 +
Once the information is obtained, the identification data of the representative is requested, and
 +
all the data of the owner necessary to formalize the contract. Likewise,
 +
requires a photocopy of the NIF, both the representative and the represented. 3)
 +
The presentation of an authorization document is also required.
 +
completed and signed by both interested parties (representative and owner).
 +
C. External Sales Forces:
 +
In the case of contracts made by external sales forces (fair stands,
 +
shopping centers and home visits, provided there is prior request by
 +
of the interested party), in the contract the identification data of the representative will be collected,
 +
Also requesting the data of the owner necessary to formalize the contract.
 +
In the contract, it is expressly specified that the representative declares to have
 +
of sufficient powers to sign the contract on behalf of the client to whom it is
 +
is responsible for informing of all the conditions thereof. It is required, on the other
 +
part of a photocopy of the representative's NIF.
 +
Next, an audio verification of the hiring is recorded where you are
 +
indicates on two occasions to the representative, the fact that he acts on behalf of the
 +
holder of the supply and the relationship-kinship that binds them is confirmed.
 +
To prove the representation, the contracting stub is formalized where the
 +
representative declares to have sufficient powers to sign the contract in
 +
name of the client who is responsible for informing of all the conditions of
 +
this. Likewise, a copy of the representative's NIF is provided.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 89
 +
89/141
 +
3 . It appears in the file that the documentation used by EDP
 +
COMERCIALIZADORA, SAU to prove the representation of the owner when subscribing
 +
a contract is as follows:
 +
A. Telephone Channel:
 +
In the three subchannels of the telephone channel (evidences 2, 3 and 4, CAC Inbound channels,
 +
Telemarketing and Leads respectively) the representative is requested, during the
 +
recording of the contracting procedure, confirmation of the following aspects:
 +
of your identity and ID, of your performance on behalf of the owner, of the relationship with
 +
the represented (as husband, wife, child, attorney, representative); of identity
 +
(name, surname, DNI) of the represented, and telephone and email. The
 +
Documentation accrediting the representation of the contract holder consists of the
 +
recordings in which the representative makes the aforementioned confirmations. On
 +
In the case of telemarketing and LEADS channels, a
 +
sms / email with the following text “EDP Offer: Please, answer with a YES to this
 +
SMS to accept and activate discounts. " (evidences 10 and 12).
 +
B. Distributors: In the case of EDP Comercializadora's own commercial offices
 +
DP, it is requested completed and signed by both interested parties (representative
 +
and owner) a document of express authorization in which the data of both
 +
people and copies of their NIF.
 +
In the channel own commercial offices (evidence 5) the representation is accredited
 +
by means of a document called "representative management authorization template",
 +
in it the owner (identified with his name and ID or CIF), in his own name or
 +
representation of the company authorizes the representative also identified with his
 +
name and ID to carry out different procedures (registration / cancellation, change of ownership,
 +
change of direct debit and / or other procedures) must be indicated in the box
 +
contiguous to each one of them which or which are the authorized procedures. Saying
 +
document requires the signature of the authorizer and the authorized person. Also, said document
 +
contains the following warning “TO BE VALID, THIS AUTHORIZATION
 +
IT MUST BE PRESENTED ACCOMPANIED BY A PHOTOCOPY OF THE HOLDER'S ID AND
 +
OF THE AUTHORIZED. WHEN IT IS AN AUTHORIZATION GRANTED BY A
 +
REPRESENTANTE DEL TIPO SA, SL, AIE, UTE, CB, COMMUNITY OF
 +
OWNERS, FOUNDATIONS, SCHOOLS, ALSO WILL BE REQUIRED
 +
PHOTOCOPY OF THE WRITING OF POWER OF ATTORNEY ”.
 +
C. External Sales Forces: In the case of external sales forces (stands of
 +
fairs, shopping centers and home visits, provided there is prior request by
 +
part of the interested party), a document is used to prove the representation
 +
called sales book (evidence 6). In this checkbook, they contain
 +
spaces to fill in the data of the contract holder (name, surname,
 +
telephone and email) and representative data (name, NIF and address) and
 +
include several boxes to mark that the representative is representative in the capacity of
 +
spouse / registered partner, ascendant / descendant or attorney-in-fact) below such
 +
boxes a text indicates that “it declares to have sufficient powers to subscribe
 +
this contract on behalf of the client who is responsible for informing
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 90
 +
90/141
 +
all the conditions of the same. " A verification recording is made where
 +
confirms with the representative the data of the represented, as well as the relationship or
 +
kinship that unites them (evidence 16)
 +
4. It is evident in the evidence presented that in the hiring subchannels
 +
telephone representatives are informed that “On behalf of their client, and
 +
After passing an analysis of the risk of the operation, we will take the necessary steps
 +
to activate the access contracts, at which point the
 +
new contract being terminated the previous one. "
 +
5. It is established that during the hiring process, in the hiring channels
 +
By telephone, the representative's consent is requested on behalf of the represented
 +
to carry out other treatments such as sending offers related to the
 +
energy adapted to your profile after the end of the contract or send you at any
 +
information on non-energy products or services of companies or
 +
collaborated with EDP. (evidences 2, 3 and 4).
 +
During this process, the consent of the representative is also requested in
 +
name of the represented to complete the commercial profile with information on bases
 +
of third-party data, in order to send you personalized proposals and the
 +
possibility of contracting or not certain services.
 +
In the channel of external forces, the possibility of providing such
 +
consents. As evidence 6 shows under the heading
 +
CLIENT / REPRESENTATIVE, after noting that the information related to the protection of
 +
data can be read on the back, allows you to mark the following consents,
 +
marking the joint box for each of them:
 +
 I consent to the processing of my personal data once the relationship has ended
 +
contractual, to carry out commercial communications adapted to my profile
 +
of products and services related to the supply and consumption of energy. In addition,
 +
I consent to the aforementioned treatments during the term and after the end of the
 +
contract, on non-energy products and services, both of the Group companies
 +
EDP ​​and third parties.
 +
 I consent to the processing of my personal data for the elaboration of my profile
 +
with information from third party databases, for the
 +
adoption, by EDP, of automated decisions in order to send
 +
personalized commercial proposals, as well as to allow, or not, the contracting
 +
of certain services.
 +
6. Evidence 2, 3 and 4 show that during the telephone contracting process
 +
the following information is provided to the representative: "Your personal data and those of your
 +
represented will be treated by EDP Comercializadora SAU and EDP Energía SAU to
 +
the management of your contracts, fraud prevention, profiling based on
 +
customer and EDP information, as well as communication
 +
personalized information on products or services directly related to their
 +
contracts, being able to oppose them at any time ".
 +
In the telemarketing and leads channel evidences 3 and 4 the following is added "Les
 +
We remind you that you can exercise your access rights at any time,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 91
 +
91/141
 +
rectification, opposition, deletion, limitation and portability, through any of
 +
the routes indicated in the General Conditions that can be consulted on our website
 +
www.edpenergia.es. "
 +
This information does not appear in evidence 2 corresponding to the CAC inbound channel.
 +
In the own offices channel, the information provided is as follows (evidence 5)
 +
"Interested parties are informed that the personal data provided in
 +
This form will be treated as the data controller by EDP ENERGÍA,
 +
SAU and EDP COMERCIALIZADORA, SAU so that they can be used
 +
for the processing of authorized management.
 +
The personal data that you provide us will be used, in the form and with the
 +
limitations and rights recognized by the General Data Protection Regulation
 +
(EU) 2016/679.
 +
The interested parties whose data are subject to treatment may exercise their rights
 +
of access, rectification, deletion, portability, limitation and opposition to treatment
 +
of these data, proving your identity, by email addressed to
 +
cclopd@edpenergia.es or by writing to the person responsible for the treatment at the
 +
Address Plaza del Fresno, 2 - 33007 Oviedo (Asturias). Likewise, you can put
 +
in contact with the EDP Data Protection Officer, at the same address
 +
postal or email dpd.es@edpenergia.es, if you understand
 +
violated any of your rights related to data protection, or in your
 +
case, file a claim with the Spanish Agency for Data Protection "
 +
In the External Forces Channel, the sales book provides the following
 +
information. On the back of the first page there is a section, entitled
 +
"Basic Information on Data Protection": which includes the following:
 +
"Personal data will be processed by EDP COMERCIALIZADORA,
 +
SAU and EDP ENERGÍA, SAU (hereinafter, jointly, EDP) as
 +
Responsible for the Treatment, for the maintenance, development, compliance and
 +
management of the contractual relationship, fraud prevention, profiling
 +
based on information provided by the Client and / or derived from the provision of the
 +
service by EDP, as well as sending commercial communications, related to
 +
products and services related to the supply and consumption of energy,
 +
maintenance of facilities and equipment, and that can be customized in
 +
based on your Client profile, as reported in the General Conditions, being able to
 +
object at any time to the sending of commercial communications.
 +
Additionally, the Client gives his explicit consent for the treatments of
 +
personal data collected on the front. Without prejudice to consents
 +
provided, the client may exercise, at any time, their access rights,
 +
rectification, opposition, deletion, limitation and portability, through any of
 +
the routes indicated in the General Conditions. "
 +
In the part of general conditions the following information regarding
 +
personal data protection:
 +
“LOPD Purposes of the processing of personal data. According to
 +
provided in current regulations, the client is informed that all data
 +
provided in this contract are necessary for the purposes of its formalization.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 92
 +
92/141
 +
Said data, in addition to those obtained as a result of the execution of the
 +
contract, will be processed by EDP COMERCIALIZADORA, SAU, domiciled at
 +
c / General Concha, 20, 48001, Bilbao and by EDP ENERGIA, SAU with address at
 +
Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers,
 +
in order to manage, maintain, develop, complete and control the
 +
contracting supply of electricity and / or gas and / or complementary services of and / or
 +
gas and / or complementary services of revision and / or technical assistance and / or program of
 +
points, and / or improvement of the service, to carry out actions to prevent
 +
fraud, as well as profiling, personalized commercial communications
 +
based on information provided by the Client and / or derived from the provision of the
 +
service by EDP and related to products and services related to the
 +
supply and consumption of energy, maintenance of facilities and equipment.
 +
These treatments will be carried out in strict compliance with the legislation
 +
current and insofar as they are necessary for the execution of the contract and / or the
 +
satisfaction of EDP's legitimate interests, provided that the latter are not
 +
other rights of the client prevail.
 +
Provided that the client has explicitly accepted it, their personal data will be
 +
treated, even once the contractual relationship has ended and provided that there is no
 +
Produces opposition to said treatment, to:
 +
(I) The promotion of financial services, payment protection services, automotive
 +
or related and electronic, own or third parties, offered by EDP and / or participation in
 +
promotional contests, as well as for the presentation of commercial proposals
 +
linked to the energy sector after the end of the contract, (II) The preparation of
 +
Commercial profiles of the Client by aggregating the databases of
 +
third parties, in order to offer the Client personalized products and services,
 +
thus improving the customer experience, (III) Decision-making
 +
automated, such as allowing the contracting, or not, of certain products
 +
and / or services based on the Client's profile and particularly, on data such as, the
 +
history of defaults, the history of hires, permanence, locations, data
 +
consumption, types of devices connected to the energy network, and similar data
 +
that allow to know in greater detail the risks associated with the contracting. (IV)
 +
Based on the results obtained from the aggregation of the indicated data,
 +
EDP ​​may make personalized offers, specifically aimed at achieving the
 +
contracting of certain products and / or services from EDP or from third parties
 +
depending on whether the client has consented to it or not, being in any case treated
 +
data whose age will not exceed one year. In the event that said process was carried out
 +
carried out in an automated way, the client will always have the right to obtain intervention
 +
human rights by EDP, admitting the challenge and, where appropriate, assessment of the
 +
resulting decision.
 +
Categories of data processed
 +
By virtue of the contractual relationship, EDP may process the following types of data
 +
personal: (I) Identifying data (name, surname, ID, postal address, address
 +
email address, supply point, etc.), (II) Identification codes or keys
 +
User and / or Client, (III) Personal characteristics data (date of birth,
 +
sex, nationality, etc.), (IV) Data of social circumstances (hobbies, style of
 +
life, marital status, etc.), (V) Data on energy consumption and derived lifestyle habits
 +
of these, (VI) Economic, financial, solvency and / or insurance data.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 93
 +
93/141
 +
Personal data will be kept for the duration of the contractual relationship
 +
and at most, during the statute of limitations for legal actions
 +
corresponding, unless the Client authorizes its treatment for a longer period,
 +
applying organizational and security measures from the beginning of the treatment
 +
to ensure the integrity, confidentiality, availability and resilience of data
 +
personal
 +
Communications and recipients of personal data.
 +
All personal data derived from the provision of the service and those obtained in
 +
By virtue of this contract, they may be communicated to the following entities:
 +
i)
 +
The corresponding distribution company, producing with it a
 +
permanent exchange of information for the adequate provision of the
 +
service, including the request for access to your network, readings (which in the case
 +
remote-managed meter will be hourly) and / or consumption estimate, control
 +
quality of supply, request for supply cuts, modifications in
 +
power, etc.
 +
ii)
 +
The Organizations and Public Administrations that by Law correspond.
 +
iii)
 +
Banks and financial entities for the collection of services rendered.
 +
iv)
 +
Other companies of the business group, solely for administrative purposes
 +
internal and the management of the products and services contracted.
 +
v)
 +
National equity solvency and credit services (Asnef-Equifax,
 +
...) to which in case of non-payment, without just cause by the Client,
 +
You will be able to communicate the debt, as well as fraud prevention services,
 +
for the sole purpose of identifying erroneous or fraudulent information provided
 +
during the hiring process.
 +
saw)
 +
EDP ​​suppliers necessary for the adequate compliance with the
 +
contractual obligations, including those that may be located outside
 +
of the European Economic Area, in which case it is duly
 +
adequate international data transfer.
 +
Rights of the data owner
 +
The client will have at all times the possibility of exercising freely and
 +
completely free of charge the following rights:
 +
i)
 +
Access your personal data that is processed by
 +
EDP.
 +
ii)
 +
Rectify your personal data that is processed by EDP
 +
that are inaccurate or incomplete.
 +
iii)
 +
Delete your personal data that is processed by EDP
 +
iv)
 +
Limit EDP's treatment of all or part of its
 +
personal information.
 +
v)
 +
Oppose certain treatment and decision-making
 +
automated data processing, requiring the intervention
 +
human rights in the process, as well as to challenge the decisions that
 +
are finally adopted by virtue of the processing of your data.
 +
saw)
 +
Port your personal data in an interoperable format and
 +
self-sufficient.
 +
vii)
 +
Withdraw at any time, the consents granted
 +
previously.
 +
In accordance with current regulations, the user can exercise their rights
 +
requesting it in writing, and together with a copy of a reliable accreditation document
 +
identity, at the following postal address: Plaza del Fresno, 2, 33007 Oviedo or
 +
in the email cclopd@edpenergía.es
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 94
 +
94/141
 +
Likewise, you can contact the data protection officer of
 +
EDP ​​at the following postal address Plaza del Fresno, 2, 33007 Oviedo or by mail
 +
electronic dpd, es @ edpenergía.es, in the event that you understand that any of the
 +
your rights related to data protection, or, where appropriate, file a
 +
claim before the Spanish Agency for Data Protection, at the address Calle de
 +
Jorge Juan, 6, 28001. Madrid "
 +
7. It is established that the number of contracts signed in 2018 and 2019 by third parties
 +
representing natural persons is the following:
 +
A. Telephone Channel:
 +
A.1 - CAC INBOUND
 +
Year Channel Representation
 +
No. Contracts
 +
2018 CAC Relationship
 +
1,346
 +
2018 CAC Unrelated
 +
394
 +
2019 CAC
 +
Relationship
 +
983
 +
2019 CAC Unrelated
 +
278
 +
A.2 - TELEMARKETING
 +
Channel Year
 +
Representation
 +
No. Contracts
 +
2018 TELEMARKETING
 +
Relationship
 +
2,865
 +
2018 TELEMARKETING
 +
No kinship
 +
82
 +
2019 TELEMARKETING
 +
Relationship
 +
1,201
 +
2019 TELEMARKETING
 +
No kinship
 +
42
 +
A.3 - LEADS
 +
Channel Year
 +
Representation
 +
No. Contracts
 +
2018 LEADS
 +
Relationship
 +
5,518
 +
2018 LEADS
 +
No kinship
 +
849
 +
2019 LEADS
 +
Relationship
 +
6,127
 +
2019 LEADS
 +
No kinship
 +
1,160
 +
B. Web: Hiring with a representative is not contemplated.
 +
C. Distributors (own commercial offices):
 +
Year Channel Representation
 +
No. Contracts
 +
2018 OOCC Relationship
 +
194
 +
2018 OOCC Unrelated
 +
67
 +
2019 OOCC Relationship
 +
174
 +
2019 OOCC Unrelated
 +
78
 +
D. External Sales Forces: (trade fair stands, shopping centers - home visit)
 +
Year Channel Representation
 +
No. Contracts
 +
2018 FVE
 +
Relationship
 +
10,758
 +
2018 FVE
 +
No kinship
 +
118
 +
2019 FVE
 +
Relationship
 +
1,556
 +
2019 FVE
 +
No kinship
 +
58
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 95
 +
95/141
 +
8. It establishes that on July 16, a written entry from EDP was entered into the AEPD
 +
Comercializadora SAU in which it states that "it has reviewed the procedure to follow
 +
in contracting by third parties on behalf of the owner, in order to strengthen said
 +
procedure and reduce the risks of possible identity theft carried out
 +
in bad faith by the contracting party in this type of process, taking into account,
 +
additionally, the particular needs identified as a result of the state of
 +
alarm decreed last March and that has necessarily required that
 +
all contracts are carried out in a non-face-to-face way.
 +
That in order to inform the AEPD of the specific actions that are
 +
are being carried out in relation to this matter by EDP, in compliance
 +
of their duty of proactive compliance (accountability), we attach the
 +
"Contracting procedure by third parties on behalf of the owner", so that they have
 +
visibility on the modifications that are being implemented in these processes
 +
in order to meet your request in this regard, as well as to highlight the
 +
EDP's proactivity regarding its suggestion of adaptation of said
 +
process." This procedure is detailed below.
 +
9. EDP ​​COMERCIALIZADORA SAU, contributes in response to the request made
 +
by this Agency in the framework of research activities extract from the Registry
 +
of Treatment Activities that includes the records related to the activities that
 +
are carried out in the field of contracting products and / or services and the analysis of
 +
risks carried out in relation to the treatments carried out in the context of the
 +
contracting products and / or services.
 +
The risk analysis is contained in an Excel document, it does not contain a date
 +
nor signature. 15 risk factors are listed; 1. Information commercially
 +
sensitive, 2. Commercial Communications, 3. Data Origin (external source or
 +
internal), 4. Data transfers. 5, Treatment Managers. 6. Transfers
 +
international 7. Scoring / Profiling activities. 8.Decisions
 +
automated. 9. Systematic monitoring of headlines. 10. Categories
 +
special data. 11. Large-scale data processing. 12.
 +
Data interconnections / Big Data. 13. Minor Data / Vulnerable Holders.
 +
14. Application or use of innovative technologies.15. Unavoidable treatment /
 +
Restriction of the exercise of rights or access to the service. Regarding the valuation
 +
potential of inherent risk, the risk scale has 4 levels: low, with a
 +
score from 0 to 12; average score from 13 to 25; tall from 26 to 38 and very tall
 +
from 39 to 51. The assessment or weight given to each of the factors of
 +
risk is from 1 to 4. In the risk analysis, for each of the
 +
sales channels a yes or no in each of the 15 risk factors above
 +
listed. The sum of the weight attributed to each of the factors for
 +
each channel determines the inherent risk. The result of inherent risk is
 +
medium in all the contracting channels, except in the web channels and
 +
external forces through home visits in which the outcome of the
 +
inherent risk is low. Risk correction measures are not indicated.
 +
These documents are declared reproduced in this act for evidentiary purposes.
 +
10. It is clear that to access the General Conditions, which are referred to in the
 +
telephone processes to obtain the rest of the information regarding the treatment of
 +
personal data, on the www.energía.es page, the following process must be followed:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 96
 +
96/141
 +
-Access through the internet browser to the address
 +
https://www.edpenergia.es/es/
 +
- Introduction in the search engine of the text page itself: "General Conditions"
 +
-The website shows, under the following address:
 +
https://www.edpenergia.es/es/buscadorGeneral.do?tiposBusqueda=C%7CM
 +
% 7CD & idMenuSegmento = 18 & textBusqueda = Conditions + General, 2 tabs
 +
one called related information and the other Documents.
 +
-The "Documents" tab of the Search Results is selected. Is
 +
offers a total of 78 results, the third of which corresponds to the
 +
"General contracting conditions".
 +
-The "General contracting conditions" are selected and automatically
 +
open a new browser window pointing to the following internet address:
 +
https://www.edpenergia.es/resources/doc/comercial/2019/09/10/condicionesgenerales-
 +
de-contratacion.pdf, where the document can be downloaded.
 +
11 .The following documents are provided in support of the allegations made:
 +
Annex 1.a) Risk analysis methodology and implementation of Days
 +
- Annex 1.b) RAT contracting EDPC
 +
- Annex 1.c) RAT risk assessment- EDPC contracting
 +
- Annex 1.e) Impact Assessments -Risk Assessments
 +
- Annex 1.f) Impact evaluations - Reports
 +
Appendix 2 :
 +
- EDP Methodology_Privacy by Design by Default
 +
- Operational Instruction Privacy by Design & Privacy by Default
 +
- Privacy by Design & Privacy by Default form
 +
- Privacy By Design Procedure Flowchart.
 +
Annex 4:
 +
- Examples of requests for the exercise of rights.
 +
The Risk Analysis Methodology and DPIAS (DATA PRIVACY
 +
ASSESSMENTS) contains on its first page a version history, being the
 +
date of the initial version 11/24/2017 and the last one on 05/11/2018 revision date
 +
prior to the applicability of the RGPD. It is accompanied by various annexes whose date
 +
not included or provided.
 +
The document contained in annex 1.b RAT, EDPC, whose date does not appear, includes
 +
a treatment purpose not included in the register of treatment activities
 +
sent to this Agency on June 17, 2020. Specifically, said treatment
 +
that is now included has the following content:
 +
Responsible: EDP Comercializadora SAU
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 97
 +
97/141
 +
Purpose of the treatment: "Carrying out Scoring of customers of the B2C segment prior
 +
to hiring ”,
 +
Description: “Scoring of customers in the B2C segment prior to the
 +
contracting according to the internal pending debt and information from
 +
solvency (ASNEF). "
 +
Category of data holders: "Clients and potential clients."
 +
Category of personal data processed: "Identifying data and economic data."
 +
Legal basis for carrying out the treatment: "Satisfaction of legitimate interests."
 +
Period of conservation of personal data: “5 years from the end of the
 +
contractual relationship. The certain, past due and enforceable debt derived from the execution of the
 +
contract will be maintained until its cancellation or the limitation period of the actions
 +
pertinent legal recovery. "
 +
Data transfers (data recipients, other than those in charge of the treatment):
 +
“ASNEF is jointly responsible for the treatment, according to the signed agreement
 +
with ASNEF. "
 +
Categories in charge of treatment: The box has no content.
 +
International data transfer: No
 +
Annex 1.c) under the name “RAT Risk Assessment- EDPC Contracting”, whose
 +
The date is not reflected in the document either, it contains the risk analysis, in the form of
 +
matrix, the same as the one presented on June 17, 2020, with the same content, if
 +
either two columns have been added under the title "treatment requires PIA", both
 +
entitled "No. of EDP-W29 criteria", the first indicates a number that seems
 +
correspond to its title and the second indicates the need to carry out a
 +
Impact evaluation. In this matrix there is also a new treatment whose
 +
The purpose is the “Scoring of customers in the B2C segment prior to the
 +
hiring ”.
 +
Various documents entitled impact evaluations are provided, whose date
 +
Nor is it recorded, these impact evaluations are the following:
 +
-Risk assessment of B2C client scoring prior to hiring,
 +
in which, among other threats, the following are indicated:
 +
- “the basis that legitimizes the treatment is not adequate, is illegal or has not been formulated
 +
adequately ”, whose probability is set as high, with an impact rated as
 +
very high and resulting in inherent risk High. Regarding the controls implemented
 +
Faced with this threat, it is stated that “the legal basis of the treatment is to satisfy a
 +
legitimate interest (fraud prevention) ”.
 +
- “At the time of data collection, the minimum information is not provided
 +
provided to the person or no information is provided. " In this case
 +
it is considered that neither the probability nor the impact “does not apply, nor is there a risk
 +
inherent, the controls being the “Data Protection clause included in the
 +
contract signed with the client with all the information required by the RGPD ”and the
 +
"Information provided to the client prior to carrying out the scoring process"
 +
-Evaluation of channel leads to be converted by telemarketing
 +
-Risk assessment Telemarketing upselling and dropouts
 +
-CAC channel risk assessment to clients or potential clients (inbound)
 +
-ChannelOOCC evaluation of clients and potential clients
 +
- Risk assessment of third-party stores for sale to potential customers.
 +
In all these impact evaluations, threats are considered among others
 +
many, those related to the fact that “the basis that legitimizes the treatment is not adequate, it is
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 98
 +
98/141
 +
illegal or has not been properly formulated ”and“ at the time of collection of the
 +
data is not provided the minimum information provided to the person or is not
 +
provides no information "In both cases the probability is valued as high,
 +
the impact as very high and the inherent risk high. Controls are mentioned
 +
adopted, referring to the legitimizing basis of the treatment in the first of the cases
 +
and "Data Protection clause included in the contract signed with the client with
 +
all the information required by the RGPD ”in the second. They are described among the
 +
checks in progress for both threats on all channels except channel
 +
OOCC, “the implementation of a new contracting procedure through
 +
representative, incorporating the sending of an SMS / Email message through which the
 +
provides the basic information necessary in terms of data protection to the owner of the
 +
contract."
 +
The date on which the actions in progress were incorporated into the
 +
corresponding impact evaluations.
 +
These documents are declared reproduced in this act for evidentiary purposes.
 +
FOUNDATIONS OF LAW
 +
I
 +
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679,
 +
of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of
 +
Individuals with regard to the Processing of Personal and Free Data
 +
Circulation of this Data (General Data Protection Regulation, hereinafter
 +
RGPD) recognizes each Control Authority, and as established in the articles
 +
47, 48, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of
 +
Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the
 +
Director of the Spanish Data Protection Agency is competent to initiate and
 +
solve this procedure.
 +
Article 63.2 of the LOPDGDD determines that: “The procedures
 +
processed by the Spanish Data Protection Agency will be governed by the provisions
 +
in Regulation (EU) 2016/679, in this organic law, by the provisions
 +
regulations dictated in their development and, as long as they do not contradict them, in a
 +
subsidiary, by the general rules on administrative procedures. "
 +
II
 +
Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the
 +
Council of April 27, 2016, regarding the protection of natural persons in the
 +
regarding the processing of personal data and the free circulation of these data
 +
(General Data Protection Regulation, hereinafter RGPD), under the rubric
 +
"Definitions", provides the following:
 +
"2)" treatment ": any operation or set of operations carried out on
 +
personal data or personal data sets, whether by procedures
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 99
 +
99/141
 +
automated or not, such as collection, registration, organization, structuring,
 +
conservation, adaptation or modification, extraction, consultation, use,
 +
communication by transmission, broadcast or any other form of authorization of
 +
access, collation or interconnection, limitation, deletion or destruction ”.
 +
7) "data controller" or "controller": the natural or legal person,
 +
public authority, service or other body that, alone or together with others, determines the
 +
purposes and means of the treatment; whether the law of the Union or of the Member States
 +
determines the purposes and means of the treatment, the person responsible for the treatment or
 +
Specific criteria for their appointment may be established by Union law.
 +
or of the Member States "
 +
Article 24.1 of the RGPD provides for the responsibility of the person responsible for the
 +
treatment that “Taking into account the nature, scope, context and purposes of the
 +
treatment, as well as risks of varying probability and severity to the rights and
 +
freedoms of natural persons, the data controller will apply measures
 +
appropriate technical and organizational techniques in order to ensure and be able to demonstrate that the
 +
treatment is in accordance with this Regulation. These measures will be reviewed and
 +
will update when necessary . "
 +
In the present case, it is established that EDP COMERCIALIZADORA, SAU is the
 +
responsible for data processing, referred to in the factual background of the
 +
present agreement to initiate the sanctioning procedure, since, in accordance with the
 +
definition of article 4.7 of the RGPD, it is who determines the purpose and means of the
 +
treatments carried out for the purposes indicated in the documentation provided
 +
relating to the contracting of their services, so in their capacity as responsible for the
 +
treatment is obliged to comply with the provisions of transcript art 24 of the RGPD and in
 +
special regarding the effective and continuous control of "technical and organizational measures
 +
appropriate in order to guarantee and be able to demonstrate that the treatment is in accordance with the
 +
this Regulation "
 +
Likewise, article 25. 1 of the RGPD establishes that “ Taking into account the state of
 +
the technique, the cost of the application and the nature, scope, context and purposes of the
 +
treatment, as well as the risks of varying likelihood and severity posed by the
 +
treatment for the rights and freedoms of natural persons, the person responsible for the
 +
treatment will apply, both at the time of determining the means of treatment
 +
as at the time of the treatment itself, technical and organizational measures
 +
appropriate, such as pseudonymisation, designed to effectively apply the
 +
data protection principles, such as data minimization, and integrating the
 +
guarantees necessary in the treatment, in order to meet the requirements of this
 +
Regulation and protect the rights of the interested parties. "
 +
For these purposes, the provisions of the following recitals of the
 +
GDPR:
 +
74. “The responsibility of the person responsible for the treatment for
 +
any processing of personal data carried out by himself or on his own. On
 +
In particular, the person responsible must be obliged to apply timely and effective measures and
 +
must be able to demonstrate the compliance of the processing activities with the
 +
this Regulation, including the effectiveness of the measures. These measures must have
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 100
 +
100/141
 +
take into account the nature, scope, context and purposes of the processing as well as the
 +
risk to the rights and freedoms of natural persons. "
 +
75. “The serious and serious risks to the rights and freedoms of natural persons
 +
variable probability, may be due to the processing of data that could cause
 +
Physical, material or immaterial damages, particularly in cases where
 +
that the treatment may give rise to problems of discrimination, usurpation of
 +
identity or fraud, financial loss, reputational damage, loss of
 +
confidentiality of data subject to professional secrecy, unauthorized reversal of the
 +
pseudonymization or any other significant economic or social damage; in the
 +
cases in which the interested parties are deprived of their rights and freedoms or are
 +
prevent exercising control over your personal data; in cases where the data
 +
personal treaties reveal ethnic or racial origin, political opinions, religion
 +
or philosophical beliefs, union membership and the processing of genetic data,
 +
data relating to health or data on sexual life, or convictions and offenses
 +
criminal or related security measures; in the cases in which they are evaluated
 +
personal aspects, in particular the analysis or prediction of aspects related to the
 +
job performance, financial status, health, preferences or interests
 +
personal, reliability or behavior, situation or movements, in order to create or
 +
use personal profiles; in the cases in which personal data of
 +
vulnerable people, in particular children; or in cases where the treatment
 +
involves a large amount of personal data and affects a large number of
 +
interested. "
 +
76. “The probability and severity of the risk to the rights and freedoms of the
 +
stakeholder should be determined with reference to the nature, scope, context and
 +
the purposes of data processing. Risk should be weighted on the basis of a
 +
objective evaluation by which it is determined whether the treatment operations of
 +
data pose a risk or if the risk is high. "
 +
Therefore, the controller must carry out an analysis of the
 +
risks that the data processing carried out may have for the rights and
 +
freedoms of natural persons, implementing technical and organizational measures
 +
appropriate to apply the principles of data protection and integrate the guarantees
 +
necessary in the treatment in order to comply with the requirements of the RGPD, being able to
 +
demonstrate that the treatment is in accordance with the provisions of the aforementioned standard.
 +
The data protection principles are contained in article 5 of the
 +
RGPD, the first of which should be highlighted here regarding the legality of the
 +
treatment. In accordance with article 5.1.a of the RGPD “Personal data will be: a)
 +
treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness,
 +
loyalty and transparency '). The second number of article 5 provides that “The
 +
responsible for the treatment will be responsible for compliance with the provisions of the
 +
paragraph 1 and capable of demonstrating it ('proactive responsibility'). "
 +
The legality of the treatment implies that personal data can only be
 +
treated by the person responsible for the treatment when any of the bases
 +
legitimating entities listed in article 6 of the RGPD.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 101
 +
101/141
 +
Taking into account the documentation provided by the person responsible for the treatment,
 +
It should be noted that the contracting of gas services by EDP,
 +
COMERCIALIZADORA, SAU can be carried out through different channels being
 +
these the following:
 +
A- Telephone, which includes the following sub-channels: CAC Inbound, Telemarketing and
 +
Leads.
 +
B. Web Channel.
 +
C. Distributors, which includes EDP's own Commercial Offices and third-party stores.
 +
D. External Sales Forces, which can be: Stands at Fairs, Centers
 +
Commercial, etc., or home visits with prior request.
 +
According to said documentation, the contracting of the service can be carried out
 +
with a customer representative, except for the web channel and sub-channel
 +
third-party stores where it is not allowed. Examination of procedures
 +
contracting the service described by the person in charge and the documentation provided
 +
show that when the service is contracted through
 +
representative is not required to prove the representation he claims to hold.
 +
This absence of accreditation has a single exception when the hiring of the
 +
service is carried out in the sub-channel of our own commercial offices in which a
 +
document certifying the authorization granted for contracting by the
 +
represented together with the presentation of his / her DNI (evidence 5).
 +
Thus, to the extent that a procedure has not been implemented that allows
 +
certify the representation of the person who makes a contract on behalf of a
 +
third, various risks may be generated and may be mentioned, by way of
 +
For example, the one consisting of a data processing of the represented without legitimation, the
 +
risk of identity theft or economic or other damages that are
 +
may cause the interested party as a result of the change of company
 +
service provider with the consequent cancellation of the original contract or the
 +
change of ownership of the contract or the type of contract with the company
 +
supplier, without the interested party having consented to such changes.
 +
Secondly, in the documentation provided, it is observed that in the channel of
 +
telephone contracting (CAC inbound, Telemarketing and leads subchannels) together with the
 +
hiring the service, consent is requested to carry out other
 +
treatments, such as sending energy-related offers tailored to the
 +
customer profile upon completion of the contract or referral at any time of
 +
information on non-energy products or services of collaborating companies or
 +
EDP. This request is made to the representative as is clear from the own
 +
literality of the text of evidence 2, 3 and 4 submitted, according to which the
 +
this one: “May we present to your client offers related to energy
 +
adapted to your profile after the end of the contract, or send you at any time
 +
information of non-energy products and services, of Collaborating Companies or of
 +
EDP? " (Evidence 2)" Can you allow us to present your client with related offers
 +
with the energy after the end of the contract, or send you at any time
 +
information on products and services of the financial, insurance and
 +
automotive, Collaborating Companies or EDP? " (evidence 3). "Allows us
 +
present you with energy-related offers tailored to your profile after the
 +
termination of the contract, or send you at any time product information and
 +
non-energy services, of Collaborating Companies or EDP? (evidence 4).
 +