From GDPRhub
Revision as of 13:27, 10 May 2021

AEPD (Spain) - PS/00037/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 13 GDPR
Article 22 GDPR
Article 25 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 04.05.2021
Fine: 1500000 EUR
Parties: EDP COMERCIALIZADORA, S.A.U.
National Case Number/Name: PS/00037/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined an energy company €1,500,000 for not providing sufficient information to the data subjects and for not implementing adequate measures to avoid or mitigate risks related to the data processing.

English Summary

Facts

After receiving several complaints regarding the collection and processing of data of an energy company, the Spanish DPA (AEPD) launched an investigation.

In the first place, they found that the controller allowed for contracting their services in the name of another person (as a representative) without properly verifying the identity and validating the representation power. This made it possible for the representative, for example, to consent to commercial communications, including being subject to automated decision-making for personalized commercial offers, or the transfer of the data to third parties without the controller verifying whether they had the power to do so.

This also carried some risks, such as the possibility of contracting in others' names without having such power, leading to the creation of a binding contract without the permission or knowledge of any person that the representative claims to represent. This could lead to identity fraud or economic damages.

These risks were not considered by the controller in its initial assessment; only risks regarding scoring/profiling and commercial communications were considered.

Some additional clauses were implemented during the investigation, although the exact moment is not proven.

Also, the DPA found that the information provided to the clients under Articles 12, 13 and 14 GDPR was not in line with the regulation.

Holding

Infringement of Article 25 GDPR

The AEPD held that the controller should have had a system to verify the representation powers of a representative contracting in another's name, so that the lawfulness of the legal basis for processing could be verified. The representative must have a legitimate power to contract; otherwise, the legal basis relied on for the processing will not be lawful.

Additionally, the power to consent should be expressly given by the representee, as consent must be informed and specific. And, the DPA remarks, it is difficult to think of a representee giving express instructions on this to the representative, as consent is requested at the same time as contracting, without prior warning or explanation.

The AEPD also remarks that the accountability principle makes the controller responsible for implementing the necessary measures, and that such obligation is not only a formal obligation; such measures must be effective and adequate. The obligation is also dynamic, so the controller has to modify them if necessary when identifying new risks.

The controller, however, had not implemented adequate measures to avoid the mentioned risks. Therefore, the AEPD concluded that there had been a violation of Article 25 GDPR.

Infringement of Articles 6 and 22 GDPR

The AEPD also analyzed whether the controller was carrying out automated decision-making without consent, as the GDPR-related information provided by the controller stated (differently for each method of contracting) that:

  • The personal data provided may be used to manage the contracts, for fraud prevention, for building a commercial profile of the client and for subsequently carrying out personalized commercial communications.
  • Data obtained from third-party databases may be used to create commercial profiles of the clients, which may lead to automated decision-making for sending personalized commercial communications.

The DPA alleged that consent was not being collected properly, as it lacked information about the identity of the controller, the categories of data, the third-party recipients, etc. Also, there was no proper information, in relation to Article 14, about data collected from third parties.

The DPA also considered that the information given about automated decision-making did not comply with the requirements of Article 22, which require not only that the logic of the system be explained, but also the significance and consequences of such decisions, the envisaged processing of data in this regard, and comprehensive information given, for instance, in the form of examples. Additionally, there was no specific consent for automated decision-making.

However, the controller alleged that there was no actual automated decision making, as every final decision was taken by a human. Also, they said that for things such as fraud prevention, they were relying on a legitimate interest, not on the consent of the client. They also clarified that they were not currently doing any kind of automated decision making for consumer profiles.

In addition, the DPA could not prove that the controller was using data from third-party databases.

For all these reasons, the AEPD considered that there was no evidence of a violation of Articles 6 and 22 GDPR.

The DPA also discussed, based on the controller's allegations, whether, similarly to its decision on Equifax, the infringements of Articles 6 and 22 were instrumental to the infringement of Article 13 (discussed below), in which case only a fine based on the main infringement could be imposed. However, the AEPD rejected this argument, as it considered that, even if the infringements could be related to each other, each of them could be committed independently, and they were thus not a means for committing the others.

Infringement of Article 13

The AEPD found that not all the requirements of Article 13 GDPR were met. For instance, the information provided via some of the contracting channels did not describe the data subjects' rights, nor offer a way to access the entirety of the information on a second layer. Therefore, the information offered was in general (although it varied depending on the contracting channel used) fragmented and scattered, and did not meet what Article 13 requires.

For example, when the contract was made by phone, the only way to obtain the most basic information was either to be redirected to another call or to consult the privacy policy, without being informed at the moment of contracting about the rights to which the data subject is entitled. When contracting via electronic means, the data subject could not easily obtain such information either, but was redirected to the contracting agreement and to information that was not easily accessible and had to be searched for on the controller's website.

According to Article 13 GDPR, all this information has to be given directly to the data subject by the controller; it is not acceptable for the controller to offer this information generically and leave the data subject to actively look for it. This is also in line with the transparency obligation: the information needs to be offered at the moment the data is collected, not afterwards.

This is normally done by providing the information in layers. The AEPD explains that, for example, in the case of phone contracting, the basic information (purposes, identity of the controller, data subjects' rights, and the most relevant information about a particular processing) could be provided during the call itself, with the rest of the information sent afterwards via email or via a link to the privacy policy. Additionally, the AEPD remarks, the use of layers to provide information cannot lead to a delay in the provision of the less relevant information, which also needs to be provided at the moment the data is collected.

The AEPD also analyzed the content of the information provided. Firstly, the way the data subject is informed about the identity of the controller is problematic. The controller, EDP, is divided into two different companies: EDP Energy and EDP Commercial. The information provided states that "the data will be processed by EDP Energy and EDP Commercial", both of which are said to be controllers. However, there is no specific reference to which company processes which data and for what purposes, which results in confusing and imprecise information. The privacy policy, after clarifying the existence of both controllers, only uses the generic name (EDP) without further specification.

The AEPD also noted that it is difficult, with the information provided, to identify how the processing activities relate to each legal basis alleged by the controller. Therefore, it is not clear for which processing operations the controller is relying on a legitimate interest. It is not possible to identify which legal bases are being relied upon for each processing activity, and this should be clearly stated in the information. Also, which particular legitimate interest or interests are invoked by the controller is not clarified (although the controller later made clear that such interests were fraud prevention and marketing).

The AEPD remarks that the information must be provided in a concise, transparent, understandable and easily-accessible manner. This is also related to the transparency requirement set forth by Article 5(1)(a) GDPR.

The AEPD also notes that it is not clear what consequences the creation of commercial profiles of the clients has, and whether this processing can be objected to in accordance with Article 21, regardless of whether it can be considered profiling within the meaning of Article 22 GDPR. The DPA also mentions that it is unclear which processing activities derive from consent, as the information provided is neither specific nor understandable to an ordinary person (e.g. the processing for providing personalized offers, based on the result of aggregating the indicated data).

In relation to information regarding Article 21, the DPA states that the controller should provide information about what particular processing activities may be subject to the right to object, in connection with the alleged legitimate interest. The mere statement of the existence of such right, referring to "a right to object to certain processing activities" is not enough.

The AEPD also remarks that, to guarantee the exercise of the rights, the data subject must be informed about which legal basis is used for each processing operation, so that the data subject clearly knows for which processing activities they have given consent, and can therefore withdraw it, and for which processing activities a legitimate interest is relied upon, so that the data subject can object to such processing.

On those grounds, the AEPD found a violation of Article 13 GDPR.

Sanction

In assessing the amount of the fine, the DPA took into account the following circumstances:

  • The seriousness of the violations.
  • The duration of the violations and their nature: they result from a lack of adequate measures on the part of the controller.
  • The intentionality or negligence of the controller, who should have spotted the risks and problems.
  • The fact that the infringements existed since 2018.
  • The relation between the infringements and the controller's core business activity.
  • The size of the company: its revenue for 2018 was €1,236,124,000.
  • The amount of data processed and processing activities carried out: contracts with 37,197 natural persons were concluded in 2019.
  • Previous infringements by the controller in different proceedings (PS/00101/2018, PS/00363/2018, PS/00109/2019), regarding Article 6(1) GDPR and the consent requirements regulated prior to the GDPR.
  • The fact that the infringements related to Article 25 GDPR did not include the processing of sensitive data.

Based on all this, the AEPD decided to fine the controller (EDP Comercializadora) €1,500,000:

  • €500,000 for the violation of Article 25 GDPR.
  • €1,000,000 for the violation of Article 13 GDPR.

This sanction was issued at the same time and in the same manner as the sanction against EDP Energy, the other company in the EDP group.

Comment

In its allegations, the controller clarified the organizational structure of the group. The existence of two companies stems from procedural and formal issues that arose when the group was bought. Currently, only EDP Commercial has employees and actual management and operative capacity, so EDP Commercial's employees are the only ones accessing the data. In practice, all processing activities are carried out by EDP Commercial, either as a joint controller or as a processor for EDP Energy.

This structure was in principle going to be rearranged, but the rearrangement was halted by the start of negotiations for the sale of the group.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.