Difference between revisions of "AEPD (Spain) - PS/00037/2020"

From GDPRhub
Line 155: Line 155:
  
 
<pre>
 
<pre>
 +
 +
Page 1
 +
1/141
 +
 Procedure No.: PS / 00037/2020
 +
RESOLUTION OF SANCTIONING PROCEDURE
 +
Of the procedure instructed by the Spanish Agency for Data Protection and based on
 +
to the following
 +
BACKGROUND
 +
FIRST: Various claims have been filed before this Agency against
 +
the entity EDP COMERCIALIZADORA, SAU in which substantially
 +
denounces the processing of personal data without the consent of the interested party. Sayings
 +
treatments are produced within the framework of the contracting of gas services
 +
supposedly carried out by a representative of the client, without said entity
 +
can prove the existence of such representation. Such claims have given
 +
lead to the initiation of various sanctioning procedures by this
 +
Agency, among which it is worth mentioning PS / 0025/2019, which has concluded by declaring
 +
the existence of an infringement of the provisions of the data protection regulations.
 +
SECOND: In view of the antecedents mentioned in the previous number, on the 3rd of
 +
June 2019, the Director of the Spanish Data Protection Agency urged the
 +
Subdirectorate General for Data Inspection the start of previous actions of
 +
investigation in order to prove, where appropriate, the existence of a regular conduct and
 +
continued possible violation of data protection regulations by
 +
EDP ​​COMERCIALIZADORA, SAU .
 +
THIRD: On December 17, 2019, the Subdirectorate General of Inspection
 +
formulates a request to EDP COMERCIALIZADORA, SAU to facilitate the
 +
Next information:
 +
1. Specification of the contracting channels (telephony, internet, distributors
 +
own or subcontracted, sales force with own home visits or
 +
outsourced, etc.…) of the services marketed by EDP
 +
COMERCIALIZADORA, SAU to individuals.
 +
2. Description of the contracting procedure followed through each of the
 +
previous channels when the contract is made by a third party in
 +
representation of the natural person who owns the contract. In this regard, it is requested to provide,
 +
in addition to all the information it deems appropriate for the purposes of documenting the
 +
procedure, the following:
 +
2.1. Copy of documents (model forms, contracts, arguments
 +
telephone numbers, etc.) used to collect the personal data of the owner and the third party
 +
that acts by representing it, indicating the channel or channels for which it is used
 +
each.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 2
 +
2/141
 +
2.2. Description of the procedures enabled through each of the channels
 +
contract so that a third party can prove the representation of a holder to the
 +
sign a contract with EDP COMERCIALIZADORA, SAU
 +
2.3. Specification of the procedure followed by EDP COMERCIALIZADORA,
 +
SAU to store the evidence that proves the capacity of representation
 +
of the third party in the procedures in which this type of contracting is carried out, with
 +
indication of the channel or channels for which each one is used.
 +
2.4. Attach models and / or examples of type evidence collected under the
 +
procedure followed in section 2.3.
 +
3. Information on the number of contracts signed in 2018 and 2019 by third parties in
 +
representation of the owners of the services (natural persons) with distinction of:
 +
3.1. By virtue of what this representation is supported (power, degree of kinship, etc.)
 +
3.2. Procedure or formula for accreditation of the representation followed.
 +
3.3. Recruitment channel for telephony, internet, own distributors or subcontractors,
 +
sales force with own or outsourced home visits, etc.…)
 +
FOURTH : On January 13, 2020, the entry in the AEPD of the
 +
Written answer from EDP COMERCIALIZADORA, SAU to the request for
 +
above information. In this document the following is stated:
 +
“FIRST- Specification of the contracting channels (telephony, internet,
 +
own distributors or subcontractors, sales force with own home visits or
 +
outsourced, etc.…) of the services marketed by EDP
 +
COMERCIALIZADORA, SAU to individuals.
 +
EDP ​​has different channels to formalize the contracting, distinguishing the
 +
following:
 +
A. Telephone Channel, with partial or definitive closure of the contracting process
 +
through a phone call. It includes the following subchannels:
 +
- CAC Inbound: Call reception, from customers to EDP. In general they are
 +
and EDP customers who are identified from the beginning of the call through a
 +
security protocol, although customer calls can also be received
 +
potentials.
 +
- Telemarketing: Issuance of calls, from EDP to already owned databases
 +
customers for upselling or churn recovery. It is used for the realization of
 +
the call the telephone number that appears in the client's file, and that has been
 +
provided by said person previously.
 +
- LEADS: Issuance or reception of calls, about users who have expressed a
 +
interest in any platform or web page (raffles, promotions, comparators of
 +
offers, blogs, advertising agencies, etc.) leaving your basic data to be
 +
contacted or contacting themselves at the phone number shown.
 +
These users usually do not yet have active contracts with EDP.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 3
 +
3/141
 +
B. Web channel, closed by means of a digital form. The user accesses through
 +
a website and start a hiring process totally online, without interaction with
 +
agents.
 +
C. Distributors, with face-to-face or digital closing of the contracting process,
 +
including:
 +
- EDP's own Commercial Offices. Usually already EDP clients who come
 +
proactively to the office, although it can also be about potential clients.
 +
- Third -party stores (eg *** STORE.1 ). In general, new clients who come to perform
 +
their purchases and are interested in EDP's offer.
 +
D. External Sales Forces, with in-person closing of the contracting process,
 +
including:
 +
- Stands at Fairs, Shopping Centers, etc. In general, new clients who come
 +
to such events or places and are interested in EDP's offer.
 +
- Home visits with prior request. Clients or potential clients who have
 +
provided your data and consent to receive proposals from an EDP agent to
 +
address.
 +
SECOND.- Description of the contracting procedure followed through each
 +
one of the above channels when the contracting is carried out by a third party in
 +
representation of the natural person who owns the contract.
 +
A. Telephone Channel:
 +
Next, the procedures implemented in EDP in
 +
those cases in which the contracting is carried out by a third party in
 +
representation of a natural person by telephone:
 +
A.1 - CAC INBOUND 1) When the user indicates that he wishes to make a contract
 +
As a representative, you are asked about your relationship with the owner and if you have
 +
authorization of said person. 2) Once the previous point has been confirmed, they are requested
 +
identification data of the representative, and all the data of the owner necessary to
 +
formalize the hiring. 3) Finally the Consent is read and recorded in audio
 +
Representative express. 4) The holder of the contract, for informational purposes, is sent
 +
in duplicate, with a stamped envelope, the contractual documentation in compliance
 +
of the provisions of the consumer and user protection regulations.
 +
A.2 - TELEMARKETING 1) When the user indicates that he wishes to carry out a
 +
hiring as a representative is asked about their relationship with the owner. 2) A
 +
Once the previous point has been confirmed, identification data of the representative is requested, and
 +
all the data of the owner necessary to formalize the contract. 3) Then
 +
the Express Consent of the representative is read and recorded in audio. 4) Finally
 +
durable support is sent to the phone / sms provided by the representative, and is expected
 +
upon your confirmation. 5) The holder of the contract, for informational purposes, is sent by
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 4
 +
4/141
 +
duplicate, with a stamped envelope, the contractual documentation in compliance with the
 +
provided in the consumer and user protection regulations.
 +
A.3 - LEADS 1) When the user indicates that he wishes to make a contract as
 +
representative is asked about his relationship with the owner. 2) Once the
 +
previous point, identification data of the representative is requested, and all the data of the
 +
holder necessary to formalize the contract. 3) It is then read and recorded in
 +
audio the Express Consent of the representative. 4) Then support is sent
 +
durable to the phone / sms provided by the representative, and awaits your confirmation.
 +
5) The contract holder, for informational purposes, is sent in duplicate, with envelope
 +
franked, the contractual documentation in compliance with the provisions of the
 +
consumer and user protection regulations. 6) In this channel, by the mode of
 +
contracting and the characteristics of the clients who use it, it is in progress,
 +
as a pilot test, communication via SMS or e-mail to the represented (in cases of
 +
not related to the representative to study its effectiveness and receptivity.)
 +
B. Web: The option of contracting with a representative is not offered.
 +
C. Distributors:
 +
In the case of contracts made in EDP's own Commercial Offices (in
 +
third-party stores there is no possibility of contracting in the name and on behalf of
 +
a third) the procedure is as follows:
 +
1) In those cases in which the user indicates that he wishes to make a contract
 +
as a representative of a third party, you are asked about your relationship with the owner. 2) A
 +
Once the information is obtained, the identification data of the representative is requested, and
 +
all the data of the owner necessary to formalize the contract. Likewise,
 +
requires a photocopy of the NIF, both the representative and the represented. 3)
 +
The presentation of an authorization document is also required.
 +
completed and signed by both interested parties (representative and owner).
 +
D. External Sales Forces:
 +
In the case of contracts made by external sales forces (fair stands,
 +
shopping centers and home visits, provided there is prior request by
 +
of the interested party), in the contract the identification data of the representative will be collected,
 +
Also requesting the data of the owner necessary to formalize the contract.
 +
In the contract, it is expressly specified that the representative declares to have
 +
of sufficient powers to sign the contract on behalf of the client to whom it is
 +
is responsible for informing of all the conditions thereof. It is required, on the other
 +
part of a photocopy of the representative's NIF.
 +
Next, an audio verification of the hiring is recorded where you are
 +
indicates on two occasions to the representative, the fact that he acts on behalf of the
 +
holder of the supply and the relationship-kinship that binds them is confirmed.
 +
Therefore, to prove the representation, the contracting stub is formalized
 +
where the representative declares to have sufficient powers to sign the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 5
 +
5/141
 +
contract on behalf of the client who is responsible for informing of all
 +
conditions of this. Likewise, a copy of the representative's NIF is provided.
 +
In this regard, it is requested to provide, in addition to all the information that it considers appropriate
 +
For the purposes of documenting the procedure, the following:
 +
2.1. Copy of documents (model forms, contracts, arguments
 +
telephone numbers, etc.) used to collect the personal data of the owner and the third party
 +
that acts by representing it, indicating the channel or channels for which it is used
 +
each.
 +
A. Telephone Channel:
 +
A.1 - CAC INBOUND
 +
The data collection is carried out in the system of each of the providers,
 +
following the order that corresponds according to the type of client, contracted product
 +
or campaign.
 +
Documents:
 +
1) Sales data template (Evidence 1)
 +
2) Express Consent Sales representative CAC (Evidence 2)
 +
Evidence 2 contains the following:
 +
"[XXXXXX] we're going to record your agreement. Okay?
 +
It is [hh: mm] on the day [dd] of [mm] of [20XX], and Mr./Ms. [Name and surname]
 +
with DNI [DNI number], as [husband / wife / child / attorney / representative] and in re-
 +
presentation of the holder [name and surname / company name] with ID / CIF [number
 +
DNI / CIF] phone [phone] and email [email] has called and accepts the
 +
EDP's offer for management [supply address] consisting of [con-
 +
ditions of the plan -dto. in the light-] for [CUPS LUZ: ES…] on the EDP price
 +
current electricity price [power price (€ / kW month) and energy term price
 +
(€ / kWh)] and / or [plan conditions -dto. in gas] for [GAS CUPS: ES…] and preset
 +
current EDP gas price [price term availability (€ / month) and term price
 +
energy (€ / kWh)]; and / or It works [annual price of the service, plan conditions
 +
promotion works].
 +
[If the collection date is not chosen] The chosen payment method is [direct debit
 +
bank account in your current account / in the account ...] and will be charged on the date
 +
indicated on the invoice.
 +
[If the collection date is chosen] The payment method chosen is [direct debit bank
 +
caria in your current account / in the account ...] and will be charged on a date
 +
Specifically, the days [DD] of the month. In that case, the payment period may be shorter
 +
greater than or greater than the 20 days established in the regulations ".
 +
"On behalf of the client, and after passing a risk analysis of the transaction
 +
ration, we will take the necessary steps to activate the access contracts,
 +
moment from which the new contract will come into force, being resolved
 +
previous.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 6
 +
6/141
 +
The contract / s will have a duration of 1 year, extendable for the same period
 +
Except for a complaint in advance of 15 days. Are you satisfied with the above
 +
mation and conditions of the contract / s? [Yes / Ok].
 +
In a few days you will receive the contract including a withdrawal document for
 +
duplicate, of which you will only have to return us signed one of the copies in
 +
The self-postage envelope does not need a stamp, which we will attach to it.
 +
You have 14 calendar days to exercise your right of withdrawal. Not obs-
 +
Therefore, if you request it, we can start the procedures now. Then,
 +
If you subsequently withdraw from the contract, you must pay the corresponding amount
 +
tooth to the borrowed supply period. Do you want your contract to be processed
 +
you immediately? [OTHERWISE].
 +
You will still receive an invoice from your current company for a probable period-
 +
less than normal. From there, from the entry into force of the contract
 +
You will receive the invoice from EDP with all our advantages.
 +
Your personal data and that of your client will be processed by EDP Comer-
 +
cializadora SAU and EDP Energía SAU to manage their contracts, prevent-
 +
fraud prevention, profiling based on customer information and
 +
EDP, as well as the realization of personalized communications about products
 +
coughs or services directly related to their contracts, being able in any-
 +
want to oppose them ".
 +
"Additionally, so that EDP can advise you with the best
 +
proposals:
 +
Will you allow us to present energy-related offers to your client?
 +
adapted to your profile after the end of the contract, or send you at any
 +
information on non-energy products and services, from companies
 +
Collaborators or EDP? [OTHERWISE]
 +
Will you allow us to complete the commercial profile of your client with information
 +
of third-party databases, in order to send you personal proposals-
 +
and the possibility of contracting or not certain services? [OTHERWISE]
 +
Your request has been registered with the code that I am going to indicate. If you wish,
 +
you can make a note of [COD. CIG] ".
 +
A.2 - TELEMARKETING
 +
The data collection is carried out in the system of each of the providers,
 +
following the order that corresponds according to the type of client, contracted product
 +
or campaign.
 +
Documents:
 +
1) Sales data template (Evidence 1)
 +
2) Express Consent Sales representative TLMK (Evidence 3)
 +
The text of evidence 3 is as follows:
 +
"[Mr. Mrs. XXXXXX] to hire you, I need to record your agreement.
 +
agreement?. [Yes].
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 7
 +
7/141
 +
Well, it is [hh: mm] on the [dd] day of [mm] of [20XX
 +
[Mr / Mrs] [name and surname] with DNI [DNI number] as [husband / wife / child / attorney-in-fact
 +
address / representative] and on behalf of the owner [name and surname / reason
 +
social] with ID / CIF [ID / CIF number], phone [phone] and email [email]
 +
accepts EDP's offer for the address [supply address] consisting of
 +
in for [CUPS LUZ: ES ………… ..] on the current EDP price of electricity
 +
[power price (€ / kW month) and energy term price (€ / kWh)] and / or [conditions
 +
purposes of the plan - disc. in gas] for [GAS CUPS: ES ……………………….] and price
 +
Gas EDP in force [price term availability (€ / month) and term price
 +
energy (€ / kWh)]; and / or It works [annual price of the service, plan conditions
 +
promotion works]. The chosen form of payment is [direct debit at
 +
your current account / in the account ………] and will be charged [on the date indicated
 +
on the invoice / on A SPECIFIC DATE, THE DAYS (DD) OF THE MONTH. ON
 +
IN THIS CASE, THE PAYMENT PERIOD MAY BE LESSER OR HIGHER THAN
 +
THE 20 DAYS ESTABLISHED IN THE REGULATIONS]. In the name of his repre-
 +
sitting down, and after passing an analysis of the risk of the operation, we will make the
 +
tions necessary to activate the access contracts, from the moment
 +
which will enter into force the new contract, being resolved the previous one.
 +
The contract / s will have a duration of 1 year, extendable for the same period
 +
Except for a complaint in advance of 15 days.
 +
Are you satisfied with the above information and conditions of the contract / s? "
 +
[Yes / Ok]. "Thank you."
 +
In a few days you will receive the contract (including withdrawal document) for
 +
duplicate, of which you will only have to return us signed one of the copies in
 +
The self-postage envelope does not need a stamp, which we will attach to it.
 +
You have 14 calendar days to exercise your right of withdrawal in the
 +
form that you consider appropriate. However, we can initiate the procedures during
 +
within that period if you request it, in which case if you withdraw from the contract
 +
must pay the amount proportional to the borrowed part of the supply. From-
 +
Whether your hiring is processed immediately? [OTHERWISE]
 +
You will still receive an invoice from your current company for a probable period-
 +
less than normal. With the entry into force of the contract you will receive the invoice
 +
from EDP with all our advantages.
 +
Your personal data and that of your client will be processed by EDP Comer-
 +
cializadora SAU and EDP Energía SAU to manage their contracts, prevent-
 +
fraud prevention, profiling based on customer information and
 +
EDP, as well as the realization of personalized communications about products
 +
coughs or services directly related to their contracts, being able in any-
 +
want time to oppose them.
 +
Additionally, so that from EDP we can advise you with the best
 +
proposals:
 +
Will you allow us to present energy-related offers to your client?
 +
after the end of the contract, or send you at any time information on
 +
products and services of the financial, insurance and automotive sectors,
 +
Collaborating Companies or EDP?
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 8
 +
8/141
 +
[OTHERWISE]
 +
Will you allow us to complete the commercial profile of your client with information
 +
of third-party databases, in order to send you personal proposals-
 +
and the possibility of contracting or not certain services?
 +
[OTHERWISE]
 +
We remind you that you can exercise your rights to
 +
access, rectification, opposition, deletion, limitation and portability, through
 +
any of the routes indicated in the General Conditions that may
 +
check on our website www.edpenergia.es.
 +
[Only in case of gas contracting] “For your safety we remind you of the obligation
 +
legal obligation to collaborate with your Distribution Company by facilitating access to
 +
your instalations."
 +
In order to process your request we need you to confirm the acceptance of this
 +
offer that has the Code, please take note: “CIG CODE”.
 +
A.3 - LEADS
 +
The data collection is carried out in the system of each of the providers,
 +
following the order that corresponds according to the type of client, contracted product
 +
or campaign.
 +
Documents:
 +
1) Sales data template (Evidence 1)
 +
2) Express Consent Sales Representative LEADS (Evidence 4)
 +
The content of evidence 4 is as follows:
 +
"[Mr. Mrs. XXXXXX] to hire you, I need to record your agreement.
 +
agreement?. [Yes].
 +
Well, it is [hh: mm] on the day [dd] of [mm] of [20XX] and [Mr / Mrs] [name
 +
and surnames] with DNI [DNI number] has requested the call from EDP and as
 +
[husband / wife / child / attorney-in-fact / representative] and on behalf of the owner
 +
[name and surname / company name] with DNI / CIF [DNI / CIF number], telephone [telephone]
 +
and email [email] accepts EDP's offer for the address [address
 +
supply] consisting of [plan conditions -dto. in the light for [CUPS
 +
LIGHT: ES ………… ..] on the current EDP price of electricity [price of
 +
power (€ / kW month) and energy term price (€ / kWh)] and / or [conditions of the
 +
plan -dto. in gas] for [GAS CUPS: ES ……………………….] and EDP price
 +
gas current [price term availability (€ / month) and term energy price
 +
(€ / kWh)]; and / or It works [annual price of the service, plan conditions
 +
promotion works]. The chosen form of payment is [direct debit at
 +
your current account / in the account ………] and will be charged [on the date indicated
 +
on the invoice / on a specific date, the days (dd) of the month. in that case the
 +
payment period may be less or more than the 20 days established in the
 +
normative]. On behalf of your client, and after passing a risk analysis
 +
of the operation, we will take the necessary steps to activate the contracts of
 +
access, moment from which the new contract will come into force, leaving
 +
solved the above.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 9
 +
9/141
 +
The contract / s will have a duration of 1 year, extendable for the same period
 +
Except for a complaint in advance of 15 days.
 +
Are you satisfied with the above information and conditions of the contract / s? "
 +
[Yes / Ok]. "Thank you."
 +
In a few days you will receive the contract (including withdrawal document) for
 +
duplicate, of which you will only have to return us signed one of the copies in
 +
The self-postage envelope does not need a stamp, which we will attach to it.
 +
You have 14 calendar days to exercise your right of withdrawal in the
 +
form that you consider appropriate. However, we can start the procedures
 +
during that period if you request it, in which case if you desist from the
 +
contract must pay the amount proportional to the borrowed part of the
 +
supply. Do you want your hiring to be processed immediately? [OTHERWISE]
 +
You will still receive an invoice from your current company for a period
 +
probably lower than normal. With the entry into force of the contract you will receive
 +
the EDP invoice with all our advantages.
 +
Your personal data and that of your client will be processed by EDP
 +
Comercializadora SAU and EDP Energía SAU to manage their contracts,
 +
fraud prevention, profiling based on customer information
 +
and EDP, as well as the realization of personalized communications about
 +
products or services directly related to their contracts, being able
 +
at any time oppose them.
 +
Additionally, so that from EDP we can advise you with the best
 +
proposals:
 +
May we present you with energy-related offers tailored to your
 +
profile after the end of the contract, or send you at any time
 +
information of non-energy products and services, of companies
 +
Collaborators or EDP?
 +
[OTHERWISE]
 +
Will you allow us to complete the commercial profile of your client with information
 +
of third-party databases, in order to send you proposals
 +
personalized services and the possibility of contracting or not certain services?
 +
[OTHERWISE]
 +
We remind you that you can exercise your rights to
 +
access, rectification, opposition, deletion, limitation and portability, through
 +
any of the routes indicated in the General Conditions that may
 +
check on our website www.edpenergia.es.
 +
B. Web: The option of contracting with a representative is not offered.
 +
C. Distributors:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 10
 +
10/141
 +
In the case of EDP's own commercial offices, data collection is carried out
 +
in the system of each of the suppliers, following the corresponding order
 +
according to the type of client, contracted product or campaign.
 +
Documents provided:
 +
1) Sales data template (Evidence 1)
 +
2) Representative management authorization template (Evidence 5)
 +
Regarding the content of the evidence 5, the document contains three
 +
Differentiated boxes. The first one indicates that "the HOLDER (D. ,,,, DNI or CIF) in
 +
proper name or representation of the company. " The second box indicates that
 +
“AUTHORIZES (D. ,,,, DNI ... or CIF) to carry out the management of (indicates 4 possibilities:
 +
registration / cancellation, change of ownership, change of direct debit, and / or other procedures)
 +
the box next to each of them must be marked. In the third box,
 +
collect "SIGNATURE" and leave the spaces corresponding to the place, date (day, month and
 +
year) and space for the signature of the authorizing and authorized.
 +
Next, the following legend is highlighted with a red background:
 +
"NOTE: TO BE VALID, THIS AUTHORIZATION MUST BE PRESENTED
 +
ACCOMPANIED BY PHOTOCOPY OF THE HOLDER'S AND THE AUTHORIZED'S ID.
 +
WHEN IT IS AN AUTHORIZATION GRANTED BY A REPRESENTATIVE
 +
DEL TIPO SA, SL, AIE, UTE, CB, COMMUNITY OF OWNERS,
 +
FOUNDATIONS, SCHOOLS, ..., IN ADDITION, A PHOTOCOPY OF THE
 +
TIMELY POWER OF ATTORNEY ”.
 +
The following text follows;
 +
"Interested parties are informed that the personal data provided in
 +
This form will be treated as the data controller by EDP ENERGÍA,
 +
SAU and EDP COMERCIALIZADORA, SAU so that they can be used
 +
for the processing of authorized management.
 +
The personal data that you provide us will be used, in the form and with the
 +
limitations and rights recognized by the General Data Protection Regulation
 +
(EU) 2016/679.
 +
The interested parties whose data are subject to treatment may exercise their rights
 +
of access, rectification, deletion, portability, limitation and opposition to treatment
 +
of these data, proving your identity, by email addressed to
 +
cclopd@edpenergia.es or by writing to the person responsible for the treatment at the
 +
Address Plaza del Fresno, 2 - 33007 Oviedo (Asturias). Likewise, you can put
 +
in contact with the EDP Data Protection Officer, at the same address
 +
postal or email dpd.es@edpenergia.es, if you understand
 +
violated any of your rights related to data protection, or in your
 +
case, file a claim with the Spanish Agency for Data Protection "
 +
D. External Sales Forces:
 +
In the case of external sales forces (fair stands, shopping centers and
 +
home visits, provided there is a prior request by the interested party), the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 11
 +
11/141
 +
Data collection is done on a paper stub. This data is digitized in
 +
Channel Management Tool (HGC).
 +
For verification, data collection is carried out in the system of the supplier of
 +
check.
 +
Documents:
 +
1) Sales receipt (Evidence 6)
 +
2) Sales data template (Evidence 1)
 +
3) Verification script (Evidence 7)
 +
With regard to evidence 6, which the defendant calls the
 +
sales, the document, under the title "contract for the supply of energy and / or services",
 +
It contains on its first page three boxes.
 +
In the first one there are spaces to fill in the data related to the point of
 +
supply (address, electricity cup, gas cup) and separately check boxes
 +
the contracting of a light + gas contract or one of the two services individually. I know
 +
They also contain spaces to fill in the data of the contract holder
 +
(name, surname, telephone and email) and representative data (name,
 +
NIF and address and several boxes are included to mark that the representative is in
 +
status of spouse / registered partner, ascendant / descendant or attorney-in-fact) below
 +
of such boxes, a text indicates that “it declares that it has sufficient powers to
 +
sign this contract on behalf of the client who is responsible for
 +
inform of all the conditions of the same. "
 +
Below this box is the following legend; "The client hires, for the
 +
supply indicated, the gas supply with EDP Comercializadora, SAU and the
 +
supply of electricity and / or complementary services with EDP Energía, SAU,
 +
(hereinafter jointly and / or individually, as appropriate, referred to as “EDP”) with
 +
in accordance with the Specific Conditions set out below and the
 +
General Conditions in annex.
 +
The client requests that the provision of the supply / supplies and / or services be
 +
start during the withdrawal period contemplated in the general conditions. "
 +
In the second box entitled specific conditions of the contract and in which
 +
Separately depending on whether it is gas or light, certain information is contained on
 +
rates and in which there are spaces to be completed and boxes to mark
 +
relating to the services that are contracted, it appears both in the gas part and in the
 +
light a box that must be marked to indicate that the owner is changing. I also know
 +
includes a space to fill in the data related to the current account for
 +
direct debit charges (this space is common to all contracted services)
 +
Below this box is the following text: “EDP reserves the right to
 +
waive this contract if the actual supply data does not comply with the
 +
declared by the client at the time of hiring. " Below is a box for
 +
mark that "The client expressly declares to know and accept the above
 +
Specific conditions." And another to mark that “The client declares to have been
 +
informed and received the annex with the General Conditions, which he accepts. " It adds
 +
then that “The client, if he / she had the status of consumer, has the RIGHT
 +
TO DESIST this contract if it had been formalized remotely or outside the
 +
establishments of the marketer as indicated in the general conditions
 +
and acknowledges that the corresponding withdrawal document has been delivered to the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 12
 +
12/141
 +
effect." Below is a box to mark that “The client declares to have
 +
received the withdrawal document and have been informed of it. "
 +
In the third box, under the heading CLIENT / REPRESENTATIVE after noting that the
 +
information related to data protection can be read on the back, allows you to mark
 +
the following consents:
 +
 I consent to the processing of my personal data once the relationship has ended
 +
contractual, to carry out commercial communications adapted to my profile
 +
of products and services related to the supply and consumption of energy. In addition,
 +
I consent to the aforementioned treatments during the term and after the end of the
 +
contract, on non-energy products and services, both of the Group companies
 +
EDP ​​and third parties.
 +
 I consent to the processing of my personal data for the elaboration of my profile
 +
with information from third party databases, for the
 +
adoption, by EDP, of automated decisions in order to send
 +
personalized commercial proposals, as well as to allow, or not, the contracting
 +
of certain services.
 +
On the back of the first page there is a section entitled “Basic information
 +
on Data Protection ”: which contains the following:
 +
" Personal data will be processed by EDP COMERCIALIZADORA,
 +
SAU and EDP ENERGÍA, SAU (hereinafter, jointly, EDP) as
 +
Responsible for the Treatment, for the maintenance, development, compliance and management
 +
tion of the contractual relationship, fraud prevention, profiling based on
 +
in information provided by the Client and / or derived from the provision of the service by
 +
part of EDP, as well as sending commercial communications, related to products and
 +
services related to the supply and consumption of energy, maintenance of ins-
 +
facilities and equipment, and that can be customized based on your profile of
 +
Client, as reported in the General Conditions, being able to oppose in any-
 +
any time to send commercial communications. Additionally, the Client
 +
gives your explicit consent for the processing of personal data collected
 +
on the obverse. Without prejudice to the consents given, the client may exercise,
 +
at all times, your rights of access, rectification, opposition, deletion, limitation
 +
tion and portability, through any of the channels indicated in the Conditions
 +
General. "
 +
In the part of general conditions the following information regarding
 +
personal data protection:
 +
“ LOPD Purposes of the processing of personal data. According to
 +
provided in current regulations, the client is informed that all data
 +
provided in this contract are necessary for the purposes of its formalization.
 +
Said data, in addition to those obtained as a result of the execution of the
 +
contract, will be processed by EDP COMERCIALIZADORA, SAU, domiciled at
 +
c / General Concha, 20, 48001, Bilbao and by EDP ENERGIA, SAU with address at
 +
Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers,
 +
in order to manage, maintain, develop, complete and control the
 +
contracting supply of electricity and / or gas and / or complementary services of and / or
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 13
 +
13/141
 +
gas and / or complementary services of revision and / or technical assistance and / or program of
 +
points, and / or improvement of the service, to carry out actions to prevent
 +
fraud, as well as profiling, personalized commercial communications
 +
based on information provided by the Client and / or derived from the provision of the
 +
service by EDP and related to products and services related to the
 +
supply and consumption of energy, maintenance of facilities and equipment.
 +
These treatments will be carried out in strict compliance with the legislation
 +
current and insofar as they are necessary for the execution of the contract and / or the
 +
satisfaction of EDP's legitimate interests, provided that the latter are not
 +
other rights of the client prevail.
 +
Provided that the client has explicitly accepted it, their personal data will be
 +
treated, even once the contractual relationship has ended and provided that there is no
 +
Produces opposition to said treatment, to:
 +
(I) The promotion of financial services, payment protection services, automotive
 +
or related and electronic, own or third parties, offered by EDP and / or participation in
 +
promotional contests, as well as for the presentation of commercial proposals
 +
linked to the energy sector after the end of the contract, (II) The preparation of
 +
Commercial profiles of the Client by aggregating the databases of
 +
third parties, in order to offer the Client personalized products and services,
 +
thus improving the customer experience, (III) Decision-making
 +
automated, such as allowing the contracting, or not, of certain products
 +
and / or services based on the Client's profile and particularly, on data such as, the
 +
history of defaults, the history of hires, permanence, locations, data
 +
consumption, types of devices connected to the energy network, and similar data
 +
that allow to know in greater detail the risks associated with the contracting. (IV)
 +
Based on the results obtained from the aggregation of the indicated data,
 +
EDP ​​may make personalized offers, specifically aimed at achieving the
 +
contracting of certain products and / or services from EDP or from third parties
 +
depending on whether the client has consented to it or not, being in any case treated
 +
data whose age will not exceed one year. In the event that said process was carried out
 +
carried out in an automated way, the client will always have the right to obtain intervention
 +
human rights by EDP, admitting the challenge and, where appropriate, assessment of the
 +
resulting decision.
 +
Categories of data processed
 +
By virtue of the contractual relationship, EDP may process the following types of data
 +
personal: (I) Identifying data (name, surname, ID, postal address, address
 +
email address, supply point, etc.), (II) Identification codes or keys
 +
User and / or Client, (III) Personal characteristics data (date of birth,
 +
sex, nationality, etc.), (IV) Data of social circumstances (hobbies, style of
 +
life, marital status, etc.), (V) Data on energy consumption and derived lifestyle habits
 +
of these, (VI) Economic, financial, solvency and / or insurance data.
 +
Personal data will be kept for the duration of the contractual relationship
 +
and at most, during the statute of limitations for legal actions
 +
corresponding, unless the Client authorizes its treatment for a longer period,
 +
applying organizational and security measures from the beginning of the treatment
 +
to ensure the integrity, confidentiality, availability and resilience of data
 +
personal
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 14
 +
14/141
 +
Communications and recipients of personal data.
 +
All personal data derived from the provision of the service and those obtained in
 +
By virtue of this contract, they may be communicated to the following entities:
 +
i)
 +
The corresponding distribution company, producing with it an in-
 +
permanent exchange of information for the adequate provision of the service,
 +
among them the request for access to your network, the readings (which in the case of
 +
remote-managed controller will be hourly) and / or consumption estimation, quality control
 +
supply, request for supply cuts, modifications in the pos-
 +
tencia, etc.
 +
ii)
 +
The Organizations and Public Administrations that by Law correspond.
 +
iii)
 +
Banks and financial entities for the collection of services rendered.
 +
iv)
 +
Other companies of the business group, solely for administrative purposes
 +
internal and the management of the products and services contracted.
 +
v)
 +
National equity solvency and credit services (Asnef-Equifax,
 +
...) to which in case of non-payment, without just cause by the Client,
 +
You will be able to communicate the debt, as well as fraud prevention services,
 +
with the sole purpose of identifying erroneous or fraudulent information provided during-
 +
you the hiring process.
 +
saw)
 +
EDP ​​suppliers necessary for the adequate fulfillment of the obligations
 +
contractual arrangements, including those that may be located outside the State
 +
European Economic space, in which case it is duly adequate
 +
international data transfer.
 +
Rights of the data owner
 +
The client will have the possibility of exercising freely at all times
 +
and completely free the following rights:
 +
i)
 +
Access your personal data that is processed by
 +
EDP.
 +
ii)
 +
Rectify your personal data that is processed by
 +
EDP ​​that are inaccurate or incomplete.
 +
iii)
 +
Delete your personal data that is processed by EDP
 +
iv)
 +
Limit EDP's treatment of all or part of its
 +
personal information.
 +
v)
 +
Oppose certain treatment and decision-making
 +
automated data processing, requiring human intervention
 +
mana in the process, as well as to challenge the decisions that are final-
 +
adopted by virtue of the processing of your data.
 +
saw)
 +
Port your personal data in an interoperable format and auto-
 +
enough.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 15
 +
15/141
 +
vii)
 +
Withdraw at any time, the consents granted
 +
previously.
 +
In accordance with current regulations, the user can exercise their
 +
rights by requesting it in writing, and together with a copy of a certified document
 +
accrediting identity, at the following post-
 +
such: Plaza del Fresno, 2, 33007 Oviedo or in the email cclo-
 +
pd@edpenergía.es
 +
Likewise, you can contact the protection delegate
 +
of EDP data at the following postal address Plaza del Fresno, 2,
 +
33007 Oviedo or in the email dpd, es @ edpenergía.es, in the
 +
in case you understand that any of your related rights has been violated
 +
with data protection, or, where appropriate, file a claim
 +
before the Spanish Agency for Data Protection, at the address Calle
 +
de Jorge Juan, 6, 28001. Madrid "
 +
Evidence 7 refers to a sales process with express online verification.
 +
SCRIP VERIFIER-AGENT
 +
Part 1 (Agent call to number *** PHONE.1 or *** PHONE.2 )
 +
VERIF - EDP ​​Verifications, good morning. Can you tell me your phone number to
 +
perform verification?
 +
AGE - Good morning, my phone is XXXXX.
 +
VERIF-I proceed to issue the outgoing call.
 +
Part 2 (Outgoing call from the verifier to the agent's phone)
 +
VERIF: Good morning, can you tell me ID ?. XXXXX Can you tell me your name and surname and
 +
collaborating company? If the tool returns the collaborator's data (and the
 +
itself is active) we will check if they match, if so we continue, in
 +
If they do not match, we will ask you again for the data / s that do not match for
 +
reconfirm the discrepancy, if you continue we will indicate: «We cannot carry out the
 +
verification, the data you provide us is inconsistent »). In case the
 +
tool does not return anything to us, we will ask you again for your ID and if you continue
 +
Without appearing we indicate: «We cannot carry out the verification, your company has not
 +
accredited ».
 +
VERIF- Can you tell me the name, surname and ID of the signer? XXXXX How many contracts
 +
He has signed? XXXX (maximum 6 contracts per call) made at the EDP Stand
 +
in the CC XX / in the store of the collaborator XX
 +
VERIF-Is the signer the owner of the contracts? In case of being the owner, request
 +
contact telephone number and province. If you sign as a representative, request a name,
 +
Surname and DNI of / the holders (maximum 3) and contact telephone number and main province
 +
of each holder.
 +
VERIF-Can you tell me the phone number of the signer to carry out the verification?
 +
XXXXX
 +
VERIF-I proceed to issue the call to start the verification.
 +
Part 3 (Outgoing call from verifier to verification phone)
 +
VERIFY CUSTOMER- Good morning, I am XXXX from the company *** COMPANY.1
 +
collaborator of EDP. For security reasons I inform you that this call is
 +
being recorded, do you confirm that it is SIGNING NAME with DNI XXXX and that
 +
has just signed XX contracts at the collaborator's EDP stand / store (in case of
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 16
 +
16/141
 +
sign as representative indicate “in representation of name-surname HOLDER
 +
DNI) Yes / No . What relationship-kinship do you have with the owner? (this question I don't know
 +
performed when the owner is a company).
 +
- Tenant, I have the rented house. Request that it happen to the agent and
 +
tell you that a tenant cannot sign as a representative. KO verification.
 +
-Family or attorney-in-fact: continue verification.
 +
Perfect, please pass me on to the agent to take some information and carry out the
 +
verification, thank you.
 +
2.2. Description of the procedures enabled through each of the channels
 +
contract so that a third party can prove the representation of a holder to the
 +
sign a contract with EDP COMERCIALIZADORA, SAU
 +
A. Telephone Channel:
 +
A.1 - CAC INBOUND
 +
Recording of the legal text where the representative confirms the data provided from the
 +
represented.
 +
A.2 - TELEMARKETING
 +
Recording of the legal text where the representative confirms the data provided from the
 +
represented and durable support via sms / email where the representative confirms
 +
new said data.
 +
A.3 - LEADS
 +
Recording of the legal text where the representative confirms the data provided from the
 +
represented and durable support via sms / email where the representative confirms
 +
new said data.
 +
Additionally, in the pilot test of this channel, another
 +
sms / email informing of the representative's action.
 +
B. Web: The option of contracting with a representative is not offered.
 +
C. Distributors:
 +
In the case of EDP's own commercial offices, it is requested to fill out and
 +
signed by both interested parties (representative and owner) a document of
 +
express authorization in which the data of both persons and copies of their
 +
NIF.
 +
D. External Sales Forces:
 +
In the case of external sales forces (fair stands, shopping centers and
 +
home visits, provided there is a prior request by the interested party), the
 +
compilation, the hiring stub is kept where the representative declares
 +
have sufficient powers to sign the contract on behalf of the client to
 +
who is responsible for informing of all the conditions of this.
 +
Likewise, the verification recording is available and kept where they are confirmed
 +
with the representative the data of the represented, as well as the relationship / kinship that
 +
unites them.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 17
 +
17/141
 +
2.3. Specification of the procedure followed by EDP COMERCIALIZADORA, SAU
 +
to store the evidence that proves the capacity of representation of the
 +
third party in the procedures in which this type of contracting is carried out, with
 +
indication of the channel or channels for which each one is used.
 +
A. Telephone Channel:
 +
A.1 - CAC INBOUND
 +
The recording is stored linked to the commercial management system of
 +
Contacts where the request is registered.
 +
A.2 - TELEMARKETING
 +
The recording and durable media are stored in the recording system.
 +
Channel commercial management.
 +
A.3 - LEADS
 +
The recording and durable media are stored in the recording system.
 +
Channel commercial management.
 +
B. Web: The option of contracting with a representative is not offered.
 +
C. Distributors
 +
In the case of EDP's own Commercial Offices, the authorization document
 +
It is stored linked to the Contacts commercial management system
 +
where the request is registered.
 +
D. External Sales Forces:
 +
The recruitment stub and the recording of the verification call are located
 +
stored digitally in the Canales commercial management system.
 +
For its part, the paper copy is sent to the supplier commissioned by EDP of the
 +
custody of said documents.
 +
2.4. Attach models and / or examples of type evidence collected under the
 +
procedure followed in section 2.3.
 +
A. Telephone Channel:
 +
A.1 - CAC INBOUND
 +
An example is provided with the recordings (Evidence 8) It is an audio with the
 +
recording of a service contract in a specific case carried out through
 +
representation. Its content is the same as in evidence 2.
 +
A.2 - TELEMARKETING
 +
Examples of recordings and durable supports are provided (Evidence 9 and 10,
 +
respectively) Evidence 9 consists of an audio with the recording of the
 +
contracting services with a client representative. Play the content
 +
of evidence 3. Evidence 10 is a document with the following text:
 +
"Confirmation of acceptance of communication by sms:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 18
 +
18/141
 +
On 2019-04-26 15:50:06 an SMS was sent from the phone number
 +
*** PHONE. 3 with the text:
 +
EDP ​​Offer : *** OFFER. 1 Please respond with a YES to this SMS to
 +
accept and
 +
activate discounts. Thanks. Details:
 +
http://edpconfirma.es/OOUSEAVSXK to the recipient phone number
 +
*** PHONE . 4.
 +
This message was answered with the notification ID OOUSEAVSXK, on ​​the day
 +
2019-04-26 15:50:46 and with the text: If which we accept as valid for the
 +
processing of the product offered in the document shown to
 +
continuation. The personal data of the contractor and of
 +
the offer and the following information: Your personal data will be processed by
 +
EDP ​​Comercializadora SAU and EDP Energía SAU for the management of their
 +
contracts, fraud prevention, profiling based on information
 +
of the client and EDP, as well as the realization of communications
 +
personalized information on products or services directly related to their
 +
contracts, being able to oppose them at any time.
 +
We remind you that you can exercise your rights to
 +
access, rectification, opposition, deletion, limitation and portability, through
 +
any of the routes indicated in the General Conditions that can
 +
check on our website www.edpenergia.es. "
 +
A.3 - LEADS
 +
Examples are provided with recordings and durable media (Evidence 11, 12,
 +
and 13, respectively)
 +
B. Web: The option of contracting with a representative is not offered.
 +
C. Distributors:
 +
Regarding our own Commercial Offices, a model document is attached.
 +
authorization completed by the representative in favor of the represented
 +
(Evidence 14).
 +
D. External Sales Forces:
 +
With regard to the evidence generated by external sales forces, is attached
 +
hiring stub model where the representation is collected (Evidence 15),
 +
as well as the recording in which it is confirmed, as well as the relationship-kinship
 +
that links them (Evidence 16).
 +
THIRD. - Information on the number of contracts signed in 2018 and 2019 by
 +
third parties on behalf of the owners of the services (natural persons) with
 +
distinction of: 3.1. By virtue of what this representation is supported (power, degree of
 +
kinship, etc.) 3.2. Procedure or formula for accreditation of representation
 +
Following. 3.3. Recruitment channel for telephony, internet, own distributors or
 +
subcontractors, sales force with own or subcontracted home visits, etc. ...)
 +
In relation to the request for information regarding the number of contracts signed in
 +
the years 2018 and 2019 by third parties on behalf of individuals, it is put into
 +
knowledge of the AEPD the following information related to each of the channels:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 19
 +
19/141
 +
A. Telephone Channel: 11656
 +
A.1 - CAC INBOUND
 +
Year Channel Representation
 +
No. Contracts
 +
2018 CAC Relationship
 +
1,346
 +
2018 CAC Unrelated
 +
394
 +
2019 CAC
 +
Relationship
 +
983
 +
2019 CAC Unrelated
 +
278
 +
A.2 - TELEMARKETING
 +
Channel Year
 +
Representation
 +
No. Contracts
 +
2018 TELEMARKETING
 +
Relationship
 +
2,865
 +
2018 TELEMARKETING
 +
No kinship
 +
82
 +
2019 TELEMARKETING
 +
Relationship
 +
1,201
 +
2019 TELEMARKETING
 +
No kinship
 +
42
 +
A.3 - LEADS
 +
Channel Year
 +
Representation
 +
No. Contracts
 +
2018 LEADS
 +
Relationship
 +
5,518
 +
2018 LEADS
 +
No kinship
 +
849
 +
2019 LEADS
 +
Relationship
 +
6,127
 +
2019 LEADS
 +
No kinship
 +
1,160
 +
B. Web: Hiring with a representative is not contemplated.
 +
C. Distributors (own commercial offices):
 +
Year Channel Representation
 +
No. Contracts
 +
2018 OOCC Relationship
 +
194
 +
2018 OOCC Unrelated
 +
67
 +
2019 OOCC Relationship
 +
174
 +
2019 OOCC Unrelated
 +
78
 +
D. External Sales Forces: (trade fair stands, shopping centers - home visit)
 +
Year Channel Representation
 +
No. Contracts
 +
2018 FVE
 +
Relationship
 +
10,758
 +
2018 FVE
 +
No kinship
 +
118
 +
2019 FVE
 +
Relationship
 +
1,556
 +
2019 FVE
 +
No kinship
 +
58
 +
FIFTH : In writing dated May 29, 2020, sent on June 1, 2020,
 +
formulates a new information request to EPD COMERCIALIZADORA, SAU
 +
requesting the one listed below:
 +
1. Copy of the content included in the Register of Treatment Activities (article
 +
30 of the RGPD) regarding personal data processing activities
 +
carried out in the context of contracting services with EDP
 +
COMERCIALIZADORA, SAU
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 20
 +
20/141
 +
2. Copy of the content included in the Risk Analysis or Assessment carried out by the
 +
entity in compliance with article 32 of the RGPD regarding the processing of
 +
personal data made in the context of contracting services with EDP
 +
COMERCIALIZADORA, SAU
 +
3. Enter the information previously provided by the entity to the AEPD, registered
 +
with the number 001390/2020, it is specified on a recurring basis (see evidence 2, 3, 4,
 +
6, 10, 12, 14, 15) that personal data will be processed for all
 +
purposes described, in addition to EDP COMERCIALIZADORA, SAU, for another
 +
legal person (EDP ENERGIA, SAU). In this regard, the following is requested
 +
information:
 +
3.1. Reason that justifies that both entities process the personal data collected.
 +
3.2. Detail of the circumstances that condition, if any, that the treatments
 +
made on specific personal data are executed by one or the other
 +
entity.
 +
3.3. Detail, where appropriate, the procedures and mechanisms used to
 +
guarantee the separation of personal data processed by one and another entity of
 +
so that each one only has the possibility of treating what corresponds to it according to
 +
of the legitimate purpose pursued at all times.
 +
SIXTH: On June 17, 2020, a written entry from EDP is entered in this Agency
 +
COMERCIALIZADORA, SAU in which the following is stated regarding the last
 +
question raised in the request of this Agency referred to in point
 +
previous:
 +
"THIRD.- Enter the information previously provided by the entity to the AEPD,
 +
registered with the number 001387/2020, it is specified on a recurring basis (see
 +
evidences 2, 3, 4, 6, 10, 12, 14, 15) that personal data will be processed for the
 +
set of purposes described, in addition to EDP COMERCIALIZADORA, SAU,
 +
by another legal person (EDP ENERGIA, SAU). In this regard, the following is requested
 +
information:
 +
3.1. Reason that justifies that both entities process the personal data collected.
 +
3.2. Detail of the circumstances that condition, if any, that the treatments
 +
made on specific personal data are executed by one or the other
 +
entity.
 +
As these two questions are directly related to each other, the answer is given
 +
joint to them.
 +
In relation to the evidence provided and that correspond to supports that are
 +
used to carry out the contracting through the different channels is done
 +
reference, both to EDP COMERCIALIZADORA, and EDP ENERGÍA SAU (EDP
 +
ENERGY), because the company with which the services are contracted will be one or
 +
another depending on the product and / or service requested, being highly probable that
 +
the same customer when requesting the contracting of the electricity and gas supply, is
 +
contracting with both companies at the same time.
 +
For this reason, the “dual” contract has been drawn up and structured in such a way that a
 +
client can obtain discounts or additional advantages for the fact of contracting
 +
both energies with two companies of the same business group, and in order to
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 21
 +
21/141
 +
keep the discounts updated in each of the energies and information
 +
derived, it is necessary for both societies to know whether the energy initially
 +
contracted with the other Group company remains active in order to maintain and
 +
correctly manage the discounts / benefits applied.
 +
For this reason, and in order to provide the maximum possible transparency to a process
 +
carried out eminently in writing, such as the contracting of services
 +
energy, is why in the clause on data protection it is reported that
 +
the personal data provided during the hiring process will be processed by
 +
both entities, always respecting the functions of each one in accordance with the
 +
contract signed in each case and particularly the type of energy services that
 +
are finally hired.
 +
On the other hand, and regardless of the above, we inform you of this
 +
Agency that the existence of two companies within the Group with the role of entities
 +
trading companies is due to a purely formal issue, a consequence of the
 +
corporate structure and shareholding composition of the companies acquired by the
 +
EDP ​​Group at the time of its establishment in Spain, but not
 +
corresponds to the operational functioning of said marketers, since
 +
only one of them, EDP COMERCIALIZADORA, currently has
 +
employees and managerial and operational capacity. Thus, in practice, all
 +
treatments are carried out by said entity, either as responsible for the
 +
treatment or as person in charge of the treatment of EDP ENERGÍA.
 +
Additionally, it should be noted that the EDP Group had planned the corporate reorganization
 +
of EDP COMERCIALIZADORA and EDP ENERGÍA and the adaptation of their structure
 +
company with that of its actual operation and its business operations. Bliss
 +
reorganization has been currently affected by a process of sale to TOTAL
 +
in which both companies are immersed, and that if it materializes, it could alter or
 +
finalize said integration.
 +
3.3. Detail, where appropriate, the procedures and mechanisms used to
 +
guarantee the separation of personal data processed by one and another entity of
 +
so that each one only has the possibility of treating what corresponds to it according to
 +
of the legitimate purpose pursued at all times.
 +
As already stated, all users with access to the system are employees of
 +
EDP ​​COMMERCIALIZADORA.
 +
In this way, EDP agents access the personal data of the clients of
 +
said entity as data controllers or, they have access to the
 +
personal data of EDP ENERGÍA clients, as Manager of the
 +
Treatment, in compliance with the provision of customer management services of
 +
EDP ​​ENERGÍA entrusted to it by EDP COMERCIALIZADORA, being
 +
managed as the two different roles they occupy by virtue of the
 +
contractual regulation that we make available to this Agency. "
 +
Along with this response, an extract from the Registry of Treatment Activities is provided.
 +
which includes the records relating to the activities carried out in the field of
 +
contracting of products and / or services and the risk analysis carried out regarding the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 22
 +
22/141
 +
treatments that are carried out in the context of contracting products and / or
 +
services.
 +
The risk analysis is contained in an Excel document, it does not contain a date or
 +
firm. 15 risk factors are listed; 1. Commercially sensitive information, 2.
 +
Commercial Communications, 3. Data Origin (external or internal source), 4. Assignments
 +
of data. 5, Treatment Managers. 6. International transfers. 7. Activities
 +
scoring / profiling. 8. Automated decisions. 9. Systematic monitoring of
 +
Headlines. 10. Special categories of data. 11. Large-scale data processing.
 +
12. Data interconnections / Big Data. 13. Minor Data / Vulnerable Holders. 14.
 +
Application or use of innovative technologies 15. Unavoidable Treatment / Restriction
 +
exercise rights or access service. Regarding the potential risk assessment
 +
inherent, the risk scale has 4 levels: low, with a rating from 0 to 12;
 +
average score from 13 to 25; high from 26 to 38 and very high from 39 to 51. The assessment or
 +
The weight given to each of the risk factors is from 1 to 4. In the analysis of
 +
risks, a yes or no is marked for each of the sales channels in each of the
 +
15 risk factors listed above. The sum of the weight attributed to each of
 +
the factors for each channel determine the inherent risk. The result of risk
 +
inherent is medium in all contracting channels, except in web channels and
 +
external forces through home visits in which the risk outcome
 +
inherent is low. Risk correction measures are not indicated.
 +
SEVENTH: Information is obtained on the volume of sales of the entity being
 +
the results of the turnover during the year 2019 of 989,491,000 euros. The
 +
Capital according to the information obtained from the Mercantile Registry is 1,487,895
 +
euros.
 +
Information is obtained on the number of clients of the entity. According to the report of
 +
supervision of the changes of marketer, corresponding to the first quarter of
 +
2019, of the National Markets and Competition Commission, the number of
 +
supply points of the entity as of March 31, 2019, corresponding to the scope
 +
domestic, amounted to 893,736, constituting 11.4% of the total gas sector in
 +
said domestic environment.
 +
EIGHTH: On July 16, 2020, a written entry from EDP has been entered in this Agency
 +
COMERCIALIZADORA, SAU stating that “In the framework of the procedure above
 +
referenced, EDP was required by the AEPD to clarify, among others
 +
extremes, certain information related to contracting procedures
 +
implemented in EDP carried out with the intervention of a third party authorized by the owner,
 +
as well as addressing the suggestion made in previous procedures communicated by
 +
part of the AEPD in which it was suggested to carry out modifications in the mode in
 +
that these types of contracts are carried out.
 +
2. That, for all of the above, EDP has reviewed the procedure to be followed in the
 +
contracting by third parties on behalf of the owner, in order to strengthen said
 +
procedure and reduce the risks of possible identity theft carried out
 +
in bad faith by the contracting party in this type of process, taking into account,
 +
additionally, the particular needs identified as a result of the state of
 +
alarm decreed last March and that has necessarily required that
 +
all contracts are carried out in a non-face-to-face way.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 23
 +
23/141
 +
3. That in order to inform the AEPD of the specific actions that are
 +
are being carried out in relation to this matter by EDP, in compliance
 +
of their duty of proactive compliance (accountability), we attach the
 +
"Contracting procedure by third parties on behalf of the owner", so that they have
 +
visibility on the modifications that are being implemented in these processes
 +
in order to meet your request in this regard, as well as to highlight the
 +
EDP's proactivity regarding its suggestion of adaptation of said
 +
process."
 +
The following aspects are detailed in three sections below: purpose,
 +
contracting procedure with third parties and data and interests of those affected.
 +
In the first section, called the purpose after exposing the situation, it states the
 +
following proposal: “A contracting procedure that, through correct use
 +
and technology insurance, facilitate the contracting of EDP services by
 +
clients through a third party acting under a mandate under the terms of Title IX
 +
of the Fourth Book of the Civil Code, protecting in any case the rights of the client and
 +
agent about your personal data, which will only be treated in accordance with
 +
an adequate basis of legitimacy and in compliance with the principles of the RGPD,
 +
ensuring that they are informed about the treatment and that they can exercise their
 +
rights at all times, as well as to act in case of identifying any action
 +
irregular."
 +
In the second section relating to the contracting procedure with third parties,
 +
distinguishes the procedure followed with a representative with written authorization from the
 +
followed by agent with verbal authorization. In the first case, the
 +
next steps: the agent is informed, the data and authorization are collected and the
 +
contracts on behalf of the client. In the case of the agent with verbal authorization, the
 +
The steps to follow are as follows: EDP proceeds to the information at the
 +
agent and data collection, to be hired by the agent in the name and
 +
representation of the client, sending the client information on the contracting and
 +
possibility of the client to disavow the contract.
 +
Regarding the information to the agent and the collection of the data, it consists of,
 +
as set forth, in the following:
 +
- Services are offered and explained
 +
- It is informed about the need to collect certain data for contracting, as well
 +
as well as the use that will be made of them and the place where more
 +
information about it.
 +
- The data of the agent and the client are requested
 +
- The agent provides EDP with his own data and those of the client and confirms that it is
 +
empowered to negotiate and sign the contract on behalf of the client
 +
- The contract includes all the information required by the applicable regulations and in
 +
relationship with the processing of personal data derived from the hiring.
 +
Regarding the hiring by the agent on behalf of the client
 +
differentiates the hiring in own commercial offices and outside the establishment
 +
mercantile, in which the information is collected in the contract and delivered in support
 +
durable or digital to the agent and remote contracting (by phone)
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 24
 +
24/141
 +
distinguishing between incoming calls to EDP's CAC, in which the
 +
conversation or outgoing calls (telemarketing, outgoing calls
 +
EDP ​​providers) in which the conversation is recorded, and the contract is sent in
 +
durable support to the president (It is clarified that the conversations are recorded after
 +
have previously informed the user that the conversation is going to be recorded.
 +
The following is noted regarding the step related to sending information to the client
 +
about hiring.
 +
-Once the contract is formalized by the agent, when there is no
 +
written authorization, is sent to the client, by email or SMS, depending on the
 +
communication channel available in each case, a communication in which
 +
It includes: o Confirmation of the contract made through your agent,
 +
including the agent's data or URL link to access the contract signed by
 +
the agent on his behalf (with guarantees of content integrity and accreditation
 +
of the exact date of realization) where you can exercise your right to disallow
 +
hiring in a simple and intuitive way (with a single click) View, print, or
 +
download the contract and withdrawal document
 +
The contract collects all the information about the treatment of the client's data by
 +
part of EDP, in addition to the details of the contracted services.
 +
Clarifies that the contracting procedure based on double authentication factor
 +
It has been designed taking into consideration the procedure approved by the
 +
National Markets and Competition Commission for carrying out portability and
 +
hiring in the telecommunications sector, a sector very similar in
 +
that the contracting procedure refers to.
 +
The communication is made through a trusted third party that accredits the shipment
 +
of the SMS / mail as follows:
 +
-SMS message:
 +
EDP ​​XXXXXXXX. NAME REP SURNAME REP has contracted energy / services in
 +
your name. Before 14 days you can disallow it. Details:
 +
https://edpcontrato.es/VER/JAOCOARGPG
 +
-E-MAIL Message:
 +
SUBJECT: Hiring of NAME TIT SURNAME TIT with EDP
 +
Hello, we inform you that NAME REP SURNAME REP has made on your behalf
 +
the XXXXXXXX contracting related to your energy supply / services. Have
 +
14 days to disallow said management.
 +
See details at: https://edpcontrato.es/VER/JAOCOARGPG
 +
The step related to the "Possibility for the client to reject the contract" consists of
 +
in the following:
 +
A link is sent to the client, through which they access a portal from which they are
 +
It allows:
 +
- View contract with the possibility of downloading or printing it or
 +
- Disallow the hiring with a single click. Evidence is generated that
 +
guarantees the traceability of the action (exact moment of the realization, as well as
 +
integrity of associated evidence) or
 +
- Download the withdrawal document.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 25
 +
25/141
 +
Regarding the third section, data and interests affected, it is indicated what
 +
following:
 +
It has been determined that to achieve the purpose of the treatment, it is essential to
 +
treatment of the following categories of personal data:
 +
-With written authorization
 +
Customer data: Identification (includes copy of DNI), Contact, Services
 +
contracted, Bank details, Supply point data
 +
Mandatory data: Identification (includes a copy of the DNI), Relationship with the owner
 +
(yes / no), Contact
 +
- With verbal authorization:
 +
Customer data: Identification, Contact, Contracted services, Bank details,
 +
Supply point data.
 +
Mandatory data: Identification, Relationship with the owner (yes / no), Contact.
 +
NINTH: Access to the internet site indicated in evidence 3 and 4
 +
(www.edpenergia.es) in order to download the General Conditions of
 +
Hiring.
 +
The procedure followed to download the document that contains the Conditions
 +
General Contracting, as stated in the diligence of the acting inspector, has
 +
been the following:
 +
-Access through the internet browser to the address
 +
https://www.edpenergia.es/es/
 +
- Introduction in the search engine of the text page itself: "General Conditions"
 +
-The website shows, under the following address:
 +
https://www.edpenergia.es/es/buscadorGeneral.do?tiposBusqueda=C%7CM
 +
% 7CD & idMenuSegmento = 18 & textBusqueda = Conditions + General, 2 tabs
 +
one called related information and the other Documents.
 +
-The "Documents" tab of the Search Results is selected. Is
 +
offers a total of 78 results, the third of which corresponds to the
 +
"General contracting conditions".
 +
-The "General contracting conditions" are selected and automatically
 +
open a new browser window pointing to the following internet address:
 +
https://www.edpenergia.es/resources/doc/comercial/2019/09/10/condicionesgenerales-
 +
de-contratacion.pdf
 +
-Download the document
 +
The content of the general conditions in the "LOPD" section coincides with the
 +
transcribed as evidence 6, with the same LOPD title within the conditions
 +
general, in the fourth number of this Agreement for the Initiation of the procedure
 +
sanctioner.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 26
 +
26/141
 +
TENTH: On July 31, 2020, the Director of the Spanish Agency for
 +
Data Protection agreed to initiate a sanctioning procedure against the entity EDP
 +
COMERCIALIZADORA, SAU, in accordance with the provisions of article 58.2 of the
 +
Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016,
 +
Relating to the Protection of Natural Persons with regard to the Treatment of
 +
Personal Data and the Free Circulation of this Data (General Regulation of
 +
Data Protection, hereinafter RGPD), for the alleged infringement of article 25
 +
of the RGPD, typified in article 83.4.a) of the aforementioned Regulation; for the alleged
 +
infringement of article 6 of the RGPD typified in article 83.5.a) of the aforementioned
 +
Regulation; for the alleged violation of article 22 of the RGPD, typified in the
 +
Article 83.5.b) of the aforementioned Regulation; and for the alleged violation of article 13 of the
 +
RGPD, typified in article 83.5.b) of the aforementioned Regulation, determining that the
 +
The penalty that may correspond would amount to a total of 3,500,000.00 euros, without
 +
detriment to what results from the instruction.
 +
ELEVENTH: The aforementioned initiation agreement has been notified , the investigated entity
 +
filed on August 4, 2020, requesting an extension of the term to the
 +
object of presenting allegations. Once the extension of the term was granted,
 +
allegations dated 08/24/2020 which are mainly the following:
 +
FIRST: ALLEGED BREACH OF THE PRIVACY PRINCIPLE BY
 +
DESIGN IN THE HIRING PROCESSES THROUGH A REPRESENTATIVE.
 +
The AEPD intends to justify the initiation of this sanctioning file in the alleged
 +
lack of documentation that has never been requested. In this regard,
 +
It should be noted that EDP COMERCIALIZADORA has a methodology of
 +
identification, analysis and risk management, both to identify risks
 +
inherent, as well as specifically to assess the need to carry out the
 +
Impact Evaluations, alleges that it includes as an annex the documentation
 +
justification that more than certifies that EDP COMERCIALIZADORA complies with
 +
fully and fully with these obligations and which is specified in the following: -
 +
"Methodology for Risk Analysis and Performance of Impact Assessments" -
 +
"Registration of treatment activities and risk assessment of treatments
 +
related to the contracting of EDP COMERCIALIZADORA ”-“ Evaluation of
 +
Privacy Impact: Channel of Leads to Convert by Telemarketing "-" Evaluation
 +
of Privacy Impact: Telemarketing to clients for upselling or recovery of
 +
abandonments "-" Privacy Impact Assessment: CAC Channel to Clients OR Clients
 +
Potentials (Inbound) ”-“ Privacy Impact Assessment: OOCC Channel a
 +
clients or potential clients (Reactive sale) ”-“ Impact Assessment of
 +
Privacy: Third-party stores channel for sale to potential customers (Reactive sale) ”-
 +
"Privacy Impact Assessment: External sales forces through stands
 +
at fairs and shopping centers (reactive sales) ”-“ Impact Assessment of
 +
Privacy: Treatment activity: Carrying out B2C Customer Scoring prior to
 +
the hiring".
 +
Likewise, and as a consequence of the measures adopted as a result of the
 +
recommendations derived from risk analysis and impact assessments
 +
carried out by EPD comercializadora, a large number of
 +
of procedures for compliance with data protection obligations
 +
from the design and by default that are provided as annex 2: Specifically, it is
 +
include in this Annex 2 the following procedures related to Privacy
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 27
 +
27/141
 +
from the Design and by Default, which are part of the Governance, Risks and
 +
Data protection regulatory compliance of EDP COMERCIALIZADORA: •
 +
EDP's Data Protection Methodology from Design and Default •
 +
Operational instruction Privacy By Design and Privacy by Default of the commercial area •
 +
Form for characterization and registration of treatment activities for analysis
 +
Privacy by Design and Privacy by Default • Flow chart of the Privacy By Design process
 +
and Privacy by Default.
 +
It is really striking that the AEPD gives the relevance it gives to the fact
 +
specifically that EDP COMERCIALIZADORA had not taken into consideration in
 +
its risk analysis, the specific analysis of the risks associated with the possibility
 +
of contracting through a representative, when the AEPD itself, in its own "Guide
 +
Risk Analysis Practice in the processing of data subject to the RGPD "
 +
(published on their website (https://www.aepd.es/sites/default/files/2019-09/guiaanalisis-de-
 +
risks-rgpd.pdf) does not include any direct or indirect reference to the need
 +
to assess the specific risk in relation to data processing, whether in
 +
contracting or in other processes, carried out by authorized third parties.
 +
Second, it alleges that all the data processing carried out by
 +
EDP ​​COMERCIALIZADORA were analyzed to verify their degree of compliance
 +
of the obligations related to RGPD, proposing measures for their correct
 +
adaptation, regardless of the need for evaluations
 +
impact or not. Delving into the specific risk related to the contracting carried out
 +
through third parties, it must be indicated that the content of the analyzes carried out was
 +
updated at the time, taking into account the considerations that the AEPD has
 +
transferred to EDP COMERCIALIZADORA in the administrative procedure
 +
related to this issue that began at the end of 2019 and that, we understand,
 +
is the cause of the sanctioning procedure in which we find ourselves in these
 +
moments. Indeed, as has already had the opportunity to expose in the framework
 +
of said sanctioning procedure previously initiated by the AEPD, the processes
 +
contracting through authorized third parties had not been identified by
 +
of EDP COMERCIALIZADORA as an inherent risk factor that was
 +
relevant, taking into account that: 1) The practically non-existence of claims for
 +
part of clients in relation to this reason. 2) EDP COMERCIALIZADORA does not
 +
Until now, it had no disciplinary proceedings opened for this cause.
 +
3) The contracting carried out through a third party as a verbal agent is found
 +
expressly recognized in the Civil Code of 1889.
 +
Although the potential risks identified by the AEPD are perfectly possible,
 +
the probability of materialization of said risks, in the specific case of EDP
 +
MARKETING COMPANY, was practically nil and that therefore their diligence, in what
 +
Regarding the performance of the risk analysis, it has been amply accredited.
 +
Specifically, this fact is based on the very low number of claims for
 +
this reason that EDP COMERCIALIZADORA has received. Indeed, there is one (1)
 +
sole claim with respect to a total of 33,848 contracts made, as
 +
It appears in the information provided in the file itself, what we understand, that
 +
as the AEPD will surely agree with EDP COMERCIALIZADORA, in
 +
probabilistic terms, it could be considered a value that, objectively, does not
 +
requires an independent and detailed assessment.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 28
 +
28/141
 +
It states that the possibility of entering into a contract between two parties through the
 +
intermediation of a third party is an exclusive question of Civil Law, so the
 +
need, or not, of formalities associated with the accreditation of the representation has
 +
to be governed by the provisions of the Civil Code and, where appropriate, by the provisions of the
 +
consumer protection regulations. In this regard, the requirement by the
 +
AEPD that the representation alluded to by the representative is recorded in a medium that
 +
allow its accreditation could be considered logical in an isolated interpretation of
 +
data protection regulations, but it loses meaning when put in context
 +
with the rest of the legal system, more specifically, with the provisions of the Code
 +
Civil, which contemplates, among others, the possibility of hiring by representative
 +
included in article 1259, or the figure of the "mandate", regulated in articles 1709
 +
to 1739 l himself and stating that "the contract of mandate is obliged to
 +
person to provide a service or do something for the account or commission of another »and
 +
for which total freedom of form is allowed, establishing that "the mandate may
 +
be express or tacit "and that, likewise," acceptance may also be express or
 +
tacit, deduced this last one of the acts of the agent chief executive ». In this case, it does not seem
 +
that such a wide freedom of form is compatible with obtaining evidence of
 +
the existence of the representation or mandate, beyond the manifestations of the
 +
agent, protected by good contractual faith. Likewise, there is little
 +
understandable that a separate consent is required for the treatment of
 +
your data or a confirmation of the order by the principal, since this
 +
would imply denaturing the representation, inasmuch as it would be absurd that who is
 +
designated for the conclusion of a contract in favor of a third party cannot facilitate
 +
the data of the person on whose behalf it acts, or that confirmation is necessary
 +
separated from it to authorize said communication, since the need to
 +
Addressing the represented person directly would make the representative's intervention useless,
 +
since it would be meaningless.
 +
Likewise, and in relation to the possibility that the represented party may provide
 +
additional consents to the hiring itself, it should be noted that this
 +
possibility may well have been authorized by the represented in a way
 +
specific, but as the same freedom of form governs for the granting of this
 +
power (which the norm does not oblige in any case to provide in writing), nor is it
 +
Your reliable accreditation is required at the time of hiring . About this
 +
In particular, it should be noted that to date no assumptions have occurred in the
 +
that any type of incidents have been reported by those represented
 +
related to the granting of said consents.
 +
Regarding other risks identified by the AEPD, it must be indicated that the
 +
The risk of identity theft is very low, since the representative identifies himself
 +
personally by reliable means when the hiring is face-to-face and
 +
providing your DNI data when you do it remotely. However, as well
 +
the AEPD knows the risk theory, it does not hold that the existence of a low risk
 +
may be considered a non-existent risk. In this sense, the risks of there being
 +
identity theft do not differ from those that correspond to the
 +
contracting in their own name, since the same checks are carried out for
 +
avoid this, based on the risks and threats detected in relation to each form
 +
hiring. Therefore, it cannot be taken for granted that this risk was not
 +
taken into consideration by EDP COMERCIALIZADORA, or that no
 +
adopted measures aimed at its mitigation, as will be explained below
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 29
 +
29/141
 +
in the explanation of the hiring procedure. On the other hand, in what I know
 +
refers to the potential economic damages, although this is a question more
 +
linked again to the civil field of contracting than to data protection
 +
personal, it must be indicated that in the cases in which the annulment of the
 +
contracts for any reason, EDP COMERCIALIZADORA assumes the costs of the
 +
services provided, so there would be no economic damage to the
 +
affected, proof of this is that EDP COMERCIALIZADORA has not received until the
 +
moment no claim for the alleged damages wielded by the
 +
AEPD
 +
Regarding the way in which the contracting is carried out, as already stated and stated
 +
both in the information made available to that Agency and in the Background
 +
In fact of the Initiation Agreement, the contracting of the services is preceded by a
 +
series of guarantees that allow to identify the author of the contracts, following the
 +
common practices throughout the supply service contracting sector and by
 +
companies known as "Utilities", both in person and remotely,
 +
this information being recorded, so that, in the event of any
 +
incidence, there is evidence of who is the person who has carried out the
 +
hiring. Against the insignificance that the AEPD intends to grant to the
 +
statement of the representative, perfectly identified, on his condition of
 +
representative of the person in whose name it contracts, it should be noted that this
 +
manifestation has binding legal consequences, which, as already stated,
 +
are subject to regulation and are expressly recognized by our
 +
Legal System, and that imply responsibilities, both from the point of view of
 +
civil view, as well as criminal, so it is not a “mere manifestation”, like the
 +
He came to name the AEPD in the Fundamentals of Law of his writing of initiation of
 +
sanctioning procedure, but it is a legal act, such as the
 +
own consent of the owner, defined by the RGPD itself as a "manifestation
 +
of will ”. Therefore, it does not seem that a legal defense can be defended
 +
discrimination of the relevance of some manifestations versus others, due to the fact that
 +
that are included or not within a specific regulation, or manifested from a
 +
form, or other. Likewise, as stated in the Factual Background, although
 +
later it seems to be obviated in the Fundamentals of Law, in all cases
 +
in which the contracting is carried out remotely, it is indicated that: “To the contract holder, to
 +
informative purposes, it is sent to you in duplicate, with a stamped envelope, the
 +
contractual documentation in compliance with the provisions of the regulations of
 +
protection of consumers and users ”. That is why, in any case, the owner
 +
You have the possibility of knowing the terms in which the
 +
hiring.
 +
Notwithstanding all of the above, as a result of the sanctioning procedures opened in
 +
the year 2019, and following the criteria transferred by the AEPD in the resolution of the
 +
PS / 0025/2019 (do not sign on the day of the presentation of this brief, due to being appealed)
 +
EDP ​​COMERCIALIZADORA has proceeded to identify the risk
 +
related to the intervention of third parties in contracting, making the
 +
corresponding detailed analysis of this issue and have
 +
proposals for improvement, in order to comply with the AEPD considerations of
 +
so that in the contracting procedures the person in question is always informed
 +
whose name is hired. The proposed contracting protocol has been put into
 +
knowledge of the AEPD on July 16, 2020 and registration number
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 30
 +
30/141
 +
025308/2020, presented in any case before receiving the written Start Agreement
 +
of Sanctioning Procedure, being a Request for information with number
 +
common for EPD ENERGÍA and EDP COMERCIALIZADORA without the
 +
AEPD has ruled on it with the corresponding legal report
 +
assessment, as requested, in order to implement a system that
 +
was fully in accordance with the criteria and interpretations of the AEPD, limiting
 +
so far to be included in the Initiation Agreement sent to EDP
 +
COMMERCIALIZER certain considerations in relation to the same.
 +
Specifically, the doubts raised in relation to the proposed procedure, which
 +
We understand they are the only ones that the AEPD has, they are the following: 1) It is not clarified if
 +
applies to all contracting channels, including the Leads subchannel which is not
 +
makes no reference; 2) situations in which it cannot be reported are not contemplated
 +
to the represented by the indicated means (email or SMS); 3) not reported
 +
to the client of the consents provided by the representative for other
 +
treatments for purposes other than contracting the service requested during
 +
the hiring process, nor the possibility of revoking such consents. 4) no
 +
effective dates for the implementation of this procedure are indicated.
 +
Again, incomprehensibly, instead of requesting additional information from EDP
 +
MARKETING COMPANY in relation to the proposed procedure, the AEPD chooses to
 +
negatively interpret information whose content is not clear to you. Not
 +
However, and as we understand that the will of the AEPD, like that of EDP
 +
MARKETING COMPANY, is to achieve a procedure that allows not only to give
 +
compliance with the different contracting modalities provided for in the Civil Code,
 +
recognized by consumer authorities and competent courts in matters
 +
contractual, but also to the considerations of the AEPD, below,
 +
We proceed to clarify what we understand would be the only doubts of the AEPD in
 +
regarding the modifications to the contracting procedure sent: 1) The
 +
The proposed procedure will be applied to all the contracting channels with which
 +
EDP ​​COMERCIALIZADORA works, including the “Leads” and any other than in the
 +
future implement EDP COMERCIALIZADORA. 2) Regarding the doubt raised in
 +
around what would happen in the event that the contracting person does not have
 +
none of the means provided to carry out the confirmation of the contract
 +
(email or SMS), indicate that the alternatives will be: a. Make it your own
 +
holder b. Presenting written authorization and copy of the ID of the representative and
 +
represented 3) Regarding the consents granted and the possibility of
 +
revoke them, it should be noted that the communication gives access to the
 +
contractual documentation, where each of the consents are recorded. The
 +
Once this information is known, the user has the possibility of modifying them. Not
 +
However, as a result of the comment of the AEPD in which it questions the validity of the
 +
Authorization of the representative for the authorization of additional consents to the
 +
contracting, EDP COMERCIALIZADORA proposes to allow representation only for
 +
this purpose and will collect additional consents directly from the owner. 4) In
 +
Regarding the date of implantation, it depends precisely on the opinion that
 +
the AEPD states about this procedure, since it would not make sense to put it
 +
ongoing if the supervisory authority considers that it does not meet its criteria for
 +
consider it an appropriate procedure, taking into account the economic costs
 +
associated with this implementation, in addition to the resources of time and dedication
 +
necessary for the deployment of these measures.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 31
 +
31/141
 +
It is alleged that the alleged breach of the obligations of article 25 RGPD, and
 +
the consequent quantification of possible sanction to impose on my client
 +
derived from said alleged breach, lack any basis for its
 +
consideration. In addition, and, in any case, the quantification of said possible sanction
 +
it lacks any hint of being proportionate.
 +
SECOND. - ALLEGED BREACH IN RELATION TO THE
 +
CONSENT PROVIDED BY THE INTERESTED PARTY .
 +
It alleges that it is interested in stating that the treatment relating to the creation of
 +
a commercial profile based on the information of third parties for the referral of
 +
advertising information is not, in practice, being made, nor at the date of
 +
issuance of these allegations, nor prior to them. For the
 +
Therefore, the treatment that could potentially have been carried out, has not had
 +
place in no case, at any time, so, even though it can be questioned
 +
From the point of view of the other requirements of the RGPD, it is not possible to attribute to EDP
 +
MARKETER carrying out unlawful conduct that may be
 +
punishable derived from the mere obtaining of the consents related to a
 +
treatment of data that, to date, has been non-existent and that therefore, has not
 +
generated the alleged damage to the fundamental rights of citizens
 +
wielded by this Agency. The commission of the offense of reference, regulated in the
 +
Article 83.5 (a) RGPD and 72.1.b) of the LOPDGDD, necessarily requires that
 +
a treatment has actually been caused and that it has not been
 +
The adequate legitimation basis has been identified or has not been regularized, stating: “1.
 +
In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
 +
considered very serious and will prescribe after three years the infractions that suppose
 +
a substantial violation of the articles mentioned therein and, in particular, the
 +
following: (…) b. The processing of personal data without the concurrence of any of the
 +
conditions of legality of the treatment established in article 6 of the Regulation
 +
(EU) 2016/679 ".
 +
In relation to informed consent, in the Agreement to Start the Procedure
 +
Sanctioner to consider that the required consent is invalid, is part of
 +
the consideration that the information provided to the interested party is not
 +
sufficient, inasmuch as it is not indicated, nor what third-party bases will be consulted, nor
 +
what type of data will be collected, so that the interested party does not know
 +
absolutely what it is that you are consenting to. And it is appreciated that a single
 +
consent for two different purposes. In this regard it is alleged that the
 +
Information is provided in accordance with the good practices set forth by the
 +
AEPD and ratified by the LOPDGDD, so that it is transferred to the interested parties
 +
through the double layer system, so that the interested party can reinforce
 +
the information provided through the consultation contained therein, through the
 +
different mechanisms that are granted for this purpose (informative locution, reverse of the
 +
EDP ​​COMERCIALIZADORA physical document or website.
 +
In relation to the absence of clear identification of the sources of third parties or the
 +
categories of data, it should be noted that such information can be derived from the
 +
information provided to the customer in the first layer (by clearly identifying that the
 +
treatment will be carried out with third-party sources) as in the second layer, whose
 +
content is contained in the section called "general conditions of the contract",
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 32
 +
32/141
 +
whose content indicates: “(II) The elaboration of commercial profiles of the Client
 +
by aggregating EDP databases with data from
 +
databases of third parties, in order to offer the Client products and services
 +
personalized, thus improving the Customer experience. (III) The adoption of
 +
automated decisions, such as allowing the hiring, or not, of certain
 +
products and / or services based on the Client's profile and particularly, on data
 +
such as, the history of defaults, the history of hiring, permanence,
 +
locations, consumption data, types of devices connected to the energy network, and
 +
similar data that allow to know in greater detail the risks associated with the
 +
hiring. (iv) Based on the results obtained from the aggregation of the
 +
data indicated, EDP may make personalized offers and specifically
 +
aimed at achieving the contracting of certain EDP products and / or services. "
 +
As reflected in the cited text, EDP COMERCIALIZADORA has identified
 +
in great detail the types of data that are treated for the detailed purposes, being
 +
the sources consulted for this an obvious derivation of the above.
 +
The indication made on obtaining third-party sources is, therefore,
 +
sufficient content for the user to be fully aware that their
 +
authorization will mean the possibility that the authorized entity can obtain said
 +
information. It must be remembered that there is no legal requirement that, in the
 +
At the time of collecting the data of the interested party, the questioned information must
 +
be contemplated directly in the consent requested. That is, being the
 +
origin of the data the interested party, it only corresponds to the Entity to inform
 +
in accordance with the provisions of article 13 RGPD, a provision that does not establish, in
 +
none of its precepts, the obligation to identify neither the source nor the typology of
 +
the data. Only in the event that said treatment had been
 +
carry out, the Entity should have reported such extremes, since only in
 +
At that time, the provisions of article 14 RGPD would apply. Taking into account
 +
of the non-materialization of said enrichment, this information did not become
 +
transferred to the interested party, not appearing in EDP databases
 +
COMMERCIALIZADORA data unrelated to those that have been provided or generated
 +
on the occasion of the contractual relationship between the parties. In addition, it must
 +
It should be noted that, in the event of obtaining data from
 +
a third party, would be the one who, in his capacity as transferor of the data, would be obliged to
 +
legitimize the communication of the data on the basis of the consent of the interested party,
 +
notwithstanding that EDP COMERCIALIZADORA would also do so, in compliance with its
 +
obligation of information once obtained data from a third party of
 +
in accordance with the provisions of the RGPD. In this sense, this situation could only
 +
occur, in the event that the interested party himself, exercising his right to dispose of
 +
the data and with full awareness of it, would have expressed its authorization to
 +
that your personal data travel to another company, such as EDP
 +
COMMERCIALIZADORA, who could only make use of them, in the event of
 +
that he had also expressed his consent, by marking the
 +
box or express indication, indicating that "Yes" in case of
 +
by phone.
 +
On the other hand, in relation to the alleged accumulation of treatment purposes,
 +
by stating that the interested party would authorize the sending of advertising and, secondly, the
 +
use so that EDP COMERCIALIZADORA can assess the viability of the
 +
hiring by said user. In relation to this point, we must
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 33
 +
33/141
 +
state that the assessment made by the AEPD starts from an erroneous premise, by
 +
consider that they are two differentiated treatments, in a case in which
 +
it is clear that it is a single purpose, such as the generation of a profile
 +
commercial, whose use is limited to two contexts linked to each other: (i) the first,
 +
to carry out the assessment of the possibility of hiring and, (ii) the second, to
 +
issue the corresponding commercial offers to the user in question. Thus,
 +
both assumptions are necessarily interrelated, since there is no
 +
He doubts that it would make no sense to design a customer profile, based on the data
 +
provided by the user and those derived from the service provided, for the remission of a
 +
commercial offer that was sent to an interested party who did not meet the parameters
 +
Entity internal to carry out a contract at the time of your request.
 +
In relation to this aspect, it is well known by this company that the RGPD requires
 +
that the consents that are collected are specific, as well as
 +
unanimous criterion of the control authorities to point out that the grouping of purposes
 +
related to each other, as would happen in this case, has full place in said
 +
concept, without such grouping giving rise to the consideration, per se, that it has not been
 +
specifically obtained consent. In this area, the approach
 +
on which the AEPD sustains the breach attributed to EDP
 +
COMMERCIALIZADORA, obviates the regulation established by the LOPGDD, in which
 +
Article 6.2 states that: “2. When it is intended to base the treatment of the data on
 +
the consent of the affected party for a plurality of purposes will require that
 +
It is specifically and unequivocally stated that said consent is granted to
 +
All of them." In light of the above, there is an evident specific regulation that
 +
enables the grouping of purposes that the AEPD is now questioning
 +
As an additional matter, it is indicated by this Agency that the consent obtained
 +
It is not in accordance with the regulations, considering that it is not explicit, but
 +
obtained in the same way as a general consent, although there are no
 +
clearly identified the reasons why it would not meet the criteria
 +
issued. For these purposes, the inclusion of the analyzed consent is carried out in a
 +
separate context to the acceptance of the procurement itself, so that either
 +
It is collected in a box in those contexts in which there is documentary support
 +
for this, or in an informative locution that is read and that must be
 +
expressly ratified by the interested party to understand that it has been provided to
 +
In this regard, in the absence of clarity in the regulations on the ways that will allow
 +
determine that a consent deserves the consideration of explicit (understood
 +
as a reinforced consent to the one already required by the RGPD), in the aforementioned
 +
Guideline 5/2020 mentions several nuances that help in this clarification. From
 +
it is extracted that, in addition to meeting the requirements defined in the
 +
Article 7 GDPR, the validity of an explicit consent does not require the attention of
 +
exact requirements, being able to be valid both in written documents, as well as in
 +
telephone recordings. At this point, it is interesting to emphasize a question
 +
essential: although there is neither legal precept nor opinion from the authorities
 +
that clearly determine the requirements to consider that the
 +
The consent obtained is explicit, nor the differences that correspond to the
 +
“regular” consent, yes that is attributed to EDP COMERCIALIZADORA, since
 +
any other entities that act as data controllers, the work
 +
to define at their own discretion in which situations such requirement will be understood to have been fulfilled.
 +
Said casuistry cannot but cause serious legal uncertainty, which in the
 +
assumption that concerns us is not solved, not even with the foundation that
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 34
 +
34/141
 +
It is stated in the writing of the Agreement to Start the sanctioning procedure, since in
 +
At no time is it clearly stated which factor, element or action has not been
 +
executed by EDP COMERCIALIZADORA, to determine that its conduct has
 +
unlawful result and that deserves a sanction of such magnitude. According to
 +
this, the request to the client for an obvious action, such as the verbal indication that
 +
yes you consent or the marking of a box, the content of which clearly exposes the
 +
purposes for which the data will be used, which is unrelated to any other
 +
acceptance and that it is not subject to other purposes, should be considered as a
 +
explicit consent in order to comply with the obligation imposed by the
 +
data protection regulations. In view of the aforementioned extremes, EDP
 +
COMERCIALIZADORA complies with all the requirements
 +
legally required, from which it must necessarily be concluded that the work of the
 +
Entity to collect the consent of the client, explicitly, have been
 +
rigorously cared for. It is proof of this that, both in the telephone channels,
 +
such as those in which they are carried out in writing, obtaining consent
 +
is carried out differently from the contracting itself, it is stated that it is
 +
additional to it and it is understood collected, only, in cases in which the
 +
client ticks the box or clearly states that they consent. Of all this it does not fit
 +
rather than concluding that the consent collection process has been carried out at the
 +
light of the criteria required by the applicable regulations, being therefore adjusted to
 +
Right.
 +
This being the case, the process of obtaining consents that EDP
 +
COMERCIALIZADORA has been using it is not something new for the AEPD, who has
 +
had the opportunity to analyze it prior to the beginning of this file
 +
sanctioner, in those files (requests for information and / or
 +
sanctioning procedures) opened on the occasion of a claim of any
 +
Username. Within the framework of these, the AEPD had full knowledge of the process of
 +
contracting and the type of consents that were collected from the interested parties,
 +
as the contracts have been provided by EDP COMERCIALIZADORA as evidence
 +
compliance. Needless to say, the end result of both turned out to be that of
 +
file of the same (see claims with reference E / 00915/2019, which neither
 +
it was even admitted for processing, and file E / 02714/2019), without
 +
additional appreciations on compliance with regulations, which leaves no more
 +
to delve into the confusion that this part has in the face of the very serious accusations
 +
released on EDP COMERCIALIZADORA by this Agency.
 +
Additionally, and without prejudice to the arguments presented, the
 +
presumption made in the Agreement to Initiate Sanctioning Procedure, in which
 +
the assessment of the infractions is carried out taking as a premise a double
 +
attribution: (i) the first, derived from the absence of adequate information and, (ii) the
 +
second, as a consequence of the execution of a non-consensual treatment. To these
 +
effects, it should be noted that, even if it is considered that the information provided
 +
the interested party is deficient, this fact cannot lead to the determination of a
 +
infringement of article 6 RGPD, since the treatment that would be carried out takes
 +
as a starting point the adequate legitimizing base. As it is, the definition
 +
carried out by EDP COMERCIALIZADORA regarding the legal basis that would allow
 +
treat the data for the purposes that have already been mentioned, would strictly adhere to
 +
the corresponding legitimation. In other words, EDP COMERCIALIZADORA
 +
carry out the necessary actions to obtain the corresponding consent
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 35
 +
35/141
 +
of the interested party, giving him the possibility of granting it or not, on a voluntary basis,
 +
by marking the box provided or expressly indicating in the cases of
 +
that these are collected by means of a telephone call. For all this, it cannot
 +
conduct that could be legally reprehensible to EDP
 +
MARKETING COMPANY, taking into account that it has rigorously subscribed the terms
 +
required by the norm, when proceeding to request an action of will from the interested party
 +
express, free, unequivocal and not conditioned to another purpose. And for that reason it is not possible to impute to me
 +
represented the commission of any infraction of those typified in article 83.5.a)
 +
RGPD, in relation to its article 6.
 +
THIRD. - ALLEGED BREACH IN RELATION TO THE
 +
DATA PROCESSING RELATED TO AUTOMATED DECISIONS AND
 +
PREPARATION OF CUSTOMER PROFILES.
 +
Third, the Agreement for the Initiation of Sanctioning Procedure, establishes in its
 +
Legal Basis IV a series of alleged breaches related to the
 +
apparent lack of observance by EDP COMERCIALIZADORA of the
 +
obligations derived from the provisions of article 22 of the RGPD, relating to the
 +
consideration by the AEPD of the existence of an impediment, the
 +
obstruction or repeated non-attention to the exercise of the rights established in
 +
Articles 15 to 22 of Regulation (EU) 2016/679 in relation to decisions
 +
automated systems and the elaboration of customer profiles, typified in article 83.5.b)
 +
RGPD and, classified as a very serious breach for the purposes of prescription in the
 +
article 72.1.k) of the LOPDGDD. Specifically, the AEPD maintains that: 1) EDP
 +
COMERCIALIZADORA does not give users the possibility to exercise their right
 +
relative to not being the subject of automated decisions, as well as not granting the user the
 +
due information regarding this right, 2) The user is unaware of the possibility of
 +
refuse to take such decisions. In this way, the proposed sanction
 +
by the AEPD is based on the fact that the information that is provided by EDP
 +
COMERCIALIZADORA to the owners of the data is insufficient and imprecise, without
 +
damage that is recognized by the AEPD that EDP COMERCIALIZADORA
 +
facilitates and makes available to users documents with information related to the
 +
compliance with data protection regulations, both at the time of the
 +
hiring, as in durable support at the end of the hiring.
 +
First of all, regarding the information provided by EDP
 +
MARKETING COMPANY in relation to the legitimizing basis (consent in the
 +
case at hand) we must emphasize that the information that is provided to
 +
users regarding the treatments that, being additional to the contracting itself
 +
same, require the consent of the user, is duly provided to the
 +
users. Specifically, in the so-called Evidence 6 presented by EDP
 +
MARKETING COMPANY during the substantiation of the information file of which the
 +
This sanctioning file brings cause, it is reflected in the contract model
 +
supply the following boxes: "You can read the information regarding the treatment
 +
of your personal data on the back. ☐ I consent to the processing of my data
 +
personal once the contractual relationship has ended, to carry out
 +
commercial communications adapted to my profile of products and services related to
 +
energy supply and consumption. Likewise, I consent to the aforementioned treatments
 +
during the term and after the end of the contract, on products and services not
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 36
 +
36/141
 +
energy, both from EDP Group companies and from third parties. ☐ I consent to the
 +
treatment of my personal data for the elaboration of my commercial profile with
 +
information from third party databases, for adoption, by
 +
EDP, of automated decisions in order to send commercial proposals
 +
personalized, as well as to allow, or not, the hiring of certain
 +
services "In this case, and expanding information regarding the processing of data
 +
of the users in the general conditions, we find the following information;
 +
“As long as the client has explicitly accepted it, their personal data will be
 +
treated, even once the contractual relationship has ended and provided that there is no
 +
produces opposition to said treatment, for: (I) The promotion of services
 +
financial, payment protection services, automotive or related and electronics,
 +
own or third parties, offered by EDP and / or participation in contests
 +
promotional, as well as for the presentation of related commercial proposals
 +
to the energy sector after the end of the contract, (II) The elaboration of profiles
 +
Customer's commercial data by aggregating third-party databases, with
 +
in order to offer the Client personalized products and services, thus improving the
 +
customer experience, (III) The adoption of automated decisions, such as
 +
allow the contracting, or not, of certain products and / or services based on the
 +
Customer profile and particularly, in data such as the history of defaults, the
 +
hiring history, permanence, locations, consumption data, types of
 +
devices connected to the energy network, and similar data that allow to know
 +
the risks associated with contracting in greater detail. (IV) Based on the
 +
results obtained from the aggregation of the indicated data, EDP may carry out
 +
personalized offers, and specifically aimed at achieving the hiring of
 +
products and / or services of EDP or third-party entities depending on whether the client thus
 +
has consented or not, being in any case processed data whose antiquity does not
 +
will exceed a year. In the event that said process was carried out in a
 +
automated, the customer will always have the right to obtain human intervention by
 +
part of EDP, admitting the challenge and, where appropriate, evaluation of the decision
 +
resulting.
 +
From these fragments, it can only be concluded that (i) both for the elaboration of
 +
profiles, such as for data processing adopting automated decisions EDP
 +
COMERCIALIZADORA requests the explicit and specific consent of the user, without
 +
that automated decision-making can be construed to be dealt with under
 +
another legitimizing basis, as well as that (ii) the information related to the preparation of
 +
profiles and automated decisions, complies with the requirements of article 13 of the
 +
RGPD, since it informs about the existence of automated decisions, including the
 +
profiling and provides meaningful information on the applied logic, as well as
 +
such as the importance and expected consequences of such treatment for the
 +
interested . For all this and taking into account the first aspect raised by the
 +
AEPD regarding the alleged breach committed by EDP COMERCIALIZADORA
 +
in relation to the information provided to users to obtain the
 +
specific consent, there is no interpretation regarding the lack of
 +
information and confusing treatment by EDP COMERCIALIZADORA, which
 +
includes the information corresponding to the specific treatments, facilitating all the
 +
information required in the RGPD.
 +
Second, in relation to the information provided to the owners of the data
 +
Regarding the exercise of rights, it should be noted that EDP
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 37
 +
37/141
 +
COMERCIALIZADORA expressly informs users in the information that
 +
facilitates your specific right to “object” to “decision-making
 +
automated data processing, requiring human intervention in the
 +
process, as well as to challenge the decisions that are finally adopted by virtue of
 +
of the processing of your data ”In this sense, the AEPD considers that EDP
 +
COMERCIALIZADORA fails to comply with its obligation to inform the owners of the data
 +
by the mere fact that the information provided does not appear, expressly and
 +
literal the right to "revoke consent", appearing in its place the verb that
 +
grants the right of the owners of the data to "oppose" to "the adoption of
 +
automated decisions of your personal data, requiring intervention
 +
human rights in the process, as well as to challenge the decisions that are ultimately
 +
adopted by virtue of the processing of your data ”. We are sure that the nuance
 +
semantic and technical associated with both verbs "opposition" and "revocation", both the
 +
experts that the AEPD has, such as its own that EDP has
 +
MARKETING COMPANY are able to differentiate them from each other, and determine that
 +
It deals with two legal concepts, but that Agency will also agree with us,
 +
than the average user (a concept widely used by that Agency throughout
 +
throughout the procedure that concerns us) will hardly be able to differentiate
 +
concepts. In the present case, what is really important is the effect that
 +
in practice it has the user's request, which, ultimately, is the one that is relevant
 +
for the owner of the data, and that generates positive or negative effects on their rights
 +
fundamental, this being what the RGPD really protects, and not the use of
 +
one verb or another, even more so when they can be used as synonyms.
 +
In this case, the only thing that is intended to be used in the information provided to the
 +
users the term "opposition" with respect to automated decisions, is to be able to
 +
provide the user with a clear, concise and transparent understanding of the information that
 +
is made available to you, and facilitating, in the event that the request of said interested party
 +
conforms to the regulatory requirements, the exercise of the different
 +
Rights. Thus, according to the definition contained in the Dictionary of the RAE, revoke
 +
means "to leave without effect"; and oppose, “put something against something else to prevent its
 +
effect ”, so except for those who have knowledge in the matter and
 +
can appreciate the nuance that differentiates one and the other, the truth is that, for the purposes of
 +
most of the population, both terms would be synonymous and would suppose, in the
 +
practice, the same.
 +
Without prejudice to all the above, we must highlight, by the
 +
relevance that this has in this allegation, the information contained in Clause 16
 +
of the General Contracting Conditions, relative to data protection. On
 +
said clause, in the section corresponding to "Rights of the owner of the data"
 +
makes express reference to the possibility of revoking the consent that previously
 +
have granted, thus, it is expressly indicated “(VII) Withdraw, at any time,
 +
the consents granted ”.
 +
It refers to its internal procedure, and states that therefore, not only the
 +
Users are informed at all times of the possibility of revoking the
 +
consents granted, but that EDP COMERCIALIZADORA itself, as
 +
internal procedure and in order that those in charge of managing the
 +
applications have the necessary knowledge in relation to the different
 +
possibilities, expressly express said right, regardless of the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 38
 +
38/141
 +
technical term used, since the main purpose is to inform and that the user
 +
know the possibility of not being the subject of automated decisions. Thus, the
 +
internal procedure referenced above even includes models of
 +
answer to be able to attend in general, the different requests. All of it,
 +
Without prejudice to the fact that each of the requests is treated in a particular way and in accordance with
 +
specific circumstances affect the specific case, and it is necessary to
 +
adaptation of said response model depending on the specific casuistry of
 +
every request. The procedure related to the management and
 +
answer to the exercises of rights.
 +
In view of the above, the AEPD attends to the lack of knowledge of the average user,
 +
as an argument to consider the informative clauses as not very transparent,
 +
This aspect, however, considers it to be substantially essential since it only relates
 +
as a valid exercise the opposition of the interested party. Taking into account that the right
 +
related to not being the subject of automated decisions is collected with
 +
independent and express nature in the general contracting conditions,
 +
requiring, where appropriate, the explicit and specific consent of the user, and
 +
being the same duly informing in a specific way, as
 +
is justified in the evidence provided, as well as the possibility of opposing
 +
to be subject to automated decisions, it is surprising to say the least that the
 +
AEPD considers that EDP COMERCIALIZADORA does not comply with article 22 RGPD
 +
for not offering the client the possibility to literally "revoke consent", it is
 +
that is to say, strictly formal and semantic aspect, that an average user without
 +
knowledge of the subject does not have the ability to understand the difference with the
 +
word "opposition", understanding that Agency that it is not valid to report the
 +
possibility of "opposing", as a synonym, to said treatment, which is what
 +
effectively carried out by EDP COMERCIALIZADORA .
 +
In line with the above, it should be noted that EDP COMERCIALIZADORA, in
 +
no case has denied the exercise of rights that have not been
 +
requested / drawn up with a precise character, directing the request to the
 +
user, so that it can be resolved effectively, satisfactorily and without
 +
procrastination.
 +
Likewise, as has already been stated in previous points, in relation to the
 +
automated decisions, the client is offered the possibility of obtaining intervention
 +
human rights, admitting challenge and, where appropriate, assessment of the resulting decision,
 +
reason why, in addition to informing about the possibility of not being the subject of
 +
automated decisions, the client is empowered as an alternative to intervene
 +
human. For all the above, it cannot be reasonably interpreted that the owner of the
 +
the data may, even remotely, ignore the possibility or right to
 +
that your data are not subject to automated decisions, nor that EDP
 +
COMMERCIALIZER places limitations, or does not make available to said
 +
interested parties the necessary mechanisms to be able to make the request, being able in
 +
any time to "oppose" such treatment, or rather, "revoke" the
 +
consent given for the adoption of such decisions, as well as to request
 +
human intervention, which on the other hand, in the case of EDP COMERCIALIZADORA
 +
always occurs, because although the consultation of the information is automated,
 +
the final decision is made by an employee after analyzing its content. I know
 +
provides as Annex 4, by way of example, exercises of the right of opposition and of
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 39
 +
39/141
 +
revocation of consent that has been processed during the last year, to the
 +
effects that the AEPD can know, first hand, what type of rights are
 +
exercised by the holders, in what modality they are received, as well as specifically
 +
how they are properly cared for by EDP COMERCIALIZADORA.
 +
For the sake of completeness and in order to address the true scope of the alleged
 +
infringement, despite the fact that EDP COMERCIALIZADORA includes the possibility of
 +
perform profiling and make automated decisions, the only profiling performed, is
 +
that relating to the rating of customers in the area of ​​fraud prevention,
 +
treatment for which there is legal authorization and is based on the interest
 +
legitimate of EDP COMERCIALIZADORA, in order to safeguard the good
 +
future of the contracts made by EDP COMERCIALIZADORA, as well as
 +
prevent customers, whose sole purpose is to consume the energy service without paying
 +
invoices, become part of the customer portfolio. Without prejudice of the previous,
 +
data holders are informed that said profiling is reviewed and processed
 +
finally by EDP COMERCIALIZADORA staff, which is why they cannot
 +
be considered as an automated decision in itself, taking into account in this
 +
meaning to the literal wording of the concept established by the authorities. In other words,
 +
nor is there any data processing based on automated decisions, nor is there
 +
any manifestation about said treatments, since outside of the strictly
 +
necessary to continue with the service and those provided by law, are not
 +
carried out, which is why, not only can it not be considered that there are
 +
non-compliance with article 22 of the RGPD, as the requirements are met
 +
collected by the regulations, but there are not, nor can there be data owners who
 +
may have been affected by said treatments, so we refer to the
 +
broad jurisprudence previously enunciated in this section as it is fully
 +
application to the case at hand.
 +
This is enough so that there is no basis whatsoever in order to impute to my client
 +
any infringement of those typified in article 83.5.b) RGPD in relation to your
 +
cited Article 22, however, for dialectical purposes and in the unlikely event that
 +
If the commission of said infringement could be considered proven, we state what
 +
follows in relation to the amount of the sanction provided for said alleged infringement
 +
in the Agreement to initiate the sanctioning procedure.
 +
Thus in relation to the quantification of the specific sanction for the alleged
 +
breach of article 22 RGPD, after assessing the aspects set out in the
 +
this section, and taking into account the evaluation criteria set out in the RGPD
 +
employees to graduate the alleged offense, it must be said first, that in
 +
its writing, the AEPD limits itself to stating some aggravating factors that it considers
 +
application, without deploying the slightest foundation activity of why, what
 +
that apart from assuming a total lack of motivation, implies an added difficulty to the
 +
EDP ​​COMERCIALIZADORA's right of defense.
 +
Notwithstanding the foregoing, the criteria by which the
 +
understands that the aggravating factors considered by the AEPD would not concur in this case
 +
concrete, beyond the fact that, how it has been justified, there is no breach of its
 +
obligations on the part of EDP COMERCIALIZADORA, to the extent that no
 +
produce normative-type requirements, insofar as EDP
 +
COMERCIALIZADORA does not carry out the treatment object of the sanction, this being a
 +
indispensable requirement so that the application of the sanction can be accommodated. After
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 40
 +
40/141
 +
assess the aspects set out in this section, and taking into account the criteria
 +
evaluators listed in the RGPD;
 +
"The nature, severity and duration of the offense" taking into account the same
 +
criterion “the nature, purpose of the treatment operation in question as well
 +
such as the number of interested parties affected and the level of damages that
 +
have suffered; " As stated in this section, the information
 +
provided to users does not constitute an infringement, since there is no breach by
 +
part of EDP COMERCIALIZADORA, being even more decisive than the
 +
number of people affected by the treatments related to profiling and the adoption of
 +
automated decisions, is void and therefore the damages that may have
 +
caused, they are non-existent. Likewise, by not supposing an illegal act, or having
 +
materialized it is not possible that it has been delayed in time, reason
 +
by which, and taking into account the specific circumstances, when qualifying the
 +
The potential administrative fine to be imposed would be a mitigating criterion.
 +
In any case, it should be remembered that in order to qualify as aggravating the
 +
damages caused to those affected, in addition to materializing, the same
 +
must be accredited and demonstrated, an aspect that in no case has been
 +
proven, nor exposed in the Agreement to Initiate Sanctioning Procedure.
 +
"The intentionality or negligence appreciated in the commission of the offense;" Just like
 +
It is clear from these allegations, neither EDP COMERCIALIZADORA has had
 +
any intention to infringe data protection regulations, or to cause damage or
 +
harm to any user, nor has there been any negligence in their actions. A major
 +
abundance, there is no evidence that negligence may exist and much
 +
less an intention on the part of EDP COMERCIALIZADORA, reason for the
 +
which, the potential applicable sanction should be reduced.
 +
“The high link between the activity of the offender and the treatment of
 +
personal information;" EDP ​​COMERCIALIZADORA's main activity is not based on
 +
in the processing of personal data, but in the energy supply,
 +
assuming the link of the activity with the performance of the treatment in
 +
question, minimal. Reason why, said aspect would appear as mitigating,
 +
reducing the potential applicable sanction.
 +
"The continuing nature of the offense;" "High volume of data and treatments
 +
which constitutes the object of the file; " and "High number of interested parties;" As
 +
that in other criteria indicated individually, these three criteria are
 +
subsumed with the one raised in the first place, and proceeding from article 83.2 a) of the
 +
RGPD, so its evaluation must be carried out jointly with the indicated one and, therefore
 +
Therefore, do not suppose an additional aspect to the one mentioned for the calculation of the potential
 +
applicable sanction.
 +
In order to complete the evaluation criteria, it is worth mentioning the
 +
following:
 +
“C) any measure taken by the person in charge of the treatment to
 +
mitigate the damages suffered by the interested parties; " As it has been
 +
accredited, the internal procedures under which EDP operates
 +
COMMERCIALIZADORA, both in relation to the exercise of rights, the protocol of
 +
performance relative to the user's rating for the purposes of preventing
 +
fraud, collect the fundamental characteristics to attend to all types of exercise
 +
rights and the characteristics related to the assessed qualification treatment of the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 41
 +
41/141
 +
user for the necessary fraud prevention. For all this, taking into account
 +
Note that these procedures are part of the measures and proactive attitude of
 +
EDP ​​COMERCIALIZADORA, in no case could the omission of actions be interpreted,
 +
nor passivity of EDP COMERCIALIZADORA.
 +
“E) any previous infringement committed by the person in charge or the person in charge of the
 +
treatment;" It should be noted that EDP COMERCIALIZADORA has not been
 +
claimed, nor has he been a subject sanctioned by said precepts at any time, for
 +
what there are neither procedures nor previous sanctions, what is more, as we have already
 +
exposed in previous points, EDP COMERCIALIZADORA has been implementing
 +
new measures to alleviate any potential compromised situation, acting
 +
always diligently.
 +
In this case, it is not only the rationale set out in the Agreement of
 +
Start to interpret infringement of article 22 of the RGPD -related to decisions
 +
individual automated data, including profiling, but rather the amount
 +
proposed for the alleged infringement, which amounts to 1,000,000 euros, is the point
 +
that has surprised this part the most. All this because:
 +
1) EDP COMERCIALIZADORA has not been sanctioned, has not been involved in
 +
any procedure for infringement of article 22 of the RGPD nor has received
 +
any claim in relation to an alleged infringement of this precept,
 +
2) in the history of procedures published by the AEPD itself, there are no
 +
sanctions covered by the breach of the aforementioned normative precept.
 +
In other words, not only is there no precedent to which EDP has been a part
 +
TRADING COMPANY, but there are also no prior sanctions by the
 +
Control Authority that have been based on the violation of article 22 of the RGPD.
 +
Therefore, the fact that the offense is considered very serious and the sanction
 +
proposed amounts to this high amount, requires that it be substantiated with
 +
exhaustive character, since it escapes any criteria followed so far
 +
by the AEPD.
 +
f) the degree of cooperation with the supervisory authority in order to remedy the
 +
infringement and mitigate the possible adverse effects of the infringement; Since the beginning of
 +
informative file that causes this EDP procedure
 +
COMERCIALIZADORA has acted collaboratively and proactively, contributing in
 +
at all times the information and documentation requested by the AEPD in time and
 +
shape. Reason why, this aspect would appear as mitigating, reducing the
 +
potential applicable sanction. Finally, and by way of conclusions, in the Agreement of
 +
Initiation is neither duly substantiated, nor motivated in accordance with the provisions of
 +
regulations, the decision to impose an administrative fine, much less, a
 +
fine with the proposed amount, as well as not considering EDP
 +
MARKETER as the infringing party of the claims included in the
 +
Agreement, since as we have indicated in this section, the arguments
 +
by the AEPD to sanction under the legal precept contained in article 22 of the RGPD
 +
and 72.1 k) of the LOPDGDD, are not given.
 +
In this sense, in addition to informing in accordance with the applicable regulations, and granting
 +
also to users the possibility of exercising their rights, EDP
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 42
 +
42/141
 +
COMERCIALIZADORA does not carry out treatment based on decisions
 +
automated outside of what is strictly necessary to carry out the prevention of
 +
fraud. Reason why, neither the alleged offense has been committed, nor are there
 +
sufficient arguments to consider the precepts mentioned in the
 +
this section. Furthermore, throughout this procedure the
 +
existence of infringement due to breach of article 22 RGPD, nor has
 +
fully grounded the severity, nor the criteria that allow setting such
 +
high amount of sanction to the present assumption.
 +
FOURTH.- ALLEGED BREACH IN RELATION TO THE DUTY OF
 +
TRANSPARENCY.
 +
The AEPD, in its Agreement to Initiate Sanctioning Procedure, attributes to EDP
 +
TRADING COMPANY the violation of Article 13 of the RGPD, assuming a
 +
breach of the duty of information that is its own as responsible for the
 +
treatment, typified in article 83.5.b) and classified as mild for the purposes of
 +
prescription in article 74.a) of the LOPDGDD. Specifically consider the
 +
existence of said infringement due to:
 +
1) lack of information to interested parties about the possibility of accessing information
 +
enforceable in article 13 of the RGPD.
 +
2) the web address provided does not lead directly to the required information
 +
in accordance with article 13 of the RGPD, without allowing immediate access to the
 +
information, nor is access easy for anyone. EDP
 +
COMMERCIALIZADORA has no choice but to state, again, and as it has
 +
fact and demonstrated in the rest of the alleged breaches alleged by this
 +
Agency, which cannot share the appraisals made by the AEPD, so
 +
The reasons why you understand that effectively,
 +
EDP ​​COMERCIALIZADORA fully complies with the requirements of the
 +
data protection regulations in terms of transparency in relation to the
 +
information provided to the holders of personal data in the processes of
 +
hiring.
 +
Regarding the CAC inbound channel, on which it is stated that the information
 +
provided is incomplete, it should be noted that in the case of incoming calls there is at the
 +
the call starts, before the recording starts - and regardless of the
 +
management that the person who calls the customer service department of the
 +
entity-, a telephone announcement where information is provided, among other aspects, of the
 +
rights that assist data subjects, as well as where to find information
 +
additional, so that users receive this information whenever they call,
 +
which not only means that this information is provided to them in the call in which they go
 +
to carry out the contracting of the supply, but also when they are already customers and are going to
 +
carry out any procedure (either a consultation, request a change of power,
 +
make a payment, request a fractionation or file a claim).
 +
In this sense, it should be noted that the RGPD itself expressly provides in its
 +
point 13.4 that: “The provisions of paragraphs 1, 2 and 3 will not be applicable
 +
when and to the extent that the interested party already has the information ”. Therefore,
 +
customers receive all the required information in a first layer of information
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 43
 +
43/141
 +
verbal, which can be completed by accessing the EDP COMERCIALIZADORA website or
 +
either directly in the call itself, depending on the management that is carried out.
 +
Thus, this information is provided in layers, distinguishing on the one hand the layer
 +
1. “This call can be recorded. The data you provide us will be processed by
 +
EDP ​​Energía, SAU and / or EDP Comercializadora, SAU to manage your request
 +
or query. You can exercise the rights of access, rectification, deletion, opposition,
 +
limitation and portability at any time. See the Privacy Policy at
 +
our website edpenergia.es or press 0 "
 +
And on the other, layer 2, which collects the information in a more detailed way, which is activated
 +
automatically if the user dials 0, following the prompts
 +
of the first layer: "The use of this TELEPHONE CHANNEL does not oblige the user to
 +
provide any information about yourself. However, to use certain
 +
services or access certain content, users must provide
 +
previously some personal data. In the event that the user provides
 +
personal information, we inform you that the data will be processed by
 +
EDP ​​Energía, SAU and EDP Comercializadora, SAU, with registered office in Oviedo,
 +
Plaza del Fresno 2, 33007 and NIF A33543547 and A95000295 respectively, in
 +
hereinafter "EDP", as data controllers, as established by the
 +
General Data Protection Regulation ((EU) 2016/679), hereinafter "RGPD", and
 +
its implementing regulations.
 +
Specifically, your data may be processed, when the user so requests, to
 +
manage the attention and follow-up of requests and inquiries directed through the
 +
website, as well as for conducting surveys and participating in sweepstakes,
 +
games and promotions. The data requested will be mandatory and limited to
 +
those necessary to proceed with the provision and / or management of the requested service, which
 +
You will be conveniently informed at the time of collecting your data from
 +
personal character. In case of not providing them or not providing them correctly, you will not be
 +
may provide the service.
 +
In these cases, the user guarantees that the personal data provided is
 +
truthful and is responsible for communicating any changes to them.
 +
In the case of the procedures processed through the TELEPHONE CHANNEL and the registration
 +
In it, the data processing carried out is based on the relationship
 +
legal derived from your request.
 +
The processing of data for conducting surveys is based on legitimate interest
 +
of EDP in order to improve the quality of the services provided to customers and / or
 +
users, being able to oppose said treatments at any time, without
 +
This affects the legality of the treatments carried out previously.
 +
In no case may they be included in the forms contained in the CHANNEL
 +
TELEFONICO personal data corresponding to third parties, except
 +
that the applicant had previously obtained his consent in the
 +
terms required by article 7 of the RGPD, responding exclusively to the
 +
breach of this obligation and any other in terms of character data
 +
personal.
 +
The personal data of the users registered on the website may be transferred to
 +
the Public Administrations that by law correspond, to other companies of the group
 +
business for internal administrative purposes, and to the suppliers of the person responsible
 +
of the treatment necessary for the adequate fulfillment of the obligations
 +
contractual.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 44
 +
44/141
 +
Personal data will be kept for the duration of your contract of
 +
supply with EDP, in all other cases, during the time necessary to answer the
 +
your requests or to analyze the content of your responses to surveys. A
 +
Once the contractual relationship has ended, their requests answered or their
 +
responses, as appropriate in each case, your personal data will be erased,
 +
keeping the rest of the information anonymized solely for the purposes
 +
statistics. Notwithstanding the foregoing, the data may be kept for the period
 +
established to comply with the legal obligations of maintenance of the
 +
information and, at most, during the statute of limitations for legal actions
 +
corresponding data, and the data must be kept blocked during the aforementioned
 +
statute of limitations. After this period, the data will be deleted.
 +
In application of the provisions of article 32 of the RGPD, EDP undertakes to
 +
comply with the security obligations of the data provided by users,
 +
trying to establish all the technical means at its disposal to avoid the loss,
 +
misuse, alteration, unauthorized access and theft of the data that the user provides to
 +
through it, taking into account the state of technology, the nature of the data
 +
facilitated and the risks to which they may be exposed. Without prejudice of the previous,
 +
the user must be aware that the security measures in the CHANNEL
 +
TELEPHONE are not impregnable.
 +
EDP ​​will treat the user's data confidentially, at all times, keeping
 +
the mandatory duty of secrecy regarding them, in accordance with the provisions of the
 +
applicable regulations.
 +
The user can exercise their rights of access, rectification, deletion, opposition,
 +
limitation and portability, as well as the revocation of the consents granted
 +
previously, in the legally established terms, communicating it in writing to
 +
EDP, at the following address: LOPD Communication Channel, Plaza del Fresno, nº2,
 +
33007 Oviedo. Likewise, you can exercise these rights by sending an email
 +
email with your personal data to cclopd@edpenergia.es. In both cases
 +
You must attach a photocopy of the holder's DNI or document that proves your
 +
identity. Likewise, you can contact the Delegate for the Protection of
 +
EDP ​​data, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or at
 +
the email dpd.es@edpenergia.es, in the event that you understand violated
 +
any of your rights related to data protection, or where appropriate,
 +
file a claim with the Spanish Data Protection Agency in the
 +
Address Calle de Jorge Juan, 6, 28001 Madrid "
 +
Next, it is indicated by that Agency that “The provisions in
 +
Article 11.1 of the LOPDGDD in the other two telephone channels (Telemarketing and
 +
Leads), nor is the interested party informed that they can access all the information required
 +
in accordance with article 13 RGPD at the indicated email address ”. However,
 +
Such statement is made after reproducing the AEPD the texts in which the
 +
clients of the identity of the person responsible for the treatment, the purposes of the treatment,
 +
as well as the rights that they can exercise and the web where to obtain information
 +
additional. Therefore, it does not seem that such a statement corresponds to the reality of the
 +
facts, so we understand that the Agency will be pleased to modify and eliminate this
 +
alleged breach in its resolution proposal writing.
 +
The analysis continues, referring to the general conditions of
 +
contracting to which the information is sent, indicating that those hosted on the web
 +
they are not easily accessible. In this regard, it is interesting to specify that:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 45
 +
45/141
 +
1) Article 11 of the LOPGDD refers to the fact that this information must be provided to the
 +
interested party "indicating an electronic address or other means that allows access from
 +
simply and immediately to the rest of the information ”and that, in this case, as stated
 +
informs the interested party in the locution, after contracting a copy of the
 +
contract in which, obviously, the general contracting conditions are included,
 +
therefore, direct access to said information is provided. Complementarily,
 +
this information is available on the web at all times.
 +
2) Faced with the alleged difficulty alluded to by the AEPD to find the aforementioned
 +
general conditions contrasts the fact that, as exemplified, a simple
 +
search to access them directly, using the search engine
 +
available on the website. Searching for "contracting conditions"
 +
or “general contracting conditions”, the first results are published
 +
documents related to the general contracting conditions that are of
 +
application both in Spanish, in Galician, in Catalan, and in Basque, leaving
 +
clearly identified the documentation that refers directly to the document
 +
in PDF format, as evidenced in the following address:
 +
https://www.edpenergia.es/resources/doc/comercial/2019/09/10/condicionesgenerales-
 +
de-contratacion.pdf
 +
3) Regarding the fact that it is “required to search in the general conditions (which
 +
include numerous aspects related to contracting) the information related to the
 +
data protection ”, it must be made clear that the general conditions
 +
are composed of four pages, of which practically one of them is
 +
is exclusively dedicated to providing information on the treatment of
 +
personal data made by EDP COMERCIALIZADORA, as we are
 +
insurance that the AEPD has been able to verify during the procedure for preparing
 +
your writing of proposal of sanction.
 +
In relation to this alleged non-compliance, it is worth mentioning the guidelines
 +
facilitated by the Article 29 Working Group, in which it recommends including the
 +
access to information related to the processing of personal data through
 +
of means in which the interested party can immediately recognize where and how
 +
access this information, (direct links or in the form of an answer to a question
 +
in natural language, in the frequently asked questions section, or pop-up windows).
 +
However, it also states that "depending on the circumstances of the collection
 +
and data processing, a data controller could be obliged to
 +
use additionally. […] ”. Other possible ways of transmitting the information to the
 +
Interested parties derived from the following environments other than personal data could
 +
include the following modes, listed below, applicable to the
 +
relevant environments. a) On paper, for example, when entering into contracts by means
 +
postcards: written explanations, brochures, information in contractual documents,
 +
cartoons, infographics, or flow charts; b) By phone: explanations
 +
verbal words directly from one person to allow for conversation and
 +
answer to questions, or automated or prerecorded information with the possibility of
 +
hear more detailed additional information;
 +
The Article 29 Working Group solely and exclusively provides this information to
 +
recommendation mode, without in any case being considered a bad practice,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 46
 +
46/141
 +
nor of course a regulatory breach the fact of making the publication to
 +
through a simple method that, taking into account that the service requires the
 +
conclusion of a contract, the essential method and format and therefore that prevails in this
 +
This assumption is the same as indicated in the GT29's own guidelines, through the
 +
medium in paper and telephone support. All this, without prejudice to keeping accessible
 +
through the web for all those interested who decide to carry out and attend the
 +
content in an intuitive and simple way and without prejudice to the obligation to deliver in
 +
durable support all the contractual information both with the previous information, as
 +
with the contract itself. In this sense, we can see that the possibility of
 +
linking "immediately" is susceptible to being interpreted.
 +
The AEPD itself on its website makes it the interested party who must "hit" or
 +
"Find out" which of the treatments included in the registry of activities of the
 +
entity are the ones that really affect their relationship with the AEPD, since the
 +
purposes are included within the description of each of them and not in the
 +
privacy policy accessed.
 +
Regarding the identity of the person responsible for the treatment, the
 +
information already provided after the request for additional information of June 3,
 +
2020 in which EDP COMERCIALIZADORA was required, for this purpose, within the
 +
Information Request E / 05549/2019 in which it was explained that the fact of
 +
that information from both entities is included is because it is not possible to know
 +
form prior to contracting the services that will be requested by the interested party (gas
 +
I electricity) nor, therefore, by which of the companies they will be provided, so
 +
This can only be specified when said services are identified by the
 +
own customer. highly probable that the same client when requesting the hiring of the
 +
electricity and gas supply, is contracting with both companies.
 +
For this reason, the so-called “dual” contract of
 +
way that a client can obtain discounts or additional advantages for the fact of
 +
contract both energies with two companies of the same business group, and in order to
 +
keep discounts on each energy (electricity and gas) up-to-date
 +
and derived information, it is necessary for both companies to know if energy
 +
initially contracted with the other Group company remains active in order to be able to
 +
maintain and correctly manage the discounts / benefits applied.
 +
Consequence of the foregoing, the clause on data protection informs
 +
that the personal data provided during the hiring process may be
 +
treated by only one of the entities or both entities, depending on the type of
 +
energy services that are contracted. Therefore, there is no inconcretion, but
 +
the explanation of who is the specific person responsible for the treatment in each case is
 +
It literally contains the first section of the contract, which identifies the
 +
parties, as stated in Evidence 6 provided in the response to the Request
 +
of Information made to this company during the processing of the aforementioned
 +
informative file of which the present sanctioning file brings cause: "The
 +
customer contracts, for the supply indicated, the supply of gas with EDP
 +
Comercializadora, SAU and the supply of electricity and / or services
 +
complementary with EDP ENERGIA, SAU, (hereinafter joint and / or
 +
individually, as appropriate, referred to as “EDP”) in accordance with the Conditions
 +
Specific that are collected below and the General Conditions in annex. "
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 47
 +
47/141
 +
Therefore, customers know which company will process their data depending on the
 +
requested supply (electricity or gas), something we understand fits perfectly
 +
clear and is derived from both the sales agents' explanations and the tenor
 +
literal of the first clause of the contract. In case of being both services, the data
 +
will be processed by both entities.
 +
To date, neither in the field of data protection, nor in relation to any of
 +
the regulations applicable to the regulated electricity or gas sectors, or the
 +
Regarding the defense of consumers, there has been no request for
 +
additional information, claim, or complaint in this regard, nor by the own
 +
consumers, nor by the multiple regulators that control and
 +
supervise the activity of trading companies, so it seems obvious
 +
that the information provided does not create problems for customers or other regulators
 +
of the country, more than the AEPD itself.
 +
Additionally, we reiterate two essential aspects in the sector's own operations
 +
in which EDP COMERCIALIZADORA carries out its activity, the exposure of which is
 +
contemplated in the information previously sent: 1) The existence of two
 +
companies within the Group with the role of trading entities is due to a
 +
merely formal matter, consequence of the corporate structure and composition
 +
shareholding of the companies acquired by the EDP Group at the time of its
 +
establishment in Spain, but that does not correspond to the operation
 +
operation of these marketers, since only one of them, EDP
 +
COMMERCIALIZADORA, currently has employees and capacity to
 +
management and operations. Thus, in practice, all treatments are
 +
carried out by said entity, either as data controller or as
 +
in charge of the treatment of EDP COMERCIALIZADORA.
 +
2) The EDP Group had planned the corporate reorganization of EDP
 +
COMERCIALIZADORA and EDP ENERGIA and the adaptation of their corporate structure
 +
with that of its actual operation and its business operations. This reorganization is
 +
has currently been affected by a TOTAL sale process in which both
 +
societies are immersed, and that, if materialized, could alter or terminate said
 +
integration.
 +
For all of the above, it understands that transparency is perfectly justified in
 +
in relation to how the information is provided, as well as the fact that it is
 +
perfectly understandable to the average customer.
 +
The AEPD continues its analysis referring to the purposes and legitimizing bases of the
 +
treatment. First of all, reference is made to those reported treatments
 +
whose legitimizing basis is the contract itself -existing contractual relationship- or the
 +
legitimate interest of the company.
 +
On this matter, it is stated that “It is not easy for anyone, without
 +
knowledge of data protection matters, differentiate which treatments
 +
derive from the contract and which are based on the legitimate interest of the person responsible ".
 +
This assessment is debatable, since it may be evident to anyone
 +
that treatments such as “manage, maintain, develop, complete and control the
 +
contracting supply of electricity and / or gas and / or complementary services of and / or
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 48
 +
48/141
 +
gas and / or complementary services of revision and / or technical assistance and / or program of
 +
points, and / or service improvement ”are closely related to the execution of the
 +
contract, the rest being assignable to legitimate interest. In this regard, we can
 +
contrast this information with that provided by the AEPD itself regarding its
 +
treatments when these have diverse bases of legitimation, as is the case of the
 +
called "HR Management", published on its website
 +
(https://www.aepd.es/es/laagencia/transparencia/otro-tipo-de-informacion/registro-
 +
activities-treatmentaepd / gestion-hr), in whose information it can be seen that
 +
various bases of legitimation are identified, without indicating what specific purpose it is
 +
refers to each one of them.
 +
Therefore, although this part has nothing to object about the fact that the AEPD's criterion
 +
may be a good practice regarding the level of transparency, it seems
 +
to consider the fact of not having reached this level of management of the
 +
information, cannot be considered a breach of the norm, especially if
 +
we take into account that not even the body that issues the guidelines
 +
transparency (and that he is now proposing a sanction of nothing more and nothing less
 +
than one million euros for this reason), has considered such a distinction necessary in its
 +
website, as has been duly evidenced.
 +
Regarding the alleged omission by EDP COMERCIALIZADORA
 +
to report "what is the legitimate interest attributed to the person in charge", must
 +
It should be noted that they are clearly exposed and put in relation to the
 +
pursued purposes, that is: fraud prevention and marketing, in
 +
regarding the sending of personalized commercial communications. In these cases
 +
it is obvious that there is an identification between the reported purpose and self-interest
 +
persecuted, so making a separate allusion to the latter would be redundant.
 +
Similarly, by way of illustration, it should be noted that the direct competitors of
 +
EDP ​​COMERCIALIZADORA uses information formulas similar to those of
 +
implanted in my client, with no known procedures to date
 +
against them
 +
On the other hand, the high number of requests for rights received on the channels
 +
willing to do so demonstrate that customers fully understand the content
 +
information and the rights that assist them, and are perfectly clear what
 +
is what they want to achieve with their request and EDP COMERCIALIZADORA, executes
 +
said requests in all cases, always with a marked character of
 +
compliance with the regulations and protection of the fundamental rights of
 +
users.
 +
Regarding the need to report on the weighting carried out for
 +
assess whether the legitimate interest is preponderant in this case, it is relevant to mean that
 +
These two assumptions have been addressed by the legislator himself, who in the
 +
Recital 47 of the RGPD expressly refers to the possibility of carrying out these
 +
treatments based on the legitimate interest of the person responsible for the treatment.
 +
Specifically, it provides that: "the processing of personal data
 +
strictly necessary for the prevention of fraud is also an interest
 +
legitimate of the person responsible for the treatment in question. Data processing
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 49
 +
49/141
 +
personal data for direct marketing purposes may be considered to be carried out by
 +
legitimate interest ”.
 +
The AEPD itself has also ruled on the latter in its report 195/2017
 +
stating that “if the data came only from the information that
 +
provided by the entity in relation to the products or services contracted by the
 +
client, without it being completed with the one originating from other different sources,
 +
certainly the conduct of the entity, consisting of conducting a profiling
 +
for the referral of offers of products or services to their clients, it would be
 +
less invasive of the rights and interests of the clients, being able in this case
 +
consider the applicability of the provisions of article 6.1 f) of the Regulation
 +
general of data protection ”.
 +
Therefore, in both cases the weighting of legitimate interest has already been
 +
carried out, both by the legislator, as well as by the Control Authority and, therefore, the
 +
reason given by the GT29 to recommend its publication so that those affected
 +
may file a claim with said authority when they “doubt whether the
 +
weighting test has been carried out fairly ”would be meaningless in this regard.
 +
case, having to raise said claim before the Court of Justice itself.
 +
Justice of the European Union, in order to examine the legality of the provision
 +
introduced in the RGPD, or where appropriate, before the control authority itself and / or
 +
competent national courts. In any case, GT29 itself identifies this
 +
possibility as a good practice and, as stated in the report itself, its
 +
The objective is “to indicate the approach that, in the opinion of the WG29, those responsible for
 +
treatment they must assume in terms of acting with transparency. It is not, for
 +
Therefore, of a legal obligation whose defective fulfillment may entail
 +
a sanction, as is already the case with many other issues that the AEPD is
 +
trying to sanction in this procedure, lacking the slightest principles of
 +
typification, guilt and proof, these facts that never cease to amaze us in what
 +
which we understand is an action that should be subject to compliance
 +
integrity and rigorous by the sanctioning Administration.
 +
The AEPD continues its analysis stating that the treatments for which it is requested
 +
consent, assessing that it is not easy for a person to understand
 +
no specialized knowledge. However, it offers no explanation for
 +
reach that conclusion (beyond a vague reference to the fourth point).
 +
Against the criteria of the AEPD, we understand that the information is given in a
 +
simple language, understandable for anyone. The information contained in
 +
This second layer must be related to the requested consents.
 +
The first consent says: “I consent to the processing of my personal data once
 +
once the contractual relationship has ended, to carry out communications
 +
commercial adapted to my profile of products and services related to the supply and
 +
energy consumption. Likewise, I consent to the aforementioned treatments during the
 +
validity and after the end of the contract, on non-energy products and services,
 +
both from EDP Group companies and from third parties. "
 +
In the second layer, this information is expanded indicating which are the sectors to be
 +
those belonging to third parties on whom communications can be sent "(I) The
 +
promotion of financial services, payment protection services, automotive or
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 50
 +
50/141
 +
related and electronic, own or third parties, offered by EDP and / or participation in
 +
promotional contests, as well as for the presentation of commercial proposals
 +
linked to the energy sector after the end of the contract. "
 +
As can be seen, not a single technical term is used to make it difficult to
 +
understanding of these texts, and the conditions of consent are fully
 +
clear.
 +
The second consent requested says: "I consent to the processing of my data
 +
personal data for the elaboration of my commercial profile with information from
 +
databases of third parties, for the adoption, by EDP, of decisions
 +
automated in order to send personalized commercial proposals, as well
 +
as to allow, or not, the contracting of certain services. "
 +
The second layer details the content of this consent, indicating: (II) the
 +
possibility of processing personal data of third parties to be added to your profile (III) the
 +
contractual information used by EDP COMERCIALIZADORA in the preparation
 +
of the profile (IV) the detail of the purposes of the aggregation of this information.
 +
Finally, the rights of the interested parties are informed in the case of
 +
that automated decision-making occurs in these processes. Therefore, the
 +
EDP ​​COMERCIALIZADORA's clear objective is to allow interested parties to have a
 +
detailed knowledge of the uses for which consent is requested, since there is no
 +
Will or any fraud to hide the information. Likewise, the AEPD points out that
 +
there is a lack of clarity in the information provided regarding the
 +
aggregation of third party information, by not distinguishing whether it refers to the purpose
 +
relating to point (II) (the possibility of processing personal data of third parties to be
 +
added to your profile) or to (III) (the contractual information used by EDP
 +
MARKETING COMPANY in the elaboration of the profile). In this regard, it seems obvious that
 +
the word aggregation is concise enough, and refers to the sum of both
 +
information. The word add is in common use in everyday life and, according to
 +
the RAE, means: "to unite or join some people or thing to others". In this case, the
 +
context it is clearly inferred that it would be a question of joining the data that EDP already has
 +
COMERCIALIZADORA, with which you could obtain from third parties.
 +
Beyond this, it is unknown what is the specific information whose understanding
 +
It can be complex, as no clarification is provided on this matter. EDP
 +
COMERCIALIZADORA has tried at all times to use clear language and
 +
understandable and there are no technicalities that can complicate the reading of the text, something
 +
It seems that now the AEPD, considers a negative action that penalizes the good
 +
faith of EDP COMERCIALIZADORA in relation to compliance with regulations.
 +
Finally, the AEPD refers to the information regarding the exercise of rights,
 +
with respect to which, as in the previous cases, it does not seem to be sufficient either
 +
for the AEPD the information provided in this regard. Thus, under the heading "Rights
 +
of the owner of the data ”EDP COMERCIALIZADORA informs that:“ The client will have
 +
at all times with the possibility of exercising freely and completely
 +
free the following rights: i) Access your personal data that are processed
 +
by EDP. ii) Rectify your personal data that are processed by
 +
EDP ​​that are inaccurate or incomplete. iii) Delete your personal data that are
 +
treated by EDP. iv) Limit EDP's treatment of all or part of its
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 51
 +
51/141
 +
personal information. v) Oppose certain treatments and decision-making
 +
automated data processing, requiring human intervention in the
 +
process, as well as to challenge the decisions that are finally adopted by virtue of
 +
of the processing of your data. vi) Port your personal data in a format
 +
interoperable and self-sufficient. vii) Withdraw at any time, the consents
 +
previously granted.
 +
In accordance with current regulations, the user can exercise their rights
 +
requesting it in writing, and together with a copy of a reliable accreditation document
 +
identity, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or at
 +
the email cclopd@edpenergia.es
 +
Likewise, you can contact the data protection officer of
 +
EDP, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or by mail
 +
electronic dpd.es@edpenergia.es, in the event that you understand that any of the
 +
your rights related to data protection, or, where appropriate, file a
 +
claim before the Spanish Agency for Data Protection at the address Calle de
 +
Jorge Juan, 6, 28001 Madrid. "
 +
The AEPD considers the mention made by EDP COMERCIALIZADORA insufficient
 +
regarding the possibility of opposing "certain treatments" without specifying
 +
one by one which treatments we are referring to, insofar as the AEPD
 +
states that “it must be clear to the interested party which are the treatments that
 +
they can be objected ”.
 +
This party does not share this assessment, since this supposed obligation that the
 +
AEPD highlights and seems to impose EDP COMERCIALIZADORA is not required by the
 +
RGPD, nor does it have any legal support, which as that Agency knows well is
 +
condition "sine qua non" to be able to sanction-
 +
. Moreover, and for the sake of completeness, this part would like to highlight again
 +
that the formula used by EDP COMERCIALIZADORA is precisely the
 +
recommended by the AEPD itself in its multiple guides and tools related to
 +
duty of information in accordance with the RGPD, and even on the AEPD's own website, something
 +
which, again, does not cease to surprise this part, since that Agency considers
 +
an infringement of the RGPD, proposing for said infringement a penalty of one million
 +
euros, for an alleged breach in relation to a certain practice that
 +
she recommends performing. Along these lines, it should be noted
 +
1) The Guide for the fulfillment of the duty to inform, in which the
 +
following example
 +
2) 2) The FACILITA Tool, of the AEPD, intended for entities to carry out
 +
the adequacy in accordance with the RGPD, including the informative clauses
 +
in accordance with applicable regulations (fictitious data have been included):
 +
3) Report on privacy policies on the internet. Adaptation to the RGPD, where
 +
the AEPD itself exposes as a valid example to adapt the policy of
 +
privacy to the GDPR.
 +
4) Privacy policy of the AEPD, does not collect the alleged information
 +
which is now required from EDP COMERCIALIZADORA, and includes formulas
 +
as "where appropriate"
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 52
 +
52/141
 +
Consequently, EDP COMERCIALIZADORA cannot be criticized for not including
 +
of information that is not even indicated as a good practice in the guides
 +
prepared for the adequate fulfillment of their obligations by the
 +
responsible for the treatment, and that neither the AEPD itself complies with its
 +
Privacy and other information clauses used on its website.
 +
Nor does it seem to make sense to refer to “It is imprecise to point out that the
 +
interested party can oppose the automated decision-making of their data
 +
personal ”. It is obvious that the information provided using the word "oppose" is
 +
understood as a right both when the treatment is legitimized in an interest
 +
legitimate as in a consent (in any case the possibility of
 +
object at any time to the consents granted). The proof is that
 +
When exercising their rights, the interested parties rarely use any of these
 +
terms and are limited to requesting the "unsubscribe" or directly request that they stop using their
 +
data for certain purposes, without using formalities as has been
 +
evidenced in this procedure through the contribution of innumerable examples.
 +
Additionally, this party is interested in showing once again that the AEPD
 +
has had the opportunity to analyze both the general contracting conditions,
 +
such as the information provided in the different contracting processes of which
 +
EDP ​​COMERCIALIZADORA has available during the different requirements of
 +
information and, where appropriate, sanctioning procedures that the AEPD has initiated until
 +
at the moment, without the AEPD having ruled on possible
 +
breaches of the duty of transparency, having proceeded to file the
 +
multiple files in which this documentation was subject to review by the
 +
AEPD.
 +
Therefore, having made this information known to the AEPD and
 +
having been analyzed by the latter, without having spoken out against the
 +
itself, EDP COMERCIALIZADORA continued to use these documents and
 +
procedures in the legitimate confidence that it was adjusted to the requirements
 +
normative, insofar as the AEPD, having access and first-rate knowledge
 +
hand in hand with these alleged breaches, he did not indicate at any time to EDP
 +
MARKETING COMPANY that there was any irregularity, now proposing a
 +
a penalty of one million euros for an alleged breach, of which he would have had
 +
knowledge years ago, but that he no longer considered not to sanction but not even
 +
advise EDP COMERCIALIZADORA. In this sense, it should be noted that the
 +
The purpose of this supervisory authority is none other than to guarantee compliance with the
 +
normative, so in the absence of legal justification that motivates the opening of
 +
Sanctioning Procedure on some aspects that were previously
 +
known and even subject to an archive, the subsequent
 +
imposition of a sanction of the amount that is exposed.
 +
As a conclusion of all the above, it cannot be interpreted that EDP
 +
COMERCIALIZADORA fails to comply with its duties set forth in article 13 of the
 +
GDPR.
 +
In relation to the weighting of the sanction proposed by the AEPD, as well as
 +
than in the previous points, after evaluating the aspects presented in the present
 +
section, and according to the evaluation criteria related by the AEPD, although,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 53
 +
53/141
 +
Without having justified the reason why they are included, the following are included
 +
comments regarding their possible attendance.
 +
"The nature, severity and duration of the offense" to which the RGPD itself
 +
continues with “taking into account the nature and purpose of the operation of
 +
treatment in question, as well as the number of interested parties affected and the level of
 +
the damages they have suffered; " As stated in the present
 +
section, the information provided to users complies with the legal requirements as
 +
throughout the entire hiring process and even afterwards, without therefore allowing
 +
interpret that there is a breach of EDP COMERCIALIZADORA. In addition,
 +
as has been reflected in the previous points, in order to qualify as
 +
aggravate the damages caused to those affected, in addition to materializing,
 +
they must be accredited, an aspect that has not been tested in the
 +
this Procedure.
 +
"The intentionality or negligence appreciated in the commission of the offense;" The
 +
alleged inaccuracies in the information provided by EDP COMERCIALIZADORA
 +
do not imply any breach of the regulations so, in any case, it could be
 +
recommended some improvement in the way it is expressed, but nothing more.
 +
The intention to inform those affected of all aspects has been proven
 +
related to the processing of your personal data in a transparent way, therefore
 +
that in no case is it possible to speak of intention to breach the norm or much
 +
Minus negligent or malicious behavior.
 +
“The high link between the activity of the offender and the performance of treatment of
 +
personal information;" As indicated, this is an ambiguous factor. It has to be taken into
 +
account of the great deployment of means carried out by EDP COMERCIALIZADORA
 +
to allow the information to be provided to all interested parties through all channels through
 +
which it is possible to collect personal data.
 +
"The continuing nature of the offense;" "High volume of data and treatments
 +
which constitutes the object of the file; " and "High number of interested parties;" As
 +
that in other criteria indicated individually, these three criteria are
 +
subsumed with the one raised in the first place, and proceeding from article 83.2 a) of the
 +
RGPD, so its evaluation must be carried out jointly with the indicated one and, therefore
 +
Therefore, do not suppose an additional aspect to the one mentioned for the calculation of the potential
 +
applicable sanction.
 +
"The condition of a large company of the responsible entity and its volume of business."
 +
As already stated, this is not an evaluation factor for the amount of the
 +
sanctions. Consequently, EDP COMERCIALIZADORA cannot be penalized for the
 +
compliance with its duty of transparency, far from it in the amount proposed
 +
in the Agreement for the Initiation of Sanctioning Procedure to which we reply in the
 +
present writing.
 +
FIFTH.- ON THE AGREEMENT TO START THE SANCTIONING FILE AND THE
 +
ASSESSMENT OF THE POSSIBLE PENALTY. LEGAL BASIS AND
 +
PROPORTIONALITY OF THIS.
 +
A. BREACH OF THE PRINCIPLE OF INTERDICTION OF ARBITRARITY .
 +
In relation to this principle we must attend to two specific questions:
 +
1) The recommendations and publications of the AEPD,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 54
 +
54/141
 +
2) The amounts of the sanctions that have taken place in previous cases
 +
Similar.
 +
First of all, certain practices recommended and even applied by the AEPD
 +
relating to the collection of consent and the information to be provided to
 +
interested parties, have served in this case to argue and motivate the alleged
 +
offenses committed by EDP COMERCIALIZADORA.
 +
These criteria are reflected both in the way of jointly compiling the
 +
purposes whose legitimating basis is the consent of the user, as stated
 +
in the Second Allegation, as well as in the presentation of the information related to the
 +
exercise of rights of the interested parties included in the Fourth Allegation. These
 +
aspects, which a priori the AEPD recommends and puts into practice, considering them
 +
examples that are adapted to the applicable regulations, are used as elements
 +
offenders to justify the alleged breach of different legal precepts by
 +
EDP ​​COMMERCIALIZADORA.
 +
All this and said in strict defense terms, not only implies that the AEPD
 +
considers insufficient what the Authority itself has incorporated into its clauses
 +
informative, thus resulting in insufficient information in accordance with the RGPD,
 +
rather, the fact of modifying the adopted criterion invalidating aspects without
 +
motivation, or any justification, implies a clear situation of legal uncertainty,
 +
contrary to the constitutional principle of prohibition of arbitrariness contained in the
 +
article 9.3 of the Spanish Constitution; principle that implies that the authorities do not
 +
can make arbitrary decisions, understanding by such, those that suppose a
 +
infringement of the principle of equal treatment of the administered before the application of
 +
the law and the objectively determined rules.
 +
Second, the amounts of the previous sanctions in cases of fact
 +
Similar are not comparable to the proposals in this case.
 +
Specifically, we must bring up the Penalty Procedure
 +
PS / 00097/2019, addressed to the entity of the same business group, EDP
 +
ENERGÍA, in which, after having analyzed the contracting system and the information
 +
provided to each of the intervening parties, both the representative and the
 +
represented, the file of the file is issued, thus validating all the
 +
documents that accompanied the procedure, that is, the related documentation
 +
to the hiring process.
 +
Likewise, it should be noted that, last March 2019, EDP ENERGIA, also
 +
received file of actions of the request for information E / 04707/2018,
 +
initiated after complaint filed by Mr. *** AAA . In this case, the AEPD resolves
 +
that it is not appropriate to process the claim received, considering, therefore, the
 +
contracting procedure and documentation provided, in accordance with Law.
 +
As in the first section of this point, the proposed sanctions, carried out
 +
Without motivation, or due justification, they go against legal certainty, a principle
 +
constitutional established in article 9.3 of the Spanish Constitution, as well as against
 +
the principle of legal foundation. In other words, any decision made by
 +
the AEPD must be objective, well-founded and typified.
 +
In this sense, it is worth mentioning the Judgment of the Supreme Court of the 3rd Chamber
 +
of the Contentious-administrative, Section 3, Judgment of May 13. 2015, Rec.
 +
28/2013, in which the interested party, appeals in cassation, stating among others
 +
allegations the infringement of the principles of interdiction of arbitrariness, security
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 55
 +
55/141
 +
legal and equality established in articles 9.3 and 14 CE, pursuant to article
 +
88.1.d) LJCA and the Court uphold said motivation. Of this resolution, it is worth highlighting
 +
the next:
 +
“C) The constitutional requirement of the reasons for the judgments, included in the
 +
Article 120.3, in relation to 24.1, of the Constitution, appears justified, without further ado
 +
to emphasize the ends to whose achievement it tends, which, above all, aspires to
 +
patent the submission of the Judge or Court to the rule of Law and contributes to achieving the
 +
conviction of the parties in the process about justice and the correctness of a decision
 +
judicial, facilitating the control of the sentence by the Superior Courts, and operates
 +
as a guarantee or preventive element against arbitrariness.
 +
d) The breadth of the reasons for the judgments has been qualified by the doctrine of the
 +
Constitutional Court, indicating that it does not authorize to demand judicial reasoning
 +
exhaustive and detailed of all the aspects and perspectives that the parties
 +
may have of the question to be decided, but must be considered sufficiently
 +
motivated those judicial decisions that are supported by reasons that
 +
make it possible to know what the essential legal foundational criteria have been
 +
of the decision, that is, the "ratio decidendi" that it has determined (judgments of the
 +
Constitutional Court 14 / 1991,28 / 1994,145 / 1995 and 32/1996, among many others). A) Yes
 +
It has been recognized by the Constitutional Court itself when it refers to the fact that it is not
 +
an exhaustive or exhaustive examination of the arguments of the parties is necessary, and
 +
when it even allows argumentation by references to reports or other
 +
resolutions. The Judgment of the Constitutional Court nº 122/94 of April 25, affirms
 +
that this right to motivation is satisfied when the judicial decision in a manner
 +
explicit or implicit contains reasons or elements of judgment that allow knowing the
 +
criteria on which the decision is based "."
 +
As a result of the foregoing, it should be noted that the AEPD identifies as an example of a sanction, the
 +
Sanctioning Procedure with file number PS / 0025/2019, file that
 +
It is in contentious proceedings and therefore, it does not become firm. For all this, neither can
 +
be considered a file that affects the diligence operated by EDP
 +
MARKETING COMPANY, nor can it be considered as an antecedent, since
 +
this sanction is not yet final. After analyzing the above, as well as the doctrine and
 +
jurisprudence embodied in this section, it can only be concluded that we
 +
We are faced with a series of proposals for administrative sanctions, the motivation of which
 +
they are separated from the own interpretation recently made by this Agency. For
 +
Therefore, it must be understood that the situation caused generates damages derived from the
 +
lack of legal certainty, the motivation of which is set out in the sections that
 +
follow.
 +
B. LACK OF PROPORTIONALITY At this point, it should be remembered that the principle
 +
proportionality is a general principle of law. Reason why, the AEPD
 +
you should take this principle into account both when determining the criteria
 +
evaluators, such as when determining the applicable sanction, a principle that as
 +
It is possible to appreciate the procedure, from the beginning of the investigation and
 +
stricter sense of defense, has not been applied by the AEPD in the Agreement of
 +
Initiation of the Sanctioning Procedure.
 +
It should be noted in this section that the sanctioning capacity of the AEPD is
 +
is limited by the principle of proportionality, a limitation embodied in the
 +
Article 29 of Law 40/2015, of the Legal Regime of the Public Sector (hereinafter,
 +
"LRJSP"). This requires that all sanctions be suitable, necessary and adequate to the
 +
seriousness of the constitutive fact of the offense. Therefore, we remember the criteria
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 56
 +
56/141
 +
evaluators collected throughout the writing, as well as the following excerpts from the
 +
Article 83.2 of the RGPD that applies jointly.
 +
"K) any other aggravating or mitigating factor applicable to the circumstances of the case,
 +
such as financial benefits obtained or losses avoided, direct or
 +
indirectly, through the offense. "
 +
In this regard, of the aforementioned few or non-existent claims in
 +
regarding the alleged breaches, it can only be interpreted that EDP
 +
COMERCIALIZADORA complies with the general and majority requirements
 +
included in the RGPD, a criterion that must be taken into account as mitigating
 +
potential applicable sanction.
 +
First, with respect to the alleged violation of Article 25 of the RGPD, the
 +
AEPD, seems to intend to sanction assuming the non-existence of
 +
legally required documentation, without the Authority itself having required it.
 +
For this reason, the AEPD in the sanction proposed in the writing of Agreement for the Start of
 +
Sanctioning Procedure, is based on a fiction, since the reality of the situation is
 +
that the documents on which the non-existence or inaccuracy is alleged comply with
 +
all obligations associated with data protection from the design and by
 +
defect, providing, as stated in the corresponding point, of
 +
relevant risk analyzes and impact assessments, including all relevant
 +
corrective measures, having followed both the analyzes and the internal plans
 +
with the criteria indicated by the AEPD.
 +
Therefore, the proposed sanction is not only disproportionate according to the above
 +
in this writing, but it is not applicable to the facts before which we
 +
we find.
 +
Second, as indicated in the second claim, the alleged
 +
infringement of article 6 of the RGPD, EDP COMERCIALIZADORA has not carried out
 +
any treatment related to the realization of a profiling and its subsequent use with
 +
commercial purposes, nor has it provided insufficient information regarding the identification of the
 +
responsible, being the same reflected at the contractual and informative level both in the
 +
first layer, as in the second, aspect that in any case would affect what was collected
 +
in article 13 of the RGPD. A greater abundance, as we have exposed
 +
previously, the collection of the purposes jointly, when these are
 +
They are subject to the same legitimizing basis, it is approved by the AEPD itself.
 +
For this reason, the proposed sanction is disproportionate and contrary to law.
 +
legal since the existence of any infraction has not been justified, nor has
 +
carry out the treatment in question.
 +
Likewise, as we have already stated previously, the AEPD, up to now, has not
 +
sanctioned in any file based on the violation of article 22 of the RGPD,
 +
thus requiring a detailed and justified review and substantiation, so that the
 +
proposed sanction is not considered disproportionate.
 +
Finally, based on what is stated in the fourth claim regarding the violation of the
 +
Article 13 of the RGPD and in relation to the provisions of this section, the
 +
information collected and provided to interested parties complies with legal requirements
 +
enforceable, not being punishable in any case the non-implementation of recommendations
 +
that the AEPD intends to impose on EDP COMERCIALIZADORA, as well as aspects that
 +
even despite being at one point defended and applied by the AEPD itself,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 57
 +
57/141
 +
are at this time arguments to justify the non-existent infringement by
 +
of EDP COMERCIALIZADORA of its duty of information.
 +
Therefore, as it has been shown and broken down throughout the present
 +
In writing, EDP COMERCIALIZADORA complies with both the requirements set out by the
 +
applicable regulations, as indicated by the guides and legal texts published by
 +
the AEPD itself.
 +
Likewise, the AEPD considers EDP COMERCIALIZADORA as an entity with a
 +
great business value, assuming this volume is a relevant aspect when it comes to
 +
raise the penalty, without proving, however, that the business value is sufficient to
 +
that the sanctions, which are widely high, can be considered as
 +
proportional.
 +
Likewise, as has been explained in each point, each and every one of the
 +
alleged infringing actions have mitigating factors that do not appear to be
 +
have been taken into account, since they only consider criteria that in addition to
 +
expressed independently of what is contained in the articles themselves, increase the
 +
amount of the potential sanction to impose.
 +
These aspects show the total disproportion and arbitrariness of the sanctions
 +
proposals, without there being any foundation in the Initiation Agreement that allows
 +
the AEPD to motivate the amounts proposed, nor the reasons why some
 +
same facts that until now had not even been sanctioned by the
 +
Control Authority previously - infringement of article 22 of the RGPD-,
 +
thus departing from the considerations of other procedures, as well as the
 +
evaluative criteria to determine unmotivated amounts and
 +
disproportionate.
 +
Therefore, the proposed sanction would not have to be applied, since there is no
 +
infringement, nor any breach, nor does it meet the criteria covered by the
 +
principle of proportionality.
 +
Added to the above, in the Judgment of October 15, 2012 (JUR / 2012/353649),
 +
Appeal 180/2010, the Chamber, applying the principle of proportionality, addressed the lack of
 +
of accreditation of the effects of the conduct as a criterion to reduce the sanction,
 +
pointing out the essential character of the principle, allowing the Chamber to eliminate or reduce
 +
sanction imposed:
 +
“As the appellant points out, it is not proven that the conduct
 +
anticompetitive would have any effect on the market, since there is no reasoning in the
 +
resolution appealed what has been the effect on consumers or users in this
 +
case of public hospitals (…) In Spain, the Supreme Court has recognized the
 +
capacity of the court to rectify the graduation of sanctions
 +
imposed by the Court for the Defense of Competition. Thus in sentence of 5 of
 +
March 2001, May 24, 2004, June 12, 2006, February 14, 2007
 +
points out that "the aforementioned principle of proportionality or of the individualization of
 +
sanction to adapt it to the seriousness of the fact, make the determination of the
 +
sanction a regulated activity and, of course, it is possible in a jurisdictional seat not
 +
only the confirmation or elimination of the sanction imposed but its modification to
 +
reduction "or in the judgment of October 8, 2001" there is no excess in the
 +
exercise of jurisdiction but observance without more than the constitutional mandates
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 58
 +
58/141
 +
referring to the right to judicial protection (article 24.1) and to the control of the legality of the
 +
administrative action (8 article 106.1), when the court, analyzing
 +
one of the reasons for challenging the administrative act, such as the resolution of the
 +
Competition Defense Court, decides which is the appropriate sanction in
 +
application of this principle of proportionality and of the provisions that for this purpose
 +
established the legal norm ".
 +
In this sense, it is also worth mentioning the Judgment of the TSJA resolving
 +
through resource number 795/2003:
 +
"The principle of proportionality has served in jurisprudence as an important
 +
control mechanism by the Courts of the exercise of power
 +
sanctioning of the Administration when the norm establishes for an infraction
 +
various possible sanctions or indicates a quantitative margin for setting the
 +
financial penalty. The principle of proportionality or the criminal principle of
 +
individualization of the sanction to adapt it to the seriousness of the act and the
 +
personality of the author, make the determination of the sanction a regulated activity.
 +
The Supreme Court has repeatedly maintained the provenance of specifying
 +
administrative sanctions in contemplation of the offense committed,
 +
grading them with the appropriate criterion of proportionality, based on the principles
 +
sanctioning law computers, weighing for this purpose the circumstances
 +
concurring in the constitutive act of the sanctioned offense, corresponding to
 +
jurisdictional activity, as stated in the judgment of September 26, 1990,
 +
not only the power to subsume the offender's conduct in a certain type
 +
legal, but also adapt the sanction to the act committed, since in both cases
 +
It involves the application of legal criteria set out in the written norm and
 +
deductible from the informing principles of the sanctioning legal system, such as
 +
they are those of congruence and proportionality between the offense and the sanction. "
 +
In short, analyzing each of the alleged infractions that are attributed to me
 +
represented, it is only possible to interpret that there is an absolute disproportionality in
 +
the interpretation made by the AEPD in this Agreement for the Beginning of
 +
Penalty Procedure, not only because it lacks motivation when it comes to
 +
consider the alleged offense to have been committed, but because of the fact that the sanctions
 +
Proposals escape any criteria previously assessed by the company itself.
 +
AEPD. And therefore, at least the correction by the AEPD corresponds, in
 +
case of not considering the due cancellation and filing of the proceedings, assuming
 +
therefore a substantial reduction of each potential infringement to its minimum degree,
 +
even reaching the warning, because there is no non-compliance, lack of
 +
motivation and disproportionality.
 +
C. DUPLICITY OF SANCTIONS AND COMPLIANCE WITH THE "NE BIS IN PRINCIPLE
 +
IDEM"
 +
An aspect is derived from the Agreement to Initiate Sanctioning Procedure that has
 +
been pointed out at various points in the present allegations thereto, and
 +
whose relevance cannot be ignored. Thus, the infractions that are indicated are
 +
reiterations of the same facts, whose estimation would cause a notorious
 +
duplicity in the sanctions imposed, either because they address circumstances
 +
previously examined by the AEPD or because it estimates the concurrence
 +
multiple infringements on the same fact.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 59
 +
59/141
 +
In the first place, this Agency has pointed out the concurrence of a
 +
infringement derived from the provisions of article 25 RGPD by estimating that they have not been
 +
carried out the appropriate actions, referring to the adequacy of the
 +
procedures that are implemented for contracting by third parties. Without prejudice to
 +
the arguments that have been expressed in the corresponding First allegation, to
 +
to which we refer for brevity, it is relevant to note that the appreciation of the
 +
commission of infringement derives from events that, prior to it,
 +
have been previously analyzed by the AEPD. This has meant that, considering the
 +
concurrent casuistry in the same, this was sanctioned in a procedure that,
 +
the date, is appealed.
 +
From the foregoing, it should necessarily follow that the imposition of the
 +
infringement causes the production of new facts that motivate the imposition of
 +
the proposed sanctions. Well, neither is this the casuistry that concerns us,
 +
there have been no new claims or circumstances that have led to the AEPD
 +
to this Agreement for the Initiation of Sanctioning Procedure. Certainly the
 +
imposition of the sanction that is proposed would suppose that, before a fact that has been
 +
evaluated and resolved or punished by the corresponding authority, be it again
 +
examined from the same perspective or, on the contrary, that, in the absence of
 +
materialization of said risk, said sanction would be imposed based on conducts
 +
that could potentially lead to non-compliance, but whose production is, to
 +
the date, nonexistent.
 +
Secondly, the AEPD makes use of different normative precepts to
 +
sanction the same act, by simultaneously constituting the commission of three
 +
infractions, although each of them is based on non-compliance with the
 +
duty of information regulated in article 13 of the RGPD
 +
In this sense, as has already been advanced in the previous allegations, although the
 +
Agreement to Initiate Sanctioning Procedure part of the applicability of three
 +
differentiated offenses, corresponding to articles 6, 13 and 22 of the RGPD,
 +
all of them are based on deficient information and ignorance of the
 +
user of the object of the consent request. Thus, the argumentation that embodies
 +
to substantiate your consideration regarding obtaining consent
 +
insufficient, it is indicated that: “It is considered that the consent thus given is not
 +
adjusted to the provisions of the RGPD and the LOPDGDD. Consent is requested with
 +
deficient information, as it is not indicated or what third-party databases are going to
 +
consult or what type of data will be collected, so that the interested party does not know
 +
absolutely that is what you are consenting to. Nor is it determined who is going to be
 +
the person responsible for the treatment, a generic reference is made to EDP, without the
 +
client who has contracted a service only with one of the two entities
 +
(EDP COMERCIALIZADORA SAU or EDP ENERGIA, SAU) know if you are
 +
Consenting that such treatments are carried out by both entities or only
 +
that of which you are a client. Nor is it clear what type of services will be allowed
 +
hire or not. Such deficiencies do not allow the interested party to know the
 +
consequences of your decision and thus assess whether or not to provide your
 +
consent." (Page 50 of the Agreement to Initiate Sanctioning Procedure).
 +
Similarly, regarding the alleged violation of article 22 RGPD, relating to the
 +
commission of automated decisions, the AEPD in its own written Agreement of
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 60
 +
60/141
 +
Initiation of Sanctioning Procedure, after collecting the aspects related to the
 +
treatment of data in which there are automated decisions, collects the following:
 +
“From all this it can be concluded that the consent given for such purposes does not
 +
is in accordance with the provisions of article 4.7 of the RGPD as long as it is not
 +
duly informed in general, the requirements are not met
 +
specific information established in article 13.2 for decisions
 +
automated and is not specific. The absence of such requirements determines that
 +
the same is not valid so that the treatments based on it lack
 +
legitimation, thus contravening the provisions of articles 6 and 22 of the RGPD. "
 +
(Page 52 of the Agreement to Initiate Sanctioning Procedure).
 +
In light of the foregoing, each insufficiency mentioned, derives cumulatively, to the
 +
potential breach of article 13 of the RGPD, regarding the duty of information.
 +
For these purposes, the presentation made by
 +
that Agency of two infractions derived from the absence of legitimation basis
 +
sufficient as it is not informed consent and, simultaneously, another infraction
 +
due to the lack of transparency in the information provided. About it, well
 +
It is known by the AEPD that our jurisprudence has reiterated in many
 +
occasions as a fundamental principle of Law, that the same fact cannot be
 +
sanctioned twice.
 +
The application of this principle non bis in idem supposes a manifest impossibility of
 +
impose two or more administrative sanctions, for the same act, provided that
 +
produces a de facto identity, is attributed to the same subject and is imposed
 +
based on a common foundation as regards the protected legal asset.
 +
Therefore, there is no doubt that, if the AEPD's assessment is applicable
 +
of the commission of an infringement by EDP COMERCIALIZADORA of the
 +
exposed facts referring to the indicated articles, this will require the necessary
 +
competition of applicable laws. In this sense, it is essential to bring up the
 +
provided in article 29.5 of the LRJSP, which states that: “When the commission of
 +
an offense necessarily derives the commission of another or others, it must be imposed
 +
only the sanction corresponding to the most serious offense committed. "
 +
Without prejudice to the scarce jurisprudence derived from said precept, as a result of its
 +
previous regulation (Royal Decree 1398/1993, of August 4, approving the
 +
Rules of Procedure for the Penalty Power), our Courts
 +
have preached that, for the assessment of the aforementioned contest, the regulations
 +
“(…) Requires, for the application of the medial contest, a necessary derivation of some
 +
infractions with respect to the others and vice versa ”(Judgment of the Supreme Court of 8
 +
February 1999).
 +
In application of this precept, there are favorable judgments of the Chamber of
 +
contentious-administrative law of the National Court that, in analysis of the matter
 +
it concerns us, stated that: “Accordingly, this Chamber considers that in the case of
 +
There is a direct connection between the violation of Article 6 (treatment of
 +
personal data without the consent of the affected party) and the violation of the
 +
Articles 4.3 (treatment of inaccurate data), both of the LOPD. Connection to be
 +
is highlighted by the fact that the processing of the complainant's data without his
 +
consent, is carried out only in communication by letter (from the
 +
information about the movements of the Cortefiel POS) to your old address, which is
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 61
 +
61/141
 +
which gives rise to the complaint presented by him, and that by not correcting (precisely
 +
because said incorrect treatment did not have any economic or accounting reflection in
 +
said Bank), is maintained in the different communications by letter made. It is
 +
In other words, as indicated by the plaintiff in the lawsuit, it turns out that the treatment that
 +
has consisted, exclusively, in improperly including some data of the affected party in a
 +
report of operations that do not refer to it, can only be produced without mediating its
 +
consent, so that the non-consensual treatment of data of article 6.1 LOPD
 +
necessarily derives from the improper or erroneous treatment thereof (Art
 +
4.3) .Therefore, the aforementioned article 4.4 of the Regulation for the
 +
exercise of the sanctioning power, therefore, since both offenses are the same
 +
gravity, it is necessary to impose a single sanction 60,101.21 Euros, which is considered
 +
be in this case the one corresponding to the infringement of the principle of treatment not
 +
consented, in which the infringement of the
 +
data quality principle, both of article 44.3.d) LOPD. " (Judgment of 19
 +
November 2009, rec 338/2009)
 +
In light of this, even though the precepts of the
 +
regulations that preceded the RGPD and would cover a differentiated scenario, there is no doubt
 +
that the National Court appreciated the appropriateness of estimating the concurrence of
 +
offenses based on a medial contest among the offenses contemplated
 +
in the data protection regulations, when necessarily the commission of a
 +
requires the production of the other. In this regard, said Hearing states that,
 +
if there is a single action from which two offenses could be derived, it can only be
 +
be taken into account the most serious. In the same way as in the aforementioned case,
 +
in which the improper obtaining of a data necessarily caused a treatment of
 +
inaccurate data, in the case that concerns us, the consideration by this AEPD of
 +
an illegitimate obtaining for not complying with the principles defined by the RGPD for
 +
determine that consent is informed and unequivocal, it must be subsumed
 +
in the assessment pertinent to the duty to inform, not allowing in any way the double
 +
assessment indicated in the penalty proposal. It does not fit, therefore, as has
 +
set out by the AEPD in this procedure, apply different precepts
 +
regulations (articles 6, 22 and 13 of the RGPD) independently, to sanction
 +
on a potential offense directly related to the line of duty
 +
of information, and in any case the penalties proposed in the
 +
Penalty Procedure Agreement.
 +
D. LACK OF RELEVANT EVIDENCE FOR IMPUTATION OF THE INFRINGEMENT
 +
AND CORRESPONDING IMPOSITION OF THE PENALTY.
 +
It is necessary to bring up the inquisitive principle or of dominant officiality in the
 +
administrative procedure, which implies that the administrative authority is the
 +
obliged to proceed to the verification of the alleged facts through the ex practice
 +
office of the pertinent tests, thus dominating the principle of material truth. A) Yes
 +
Therefore, in the administrative procedure it is an essential requirement that all
 +
affirmations made are subjected to confrontation with the facts, falling
 +
on the competent authority the accreditation of the same, in order to guarantee the
 +
legal certainty required for the sole purpose of complying with the purposes of the
 +
Public Administration .
 +
Likewise, it is pertinent to point out the provisions of article 53 of Law 39/2015 of 1
 +
October, of the Common Administrative Procedure of Public Administrations,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 62
 +
62/141
 +
regarding the presumption of innocence and the non-existence of responsibility while
 +
not to be proven otherwise.
 +
For more abundance, reference should be made to the Judgment of the Court
 +
Constitutional 76/1990, of April 26, 1990, Rec / 695/1985 that delimits the scope
 +
and respect for the presumption of innocence in the sanctioning procedure and that indicates
 +
the following: “Indeed, it cannot raise any doubt that the presumption of
 +
Innocence governs without exceptions in the sanctioning system and must be respected
 +
in the imposition of any sanctions, be they criminal, be administrative in
 +
general or tributary in particular, since the exercise of ius puniendi in its various
 +
manifestations is conditioned by art. 24.2 CE to the test set and a
 +
Contradictory procedure in which their own positions can be defended. On
 +
In this sense, the right to the presumption of innocence entails: that the sanction is
 +
based on acts or probative means of charge or incriminating conduct
 +
reproached; that the burden of proof rests with the accuser, without anyone being
 +
forced to prove his own innocence; and that any insufficiency in the result of
 +
The tests, carried out, freely assessed by the sanctioning body, must
 +
be translated into an acquittal.
 +
Likewise, we cannot affirm that the evidentiary activity carried out by the
 +
Administration can be considered of charge, and, in the event that this body
 +
so consider it, (STS of December 18, 2000- RJ 2000/92) it has been
 +
fully disproved by means of the statements made by this party, thus
 +
as well as through the documents attached to this lawsuit.
 +
Similarly, the jurisprudential line followed by
 +
Constitutional Court in its judgment of February 20, 1989, in relation to the
 +
principles and guarantees of criminal judicial procedure applicable to the procedure
 +
administrative sanctioning and, which indicates "Our doctrine and criminal jurisprudence have
 +
been arguing that, although both may consider as manifestations of
 +
a generic favor rei, there is a substantial difference between the right to presumption
 +
of innocence, which develops its effectiveness when there is an absolute lack of evidence
 +
or when those practiced do not meet the procedural guarantees and the principle
 +
jurisprudential in dubio pro reo that belongs to the moment of the valuation or
 +
evidentiary appreciation, and that has to judge when, that activity concurs
 +
indispensable evidence, there is a rational doubt about the real concurrence of
 +
objective and subjective elements that make up the criminal type in question "
 +
Regarding these criteria, the Spanish Agency has ruled, agreeing on the
 +
file of proceedings (E / 04684/2017) and stating the following literally:
 +
“(…) For this reason, it is necessary to review in relation to the principle of presumption of
 +
innocence that, to the Administrative Penalty Law, due to its specialty, are
 +
application, with some qualification, but without exceptions, the inspiring principles of the
 +
criminal order, being clear the full virtuality of this principle of presumption of
 +
innocence. In this sense, the Constitutional Court, in Sentence 76/1990, considers
 +
that the right to the presumption of innocence implies “that the sanction is based on
 +
acts or means of proof of charge or incriminating the reproached conduct; what
 +
The burden of proof rests with the accuser, without anyone being obliged to prove
 +
his own innocence; and that any shortcomings in the test result
 +
practiced, freely valued by the sanctioning body, should be translated into a
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 63
 +
63/141
 +
acquittal ”. In accordance with this approach, it is necessary to
 +
account that they can only be sanctioned for acts constituting an infringement
 +
administrative the natural and legal persons who are responsible for the
 +
themselves by way of fraud or fault ”(…) Ultimately, the application of the principle of
 +
presumption of innocence prevents the imputation of an administrative offense when
 +
has obtained and verified the existence of a proof of charge accrediting the
 +
facts that motivate this accusation. (…)
 +
Finally, review the Judgment of May 25, 2001, issued on appeal
 +
administrative litigation by this National Court, to number 29/2000,
 +
pronounce on the imposition of a sanction based on a presumption
 +
carried out by the Agency, and rules that “(…) the Chamber, as we went on to
 +
reason, from the assessment of the evidence in the administrative file, it reaches
 +
the conclusion that this integrating fact of the
 +
type, that is, it is not proven that the Bank delivered to Mr. ... the respective extract,
 +
This concrete fact provokes serious doubts, in the face of the required certainty ”. Y
 +
concludes by stating that without denying that the events could have occurred as indicated in the
 +
the complainant, neither can the possibility that the extract was not
 +
given to the husband by the Bank, but that he obtained it by taking advantage of some
 +
visit to the home or through the action of a relative, said in terms of
 +
pure hypothesis ”.
 +
In this same sense, the Superior Court of Justice of Madrid ruled in
 +
Judgment of 02/21/2001, in which it states that “The only evidence of the prosecution, of which the
 +
APD infers the responsibility of the appellant, it is the fact that it was the ex-husband
 +
of Dña ... who will provide the lawyer with said extract that was contributed to the incident
 +
modification of measures, and it must be agreed with the appellant that the possession of the
 +
Extract, in the opinion of this Chamber, is insufficient circumstantial evidence to destroy its
 +
presumption of innocence since, certainly, said extract could reach the possession of
 +
D ... through channels other than direct delivery by the bank, for
 +
what not being proven any of these hypotheses, this reasonable doubt
 +
about the way in which the ex-husband obtained the bank account statement
 +
The complainant must always operate for the benefit of the sanctioned, proceeding, in
 +
Consequently, uphold his claim to annul the sanction imposed for lack of
 +
sufficient proof of the appellant's participation in the delivery of the bank statement
 +
to a person other than the account holder ”In short, appreciating the various
 +
criteria taken into account by the competent body in matters of protection
 +
of data when carrying out the file of actions in those cases in
 +
those in which it is considered that there is a lack of evidence and in which, the
 +
outlined jurisprudential lines, this part considers that the
 +
legal guarantees that all procedures must respect.
 +
E. LACK OF LEGAL FOUNDATION
 +
As we have stated throughout this writing, the alleged infractions
 +
committed by my client, have not taken place, so it has not materialized,
 +
nor is there any possibility that EDP COMERCIALIZADORA has infringed the
 +
mentioned articles following what was alleged by the AEPD in the Agreement for the Beginning of
 +
Sanctioning Procedure.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 64
 +
64/141
 +
It should be noted that any sanctioning procedure and, where appropriate, the sanction
 +
resulting, must be motivated, grounded, and even more decisive, must comply
 +
with the due principle of legality, typicity. As a result of this aspect, it is brought up
 +
the Sentence of the Superior Court of Justice of Catalonia, number 870/2019,
 +
Rec: 454/2016, from which we extract the following:
 +
"The due effectiveness of the principle of typicity in administrative sanctioning matters
 +
whose requirement certainly derives from our administrative order
 +
sanctioner, also in tax matters, as a manifestation of the guarantees
 +
formal and material that are contained in the constitutional principle of legality
 +
sanctioning ex article 25.1 of the Constitution, and which previously included article 129 of
 +
the already repealed Law 30/1992, of November 26, on the legal regime of
 +
public administrations and the common administrative procedure, applicable to
 +
this case additionally for temporary reasons (and today Article 27 of the Law
 +
40/2015), as well as in this specific tax order, article 178 of the Law
 +
58/2003, General Tax, taking into account the implicit content of the aforementioned precept
 +
constitutional (Article 25.1 of the Constitution), despite its remarkable laconism
 +
(Constitutional Court ruling number 34/1996, of March 11), in which
 +
has highlighted the so-called material guarantee of the principle of legality (among others, and
 +
Since the ruling of the Constitutional Court 42/1987, of April 7, the
 +
Judgments of the Constitutional Court 3, 11, 12, 100 and 101/1988, of June 8, 161,
 +
200 and 219/1989, of December 21, 61/1990, of March 29, 207/1990, of December 17,
 +
December, 120 and 212/1996, 133/1999, of July 14, 142/1999, of July 22, and 60 and
 +
276/2000, of November 16), which is identified with the traditional principle of
 +
typicity of the offenses and administrative sanctions and that requires a determination
 +
previous and certain regulations of the specific conduct or conducts that by action or
 +
omission is deemed to constitute a fault or an administrative offense, with
 +
prohibition of any analogue or extensive interpretation in malam partem
 +
(Constitutional Court ruling 125/2001, of June 4, citing the
 +
Judgments of the Constitutional Court 81/1995, of June 5, 34/1996, of
 +
March, 64/2001, of March 17, and 113/2002, of May 9), being likewise
 +
jurisprudential doctrine already well consolidated which teaches that in the exercise of its
 +
sanctioning administrative power the acting sanctioning administration does not
 +
responds, properly, to the exercise of an administrative power of essence or of
 +
discretionary trend but predominantly regulated for the application to each case
 +
concrete sanctioning regulatory framework pre-established with a general character in the
 +
applicable sanctioning legal system, which implies, from the outset, the
 +
requirement of the necessary adequacy and rigor in the qualification of the facts
 +
accused and in their punctual incardination and adequate subsumption in the offending type
 +
legally defined for its correction, in such a way that the opposite, certainly,
 +
it would be a determining factor of violation of the subjective fundamental right before
 +
pointed out and all recognized by the current constitutional text ex article 25.1 of the
 +
Constitution (rulings of the Constitutional Court 77/1983, of October 3, and
 +
3/1988, of January 21), which, because it is susceptible to constitutional protection, would
 +
incur in an eventual administrative sanctioning action that violates the same in
 +
the defect of nullity of full right previously provided for by article 62.1. a) of the
 +
Repeated Law 30/1992, applicable to the case for temporary reasons (today Article 47.1. a)
 +
of Law 39/2015) "
 +
For more abundance, article 89 of Law 39/2015, of October 1, on the
 +
Common Administrative Procedure of Public Administrations, which includes the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 65
 +
65/141
 +
following: 1. The investigating body will resolve the completion of the procedure, with
 +
file of the proceedings, without the need to formulate the proposal for
 +
resolution, when the procedural instruction shows that
 +
any of the following circumstances concur: a) The non-existence of the facts that
 +
could constitute the infringement. b) When the facts are not proven. c)
 +
When the proven facts do not manifestly constitute an infringement
 +
administrative. d) When there is no or it has not been possible to identify the person or
 +
responsible persons or appear exempt from liability. e) When
 +
conclude, at any time, that the offense has prescribed. In the present
 +
Of course, both a), b) and c) concur, which is why, therefore, it would not fit
 +
continue with the sanctioning procedure initiated, having to resolve, where appropriate, the
 +
file of the proceedings, a request that we present before the AEPD with character
 +
reiterated, since, as evidenced in this document, neither has
 +
committed the offending acts, nor are the alleged
 +
offending conduct, nor the interpretation and sanctions proposed by the AEPD remain
 +
motivated.
 +
TWELFTH: Received the allegations made by EDP
 +
Comercializadora, SAU to the agreement to initiate the reference procedure,
 +
noted that the document attached to them called "annexes 1, 2 and 4" is
 +
states that “given the technical limitations of the electronic office for the
 +
presentation of the content of annexes 1, 2 and 4, these are presented by means of a
 +
link to a folder ”, indicating a link to a website and a password, using
 +
written, dated October 3, 2020, a period of 5 business days is granted to
 +
present the documentation that appears in said document in the Registry of this
 +
Agency through the Electronic Office, for the purposes of recording
 +
Registry of the documentation presented, its origin and its integrity.
 +
On October 8, 2020, they are presented through the Registry of this Agency
 +
the following documents:
 +
Appendix 1:
 +
- Annex 1.a) Risk analysis methodology and implementation of Days
 +
- Annex 1.b) RAT contracting EDPC
 +
- Annex 1.c) RAT risk assessment- EDPC contracting
 +
- Annex 1.e) Impact Assessments -Risk Assessments
 +
- Annex 1.f) Impact evaluations - Reports
 +
Appendix 2:
 +
- EDP Methodology_Privacy by Design by Default
 +
- Operational Instruction Privacy by Design & Privacy by Default
 +
- Privacy by Design & Privacy by Default form
 +
- Privacy By Design Procedure Flowchart.
 +
Annex 4:
 +
- Examples of requests for the exercise of rights.
 +
Regarding these documents:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 66
 +
66/141
 +
- A risk analysis methodology is provided, whose history of
 +
versions dates version 1.0 on 11/24/2017, indicating in the notes of
 +
revision which is an "initial version-working document" and version 1.1 is
 +
dated 05/11/2108 indicating the revision notes “revision prior to the
 +
application of the RGPD ”. There is no evidence that any review has been carried out
 +
later. Various annexes are provided, the date of which does not appear, specifically
 +
These annexes are the following: 1.b) RAT contracting EDPC
 +
- Annex 1.c) RAT risk assessment- EDPC contracting
 +
- Annex 1.e) Impact Assessments -Risk Assessments
 +
- Annex 1.f) Impact evaluations - Reports
 +
The document contained in annex 1.b RAT, contracting EDPC, whose date does not
 +
It consists, includes a treatment purpose not included in the Activity Register
 +
of treatment sent to this Agency on June 17, 2020. Specifically
 +
said treatment that is now included has the following content:
 +
Responsible: EDP Comercializadora SAU
 +
Purpose of the treatment: "Carrying out Scoring of customers of the B2C segment prior
 +
to hiring ”,
 +
Description: “Scoring of customers in the B2C segment prior to the
 +
contracting according to the internal pending debt and information from
 +
solvency (ASNEF). "
 +
Category of data holders: "Clients and potential clients."
 +
Category of personal data processed: "Identifying data and economic data."
 +
Legal basis for carrying out the treatment: "Satisfaction of legitimate interests."
 +
Period of conservation of personal data: “5 years from the end of the
 +
contractual relationship. The certain, past due and enforceable debt derived from the execution of the
 +
contract will be maintained until its cancellation or the limitation period of the actions
 +
pertinent legal recovery. "
 +
Data transfers (data recipients, other than those in charge of the treatment):
 +
“ASNEF is jointly responsible for the treatment, according to the signed agreement
 +
with ASNEF. "
 +
Categories in charge of treatment: The box has no content.
 +
International data transfer: No
 +
Annex 1.c) under the name “RAT Risk Assessment- EDPC Contracting”, whose
 +
date is also not reflected in the document, it contains a risk analysis, in the form
 +
of matrix, the same as that presented on June 17, 2020, although they have added
 +
two columns under the title “treatment requires PIA”, the two titled “Nº of
 +
EDP-W29 criteria ”, the first indicates a number that seems to correspond to
 +
its title and the second indicates the need to carry out an evaluation of
 +
impact. In said matrix there is also a new treatment whose purpose is the
 +
"Scoring clients in the B2C segment prior to hiring."
 +
Various documents entitled impact evaluations are provided, whose date
 +
Nor is it recorded, these impact evaluations are the following:
 +
-Risk assessment of B2C client scoring prior to hiring,
 +
in which, among other threats, the following are indicated:
 +
- “the basis that legitimizes the treatment is not adequate, is illegal or has not been formulated
 +
adequately ”, whose probability is set as high, with an impact rated as
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 67
 +
67/141
 +
very high and resulting in inherent risk High. Regarding the controls implemented
 +
Faced with this threat, it is stated that “the legal basis of the treatment is to satisfy a
 +
legitimate interest (fraud prevention) ”.
 +
- “At the time of data collection, the minimum information is not provided
 +
provided to the person or no information is provided. " In this case
 +
it is considered that neither the probability nor the impact “does not apply, nor is there a risk
 +
inherent, the controls being the “Data Protection clause included in the
 +
contract signed with the client with all the information required by the RGPD ”and the
 +
"Information provided to the client prior to carrying out the scoring process"
 +
-Evaluation of channel leads to be converted by telemarketing
 +
-Risk assessment Telemarketing upselling and dropouts
 +
-CAC channel risk assessment to clients or potential clients (inbound)
 +
-OOCC Channel Evaluation of clients and potential clients
 +
- Risk assessment of third-party stores for sale to potential customers.
 +
In all these impact evaluations, threats are considered among others
 +
many, those related to the fact that “the basis that legitimizes the treatment is not adequate, it is
 +
illegal or has not been properly formulated ”and“ at the time of collection of the
 +
data is not provided the minimum information provided to the person or is not
 +
provides no information "In both cases the probability is valued as high,
 +
the impact as very high and the inherent risk high. Controls are mentioned
 +
adopted, referring to the legitimizing basis of the treatment in the first of the cases
 +
and "Data Protection clause included in the contract signed with the client with
 +
all the information required by the RGPD ”in the second. They are described among the
 +
checks in progress for both threats on all channels except channel
 +
OOCC, “the implementation of a new contracting procedure through
 +
representative, incorporating the sending of an SMS / Email message through which the
 +
provides the basic information necessary in terms of data protection to the owner of the
 +
contract."
 +
The date on which the actions in progress were incorporated into the
 +
corresponding impact evaluations.
 +
THIRTEENTH: On 03/11/2021, a resolution proposal was issued in the
 +
following sense:
 +
FIRST: That the Director of the Spanish Agency for Data Protection
 +
sanction the entity EDP COMERCIALIZADORA, SAU, for an infringement of the
 +
Article 25 of the RGPD, typified in article 83.4.a) and classified as serious for the purposes
 +
of prescription in article 73.d) of the LOPDGDD, with a fine in the amount of
 +
500,000 euros (five hundred thousand euros).
 +
SECOND: That the Director of the Spanish Agency for Data Protection
 +
sanction the entity EDP COMERCIALIZADORA, SAU, for an infringement of the
 +
article 13 RGPD, typified in article 83.5.b) and classified as mild for the purposes of
 +
prescription in article 74.a) of the LOPDGDD, with a fine in the amount of
 +
1,000,000 euros (one million euros).
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 68
 +
68/141
 +
THIRD: That, due to lack of evidence, in application of the principle of presumption of
 +
innocence, it is declared not attributable to EDP COMERCIALIZADORA, SAU, the
 +
infringements of the provisions of articles 6 and 22 of the RGPD.
 +
FOURTEENTH: Notified to the entity EDP COMERCIALIZADORA, SAU the
 +
aforementioned resolution proposal, said entity submitted on 03/15/2021 a written
 +
in which an extension of the term was requested to formulate allegations. Granted the
 +
extension of term, on 04/07/2021 a written statement of
 +
allegations, in which it is requested that the file of the procedure be agreed
 +
sanctioner or, alternatively, the substantial reduction of each sanction proposed to
 +
its minimum amount or its substitution, even for the warning, if applicable. Base
 +
your requests in the considerations summarized below:
 +
ACQUISITION OF THE COMPANY OBJECT OF THE SANCTIONING RECORD. With
 +
preliminary character and for clarification purposes, EDP COMERCIALIZADORA puts in
 +
knowledge of this Agency that, on December 1, 2020, Total Gaz
 +
Electricité Holdings France (“Total Group”) acquired 100% of the shares of EDP
 +
MARKETING COMPANY. As a consequence of the foregoing, the
 +
migration of the website www.edpenergia.es to a new transitory domain
 +
(www.edp-residencialbytotal.es) and the email accounts have been modified
 +
that were previously under the domain @ edpenergia.es.
 +
FIRST.- ALLEGED BREACH OF ARTICLE 25 OF THE RGPD:
 +
(i)
 +
The contracting process through a representative is in accordance with the
 +
normative:
 +
The arguments presented in the allegations to the proposal of
 +
resolution, relating to the freedom of form of the mandate contract in accordance with
 +
provided for in the civil code, in particular it insists that “In this case, it does not seem
 +
that such a wide freedom of form is compatible with obtaining evidence of
 +
the existence of the representation or mandate, beyond the manifestations of the
 +
agent, protected by good contractual faith. Likewise, there is little
 +
understandable that a separate consent is required for the treatment of
 +
your data or a confirmation of the order by the principal, since this
 +
would imply denaturing the representation, inasmuch as it would be absurd that who is
 +
designated for the conclusion of a contract in favor of a third party cannot facilitate
 +
the data of the person on whose behalf it acts, or that confirmation is necessary
 +
separated from it to authorize said communication, since the need to
 +
Addressing the represented person directly would make the representative's intervention useless,
 +
since it would be meaningless. (the underline is from the entity that formulates
 +
the allegations)
 +
Likewise, and in relation to the possibility that the represented party may provide
 +
additional consents to the hiring itself, it should be noted that this
 +
possibility may well have been authorized by the represented in a way
 +
specific, but as the same freedom of form governs for the granting of this
 +
power (which the norm does not oblige in any case to provide in writing), nor is it
 +
its reliable accreditation is required at the time of hiring ”.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 69
 +
69/141
 +
Certainly, article 1725 of the Civil Code provides that the third party may request the
 +
agent that gives him knowledge of his powers to determine if the contracting
 +
is within their perimeter or if you are assuming the risk that the
 +
The principal does not subsequently ratify the actions of the agent. But this regulation is
 +
translates into a burden for the agent, not for the third party, since the interests
 +
that is to be safeguarded are those of the latter, and not those of the president nor
 +
of the principal. Therefore, for the third party it is optional to ask the agent to
 +
give knowledge of the powers with which it claims to act.
 +
In the vision that the AEPD manages in the Resolution Proposal, this obligation
 +
would be aimed, however, not to protect the interest of the third party in terms of
 +
object of the contract made by the agent, but to preserve the interest of the
 +
principal regarding the legitimacy of the agent to express the will of the
 +
principal regarding the processing of their personal data by the third party.
 +
However, this consequence cannot be extracted from the regulation of the Civil Code.
 +
in terms of the mandate contract, in which - as we have just seen - the interest to
 +
protect with the exhibition of powers of the agent is strictly that of the third party, and
 +
not that of the principal, which, in the Civil Code scheme, is safeguarded at
 +
through the power of ratification, the granting of which or not always remains in the hands
 +
of the principal.
 +
Thus, the risks referred to in the Proposal for Resolution (“can be
 +
generate various risks, being able to be mentioned, as an example, the one consisting of
 +
a processing of data of the represented without legitimation, the risk of impersonation of
 +
identity or economic or other damages that may be caused to the
 +
interested party ”) are not such: in the event that the agent has exceeded the
 +
exercise of the mandate, the principal will not be bound by that action, except
 +
his subsequent ratification, from which no harm may actually be suffered unless
 +
that accepts - expressly or tacitly - what has been done by the agent a posteriori
 +
From here on, and as optional power of the third party that contracts with the
 +
agent, if and how the third party exercises that power depends on his will and the
 +
circumstances of the hiring. In this sense, the fact that in hiring in
 +
the channel of own commercial offices EDP COMERCIALIZADORA requires the
 +
representative an accreditation of their status as such, does not prove absolutely nothing,
 +
Unlike what the Motion for Resolution says. Since EDP
 +
COMMERCIALIZADORA, as a third party that contracts with the authorized, enjoys the
 +
the power to carry out this verification or not, whoever does it on some occasions and not
 +
in others, or the fact that it does not perform the same in all contracting channels, is not a source
 +
of any obligation - which is not imposed by law or by contract - but simple
 +
manifestation of the exercise of a permit.
 +
At the doctrinal and jurisprudential level, the exercise of rights of the
 +
personality through voluntary representation, particularly when it comes to
 +
articulate ad hoc authorization for specific acts of intrusion1. That possibility
 +
It should be understood as reinforced when the mandate to exercise a right of the
 +
personality is linked to the empowerment to enter into a contract, of which said
 +
Exercise is a conditioning or complementary element. Thus, the agent o
 +
representative of an artist mandated to celebrate on behalf of his client
 +
a lease for services to perform in a concert hall or
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 70
 +
70/141
 +
record a disc, it is commonly mandated to authorize the organizer of the
 +
show or record company for the use of the artist's voice and image.
 +
Similarly, those authorized to contract with EDP COMERCIALIZADORA in
 +
name of another person, appear first as mandated subjects for the
 +
conclusion of the supply contract, and concomitantly, because it is about
 +
a factor inherent to the hiring itself, they are also to authorize employment
 +
and treatment of the personal data of its clients. In this sense, it turns out
 +
It should be noted that there is no doubt that the processing of data from the
 +
represented that is necessary for the execution of the contract of which the represented
 +
becomes a party, it should be considered a fully lawful treatment in light of the
 +
Article 6.1.b) of the RGPD.
 +
But in addition, as long as it is possible to establish that the president has standing to
 +
take all relevant decisions within the framework of the recruitment process for the
 +
that has been empowered, the consent that said agent provides on the
 +
data processing of the represented party and that EDP COMERCIALIZADORA collects for
 +
one or more specific purposes within the framework of the contracting process, allows
 +
consider equally lawful the treatment of the data thus obtained ex article 6.1.a)
 +
of the RGPD or any other basis of legitimacy. And it is that, who hires on behalf
 +
of another - once it is assumed that he acts in such a condition - he must be able to lend the
 +
same consents regarding personal data as the interested party if
 +
it was this who concluded the contract, and this whether the contract is concluded in situ
 +
in a business office as if it is held over the phone.
 +
It must be concluded, contrary to what the AEPD indicates in the Proposal for Resolution,
 +
what:
 +
(i)
 +
EDP ​​COMERCIALIZADORA is not obliged to carry out with third parties
 +
authorized who contract through the telephone channel or sales forces
 +
external no verification of the existence and scope of its
 +
mandate, nor a fortiori does this verification have to be analogous to the one
 +
eventually carry out with those who contract through offices
 +
own commercials;
 +
(ii)
 +
(ii) in the power to contract the service through an authorized third party
 +
resides the power to give the consents inherent to the process of
 +
contracting, including those related to the processing of personal data;
 +
(iii)
 +
and (iii) the legality of the treatment by EDP cannot be questioned
 +
MARKETER of the personal data of those who contract with
 +
it through an authorized third party, either through commercial offices
 +
own or through the telephone channel or through sales forces
 +
external, for the simple fact of having contracted through a third party
 +
authorized, insofar as the legal basis for data processing
 +
personal information of a person acting through representation should
 +
be the same as when acting on your own behalf.
 +
(ii) EDP COMERCIALIZADORA has correctly assessed the real risks and
 +
implemented the appropriate mitigating measures.
 +
It reiterates that the risk assessments provided in this procedure are
 +
in accordance with the data protection regulations and the AEPD guides, in force in the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 71
 +
71/141
 +
timing of the analysis, and identify the actual risks applicable to the
 +
different hiring processes.
 +
The AEPD, in its Resolution Proposal, refers to hypothetical or theoretical risks
 +
that he cites, in addition, merely as an example and of those that does not offer greater detail or
 +
Explanation.
 +
As explained in the previous point and in the Allegations to the Initiation Agreement,
 +
These risks are non-existent or lack a sufficient entity for their
 +
consideration. Thus, it can be affirmed against the list contained in the Proposal for
 +
Resolution - not exhaustive since the list of the AEPD is a mere title
 +
example -, among others: (i) that there is no risk of identity theft in
 +
so much so that there is representation and mandate, (ii) that there is no economic damage to
 +
those interested in so far as the cost is assumed by EDP COMERCIALIZADORA in all
 +
case; or (iii) that there is no risk of lack of legitimation basis as EDP
 +
COMERCIALIZADORA may assume, in accordance with the aforementioned civil legislation
 +
and in accordance with the legal framework applicable to these contracts, the existence of
 +
authorization to the agent for data processing and (iv) that, in the event of
 +
excess, the principal's interests are safeguarded by his right to
 +
ratify or not the actions of the president outside the limits of the mandate.
 +
For this reason, EDP COMERCIALIZADORA has correctly assessed the risks
 +
real rates of the different contracting channels according to an analysis
 +
solid legal - and doctrinally and jurisprudentially supported - of the figure of the mandate
 +
in the Spanish legal system and has implemented mitigating measures
 +
appropriate in relation to such risks. The risk analysis carried out is, therefore,
 +
coherent and was carried out in accordance with the legal institute of the civil mandate and its
 +
jurisprudence.
 +
To the extent that the consistency of the analysis carried out has been established, the
 +
AEPD must assess the analysis in accordance with these consolidated civil criteria or, if
 +
on the contrary, the AEPD considers that a different legal criterion should be adopted and
 +
contrary to that of civil regulations and its established jurisprudence, it must substantiate
 +
its legal basis in any way in order to allow EDP COMERCIALIZADORA its
 +
understanding and defense. In any case, EDP's interpretation of the mandate
 +
MARKETING COMPANY in accordance with the regulations, jurisprudence and civil doctrine
 +
-including that relating to personality rights- should be interpreted in a good way.
 +
faith and exclude any guilt on your part.
 +
(iii) Hiring through a representative constitutes a very high proportion
 +
minority of the total contracts made by EDP COMERCIALIZADORA.
 +
It is essential to point out that contracting through a representative constitutes
 +
a minority part of the total contracts carried out by EDP
 +
MARKETING COMPANY. Specifically, of the total number of contracts that EDP
 +
COMMERCIALIZADORA carried out in 2019, less than 13% corresponds to hiring
 +
through representatives of which in less than 1.8% the representative and the
 +
represented would not have a family relationship.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 72
 +
72/141
 +
Therefore, when the AEPD states that EDP's contracting procedure
 +
COMERCIALIZADORA violates the principle of data protection from the design, the
 +
erroneously does, in strict defense terms, as if the
 +
contracting procedure in its entirety violates said principle. Furthermore, at the
 +
When quantifying the sanction, the AEPD refers to the global billing volume of
 +
EDP ​​COMERCIALIZADORA to quantify it, when it should take into account
 +
exclusively, and where appropriate, the billing data (volume) generated by the
 +
eventual alleged breach -related exclusively to the hiring by
 +
representation-.
 +
It should also be taken into account that, in any case, the AEPD could have invoked the
 +
article 83.2.k) of the RGPD and article 76.2. (c) of the LOPDGDD (“the benefits
 +
obtained as a consequence of the commission of the offense ”) to graduate the sanction
 +
proposal. Therefore, in the hypothetical and eventual case that it is considered infringed
 +
Article 25 of the RGPD, the maximum volume of business obtained by EDP
 +
MARKETING COMPANY to take into account should be 2,550,000 euros
 +
approximately, which is the amount obtained “as a consequence of the [eventual]
 +
infringement ”, that is, in contracting by representation, and not in the global
 +
hiring. In this sense, the annual turnover of contracting through
 +
representative would represent 0.26% (approximately) of the business volume
 +
Annual total of the entire client portfolio of EDP COMERCIALIZADORA. Also, the
 +
sanction that this Agency proposes to impose on EDP COMERCIALIZADORA for this
 +
infringement presupposes 20% of the turnover of the contracting through
 +
representative. Since the profit is much lower than the turnover, the penalty
 +
proposal would be disproportionate to the same
 +
In an administrative procedure of a sanctioning nature, counting how it did
 +
the AEPD with objective and sufficient quantifying criteria in relation to the volume
 +
(marginal) that the representation supposes, it is especially relevant the fulfillment
 +
of the principles of proportionality of the sanction and legality and should, therefore,
 +
have taken into account: (i) That the part that corresponds to the procedures of
 +
representation hiring is a small and very limited part of the
 +
EDP ​​COMERCIALIZADORA's global contracting procedure, and, therefore, must
 +
take into account the low magnitude of the contracting that has the use of this type
 +
contracting at EDP COMERCIALIZADORA, being a type of contracting
 +
minority. In addition, as stated in the information provided in this
 +
procedure, there is a single claim before the Agency during the years 2018-
 +
2019 (with respect to a total of 33,848 hires made through
 +
representative), which reflects the low relevance and materialization of the risks
 +
attributed by the AEPD to the contracting process implemented by EDP
 +
MARKETING COMPANY.
 +
That the AEPD's proposed sanction of five hundred thousand (500,000) euros has been
 +
made in the Proposal for Resolution erroneously by attending to a factor not
 +
provided for in the regulations (the volume of business and the status of large company) and by
 +
take into account the volume of recruitment and the global profits of EDP
 +
MARKETING COMPANY -which include both direct contracting (majority) and
 +
hiring by representation (minority) -, which has nothing to do with “the benefits
 +
obtained as a consequence of the commission of the offense ”to which it refers
 +
expressly article 83.2.k) of the RGPD and article 76.2. (c) of the LOPDGDD -the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 73
 +
73/141
 +
Which would represent 0.26% of the business volume-. Therefore, in a way
 +
subsidiary and in the hypothetical case that the AEPD questions the validity of the mandate
 +
civil law for the contracting procedures and declare the offense committed, the
 +
quantification of the eventual sanction should be significantly corrected to have
 +
take into account the real volume of business generated by contracting by representation
 +
exclusively.
 +
All of the foregoing makes clear the disproportionality of the sanction proposed in the
 +
Resolution motion
 +
Lastly and without prejudice to the foregoing, despite the fact that EDP COMERCIALIZADORA
 +
does not consider that its action deserves any legal reproach, in view of the
 +
suggestions made by the AEPD, EDP COMERCIALIZADORA informs the
 +
AEPD that it has proceeded to reinforce the contracting process by means of
 +
representative in line with the protocol that was already provided to the AEPD on
 +
July 2020. This protocol, which was submitted to the AEPD on a voluntary basis and before
 +
of the beginning of the present sanctioning procedure, it was aimed precisely at
 +
collaborate with this Agency to reach an agreed procedure regarding
 +
representation and to satisfy the proposals that the AEPD may have.
 +
In the Allegations to the Initiation Agreement, EDP COMERCIALIZADORA responded
 +
in addition to the doubts raised by the AEPD regarding its content and
 +
implementation and confirmed that it is a procedure with double verification by
 +
SMS and in compliance with the best market standards. For these purposes, the
 +
AEPD must take into account: (i) that EDP COMERCIALIZADORA contacted
 +
proactively in July 2020, without success, with the AEPD to present a new
 +
protocol that proposed changes in the contracting procedure by
 +
representation. Far from being considered, as the Proposal for Resolution does,
 +
negatively and against EDP COMERCIALIZADORA, that proactivity as
 +
sign of acknowledgment of guilt -the arguments of legality have already been made
 +
previously-, the cooperation proposal with the AEPD should be valued as a
 +
a sign of good faith and of EDP COMERCIALIZADORA's firm commitment to the
 +
compliance with data protection regulations and the improvement of its processes as well
 +
as a mitigating circumstance in the graduation of the sanction (article 83.2.f) of the
 +
GDPR);
 +
(ii) that despite not obtaining a response other than the opening of this
 +
procedure, EDP COMERCIALIZADORA in light of the AEPD's comments in
 +
the Initiation Agreement and the Proposal for Resolution, has eliminated from its procedure
 +
contracting by representation the possibility of requesting consents for
 +
marketing and commercial purposes referred to by the AEPD on the pages
 +
112, 113 and 114 of the Proposal. Attached as Documents No. 1 and No. 2 example of
 +
contract and voice-over script for the telephone channel that evidence this elimination.
 +
To the extent that EDP COMERCIALIZADORA has adopted measures to adjust its
 +
procedure to the proposals of the AEPD, this circumstance, in accordance with article
 +
83.2.c) of the GDPR should also be considered as an extenuating circumstance
 +
for the graduation of an eventual sanction, and
 +
(iii) that EDP COMERCIALIZADORA confirms to the AEPD that the new protocol -with
 +
the content communicated in July 2020- is already implemented for all channels
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 74
 +
74/141
 +
hiring, since last January . Attached again to this writing
 +
as Document No. 3, the contract protocol for the aforementioned representative.
 +
In document number 1 under the title durable support, a company acting as
 +
Trusted third party certifies that the data included in the document are those that
 +
They are recorded in your electronic communications and processes record. Such data is the
 +
sending an e-mail with an associated URL, in relation to a contract,
 +
informing the recipient that a person has made the contracting on their behalf
 +
related to your energy supply / services. It is provided as a document
 +
I enclose the contract, in which there are no references to consents for the
 +
sending commercial communications or for the realization of profiling, and the
 +
general contracting conditions.
 +
Document 2 has the following content:
 +
Registration (representative) ML - Spanish
 +
"[XXX] we will record your agreement. It is [hh: mm] on [dd] of [mm] of [20XX].
 +
[name and surname] with DNI [DNI number], as [husband / wife / child / attorney / representative] and in
 +
representation of the holder [name and surname / company name] with DNI / CIF [DNI / CIF number] telephone
 +
[phone] and email [email] accepts EDP Residencial's offer for the address
 +
[supply address] consisting of [plan conditions -dto. in light-] for [CUPS
 +
LIGHT: ES…] on the current EDP Residential price of electricity [price of power (€ / kW
 +
month) and energy term price (€ / kWh)] and / or [plan conditions -dto. in gas] for [CUPS
 +
GAS: ES…] and current EDP Residential gas price [price term availability (€ / month) and
 +
term energy price (€ / kWh)]; and / or It works [annual price of the service, plan conditions
 +
promotion works].
 +
[If the collection date is not chosen] The payment method chosen is [direct debit at your
 +
current account / in the account ...] and will be charged on the date indicated on the invoice.
 +
[If the collection date is chosen] The payment method chosen is [direct debit at your
 +
current account / in the account ...] and will be charged on a specific date, the days [DD] of
 +
month. In that case, the payment period may be less than or greater than the 20 days established in
 +
the normative".
 +
On behalf of your client and after passing an analysis of the risk of the operation, we will
 +
the necessary steps to activate the access contracts, at which point the user will enter
 +
the new contract is in force.
 +
The contract (s) is / are not permanent and will have a duration of one year, extendable for
 +
The same period except for a 15-day advance complaint. Are you satisfied with the above
 +
information and conditions of the contract / s? [Yes / Ok]. Thank you.
 +
In a few days, your client will receive the contract (including withdrawal document) for
 +
duplicate, of which you only have to return one of the copies signed in the envelope
 +
self-postage, you do not need a stamp, which we will attach.
 +
Your client has 14 calendar days to exercise their right of withdrawal. Not
 +
However, if you request it, we can start the procedures now. In that case, yes
 +
subsequently withdraw from the contract, you must pay the amount corresponding to the period of
 +
supply borrowed. Do you want your hiring to be processed immediately? [OTHERWISE]
 +
With the entry into force of the contract, your client will receive the invoice from EDP Residencial
 +
with all our advantages.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 75
 +
75/141
 +
Your personal data and that of your client may be processed by EDP Residencial to
 +
the management of your contracts, fraud prevention, profiling based on
 +
customer information and EDP Residencial, sending personalized communications about
 +
related products or services, as well as participating in sweepstakes, promotions and surveys
 +
of quality, being able to oppose at any time.
 +
[Read only legal persons calling on behalf of a business] Also, so that
 +
we can advise you with the best proposals: • Can you allow us to present your client
 +
offers related to energy after the end of the contract, or send you information on
 +
non-energy products and services, typical of Collaborating Companies? [YES / NO] • Do we
 +
allows you to complete the business profile of your client with information provided by
 +
third parties, to send you personalized proposals? [OTHERWISE]
 +
Shortly, the Distributor's technicians will contact you. [Remember that you must
 +
give them the Certificate of Individual Gas Installation, when they begin to register].
 +
[Altas Gas] For your safety, we remind you of the legal obligation to collaborate with your Company
 +
Distributor, facilitating access to its facilities. This request has been registered with the
 +
code [we indicate the code] "
 +
THIRD.- ALLEGED BREACH OF ARTICLE 13 OF THE RGPD
 +
(i)
 +
Regarding the information provided in the CAC Inbound Channel.
 +
It indicates that it provides the information regarding the processing of personal data to
 +
through a multi-layered system. Thus he reiterates that in all calls
 +
incoming messages, a voiceover is automatically reproduced that informs of the following
 +
“This call can be recorded. The data you provide us will be processed by
 +
EDP ​​Energía, SAU and / or EDP Comercializadora, SAU to manage your request
 +
or query. You can exercise the rights of access, rectification, deletion, opposition,
 +
limitation and portability at any time. See the Privacy Policy at
 +
our website edpenergia.es or press 0 "
 +
It indicates that the address provided to users has been updated in the locution,
 +
currently indicating edp-residencialbytotal.es/privacidad, so that, if the user
 +
type that address in the browser, access -directly and easily- to the
 +
information related to data protection.
 +
The interested party can consult the second layer through the privacy policy of
 +
the web page or by pressing 0. In this case, a voiceover is reproduced whose content is
 +
the next:
 +
"The use of this TELEPHONE CHANNEL does not oblige the user to provide any information
 +
about himself. However, to use certain services or access certain
 +
content, users must previously provide some personal data.
 +
In the event that the user provides personal information, we inform you that the
 +
data will be PS / 00037/2020 Brief of allegations to Resolution Proposal 15/37
 +
treated by EDP Energía, SAU and EDP Comercializadora, SAU, with registered office at
 +
Oviedo, Plaza del Fresno 2, 33007 and NIF A33543547 and A95000295 respectively, in
 +
hereinafter "EDP", as data controllers, as established by the Regulation
 +
General Data Protection ((EU) 2016/679), hereinafter "RGPD", and its regulations on
 +
growth.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 76
 +
76/141
 +
Specifically, your data may be processed, when the user so requests, to manage the
 +
attention and follow-up of requests and inquiries directed through the website, as well as
 +
for conducting surveys and participating in raffles, games and promotions.
 +
The data requested will be mandatory and limited to those necessary to proceed with
 +
the provision and / or management of the requested service, which will be conveniently informed in
 +
the time of collection of your personal data. In case of not providing them or not
 +
provide them correctly, the service will not be provided.
 +
In these cases, the user guarantees that the personal data provided is true and is
 +
is responsible for communicating any changes to them.
 +
In the case of the procedures processed through the TELEPHONE CHANNEL and the registration in the
 +
itself, the data processing carried out is based on the legal relationship derived from
 +
your request.
 +
The processing of data for conducting surveys is based on the legitimate interest of EDP
 +
in order to improve the quality of the services provided to customers and / or users, being able to
 +
oppose said treatments at any time, without affecting the legality of the
 +
treatments carried out previously.
 +
In no case may they be included in the forms contained in the TELEPHONE CHANNEL
 +
personal data corresponding to third parties, unless the applicant
 +
had previously obtained your consent in the terms required by article
 +
7 of the RGPD, responding exclusively to the breach of this obligation and
 +
any other regarding personal data.
 +
The personal data of the users registered on the website may be transferred to the
 +
Public Administrations that by law correspond, to other companies of the business group
 +
for internal administrative purposes, and to the providers of the data controller
 +
necessary for the proper fulfillment of contractual obligations.
 +
Personal data will be kept for the duration of your supply contract with
 +
EDP, in all other cases, during the time necessary to answer your requests or to
 +
analyze the content of your responses to surveys. Once the relationship is over
 +
contractual, answered their requests or analyzed their responses, as appropriate in
 +
each case, your personal data will be erased, keeping the rest of the information
 +
anonymized for statistical purposes only. Notwithstanding the foregoing, the data may
 +
be kept for the period established to comply with the legal obligations of
 +
maintenance of the information and, at most, during the prescription period of the
 +
corresponding legal actions, and the data must be kept blocked during the
 +
mentioned limitation period. After this period, the data will be deleted.
 +
In application of the provisions of article 32 of the RGPD, EDP undertakes to comply with the
 +
security obligations of those data provided by users, trying to establish
 +
all technical means at your disposal to avoid loss, misuse, alteration, access not
 +
authorized and theft of the data that the user provides through it, taking into account the
 +
state of technology, the nature of the data provided and the risks to which they may
 +
be exposed. Notwithstanding the foregoing, the user must be aware that the measures
 +
security in the TELEPHONE CHANNEL are not impregnable.
 +
EDP ​​will treat the user's data confidentially, at all times, keeping the
 +
mandatory duty of secrecy regarding them, in accordance with the provisions of the regulations
 +
of application.
 +
The user can exercise their rights of access, rectification, deletion, opposition,
 +
limitation and portability, as well as the revocation of the consents granted
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 77
 +
77/141
 +
previously, in the terms established by law, communicating it in writing to EDP, at the
 +
following address: LOPD Communication Channel, Plaza del Fresno, nº2, 33007 Oviedo.
 +
Likewise, you can exercise these rights by sending an email with your data
 +
personal to cclopd@edpenergia.es. In both cases, a photocopy of the
 +
ID of the holder or document that proves their identity.
 +
Likewise, you may contact the EDP Data Protection Officer, at the
 +
following postal address: Plaza del Fresno, 2 33007 Oviedo or by email
 +
dpd.es@edpenergia.es, in the event that you understand that any of your rights have been violated
 +
related to data protection, or where appropriate, file a claim with the
 +
Spanish Agency for Data Protection at the address Calle de Jorge Juan, 6, 28001
 +
Madrid".
 +
In the hiring process, the following is reported again: “Your data
 +
personal and those of its client will be treated by EDP Comercializadora SAU and
 +
EDP ​​Energía SAU for the management of its contracts, fraud prevention, execution
 +
of profiles based on customer and EDP information, as well as the performance of
 +
personalized communications about directly related products or services
 +
with their contracts, being able to oppose them at any time ”.
 +
Therefore, it is not possible to blame a lack of information to those interested in the
 +
incoming calls while the information referred to in the first informational layer
 +
(ie, the one provided at the beginning of each call) complies with the information
 +
necessary of article 11 of the LOPDGDD (that is, identity of the person in charge, purposes of
 +
treatment and possibility of exercising rights) and a direct means and
 +
easy to access the rest of the information (by accessing the website or
 +
pressing 0). It is important to note that the speech of the first informational layer is
 +
automatically plays at the beginning of each incoming call and, therefore,
 +
Therefore, it is mandatory to listen to all interested parties who make a call. For
 +
For this reason, all those interested before reaching the contract have already been
 +
informed about the possibility of exercising their rights and how to access the
 +
rest of information about the treatment of your data. Also, before the
 +
contracting, EDP COMERCIALIZADORA reminds interested parties - through a
 +
second locution- part of the basic information on data protection.
 +
In accordance with article 13.4 of the RGPD, the obligation to inform does not apply
 +
to the extent that the interested party already has the information; in the case that we
 +
occupies, taking into account that the initial speech is reproduced automatically
 +
In each call, it is sufficiently proven that any interested party who
 +
puts in contact with EDP COMERCIALIZADORA through the CAC Inbound Channel
 +
receives the information regarding the protection of personal data. In this sense, the
 +
Article 29 Group (now known as the European Committee for the Protection of
 +
Data) indicates in its Guidelines on Transparency under Regulation (EU)
 +
2016/67 (“Transparency Guidelines”), it should be understood that article 13.4
 +
of the RGPD is applicable in those cases in which the information had
 +
been provided, for example, in the previous six months. Regarding the
 +
Canal CAC Inbound, not only would have spent a time clearly less than 6 months
 +
rather, the time span can be measured in minutes, so it is clear that the
 +
interested party knows, knows and remembers perfectly the information on protection of
 +
data without it being necessary to reiterate this information
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 78
 +
78/141
 +
(ii)
 +
Regarding the information provided in the Telemarketing channels and
 +
Leads
 +
It points out that this Agency questions the means to access the second layer
 +
informative (ie, the General Conditions available on the website
 +
edpenergia.es) be "simple and immediate"
 +
It indicates that EDP COMERCIALIZADORA has accredited in the present
 +
the following procedure: • First, the information on the protection of
 +
data (i) is clearly identified within the general conditions of
 +
contracting of EDP COMERCIALIZADORA (in section 16 and entitled LOPD) and
 +
(ii) occupies one of the four pages of the document in length, so its
 +
location has no loss for the interested party.
 +
Please inform this Agency that you have created a separate document containing,
 +
exclusively, the data protection information of the conditions
 +
general contracting, which is easily accessible through its own
 +
website and at the following address: www.edp-residencialbytotal.es/rgpd ; So what
 +
likewise, the general contracting conditions continue to include the
 +
clause relating to the processing of personal data, so that the interested party
 +
You have various means through which you can access the information
 +
In a simple way.
 +
• Secondly, it alleges that the way in which the information on the
 +
The second layer of information can be diverse and, as such, has been recognized by the
 +
data protection authorities. As indicated in the Allegations to the
 +
Initiation Agreement, when the contracting occurs, the conditions are sent
 +
general contracting - which includes the specific clause regarding
 +
Data Protection-; therefore, making this information available to
 +
through the website should be understood as an alternative system and
 +
complementary.
 +
In this sense, the Transparency Guidelines expressly indicate that
 +
“When the first contact with an interested party is by telephone, this
 +
information [first informational layer] could be provided during the call with the
 +
interested party and he could receive the rest of the information required under the
 +
Article 13 or 14 by an additional means other than, for example, by sending you a
 +
copy of the privacy policy by email or a link to the
 +
online privacy statement / notice of the person in charge ”.
 +
In accordance with the criteria of the competent authorities, including the AEPD, EDP
 +
COMMERCIALIZADORA would not have committed an infringement of the duty of
 +
transparency, while complete information on data protection
 +
(with the content required by the regulations) is contained within the conditions
 +
general contracting that are sent to the interested party after contracting. The
 +
Transparency Guidelines also indicate that, depending on the circumstances
 +
of the collection and processing of data, a data controller could
 +
be forced to additionally use other possible means of transmitting the
 +
information to stakeholders applicable to the relevant settings provided that the
 +
information from the first informational layer is transmitted in the first mode
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 79
 +
79/141
 +
used to communicate with the interested party. For this reason, EDP
 +
COMERCIALIZADORA complies with its obligation of transparency by facilitating the
 +
information from the first informational layer by telephone and the second layer
 +
informative in writing (either physical or electronic document). That's it
 +
It is important to note that the most transparent and suitable way for the interested party
 +
receive information about the processing of your personal data is by including it
 +
together with the information on the contracting of services, as this is
 +
the circumstance with which the processing of your data is related and is, in addition,
 +
a document that the interested party will keep during their contractual relationship with
 +
EDP ​​COMMERCIALIZADORA.
 +
(iii)
 +
Regarding the content of the information provided by telephone and in the
 +
general conditions:
 +
• Specification of the data controller:
 +
The AEPD questions the clarity with which the interested party knows which entity acts
 +
as responsible for the treatment, however, as accredited in the conditions
 +
general contracting of EDP COMERCIALIZADORA (provided as evidence
 +
6) of this procedure, the client is informed about the identity of the person in charge
 +
of the treatment through the privacy policy in relation to the conditions of
 +
hiring:
 +
Privacy policy: "the data will be processed by EDP Comercializadora SAU and
 +
EDP ​​Energía SAU ”.
 +
Specific conditions of the contract:
 +
"The customer contracts, for the supply indicated, the supply of gas with EDP
 +
Comercializadora, SAU and the supply of electricity and / or services
 +
complementary with EDP ENERGIA, SAU, (hereinafter joint and / or
 +
individually, as appropriate, referred to as “EDP”) in accordance with the Conditions
 +
Specific that are collected below and the General Conditions in annex ”.
 +
As explained in the allegations to the Initiation Agreement, information is included
 +
on both entities while, depending on the service requested by the
 +
interested party (gas and / or electricity), one or another entity will be responsible for the treatment
 +
(or both if the interested party hires both services). Therefore, the
 +
interested party -which has full capacity to contract and, therefore, is
 +
assumes that you should be able to understand the terms and conditions that
 +
govern such contracting, you are aware at all times that, depending on how you contract
 +
the gas and / or electricity supply service, your data will be processed by one or
 +
both entities.
 +
• Purposes and bases of legitimation
 +
It is alleged that neither article 13 of the RGPD nor any other legal precept requires that the
 +
privacy policy list each purpose specifically indicating the basis of
 +
legitimation that results from application. Even so, when it comes to treatments
 +
subject to consent, if it is expressly indicated which they are. In any case, as
 +
was already indicated in the Allegations to the Initiation Agreement, in the case of the bases of
 +
legitimation of "contractual performance" and "legitimate interest", it is evident for
 +
anyone who hires EDP's supply services
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 80
 +
80/141
 +
MARKETING COMPANY that the treatments closely linked to the execution
 +
of the contract such as “manage, maintain, develop, complete and control the
 +
contracting supply of electricity and / or gas and / or complementary services of and / or
 +
gas and / or complementary services of revision and / or technical assistance and / or program of
 +
points, and / or improvement of the service ”find their basis of legitimacy in the execution of the
 +
contract, being the other treatments assignable to the legitimate interest (e.g. the
 +
carrying out fraud prevention actions or sending communications
 +
commercial). Legitimate interests are clearly stated and placed in
 +
relationship with the purposes pursued (that is, fraud prevention and
 +
marketing, in relation to the sending of commercial communications
 +
personalized) and since there is an identification between the reported purpose and the
 +
pursued self-interest, making a separate allusion would be redundant.
 +
• Profiling
 +
It is stated in the allegations that in the Resolution Proposal, the AEPD considers
 +
that, in relation to "profiling", it is not clear what its purpose is or
 +
the legitimate interest that supports the treatment. In this sense, the AEPD states in
 +
the Proposed Resolution as follows: “In this case, in the opinion of this
 +
Agency, the information requirements described above. EDP ​​COMMERCIALIZADORA,
 +
SAU, is limited to reporting on the "profiling", but does not offer a
 +
information on the type of profiles to be carried out, the specific uses to which
 +
these profiles or the possibility that the interested party can exercise the
 +
right of opposition in application of article 21 of the RGPD. " However, the
 +
Profiling is associated with the sending of commercial communications
 +
personalized: “will be treated (...) for the purpose of (...) profiling,
 +
personalized commercial communications based on information provided by the
 +
Client and / or derived from the provision of the service by the Marketer / s and
 +
relating to products and services related to the supply and consumption of energy,
 +
maintenance of facilities and equipment ”.
 +
While the wording could have included “for the submission of” (that is, the text
 +
out "as well as making profiles for sending commercial communications
 +
based on information provided by the Client (...) ”), this absence does not
 +
It should be understood that EDP COMERCIALIZADORA violates article 13 of the
 +
GDPR.
 +
• Exercise of rights:
 +
It is alleged that in the opinion of the AEPD, it should be expressly indicated which are the
 +
treatments to which the right of opposition applies. However, as I already know
 +
stated in the Allegations to the Initiation Agreement, the obligation to detail the
 +
specific treatments to which the interested party has the right to oppose not only is it not
 +
an obligation contained in the RGPD, the LOPDGDD or any other regulation of
 +
application, but also the AEPD in its guides and tools (among others, the Guide
 +
for the fulfillment of the duty to inform2 or the Facilita tool3) does not indicate that
 +
The informative clauses on the right to object must specify the
 +
treatments on which the right of opposition applies, not even as an example of
 +
Good practice. In any case, EDP COMERCIALIZADORA expressly indicates that
 +
the interested party may object to some voluntary treatments such as the
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 81
 +
81/141
 +
promotion, profiling, automated decision-making, and
 +
realization of commercial offers.
 +
It points out that the motion for a resolution indicated that: “It is imprecise to indicate
 +
that the interested party may oppose the automated decision-making of their
 +
personal information. These can only be carried out by the person in charge in the
 +
assumptions provided for in article 22 of the RGPD, based in the present case on the
 +
consent of the interested party, so he must be able to know that he can revoke
 +
the consent given for the adoption of such decisions in any
 +
moment, without prejudice to being informed of the rights conferred by the
 +
Article 22 to the interested parties. " It is alleged that the semantic and technical nuance associated with
 +
the terms "opposition" and "revocation" in the context of the exercise of rights do not
 +
can have an impact on the interested party, since with both terms the user achieves a
 +
same objective, which is that a treatment specifically identified in the policy
 +
stop occurring.
 +
Furthermore, the term used by EDP COMERCIALIZADORA (opposition) in the
 +
The context of this type of treatment is understood in the regulations and by the
 +
market in a broader way - and therefore more guarantee - since it allows the
 +
user delete a treatment is based on consent, is based on interest
 +
legitimate.
 +
• Treatments based on consent:
 +
The AEPD considers that the information on the treatments subject to consent
 +
it is not completely clear. However, this part cannot agree with
 +
this interpretation for the following reasons:
 +
In the first place, the AEPD questions that in point (IV) it is not clear as to what
 +
data refers to the phrase "the results obtained from the aggregation of the data
 +
indicated ”and argues the existence of confusion as to whether the aggregated data
 +
are those referred to in point (II) and / or in point (III). However, as manifested
 +
in the Allegations to the Initiation Agreement, from reading it is clear that "the results
 +
obtained from the aggregation of the indicated data ”refers to the indicated data
 +
above, that is, the data referred to in point (II) and (III), since it is evident that
 +
the use of the anaphoric term "indicated" refers to the data referred to in the points
 +
previous.
 +
Second, the AEPD states that the difference in data processing
 +
advertising this point with the previous points is not obvious. However, the
 +
difference is clear:
 +
the advertising treatment derived from point (I) refers to offers of "services
 +
financial, payment protection services, automotive or related and electronics,
 +
own or third parties, offered by EDP and / or participation in contests
 +
promotional, as well as for the presentation of related commercial proposals
 +
to the energy sector after the end of the contract ”, that is, services offered by
 +
EDP ​​COMERCIALIZADORA not related to the contracted services but to the
 +
energy sector or other sectors such as financial or automotive and in addition to
 +
generic type - not custom;
 +
▪ point (II) refers to “personalized products and services”, that is, offers
 +
tailored to the customer's business profile; Y
 +
▪ point (IV) refers to “making personalized offers, specifically aimed at
 +
to achieve the contracting of certain products and / or services from EDP or third parties
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 82
 +
82/141
 +
entities ”, that is, to the realization of personalized offers with an objective
 +
specifically to achieve the sale of certain products or services, being the
 +
personalization not only with respect to the client but also with respect to the concrete
 +
service or product offered.
 +
The AEPD's criticism of the granularity offered by EDP COMERCIALIZADORA does not
 +
can be understood in the light of its own recommendations and those of the European Committee
 +
of Data Protection, which ask for precisely such detail and granularity.
 +
FOUR.- COOPERATION AND PROACTIVE ATTITUDE OF EDP
 +
MARKETING COMPANY.
 +
EDP ​​COMERCIALIZADORA is studying and analyzing the implementation of the
 +
timely measures with a view to the adoption and adaptation to the recommendations,
 +
best practices and the criteria established by the AEPD both in the present
 +
procedure as in their guides and publications (in addition to the improvements already
 +
implanted referred to above), in order to improve all its
 +
data protection policies, clauses and general conditions through the
 +
which is informed about the treatment of the personal data of its clients and
 +
Potential customers
 +
FIFTH.- BREACH OF THE PRINCIPLE OF INTERDICTION OF THE
 +
ARBITRARINESS.
 +
It is noted that certain recommended practices (and even applied by the AEPD in
 +
their own privacy policies) have served in this case to argue and
 +
motivate the alleged infringements committed by EDP COMERCIALIZADORA (for
 +
For example, the presentation of information related to the exercise of rights of the
 +
interested parties included in the Second Allegation). These aspects that, a priori, the AEPD
 +
recommends and puts into practice, considering them examples that fit the
 +
applicable regulations, are used as infringing elements to justify the
 +
alleged breach of different legal precepts by EDP
 +
MARKETING COMPANY.
 +
SIX.- LACK OF GUILT IN EDP'S ACTION
 +
MARKETER-
 +
By virtue of all the above, the actions of EDP
 +
COMMERCIALIZADORA cannot be considered guilty in the eventual commission of
 +
the administrative illicit in the matter of data protection that are imputed to him. In the
 +
administrative sanctioning environment it is not enough that the conduct is typical and
 +
unlawful (which in this case, it is not either), but is also a requirement
 +
it is inescapable that he is guilty, that is, a consequence of an imputable act or omission
 +
to the person responsible for fraud or inexcusable fault, without any fate being admissible
 +
of strict liability that exempts the Administration from accrediting
 +
the requirement of guilt or intentionality in the commission of the
 +
infringement. (Judgments of the Supreme Court of July 9, 1994, May 16,
 +
1995, December 12, 1995, January 12 and 19, 1996, April 15, 1996, between
 +
many others.)
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 83
 +
83/141
 +
It is also worth mentioning that the appreciation of the subjective element of the
 +
offense is determined by the degree of predictability it had for the subject
 +
affected that their conduct could be considered typical and unlawful and, therefore,
 +
liable to be sanctioned. The subjective element of guilt can only
 +
concur when, in view of the existing situation at the time of the
 +
conduct, the subject could reasonably anticipate that he was committing a
 +
infringement Sentences of the Hon. Third Chamber of the Supreme Court of May 8
 +
from 2003 - ref. Aranzadi RJ 4209—, of July 7, 2003 - ref. Aranzadi RJ 5832—,
 +
and of January 28 and 27, 2010 - ref. Aranzadi RJ 1362 and 1357.
 +
Likewise, the doctrine of contentious-administrative courts has excluded the
 +
concurrence of the essential guilty element when the subject who has
 +
objectively committed the offense has acted based on a reasonable
 +
interpretation of the legal system.
 +
A reasonable interpretation of the applicable regulations, even if it is not ultimately
 +
considered correct by the courts, excludes guilt, especially in
 +
those cases in which the applicable legal norms are not clear or univocal.
 +
SEVENTH.- SUBSIDIARILY, THE PROPOSED SANCTIONS ARE
 +
MANIFESTLY DISPROPORTIONATE AND SHOULD BE APPLIED
 +
ATTENUATING CIRCUMSTANCES.
 +
In short, analyzing each of the alleged infractions that are attributed to
 +
EDP ​​COMERCIALIZADORA, it can only be interpreted that there is an absolute
 +
disproportionality in the interpretation made by the AEPD in the Proposal for
 +
Resolution, not only because it lacks motivation when it comes to considering the
 +
alleged infringement, but because of the fact that the proposed sanctions are beyond
 +
any criteria previously assessed by the AEPD itself. In this sense,
 +
It should be added that the amounts of previous sanctions imposed in cases of
 +
Similar facts are not comparable to the proposals in this case.
 +
Extenuating circumstances must be applied: Indeed, any sanction that is
 +
imposed on EDP COMERCIALIZADORA, it would have to be set in accordance with the
 +
Articles 83.2 of the RGPD and 76.2 of the LOPDGDD, which contemplate instruments
 +
relevant for the Administration to adjust the proportionality of the sanctions. On
 +
the present case, as stated in the Allegations to the Initiation Agreement,
 +
the following extenuating circumstances concur that here are
 +
resume:
 +
• The nature, seriousness and duration of the offense: according to article 83.2.a) of the
 +
RGPD, the assessment of this circumstance must take into account “the nature,
 +
scope or purpose of treatment ”(...) and“ the level of damages that may have
 +
suffered ”. In this sense, what is attributed to EDP COMERCIALIZADORA is the
 +
need to improve some aspects of their data protection policies, without
 +
that in no case the texts used so far can be understood as
 +
have generated a high level of damages. Also, the treatments
 +
provided for in these policies - which are known to the interested parties - are not
 +
particularly sensitive, neither because of the type of data processed nor because of the characteristics
 +
treatment activities. Therefore, it is not only not appropriate to consider as
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 84
 +
84/141
 +
circumstance aggravating the nature of this offense but, the foregoing must
 +
considered as a mitigating circumstance applicable to the present procedure.
 +
• The intentionality or negligence in the infringement: EDP COMERCIALIZADORA has not
 +
shown any intent or negligence. The AEPD, in its Proposal for
 +
Resolution, indicates that “the defects indicated in the information provided show the
 +
EDP ​​COMERCIALIZADORA's lack of diligence in complying with the
 +
transparency obligations ”. Therefore, what this Agency seems to refer to is
 +
the absence of all the diligence that, according to said Authority, would be expected of EDP
 +
MARKETING COMPANY. However, it does not seem that this statement can
 +
be understood as "intentionality or negligence" in their actions insofar as, as
 +
has been stated in the Allegations to the Initiation Agreement and in these
 +
allegations, EDP COMERCIALIZADORA has carefully observed the guidelines,
 +
guidelines and tools made available by the AEPD itself and the Committee
 +
European Data Protection for the fulfillment of its obligations of
 +
Data Protection. For this reason, the diligence of EDP COMERCIALIZADORA
 +
it should be taken into account as a mitigating circumstance.
 +
• The high link between the activity of the offender and the performance of treatment of
 +
personal data: EDP COMERCIALIZADORA is dedicated, as stated by the AEPD in the
 +
Motion for a Resolution, to the supply of gas, an activity that is not intensive in the
 +
processing of personal data and that although it is true that the development of the
 +
EDP ​​COMERCIALIZADORA's activity involves the processing of personal data,
 +
This is instrumental without its activity being based on the exploitation of data
 +
personal. In this sense, the low link between EDP's activity
 +
COMERCIALIZADORA in the processing of personal data should be considered a
 +
extenuating circumstance.
 +
• Any measure taken to alleviate damages: as stated
 +
In the knowledge of the AEPD, EDP COMERCIALIZADORA is immersed in the
 +
review and improvement of its procedures and clauses in order to adapt and
 +
implement the recommendations made by this Agency, preventing it from
 +
occur any type of damage or harm to the interested parties. Proof of this is that
 +
some of the recommendations of this Agency are already implemented,
 +
such as improving access to information on data protection, which is already
 +
available at the address edp-residencialbytotal.es/rgpd as well as the new protocol
 +
of contracting through a representative, which was already contributed to the procedure
 +
last July 16, 2020 and it has already been implemented last January.
 +
• Degree of cooperation with the authority: EDP COMERCIALIZADORA has shown
 +
From the beginning of this procedure, a completely collaborative attitude with the
 +
AEPD, as has been accredited in this writing. In the Allegations to
 +
Initiation Agreement provides more complete information regarding the
 +
cooperation shown by EDP COMERCIALIZADORA.
 +
• Categories of data and affectation of the rights of minors: the data subject
 +
treatment are not special categories of data and the data have not been affected.
 +
rights of minors (EDP COMERCIALIZADORA clients are always
 +
of legal age with the capacity to contract).
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 85
 +
85/141
 +
• Continued nature of the infringement: as has been proven, EDP
 +
MARKETING COMPANY, from the moment it has had knowledge of the
 +
improvements that, in the opinion of the AEPD, could be adopted in its policies, has proceeded to
 +
analyze their texts and procedures. Therefore, it cannot be understood that it is
 +
an infringement of a continuing nature, although this Agency must understand that in
 +
complex corporate groups the processes of change and adaptation of
 +
procedures cannot be done immediately. However, this does not mean that
 +
The alleged infringement that is imputed should be understood as "continuing".
 +
• Status of a large company and its turnover: the fact that EDP
 +
MARKETING COMPANY is considered a large company cannot be used
 +
as an aggravating circumstance as it is not a circumstance foreseen or in the RGPD
 +
nor in the LOPDGDD. In addition, in this sense, the Supreme Court (judgment of April 4,
 +
November 2015, appeal 100/2014) has stated in recent jurisprudence but
 +
consolidated statement that "it is not feasible, in any case, to presume malicious conduct by the
 +
mere fact of the special circumstances surrounding the taxpayer of the
 +
taxation (economic importance, type of advice received, etc.) (...). [It
 +
that the public power cannot do, without violating the principle of guilt that
 +
derives from art. 25 CE [see, for all, the Judgment of this Section of June 6,
 +
2008 (rec. Cas. For the unification of doctrine no. 146/2004), FD 4], is to impose a
 +
sanction to a taxpayer (or confirm it in the administrative or judicial phase of
 +
recourse) due to its subjective circumstances -even if it is a legal person,
 +
has great financial means, receives or can receive the most competent of the
 +
advice and is habitually or exclusively dedicated to the activity taxed by the
 +
unfulfilled norm ”. For this reason, it is neither legal nor constitutional to assess the
 +
large company status as an aggravating circumstance. Likewise, the AEPD also
 +
refers to “its business volume” (a fact that is not considered as
 +
aggravating circumstance neither in the RGPD nor in the LOPDGDD). When it comes to quantifying the
 +
sanction, the AEPD refers to EDP's global billing volume
 +
MARKETER to quantify it, when it should take into account
 +
exclusively, and where appropriate, the billing data generated by the eventual
 +
alleged non-compliance - in the case of article 25 of the RGPD, relating exclusively
 +
to hiring by representation-. In this sense, the AEPD, in its research in
 +
within the framework of the procedure, requested and obtained specific data on the volume of
 +
contracting by representation and the very small part that corresponds in the global
 +
activity of EDP COMERCIALIZADORA, and should in any case have had it in
 +
account in the Motion for Resolution, which has not happened. Also, as it has
 +
indicated in the First Allegation, the volume of business derived from the
 +
contracting with a representative represents approximately 0.26% of the volume of
 +
global business. For its part, as regards the sanction associated with the alleged
 +
infringement of article 13 of the RGPD, the AEPD should not have taken into consideration the
 +
global billing of your activity
 +
Benefits obtained as a consequence of the infringement: the alleged commission of the
 +
The alleged infringement has not generated any type of economic benefit, direct or
 +
indirectly, to EDP COMERCIALIZADORA. In any case, if this Agency considers the
 +
Otherwise, the benefit should be calculated according to the criteria that have been
 +
indicated in the First Claim, taking into account that the volume of business
 +
derived from contracting through a representative, account for only 0.26% of the
 +
global business volume and that the proposed penalty (500,000 euros) represents a
 +
disproportionate amount in relation to the benefits obtained
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 86
 +
86/141
 +
. • High volume of data and treatments: contrary to what this Agency indicates
 +
in its Proposal for Resolution, the alleged infractions attributed to EDP
 +
COMERCIALIZADORA does not affect "all data processing carried out by the
 +
entity EDP COMERCIALIZADORA SAU ”, but only to the treatments related to
 +
customers. In fact, the AEPD itself recognizes in the section on "High
 +
number of interested parties ”that“ [t] he infringement affects all natural person clients
 +
of the entity ”, but does not indicate any other group of interested parties. Also, in what
 +
which refers to contracting by third parties on behalf of the owner, it is relevant
 +
note that such contracting only affects 0.26% of the business volume
 +
of EDP COMERCIALIZADORA, so it is evident that the volume of data and
 +
treatments affected is minimal. For this reason, the small number of
 +
treatments affected, and especially, in relation to contracting through
 +
representative, must be taken into account as an extenuating circumstance.
 +
• Recent acquisition of EDP COMERCIALIZADORA: as we have indicated in the
 +
Preliminary argument of this writing, EDP COMERCIALIZADORA has been
 +
recently acquired by the Total Group. By virtue of article 76.2.e) of the
 +
LOPDGDD, in conjunction with article 83.2.k) of the RGPD, understands this part that
 +
This circumstance must be taken into consideration when, where appropriate, modular and
 +
attenuate the potential sanction - sanction that in any case this part understands that
 +
proceeds-. Although the aforementioned precept includes the cases in which the
 +
structural modification is a fusion by absorption, in application of the principle of
 +
teleological interpretation, its regulation should be extended to other modifications
 +
structural actions carried out after the commission of the offense and that have
 +
as a consequence the imposition of disproportionate and burdensome sanctions on the
 +
new entity that did not commit the initial offense.
 +
Of the actions carried out in this procedure and of the documentation
 +
Obrante in the file, the following have been accredited:
 +
PROVEN FACTS
 +
1. It appears in the file that EDP COMERCIALIZADORA uses the following
 +
channels to formalize the contracting of their services:
 +
A. Telephone Channel, with partial or definitive closure of the contracting process
 +
through a phone call. It includes the following subchannels:
 +
- CAC Inbound: Call reception, from customers to EDP. On
 +
In general, they are already EDP customers who are identified from the beginning of the call
 +
through a security protocol, although they can also be received
 +
calls from potential customers.
 +
- Telemarketing: Issuance of calls, from EDP to databases
 +
own customers for upselling or abandonment recovery. Used
 +
to make the call the telephone number that appears in the file
 +
of the client, and that has been provided by said person previously.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 87
 +
87/141
 +
- LEADS: Issuance or reception of calls, about users who have
 +
expressed an interest in any platform or website (sweepstakes,
 +
promotions, offer comparators, blogs, advertising agencies, etc.)
 +
leaving their basic data to be contacted or contacting themselves at
 +
the phone number shown to them. Usually such users still
 +
they do not have active contracts with EDP.
 +
B. Web channel, closed by means of a digital form. The user accesses through
 +
a website and start a hiring process totally online, without interaction with
 +
agents.
 +
C. Distributors, with face-to-face or digital closing of the contracting process,
 +
including:
 +
- EDP's own Commercial Offices. Normally already EDP clients who
 +
they proactively go to the office, although they can also be clients
 +
potentials.
 +
- Third -party stores (eg *** STORE.1 ). In general, new clients who come to
 +
make their purchases and are interested in EDP's offer.
 +
D. External Sales Forces, with in-person closing of the contracting process,
 +
including:
 +
- Stands at Fairs, Shopping Centers, etc. In general new clients that
 +
they go to such events or places and are interested in EDP's offer.
 +
- Home visits with prior request. Clients or potential clients who have
 +
provided your data and consent to receive proposals from an agent of
 +
EDP ​​at home.
 +
2. The contracting procedures implemented in those cases in which the
 +
Contracting is carried out by a third party on behalf of the owner are the following:
 +
A) Telephone channels:
 +
A.1 - CAC INBOUND 1) When the user indicates that he wishes to make a contract
 +
As a representative, you are asked about your relationship with the owner and if you have
 +
authorization of said person. 2) Once the previous point has been confirmed, they are requested
 +
identification data of the representative, and all the data of the owner necessary to
 +
formalize the hiring. 3) Finally the Consent is read and recorded in audio
 +
Representative express. 4) The holder of the contract, for informational purposes, is sent
 +
in duplicate, with a stamped envelope, the contractual documentation in compliance
 +
of the provisions of the consumer and user protection regulations.
 +
A.2 - TELEMARKETING 1) When the user indicates that he wishes to carry out a
 +
hiring as a representative is asked about their relationship with the owner. 2) A
 +
Once the previous point has been confirmed, identification data of the representative is requested, and
 +
all the data of the owner necessary to formalize the contract. 3) Then
 +
the Express Consent of the representative is read and recorded in audio. 4) Finally
 +
durable support is sent to the phone / sms provided by the representative, and is expected
 +
upon your confirmation. 5) The holder of the contract, for informational purposes, is sent by
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 88
 +
88/141
 +
duplicate, with a stamped envelope, the contractual documentation in compliance with the
 +
provided in the consumer and user protection regulations.
 +
A.3 - LEADS 1) When the user indicates that he wishes to make a contract as
 +
representative is asked about his relationship with the owner. 2) Once the
 +
previous point, identification data of the representative is requested, and all the data of the
 +
holder necessary to formalize the contract. 3) It is then read and recorded in
 +
audio the Express Consent of the representative. 4) Then support is sent
 +
durable to the phone / sms provided by the representative, and awaits your confirmation.
 +
5) The contract holder, for informational purposes, is sent in duplicate, with envelope
 +
franked, the contractual documentation in compliance with the provisions of the
 +
consumer and user protection regulations. 6) In this channel, by the mode of
 +
contracting and the characteristics of the clients who use it, it is in progress,
 +
as a pilot test, communication via SMS or e-mail to the represented (in cases of
 +
not related to the representative to study its effectiveness and receptivity.)
 +
B. Distributors:
 +
In the case of contracts made in EDP's own Commercial Offices (in
 +
third-party stores there is no possibility of contracting in the name and on behalf of
 +
a third) the procedure is as follows:
 +
1) In those cases in which the user indicates that he wishes to make a contract
 +
as a representative of a third party, you are asked about your relationship with the owner. 2) A
 +
Once the information is obtained, the identification data of the representative is requested, and
 +
all the data of the owner necessary to formalize the contract. Likewise,
 +
requires a photocopy of the NIF, both the representative and the represented. 3)
 +
The presentation of an authorization document is also required.
 +
completed and signed by both interested parties (representative and owner).
 +
C. External Sales Forces:
 +
In the case of contracts made by external sales forces (fair stands,
 +
shopping centers and home visits, provided there is prior request by
 +
of the interested party), in the contract the identification data of the representative will be collected,
 +
Also requesting the data of the owner necessary to formalize the contract.
 +
In the contract, it is expressly specified that the representative declares to have
 +
of sufficient powers to sign the contract on behalf of the client to whom it is
 +
is responsible for informing of all the conditions thereof. It is required, on the other
 +
part of a photocopy of the representative's NIF.
 +
Next, an audio verification of the hiring is recorded where you are
 +
indicates on two occasions to the representative, the fact that he acts on behalf of the
 +
holder of the supply and the relationship-kinship that binds them is confirmed.
 +
To prove the representation, the contracting stub is formalized where the
 +
representative declares to have sufficient powers to sign the contract in
 +
name of the client who is responsible for informing of all the conditions of
 +
this. Likewise, a copy of the representative's NIF is provided.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 89
 +
89/141
 +
3 . It appears in the file that the documentation used by EDP
 +
COMERCIALIZADORA, SAU to prove the representation of the owner when subscribing
 +
a contract is as follows:
 +
A. Telephone Channel:
 +
In the three subchannels of the telephone channel (evidences 2, 3 and 4, CAC Inbound channels,
 +
Telemarketing and Leads respectively) the representative is requested, during the
 +
recording of the contracting procedure, confirmation of the following aspects:
 +
of your identity and ID, of your performance on behalf of the owner, of the relationship with
 +
the represented (as husband, wife, child, attorney, representative); of identity
 +
(name, surname, DNI) of the represented, and telephone and email. The
 +
Documentation accrediting the representation of the contract holder consists of the
 +
recordings in which the representative makes the aforementioned confirmations. On
 +
In the case of telemarketing and LEADS channels, a
 +
sms / email with the following text “EDP Offer: Please, answer with a YES to this
 +
SMS to accept and activate discounts. " (evidences 10 and 12).
 +
B. Distributors: In the case of EDP Comercializadora's own commercial offices
 +
DP, it is requested completed and signed by both interested parties (representative
 +
and owner) a document of express authorization in which the data of both
 +
people and copies of their NIF.
 +
In the channel own commercial offices (evidence 5) the representation is accredited
 +
by means of a document called "representative management authorization template",
 +
in it the owner (identified with his name and ID or CIF), in his own name or
 +
representation of the company authorizes the representative also identified with his
 +
name and ID to carry out different procedures (registration / cancellation, change of ownership,
 +
change of direct debit and / or other procedures) must be indicated in the box
 +
contiguous to each one of them which or which are the authorized procedures. Saying
 +
document requires the signature of the authorizer and the authorized person. Also, said document
 +
contains the following warning “TO BE VALID, THIS AUTHORIZATION
 +
IT MUST BE PRESENTED ACCOMPANIED BY A PHOTOCOPY OF THE HOLDER'S ID AND
 +
OF THE AUTHORIZED. WHEN IT IS AN AUTHORIZATION GRANTED BY A
 +
REPRESENTANTE DEL TIPO SA, SL, AIE, UTE, CB, COMMUNITY OF
 +
OWNERS, FOUNDATIONS, SCHOOLS, ALSO WILL BE REQUIRED
 +
PHOTOCOPY OF THE WRITING OF POWER OF ATTORNEY ”.
 +
C. External Sales Forces: In the case of external sales forces (stands of
 +
fairs, shopping centers and home visits, provided there is prior request by
 +
part of the interested party), a document is used to prove the representation
 +
called sales book (evidence 6). In this checkbook, they contain
 +
spaces to fill in the data of the contract holder (name, surname,
 +
telephone and email) and representative data (name, NIF and address) and
 +
include several boxes to mark that the representative is representative in the capacity of
 +
spouse / registered partner, ascendant / descendant or attorney-in-fact) below such
 +
boxes a text indicates that “it declares to have sufficient powers to subscribe
 +
this contract on behalf of the client who is responsible for informing
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 90
 +
90/141
 +
all the conditions of the same. " A verification recording is made where
 +
confirms with the representative the data of the represented, as well as the relationship or
 +
kinship that unites them (evidence 16)
 +
4. It is evident in the evidence presented that in the hiring subchannels
 +
telephone representatives are informed that “On behalf of their client, and
 +
After passing an analysis of the risk of the operation, we will take the necessary steps
 +
to activate the access contracts, at which point the
 +
new contract being terminated the previous one. "
 +
5. It is established that during the hiring process, in the hiring channels
 +
By telephone, the representative's consent is requested on behalf of the represented
 +
to carry out other treatments such as sending offers related to the
 +
energy adapted to your profile after the end of the contract or send you at any
 +
information on non-energy products or services of companies or
 +
collaborated with EDP. (evidences 2, 3 and 4).
 +
During this process, the consent of the representative is also requested in
 +
name of the represented to complete the commercial profile with information on bases
 +
of third-party data, in order to send you personalized proposals and the
 +
possibility of contracting or not certain services.
 +
In the channel of external forces, the possibility of providing such
 +
consents. As evidence 6 shows under the heading
 +
CLIENT / REPRESENTATIVE, after noting that the information related to the protection of
 +
data can be read on the back, allows you to mark the following consents,
 +
marking the joint box for each of them:
 +
 I consent to the processing of my personal data once the relationship has ended
 +
contractual, to carry out commercial communications adapted to my profile
 +
of products and services related to the supply and consumption of energy. In addition,
 +
I consent to the aforementioned treatments during the term and after the end of the
 +
contract, on non-energy products and services, both of the Group companies
 +
EDP ​​and third parties.
 +
 I consent to the processing of my personal data for the elaboration of my profile
 +
with information from third party databases, for the
 +
adoption, by EDP, of automated decisions in order to send
 +
personalized commercial proposals, as well as to allow, or not, the contracting
 +
of certain services.
 +
6. Evidence 2, 3 and 4 show that during the telephone contracting process
 +
the following information is provided to the representative: "Your personal data and those of your
 +
represented will be treated by EDP Comercializadora SAU and EDP Energía SAU to
 +
the management of your contracts, fraud prevention, profiling based on
 +
customer and EDP information, as well as communication
 +
personalized information on products or services directly related to their
 +
contracts, being able to oppose them at any time ".
 +
In the telemarketing and leads channel evidences 3 and 4 the following is added "Les
 +
We remind you that you can exercise your access rights at any time,
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 91
 +
91/141
 +
rectification, opposition, deletion, limitation and portability, through any of
 +
the routes indicated in the General Conditions that can be consulted on our website
 +
www.edpenergia.es. "
 +
This information does not appear in evidence 2 corresponding to the CAC inbound channel.
 +
In the own offices channel, the information provided is as follows (evidence 5)
 +
"Interested parties are informed that the personal data provided in
 +
This form will be treated as the data controller by EDP ENERGÍA,
 +
SAU and EDP COMERCIALIZADORA, SAU so that they can be used
 +
for the processing of authorized management.
 +
The personal data that you provide us will be used, in the form and with the
 +
limitations and rights recognized by the General Data Protection Regulation
 +
(EU) 2016/679.
 +
The interested parties whose data are subject to treatment may exercise their rights
 +
of access, rectification, deletion, portability, limitation and opposition to treatment
 +
of these data, proving your identity, by email addressed to
 +
cclopd@edpenergia.es or by writing to the person responsible for the treatment at the
 +
Address Plaza del Fresno, 2 - 33007 Oviedo (Asturias). Likewise, you can put
 +
in contact with the EDP Data Protection Officer, at the same address
 +
postal or email dpd.es@edpenergia.es, if you understand
 +
violated any of your rights related to data protection, or in your
 +
case, file a claim with the Spanish Agency for Data Protection "
 +
In the External Forces Channel, the sales book provides the following
 +
information. On the back of the first page there is a section, entitled
 +
"Basic Information on Data Protection": which includes the following:
 +
"Personal data will be processed by EDP COMERCIALIZADORA,
 +
SAU and EDP ENERGÍA, SAU (hereinafter, jointly, EDP) as
 +
Responsible for the Treatment, for the maintenance, development, compliance and
 +
management of the contractual relationship, fraud prevention, profiling
 +
based on information provided by the Client and / or derived from the provision of the
 +
service by EDP, as well as sending commercial communications, related to
 +
products and services related to the supply and consumption of energy,
 +
maintenance of facilities and equipment, and that can be customized in
 +
based on your Client profile, as reported in the General Conditions, being able to
 +
object at any time to the sending of commercial communications.
 +
Additionally, the Client gives his explicit consent for the treatments of
 +
personal data collected on the front. Without prejudice to consents
 +
provided, the client may exercise, at any time, their access rights,
 +
rectification, opposition, deletion, limitation and portability, through any of
 +
the routes indicated in the General Conditions. "
 +
In the part of general conditions the following information regarding
 +
personal data protection:
 +
“LOPD Purposes of the processing of personal data. According to
 +
provided in current regulations, the client is informed that all data
 +
provided in this contract are necessary for the purposes of its formalization.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 92
 +
92/141
 +
Said data, in addition to those obtained as a result of the execution of the
 +
contract, will be processed by EDP COMERCIALIZADORA, SAU, domiciled at
 +
c / General Concha, 20, 48001, Bilbao and by EDP ENERGIA, SAU with address at
 +
Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers,
 +
in order to manage, maintain, develop, complete and control the
 +
contracting supply of electricity and / or gas and / or complementary services of and / or
 +
gas and / or complementary services of revision and / or technical assistance and / or program of
 +
points, and / or improvement of the service, to carry out actions to prevent
 +
fraud, as well as profiling, personalized commercial communications
 +
based on information provided by the Client and / or derived from the provision of the
 +
service by EDP and related to products and services related to the
 +
supply and consumption of energy, maintenance of facilities and equipment.
 +
These treatments will be carried out in strict compliance with the legislation
 +
current and insofar as they are necessary for the execution of the contract and / or the
 +
satisfaction of EDP's legitimate interests, provided that the latter are not
 +
other rights of the client prevail.
 +
Provided that the client has explicitly accepted it, their personal data will be
 +
treated, even once the contractual relationship has ended and provided that there is no
 +
Produces opposition to said treatment, to:
 +
(I) The promotion of financial services, payment protection services, automotive
 +
or related and electronic, own or third parties, offered by EDP and / or participation in
 +
promotional contests, as well as for the presentation of commercial proposals
 +
linked to the energy sector after the end of the contract, (II) The preparation of
 +
Commercial profiles of the Client by aggregating the databases of
 +
third parties, in order to offer the Client personalized products and services,
 +
thus improving the customer experience, (III) Decision-making
 +
automated, such as allowing the contracting, or not, of certain products
 +
and / or services based on the Client's profile and particularly, on data such as, the
 +
history of defaults, the history of hires, permanence, locations, data
 +
consumption, types of devices connected to the energy network, and similar data
 +
that allow to know in greater detail the risks associated with the contracting. (IV)
 +
Based on the results obtained from the aggregation of the indicated data,
 +
EDP ​​may make personalized offers, specifically aimed at achieving the
 +
contracting of certain products and / or services from EDP or from third parties
 +
depending on whether the client has consented to it or not, being in any case treated
 +
data whose age will not exceed one year. In the event that said process was carried out
 +
carried out in an automated way, the client will always have the right to obtain intervention
 +
human rights by EDP, admitting the challenge and, where appropriate, assessment of the
 +
resulting decision.
 +
Categories of data processed
 +
By virtue of the contractual relationship, EDP may process the following types of data
 +
personal: (I) Identifying data (name, surname, ID, postal address, address
 +
email address, supply point, etc.), (II) Identification codes or keys
 +
User and / or Client, (III) Personal characteristics data (date of birth,
 +
sex, nationality, etc.), (IV) Data of social circumstances (hobbies, style of
 +
life, marital status, etc.), (V) Data on energy consumption and derived lifestyle habits
 +
of these, (VI) Economic, financial, solvency and / or insurance data.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 93
 +
93/141
 +
Personal data will be kept for the duration of the contractual relationship
 +
and at most, during the statute of limitations for legal actions
 +
corresponding, unless the Client authorizes its treatment for a longer period,
 +
applying organizational and security measures from the beginning of the treatment
 +
to ensure the integrity, confidentiality, availability and resilience of data
 +
personal
 +
Communications and recipients of personal data.
 +
All personal data derived from the provision of the service and those obtained in
 +
By virtue of this contract, they may be communicated to the following entities:
 +
i)
 +
The corresponding distribution company, producing with it a
 +
permanent exchange of information for the adequate provision of the
 +
service, including the request for access to your network, readings (which in the case
 +
remote-managed meter will be hourly) and / or consumption estimate, control
 +
quality of supply, request for supply cuts, modifications in
 +
power, etc.
 +
ii)
 +
The Organizations and Public Administrations that by Law correspond.
 +
iii)
 +
Banks and financial entities for the collection of services rendered.
 +
iv)
 +
Other companies of the business group, solely for administrative purposes
 +
internal and the management of the products and services contracted.
 +
v)
 +
National equity solvency and credit services (Asnef-Equifax,
 +
...) to which in case of non-payment, without just cause by the Client,
 +
You will be able to communicate the debt, as well as fraud prevention services,
 +
for the sole purpose of identifying erroneous or fraudulent information provided
 +
during the hiring process.
 +
saw)
 +
EDP ​​suppliers necessary for the adequate compliance with the
 +
contractual obligations, including those that may be located outside
 +
of the European Economic Area, in which case it is duly
 +
adequate international data transfer.
 +
Rights of the data owner
 +
The client will have at all times the possibility of exercising freely and
 +
completely free of charge the following rights:
 +
i)
 +
Access your personal data that is processed by
 +
EDP.
 +
ii)
 +
Rectify your personal data that is processed by EDP
 +
that are inaccurate or incomplete.
 +
iii)
 +
Delete your personal data that is processed by EDP
 +
iv)
 +
Limit EDP's treatment of all or part of its
 +
personal information.
 +
v)
 +
Oppose certain treatment and decision-making
 +
automated data processing, requiring the intervention
 +
human rights in the process, as well as to challenge the decisions that
 +
are finally adopted by virtue of the processing of your data.
 +
saw)
 +
Port your personal data in an interoperable format and
 +
self-sufficient.
 +
vii)
 +
Withdraw at any time, the consents granted
 +
previously.
 +
In accordance with current regulations, the user can exercise their rights
 +
requesting it in writing, and together with a copy of a reliable accreditation document
 +
identity, at the following postal address: Plaza del Fresno, 2, 33007 Oviedo or
 +
in the email cclopd@edpenergía.es
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 94
 +
94/141
 +
Likewise, you can contact the data protection officer of
 +
EDP ​​at the following postal address Plaza del Fresno, 2, 33007 Oviedo or by mail
 +
electronic dpd, es @ edpenergía.es, in the event that you understand that any of the
 +
your rights related to data protection, or, where appropriate, file a
 +
claim before the Spanish Agency for Data Protection, at the address Calle de
 +
Jorge Juan, 6, 28001. Madrid "
 +
7. It is established that the number of contracts signed in 2018 and 2019 by third parties
 +
representing natural persons is the following:
 +
A. Telephone Channel:
 +
A.1 - CAC INBOUND
 +
Year Channel Representation
 +
No. Contracts
 +
2018 CAC Relationship
 +
1,346
 +
2018 CAC Unrelated
 +
394
 +
2019 CAC
 +
Relationship
 +
983
 +
2019 CAC Unrelated
 +
278
 +
A.2 - TELEMARKETING
 +
Channel Year
 +
Representation
 +
No. Contracts
 +
2018 TELEMARKETING
 +
Relationship
 +
2,865
 +
2018 TELEMARKETING
 +
No kinship
 +
82
 +
2019 TELEMARKETING
 +
Relationship
 +
1,201
 +
2019 TELEMARKETING
 +
No kinship
 +
42
 +
A.3 - LEADS
 +
Channel Year
 +
Representation
 +
No. Contracts
 +
2018 LEADS
 +
Relationship
 +
5,518
 +
2018 LEADS
 +
No kinship
 +
849
 +
2019 LEADS
 +
Relationship
 +
6,127
 +
2019 LEADS
 +
No kinship
 +
1,160
 +
B. Web: Hiring with a representative is not contemplated.
 +
C. Distributors (own commercial offices):
 +
Year Channel Representation
 +
No. Contracts
 +
2018 OOCC Relationship
 +
194
 +
2018 OOCC Unrelated
 +
67
 +
2019 OOCC Relationship
 +
174
 +
2019 OOCC Unrelated
 +
78
 +
D. External Sales Forces: (trade fair stands, shopping centers - home visit)
 +
Year Channel Representation
 +
No. Contracts
 +
2018 FVE
 +
Relationship
 +
10,758
 +
2018 FVE
 +
No kinship
 +
118
 +
2019 FVE
 +
Relationship
 +
1,556
 +
2019 FVE
 +
No kinship
 +
58
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 95
 +
95/141
 +
8. It establishes that on July 16, a written entry from EDP was entered into the AEPD
 +
Comercializadora SAU in which it states that "it has reviewed the procedure to follow
 +
in contracting by third parties on behalf of the owner, in order to strengthen said
 +
procedure and reduce the risks of possible identity theft carried out
 +
in bad faith by the contracting party in this type of process, taking into account,
 +
additionally, the particular needs identified as a result of the state of
 +
alarm decreed last March and that has necessarily required that
 +
all contracts are carried out in a non-face-to-face way.
 +
That in order to inform the AEPD of the specific actions that are
 +
are being carried out in relation to this matter by EDP, in compliance
 +
of their duty of proactive compliance (accountability), we attach the
 +
"Contracting procedure by third parties on behalf of the owner", so that they have
 +
visibility on the modifications that are being implemented in these processes
 +
in order to meet your request in this regard, as well as to highlight the
 +
EDP's proactivity regarding its suggestion of adaptation of said
 +
process." This procedure is detailed below.
 +
9. EDP ​​COMERCIALIZADORA SAU, contributes in response to the request made
 +
by this Agency in the framework of research activities extract from the Registry
 +
of Treatment Activities that includes the records related to the activities that
 +
are carried out in the field of contracting products and / or services and the analysis of
 +
risks carried out in relation to the treatments carried out in the context of the
 +
contracting products and / or services.
 +
The risk analysis is contained in an Excel document, it does not contain a date
 +
nor signature. 15 risk factors are listed; 1. Information commercially
 +
sensitive, 2. Commercial Communications, 3. Data Origin (external source or
 +
internal), 4. Data transfers. 5, Treatment Managers. 6. Transfers
 +
international 7. Scoring / Profiling activities. 8.Decisions
 +
automated. 9. Systematic monitoring of headlines. 10. Categories
 +
special data. 11. Large-scale data processing. 12.
 +
Data interconnections / Big Data. 13. Minor Data / Vulnerable Holders.
 +
14. Application or use of innovative technologies.15. Unavoidable treatment /
 +
Restriction of the exercise of rights or access to the service. Regarding the valuation
 +
potential of inherent risk, the risk scale has 4 levels: low, with a
 +
score from 0 to 12; average score from 13 to 25; tall from 26 to 38 and very tall
 +
from 39 to 51. The assessment or weight given to each of the factors of
 +
risk is from 1 to 4. In the risk analysis, for each of the
 +
sales channels a yes or no in each of the 15 risk factors above
 +
listed. The sum of the weight attributed to each of the factors for
 +
each channel determines the inherent risk. The result of inherent risk is
 +
medium in all the contracting channels, except in the web channels and
 +
external forces through home visits in which the outcome of the
 +
inherent risk is low. Risk correction measures are not indicated.
 +
These documents are declared reproduced in this act for evidentiary purposes.
 +
10. It is clear that to access the General Conditions, which are referred to in the
 +
telephone processes to obtain the rest of the information regarding the treatment of
 +
personal data, on the www.energía.es page, the following process must be followed:
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 96
 +
96/141
 +
-Access through the internet browser to the address
 +
https://www.edpenergia.es/es/
 +
- Introduction in the search engine of the text page itself: "General Conditions"
 +
-The website shows, under the following address:
 +
https://www.edpenergia.es/es/buscadorGeneral.do?tiposBusqueda=C%7CM
 +
% 7CD & idMenuSegmento = 18 & textBusqueda = Conditions + General, 2 tabs
 +
one called related information and the other Documents.
 +
-The "Documents" tab of the Search Results is selected. Is
 +
offers a total of 78 results, the third of which corresponds to the
 +
"General contracting conditions".
 +
-The "General contracting conditions" are selected and automatically
 +
open a new browser window pointing to the following internet address:
 +
https://www.edpenergia.es/resources/doc/comercial/2019/09/10/condicionesgenerales-
 +
de-contratacion.pdf, where the document can be downloaded.
 +
11 .The following documents are provided in support of the allegations made:
 +
Annex 1.a) Risk analysis methodology and implementation of Days
 +
- Annex 1.b) RAT contracting EDPC
 +
- Annex 1.c) RAT risk assessment- EDPC contracting
 +
- Annex 1.e) Impact Assessments -Risk Assessments
 +
- Annex 1.f) Impact evaluations - Reports
 +
Appendix 2 :
 +
- EDP Methodology_Privacy by Design by Default
 +
- Operational Instruction Privacy by Design & Privacy by Default
 +
- Privacy by Design & Privacy by Default form
 +
- Privacy By Design Procedure Flowchart.
 +
Annex 4:
 +
- Examples of requests for the exercise of rights.
 +
The Risk Analysis Methodology and DPIAS (DATA PRIVACY
 +
ASSESSMENTS) contains on its first page a version history, being the
 +
date of the initial version 11/24/2017 and the last one on 05/11/2018 revision date
 +
prior to the applicability of the RGPD. It is accompanied by various annexes whose date
 +
not included or provided.
 +
The document contained in annex 1.b RAT, EDPC, whose date does not appear, includes
 +
a treatment purpose not included in the register of treatment activities
 +
sent to this Agency on June 17, 2020. Specifically, said treatment
 +
that is now included has the following content:
 +
Responsible: EDP Comercializadora SAU
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 97
 +
97/141
 +
Purpose of the treatment: "Carrying out Scoring of customers of the B2C segment prior
 +
to hiring ”,
 +
Description: “Scoring of customers in the B2C segment prior to the
 +
contracting according to the internal pending debt and information from
 +
solvency (ASNEF). "
 +
Category of data holders: "Clients and potential clients."
 +
Category of personal data processed: "Identifying data and economic data."
 +
Legal basis for carrying out the treatment: "Satisfaction of legitimate interests."
 +
Period of conservation of personal data: “5 years from the end of the
 +
contractual relationship. The certain, past due and enforceable debt derived from the execution of the
 +
contract will be maintained until its cancellation or the limitation period of the actions
 +
pertinent legal recovery. "
 +
Data transfers (data recipients, other than those in charge of the treatment):
 +
“ASNEF is jointly responsible for the treatment, according to the signed agreement
 +
with ASNEF. "
 +
Categories in charge of treatment: The box has no content.
 +
International data transfer: No
 +
Annex 1.c) under the name “RAT Risk Assessment- EDPC Contracting”, whose
 +
The date is not reflected in the document either, it contains the risk analysis, in the form of
 +
matrix, the same as the one presented on June 17, 2020, with the same content, if
 +
either two columns have been added under the title "treatment requires PIA", both
 +
entitled "No. of EDP-W29 criteria", the first indicates a number that seems
 +
correspond to its title and the second indicates the need to carry out a
 +
Impact evaluation. In this matrix there is also a new treatment whose
 +
The purpose is the “Scoring of customers in the B2C segment prior to the
 +
hiring ”.
 +
Various documents entitled impact evaluations are provided, whose date
 +
Nor is it recorded, these impact evaluations are the following:
 +
-Risk assessment of B2C client scoring prior to hiring,
 +
in which, among other threats, the following are indicated:
 +
- “the basis that legitimizes the treatment is not adequate, is illegal or has not been formulated
 +
adequately ”, whose probability is set as high, with an impact rated as
 +
very high and resulting in inherent risk High. Regarding the controls implemented
 +
Faced with this threat, it is stated that “the legal basis of the treatment is to satisfy a
 +
legitimate interest (fraud prevention) ”.
 +
- “At the time of data collection, the minimum information is not provided
 +
provided to the person or no information is provided. " In this case
 +
it is considered that neither the probability nor the impact “does not apply, nor is there a risk
 +
inherent, the controls being the “Data Protection clause included in the
 +
contract signed with the client with all the information required by the RGPD ”and the
 +
"Information provided to the client prior to carrying out the scoring process"
 +
-Evaluation of channel leads to be converted by telemarketing
 +
-Risk assessment Telemarketing upselling and dropouts
 +
-CAC channel risk assessment to clients or potential clients (inbound)
 +
-ChannelOOCC evaluation of clients and potential clients
 +
- Risk assessment of third-party stores for sale to potential customers.
 +
In all these impact evaluations, threats are considered among others
 +
many, those related to the fact that “the basis that legitimizes the treatment is not adequate, it is
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 98
 +
98/141
 +
illegal or has not been properly formulated ”and“ at the time of collection of the
 +
data is not provided the minimum information provided to the person or is not
 +
provides no information "In both cases the probability is valued as high,
 +
the impact as very high and the inherent risk high. Controls are mentioned
 +
adopted, referring to the legitimizing basis of the treatment in the first of the cases
 +
and "Data Protection clause included in the contract signed with the client with
 +
all the information required by the RGPD ”in the second. They are described among the
 +
checks in progress for both threats on all channels except channel
 +
OOCC, “the implementation of a new contracting procedure through
 +
representative, incorporating the sending of an SMS / Email message through which the
 +
provides the basic information necessary in terms of data protection to the owner of the
 +
contract."
 +
The date on which the actions in progress were incorporated into the
 +
corresponding impact evaluations.
 +
These documents are declared reproduced in this act for evidentiary purposes.
 +
FOUNDATIONS OF LAW
 +
I
 +
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679,
 +
of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of
 +
Individuals with regard to the Processing of Personal and Free Data
 +
Circulation of this Data (General Data Protection Regulation, hereinafter
 +
RGPD) recognizes each Control Authority, and as established in the articles
 +
47, 48, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of
 +
Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the
 +
Director of the Spanish Data Protection Agency is competent to initiate and
 +
solve this procedure.
 +
Article 63.2 of the LOPDGDD determines that: “The procedures
 +
processed by the Spanish Data Protection Agency will be governed by the provisions
 +
in Regulation (EU) 2016/679, in this organic law, by the provisions
 +
regulations dictated in their development and, as long as they do not contradict them, in a
 +
subsidiary, by the general rules on administrative procedures. "
 +
II
 +
Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the
 +
Council of April 27, 2016, regarding the protection of natural persons in the
 +
regarding the processing of personal data and the free circulation of these data
 +
(General Data Protection Regulation, hereinafter RGPD), under the rubric
 +
"Definitions", provides the following:
 +
"2)" treatment ": any operation or set of operations carried out on
 +
personal data or personal data sets, whether by procedures
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 99
 +
99/141
 +
automated or not, such as collection, registration, organization, structuring,
 +
conservation, adaptation or modification, extraction, consultation, use,
 +
communication by transmission, broadcast or any other form of authorization of
 +
access, collation or interconnection, limitation, deletion or destruction ”.
 +
7) "data controller" or "controller": the natural or legal person,
 +
public authority, service or other body that, alone or together with others, determines the
 +
purposes and means of the treatment; whether the law of the Union or of the Member States
 +
determines the purposes and means of the treatment, the person responsible for the treatment or
 +
Specific criteria for their appointment may be established by Union law.
 +
or of the Member States "
 +
Article 24.1 of the RGPD provides for the responsibility of the person responsible for the
 +
treatment that “Taking into account the nature, scope, context and purposes of the
 +
treatment, as well as risks of varying probability and severity to the rights and
 +
freedoms of natural persons, the data controller will apply measures
 +
appropriate technical and organizational techniques in order to ensure and be able to demonstrate that the
 +
treatment is in accordance with this Regulation. These measures will be reviewed and
 +
will update when necessary . "
 +
In the present case, it is established that EDP COMERCIALIZADORA, SAU is the
 +
responsible for data processing, referred to in the factual background of the
 +
present agreement to initiate the sanctioning procedure, since, in accordance with the
 +
definition of article 4.7 of the RGPD, it is who determines the purpose and means of the
 +
treatments carried out for the purposes indicated in the documentation provided
 +
relating to the contracting of their services, so in their capacity as responsible for the
 +
treatment is obliged to comply with the provisions of transcript art 24 of the RGPD and in
 +
special regarding the effective and continuous control of "technical and organizational measures
 +
appropriate in order to guarantee and be able to demonstrate that the treatment is in accordance with the
 +
this Regulation "
 +
Likewise, article 25. 1 of the RGPD establishes that “ Taking into account the state of
 +
the technique, the cost of the application and the nature, scope, context and purposes of the
 +
treatment, as well as the risks of varying likelihood and severity posed by the
 +
treatment for the rights and freedoms of natural persons, the person responsible for the
 +
treatment will apply, both at the time of determining the means of treatment
 +
as at the time of the treatment itself, technical and organizational measures
 +
appropriate, such as pseudonymisation, designed to effectively apply the
 +
data protection principles, such as data minimization, and integrating the
 +
guarantees necessary in the treatment, in order to meet the requirements of this
 +
Regulation and protect the rights of the interested parties. "
 +
For these purposes, the provisions of the following recitals of the
 +
GDPR:
 +
74. “The responsibility of the person responsible for the treatment for
 +
any processing of personal data carried out by himself or on his own. On
 +
In particular, the person responsible must be obliged to apply timely and effective measures and
 +
must be able to demonstrate the compliance of the processing activities with the
 +
this Regulation, including the effectiveness of the measures. These measures must have
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 100
 +
100/141
 +
take into account the nature, scope, context and purposes of the processing as well as the
 +
risk to the rights and freedoms of natural persons. "
 +
75. “The serious and serious risks to the rights and freedoms of natural persons
 +
variable probability, may be due to the processing of data that could cause
 +
Physical, material or immaterial damages, particularly in cases where
 +
that the treatment may give rise to problems of discrimination, usurpation of
 +
identity or fraud, financial loss, reputational damage, loss of
 +
confidentiality of data subject to professional secrecy, unauthorized reversal of the
 +
pseudonymization or any other significant economic or social damage; in the
 +
cases in which the interested parties are deprived of their rights and freedoms or are
 +
prevent exercising control over your personal data; in cases where the data
 +
personal treaties reveal ethnic or racial origin, political opinions, religion
 +
or philosophical beliefs, union membership and the processing of genetic data,
 +
data relating to health or data on sexual life, or convictions and offenses
 +
criminal or related security measures; in the cases in which they are evaluated
 +
personal aspects, in particular the analysis or prediction of aspects related to the
 +
job performance, financial status, health, preferences or interests
 +
personal, reliability or behavior, situation or movements, in order to create or
 +
use personal profiles; in the cases in which personal data of
 +
vulnerable people, in particular children; or in cases where the treatment
 +
involves a large amount of personal data and affects a large number of
 +
interested. "
 +
76. “The probability and severity of the risk to the rights and freedoms of the
 +
stakeholder should be determined with reference to the nature, scope, context and
 +
the purposes of data processing. Risk should be weighted on the basis of a
 +
objective evaluation by which it is determined whether the treatment operations of
 +
data pose a risk or if the risk is high. "
 +
Therefore, the controller must carry out an analysis of the
 +
risks that the data processing carried out may have for the rights and
 +
freedoms of natural persons, implementing technical and organizational measures
 +
appropriate to apply the principles of data protection and integrate the guarantees
 +
necessary in the treatment in order to comply with the requirements of the RGPD, being able to
 +
demonstrate that the treatment is in accordance with the provisions of the aforementioned standard.
 +
The data protection principles are contained in article 5 of the
 +
RGPD, the first of which should be highlighted here regarding the legality of the
 +
treatment. In accordance with article 5.1.a of the RGPD “Personal data will be: a)
 +
treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness,
 +
loyalty and transparency '). The second number of article 5 provides that “The
 +
responsible for the treatment will be responsible for compliance with the provisions of the
 +
paragraph 1 and capable of demonstrating it ('proactive responsibility'). "
 +
The legality of the treatment implies that personal data can only be
 +
treated by the person responsible for the treatment when any of the bases
 +
legitimating entities listed in article 6 of the RGPD.
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 101
 +
101/141
 +
Taking into account the documentation provided by the person responsible for the treatment,
 +
It should be noted that the contracting of gas services by EDP,
 +
COMERCIALIZADORA, SAU can be carried out through different channels being
 +
these the following:
 +
A- Telephone, which includes the following sub-channels: CAC Inbound, Telemarketing and
 +
Leads.
 +
B. Web Channel.
 +
C. Distributors, which includes EDP's own Commercial Offices and third-party stores.
 +
D. External Sales Forces, which can be: Stands at Fairs, Centers
 +
Commercial, etc., or home visits with prior request.
 +
According to said documentation, the contracting of the service can be carried out
 +
with a customer representative, except for the web channel and sub-channel
 +
third-party stores where it is not allowed. Examination of procedures
 +
contracting the service described by the person in charge and the documentation provided
 +
show that when the service is contracted through
 +
representative is not required to prove the representation he claims to hold.
 +
This absence of accreditation has a single exception when the hiring of the
 +
service is carried out in the sub-channel of our own commercial offices in which a
 +
document certifying the authorization granted for contracting by the
 +
represented together with the presentation of his / her DNI (evidence 5).
 +
Thus, to the extent that a procedure has not been implemented that allows
 +
certify the representation of the person who makes a contract on behalf of a
 +
third, various risks may be generated and may be mentioned, by way of
 +
For example, the one consisting of a data processing of the represented without legitimation, the
 +
risk of identity theft or economic or other damages that are
 +
may cause the interested party as a result of the change of company
 +
service provider with the consequent cancellation of the original contract or the
 +
change of ownership of the contract or the type of contract with the company
 +
supplier, without the interested party having consented to such changes.
 +
Secondly, in the documentation provided, it is observed that in the channel of
 +
telephone contracting (CAC inbound, Telemarketing and leads subchannels) together with the
 +
hiring the service, consent is requested to carry out other
 +
treatments, such as sending energy-related offers tailored to the
 +
customer profile upon completion of the contract or referral at any time of
 +
information on non-energy products or services of collaborating companies or
 +
EDP. This request is made to the representative as is clear from the own
 +
literality of the text of evidence 2, 3 and 4 submitted, according to which the
 +
this one: “May we present to your client offers related to energy
 +
adapted to your profile after the end of the contract, or send you at any time
 +
information of non-energy products and services, of Collaborating Companies or of
 +
EDP? " (Evidence 2)" Can you allow us to present your client with related offers
 +
with the energy after the end of the contract, or send you at any time
 +
information on products and services of the financial, insurance and
 +
automotive, Collaborating Companies or EDP? " (evidence 3). "Allows us
 +
present you with energy-related offers tailored to your profile after the
 +
termination of the contract, or send you at any time product information and
 +
non-energy services, of Collaborating Companies or EDP? (evidence 4).
 +
C / Jorge Juan, 6
 +
www.aepd.es
 +
28001 - Madrid
 +
sedeagpd.gob.es
 +
Page 102
 +
102/141
 +
In none of the three cases, as can be seen from the analysis of the
 +
procedures followed by the person in charge in the contracting processes,
 +
requests proof that the representative has been authorized to provide such
 +
consent on behalf of the principal.
 +
Nor is it proven that the representative has been authorized by his client.
 +
to consent to the processing of data for advertising purposes that has been done above
 +
reference, if it does so, when the hiring process is carried out
 +
carried out through the channel of EDP's own commercial offices
 +
COMERCIALIZADORA, SAU since no such possibility is contemplated in the
 +
document presented as evidence 5, which contains the authorizations
 +
for various treatments by the representative, taking into account
 +
which must, where appropriate, be a specific mandate without being deduced from
 +
a general authorization for other treatments.
 +
In the case of contracting through the external forces channel, evidence 6, at the
 +
that the person in charge calls sales check, contains, in the box entitled
 +
"Client / representative", a box to consent to the processing of personal data,
 +
in the following terms: "I consent to the processing of my personal data once
 +
once the contractual relationship has ended, to carry out commercial communications
 +
adapted to my profile of products and services related to the supply and consumption of
 +
Energy. Likewise, I consent to the aforementioned treatments during the term and after
 +
the termination of the contract, on non-energy products and services, both of the
 +
EDP ​​Group companies and third parties. " In said contract or sales stub,
 +
as it has been called by the person in charge, it also appears, after the spaces
 +
destined to the data of the representative who “declares to have powers
 +
sufficient to sign this contract on behalf of the client to whom it is
 +
is responsible for informing of all the conditions of the same. " Nor in this
 +
hiring procedure requires an accreditation of the representation that is
 +
claims to hold to contract or give consent for other treatments in
 +
name of the represented, being the representation merely declared by the
 +
representative.
 +
Neither in these cases has a procedure been implemented that allows to accredit
 +
that the representative had the authorization of the principal to consent to such
 +
treatments, producing the risk of data processing of the represented without
 +
legitimation, being exposed to the reception of publicity even after
 +
the contractual relationship has ended. In the case of the external sales forces channel,
 +
increases the risk, since the contract is not even sent to the represented, but
 +