AEPD (Spain) - EXP202105644

From GDPRhub
AEPD - PS/00100/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 04.11.2021
Decided: 08.06.2022
Published: 25.08.2022
Fine: 80,000 EUR
Parties: Naturgy Enery Group S.A.
National Case Number/Name: PS/00100/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Jette

The Spanish DPA fined Naturgy Energy Group €80,000 for disclosing a customer's personal data to a third party and changing her registered email address without her consent. The DPA held that Naturgy failed to adopt the necessary security measures and violated the principle of integrity and confidentiality.

English Summary

Facts

A customer (data subject) of Naturgy Energy Group, a gas and electricity supplier (controller) discovered that her email address registered with the controller had been changed by a third party. This third party also asked the controller to send him two of the data subjects invoices.

After the data subject became aware of this change, she filed a complaint with the controller. However, the controller stated it did nothing wrong, as it asked the questions necessary according to its security policy. The third party identified himself as a relative of the data subject and provided the controller with the data subject's name, ID number, address, the last four digits of her bank account and her contract reference number.

Therefore, the data subject filed a complaint with the DPA against the controller for changing her contract data without her consent, in particular her email address.

Holding

The DPA stated that despite the security measures mentioned, the controller ended up sending two invoices to the email address of someone claiming to have some kind of relationship with the data subject. The DPA held that the controller therefore violated Article 5(1)(f) GDPR (principle of integrity and confidentiality).

The DPA followed that the security measures in place were evidently not enough to prevent the events mentioned above. It held that the controller also violated Article 32 GDPR by failing to adopt the necessary security measures to guarantee the protection of the data subjects personal data.

The DPA fined the controller €80,000: €50,000 for the violation of Article 5(1)(f) GDPR and €30,000 for the violation of Article 32 GDPR.

The original fine of €80,000 was reduced to €48,000 due to voluntary payment and admission of responsibility.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                              1/10











     File No.: EXP202105644

       RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                   VOLUNTEER


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                  BACKGROUND


FIRST: On June 8, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against NATURGY ENERGY
GROUP, S.A. (hereinafter, the claimed party), through the Agreement that is
transcribe:


<<



File No.: EXP202105644



            AGREEMENT TO START A SANCTION PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and in

based on the following

                                      FACTS

FIRST: A.A.A. (hereinafter, the claimant party) dated November 4,

2021 filed a claim with the Spanish Data Protection Agency.

The claim is directed against the company COMERCIALIZADORA REGULADA GAS
& POWER, S.A., belonging to NATURGY ENERGY GROUP, S.A. with NIF
A08015497 (hereinafter, the claimed party), of which the claimant is a client.


The claimant has become aware that a third party has used her data
personal to change the email and request that they send two invoices
his, for which he files a claim with the claimed party, and they inform him that this
change was made by telephone, providing the name of this third party, and

indicating that they had done the right thing since the caller provided
the name, DNI, address and contract reference of the claimant.

Therefore, the reason on which you base your claim is the change in your
contract with the claimed entity, specifically your email without your

consent.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/10








Together with the notification, the emails exchanged with the
claimed stating the facts, as well as a response to them, detailing in
one of them the name of the person who called (which does not match the name of the

claimant) and the email provided.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on December 27, 2021, said communication was
claim to the claimed party, so that it proceeded to its analysis and inform the

this Agency within a month, of the actions carried out to adapt to
the requirements set forth in the data protection regulations.

The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations

Public (hereinafter, LPACAP), was collected on December 28, 2021 as
It is stated in the acknowledgment of receipt that is in the file.

On January 27, 2022, this Agency received a written response from the
claimed entity indicating the following:
“On October 4, 2021, the Comercializadora customer service

Regulada received a call from a person who identified himself as a “family member” of the
claimant, and indicated that he wished to request a duplicate of the last invoice of the
electricity supply corresponding to the claimant's supply point,
providing an email address for the invoice to be sent.


To be able to carry out the requested procedures, it is necessary to overcome the policy of
security of the Regulated Marketer, for which the person who
calls certain information of the holder of the supply contracts that only
should know said owner or person authorized by it.


The Submitter had all the information necessary to overcome the policy of
security and carry out the procedures requested. Thus, specifically, it provided the name and
surnames, as well as the DNI of the claimant and also the last four digits of the
claimant's bank account.

All these data and, in particular, the last four digits of the account number

bank, constitute information that only the Claimant should know.

In fact, those last four digits of the bank account constitute a
information that is not even visible in the documents that Comercializadora
Regulada generates for its clients, since they always appear hidden, both in the

invoices and through the Private Area, as a security measure.”

For all these reasons, the respondent entity considers that its action has been in all
time diligent and adjusted to law.


THIRD: On February 4, 2022, in accordance with article 65 of the
LOPDGDD, the claim filed by the claimant was admitted for processing.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/10








                           FOUNDATIONS OF LAW

                                            Yo


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Agency for Data Protection is competent to initiate and to
resolve this procedure.


                                            II


The principles relating to the processing of personal data are regulated in the
Article 5 of the RGPD where it is established that “personal data will be:

“a) processed in a lawful, loyal and transparent manner in relation to the interested party (“lawfulness,
loyalty and transparency»);


b) collected for specific, explicit and legitimate purposes, and will not be processed
subsequently in a manner incompatible with those purposes; according to article 89,
paragraph 1, the further processing of personal data for archiving purposes in
public interest, scientific and historical research purposes or statistical purposes are not

deemed incompatible with the original purposes ("purpose limitation");

c) adequate, pertinent and limited to what is necessary in relation to the purposes for which
that are processed ("data minimization");


d) accurate and, if necessary, updated; all measures will be taken
reasonable to eliminate or rectify without delay the personal data that
are inaccurate with respect to the purposes for which they are processed (“accuracy”);

e) kept in a way that allows the identification of the interested parties during
longer than necessary for the purposes of the processing of personal data; the

Personal data may be kept for longer periods provided that it is
processed exclusively for archival purposes in the public interest, research purposes
scientific or historical or statistical purposes, in accordance with Article 89, paragraph 1,
without prejudice to the application of the appropriate technical and organizational measures that
This Regulation is imposed in order to protect the rights and freedoms of the

interested party (“limitation of the retention period”);

f) processed in such a way as to ensure adequate security of the data
including protection against unauthorized or unlawful processing and against
its loss, destruction or accidental damage, through the application of technical measures

or appropriate organizational ("integrity and confidentiality").

The data controller will be responsible for compliance with the provisions of
section 1 and able to demonstrate it (“proactive responsibility”).”

Article 72.1 a) of the LOPDGDD states that “according to what is established in the

article 83.5 of Regulation (EU) 2016/679 are considered very serious and will prescribe

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/10








after three years the infractions that suppose a substantial violation of the
articles mentioned therein and, in particular, the following:


a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679”.

                                            III

Security in the processing of personal data is regulated in article 32 of the

RGPD where the following is established:

"1. Taking into account the state of the art, the application costs, and the nature
nature, scope, context and purposes of the treatment, as well as risks of probability
variable and seriousness for the rights and freedoms of natural persons, the responsible
The controller and the data processor will apply appropriate technical and organizational measures.

to guarantee a level of security appropriate to the risk, which, where appropriate, includes
yeah, among others:
a) pseudonymization and encryption of personal data;

b) the ability to ensure confidentiality, integrity, availability and resilience
permanent treatment systems and services;

c) the ability to restore the availability and access to the personal data of
quickly in the event of a physical or technical incident;

d) a process of regular verification, evaluation and assessment of the effectiveness of the
technical and organizational measures to guarantee the security of the treatment.


2. When evaluating the adequacy of the security level, particular account shall be taken
ta the risks that the treatment of data presents, in particular as a consequence
of the accidental or unlawful destruction, loss or alteration of personal data transmitted
stored, stored or otherwise processed, or unauthorized communication or access
two to said data.


3. Adherence to a code of conduct approved under article 40 or to a mechanism
certification body approved under article 42 may serve as an element for
demonstrate compliance with the requirements established in section 1 of this
Article.


4. The person in charge and the person in charge of the treatment will take measures to guarantee that
Any person acting under the authority of the person in charge or the person in charge and having
access to personal data can only process said data following instructions
of the person in charge, unless it is obliged to do so by virtue of Union Law or

member states.”

Article 73.f) of the LOPDGDD, under the heading "Infringements considered serious
has:

“According to article 83.4 of Regulation (EU) 2016/679, they will be considered serious and

Infractions that suppose a substantial violation will prescribe after two years.
of the articles mentioned therein, and in particular the following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/10








f) The lack of adoption of those technical and organizational measures that result
appropriate to guarantee a level of security appropriate to the risk of the treatment,
in the terms required by article 32.1 of Regulation (EU) 2016/679


                                          IV

In accordance with the evidence available at the present time, and
without prejudice to what results from the instruction of this sanctioning procedure,
considers that the claimed entity has violated the confidentiality required in the

processing of personal data, since despite the indicated security measures,
has allowed access to a customer's personal data without their consent,
managing to send two customer invoices to the third party's email
claiming to obtain such information, the existence of some type of kinship
with the client.


Therefore, article 5.1 f) of the RGPD has been violated, which governs the principle of
integrity and confidentiality, so that the data is treated in such a way that it is
ensures adequate security of personal data, including the protection
against unauthorized or unlawful processing and against loss, destruction or damage
accidental, through the application of appropriate technical or organizational measures.


This Agency also considers that we are facing a violation of the
article 32 of the RGPD, since the security measures of the claimed entity do not
are adequate and must be improved after it has been verified that they have not
have been sufficient to prevent the events denounced.


Thus, this Agency considers that the entity claimed, without prejudice to what
result of the instruction, has violated articles 5.1 f) and 32 of the RGPD, by violating the
principle of integrity and confidentiality, as well as not adopting measures of
security necessary to guarantee the protection of personal data

of your customers.

                                           v

Article 58.2 of the RGPD provides the following: "Each control authority will have
of all the following corrective powers indicated below:


d) order the person in charge or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period;


i) impose an administrative fine under article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;

                                          SAW


The infringement of article 5.1 f) of the RGPD can be sanctioned with a fine of 20,000
€000 maximum or, in the case of a company, an amount equivalent to 4%
as a maximum of the overall annual total turnover of the financial year

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/10








above, opting for the highest amount, in accordance with article 83.5 of the
GDPR.


Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established by article 83.2 of the RGPD, considering as
aggravating circumstance according to article 76.2 b) LOPDGDD, the relationship of the person responsible with the
treatment of personal data.
.


                                          7th

The infringement of article 32 of the RGPD can be sanctioned with a fine of 10,000,000
€ maximum or, in the case of a company, an amount equivalent to 2%
as a maximum of the overall annual total turnover of the financial year

above, opting for the highest amount, in accordance with article 83.4 of the
GDPR.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
following criteria established by article 83.2 of the RGPD, considering as
aggravating circumstance according to article 76.2 b) LOPDGDD, the relationship of the person responsible with the

treatment of personal data.

Therefore, based on the foregoing,

By the Director of the Spanish Data Protection Agency, IT IS AGREED:


FIRST: START A SANCTION PROCEDURE against NATURGY ENERGY
GROUP, S.A. with NIF A08015497, for the alleged infringement in accordance with the
provided for in article 58.2.b) of the RGPD, for the alleged infringement of article 5.1.f)
of the RGPD, typified in article 83.5.a) of the RGPD.



SECOND: START A SANCTION PROCEDURE against NATURGY ENERGY
GROUP, S.A. with NIF A08015497, in accordance with the provisions of article
58.2.b) of the RGPD, for the alleged infringement of article 32 of the RGPD, typified in the
article 83.4.a) of the RGPD.


THIRD: APPOINT B.B.B. and, as secretary, to C.C.C.,
indicating that any of them may be challenged, as the case may be, in accordance with
established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Legal Department of the Public Sector (LRJSP).


FOURTH: INCORPORATE to the disciplinary file, for evidentiary purposes, the
claim filed by the claimant and his documentation, the documents
obtained and generated by the General Subdirectorate for Data Inspection during the
investigation phase, as well as the report of previous Inspection actions.


FIFTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of the Public Administrations,


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/10








A penalty of €50,000 (fifty thousand euros) would correspond, for the infraction of the
article 5.1 f) of the RGPD, without prejudice to what results from the instruction.


SIXTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of the Public Administrations,
A penalty of €30,000 (thirty thousand euros) would correspond, for the infraction of the
article 32 of the RGPD, without prejudice to what results from the instruction.

SEVENTH: NOTIFY this agreement to NATURGY ENERGY GROUP, S.A. with

NIF A08015497, granting a hearing period of ten business days for
formulate the allegations and present the evidence that it deems appropriate. In its
Allegation brief must provide your NIF and the procedure number that appears
at the top of this document


If within the stipulated period it does not make allegations to this initial agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize your

responsibility within the term granted for the formulation of allegations to the
this initiation agreement; which will entail a reduction of 20% of the
sanction to be imposed in this proceeding. With the application of this
reduction, the first sanction would be established at €40,000, and the second at
€24,000, resolving the procedure with the imposition of both sanctions.


Similarly, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the first sanction would be established at €40,000 and the second at €24,000, and their

payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is revealed within the period granted to formulate
arguments at the opening of the procedure. The voluntary payment of the referred amount

in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions apply, the amount of the first penalty
would be established at 30,000 euros and the second at 18,000 euros.

In any case, the effectiveness of any of the two reductions mentioned will be

conditioned to the abandonment or renunciation of any action or resource in via
administrative against the sanction.

In case you chose to proceed to the voluntary payment of any of the amounts
indicated above €40,000 or €30,000 for the first sanction, or €24,000 or

€18,000 for the second, you must make it effective by depositing it in account no.
ES00 0000 0000 0000 0000 0000 opened on behalf of the Spanish Agency for
Data Protection in the banking entity CAIXABANK, S.A., indicating in the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/10








concept the reference number of the procedure that appears in the heading
of this document and the reason for the reduction of the amount to which it avails itself.


Likewise, you must send proof of payment to the General Subdirectorate of
Inspection to proceed with the procedure in accordance with the quantity
entered.


The procedure will have a maximum duration of nine months from the
date of the start-up agreement or, where appropriate, of the draft start-up agreement.
Once this period has elapsed, it will expire and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.


Finally, it is pointed out that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.


                                                                               935-260122
Sea Spain Marti
Director of the Spanish Data Protection Agency



>>

SECOND: On June 21, 2022, the claimed party has proceeded to pay
the sanction in the amount of 48,000 euros making use of the two reductions

provided for in the Start Agreement transcribed above, which implies the
acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or resource in via

administrative action against the sanction and acknowledgment of responsibility in relation to
the facts referred to in the Initiation Agreement.


                           FOUNDATIONS OF LAW


                                           Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47 and 48.1 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of

digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures

processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/10











                                            II


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common to Public Administrations (hereinafter, LPACAP), under the rubric
"Termination in sanctioning procedures" provides the following:


"1. Started a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature, but the
inadmissibility of the second, the voluntary payment by the alleged perpetrator, in

any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the

competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or recourse against the sanction.


The reduction percentage provided for in this section may be increased
regulations."

According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: TO DECLARE the termination of procedure EXP202105644, of
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to NATURGY ENERGY GROUP, S.A..


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by

the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of the Public Administrations, the interested parties may file an appeal
contentious-administrative before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the

day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/10












                                                                                                          936-240122
Sea Spain Marti

Director of the Spanish Data Protection Agency








































































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es