AEPD (Spain) - PS/00100/2022
|AEPD - PS/00100/2022|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 32 GDPR
|Parties:||Naturgy Enery Group S.A.|
|National Case Number/Name:||PS/00100/2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA fined Naturgy Energy Group €80,000 for disclosing a customer's personal data to a third party and changing her registered email address without her consent. The DPA held that Naturgy failed to adopt the necessary security measures and violated the principle of integrity and confidentiality.
English Summary[edit | edit source]
Facts[edit | edit source]
A customer (data subject) of Naturgy Energy Group, a gas and electricity supplier (controller) discovered that her email address registered with the controller had been changed by a third party. This third party also asked the controller to send him two of the data subjects invoices.
After the data subject became aware of this change, she filed a complaint with the controller. However, the controller stated it did nothing wrong, as it asked the questions necessary according to its security policy. The third party identified himself as a relative of the data subject and provided the controller with the data subject's name, ID number, address, the last four digits of her bank account and her contract reference number.
Therefore, the data subject filed a complaint with the DPA against the controller for changing her contract data without her consent, in particular her email address.
Holding[edit | edit source]
The DPA stated that despite the security measures mentioned, the controller ended up sending two invoices to the email address of someone claiming to have some kind of relationship with the data subject. The DPA held that the controller therefore violated Article 5(1)(f) GDPR (principle of integrity and confidentiality).
The DPA followed that the security measures in place were evidently not enough to prevent the events mentioned above. It held that the controller also violated Article 32 GDPR by failing to adopt the necessary security measures to guarantee the protection of the data subjects personal data.
The DPA fined the controller €80,000: €50,000 for the violation of Article 5(1)(f) GDPR and €30,000 for the violation of Article 32 GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 File No.: EXP202105644 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On June 8, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against NATURGY ENERGY GROUP, S.A. (hereinafter, the claimed party), through the Agreement that is transcribe: << File No.: EXP202105644 AGREEMENT TO START A SANCTION PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following FACTS FIRST: A.A.A. (hereinafter, the claimant party) dated November 4, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against the company COMERCIALIZADORA REGULADA GAS & POWER, S.A., belonging to NATURGY ENERGY GROUP, S.A. with NIF A08015497 (hereinafter, the claimed party), of which the claimant is a client. The claimant has become aware that a third party has used her data personal to change the email and request that they send two invoices his, for which he files a claim with the claimed party, and they inform him that this change was made by telephone, providing the name of this third party, and indicating that they had done the right thing since the caller provided the name, DNI, address and contract reference of the claimant. Therefore, the reason on which you base your claim is the change in your contract with the claimed entity, specifically your email without your consent. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/10 Together with the notification, the emails exchanged with the claimed stating the facts, as well as a response to them, detailing in one of them the name of the person who called (which does not match the name of the claimant) and the email provided. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), on December 27, 2021, said communication was claim to the claimed party, so that it proceeded to its analysis and inform the this Agency within a month, of the actions carried out to adapt to the requirements set forth in the data protection regulations. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on December 28, 2021 as It is stated in the acknowledgment of receipt that is in the file. On January 27, 2022, this Agency received a written response from the claimed entity indicating the following: “On October 4, 2021, the Comercializadora customer service Regulada received a call from a person who identified himself as a “family member” of the claimant, and indicated that he wished to request a duplicate of the last invoice of the electricity supply corresponding to the claimant's supply point, providing an email address for the invoice to be sent. To be able to carry out the requested procedures, it is necessary to overcome the policy of security of the Regulated Marketer, for which the person who calls certain information of the holder of the supply contracts that only should know said owner or person authorized by it. The Submitter had all the information necessary to overcome the policy of security and carry out the procedures requested. Thus, specifically, it provided the name and surnames, as well as the DNI of the claimant and also the last four digits of the claimant's bank account. All these data and, in particular, the last four digits of the account number bank, constitute information that only the Claimant should know. In fact, those last four digits of the bank account constitute a information that is not even visible in the documents that Comercializadora Regulada generates for its clients, since they always appear hidden, both in the invoices and through the Private Area, as a security measure.” For all these reasons, the respondent entity considers that its action has been in all time diligent and adjusted to law. THIRD: On February 4, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/10 FOUNDATIONS OF LAW Yo By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and to resolve this procedure. II The principles relating to the processing of personal data are regulated in the Article 5 of the RGPD where it is established that “personal data will be: “a) processed in a lawful, loyal and transparent manner in relation to the interested party (“lawfulness, loyalty and transparency»); b) collected for specific, explicit and legitimate purposes, and will not be processed subsequently in a manner incompatible with those purposes; according to article 89, paragraph 1, the further processing of personal data for archiving purposes in public interest, scientific and historical research purposes or statistical purposes are not deemed incompatible with the original purposes ("purpose limitation"); c) adequate, pertinent and limited to what is necessary in relation to the purposes for which that are processed ("data minimization"); d) accurate and, if necessary, updated; all measures will be taken reasonable to eliminate or rectify without delay the personal data that are inaccurate with respect to the purposes for which they are processed (“accuracy”); e) kept in a way that allows the identification of the interested parties during longer than necessary for the purposes of the processing of personal data; the Personal data may be kept for longer periods provided that it is processed exclusively for archival purposes in the public interest, research purposes scientific or historical or statistical purposes, in accordance with Article 89, paragraph 1, without prejudice to the application of the appropriate technical and organizational measures that This Regulation is imposed in order to protect the rights and freedoms of the interested party (“limitation of the retention period”); f) processed in such a way as to ensure adequate security of the data including protection against unauthorized or unlawful processing and against its loss, destruction or accidental damage, through the application of technical measures or appropriate organizational ("integrity and confidentiality"). The data controller will be responsible for compliance with the provisions of section 1 and able to demonstrate it (“proactive responsibility”).” Article 72.1 a) of the LOPDGDD states that “according to what is established in the article 83.5 of Regulation (EU) 2016/679 are considered very serious and will prescribe C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/10 after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679”. III Security in the processing of personal data is regulated in article 32 of the RGPD where the following is established: "1. Taking into account the state of the art, the application costs, and the nature nature, scope, context and purposes of the treatment, as well as risks of probability variable and seriousness for the rights and freedoms of natural persons, the responsible The controller and the data processor will apply appropriate technical and organizational measures. to guarantee a level of security appropriate to the risk, which, where appropriate, includes yeah, among others: a) pseudonymization and encryption of personal data; b) the ability to ensure confidentiality, integrity, availability and resilience permanent treatment systems and services; c) the ability to restore the availability and access to the personal data of quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular account shall be taken ta the risks that the treatment of data presents, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted stored, stored or otherwise processed, or unauthorized communication or access two to said data. 3. Adherence to a code of conduct approved under article 40 or to a mechanism certification body approved under article 42 may serve as an element for demonstrate compliance with the requirements established in section 1 of this Article. 4. The person in charge and the person in charge of the treatment will take measures to guarantee that Any person acting under the authority of the person in charge or the person in charge and having access to personal data can only process said data following instructions of the person in charge, unless it is obliged to do so by virtue of Union Law or member states.” Article 73.f) of the LOPDGDD, under the heading "Infringements considered serious has: “According to article 83.4 of Regulation (EU) 2016/679, they will be considered serious and Infractions that suppose a substantial violation will prescribe after two years. of the articles mentioned therein, and in particular the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/10 f) The lack of adoption of those technical and organizational measures that result appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of Regulation (EU) 2016/679 IV In accordance with the evidence available at the present time, and without prejudice to what results from the instruction of this sanctioning procedure, considers that the claimed entity has violated the confidentiality required in the processing of personal data, since despite the indicated security measures, has allowed access to a customer's personal data without their consent, managing to send two customer invoices to the third party's email claiming to obtain such information, the existence of some type of kinship with the client. Therefore, article 5.1 f) of the RGPD has been violated, which governs the principle of integrity and confidentiality, so that the data is treated in such a way that it is ensures adequate security of personal data, including the protection against unauthorized or unlawful processing and against loss, destruction or damage accidental, through the application of appropriate technical or organizational measures. This Agency also considers that we are facing a violation of the article 32 of the RGPD, since the security measures of the claimed entity do not are adequate and must be improved after it has been verified that they have not have been sufficient to prevent the events denounced. Thus, this Agency considers that the entity claimed, without prejudice to what result of the instruction, has violated articles 5.1 f) and 32 of the RGPD, by violating the principle of integrity and confidentiality, as well as not adopting measures of security necessary to guarantee the protection of personal data of your customers. v Article 58.2 of the RGPD provides the following: "Each control authority will have of all the following corrective powers indicated below: d) order the person in charge or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period; i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular; SAW The infringement of article 5.1 f) of the RGPD can be sanctioned with a fine of 20,000 €000 maximum or, in the case of a company, an amount equivalent to 4% as a maximum of the overall annual total turnover of the financial year C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/10 above, opting for the highest amount, in accordance with article 83.5 of the GDPR. Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD, considering as aggravating circumstance according to article 76.2 b) LOPDGDD, the relationship of the person responsible with the treatment of personal data. . 7th The infringement of article 32 of the RGPD can be sanctioned with a fine of 10,000,000 € maximum or, in the case of a company, an amount equivalent to 2% as a maximum of the overall annual total turnover of the financial year above, opting for the highest amount, in accordance with article 83.4 of the GDPR. Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD, considering as aggravating circumstance according to article 76.2 b) LOPDGDD, the relationship of the person responsible with the treatment of personal data. Therefore, based on the foregoing, By the Director of the Spanish Data Protection Agency, IT IS AGREED: FIRST: START A SANCTION PROCEDURE against NATURGY ENERGY GROUP, S.A. with NIF A08015497, for the alleged infringement in accordance with the provided for in article 58.2.b) of the RGPD, for the alleged infringement of article 5.1.f) of the RGPD, typified in article 83.5.a) of the RGPD. SECOND: START A SANCTION PROCEDURE against NATURGY ENERGY GROUP, S.A. with NIF A08015497, in accordance with the provisions of article 58.2.b) of the RGPD, for the alleged infringement of article 32 of the RGPD, typified in the article 83.4.a) of the RGPD. THIRD: APPOINT B.B.B. and, as secretary, to C.C.C., indicating that any of them may be challenged, as the case may be, in accordance with established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime Legal Department of the Public Sector (LRJSP). FOURTH: INCORPORATE to the disciplinary file, for evidentiary purposes, the claim filed by the claimant and his documentation, the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase, as well as the report of previous Inspection actions. FIFTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of the Public Administrations, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/10 A penalty of €50,000 (fifty thousand euros) would correspond, for the infraction of the article 5.1 f) of the RGPD, without prejudice to what results from the instruction. SIXTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of the Public Administrations, A penalty of €30,000 (thirty thousand euros) would correspond, for the infraction of the article 32 of the RGPD, without prejudice to what results from the instruction. SEVENTH: NOTIFY this agreement to NATURGY ENERGY GROUP, S.A. with NIF A08015497, granting a hearing period of ten business days for formulate the allegations and present the evidence that it deems appropriate. In its Allegation brief must provide your NIF and the procedure number that appears at the top of this document If within the stipulated period it does not make allegations to this initial agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the term granted for the formulation of allegations to the this initiation agreement; which will entail a reduction of 20% of the sanction to be imposed in this proceeding. With the application of this reduction, the first sanction would be established at €40,000, and the second at €24,000, resolving the procedure with the imposition of both sanctions. Similarly, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the first sanction would be established at €40,000 and the second at €24,000, and their payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the period granted to formulate arguments at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if both reductions apply, the amount of the first penalty would be established at 30,000 euros and the second at 18,000 euros. In any case, the effectiveness of any of the two reductions mentioned will be conditioned to the abandonment or renunciation of any action or resource in via administrative against the sanction. In case you chose to proceed to the voluntary payment of any of the amounts indicated above €40,000 or €30,000 for the first sanction, or €24,000 or €18,000 for the second, you must make it effective by depositing it in account no. ES00 0000 0000 0000 0000 0000 opened on behalf of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A., indicating in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/10 concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which it avails itself. Likewise, you must send proof of payment to the General Subdirectorate of Inspection to proceed with the procedure in accordance with the quantity entered. The procedure will have a maximum duration of nine months from the date of the start-up agreement or, where appropriate, of the draft start-up agreement. Once this period has elapsed, it will expire and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. 935-260122 Sea Spain Marti Director of the Spanish Data Protection Agency >> SECOND: On June 21, 2022, the claimed party has proceeded to pay the sanction in the amount of 48,000 euros making use of the two reductions provided for in the Start Agreement transcribed above, which implies the acknowledgment of responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or resource in via administrative action against the sanction and acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47 and 48.1 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/10 II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common to Public Administrations (hereinafter, LPACAP), under the rubric "Termination in sanctioning procedures" provides the following: "1. Started a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature, but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. The reduction percentage provided for in this section may be increased regulations." According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure EXP202105644, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to NATURGY ENERGY GROUP, S.A.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of the Public Administrations, the interested parties may file an appeal contentious-administrative before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/10 936-240122 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es