AEPD (Spain) - PS/00126/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 6(1)(b) GDPR
Type: Complaint
Outcome: Upheld
Decided: 20.05.2021
Published: 03.06.2021
Fine: 6000 EUR
National Case Number/Name: PS/00126/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA fined an energy supply company €6000 for processing personal data without a legal basis. The DPA held that the company could not rely on Article 6(1)(b) GDPR where it had not entered into a valid legal contract with the data subject.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD) against an energy services provider. The controller had used the complainant's personal data to contract gas and electricity supplies, as well as a maintenance service called Servielectric Xpress, which were not requested by the complainant. The respondent entered into these contracts without the consent or knowledge of the data subject.

Holding

The AEPD held that the controller had used the data subject's personal data to make them party to a contract without any legitimacy, as the data subject had not requested such services. Therefore, the contract was not valid, which implied that the controller had processed the data without any legal basis.

The AEPD therefore argued that, for Article 6(1)(b) GDPR to be a legitimate legal basis for the processing, the data must be provided by the data subject. The controller is obliged to verify with due diligence that the data subject actually provided their data, for example by setting identification requirements, as part of its accountability and proactive responsibility obligation.

The DPA concluded that the controller had violated Article 6(1) GDPR for processing data without a legal basis, and thus fined the controller €6000.

In the present case, the following were taken into account as aggravating circumstances:

  • the intentionality or negligence of the infringement (Article 83(2)(b) GDPR)
  • the impact on basic personal identifiers (Article 83(2)(g) GDPR)

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure No.: PS / 00126/2021


Of the procedure instructed by the Spanish Agency for Data Protection and based on
the following:


FIRST: D. A.A.A. (hereinafter, the claimant) on July 21, 2020 filed
claim before the Spanish Agency for Data Protection. The claim is directed
against CREATOR ENERGY, S.L., with NIF B67301036 (hereinafter, the claimed one).

The claimant reports the use of their personal data without their consent to
contract gas and electricity supplies at their home, as well as a maintenance
service called Servielectric Xpress. These contracts were registered by
the claimed party.

SECOND: In accordance with the mechanism prior to the admission for processing of the
claims that are made before the AEPD, provided for in article 65.4 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of the
digital rights (hereinafter, LOPDGDD), which consists of transferring the

same to the Data Protection Delegates appointed by those responsible or
those in charge of the treatment, or to them when they have not designated them, and with the purpose
indicated in the aforementioned article, the claim was transferred to the defendant on 18 and 29
September 2020, through the electronic notifications service and the service
post office, so that it could proceed to its analysis and respond within a month.
Being the same ones returned on September 29 and October 6, 2020. It was not received

answer in this Agency by the claimed party.

THIRD: On October 28, 2020, after analyzing the documentation that
in the file, a resolution was issued by the director of the AEPD, agreeing the non-admission
to process the claim. The resolution was notified to the claimant on

October 2020, through the Citizen Folder, according to confirmation of receipt
that appears in the file.

FOURTH: On November 6, 2020, the claimant filed an optional appeal
for reconsideration through the Electronic Registry of the AEPD, against the resolution
issued in file E / 06596/2020, disagreeing with the contested resolution and
providing new documentation and new facts, stating that no information or
clarification has been received from the claimed party, responsible for the
collection of their personal data and its treatment without their consent.

Consequently, the director of the AEPD resolved on March 10, 2021, to
uphold the appeal for reconsideration.

FIFTH: On April 16, 2021, the Director of the Spanish Agency for

Data Protection agreed to initiate a sanctioning procedure for the complained party, by the
alleged violation of Article 6.1.b) of the RGPD, typified in Article 83.5 a) of the RGPD
C / Jorge Juan, 6
28001 - Madrid 2/8

and considered very serious in 72.1.b), for the purposes of prescription, setting a penalty
initial 6,000 euros (six thousand euros).

SIXTH: Having been notified electronically, the initiation agreement. Being the date
made available on April 16, 2021 and the automatic rejection date on the
27 of the same month and year.

SEVENTH: Formally notified of the initiation agreement, the claimed party, at the time of
this resolution, has not submitted a brief of allegations, so the provision
indicated in article 64 of Law 39/2015, of October 1, on the Common Administrative
Procedure of Public Administrations, applies, which in its section f) establishes
that in case of not making allegations within the established period about the content of the
initiation agreement, it may be considered a resolution proposal when it contains a
precise pronouncement about the imputed responsibility, so we proceed to
issue Resolution.

       In view of all the actions, by the Spanish Agency for the Protection of
Data in this procedure are considered proven facts the following:


FIRST: It is established that the defendant used the personal data of the claimant to
contract gas and electricity supplies, as well as a maintenance service
called Servielectric Xpress, not requested by the claimant.

SECOND: It is verified that said contracts were registered by the defendant.

THIRD: It is clear that the defendant did not reply to this Agency, following the requirements
carried out on September 18 and October 6, 2020.

FOURTH: On April 16, 2021, this sanctioning procedure was initiated for the infraction

of article 6.1.b) of the RGPD, being notified on the 27th of the same month and year. Not
having made allegations, the claimed, to the initiation agreement.

                              FOUNDATIONS OF LAW


       By virtue of the powers that article 58.2 of the RGPD recognizes to each authority
of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of
the Spanish Data Protection Agency is competent to initiate and resolve
this procedure.


           Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the
cases in which the processing of third party data is considered lawful:

           "1. The treatment will only be lawful if it complies with at least one of the following

      a) the interested party gave their consent for the processing of their personal data
      for one or more specific purposes;
      b) the treatment is necessary for the performance of a contract in which the

      interested is part or for the application at the request of this of measures
      (…) "

      The infringement for which the claimed entity is responsible is found
typified in article 83 of the RGPD that, under the heading "General conditions for the

imposition of administrative fines ”, it states:

      "5. Violations of the following provisions will be sanctioned, in accordance with
section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of
of a company, of an amount equivalent to a maximum of 4% of the business volume

Global annual total for the previous financial year, opting for the highest amount:

      a) The basic principles for the treatment, including the conditions for the
      consent in accordance with articles 5,6,7 and 9. "

      Organic Law 3/2018, on Protection of Personal Data and Guarantee of

Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions
considered very serious ”provides:

      "1. In accordance with the provisions of article 83.5 of Regulation (E.U.) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose a

substantial violation of the articles mentioned therein and, in particular, the

       b) The processing of personal data without any of the conditions

       of legality of the treatment established in article 6 of the Regulation
       (EU) 2016/679. "


       In the present case, it is important to point out that if the fraudulent
contracting of a product takes place and the consent to perfect said contract has been
provided by a person other than the owner of the data (identity theft), we cannot
understand that there is contractual consent on the part of the latter, who
is harmed.

       In legal terms, we can consider that in this fraud situation the legal
transaction would not have been perfected, which would determine the non-existence of legitimation
to process the personal data of the interested party. And this because, once the contract is signed,
the legal basis of the treatment that legitimizes the contractor as responsible for the treatment
to process the personal data of the owner of these in a product contracting
would be the one provided for in art. 6.1.b) of the RGPD.

       For this legal basis of art. 6.1.b) of the RGPD to exist and legitimize the treatment
of data of the owner necessary for the execution of a contract, it is required that the data
are supplied by the owner, which does not happen when identity is spoofed. Otherwise,
there would be a processing of personal data regarding a contract or
service that has not been requested.

       Therefore, to avoid fraud, it must be verified that indeed the
contractual consent is provided by the true owner of the data, and must

deploy the contractor due diligence in the process of identification and verification of
identity of the contracting person. The SAN of April 29, 2010 considers that "the
question (…) it is not so much to elucidate whether the appellant processed the personal data of the
whistleblower without their consent, such as whether or not they employed reasonable diligence when
to try to identify the person with whom he signed the financing contract ”.

       Identity theft is a risk specifically considered by the
legislator, according to recital 75 of the RGPD and art. 28 of the LOPDGDD, which imposes
those responsible for the treatment the deployment of all due diligence to eradicate it
or minimize it, within the framework of its proactive responsibility. This risk involves important
risks, consequently greater diligence, greater reinforcement of the measures of

security (recital 94 of the RGPD in relation to the mitigation of damages) to
obtain a valid contractual consent from its true owner, especially if you can
involve minors or vulnerable people.

       The correct identification of clients and the adoption of diligent measures to
verify their identity therefore falls squarely within the scope of personal data
protection, because, if not, the risk of identity theft would materialize, which
can probably occur in this type of contracting.

       Therefore, we can consider due diligence to be the observance of the legal
duty of care.

       Being duly diligent implies, in terms of this legal duty of care, preventing
the materialization of the risk (identity theft) establishing with character
in advance of the treatment an effective system of adequate measures to avoid it; such
system must be constantly evaluated. As stated by jurisprudence, the

Responsibility derives from the actions of the person who is responsible for being diligent and
“It cannot be considered excluded or attenuated by the fact that the possible
fraudulent action of a third party, since the responsibility of the plaintiff does not derive
of his performance, but of his own ”.

       Consequently, due diligence is made up of four elements: identifying
(evaluation of the real and potential impact of data processing activities);
prevent, mitigate (through follow-up and monitoring) and, ultimately, be accountable
(communicating the way in which the negative consequences of the
improper data processing). And all this, within a continuous process.

       Due diligence, which must be adapted to the business environments in which
the data controller moves, includes not only the adoption of measures
technical and organizational appropriate to the treatment in question, but the ability to
prove its compliance.

       Therefore, the controller must “be obliged to apply measures
timely and effective and must be able to demonstrate compliance of the
treatment with this Regulation, including the effectiveness of the measures. Said
Measures should take into account the nature, scope, context and purposes of the
treatment, as well as the risk to the rights and freedoms of natural persons ”,
Recital 74 of the RGPD.

       Demonstrating due diligence is essential, and it is not enough to allege the
absence of guilt, since as affirmed by the National High Court, for all the Judgment
278/2015 of June 30, 2015 (Rec. 163/2014), “To the foregoing must be added, following
the judgment of January 23, 1998, partially transcribed in the SSTS of October 9
of 2009, Rec 5285/2005, and of October 23, 2010, Rec 1067/2006, that "although the

culpability for the conduct must also be proven, must be considered in
order to the assumption of the corresponding load, that ordinarily the elements
volitional and cognitive skills necessary to appreciate it are part of the behavior
proven typical, and that their exclusion requires that the absence of such elements be accredited,
or in its normative aspect, that the diligence that was required by whoever

alleges its non-existence; it is not enough, in short, for the exculpation of a behavior
typically unlawful the invocation of the absence of guilt ".

      In conclusion, to act with due diligence, the data controller
must comply with the RGPD and the LOPDGDD and establish mechanisms in advance
adequate to verify the identity of the people whose personal data is going to process or

treats (if it is later detected, during the treatment, an impersonation of
identity), to ensure, ultimately, that it has legitimacy to deal with such
personal information.


      The documentation in the file shows that the defendant violated
Article 6.1 of the RGPD, since it processed and communicated the claimant's personal
data without legitimacy to do so in order to register energy supply contracts
not requested by the claimant, without having proven that the claimant had
legitimately contracted, that it had legal coverage for the collection and later
treatment of the personal data, or that there is any other cause that makes the
treatment carried out lawful.

      Consequently, it has carried out a processing of personal data without having
accredited that has the legal authorization to do so.

      Article 6.1 RGPD says that the treatment “will be lawful if it is necessary for the
execution of a contract in which the interested party is a party ”.

      It was therefore essential that the defendant accredited to this Agency that the

claimant had contracted with her the supplies of gas, electricity, as well as a
maintenance service called Servielectric Xpress.

      The defendant did not reply to this Agency, after the requirements made on 18
September and October 6, 2020, nor did it make any allegations to the start-up agreement

of the present sanctioning procedure.


          In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state:

             "Each control authority will guarantee that the imposition of fines
administrative regulations pursuant to this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are effective in each individual case,
proportionate and dissuasive. "

       "Administrative fines will be imposed, depending on the circumstances of each

individual case, as an additional or substitute for the measures contemplated in article
58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its
amount in each individual case will be duly taken into account:
        a) the nature, severity and duration of the offense, taking into account the
        nature, scope or purpose of the processing operation in question as well

        such as the number of interested parties affected and the level of damages that
        have suffered;
        b) intentionality or negligence in the infringement;
        c) any measure taken by the controller or processor to
        mitigate the damages and losses suffered by the interested parties;
        d) the degree of responsibility of the person in charge or the person in charge of the treatment,

        taking into account the technical or organizational measures that have been applied in
        under articles 25 and 32;
        e) any previous infringement committed by the person in charge or the person in charge of the
        f) the degree of cooperation with the supervisory authority in order to remedy

        the infringement and mitigate the possible adverse effects of the infringement;
        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority learned of the infringement, in
        particular if the person in charge or the person in charge notified the infraction and, in such case, in
        what measure;

        i) when the measures indicated in article 58, paragraph 2, have been
        previously ordered against the person in charge or the person in charge in
        regarding the same matter, compliance with said measures;
        j) adherence to codes of conduct under Article 40 or to mechanisms of
        certification approved in accordance with Article 42, and
        k) any other aggravating or mitigating factor applicable to the circumstances of the

        case, such as financial benefits obtained or losses avoided, direct or
        indirectly, through the offense. "

      Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:

        "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:

        a) The continuing nature of the offense.

        b) The linking of the activity of the offender with the performance of treatment of
personal information.

       c) The benefits obtained as a result of the commission of the offense.

       d) The possibility that the affected person's conduct could have led to the
commission of the offense.

       e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.

       f) Affecting the rights of minors.

       g) Have, when not mandatory, a data protection officer.

       h) The submission by the person in charge or in charge, on a voluntary basis,
to alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "

      In accordance with the transcribed precepts, in order to set the amount of the penalty
of fine to impose on the claimed person, as responsible for an offense typified in the
Article 83.5.a) of the RGPD, the following factors are considered concurrent:

- The intentionality or negligence of the offense (art. 83.2 b).

      - Basic identifiers present are affected (name, address,
          bank account number) (art. 83.2 g)

     That is why it is considered appropriate to graduate the sanction to impose on the claimed and
set it at the amount of € 6,000 for the violation of article 6.1.b) of the RGPD.

       Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE CREATOR ENERGY, S.L, with NIF B67301036, for an infraction
of Article 6.1b) of the RGPD, typified in Article 83.5.a) of the RGPD, a fine of 6,000
euros (six thousand euros).

SECOND: NOTIFY this resolution to CREATOR ENERGY, S.L, with NIF

THIRD: Warn the sanctioned person that he must enforce the sanction imposed once
that this resolution be enforceable, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP), within the voluntary payment period

established in art. 68 of the General Collection Regulations, approved by Real
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by means of their entry, indicating the NIF of the sanctioned person and the number of
procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency
of Data Protection in the banking entity CAIXABANK, S.A .. Otherwise,

it will be collected in the executive period.

        Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment

volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and last days of each month, both inclusive, the payment term will be
until the 5th of the second following or immediately subsequent business month.

        In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

        Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of
the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the Director of

the Spanish Data Protection Agency within a month from the day
following notification of this resolution or directly contentious appeal
administrative law before the Contentious-Administrative Chamber of the National Court, with
in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision
of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,

within two months from the day following notification of this act,
as provided in article 46.1 of the aforementioned Law.

        Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
The firm resolution may be suspended provisionally by administrative means if the interested party

expresses its intention to file a contentious-administrative appeal. If this is the
In this case, the interested party must formally communicate this fact by writing to
the Spanish Agency for Data Protection, presenting it through the Registry
Electronic of the Agency [], or through
any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of 1

October. You must also forward to the Agency the documentation that proves the
effective filing of the contentious-administrative appeal. If the Agency did not have
knowledge of the filing of the contentious-administrative appeal within a period of two
months from the day following the notification of this resolution, would
end of the precautionary suspension.

Mar Spain Martí
Director of the Spanish Agency for Data Protection
