AEPD (Spain) - PS/00132/2020

From GDPRhub
AEPD - PS/00132/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 83(5) GDPR
Type: Investigation
Outcome: Violation Found
Fine: 50000 EUR
National Case Number/Name: PS/00132/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA fined EDP Energy €50000 for processing personal data of a citizen (relating to the supply of electricity) without a legal basis for doing so.

English Summary


A citizen filed a complaint with the AEPD after he was disconnected from his electricity supply at Endesa Energia and had been put in the name of another person at EDP without his consent. He was re-registered at Endesa, also without his consent, 15 days later.

EDP claimed to the AEPD that the complainant has not been their customer, so they did not have any data on him in their database.

Endesa argued that, in accordance with the guidelines of the National Securities Market Commission (CNMV), the company responsible for providing consent to the change of electricity supplier is the incoming company. In this case, therefore, it would be up to EDP to prove that the customer had given its consent to the processing of data.


Is the processing of electricity supply data, without the consent of the data subject, a breach of Article 6 (1) GDPR?


The Spanish DPA held that the processing of data relating to electricity supply consists of processing personal data, and therefore they cannot be transmitted without the consent of the person concerned, or another legal basis where appropriate.

According to the case-law of the Spanish Supreme Court, the data called "CUPS" ("Codigo Universal de Punto de Suministro") are encrypted personal data, since the identity of the resident can be ascertained through simple checks.

In this case, the aggravating circumstances (Article 83(2) GDPR) have been taken into account, namely, the fact that it was a negligent, unintentional but significant action and, furthermore, the evident link between the business activity of the person claimed and the processing of personal data of customers or third parties.

In view of the above, the Spanish DPA imposed a penalty of €50000 on EDP ENERGY S.A.U. for infringing Article 6(1) GDPR by processing personal data without a legal basis.


The Spanish Supreme Court in its ruling STS 2484/2019 analyzed the obligation of supply companies to transmit data relating to supply contracts to the public authorities.

In this ruling, the Spanish Supreme Court ruled that the data transmitted by supply companies are personal data since they can be linked to a specific person through simple procedures. Furthermore, it denied the need to request the consent of the data subjects when these data are transmitted to the government, as it is covered by the legal basis of pursuing the general interest, namely to prevent electricity fraud and to preserve the proper functioning of the national electricity network.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Product No.: PS/00132/2020

From the procedure instructed by the Spanish Data Protection Agency and based on the following:


D. A.A.A. (hereinafter the complainant) dated 10 July 2019 filed a complaint with the Spanish Data Protection Agency. The complaint is directed against EDP Energía, S.A.U., with NIF A33543547 (in the one being claimed).
The complainant states that he was the holder of a contract for the supply of electricity with the company Endesa Energía S.A.U., (hereinafter "Endesa Energía") associated with the supply point located in the street ***DIRECTION.1 from 21 February 2017 until 19 December 2018, when he was discharged due to a change of marketing company and there was also a change of title in the aforementioned contract, not knowing the name of the latter. 

Subsequently, in relation to the aforementioned point of supply, A new contract was concluded by the complainant on 3 January 2019. It provides, among others, the following documents:

 -Last invoice from Endesa Energía (from 08/11/2018 to 19/12/2018).
- Notification from Endesa Energía dated 20/12/2018, participating in the deregistration of street electricity contract ***DIRECTION.1.
- Copy of the complaint filed with the Provincial Citizenship Service and Social Rights of the Government of Aragon filed on 24/01/2019 and reply to it. 

He states: "that he has been discharged from the electricity bill at Endesa Energía and have been put in the name of another person at EDP. Without your consent and that you have been re-registered with Endesa on


In accordance with Article 65.4 of the LOPDGDD, which provides for a mechanism prior to the admission of complaints to the AEPD, consisting of transferring them to the Data Protection Delegates
appointed by the controllers or persons responsible for the processing, for the purposes in Article 37 of the said law, or to them when they have not been designated, was transfer of the claim to the entity being claimed for analysis and respond to the complainant and to this Agency within one month.

As a result of this procedure:

In its letter of 10 July 2019, Endesa Energía states that when they receive a communication from the distributor in the sense of "activation of change of marketer" with regard to one of their clients, they initiate the procedure the internal "Change of Marketing Company", proceeding to meet the request for
the distributor.
On the other hand, they are registered in their internal company systems, that the claimant was the holder of an electricity supply contract with Endesa Energy, for the above-mentioned point of supply, from 21 February 2017 to 19 December 2018 and currently from 3 January 2019.

However, in accordance with the procedure laid down by the CNMC, in the case concerning to the complainant, Endesa Energía acted as the outgoing marketer, not having the aim  is therefore obliged to verify the holder's consent to the request for a change of received from the distributor, but that obligation to verification of consent falls to the incoming marketer as new holder of the supply contract with the customer.

2º.- The claimed party declares to this Agency, on March 18th 2019, that the claimant is not, and has not been, at any time a client, and therefore do not have data relating to it is included in its database.

The electricity supply for this address was marketed for the one claimed between 20 December 2018 and 2 January 2019, although the contract was signed by a third party other than the claimant, without the claimant's data were not collected or could not be identified.

That, from 3 January 2019, the indicated point of supply will not figure marketed by this marketing company.


On 5 June 2020, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the respondent, with in accordance with Articles 63 and 64 of Law 39/2015 of 1 October on the Common Administrative Procedure for Public Administrations (hereinafter referred to as the "Common Administrative Procedure"), LPACAP), for the alleged violation of Article 6.1 of the GRPD, as defined in Article 83.5 of the RGPD.


Once the above-mentioned agreement was notified, the party complained against presented a brief of
claims that, in summary, after the recruitment process concerning the point of supply, the technical data of the contract were uploaded in the EDP commercial system in order to check the database of the distributors the technical and location data, submitted the request for access to the distributor, who accepted it. At this point they activated the contract, the customer to count on the supply marketed by EDP, a request that
sent to Endesa by the distributor as a request for passive withdrawal.

They add that the claimant has merely complied with its legal obligations and expressly defined at the time of operating the communication of its client.

They also point out that the defendant has not processed the personal data of the claimant.
They request the closure of the proceedings corresponding to the Procedure Sanctioning, dismissing the imposition of any sanctions on the party claimed, for having acted correctly and in accordance with the law in relation to the facts under consideration in these proceedings.

In the alternative, the reduction of the penalty to be imposed on its minimum expression.


On 10 July 2020, the testing period began, to consider the complaint as reproduced for evidential purposes
by the claimant and his documentation, the documents obtained and generated that are part of the file and allegations to the agreement to initiate PS/00132/2020, submitted by the entity denounced.


On 9 September 2020, a motion for a resolution was tabled in the following terms:

That by the Director of the Spanish Data Protection Agency sanction EDP Energía, S.A.U., with NIF A33543547, for an infringement of Article 6.1 of the GPRD, as defined in Article 83.5 of the GPRD, a fine of
(fifty thousand euros).

The proposal for a decision was notified electronically to the respondent, the date of availability on 9 September 2020 and the date of acceptance on that date same day.


On September 23, 2020, you will have access to the electronic headquarters of this Agency the arguments of the respondent to the motion for a resolution in which requests that the proceedings be closed on the grounds that he has acted, he says, in accordance with a Law.

In defence of its claim, the defendant reiterates the allegations made to date formulated in the initial agreement and, in summary, puts forward the following arguments: "In this case, as in all others, EDP has simply complied with the all the time with the specific indications of the CNMC, not counting on the capacity to be able to request the consent required by the SPCA. It adds, that EDP as a marketer has no possibility to access information about the owner of the property, and does not even have the capacity to know the current commercializing the service.

For all these reasons, it has the customer's consent to comply with this obligation. This obligation does not extend to the investigation of the holder and in this case complainant".

The proceedings in these proceedings and the following documents have been accredited



The claimant was the holder of an electricity supply contract with the company Endesa Energía S.A.U., (hereinafter "Endesa Energía") associated with supply point located on the street ***DIRECTION.1 from 21 February 2017 until 19 December 2018, when he was discharged due to a change of trading company and there was also a change of ownership in the mentioned contract, not knowing the name of the latter.


There is a notification from Endesa Energía dated 20/12/2018, participating in the cancellation of the street electricity contract ***DIRECTION.1 


It is stated in the complaint filed with the Provincial Service of Citizenship and Social Rights of the Government of Aragon who have withdrawn from the the electricity bill at Endesa Energía and has been put in the name of another person in EDP, without his consent and that he has been re-registered with Endesa on 03/01/2019.

By virtue of the powers conferred on each of the parties by Article 58(2) of the GDPR authority, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

The defendant is charged with an infringement of Article 6 of the GPRS, "Lawfulness of processing", which states in paragraph 1 the cases in which the processing of third party data is considered lawful:
 "1. Processing shall be lawful only if at least one of the following conditions is met conditions:
a) the data subject has given his consent to the processing of his data for one or more specific purposes;
(b) processing is necessary for the performance of a contract in which the interested is a party to or for the application at his request of measures pre-contractual;
The infraction is typified in Article 83.5 of the RGPD, which considers it as such:
“5. Infringements of the following provisions shall be sanctioned, in accordance with paragraph 2, with administrative fines of up to EUR 20 000 000 or in the case of a company, an amount equivalent to a maximum of 4% of the total annual turnover for the previous financial year, opting for the largest:

(a) The basic principles for treatment, including the conditions for consent under articles 5, 6, 7 and 9.  Organic Law 3/2018, on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD) in its article 72, under the heading "Infringements considered to be very serious" he states:

"In accordance with the provisions of Article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will expire after three years if constitute a substantial breach of the articles mentioned in that one and, in In particular, the following:

b) The processing of personal data without any of the conditions for the lawfulness of processing laid down in Article 6 of Regulation (EU)2016/679.

The documentation in the file provides evidence that the party claimed violated Article 6.1 of the RGPD.
In this sense, it is accredited that the defendant processed the personal data of the claimant without legitimizing it. It is clear that the claimant (marketer the claimant's contract with the company (the
(Endesa Energía), which is done through the number of CUPS that is associated with housing.

It should be taken into account, without prejudice to the above, that the claimed party provides the contract for the change of ownership, for the aforementioned point of supply, but it is noted that it is completed by a person as representative of the new owner. They provide the representative's ID card and the signed contract by the latter, but in no case the consent of the new owner.

And, for this purpose, Law 24/2013, of 26 December, on the electricity sector (in the "Electricity Sector Act"), establishes the consumer's right to change as a marketing company in accordance with the European directives of the internal electricity market.

To this end, the legislation sets out the general process to be followed between the new marketer or incoming marketer, the distributor, and the existing or outgoing marketing company. This change implies the registration of a new energy supply contract with the incoming marketer and the withdrawal of the existing contract with the outgoing marketer, through an agent who executes the change that is the distributor.

Likewise, Article 46 of the Electricity Sector Law establishes among the obligations of marketers, in paragraph 1(g) that of "Formalising the supply contracts with consumers in accordance with the regulations
that is applicable". The mention by the Law of the obligation to formalize the contract between the obligations of the marketers shows that it is the The marketing company is the holder of the supply contract with the consumer. Therefore, corresponds to the marketer and, in the event of a change of marketer, to the
incoming marketer, check the identity and the voluntary, correct and informed provision of consent by the consumer, who is his counterpart in the supply contract.

In this sense, the new marketer (the one claimed) will have to manage the termination of the claimant's contract with its outgoing trading company (Endesa Energía), this is done through the number of CUPS associated with the home. At definitively, it treats your personal data.

Therefore, having established that the data was processed by the respondent the claimant's personal data, who refuses to consent to the processing, and insofar as the first has not provided any evidence to disprove such evidence, it is estimated that the facts submitted for assessment by this Agency constitute a
violation of Article 6.1 of the RGPD, violation of Article 83.5 of the same Regulation 2016/679.


In determining the administrative fine to be imposed, the following must be observed provisions of articles 83.1 and 83.2 of the RGPD, which state "Each supervisory authority shall ensure that the imposition of the fines administrative offences under this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are on a case-by-case basis effective, proportionate and dissuasive".

"Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) In deciding to impose a fine and its amount in each individual case will be duly taken into account:

(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of stakeholders affected and the level of damage and damages they have suffered;
(b) the intentionality or negligence of the infringement;
(c) any measure taken by the controller or processor to mitigate the damages suffered by those concerned;
(d) the degree of responsibility of the person responsible for or in charge of treatment, taking into account any technical or organisational measures that have applied under Articles 25 and 32;
(e) any previous infringement committed by the person responsible for or in charge of the processing
(f) the degree of cooperation with the supervisory authority for the purpose of remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the way in which the supervisory authority became aware of the infringement, in particular whether the person responsible or the person in charge notified the infringement and, in that case, to what extent;
(i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible or the person in charge in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement".

With respect to paragraph k) of Article 83.2 of the RGPD, the LOPDGDD, Article 76, "Sanctions and corrective measures", it provides:
"In accordance with Article 83(2)(k) of Regulation (EU) 2016/679 may also be taken into account:
(a) the continuing nature of the infringement
(b) The link between the activity of the offender and the carrying out of the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
(d) The possibility that the conduct of the data subject may have led to the commission of the offense.
(e) The existence of a post-commission merger process of the infringement, which cannot be attributed to the absorber.
f) Affecting the rights of minors.
g) Having, when not compulsory, a delegate for the protection of data.
h) The submission by the person responsible or in charge, with a to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested."


In deciding whether to impose an administrative fine and the amount of that fine in each case individual will take into account the aggravating and mitigating factors identified in art. 83.2 of the RGPD, as well as any other that may be applicable to circumstances of the case.

Consequently, they have been taken into account as aggravating circumstances:
In the present case we are dealing with negligent action, not intentional, but significant (Article 83.2 b GPRS).
The obvious link between the business activity of the respondent and the processing of personal data of clients or third parties art. 83.2 k) of the RGPD, in relationship with art. 76.2 of the LOPDGDD.

Therefore, in accordance with the applicable legislation and assessed on the basis of graduation of the sanctions whose existence has been accredited, the Director of Spanish Data Protection Agency RESOLVES:

FIRST: To impose to EDP ENERGIA, S.A.U., with NIF A33543547, by a violation of Article 6.1 of the GRPD, as defined in Article 83.5 of the GRPD, a fine 50,000 (fifty thousand euros).

SECOND: NOTIFY this resolution to EDP ENERGIA, S.A.U., with NIF A33543547

THIRD: To warn the sanctioned party that he/she must make effective the sanction imposed by a once this decision becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of 1 October, on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), within the payment period established in art. 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by means of its payment, indicating the tax identification number of the of procedure set out in the heading of this document, in the account restricted No ES00 0000 0000 0000 0000, open on behalf of the Agency
Spanish Data Protection in the bank CAIXABANK, S.A.. Otherwise, it will be collected during the enforcement period.

Once notification has been received and once it has become enforceable, if the enforceability date the deadline for the completion of the registration process is between the 1st and 15th of each month, inclusive.
Voluntary payment will be until the 20th day of the following month or the next business day, and if is between the 16th and the last day of each month, inclusive, the deadline of payment will be made until the 5th of the second following month or immediately thereafter.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public after it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, on an optional basis, an appeal for reversal to the Director of the Spanish Data Protection Agency within a period of month from the day following notification of this resolution or directly contentious-administrative appeal to the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
Contentious-Administrative Jurisdiction, within two months from day following notification of this act, as provided for in Article 46(1) of the referred to Law.

Finally, it is pointed out that in accordance with the provisions of Article 90.3 a) of the LPACAP, the final decision may be suspended in administrative proceedings as a precautionary measure if the person concerned indicates his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency, by submitting it through the Agency's Electronic Register [], or through one of the other registrations provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. Also
must send to the Agency the documentation proving the effective intervention of the contentious-administrative appeal. If the Agency was not aware of the the lodging of the contentious-administrative appeal within two months of day following notification of this resolution, would terminate the precautionary suspension.

Mar España Marti
Director of the Spanish Data Protection Agency