AEPD (Spain) - PS/00139/2023
|AEPD - PS/00139/2023||
|Relevant Law:|Article 6(1) GDPR; Article 83(5)(a) GDPR|
|National Case Number/Name:|PS/00139/2023|
|European Case Law Identifier:|n/a|
|Original Source:|AEPD (in ES)|
The Spanish DPA fined HOLALUZ €70,000 for violating Article 6(1) GDPR: the company processed the data subject's personal data without her consent when it registered the electricity supplies of several of her properties.
English Summary
Facts
Holaluz is an electric power and gas commercialization company. It has three channels for contracting: internet, telephone and commercial networks (with collaboration contracts).
On July 28, 2021 four energy supply contracts were signed up through the collaborator BLANER ENERGY, S.L. for supply points associated with the data subject.
On December 11, 2021 the data subject contacted Holaluz communicating the identity fraud suffered in order to contract with Holaluz, stating that it was not her who signed and subscribed to the agreement.
On May 4, 2022, the data subject initiated a procedure at AEPD against Holaluz for unlawful data processing without her consent, based on the identity theft to contract with Holaluz for electricity contracts.
Allegedly, based on the fraudulent contract between the data subject and Holaluz, the company proceeded with the cancellation of the energy contract the data subject had previously with another energy commercial company, Energía XXI, using her personal data without her consent.
As a result, the electricity supply to one of her four properties subscribed to Energía XXI was discontinued. In addition, the email address given in the contract did not actually belong to the data subject.
Holaluz alleged that it was unable to detect that the contract had been signed without the consent of the data subject, considering that the collaborator appeared to be truthful in the contracting. Holaluz affirmed that it randomly performs a subsequent review of the contracts made by new employees and that Blaner carries out its activities for them both directly and through “sub-agents”.
They also confirmed the deletion of the data subject’s personal data from its database.
Holding
AEPD concluded that Holaluz had registered the electric energy supplies of four properties of the data subject, using her personal data, without her consent and that, on that basis, the processing was unlawful.
AEPD took into account that the data subject had previously subscribed to an energy supply service with Energía XXI and that the contract listed an email address different from the data subject's own.
In addition, although Holaluz has a system for validating the contracts made by its employees and commercial partners, AEPD considered that there is no evidence that the validation was carried out correctly in this case, since the contracts were submitted unsigned and the validation e-mail was sent to an address that did not belong to the data subject.
The AEPD pointed out a violation of Article 6(1) GDPR by processing data without an adequate basis of legitimacy, since the data subject had not given her consent to carry out such contracts. It was determined that personal data were incorporated into the company's information system without accrediting a legitimate contract, and therefore the processing was unlawful, leading to a fine of €70,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

File No.: EXP202203969

RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: On April 20, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanction proceedings against HOLALUZ-CLIDOM, S.A. (hereinafter the claimed party). Once the initiation agreement has been notified and after analyzing the allegations presented, on June 19, 2023, the proposal for resolution which is transcribed below:

<< File No.: EXP202203969

PROPOSED RESOLUTION OF SANCTION PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following:

BACKGROUND

FIRST: Ms. A.A.A. (hereinafter, the claiming party) dated March 2, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against HOLALUZ-CLIDOM, S.A. with NIF A65445033 (in forward, the claimed or Holaluz). The reasons on which the claim is based are the following: The complaining party states that Holaluz has registered the energy supplies electricity of four properties that the claimant had previously signed with the marketer Energía XXI using your personal data, without your consent. In addition, the complaining party indicates that it became aware of such a situation in the month of December 2021 when the supply cut occurred in one of the estate. And, provide the following relevant documentation: - Allegations made by Holaluz, on February 2, 2022, in which states that it has sent the claimant an agreement on which it has not received reply. 
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), said claim was transferred to Holaluz, so that proceed to its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on April 5, 2022 as stated in the acknowledgment of receipt in the file. On April 28, 2022, this Agency received a written response indicating: - That it is a marketer of electricity and gas. It also has of three channels for contracting: internet, telephone, and sales network. With the latter sign collaboration contracts. - That on July 28, 2021 they registered through the collaborator BLANER ENERGY, S.L (hereinafter Blaner) four supply points associated with the claimant. The coding of said supply points (CUPS) is: ***ENCODING.1, ***ENCODING.2, ***ENCODING.3, and ***ENCODING.4. - That, due to the fact that the employee appeared to be truthful in the hiring, he did not was able to detect that said contract had been carried out without the consent of the holder, until the complaining party revealed it. - That they appear in the Holaluz database (“since they are the same incorporated by the collaborator") associated with the complaining party the email ***USER.email@example.com and the phone number ***PHONE.1. - That within the framework of the contracting, the conditions to the email address linked to the consigned claimant in the contract for validation. The latter issue which, as indicated, was done. 
- That the problem that occurred was that the e-mail address consigned in the contract did not actually belong to the owner, but rather was "knowingly facilitated by the Collaborator to perpetuate his fraud, something that, in principle, it was impossible to detect on this side, despite the mechanisms of established controls”. - That on December 11, 2021 the claimant contacted the defendant communicating the identity theft suffered in the execution of said hires. - That he contacted the collaborator in order to clarify the facts on the 17th of January 2022 and, after no response, again on January 24, 2022. - That as a measure to prevent this type of event from occurring, it randomly performs a subsequent review of the quality of the calls and the discharges made by new collaborators. It states that the protocol consists of the internal customer service agents of the defendant call a significant percentage of new customers contributed by commercial channels with whom a collaboration contract had been signed the previous month. - That it proceeds to delete the personal data of the claimant from its databases. Relevant documentation provided by Holaluz: - Contract for the provision of services signed on March 30, 2017 between CLIDOM ENERGY, S.L. and Blaner whose object includes the processing of customer registrations in relation to the supply of electrical energy (hereinafter Collaborator Contract#2). - Email dated January 17, 2022 addressed from firstname.lastname@example.org to ***USUARIO.email@example.com in which the claim received in relation to the contracted CUPS. In it it is stated that “the contracts were validated from an email that is not yours ***USUARIO.firstname.lastname@example.org" and information is requested in this regard. 
- Email dated January 24, 2022 addressed from email@example.com to ***USUARIO.firstname.lastname@example.org in which it communicates that has to deal with the claim since it does not have the "sales call" and expresses that "the channel will have to take charge of the invoices until the date of low".

THIRD: On May 4, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in matter, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes:

RESULT OF INVESTIGATION ACTIONS

Holaluz, in its response to the transfer made by the AEPD, stated that on the 28th of July 2021, the supply points were registered through the collaborator Blaner associated with the claimant that are the subject of controversy. In relation to these contracts, both Holaluz and Blaner have provided the following documents (document annexed to the Writ under the name of "Contracts", and annex II the EscritoBlaner): Four documents are provided with the documentation mentioned in the aforementioned paragraphs and that each of them refers to each of the four supply points Blaner has confirmed that he carries out the activity of a collaborator of the defendant through of the telephone and face-to-face sales channels. It also states that it exercises its activity for the claimed both directly and through "subagents". So, expresses that the contracts that are the subject of controversy were carried out through the subagent (...). 
FIFTH: According to the report collected from the AXESOR tool, the entity HOLALUZ-CLIDOM, S.A. is a large company established in 2010, and with a turnover of 564,590,423 euros in the year 2021. SIXTH: On April 20, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR. SEVENTH: Notification of the aforementioned initiation agreement in accordance with the established regulations in Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), the claimed party submitted a written of allegations in which it repeats the response to the request dated April 28, 2022, in summary, stated that: <<that, in relation to the possible violation of the principle of legality, although it is true that HOLALUZ-CLIDOM, S.A, hereinafter (CLIDOM) responds and identifies with the definitions referring to the person responsible for treatment in articles 4 and 24.1 of the GDPR, it is before the contractual relationship that exists with Blaner Energy 2 S.L. (hereinafter, "Blaner") for the purposes of the contract of signed with it on March 30, 2017 and updated on December 1, 2017. December 2021 for the performance of contract promotion services supply of electricity and acquisition of potential customers, which is attached for the record for the appropriate purposes as Document number 1 and 2 respectively. For the fulfillment of the contract, the processing of personal data is required physical, since Blaner must capture potential clients so that they register with CLIDOM's energy supply services. 
Notwithstanding the foregoing, it is important to emphasize that, in the contract signed between the two parties, CLIDOM, as responsible for the treatment, included, as a contractual obligation, Blaner, as of treatment manager, the proactive responsibility of collecting the consent of the interested parties in accordance with the requirements of the GDPR. That, in this case, a commercial hired by Blaner, posing as A.A.A. (hereinafter, the Client), registered in CLIDOM the supply points with CUPS ***ENCODING.1; ***ENCODING.2; ***ENCODING.3; ***ENCODING.4, respectively. which, as can be verified The commercial then validated both contracts with his own email (***USUARIO.email@example.com), thus perpetuating recruitment fraud: That the person in charge Blaner, acted against the instructions of CLIDOM as soon as to the obligation to obtain the consent of the interested parties since, this supplanted the identity of the affected party and, in addition, signed an invalid consent without could comply with the principles of transparency, freedom and express consent. Therefore, Blaner being fully responsible for the negligent actions of your provider, for breach of article 6.1 of the GDPR. That is why, on May 10, my client sent an email addressed to Blaner requesting again the documentation that accredits the hiring -since it had already been required on previous occasions-. Likewise, a reminder of the contractually established obligations was made that concern the Collaborator. Next, Blaner was contacted again on May 12 after the negative response from the latter. The email chain between the two parties involved is attached as Document number 3. CLIDOM has implemented verification and assurance measures for the actions entrusted to Blaner, thus complying with the principle of proactive responsibility. 
Likewise, in order to comply with the principle of proactive responsibility, we also Blaner is requested documentation proving that the interested party has consented to the treatment of your data for the management of the contracting of your supply of energy. In addition, and again to comply with the principle of responsibility proactively, CLIDOM establishes in its Annex IV different measures to control the quality of services provided by Collaborators, among which are verification of the privacy, security and confidentiality policies applied by the Collaborators, verification of the security controls applied by Collaborators to their subcontractors, etc. Finally, CLIDOM sent the document related to the "Recruitment and activation procedures" to all its Collaborators whose content establishes the clear guidelines set by the Company for the formalization of contracts. In the present case, on February 17, Blaner was sent the email attaching the aforementioned document. It is provided as Document number 5, the document regarding the Procedures and as Document number 6 the email sent to Blaner. Request. - That, taking this document as presented, it is served to admit it, and, by virtue, Consider that the allegations against the Commencement Agreement have been presented in a timely manner and, in view of the foregoing statements, issue a resolution by which, Estimating these allegations, disciplinary procedure No. EXP202203969 is archived>>.

EIGHTH: On May 17, 2023, the instructor of the procedure agreed practice the following tests: <<1. They are reproduced for probative purposes the claim filed by Ms. A.A.A. and its documentation, the documents obtained and generated during the phase of admission to processing of the claim, and the report of previous investigation actions that are part of the procedure AI/00230/2022. 2. 
Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement to initiate the aforementioned sanctioning procedure, presented by HOLALUZ-CLIDOM, S.A., and the documentation that they accompanies. The result of these tests may lead to other tests>>. NINTH: A list of documents in the file is attached as an annex. procedure. PROVEN FACTS Of the actions carried out in this procedure and of the information and Documentation presented has proven the following facts: First: Holaluz, on July 28, 2021, registered through its collaborator Blaner four supply points associated with the claimant. The encoding of said supply points (CUPS) is: ***CODE.1, ***CODE.2, ***CODE.3, and ***CODE.4 that the claimant previously had subscribed with the marketer Energía XXI using their personal data, without your consent. Second: It is verified that the contracting process implies the sending for its validation, via email, of the contractual conditions to the email address linked to the holder in the contract itself. Third: That in the Holaluz database associated with the complaining party there are the email ***USER.firstname.lastname@example.org and the telephone number ***TELEPHONE 1. Fourth: It is proven that the email address stated in the contract does not It actually belonged to the owner. Fifth: It is verified that in the email dated January 17, 2022 addressed from email@example.com to ***USUARIO.firstname.lastname@example.org the claim received in relation to the contracted CUPS. In it it is stated that “the contracts were validated from an email that is not yours ***USUARIO.email@example.com" and information is requested in this regard. 
Sixth: It is verified in the email dated January 24, 2022 addressed from firstname.lastname@example.org to ***USUARIO.email@example.com it is communicated that has to address the claim since it does not have the "sales call" and expresses that "the channel will have to take charge of the invoices until the cancellation date."

FUNDAMENTALS OF LAW

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures."

II Arguments to the initiation agreement

As stated by the claimant in its statement of claim dated March 2 of 2022, that Holaluz has registered the electrical energy supplies of four properties that the claimant had subscribed with the marketer Energía XXI using your personal data without your consent Definitely. The claimant denounces identity theft to contract with Holaluz four contracts of light. The defendant alleges that the hiring was done by his in charge of the treatment fraudulently by stating an address of email different from the one the claimant has. 
Well then, the defendant has planned a contract validation system that carried out by those in charge, and although it indicates that in the present case the validation correctly, there is no evidence in this regard, since it sends the contracts without signing as well as sending the email for such validation, but there is no evidence that such validation has been performed by someone. It is proven that the defendant processed the personal data of the claimant without legitimacy for it. It is clear that Holaluz (incoming marketer) had to manage the withdrawal of the claimant's contracts with the outgoing marketer (Energía XXI), which is done through the number of CUPS that is associated with the households. Law 24/2013, of December 26, of the electricity sector (hereinafter, "Law of the Electric"), establishes the consumer's right to change company marketer in accordance with the provisions of the European directives of the market electricity inside. For this, the regulations establish the general process that must be carried out between the new marketer or incoming marketer, the distributor and the existing marketer or outgoing marketer. Said change implies the registration of a new energy supply contract with the incoming retailer and the deregistration of the existing contract with the outgoing marketer, through an agent who execute the change that is the distributor. Likewise, article 46 of the Electricity Sector Law establishes among the obligations of the marketers, in its section 1 letter g) that of "Formalize the contracts of supply with consumers in accordance with the regulations that result of application". The mention by the Law of the obligation to formalize the contract between the obligations of the marketers shows that it is the marketer the holder of the supply contract with the consumer. 
Therefore, corresponds to the retailer and, in the event of a change of retailer, to the incoming marketer, verify the identity and the voluntary, correct and informed provision of consent by the consumer, who is his counterpart in the supply contract. In this sense, the new marketer (the defendant) will have to manage the cancellation of the claimant's contract with its outgoing retailer (Energía XXI), which is It is done through the CUPS number that is associated with the home. Definitely, treats your personal data. Thus, having been accredited that the defendant processed the personal data of the claimant, who denies her consent to the treatment, and while the first has not provided any evidence to disprove such evidence, it is estimated that the facts that are submitted to the evaluation of this Agency could constitute an infringement of article 6.1 of the GDPR, infringement typified in article 83.5 of the aforementioned Regulation 2016/679. II breached obligation Article 6.1 of the GDPR establishes the assumptions that allow the use of processing of personal data. "1. Processing will only be lawful if it meets at least one of the following conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect vital interests of the data subject or of another Physical person. 
e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person in charge of the treatment or by a third party, provided that on said interests do not outweigh the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions.” On this question of the legality of the treatment, Recital 40 also affects of the aforementioned GDPR, when it provides that "For the treatment to be lawful, the Personal data must be processed with the consent of the interested party or on some other legitimate basis established in accordance with Law, either in the present Regulation or by virtue of another Law of the Union or of the Member States to which referred to in this Regulation, including the need to comply with the legal obligation applicable to the data controller or the need to perform a contract with to which the interested party is a party or in order to take measures at the request of the concerned prior to the conclusion of a contract." In relation to the above, it is considered that there is evidence that the treatment data of the claimant object of this claim has been made without a legitimizing cause among those collected in article 6 of the GDPR. 
The GDPR applies to personal data, which is defined as "personal data": any information about an identified or identifiable natural person ("data subject"); An identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as for example a name, an identification number, location data, a online identifier or one or more elements of physical identity, physiological, genetic, psychological, economic, cultural or social of said person. The documentation in the file shows that the defendant violated the Article 6.1 of the GDPR, since it processed the personal data of the claimant without having any standing to do so. The personal data of the claimant were incorporated into the company's information systems, without that he has proven that he had contracted legitimately, disposed of his consent to the collection and further processing of your personal data, or there was some other cause that would make the treatment carried out lawful. The personal data of the claimant were registered in the files of the claimed and were processed for the issuance of invoices for services associated with the claimant. Consequently, it has processed personal data without that has accredited that it has the legal authorization to do so. Article 6.1 of the GDPR states that processing "will be lawful if it is necessary for the performance of a contract to which the interested party is a party". It was therefore essential that the defendant prove to this Agency that the claimant had contracted with it for the supply of electricity; that at the time of the recruitment had deployed (through its treatment manager) the diligence that the circumstances of the case required to ensure that the person who canceled the service with the marketer "Energía XXI", registering with Holaluz was indeed its headline. 
It should be noted that the defendant in his response to the request for information of this Agency dated April 28, 2022 and in its allegations to the Agreement of Start dated May 16, 2023 acknowledges that the email address consigned in the contract did not actually belong to the owner, but was “knowingly facilitated by the Collaborator to perpetuate his fraud, something that, in principle, it was impossible to detect on this part, despite the control mechanisms established”. Email dated January 17, 2022 addressed from firstname.lastname@example.org to ***USUARIO.email@example.com in which the claim received in relation to the contracted CUPS. In it it is stated that “the contracts were validated from an email that is not yours ***USUARIO.firstname.lastname@example.org" and information is requested in this regard. Email dated January 24, 2022 addressed from email@example.com to ***USUARIO.firstname.lastname@example.org in which it communicates that has to deal with the claim since it does not have the "sales call" and expresses that "the channel will have to take charge of the invoices until the date of low". Well then, Holaluz has planned a contract validation system that carried out by those in charge, and although it indicates that in the present case the validation correctly, there is no evidence in this regard, since it sends the contracts without signing as well as sending the email for such validation, but there is no certainty that such validation has been performed. Hence, the defendant does not accredit a basis of legitimacy for the treatment of the data of the complaining party. 
In this sense, Recital 40 of the GDPR states: "(40) For processing to be lawful, personal data must be processed with the consent of the interested party or on some other established legitimate basis in accordance with Law, either in this Regulation or under another Law of the Union or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the data controller treatment or the need to execute a contract in which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract."

IV. Classification and classification of the offense

In accordance with the evidence available at the present time of agreement to start the disciplinary procedure, and without prejudice to what results from the instruction, it is considered that the facts exposed fail to comply with the provisions of the article 6.1 of the GDPR, so it could mean the commission of an infringement typified in article 83.5 of the GDPR, which provides the following: Violations of the following provisions will be penalized, in accordance with the paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The basic principles for the treatment, including the conditions for the consent in accordance with articles 5, 6, 7 and 9.” The LOPDGDD, for the purposes of the prescription of infringements, qualifies in its article 72.1 of very serious infractions, being in this case the limitation period of three years, "b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679”. 
V Sanction proposal

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the GDPR, precepts that state: "Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 9 and 6 are effective in each individual case, proportionate and dissuasive.” "Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case shall be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infraction; c) any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the potential adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what extent; i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the 
person in charge in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76, "Sanctions and corrective measures", provides: "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of data processing. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected party could have led to the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the violation, which cannot be attributed to the absorbing entity. f) The affectation of the rights of minors. g) Have, when it is not mandatory, a data protection delegate. h) Submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between those and any interested party.” In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the fine to impose on the defendant, as responsible for an infraction typified in article 83.5.a) of the GDPR, in an initial assessment, the following are considered concurrent factors: - The seriousness of the infringement taking into account the scope of the operation of treatment, circumstance provided for in article 83.2.a) GDPR. 
This circumstance is significant in the case examined, in which several electricity supply contracts were involved to which the defendant would have linked the claimant's personal data, together with the issuance of the corresponding invoices.

- "The link between the activity of the offender and the performance of personal data processing", a circumstance provided for in article 76.2.b) LOPDGDD in connection with article 83.2.k) GDPR. The business activity of the defendant necessarily involves processing personal data. This characteristic of its business activity reinforces the diligence it must exercise in complying with the principles that govern the processing of personal data, and the quality and effectiveness of the technical and organizational measures that must be implemented to guarantee respect for this fundamental right.

As a circumstance that mitigates liability, without prejudice to what results from the instruction, the one provided for in article 83.2.c) GDPR is considered at this phase of the procedure: "any measure taken by the controller or processor to alleviate the damages and losses suffered by the interested parties". It immediately proceeded to manage the cancellation of the services and the payment of the billed amounts.

It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of 70,000 € for violation of article 83.5 a) GDPR.

In view of the foregoing, the following is issued

PROPOSED RESOLUTION

That the Director of the Spanish Agency for Data Protection sanction HOLALUZ-CLIDOM, S.A., with NIF A65445033, for a violation of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR, with a fine of 70,000 euros (seventy thousand euros).
Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you are informed that you may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 56,000 euros and its payment will imply the completion of the procedure. The effectiveness of this reduction will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.

In case you choose to proceed to the voluntary payment of the amount specified above, in accordance with the provisions of the aforementioned article 85.2, you must make it effective by depositing it in the restricted account no. ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause, for voluntary payment, of the reduction of the amount of the sanction. You must also send the proof of deposit to the Sub-Directorate General of Inspection in order to proceed to close the file.

By virtue of this, you are notified of the foregoing, and the procedure is disclosed to you so that within TEN DAYS you can allege whatever you consider appropriate in your defense and present the documents and information that you deem pertinent, in accordance with article 89.2 of the LPACAP.

B.B.B.
INSPECTOR/INSTRUCTOR

EXHIBIT
File index EXP202203969

03/02/2022 Claim by A.A.A.
03/30/2022 Claim by A.A.A.
03/31/2022 Transfer of claim to HOLALUZ-CLIDOM S.A.
04/28/2022 Response to HOLALUZ-CLIDOM SA requirement
05/04/2022 Admission for processing to A.A.A.
06/22/2022 Information request HolaLuz to HOLALUZ-CLIDOM, S.A.
07/28/2022 Response to HOLALUZ-CLIDOM SA requirement
02/06/2023 ORANGE requirement to ORANGE ESPAGNE, S.A.U.
02/06/2023 TELEFONICA request to TELEFÓNICA DE ESPAÑA, S.A.U.
02/08/2023 DEUTSCHE requirement to DEUTSCHE BANK, S.A.E.
02/08/2023 Request TELEFÓNICA MOVILES to TELEFÓNICA MÓVILES ESPAÑA, S.A.U.
02/09/2023 Postal Blaner Requirement to BLANER ENERGY S.L.
02/09/2023 Blaner requirement to BLANER ENERGY S.L.
02/09/2023 HolaLuz 2 requirement to HOLALUZ-CLIDOM, S.A.
02/09/2023 Diligence References
02/13/2023 Allegations of C.C.C.
02/14/2023 Response to DEUTSCHE BANK SAE requirement
02/17/2023 Allegations of D.D.D.
02/17/2023 Response to D.D.D.
02/24/2023 Response to HOLALUZ-CLIDOM SA requirement
03/03/2023 Communication from BLANER ENERGY, LIMITED PARTNERSHIP
03/06/2023 Blaner 2 requirement to BLANER ENERGY S.L.
03/06/2023 DRC requirement to E.E.E.
03/23/2023 Information on planned actions
04/20/2023 Commencement agreement to HOLALUZ-CLIDOM, S.A.
04/24/2023 Information. Claimant to A.A.A.
05/05/2023 HOLALUZ-CLIDOM SA term extension request
05/08/2023 Amp. Term to HOLALUZ-CLIDOM, S.A.
05/16/2023 Allegations of HOLALUZ-CLIDOM SA
05/16/2023 Communication from HOLALUZ-CLIDOM SA
05/17/2023 Notification p. tests to HOLALUZ-CLIDOM, S.A.
>>

SECOND: On July 1, 2023, the claimed party proceeded to pay the penalty in the amount of 56,000 euros, making use of the reduction provided for in the proposed resolution transcribed above.

THIRD: The payment made entails the waiver of any action or appeal against the sanction, in relation to the facts referred to in the proposed resolution.
FUNDAMENTALS OF LAW

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in disciplinary proceedings", provides the following:

"1. Once a disciplinary procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second has been justified, the voluntary payment by the presumed perpetrator, at any moment prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction. The percentage reduction provided for in this section may be increased by regulation."

According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202203969, in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to HOLALUZ-CLIDOM, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

968-171022
Mar España Martí
Director of the Spanish Data Protection Agency