AEPD (Spain) - PS/00218/2023
|Relevant Law:||Article 6(1) GDPR; Article 83(5) GDPR|
|Parties:||SUMINISTRADOR IBERICO DE ENERGIA S.L.|
|National Case Number/Name:||PS/00218/2023|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA fined másLUZ Energía (SIE) €70,000 for violating Article 6(1) GDPR as it unlawfully processed personal data after the cancellation of an energy and gas supply contract.
English Summary
Facts
On 14 July 2021 the data subject mistakenly signed a contract with másLUZ Energía (marketed by SUMINISTRADOR IBÉRICO DE ENERGÍA - SIE) through an SMS. As he later realized that másLUZ Energía was posing as the complainant's own energy supplier, he requested the cancellation of the contract for gas supply on 10 August 2021 and for electricity supply on 26 August 2021.
Nonetheless, másLUZ Energía (SIE), the controller, continued issuing energy consumption invoices to the data subject, which were automatically paid via his bank account. Further, in January 2022, the controller again changed the electricity contract without consent of the data subject. On 24 April 2022, the data subject filed a complaint with the Spanish DPA against SIE.
Holding
The Spanish DPA took into account the certification of the digital signature of the supply contract, concluded with másLUZ Energía (SIE) by SMS on 14 July 2021, and the resulting registration for the services in August 2021. The DPA also acknowledged the data subject's requests to withdraw from the contract for gas supply on 10 August 2021 and for electricity supply on 26 August 2021.
The controller was able to provide evidence (through call recordings and SMS) of the contract, but only with respect to the contract signed on 14 July 2021, from which the claimant withdrew on 10 and 26 August 2021 respectively. However, the controller failed to adduce evidence of the contract of January 2022, according to which two invoices were issued by másLUZ Energía (SIE) between 8 and 18 January 2022, and another one with consumption made between 19 January and 11 February 2022. The controller thus failed to provide a legitimate basis for processing activities that took place after the data subject withdrew from the contract.
Accordingly, the Spanish DPA held that the processing activities carried out after cancellation of the contract lacked a legal basis under Article 6(1) GDPR. In light of this, the DPA issued a fine of €70,000 to másLUZ Energía (SIE) by virtue of Article 83(5) GDPR for unlawful processing activities in violation of Article 6(1) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202205932

RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: Ms. A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on April 24, 2022. The claim is directed against Suministrador Ibérico de Energía, S.L. with NIF B67421867 (hereinafter, the claimed party or SIE). The reasons on which the claim is based are the following:

The claimant states that in August 2021 she supposedly signed a contract with Mas luz Energía (SIE) through an SMS, the latter having posed as her marketing company. Later, she realized what had happened and requested the cancellation of the contract. Mas luz Energía (SIE) issued three invoices, which she paid, despite not having given her consent to the change of marketing company.

Without her authorization or consent, in January 2022 Mas luz Energía (SIE) once again changed her electricity marketer. She adds that she learned of this from the direct debit of an electricity bill charged to her account under the name of SIE; she further indicates that she asked her bank to refund the invoice amount, since she did not recognize the charge, so that this company would not charge her account again, and points out that the paper bill arrived a week or two later, this time under the name of Mas Luz Energía.

She provides the following relevant documentation:

- Invoice from the Reference Regulated Marketer, with a consumption period from December 14 to January 7, 2022.
- Mas Luz Energía invoice, from January 8, 2022 to January 18, 2022.
- Mas Luz Energía invoice, from January 19 to February 11, 2022.
- Invoice from the Reference Regulated Marketer, from February 11, 2022 to the 23rd of the same month and year.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party so that it could proceed with its analysis and inform this Agency, within a period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on June 7, 2022, as appears in the acknowledgment of receipt that is in the file.

On July 7, 2022, this Agency received a response letter indicating:

<<It is necessary to indicate that the procedures for formalizing the electricity supply contract in SIE require, logically, verification and authentication of the client's expression of will to proceed with the signing of the contract.

This implies that, when a telemarketing service provider formalizes a supply contract on behalf of SIE, it must provide the recording of the sale. In this way, SIE can verify that the contracting has been carried out in an appropriate manner.

After reviewing the recordings of the phone call, we have been able to check that the salesperson at no time said he worked for the third-party company in question, but carried out the contracting process indicating to the Claimant that said contracting would be carried out with MAS LUZ ENERGÍA, which is a brand marketed by SIE.

Regarding the origin of the personal data referred to by the Claimant, the following considerations should be made about the contracting process when this is carried out by a company that provides telemarketing services.
▪ The telemarketing service provider transfers to SIE the personal data of interested parties to whom SIE products and services will be offered. Subsequently, the telemarketing service provider acts as responsible for the processing of SIE for carrying out the activities of offering its products and services and contracting the corresponding products and services.

▪ However, the telemarketing service provider can only carry out commercial actions on those interested parties who have provided their consent to the transfer of their personal data to SIE for this purpose.

Taking into account the above, SIE cannot determine where the telemarketing service provider obtained the personal data of the Claimant, since it obtained them as a controller independent of SIE.

At the time of signing the contract for the provision of services, said telemarketing service provider undertook to transfer only the personal data of those interested parties who had given their consent for said purpose. Additionally, the service provider undertook to inform interested parties duly, and in accordance with the data protection regulations, of the transfer of their data to SIE.
However, as reflected in the first section of this document, it has been confirmed that the contracting was carried out by informing the Complainant that it was being made with MAS LUZ ENERGÍA, which is a brand marketed by SIE, and not with the supplying company with which she had contracted the electricity supply at that time.

For this reason, and although in this case it has been possible to determine, after the investigations made, that their actions have been in accordance with personal data protection regulations, because incidents of a different nature have been detected in the procedure for contracting its services, SIE has adopted as a measure the total paralysis of the contracting procedure for its services since March 4, 2022>>.

THIRD: On July 14, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points:

RESULT OF THE INVESTIGATIVE ACTIONS

1.- Products or services contracted by the client.

Products contracted by A.A.A. are:

|Product||Date of registration||Date of cancellation||Cause of cancellation|
|Supply of electricity||***DATE.1||***DATE.3||Withdrawal by customer|
|Gas supply||***DATE.2||***DATE.4||Withdrawal by customer|

2.- List of invoices issued, indicating those that are unpaid and the debt that, if applicable, the complaining party maintains with the entity.
The claimed party provides a copy of the invoices issued for the supply of electricity, which show no outstanding debt.

It provides a copy of the invoices issued for the gas supply, which show a pending debt for this product of XX €.

From the analysis of the invoices provided, it appears that there are two invoices, one for consumption between January 8, 2022 and January 18, 2022 and another for consumption between January 19, 2022 and February 11, 2022, after the date of withdrawal from the gas and electricity services carried out in August 2021.

3.- Copy of the recording or contract signed by the claimant.

The telephone contracting procedure consists of two phases: a first phase in which the interested party expresses to the teleoperator her willingness to contract, and a second phase in which the interested party must complete the contracting process by signing the contract through the sending of an SMS.

In order to verify the contracting processes, telemarketing service providers are required to provide both documents: the recording and the certification of the digital signature through the corresponding certificate.

They provide a recording of the claimant in which she accepts the contracting of the electricity services.

And they provide certification of the digital signature of the supply contract by the sending of an SMS. This certificate states that the contractor has carried out the following communications by SMS, email and WEB messages:

1. Sending: SMS message on 2021-07-14 17:37 CET to the mobile number ***PHONE.1 with sender ***PHONE.2 with the following text: "MASLUZ ENERGIA (Insignia Gas SL). To read the pre-contractual information and confirm the contract, accept at https://masluz.pulsa.me/h8175-id or reply OK to this SMS"

2.
The "I accept" button contained on the WEB page was pressed at 2021-07-14 17:38 CET from address ***IP.1

FIFTH: According to the report collected from the AXESOR tool, the entity Suministrador Ibérico de Energía, S.L. is a microenterprise established in 2019, with a business volume of 247,757 euros in 2020.

SIXTH: On May 22, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, for the alleged violation of Article 6.1 of the RGPD, typified in Article 83.5 of the GDPR.

SEVENTH: Notice of the initiation agreement was given through the Single Enabled Electronic Address service (DEHÚ), which certifies: “expired on June 3, 2023.” There is no evidence that the claimed party has submitted written allegations regarding it.

Article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), a provision of which the claimed party was informed in the agreement to open the procedure, establishes that if allegations are not made within the established period regarding the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, it may be considered a resolution proposal. In this case, the agreement to initiate the sanctioning file determined the facts in which the imputation materialized, the violation of the RGPD attributed to the claimed party and the sanction that could be imposed. Therefore, taking into consideration that the claimed party has not made allegations to the agreement to initiate the file, and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case as a proposed resolution.

In view of all the actions carried out, the Spanish Data Protection Agency considers the following to be proven facts in this procedure:

PROVEN FACTS

1st.
The claimant filed a claim with this Agency on April 24, 2022, in which it is stated that in August 2021 she supposedly signed a contract with Mas luz Energía (SIE) via an SMS, the claimed party having passed itself off as her marketing company.

2nd. There is certification of the digital signature of the supply contract by the sending of an SMS with SIE on July 14, 2021 and, with this, the registration in the services in August 2021; and, on the other hand, the entity's records show her withdrawal on August 10, 2021 for the gas service and on August 26, 2021 for the electricity supply.

3rd. SIE does not accredit the new contracts; the claimed party provides two invoices for consumption made by the complaining party between January 8 and 18, 2022 and another for consumption made between January 19 and February 11 of the same year, after the date of cancellation of the gas and electricity services carried out in August 2021.

FOUNDATIONS OF LAW

I

Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures".

II

Unfulfilled obligation

Article 6.1 of the RGPD establishes the assumptions that allow the processing of personal data.

"1.
The treatment will only be legal if it meets at least one of the following conditions:

a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;
b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at his request of pre-contractual measures;
c) the processing is necessary for compliance with a legal obligation applicable to the person responsible for the treatment;
d) the processing is necessary to protect vital interests of the interested party or another natural person;
e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller;
f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that the interests or fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail over said interests, in particular when the interested party is a child.

The provisions of letter f) of the first paragraph will not apply to the treatment carried out by public authorities in the exercise of their functions."

Recital 40 of the aforementioned RGPD also bears on this question of the legality of the treatment, when it provides that "For the treatment to be lawful, personal data must be processed with the consent of the interested party or on any other legitimate basis established in accordance with law, whether in the present Regulation or under other law of the Union or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the person responsible for the treatment or the need to execute a contract to which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract."

In relation to the above, it is considered that there is evidence that the processing of the claimant's data that is the subject of this claim has been carried out without any of the legitimizing grounds included in article 6 of the RGPD.

The GDPR applies to personal data, which is defined as “personal data”: any information about an identified or identifiable natural person (“the interested party”); an identifiable natural person will be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of said person.

It has been verified that there is certification of the digital signature of the supply contract by the sending of an SMS with SIE on July 14, 2021 and, with this, she was registered in the services in August 2021; and, on the other hand, the entity's records show her withdrawal on August 10, 2021 for the gas and on August 26, 2021 for the electricity supply.
It should be noted that SIE does not accredit new contracts; the claimed party provides two invoices for consumption made by the complaining party between January 8 and 18, 2022 and another for consumption made between January 19 and February 11 of the same year, after the date of cancellation of the gas and electricity services carried out in August 2021.

In short, SIE provides evidence (recording and SMS) of the contracting, but only regarding the contract made on July 14, 2021, from which the claimant withdrew on August 10, 2021 with respect to the gas and on the 26th of the same month and year with respect to the electricity service.

However, it does not provide justification for the contracting that was carried out in January 2022, and the claimed party provides two invoices for consumption made by the complaining party between January 8 and 18, 2022 and another for consumption made between January 19 and February 11 of the same year, after the date of withdrawal from the gas and electricity services carried out in August 2021; consequently, the latter are not justified.

Hence, the claimed party does not prove a basis of legitimacy for the processing of the data of the complaining party.
III

Typification and classification of the offense

In accordance with the evidence available, it is considered that the facts presented do not comply with the provisions of article 6.1, so they could involve the commission of the infraction classified in article 83.5 of the RGPD, which provides the following:

"Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the largest amount:

a) the basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9."

The LOPDGDD, for the purposes of the prescription of infractions, classifies in its article 72.1 as very serious infractions, the limitation period in this case being three years: “b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679”.

IV

Sanction

In order to establish the administrative fine that should be imposed, the provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which indicate:

"1. Each supervisory authority will ensure that the imposition of administrative fines under this article for violations of this Regulation indicated in sections 4, 5 and 6 is in each individual case effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j).
When deciding to impose an administrative fine and its amount in each individual case, due account will be taken of:

a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that they have applied under articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."

In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, establishes that:

"2.
In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of personal data processing.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the commission of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party."

In accordance with the transcribed precepts, in order to set the amount of the fine to be imposed in the present case for the infraction classified in article 83.5.a) of the RGPD for which the claimed party is held responsible, the following aggravating factors are considered concurrent:

- The evident link between the business activity of the defendant and the processing of personal data of clients or third parties (article 83.2.k of the RGPD in relation to article 76.2.b of the LOPDGDD).

The Judgment of the National Court of 10/17/2007 (rec. 63/2006), with respect to entities whose activity entails continuous processing of client data, indicates that “…the Supreme Court has been understanding that imprudence exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence.
And in the assessment of the degree of diligence, special consideration must be given to the professionalism or otherwise of the subject, and there is no doubt that, in the case now examined, when the appellant's activity involves constant and abundant handling of personal data, rigor and exquisite care in complying with the legal provisions in this regard must be insisted upon.”

The balance of the circumstances contemplated in article 83.2 of the RGPD, with regard to the infraction committed by violating the provisions of article 6.1 of the GDPR, allows a fine of 70,000 euros (seventy thousand euros) to be set.

Therefore, in accordance with the applicable legislation and having evaluated the criteria for graduating the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L., with NIF B67421867, for a violation of Article 6.1 of the RGPD, typified in Article 83.5 of the GDPR, a fine of 70,000 euros (seventy thousand euros).

SECOND: NOTIFY this resolution to SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L.

THIRD: Warn the sanctioned party that it must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the executive period.
Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the immediately following business day, and if it is between the 16th and the last day of each month, both inclusive, the payment period will run until the 5th of the second following month or the immediately following business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution in administrative proceedings may be provisionally suspended if the interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it will terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Data Protection Agency