AEPD (Spain) - PS/00220/2020

From GDPRhub
AEPD - PS/00220/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(d) GDPR
Article 17 GDPR
Article 83(2)(b) GDPR
Article 83(2)(g) GDPR
Article 83(5)(a) GDPR
Article 83(5)(b) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 21.01.2021
Published:
Fine: 100000 EUR
Parties: IBERDOLA CLIENTES, SAU
National Case Number/Name: PS/00220/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve

The Spanish DPA (AEDP) has imposed two fines of €50,000 on IBERDROLA CLIENTES, SAU for infringement of Article 5(1) GDPR and 17 GDPR respectively.

English Summary

Facts

A former IBERDROLA client complained to the Spanish DPA (AEPD) that the electricity supply company did not respond to his requests to delete his personal data.

The claimant moved house and informed the company of the change of address for notification purposes. Even so, the company continued to send letters to the previous address.

The claimant, in the same letter notifying the change of address, requested the withdrawal of his details due to the cancellation of the service, which was not answered due to the error in updating the claimant's details mentioned above.

Dispute

Is the lack of updating personal data a breach of Article 5(1)(d)?

Can this failure to update data result in a refusal to comply with Article 17 GDPR?

Holding

The AEPD held that IBERDROLA had failed to update the customer's data and that this resulted in the inclusion of the complainant's data in a creditworthiness file and in a failure to comply with its obligations regarding the request for deletion of personal data.

The application of the GDPR is determined because the maintenance of the incorrect address constitutes a continuous infringement that continues over time as long as the data quality problem, which caused the infringement in question, has not been remedied.

Therefore, in the present case, there is an infringement of Article 5(1)(d) of the GDPR because no payment order was issued due to a data quality problem.

The AEPD took into account the fact that it was a non-intentional, but significant negligent action (Article 83(2)(b) GDPR) and that basic personal identifiers were affected (Article 83(2)(g) GDPR).

The economic volume of the company is also taken into account in the penalty scale.

Comment

The Resolution refers to the former Organic Law on Data Protection (LOPD) because the events occurred before the entry into force of the Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPDPGDD).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/9










     Procedure No.: PS / 00220/2020


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                   PRECEDENTS

FIRST: A.A.A. (hereinafter, the claimant) filed a claim with the Agency
Spanish Data Protection Agency on January 12, 2018.


The claim is directed against IBERDROLA CLIENTES, SAU (hereinafter, the
reclaimed).

The reasons on which you base the claim are that the claimed entities have
denied your right to cancel your personal data.

Which, according to the complainant, took place on the date of:
And, among others, attach the following documentation:

     Copy of the request for information on the processing of your data
       personal information and cancellation of these sent to IBERDROLA dated 11

       November 2016 and acknowledgment of receipt. In this request, you also inform the
       company of the new address for the purposes of notifications when not residing from the
       May 31, 2016 at the supply installation address.

     EQUIFAX IBERICA report on the reported data of the claimant

       dated August 16, 2016 to the ASNEF file.

SECOND: On January 26, 2018, after analyzing the documentation that
was in the file, a resolution was issued by the Director of the Spanish Agency
of Data Protection, in response to the protection of right TD / 00157/2018,

agreeing to reject the claim. The resolution was notified to the affected party with
dated January 30, 2018.

THIRD: On February 28, 2018, this Agency received, with
Registration number 070251/2018, appeal for reconsideration -RR / 00135 / 2018- filed

by the claimed against the inadmissibility of their claim, justifying it,
basically, in the same facts and arguments presented in your claim.

FOURTH: On April 24, 2018, the Director of the Spanish Agency for
Data Protection resolves to dismiss the appeal for reconsideration filed by the
claimed against the Resolution of this Agency issued on January 26,

2018, agreeing to file the claim.

FIFTH: On July 23, 2018, this Agency receives the number of
registry 186710/2018, official letter sent by the National Court, Contentious Chamber
Administrative, Section 001, informing of the filing before that court by the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/9








Claimant of contentious-administrative appeal nº *** RECURSO.1 against the
resolution of this Agency, requesting a copy of the file and a copy of the supporting documents
of the locations of the interested parties.


SIXTH: On October 21, 2019 it is received at this Agency, with number
of registration 049866/2019, partial estimate judgment for proceedings to be opened
previous investigation regarding IBERDROLA CLIENTES S.A.U. with the object of
determine the reasons for the failure to comply with the claimant's right and determine whether
the mandatory prior payment requirement was produced as required by article 38.c

of the RLOPD.


SEVENTH: On November 11, 2019, these are opened
investigation actions, assigning the file number E / 10786/2019, in
relation to the claim presented by the claimant in order to determine the
aspects indicated in the judgment sent to this Agency by the National High Court,
Administrative Litigation Chamber, dated October 21, 2019.


                                  BACKGROUND

FIRST: In view of the facts denounced in the claim and the
procedures and Judgment to which they have given rise, the Subdirectorate of Inspection of
Data proceeded to carry out preliminary investigation actions for the

clarification of the facts in question, by virtue of the powers of investigation
granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of

digital rights (hereinafter LOPDGDD).

As a result of the investigative actions carried out, it is verified that the
responsible for the treatment is the one claimed.

Likewise, the following points are found:

Information requested from IBERDROLA on the aspects indicated in the judgment
sent to the Spanish Data Protection Agency on October 21,

2019, dated July 2, 2020 is received at this Agency, with number of
registration 022916/2020, brief of allegations stating the following facts:

     That an attempt was made to notify the prior request for payment in up to three
       occasions on the dates July 22, 2016, August 10, 2016 and
       November 2016 specifying:

       “If this prior payment requirement is disregarded, we will proceed to
       communicate data regarding non-payment to delinquency records
       corresponding ".

     That on November 21, 2016, a response was given to the request of the
       claimant indicating that he had 2 bills pending payment, reason for the
       which their data had been communicated to the ASNEF file. Also, on date 22

       December 2016, a communication is sent to the claimant again

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/9








        informing him that his debt amounted to XXX.- €.
        Debt that still remains today.

     That notwithstanding the foregoing, the claimant has been terminated from the
        file of breach of monetary obligations ASNEF-EQUIFAX, with
        date June 4, 2020.


And they attach the following documents:


     - Communications dated November 21, 2016 and December 22,
       2016 informing the claimant of the debt.

     - Certificates of return of the previous request for payment dated 22
       July 2016, August 10, 2016 and November 23, 2016.


SECOND: Examined all this documentation it is verified that it exists
discrepancy between the claimant's address and the one recorded in the
IBERDROLA. The claimant informed the company of the new address for the purpose of
communications on November 11, 2016 having left the registered address

at IBERDROLA on May 31, 2016.

The notifications sent to the claimant made between July 22 and 23
November 2016 by IBERDROLA requesting the debt, they were sent to the address of
supply facility, where the claimant no longer resided, and were therefore
returned twice for “absent” and the third for “unknown”. Not yet

having been able to make the notification, your data was informed to the file of
financial solvency and credit ASNEF.

Regarding the request to cancel your data of November 11, 2016,
IBERDROLA ignored the change of address reported by the claimant to

this company in that same request, and returned the responses with dates
of November 21 and December 22, 2016 to the installation address of the
supply.

THIRD: On September 1, 2020, the Director of the Spanish Agency

of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged infringement of article 5.1.d) of the RGPD, article 17 of the RGPD, typified in the
Article 83.5 of the RGPD.

FOURTH: Once the aforementioned initiation agreement was notified, the defendant requested a copy of the
file and extension of the allegations period, both requests being

granted, sending a copy of the file which appears as received on
September 2020.

FIFTH: The defendant presented a brief of allegations in which, in summary,
stated that the claimant contracted on July 16, 2010 the electronic supply

of a house located in Benidorm, which is proven by telephone recording.

Secondly, he states that on March 15, 2016 he received the new
conditions of the electricity supply contract, in which clause 12.3 indicates that:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/9









"The Client is informed that, in the event that payment is not made under the terms
provided for in condition 8 of this Contract and if all the requirements are met

required by Royal Decree 1720/2007, the data relating to non-payment may be
communicated to the files regarding the breach of monetary obligations. "

Third, the defendant indicates that, during the term of the contract, the
Claimant failed to pay the invoices issued on June 16,
2016, for an amount of 32.74 euros and July 19, 2016, for an amount of 20.32 euros,

reason for which the claimant was sent three requests for payment, on dates
July 22, 2016, August 10, 2016 and November 23, 2016, at the address of
the claimant incorporated into the contract and mentioning its inclusion in
solvency in accordance with clause 12.3 of the contract.


On November 21, 2016, the claimant requests the withdrawal of her contract of
electricity supply as a result of the termination of your contract of
lease referring to the home for which said supply was contracted,
including in its heading a new address for notification purposes.

In said letter, the withdrawal of the contract is requested with effect May 31, 2016, it is

that is, six months prior to the date on which the aforementioned
communication.

At the same time, the claimant requests the cancellation of her personal data from the
systems of the claimed entity.


In response to your request for cancellation, the claimed entity addresses the
claimant on November 22 and December 22, 2016, indicating the impossibility
to proceed to the cancellation of the data included in the ASNEF file as
consequence of non-payment of the service.


Fourth, the defendant states that he was not aware of the change in
address of the claimant until November 21, 2016.

SIXTH: On October 20, 2020, the procedure instructor agreed to the
opening of a period of practical tests, taking as incorporated the

preliminary investigation actions, E / 10786/2019, as well as the documents
provided by the claimed.

SEVENTH: On October 28, 2020, a resolution proposal was formulated,
proposing that the defendant be punished for the alleged infractions of the article

5.1 d) and 17 of the RGPD, infractions typified in article 83.5 a) and 83.5 b) of the RGPD and
classified as very serious in articles 72.1 a) and 72.1 k) of the LOPDPGDD
respectively for prescription purposes, with a fine of 50,000 euros (fifty thousand
euros) for the sanction of article 83.5 a) corresponding to the violation of article 5.1
d) of the RGPD and a fine of 50,000 euros (fifty thousand euros) for the sanction of the

article 83.5 b) for the violation of article 17 of the RGPD.

Of the actions carried out in this procedure and of the documentation
Obrante in the file, the following have been accredited:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/9









                                 PROVEN FACTS


FIRST: On *** DATE 1, the claimant contracted by telephone, the supply
electronic of a house located in *** LOCALIDAD.1.

SECOND: The claimant did not pay the invoices issued on dates 16
June 2016, for the amount of XXX euros and July 19, 2016, for the amount of XXX
euros, which is why the claimed entity sent the claimant three

payment requirements, on July 22, 2016, August 10, 2016 and
November 2016, sent to the supply installation address, where no longer
the claimant resided, and therefore they were returned twice for “absent” and
the third for "unknown",


THIRD: Despite not having been able to make the notification, the data of the
claimant were informed to the file of patrimonial solvency and credit ASNEF.

FOURTH: On November 21, 2016, the claimant requests the cancellation of the
your data and the cancellation of your electricity supply contract as a result of the
termination of your lease regarding the dwelling for which you

said supply was contracted, including in its heading a new address to
Notification effects.

FIFTH: The claimed entity ignored the change of address reported by
the claimant to this company, and again sent new communications dated 21

November and December 22, 2016 to the supply installation address, in
instead of to the new address indicated by the claimant.

                            FOUNDATIONS OF LAW


                                             I

The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of art. 58.2 of the RGPD and
in art. 47 and 48.1 of LOPDGDD.
                                            II


Article 6.1 of the RGPD establishes that “in accordance with the provisions of the
Article 4.11 of Regulation (EU) 2016/679, means the consent of the
affected any manifestation of free, specific, informed and unequivocal will by
which he accepts, either through a declaration or a clear affirmative action, the

processing of personal data concerning you ”.

For its part, article 5 of the RGPD establishes that personal data will be:

“A) treated in a lawful, loyal and transparent manner in relation to the interested party (“ lawfulness,

loyalty and transparency ”);

b) collected for specific, explicit and legitimate purposes, and will not be processed
subsequently in a manner incompatible with said purposes; in accordance with article 89,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/9








section 1, the subsequent processing of personal data for archiving purposes in
public interest, scientific and historical research purposes or statistical purposes are not
deemed incompatible with the original purposes ("purpose limitation");


c) adequate, relevant and limited to what is necessary in relation to the purposes for which
that they are processed ("data minimization");

d) accurate and, if necessary, updated; all measures will be taken
reasonable so that the personal data that

are inaccurate with respect to the purposes for which they are processed ("accuracy");

e) maintained in a way that allows the identification of the interested parties during the
longer than is necessary for the purposes of processing personal data; the
Personal data may be kept for longer periods provided that

treat exclusively for archival purposes in the public interest, research purposes
scientific or historical or statistical purposes, in accordance with article 89, paragraph 1,
without prejudice to the application of the appropriate technical and organizational measures that
imposes these Regulations in order to protect the rights and freedoms of the
data subject ("limitation of the conservation period");


f) treated in such a way as to guarantee adequate data security
personal, including protection against unauthorized or illegal processing and against
its loss, destruction or accidental damage, through the application of technical measures
or appropriate organizational ("integrity and confidentiality").


The person responsible for the treatment will be responsible for compliance with the provisions of
paragraph 1 and able to demonstrate it ('proactive responsibility'). "

                                             III


In the case analyzed here, it has been proven that the claimant exercised her
right of cancellation before the claimed on November 11, 2016, and their request
did not receive a response, despite the right recognized in article 16 of the LOPD, in force
at the time of the events, a right currently recognized in Article 17
of the RGPD, called the right to erasure ("the right to be forgotten") in which
precept the right of deletion of the claimant is governed, stating that he will have

right to obtain without undue delay from the controller the deletion
of the personal data that concerns you.

In addition to the evidence available in the present
moment, the notifications sent to the claimant made between July 22 and

November 23, 2016 by IBERDROLA requesting the debt, they were sent to
supply installation address, where the claimant no longer resided, despite
the new address was communicated in May 2016.

Therefore, these communications were returned on two occasions for being "absent."

and the third for "unknown".




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/9








On the other hand, the claimed entity states that it had no knowledge of the
change of address of the claimant until November 21, 2016, although the
The complainant states that she communicated it on November 11, 2016.


Despite this, to indicate to the claimant the impossibility of proceeding with the cancellation
of the data included in the ASNEF file as a consequence of the non-payment of the
service, the claimed entity continued to address the claimant at the address of the
supply contract, instead of the new one indicated by the claimant, in its
communications dated November 22 and December 22, 2016, that is, with

after the date on which you declare to know the new address for the purposes of
communications.

Article 26 of Law 40/2015 on the Legal Regime of the Public Sector, establishes that
The sanctioning provisions in force at the time of

occur the facts that constitute an administrative offense.

Thus, it is considered that the claimant was improperly included in the
patrimonial solvency files, since the notifications of the prior requirement of
payment, they were all returned by absentee or unknown recipient, for being
addressed to an incorrect address, when the claimant ceases to reside at said address

since May 2016 and despite having been notified of the change of
address to which communications should be directed, continue to go to the
address of the supply contract, so it did not receive any of the
prior payment requirements, which implies the violation of articles 38.1 a),
and 43 of the RLOPD that state that "Personal data will be accurate and

updated in such a way that they respond truthfully to the current situation of the
affected ”, regulations in force at the time of the offense.

The application of the RGPD is determined because the maintenance of the address
wrongdoing constitutes a continuous offense that lasts for as long as

This data quality problem, which is the cause of the infraction in question, is not
corrective.

Therefore, in the present case there is an infringement of article 5.1 d) of the RGPD
because the due payment request was not made due to a quality problem of
the data.


                                           IV

Article 72.1.a) of the LOPDGDD states that “depending on what the
Article 83.5 of Regulation (EU) 2016/679 are considered very serious and will prescribe

At three years, infractions that involve a substantial violation of the
articles mentioned therein and, in particular, the following:

a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679


k) The impediment or the obstruction or the repeated neglect of the exercise of the
rights established in articles 15 to 22 of Regulation (EU) 2016/679.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/9








                                           V

Article 58.2 of the RGPD provides the following: “Each control authority will have

of all of the following corrective powers listed below:

b) sanction any person responsible or in charge of the treatment with warning
when the treatment operations have infringed the provisions of this
Regulation;


d) order the person in charge of the treatment that the operations of
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time;

i) impose an administrative fine in accordance with article 83, in addition to or instead of the

measures mentioned in this section, according to the circumstances of each case
particular;

                                           SAW

This offense can be sanctioned with a fine of a maximum of € 20,000,000 or,

in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the
higher amount, in accordance with article 83.5 of the RGPD.

Likewise, it is considered that the sanction to be imposed should be adjusted in accordance with the

following criteria established in article 83.2 of the RGPD:

As aggravating factors the following:

In the present case we are dealing with unintentional negligent action, but significant

(article 83.2 b)

Basic personal identifiers are affected (name, surname,
address, telephone), according to article 83.2 g)

Therefore, in accordance with the applicable legislation and the criteria of

graduation of sanctions whose existence has been proven,

the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE IBERDROLA CLIENTES, SAU, with NIF A95758389 a

fine of 50,000 euros (fifty thousand euros), for the violation of article 5.1 d) and a
second fine of 50,000 euros (fifty thousand euros) for the violation of article 17
of the RGPD, each typified in articles 83.5 a) and 83.5 b) of the RGPD
respectively, and classified as very serious in articles 72.1 a) and 72.1 k) of the
LOPDPGDD for prescription purposes.


SECOND: NOTIFY this resolution to IBERDROLA CLIENTES, SAU.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/9








THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency

Spanish Data Protection in the bank CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.

Notification received and once executive, if the execution date is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment

volunteer will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to

count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.



Mar Spain Martí
Director of the Spanish Agency for Data Protection


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es