AEPD (Spain) - PS/00236/2020: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...") |
(→Facts) |
||
| Line 59: | Line 59: | ||
=== Facts === | === Facts === | ||
After receiving several complaints regarding the collection and processing of data of an energy company, the Spanish DPA (AEPD) launched an investigation. | |||
In the first place, they found that the controller allowed for contracting their services in the name of another person (as a representative) without properly verifying the identity and validating the representation power. This made it possible for the representative, for example, to consent to commercial communications, including being subject to automated decision-making for personalized commercial offers, or the transfer of the data to third parties without the controller verifying whether they had the power to do so. | |||
This also carried some risks, such as the possibility of contracting in others' names without having such power, leading to the creation of a binding contract without the permission or knowledge of any person that the representative claims to represent. This could lead to identity fraud or economic damages. | |||
These risks were not considered by the controller in its initial assessment; only risks regarding scoring/profiling and commercial communications were considered. | |||
Some additional clauses were implemented during the investigation, although the exact moment is not proven. | |||
=== Holding === | === Holding === | ||
in | The AEPD held that the controller should have had a system to verify the representation powers of the representative contracting in other's name, so the lawfulness of the legal basis for processing is verified. The representative must have a legitimate power to contract; otherwise, the legitimate basis used for the processing will not be lawful. | ||
Additionally, the consent powers should be expressively given by the representee, as consent shall be informed and specific. And, the DPA remarks, it is difficult to thing of a representee giving express instructions on that to the representative, as consent is asked for at the same time as contracting, without previous warning or explanation. | |||
The AEPD also remarks that the accountability principle makes the controller responsible for implementing the necessary measures, and that such obligation is not only a formal obligation; such measures must be effective and adequate. The obligation is also dynamic, so the controller has to modify them if necessary when identifying new risks. | |||
The controller, however, had not implemented adequate measures to avoid the mentioned risks. Therefore, the AEPD concluded that there had been a violation of Article 25 GDPR. | |||
== Comment == | == Comment == | ||
Revision as of 08:55, 10 May 2021
| AEPD (Spain) - PS/00236/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6 GDPR Article 13 GDPR Article 22 GDPR Article 25 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 04.05.2021 |
| Fine: | 1500000 EUR |
| Parties: | EDP ENERGÍA, S.A.U. |
| National Case Number/Name: | PS/00236/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
in progress
English Summary
Facts
After receiving several complaints regarding the collection and processing of data of an energy company, the Spanish DPA (AEPD) launched an investigation.
In the first place, they found that the controller allowed for contracting their services in the name of another person (as a representative) without properly verifying the identity and validating the representation power. This made it possible for the representative, for example, to consent to commercial communications, including being subject to automated decision-making for personalized commercial offers, or the transfer of the data to third parties without the controller verifying whether they had the power to do so.
This also carried some risks, such as the possibility of contracting in others' names without having such power, leading to the creation of a binding contract without the permission or knowledge of any person that the representative claims to represent. This could lead to identity fraud or economic damages.
These risks were not considered by the controller in its initial assessment; only risks regarding scoring/profiling and commercial communications were considered.
Some additional clauses were implemented during the investigation, although the exact moment is not proven.
Holding
The AEPD held that the controller should have had a system to verify the representation powers of the representative contracting in other's name, so the lawfulness of the legal basis for processing is verified. The representative must have a legitimate power to contract; otherwise, the legitimate basis used for the processing will not be lawful.
Additionally, the consent powers should be expressively given by the representee, as consent shall be informed and specific. And, the DPA remarks, it is difficult to thing of a representee giving express instructions on that to the representative, as consent is asked for at the same time as contracting, without previous warning or explanation.
The AEPD also remarks that the accountability principle makes the controller responsible for implementing the necessary measures, and that such obligation is not only a formal obligation; such measures must be effective and adequate. The obligation is also dynamic, so the controller has to modify them if necessary when identifying new risks.
The controller, however, had not implemented adequate measures to avoid the mentioned risks. Therefore, the AEPD concluded that there had been a violation of Article 25 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
