AEPD (Spain) - PS/00476/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 26.04.2021
Decided:
Published: 11.04.2022
Fine: 150,000 EUR
Parties: Baser Comercializadora de Referencia, S.A.
National Case Number/Name: PS/00476/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Cesar Manso-Sayao

The Spanish DPA issued a fine of €150,000 against an electrical company for allowing a third party to modify a contract without the data subject's consent in violation of Article 6 GDPR, and for lacking adequate security measures under Article 32 GDPR.

English Summary

Facts

A data subject filed a claim with the Spanish DPA (AEPD) against Baser Comercializadora de Referencia, S.A. (an electrical supply company) claiming that a third party had made changes to his electricity contract without his authorisation.

As evidence, the data subject offered an audio recording of a call made to the company, in which a woman states that she is the data subject’s sister. The woman also states that she is living in her brother’s house, and complains that she has been suffering power outages lately. The woman is informed that the contracted power had been reduced online, through the company’s website, from 1.8 kW to 1.4 kW. The woman then asked the company to change the contracted power back to 1.8 kW.

According to its internal protocol, the company asked the woman to provide certain information related to the contract (name, surname, ID number, telephone number, and address) as security questions before changing the contracted power back to 1.8 kW.

In its defense, the company claimed that by answering these questions, the woman successfully overcame the security protocol, and was therefore considered by the company as effectively authorised to change the contract on the data subject's behalf.

Holding

The AEPD pointed out that the fact that the claimant’s sister knew her brother’s name, surname, ID number, telephone number and address could not lead to the presumption that she was authorised to represent him in order to make changes to the contract with the electricity company. The AEPD noted that in this case, the family relationship between the brother and sister allows her to easily know this data, and that this data could also be accessible to other third parties without the data subject’s knowledge. The AEPD stated that the mere fact that someone might have knowledge of this data should not imply that they can act on behalf of the data subject to modify the contract with the electrical company.

Based on these considerations, the AEPD held that the electrical company had violated Article 32 GDPR by failing to have an adequate security protocol in place to verify whether someone was actually authorised to act on the data subject’s behalf. The AEPD also held that, by not having an adequate security protocol in place, the company had modified the power supply contract without the data subject’s consent, in violation of Article 6 GDPR.

In light of the aforementioned violations, the AEPD imposed a fine of €150,000 against the electrical company (€50,000 for the violation of Article 32 GDPR and €100,000 for the violation of Article 6 GDPR).
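The verification protocol at issue in the Holding, modelled as an added example that is not part of the GDPRhub page or of the decision. `kba_protocol_passes` mirrors the knowledge-based checks the company described (holder's name, surnames, DNI, supply address, telephone or email, and otherwise the last four digits of the bank account or the contract number) and shows that a relative who knows that data passes it. The `HardenedVerifier`, which gates the change on a one-time code delivered to the holder's registered contact, is an assumed mitigation: the AEPD did not prescribe any specific measure. All contract and caller data are constructed.

```python
"""Caller verification as described in PS/00476/2021, modelled in code (added example).

The knowledge-based checks mirror the protocol the company described; the
out-of-band confirmation step is an assumed mitigation the decision does not
prescribe. All contract and caller data below are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass(frozen=True)
class Contract:
    contract_number: str
    holder_name: str
    holder_surnames: str
    holder_dni: str
    supply_address: str
    phone: str  # holder's registered phone, used as the out-of-band channel
    email: str
    iban_last4: str
    power_kw: float


@dataclass
class CallerClaims:
    """What a caller states on the phone. A relative or cohabitant can know all of it."""
    name: str
    surnames: str
    dni: str
    supply_address: str
    phone: Optional[str] = None
    email: Optional[str] = None
    iban_last4: Optional[str] = None
    contract_number: Optional[str] = None


def kba_protocol_passes(contract: Contract, claims: CallerClaims) -> bool:
    """The company's protocol: identifying data plus phone/email, else account/contract fragment."""
    core_ok = (
        claims.name.casefold() == contract.holder_name.casefold()
        and claims.surnames.casefold() == contract.holder_surnames.casefold()
        and claims.dni.upper() == contract.holder_dni.upper()
        and claims.supply_address.casefold() == contract.supply_address.casefold()
    )
    if not core_ok:
        return False
    if claims.phone == contract.phone or (
        claims.email is not None and claims.email.casefold() == contract.email.casefold()
    ):
        return True
    # Only when the caller lacks phone and email does the protocol ask for more.
    return claims.iban_last4 == contract.iban_last4 or claims.contract_number == contract.contract_number


class OutOfBandChannel:
    """Constructed stub for an SMS gateway: it keeps the code it 'sent' to each number
    so the example can replay the holder's own reply. Not a real gateway."""

    def __init__(self) -> None:
        self.pending: dict = {}

    def send_code(self, destination: str) -> None:
        self.pending[destination] = secrets.token_hex(3)


@dataclass
class HardenedVerifier:
    """KBA only gates the request; the holder must confirm through a channel the company already holds."""
    channel: OutOfBandChannel
    audit_log: list = field(default_factory=list)

    def start(self, contract: Contract, claims: CallerClaims) -> bool:
        if not kba_protocol_passes(contract, claims):
            self.audit_log.append(f"{contract.contract_number}: KBA failed, no change")
            return False
        self.channel.send_code(contract.phone)
        self.audit_log.append(f"{contract.contract_number}: KBA passed, code sent to holder's phone")
        return True

    def confirm(self, contract: Contract, code_from_caller: str) -> bool:
        expected = self.channel.pending.pop(contract.phone, None)  # single use
        ok = expected is not None and hmac.compare_digest(expected, code_from_caller)
        self.audit_log.append(f"{contract.contract_number}: holder confirmation {'accepted' if ok else 'rejected'}")
        return ok


def change_power_kba_only(contract: Contract, claims: CallerClaims, new_kw: float):
    """Behaviour the AEPD sanctioned: knowing the data alone authorises the change."""
    return replace(contract, power_kw=new_kw) if kba_protocol_passes(contract, claims) else None


def change_power_hardened(verifier, contract, claims, holder_reply, new_kw: float):
    """holder_reply(contract) returns the code relayed by whoever holds the registered phone."""
    if verifier.start(contract, claims) and verifier.confirm(contract, holder_reply(contract)):
        return replace(contract, power_kw=new_kw)
    return None


# Constructed sample: the holder's contract and a relative who knows all the identifying data.
HOLDER_CONTRACT = Contract("C-0001", "Juan", "Perez Garcia", "12345678Z", "Calle Falsa 1, Madrid",
                           "+34600000001", "juan@example.com", "4321", 1.8)
RELATIVE_CALL = CallerClaims("Juan", "Perez Garcia", "12345678Z", "Calle Falsa 1, Madrid",
                             phone="+34600000001")


def demo():
    """Returns (KBA-only result, hardened result with a guessed code, hardened result confirmed by holder)."""
    kba_only = change_power_kba_only(HOLDER_CONTRACT, RELATIVE_CALL, 1.4)
    verifier = HardenedVerifier(OutOfBandChannel())
    guessed = change_power_hardened(verifier, HOLDER_CONTRACT, RELATIVE_CALL, lambda c: "guess", 1.4)
    confirmed = change_power_hardened(verifier, HOLDER_CONTRACT, RELATIVE_CALL,
                                      lambda c: verifier.channel.pending[c.phone], 1.4)
    return kba_only, guessed, confirmed


if __name__ == "__main__":
    print(demo())
```

Under the knowledge-based protocol the relative's call changes the contract outright; under the hardened flow the same call only triggers a code to the holder's registered phone, and the change goes through only when the holder relays it, with both outcomes recorded in the audit log.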


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: PS/00476/2021


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Data Protection Agency on the basis of
the following


                                   BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) dated April 26, 2021
filed a claim with the Spanish Data Protection Agency.


The claim is directed against BASER COMERCIALIZADORA DE REFERENCIA, S.A.,
with CIF A74251836 (hereinafter, the claimed party).

The claim is based on the fact that a third party contacted the claimed entity,
with which the complaining party has contracted the electricity supply, requesting
an increase in the contracted power on the basis of a supposed authorisation that
the complaining party never granted.

The complaining party provides, among other things, the following documentation:

- Voice recording dated February 3, 2021, in which a woman calls the claimed
entity, claiming to suffer power outages.

She is asked to identify herself with her DNI, to which she responds by asking
whether she should provide hers or that of the contract holder, who is her brother.
She provides the name, surnames and DNI of the holder.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, on 3
June 2021, to proceed with its analysis and inform this Agency in the
period of one month, of the actions carried out to adapt to the requirements
provided for in the data protection regulations.


On July 2, 2021, the claimed party submitted through the electronic registry its
written allegations in response to the request for information in procedure
E/06494/2021, noting that the platform enabled by the AEPD did not allow it to
attach audio files to its defence, for which reason documents in legible digital
format are attached, from which it follows that the claimed entity received a call
from a woman who stated that she lived at the supply address but that the contract
was in her brother's name; after requiring the DNI, name and surnames of the
holder, the claimed entity answered the questions raised by that woman regarding
the contracted power.


The claimed entity informs the caller that the contracted power is 1.4 kW, to
which she replies that someone must have changed the contracted power because it
was 1.8 kW.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es

The claimed entity informs her that the holder changed the contracted power from
1.8 kW to 1.4 kW through the website on February 1, 2021.

The claimed entity informs her that the power change can be made again, which is
done at her request.

For all these reasons, the claimed entity states that the customer service
department complied with the Protocol by requesting the holder's DNI, name and
surnames, telephone number and supply address, so that it was not considered
necessary to request the additional information provided for in the Protocol, such
as the email address or the account or contract numbers.

THIRD: On September 20, 2021, the Director of the Spanish Data Protection Agency
agreed to admit for processing the claim presented by the complaining party.

FOURTH: On November 10, 2021, the Director of the Spanish Data Protection Agency
agreed to initiate a sanctioning procedure against the claimed party, in
accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
on the Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged infringement of Article 6 of the RGPD, typified in Article
83.5 of the RGPD.

FIFTH: Having been notified of the aforementioned initiation agreement, the
respondent submitted written allegations in which, in summary, it states that it
has at all times acted in accordance with its protocol, which consists of verifying
that the caller has the name, surnames and DNI of the contract holder, the address
of the supply point, and the telephone number or email address and, if the caller
does not have the information corresponding to the telephone number or email
address, additionally the last four digits of the bank account in which the supply
contract in question is domiciled, or the contract number.

It states that the caller knew perfectly all the data requested, so that she
passed the Protocol and was therefore considered a representative of the contract
holder, and the requested power change was processed.

It considers that the modifications of the contracted power at the supply address
constitute a "pressure element" used by the claimant to try to resolve, by way of
fact, a conflict of a family nature related to the non-payment of the rent of the
house, and this is confirmed by the claimed entity by providing an arbitration
award on such facts.

SIXTH: On December 15, the instructor of the procedure agreed to open an
evidentiary period, taking into account the prior investigation actions, as well as
the documents provided by the respondent on November 23, 2021.

SEVENTH: On January 13, 2022, a proposed resolution was formulated, proposing the
following:
That the Director of the Spanish Data Protection Agency sanction
BASER COMERCIALIZADORA DE REFERENCIA, S.A., with CIF A74251836, for
an infringement of article 6 of the RGPD, typified in article 83.5 of the RGPD, with a
fine of 100,000 euros (one hundred thousand euros).

That the Director of the Spanish Data Protection Agency sanction
BASER COMERCIALIZADORA DE REFERENCIA, S.A., with CIF A74251836, for
an infringement of article 32 of the RGPD, typified in article 83.5 of the RGPD, with a
fine of 50,000 euros (fifty thousand euros).

EIGHTH: Once the proposed resolution was notified, the respondent submitted written
allegations in which, in summary, it reiterates those already made, emphasizing
that the complainant's sister acted as his representative and that her actions
must therefore have the same effects as if they had been performed by the
complainant.

Thus, the processing carried out on the claimant's personal data must in any case
have its legal basis in the performance of the contract, under article 6.1.b) of
the RGPD, on the understanding that the modification of the contract, made by the
claimant's sister acting as his representative, was in fact made at the request of
the contract holder, that is, the claimant.

The respondent entity also states that it followed its security protocol and that
it is not required to carry out any additional checks on the existence and scope
of the mandate or representation questioned in this case.

From the actions carried out in this procedure and the documentation in the file,
the following facts have been established:


                                PROVEN FACTS

FIRST: The claimant has an electricity supply contract with the claimed entity,
which made a change in the contractual conditions (increase of the contracted
power) without his consent.

SECOND: The respondent entity states that it received a call from a woman who
claimed to live at the supply address, so that, after requesting the holder's data,
it proceeded to change the contracted power.

                           FOUNDATIONS OF LAW


                                            I

By virtue of the powers that article 58.2 of the RGPD grants to each supervisory
authority, and in accordance with the provisions of articles 47 and 48 of the
LOPDGDD, the Director of the Spanish Data Protection Agency is competent to
initiate and to resolve this procedure.



                                            II

Organic Law 3/2018, of December 5, on the Protection of Personal Data and the
guarantee of digital rights, in its article 4.11 defines the consent of the data
subject as "any freely given, specific, informed and unambiguous indication of the
data subject's wishes by which he or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of personal data relating to him or
her".

In this sense, article 6.1 of the LOPDGDD establishes that "in accordance with the
provisions of article 4.11 of Regulation (EU) 2016/679, consent of the data subject
is understood as any freely given, specific, informed and unambiguous indication of
his or her wishes by which he or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of personal data relating to him or
her".


For its part, article 6 of the RGPD establishes the following:

"1. Processing shall be lawful only if at least one of the following conditions is
met:

a) the data subject has given consent to the processing of his or her personal data
for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data
subject is party or in order to take steps at the request of the data subject prior
to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the
controller is subject;

d) processing is necessary in order to protect the vital interests of the data
subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by
the controller or by a third party, except where such interests are overridden by
the interests or fundamental rights and freedoms of the data subject which require
protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by
public authorities in the performance of their tasks."

Secondly, to examine the correctness of the action protocol followed by the
claimed entity, we must turn to article 32 of the RGPD, "Security of processing",
which establishes that:

"1. Taking into account the state of the art, the costs of implementation and the
nature, scope, context and purposes of processing, as well as the risks of varying
likelihood and severity for the rights and freedoms of natural persons, the
controller and the processor shall implement appropriate technical and
organisational measures to ensure a level of security appropriate to the risk,
including, inter alia, as appropriate:


a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and
resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely
manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of
technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in
particular of the risks that are presented by processing, in particular from
accidental or unlawful destruction, loss, alteration, unauthorised disclosure of,
or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in article 40 or an
approved certification mechanism as referred to in article 42 may be used as an
element by which to demonstrate compliance with the requirements set out in
paragraph 1 of this article.

4. The controller and processor shall take steps to ensure that any natural person
acting under the authority of the controller or the processor who has access to
personal data does not process them except on instructions from the controller,
unless he or she is required to do so by Union or Member State law."

                                            III

In this case, the claimed entity is accused of modifying the characteristics of a
supply contract concluded with the claimant without his consent.

The respondent entity has presented allegations against the initiation agreement,
as well as against the proposed resolution, expressing its disagreement with this
sanctioning procedure and considering that it has at all times acted in accordance
with its protocol, which consists of verifying that the caller has the name,
surnames and DNI of the contract holder, the address of the supply point, and the
telephone number or email address and, in case the caller does not have the
information corresponding to the telephone number or email address, additionally
requesting the last four digits of the bank account in which the supply contract
in question is domiciled, or the contract number.



In this specific case, following the protocol established by the claimed entity,
the holder's DNI, name and surnames, telephone number and supply address were
requested.

In this sense, it must be considered that the protocol of the claimed entity does
not reach the security levels required to guarantee that the processing of
personal data complies with the data protection regulations, since the data
required by the claimed entity in its security protocol are data (DNI, name and
surnames, telephone number and address) that could be available to third parties.

It must be pointed out that knowledge of the holder's DNI, name and surnames,
telephone number and supply address by the claimant's sister, to whom he has
leased the dwelling that is the object of the supply, cannot lead to a presumption
of representation, since her family and contractual relationship allows her to
know such data without this implying the consent of the holder of the supply
contract to its modification.

Thus, there are clear indications of two circumstances:

- The claimed entity has violated article 32 of the RGPD by not having an adequate
  security protocol that makes it possible to verify that the caller is acting on
  behalf of the claimant, since its security protocol requires the holder's DNI,
  name and surnames, telephone number and supply address, data that may be
  available to third parties without the holder's knowledge, and treats knowledge
  of that data as implying that the caller is acting on behalf of the contract
  holder.

- The claimed entity, by not having an adequate security protocol, modified the
  contracted power without the consent of its holder, that is, of the claimant,
  which constitutes a violation of art. 6 of the RGPD.


                                            IV

Article 72.1 b) of the LOPDGDD states that "in accordance with article 83.5 of
Regulation (EU) 2016/679, the following infringements, which involve a substantial
violation of the articles mentioned therein, are considered very serious and shall
prescribe after three years, in particular the following:

b) The processing of personal data without any of the conditions of lawfulness of
processing set out in article 6 of Regulation (EU) 2016/679 being met."

Article 73 of the LOPDGDD, for prescription purposes, qualifies as "Infringements
considered serious":

"In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679,
the following infringements, which involve a substantial violation of the articles
mentioned therein, are considered serious and shall prescribe after two years, in
particular the following:

(…)


g) The breach, as a consequence of the lack of due diligence, of the
technical and organizational measures that have been implemented as required
by article 32.1 of Regulation (EU) 2016/679”.


                                           V

Article 58.2 of the RGPD provides the following: "Each supervisory authority shall
have all of the following corrective powers:

b) to issue reprimands to a controller or a processor where processing operations
have infringed provisions of this Regulation;

d) to order the controller or processor to bring processing operations into
compliance with the provisions of this Regulation, where appropriate, in a
specified manner and within a specified period;

i) to impose an administrative fine pursuant to article 83, in addition to, or
instead of, the measures referred to in this paragraph, depending on the
circumstances of each individual case;"

Thus, in light of the results of the investigation, the claimed party may be
ordered to carry out, within the designated period, the actions necessary so that
the processing of the personal data used complies with the provisions of the RGPD.


                                           VI

This infringement may be sanctioned with a fine of up to €20,000,000 or, in the
case of an undertaking, up to 4% of the total worldwide annual turnover of the
preceding financial year, whichever is higher, in accordance with article 83.5 of
the RGPD.

Likewise, it is considered appropriate to graduate the sanction to be imposed in
accordance with the following criteria established by article 83.2 of the RGPD,
considering as aggravating factors:

- The negligence of the respondent in modifying the contract concluded with the
  claimant (article 83.2 b), without being certain that the person who called
  requesting the change represented the holder of the supply, since the data
  required in its protocol could be available to any third party.

- The link between the offender's activity and the processing of personal data
  (art. 76.2.b) LOPDGDD).









Therefore, in accordance with the applicable legislation and having assessed the
criteria for graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on BASER COMERCIALIZADORA DE REFERENCIA, S.A., with
CIF A74251836, for an infringement of article 6 of the RGPD, typified in article
83.5 of the RGPD, a fine of 100,000 euros (one hundred thousand euros).

SECOND: TO IMPOSE on BASER COMERCIALIZADORA DE REFERENCIA, S.A.,
with CIF A74251836, for an infringement of article 32 of the RGPD, typified in
article 83.4 of the RGPD, a fine of 50,000 euros (fifty thousand euros).

THIRD: TO NOTIFY this resolution to BASER COMERCIALIZADORA DE
REFERENCIA, S.A.

FOURTH: To warn the sanctioned party that it must make the imposed sanction
effective once this resolution is enforceable, in accordance with the provisions
of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative
Procedure of Public Administrations (hereinafter LPACAP), within the voluntary
payment period established in art. 68 of the General Collection Regulations,
approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law
58/2003, of December 17, by paying it, indicating the NIF of the sanctioned party
and the procedure number that appears in the heading of this document, into the
restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the
Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it
will be collected in the enforcement period.

Once the notification has been received and the resolution is enforceable, if the
date on which it becomes enforceable falls between the 1st and 15th of the month,
both inclusive, the voluntary payment period will run until the 20th of the
following month or the next business day, and if it falls between the 16th and the
last day of the month, both inclusive, the payment period will run until the 5th of
the second following month or the next business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution
will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in
accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of
article 123 of the LPACAP, the interested parties may optionally file an appeal for
reconsideration before the Director of the Spanish Data Protection Agency within
one month from the day following the notification of this resolution, or directly
a contentious-administrative appeal before the Contentious-Administrative Chamber
of the National Court, in accordance with the provisions of article 25 and section
5 of the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within two months from the day following
the notification of this act, as provided in article 46.1 of the aforementioned
Law.



Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a)
of the LPACAP, the final resolution in administrative proceedings may be
provisionally suspended if the interested party expresses its intention to file a
contentious-administrative appeal. If this is the case, the interested party must
formally communicate this fact in writing addressed to the Spanish Data Protection
Agency, submitting it through the Agency's Electronic Register
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other
registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October
1. It must also provide the Agency with the documentation proving the effective
filing of the contentious-administrative appeal. If the Agency is not made aware
of the filing of the contentious-administrative appeal within two months from the
day following the notification of this resolution, the precautionary suspension
will end.


Mar España Martí
Director of the Spanish Data Protection Agency