AEPD (Spain) - PS/00476/2021

Relevant Law: Article 6 GDPR; Article 32 GDPR
Parties: Baser Comercializadora de Referencia, S.A.
National Case Number/Name: PS/00476/2021
European Case Law Identifier: n/a
Original Source: AEPD (in ES)
Initial Contributor: Cesar Manso-Sayao
The Spanish DPA issued a fine of €150,000 against an electrical company for allowing a third party to modify a contract without the data subject's consent in violation of Article 6 GDPR, and for lacking adequate security measures under Article 32 GDPR.
English Summary
Facts
A data subject filed a claim with the Spanish DPA (AEPD) against Baser Comercializadora de Referencia, S.A. (an electrical supply company) claiming that a third party had made changes to his electricity contract without his authorisation.
As evidence, the data subject offered an audio recording of a call made to the company, in which a woman states that she is the data subject’s sister. The woman also states that she is living in her brother’s house, and complains that she has been suffering power outages lately. The woman is informed that the electrical power output has been reduced online on the company’s website, from 1.8KW to 1.4KW. The woman proceeded to request that the company change the power supply back to 1.8KW.
According to their internal protocol, the company asked the woman to provide certain information related to the contract (name, surname, ID number, telephone number, and address) as security questions in order to change the electrical current supply back to 1.8KW.
In its defense, the company claimed that by answering these questions, the woman successfully overcame the security protocol, and was therefore considered by the company as effectively authorised to change the contract on the data subject's behalf.
Holding
The AEPD pointed out that the fact that the claimant’s sister knew her brother’s name, surname, ID number, telephone number and address could not lead to the presumption that she was authorised to represent him in order to make changes to the contract with the electricity company. The AEPD noted that in this case, the family relationship between the brother and sister allows her to easily know this data, and that this data could also be accessible to other third parties without the data subject’s knowledge. The AEPD stated that the mere fact that someone might have knowledge of this data should not imply that they can act on behalf of the data subject to modify the contract with the electrical company.
Based on these considerations, the AEPD held that the electrical company had violated Article 32 GDPR by failing to have an adequate security protocol in place to verify whether someone was actually authorised to act on the data subject's behalf. The AEPD also held that, by not having an adequate security protocol in place, the company had modified the power supply contract without the data subject's consent, in violation of Article 6 GDPR.
In light of the aforementioned violations, the AEPD imposed a fine of €150,000 against the electrical company (€50,000 for the violation of Article 32 GDPR and €100,000 for the violation of Article 6 GDPR).
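The AEPD's reasoning, that a relative's knowledge of the holder's identity data is not proof of authority to change the contract, is easy to see once the protocol is written down as a decision rule. The following Python is an added example, not code from the decision, the operator or this page: it models the operator's stated protocol (name, surnames, DNI, supply address, telephone or e-mail; failing those, the last four digits of the bank account or the contract number) as a knowledge-based check, and beside it an assumed hardened check that additionally requires either a representative the holder has recorded on the account or a one-time code delivered to the holder's registered contact details. The decision does not prescribe these measures; they, together with the account record and the caller's answers, are constructed assumptions.

```python
"""Caller-verification policy check: the operator's protocol beside a hardened one.

Added illustration for the AEPD decision; not code from the AEPD, the operator
or the page. The account record, the caller's answers and the hardened rule are
constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import hmac
import secrets


@dataclass
class Account:
    holder_name: str
    dni: str
    address: str
    phone: str
    email: str
    iban_last4: str
    contract_no: str
    # Third parties the holder has explicitly authorised to act on the contract.
    representatives: Set[str] = field(default_factory=set)
    # One-time code issued to the holder's registered phone/e-mail; single use.
    pending_otp: Optional[str] = None


def _eq(given: str, on_file: str) -> bool:
    """Constant-time comparison after trimming and case-folding the answer."""
    return hmac.compare_digest(given.strip().casefold().encode(),
                               on_file.strip().casefold().encode())


def kba_check(account: Account, answers: Dict[str, str]) -> bool:
    """The operator's protocol as the decision describes it: a caller whose
    answers match the data on file is treated as authorised."""
    if not all(_eq(answers.get(f, ""), getattr(account, f))
               for f in ("holder_name", "dni", "address")):
        return False
    if _eq(answers.get("phone", ""), account.phone) or _eq(answers.get("email", ""), account.email):
        return True
    # Fallback when the caller knows neither the phone number nor the e-mail address.
    return (_eq(answers.get("iban_last4", ""), account.iban_last4)
            or _eq(answers.get("contract_no", ""), account.contract_no))


def issue_otp(account: Account) -> str:
    """Generate a six-digit code for delivery to the holder's registered contact
    details (delivery itself is outside this example)."""
    code = f"{secrets.randbelow(10**6):06d}"
    account.pending_otp = code
    return code


def hardened_check(account: Account, answers: Dict[str, str],
                   caller_id: Optional[str] = None, otp: Optional[str] = None) -> bool:
    """Assumed hardened rule: knowledge of file data is necessary but never
    sufficient. The caller must also be a recorded representative or present
    the code delivered to the holder, which evidences the holder's involvement."""
    if not kba_check(account, answers):
        return False
    if caller_id is not None and caller_id in account.representatives:
        return True
    if (otp is not None and account.pending_otp is not None
            and hmac.compare_digest(otp.encode(), account.pending_otp.encode())):
        account.pending_otp = None  # consume the code so it cannot be replayed
        return True
    return False


def holder_account() -> Account:
    """Constructed sample record; every value is an invented placeholder."""
    return Account("Holder Example", "00000000T", "Example Street 1, Example City",
                   "+34 600 000 000", "holder@example.invalid", "0000", "CONTRACT-0000")


def relative_answers() -> Dict[str, str]:
    """Constructed answers a cohabiting relative could plausibly give: the
    holder's identity data, not anything only the holder possesses."""
    return {"holder_name": "holder example", "dni": "00000000T",
            "address": "Example Street 1, Example City", "phone": "+34 600 000 000"}


if __name__ == "__main__":
    acct = holder_account()
    answers = relative_answers()
    print("operator protocol accepts relative:", kba_check(acct, answers))      # True
    print("hardened check accepts relative:", hardened_check(acct, answers))    # False
    code = issue_otp(acct)  # the holder receives this and relays it only if he agrees
    print("hardened check with holder's code:", hardened_check(acct, answers, otp=code))  # True
```

The point of the two functions side by side is the one the AEPD makes in its third foundation of law: every field `kba_check` asks for is something a family member or a tenant can know without the holder ever agreeing to the change, so the check measures familiarity, not authority. `hardened_check` keeps the same questions but only accepts when the holder has recorded the caller as a representative in advance, or when the holder himself receives and relays a single-use code, which ties the modification back to the contract holder's will.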
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00476/2021

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on April 26, 2021. The claim is directed against BASER COMERCIALIZADORA DE REFERENCIA, S.A., with CIF A74251836 (hereinafter, the claimed party). The reason on which the claim is based is that a third party contacted the claimed entity, with which the complainant has contracted the electricity supply, requesting an increase in the contracted power on the basis of a supposed authorisation that he did not grant. He provides, among other things, the following documentation:

- Voice recording dated February 3, 2021 in which a woman calls the claimed entity, claiming to suffer power outages. She is asked to identify herself with her DNI, to which she responds by asking whether she should provide hers or that of the holder of the contract, who is her brother. She provides the name, surnames and DNI of the holder.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party on June 3, 2021, so that it could analyse it and inform this Agency, within one month, of the actions carried out to comply with the requirements provided for in the data protection regulations.

On July 2, 2021, the claimed party submitted through the electronic registry its written allegations in response to the request for information in procedure E/06494/2021, noting that the platform enabled by the AEPD did not allow it to attach audio files to its defence, for which reason documents are attached in legible digital format. From these it follows that the claimed entity received a call from a woman who stated that she lived at the supply address but that the contract was in her brother's name, so the claimed entity, after requesting the DNI, name and surnames of the holder, answered the questions raised by that woman regarding the contracted power. The claimed entity informs the caller that the contracted power is 1.4 KW, to which she points out that someone has changed the contracted power because it was 1.8 KW. The claimed entity informs her that, through the website, the holder changed the contracted power from 1.8 KW to 1.4 KW on February 1, 2021, and that the power change can be made again, which is done at her request.

For all these reasons, the claimed entity states that the customer service department complied with the Protocol by requesting the holder's DNI, name and surnames, telephone number and supply address, so it was not considered necessary to request the additional information provided for in the Protocol, such as the e-mail address or the account or contract numbers.

THIRD: On September 20, 2021, the Director of the Spanish Data Protection Agency agreed to admit for processing the claim presented by the complaining party.

FOURTH: On November 10, 2021, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of article 6 of the RGPD, typified in article 83.5 of the RGPD.

FIFTH: Having been notified of the aforementioned initiation agreement, the claimed party submitted written allegations in which, in summary, it states that it has acted at all times in accordance with its protocol, which consists of verifying that the caller has the name, surnames and DNI of the contract holder, the address of the supply point, and the telephone number or e-mail address and, if the caller does not have the information corresponding to the telephone number or e-mail address, additionally, the last four digits of the bank account in which the supply contract in question is domiciled, or the contract number. It states that the caller knew perfectly all the data requested, so she passed the Protocol, was therefore considered a representative of the contract holder, and the requested power change was processed. It considers that the modifications of the contracted electricity power at the supply address constitute a "pressure element" used by the complainant to try to resolve, by way of fact, a family conflict related to non-payment of the rent of the dwelling, and this is confirmed, according to the claimed entity, by an arbitration award it provides concerning such facts.

SIXTH: On December 15, the instructor of the procedure agreed to open a period for taking evidence, taking into account the prior investigation actions as well as the documents provided by the claimed party on November 23, 2021.

SEVENTH: On January 13, 2022, a proposed resolution was formulated, proposing the following:

That the Director of the Spanish Data Protection Agency sanction BASER COMERCIALIZADORA DE REFERENCIA, S.A., with CIF A74251836, for an infringement of article 6 of the RGPD, typified in article 83.5 of the RGPD, with a fine of 100,000 euros (one hundred thousand euros).

That the Director of the Spanish Data Protection Agency sanction BASER COMERCIALIZADORA DE REFERENCIA, S.A., with CIF A74251836, for an infringement of article 32 of the RGPD, typified in article 83.5 of the RGPD, with a fine of 50,000 euros (fifty thousand euros).

EIGHTH: Once the proposed resolution was notified, the claimed party submitted written allegations in which, in summary, it reiterates those already made, emphasising that the complainant's sister acted as his representative and that, therefore, her actions must have the same effects as if they had been performed by the complainant. Thus the processing of the complainant's personal data must in any case have its legal basis in the performance of the contract, under article 6.1.b) of the RGPD, on the understanding that the modification of the contract, made by the complainant's sister acting as his representative, was in fact made at the request of the contract holder, that is, the complainant. The claimed entity also states that it followed its security protocol and that it is not required to carry out any additional checks on the existence and scope of the mandate or representation questioned in this case.

From the actions carried out in this procedure and the documentation in the file, the following have been accredited:

PROVEN FACTS

FIRST: The complainant has an electricity supply contract with the claimed entity, which has made a change in the contractual conditions (increase of the contracted power) without his consent.

SECOND: The claimed entity states that it received a call from a woman who claimed to live at the supply address, so, after requesting the holder's data, it proceeded to change the contracted power.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD grants to each supervisory authority, and in accordance with articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II

Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, in its article 4.11 defines the consent of the data subject as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". In this sense, article 6.1 of the LOPDGDD establishes that "in accordance with article 4.11 of Regulation (EU) 2016/679, the consent of the data subject is understood to be any freely given, specific, informed and unambiguous indication of will by which he or she accepts, either by a statement or by a clear affirmative action, the processing of personal data concerning him or her".

For its part, article 6 of the GDPR establishes the following:

"1. Processing shall be lawful only if at least one of the following conditions is met:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
Point f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."

Secondly, to examine whether the claimed entity followed a correct action protocol, we must turn to article 32 of the RGPD, "Security of processing", which establishes that:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, where appropriate, among others:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct under article 40 or to an approved certification mechanism under article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this article.
4. The controller and the processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless required to do so by Union or Member State law."

III

In this case, the claimed entity is charged with modifying the characteristics of a supply contract concluded with the complainant without having his consent.

The claimed entity has presented arguments against the initiation agreement, as well as against the proposed resolution, expressing its disagreement with this sanctioning procedure and considering that it has acted at all times in accordance with its protocol, which consists of verifying that the caller has the name, surnames and DNI of the contract holder, the address of the supply point, and the telephone number or e-mail address and, in case the caller does not have the information corresponding to the telephone number or e-mail address, additionally, the last four digits of the bank account in which the supply contract in question is domiciled, or the contract number.

In this specific case, following the protocol established by the claimed entity, the DNI of the holder, the name and surnames, the telephone number and the supply address were requested.

In this sense, it must be considered that the protocol of the claimed entity does not reach the security levels required to guarantee that the processing of personal data complies with the data protection regulations, since the data required by the claimed entity in its security protocol (DNI, name and surnames, telephone and address) could be available to third parties.

It must be noted that knowledge of the DNI of the holder, the name and surnames, the telephone number and the supply address cannot, in the case of the complainant's sister, to whom he has leased the dwelling that is the object of the supply, lead to a presumption of representation, since her family and contractual relationship allows her to know such data without this implying the consent of the holder of the supply contract to its modification.

Thus, there are clear indications of two circumstances:

- The claimed entity has violated article 32 of the RGPD by not having an adequate security protocol that allows it to verify that the caller is acting on behalf of the complainant, since its security protocol requires the DNI of the holder, name and surnames, telephone number and supply address, data that may be available to third parties without this implying that they are acting on behalf of the contract holder.

- The claimed entity, by not having an adequate security protocol, has modified the contracted power without the consent of its holder, that is, the complainant, which constitutes a violation of article 6 of the GDPR.

IV

Article 72.1 b) of the LOPDGDD states that "in accordance with article 83.5 of Regulation (EU) 2016/679, the infringements that entail a substantial violation of the articles mentioned therein are considered very serious and shall be time-barred after three years, and in particular the following: b) The processing of personal data without any of the conditions of lawfulness of processing set out in article 6 of Regulation (EU) 2016/679 being met."

Article 73 of the LOPDGDD, for limitation purposes, qualifies as "Infringements considered serious": "In accordance with article 83.4 of Regulation (EU) 2016/679, the infringements that entail a substantial violation of the articles mentioned therein are considered serious and shall be time-barred after two years, and in particular the following: (...) g) The breach, as a consequence of the lack of due diligence, of the technical and organisational measures that have been implemented as required by article 32.1 of Regulation (EU) 2016/679."

V

Article 58.2 of the RGPD provides the following: "Each supervisory authority shall have all of the following corrective powers:
b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation;
d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
i) to impose an administrative fine pursuant to article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;"

Thus, in response to what results from the investigation, the claimed party may be ordered to carry out, within the designated period, the actions necessary so that the processing of the personal data used complies with the provisions of the GDPR.

VI

This infringement may be sanctioned with a fine of up to 20,000,000 euros or, in the case of an undertaking, an amount equivalent to up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, in accordance with article 83.5 of the RGPD.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD, considering as aggravating factors:

- The negligence of the claimed party in modifying the contract entered into with the complainant (article 83.2 b), without being certain that the person who called requesting the change represented the holder of the supply, since the data required in its protocol could be available to any third party.

- The link between the offender's activity and the processing of personal data (article 76.2.b) of the LOPDGDD).

Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on BASER COMERCIALIZADORA DE REFERENCIA, S.A., with CIF A74251836, for an infringement of article 6 of the RGPD, typified in article 83.5 of the RGPD, a fine of 100,000 euros (one hundred thousand euros).

SECOND: TO IMPOSE on BASER COMERCIALIZADORA DE REFERENCIA, S.A., with CIF A74251836, for an infringement of article 32 of the RGPD, typified in article 83.4 of the RGPD, a fine of 50,000 euros (fifty thousand euros).

THIRD: TO NOTIFY this resolution to BASER COMERCIALIZADORA DE REFERENCIA, S.A.

FOURTH: To warn the sanctioned party that it must pay the imposed sanction once this resolution becomes enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to article 62 of Law 58/2003, of December 17, by payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date of enforceability falls between the 1st and 15th of the month, both inclusive, the voluntary payment period will run until the 20th day of the following month or the next business day, and if it falls between the 16th and the last day of the month, both inclusive, the payment period will run until the 5th of the second following month or the next business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that, in accordance with the provisions of article 90.3 a) of the LPACAP, the final resolution in administrative proceedings may be provisionally suspended if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in article 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also provide the Agency with the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, the precautionary suspension will end.

Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es