AEPD (Spain) - PS/00099/2022

From GDPRhub

Revision as of 10:34, 26 October 2022

AEPD - ps-00099-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR, Article 32 GDPR, Article 83(4) GDPR, Article 83(5) GDPR, §71 LOPDGDD, §72 LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 35.000 EUR
Parties: n/a
National Case Number/Name: ps-00099-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

The Spanish DPA imposed a €35,000 fine on an energy company for the violation of Articles 5(1)(f) and 32 GDPR because an employee accidentally sent the data subject an email containing personal data belonging to other clients.

English Summary

Facts

The data subject submitted a complaint against a gas and electric company (the controller) for receiving emails containing personal data belonging to different people, including names, surnames, ID numbers, signatures, and the universal supply point code (which is a unique and permanent code that identifies every home or business which receives energy). The data subject had a contract with another company called “Free Energy” whose corporate address was the same as the controller’s and proceeded to request the deletion of their data from the controller before submitting the complaint to the Spanish DPA.

The DPA opened an investigation against the controller for a violation of Articles 5(1)(f) and 32 GDPR and found that the emails had been sent to the data subject by mistake by an employee of the company, as they were intended for another internal department. Moreover, the personal data breach went unnoticed and was therefore not notified to the DPA within the 72 hours foreseen in the GDPR. Two persons were affected, and there was no evidence that anyone other than the recipient had accessed their data. Finally, the controller deleted the data as requested by the data subject.

After the notification of the proposed fines, the controller claimed, in the first place, that the DPA would be infringing the principle ‘ne bis in idem’ by sanctioning the company both under Articles 5 and 32 GDPR. Secondly, the controller argued that a fine would be disproportionate to the infringement. In the third place, the infringement was not intentional. Finally, after the incident, the company implemented a list of technical and organisational measures to ensure security of the processing.

Holding

The DPA stated that the principle ‘ne bis in idem’ requires identity of subject, facts and grounds, which was not present in this case. Article 5(1)(f) and Article 32 GDPR related to different facts: the former applied because the personal data of two persons had been unlawfully exposed to a third party, the data subject, while the latter applied because of the controller's obligation to implement technical and organisational measures ensuring an adequate level of security, an obligation that was not met since the company had no protocol to avoid or filter the inclusion of clients' email addresses in internal communications.

Regarding the second claim, the DPA noted that the violation of these provisions is classified as a serious infringement under national legislation (Articles 71 and 72 LOPDGDD) and that both mitigating and aggravating circumstances had been taken into account, so the fines were proportionate.

Finally, the DPA made clear that it attributed no intent to the controller, only responsibility. For this, it referred to Supreme Court case law on the concept of culpability in administrative sanctions, which can arise from acts or omissions based on malice, imprudence, negligence or inexcusable ignorance. It also cited the recent Supreme Court judgment (Sentencia 188/2022 of 15/02/2022), which held that legal entities are responsible for their employees' acts: this is not strict liability, but the employees' lack of due care is transferred to the legal entity.

Considering the above, the Spanish DPA upheld the complaint and sanctioned the controller with €10,000 for the violation of Article 5(1)(f) GDPR and €25,000 for the violation of Article 32 GDPR.

Comment

There is a pattern in the Spanish DPA's resolutions of treating as aggravating circumstances the industry to which the controller belongs and the amount of data it is meant to handle due to its activity. In the same sense, the fact that the security breach did not affect more than three persons is considered a mitigating circumstance.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: PS/00099/2022

                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

                                  BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on March 28, 2021. The claim is directed against OES GLOBAL ENERGY S.L. with NIF B01901941 (hereinafter, OES). The grounds on which the claim is based are as follows:

The claimant indicates that they have gas and energy supply contracts with the company FREE ENERGÍA, but have received an email from OES, whose address coincides with that of FREE ENERGÍA, in which withdrawal documents of some electricity contracts signed by two other customers, identified by their name and DNI, are attached.

Provided, along with the written claim:

- Printout of an email dated March 18, 2021 sent by clients@oesenergia.com (indicated to be from the SAC and Incidents Department) to various email addresses, including that of the claiming party. In this email, it is indicated that the email of a client requesting the withdrawal of contracts is attached, together with the name and surname of a client with 10 CUPS, and the name and surname of another client with 2 CUPS. The names of these two clients are different from the claimant's.

- Printout of two pages of the annex to the previous email, which are the last page of withdrawals with SUMINISTRADOR IBÉRICO DE ENERGÍA, S.L. – OES ENERGÍA (with NIF B67421875) and the two clients that appeared in the email. Of these two clients the following data are shown: name, surname, DNI, CUPS and handwritten signature.

- Printout of an email dated March 26, 2021 sent by the claimant to datos@oesenergia.com requesting the deletion of their data because they have received an email with data from other clients, attaching the previous email dated March 18, 2021.





SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to OES so that it could proceed to its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the data protection regulations.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), was not collected by the controller; the transfer was reiterated on 05/26/2021 by certified mail and was again returned as "unknown".

No response has been received to this transfer letter.

THIRD: On June 28, 2021, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.

FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the supervisory authorities in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, establishing the following:

INVESTIGATED ENTITIES

During these proceedings, the following entity has been investigated:

OES GLOBAL ENERGY S.L. with NIF B01901941 with address in RAMBLA DEL GARRAF, Nº 76 - 08812 SANT PERE DE RIBES (BARCELONA)



RESULT OF THE INVESTIGATION ACTIONS

The following information is provided, among others:

1. Indication that the incident described by the claimant occurred due to an isolated error when including the email address of the claimant as recipient of an internal company email.

2. Indication that this incident was not reported to the AEPD within 72 hours because, since the security breach was not detected, the possibility of notifying the AEPD or those affected did not arise.

3. Indication that, since there are two affected parties and due to the type of data, the incident does not imply a risk to the rights and freedoms of those affected.

4. Indication that there is no evidence that third parties have accessed the data, apart from the claimant.

5. Indication that the email sent by the complaining party was not detected due to a human error; for this reason, OES did not respond to the claimant's deletion request until this file was sent to it by the AEPD.

6. Printout of an email dated February 17, 2022 sent by juridico@grupovisalia.com to the email of the complaining party, indicating that the response to their request to OES is attached, together with a letter addressed to the claimant with the following content:

         In response to your data protection request, we inform you that, in accordance with it, OES ENERGÍA has proceeded to process the deletion of your personal data.

         Notwithstanding the foregoing, and in accordance with the provisions of article 17.3 RGPD, we will proceed to keep your data for the fulfilment of the legal obligations that may arise from your legal relationship with the company, as well as, where appropriate, to comply with judicial requirements.

         For all these reasons, and given that OES ENERGÍA wants to scrupulously respect the exercise of your rights, we inform you that we remain at your disposal for any clarification you need.


FIFTH: On April 4, 2022, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, and Article 32 of the RGPD, typified in article 83.4 of the RGPD.


Once notified of the initiation agreement, OES submitted a brief of arguments which, in synthesis, stated:

- That it considers the proposed economic sanction disproportionate for the alleged non-compliance with the indicated precepts, since the criterion followed by the AEPD when imposing sanctions for presumed infractions of articles 5.1.f) and 32 RGPD in other files diverges from that established in this Sanctioning Procedure, OES thereby suffering a comparative grievance. OES adds that it does not quite understand why the proposed penalty in this Sanctioning Procedure is so high, especially considering that the sanctioning activity of the Administration is subject to the principle of proportionality, and that it understands that the amount of the sanctions imposed has not been properly modulated.

       - In this regard, this Agency points out that, although the penalty initially set is within the framework established by articles 83.5 and 83.4 of the RGPD, for the infringement of articles 5.1.f) RGPD and 32 RGPD respectively, it is no less true that there are several factors that must be considered when setting the sanction so that it is proportional and appropriate to the infraction analyzed in each case. Taking, then, all the factors into consideration and studying the allegations made by OES in this regard, it can be concluded that it would be appropriate to partially uphold them in the sense of reducing the amount of the fines initially proposed.


- That one of the principles governing administrative sanctioning law is the "non bis in idem" principle, which implies that two or more sanctions may not be imposed on the same facts, and that the fact that prompts this Sanctioning Procedure is the sending, due to a human and isolated error, of an internal email to a client who was mistakenly put as its recipient.

OES understands that this fact is sanctioned by the AEPD twice, once for infringement of article 5.1.f) RGPD in relation to the non-observance of the principle of confidentiality and integrity, and once for the breach of article 32 RGPD regarding the lack of adoption of technical and organizational measures appropriate to guarantee a level of security appropriate to the risk of the processing, when it should be sanctioned for a single infraction.

       - In this regard, it should be noted that Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP) includes the NON BIS IN IDEM principle, by establishing in its article 31.1:

       "Facts that have already been sanctioned criminally or administratively may not be sanctioned, in cases in which identity of subject, fact and grounds is found."

       In the present sanctioning procedure, the necessary presuppositions are not given, since different facts are imputed, each of them, likewise, typified in different articles of the RGPD. The assumption typified in article 5.1.f) of the RGPD refers to the fact that the personal data of two clients of OES were exposed to a third party. The assumption typified in article 32 refers to the fact that both the controller and the processor must take appropriate technical and organizational measures to ensure a level of security appropriate to the risk, concluding that such measures had not been adopted in the present case.


- That the facts that have led to the initiation of the Sanctioning Procedure do not obey, in any case, a desire to break the confidentiality of the data of OES clients, nor any other type of intention of OES to breach its obligations in terms of data protection, the necessary requirement of guilt for imposing an administrative sanction not being met, since the jurisprudential criterion is established that any sanction should be ruled out apart from faulty or negligent conduct (principle of culpability in sanctioning matters); so they want to show that, in no case, OES has sought a result of disclosure of the personal data of its clients and that a claim for these facts has only been produced, as previously mentioned, due to a human and isolated error.


       - In this regard, this Agency cites the Judgments of the Supreme Court of 12 (rec. 388/1994) and May 19, 1998, Sixth Section, which state that "in the scope of administrative responsibility it is not enough that the conduct is unlawful and typical, but it is also necessary that it be guilty, that is, the consequence of an action or omission attributable to its author due to malice, imprudence, negligence or inexcusable ignorance (...)"

       In the present case, it can be seen that OES is responsible and, therefore, guilty, in the sense indicated by the aforementioned judgments, of the infractions imputed, without being excused by the lack of intentionality, because there is no doubt that its conduct has been at least imprudent, in sending by email to a client the contracts corresponding to two other persons, contracts containing personal data.


- That, from the moment it became aware of the security breach that originally gave rise to the Initial Requirement and, later, to the Sanctioning Procedure, it has applied the following technical and organizational measures (in addition to those indicated in the response to the Initial Request):

• Implementation of training courses for employees

• Configuration of the email of all personnel, eliminating predictive email autocomplete.

• Study of the feasibility of forwarding email to an external mail server to filter recipients.

       - In this regard, this Agency has nothing to object to or add to the measures implemented.
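
The recipient filter that OES said it was studying, and the protocol for keeping client addresses out of internal communications whose absence the Agency relies on for Article 32, can be illustrated with a small outbound check at the mail gateway. The following Python is an added example written for this page; it is not OES's configuration and not code from the decision. The internal domain, the "internal-only" departmental mailbox and the hold-or-deliver policy are assumptions made for the illustration.

```python
"""Outbound recipient check for internal mail.

Added illustration of the 'filter recipients at the mail server' measure;
the domains, mailboxes and policy below are assumptions, not OES's setup.
"""
from dataclasses import dataclass, field
from email.utils import parseaddr

# Assumption: the organisation's own mail domain(s). Subdomains count as internal.
INTERNAL_DOMAINS = {"oesenergia.com"}

# Assumption: departmental mailboxes whose mail is meant for internal departments only.
INTERNAL_ONLY_SENDERS = {"clients@oesenergia.com"}


@dataclass
class OutboundMessage:
    sender: str
    recipients: list                                  # To/Cc/Bcc, display names allowed
    attachments: list = field(default_factory=list)   # attachment file names


@dataclass
class Verdict:
    action: str                 # "deliver" or "hold" (held mail goes to a reviewer)
    external_recipients: list
    reasons: list


def domain_of(address):
    """Return the lower-cased domain of an address such as 'Name <user@host>'."""
    _, bare = parseaddr(address)
    return bare.rpartition("@")[2].lower()


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True unless the address belongs to an internal domain or one of its subdomains."""
    dom = domain_of(address)
    return not any(dom == d or dom.endswith("." + d) for d in internal_domains)


def check_outbound(msg, internal_domains=INTERNAL_DOMAINS,
                   internal_only_senders=INTERNAL_ONLY_SENDERS):
    """Decide whether an outbound message may leave the organisation.

    The message is held for review when external recipients are present and
    either the sender is an internal-only departmental mailbox or the message
    carries attachments (signed contracts, in the case described on this page).
    """
    external = [r for r in msg.recipients if is_external(r, internal_domains)]
    reasons = []
    if external:
        _, bare_sender = parseaddr(msg.sender)
        if bare_sender.lower() in internal_only_senders:
            reasons.append("internal-department mailbox addressing external recipients")
        if msg.attachments:
            reasons.append("attachments addressed outside the organisation")
    return Verdict("hold" if reasons else "deliver", external, reasons)


if __name__ == "__main__":
    # Constructed sample: an internal withdrawal notice on which a client address
    # was added as a recipient, the pattern described in the decision.
    msg = OutboundMessage(
        sender="clients@oesenergia.com",
        recipients=["backoffice@oesenergia.com", "Cliente <cliente@example.net>"],
        attachments=["bajas_contratos.pdf"],
    )
    v = check_outbound(msg)
    print(v.action, v.external_recipients, v.reasons)
```

The check deliberately matches on the bare address rather than the display name, so a contact saved under an internal-looking name still counts as external, and a look-alike domain such as `oesenergia.com.example.net` is not treated as internal. A held message is the point at which a reviewer, rather than the sender's autocomplete, decides whether the client really belongs on the recipient list.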

SIXTH: On June 1, 2022, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency sanction OES GLOBAL ENERGY S.L., with NIF B01901941:

- for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, with a fine of €25,000 (twenty-five thousand euros).
- for an infringement of Article 32 of the RGPD, typified in Article 83.4 of the RGPD, with a fine of €10,000 (ten thousand euros).

SEVENTH: Once the proposed resolution was notified, OES presented a new written allegation dated 08/04/2022, in which all the allegations made in the previous writings are considered reproduced, and adds that:

- In relation to the reasoning set forth by the AEPD in response to the third allegation in the proposed resolution, it does not share this argument for the following reasons:

 1st. The AEPD on the one hand indicates that OES cannot be exonerated by its lack of intentionality, but justifies this in the existence of conduct that "has been reckless to say the least." This party understands that intentionality (fraud) and imprudence are opposite terms and that malicious conduct cannot be the consequence of reckless conduct or, in other words, OES cannot be attributed with having acted intentionally when the conduct that allegedly originates the fraud in the action is qualified as negligent by the AEPD.

 2nd. In any case, the allegedly infringing conduct indicated by the AEPD and imputed to OES as "reckless", this party understands, could only be attributable to an alleged infringement by OES of article 32 RGPD in relation to the technical and organizational measures applied to the processing of personal data since, where appropriate, it would be up to the data controller to design and implement those necessary to safeguard the security of the personal data processed. However, the fact that, in the company's field of activity, a worker imprudently copied the claimant on an email whose recipients should have been only internal personnel of the company constitutes a circumstance that, beyond the possible technical and/or organizational measures that OES could have implemented at the time, escapes the effective control of the company insofar as it is a human and isolated error that consisted in not checking the recipients of an internal email prior to sending.


In view of everything that has been done by the Spanish Data Protection Agency in this proceeding, the following are considered proven facts:

                                PROVEN FACTS

FIRST: It is proven that the claimant party had signed gas and energy supply contracts with the company FREE ENERGÍA.

SECOND: It is proven that the complaining party received an email from OES, whose address coincides with that of FREE ENERGÍA, to which withdrawal documents from some electricity contracts signed by two other customers, identified with their name and ID, are attached.


                           FOUNDATIONS OF LAW

                                           I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and as established in articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."


                                           II
In relation to the allegations presented to the proposed resolution, OES considers reproduced those already presented above and adds that:

1- In relation to the reasoning set forth by the AEPD in response to the third allegation in the proposed resolution, it does not share this argument, since the AEPD on the one hand indicates that OES cannot be exonerated by its lack of intentionality, but justifies this in the existence of conduct that "has been at least reckless", and they understand that intentionality (fraud) and recklessness are opposite terms, malicious conduct not being able to result from reckless conduct or, to put it another way, OES cannot be credited with having acted intentionally when the conduct that supposedly originates the fraud in the action is qualified as negligent by the AEPD itself.

       - In this regard, this Agency clarifies that at no time has intentionality in action been attributed to OES, but rather responsibility, in the sense given by the sentences cited, Judgments of the Supreme Court of 12 (rec. 388/1994) and May 19, 1998, Sixth Section, which state that "in the context of administrative liability it is not enough that the conduct is unlawful and typical, but it is also necessary that it be guilty, that is, the consequence of an action or omission attributable to its author due to malice, recklessness, negligence or inexcusable ignorance (...)"



2- The allegedly infringing conduct indicated by the AEPD and attributed to OES as "reckless", they understand, could only be attributable to a supposed violation by OES of article 32 RGPD in relation to the technical and organizational measures applied to the processing of personal data since, where appropriate, it would be up to the data controller to design and implement those that were necessary to safeguard the security of the personal data processed.

However, the fact that, in the scope of the ordinary activity of the company, a worker recklessly copied the claimant on an email whose recipients should have been only internal staff of the company constitutes a circumstance that, beyond the possible technical and/or organizational measures that OES could have implemented at the time, escapes the effective control of the company as it is a human and isolated error that consisted of not reviewing the recipients of an internal email prior to its sending.

- In this regard, this Agency cites Judgment 188/2022 of the Third Chamber (Administrative Litigation) of the Supreme Court, dated 02/15/2022, which in its Third Legal Foundation indicates:

(...) Finally, it is appropriate to remember that legal persons are responsible for the actions of their employees or workers. This does not therefore establish strict liability, but rather responsibility for the lack of diligence of their employees; in this sense STC 246/1991, of December 19, f.j. 2. (…)


                                           III
Article 5.1.f) "Principles relating to processing" of the RGPD establishes:

"1. Personal data shall be:
(…)

       f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality')."

In the present case, it is clear that there was an improper exposure of personal data of clients, stored in the OES database, since signed documents containing personal data such as name, surnames and DNI were sent by email to a third party.


                                           IV
Article 83.5 of the RGPD, under the heading "General conditions for imposing administrative fines", provides:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

       a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (…)"

In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements."

For the purposes of the limitation period, article 72 "Infringements considered very serious" of the LOPDGDD indicates:

"1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, the infringements that entail a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following:

       a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)"


                                           V
For the purposes of deciding on the imposition of an administrative fine and its amount, it is considered that the infringement in question is serious for the purposes of the RGPD and that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD:

As mitigating factors:

           - The incident affected only three people, and to date it has not been verified that they suffered any damage derived from it. (Article 83.2.a)

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD:

As aggravating factors:

           - The link between the offender's activity and the processing of personal data, since, being an energy supply company with numerous clients with whom it signs contracts, it processes a large number of personal data. (Article 76.2.b)

The balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the provisions of article 5.1.f) of the RGPD, once the allegations of OES have also been examined, allows a penalty of €25,000 (TWENTY-FIVE THOUSAND EUROS).


                                          SAW
Article 32 “Security of treatment” of the RGPD establishes:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

       a) the pseudonymisation and encryption of personal data;
       b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
       c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
       d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.


4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”

In the present case, at the time of the breach, OES had not adopted a minimum of measures tending to prevent the e-mail address of the complaining party from being included alongside the e-mail addresses of people belonging to its own organisation, for whom the withdrawal documents of several CUPS of two clients were intended, which is why she ended up receiving documents not originally intended for her, containing personal data of third parties.


                                           VII
Article 83.4 of the RGPD, under the heading "General conditions for imposing administrative fines", provides:

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

       a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)”

In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 constitute infringements, as well as those that are contrary to this organic law.”

For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates:

“Based on the provisions of article 83.4 of Regulation (EU) 2016/679, the infringements that entail a substantial violation of the articles mentioned therein are considered serious and shall prescribe after two years, and in particular the following:

       (…)
       f) The failure to adopt those technical and organisational measures that are appropriate to guarantee a level of security adequate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679.

       (…)”

                                          VIII
For the purposes of deciding on the imposition of an administrative fine and its amount, it is considered that the infringement in question is serious for the purposes of the RGPD and that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the RGPD:


As mitigating factors:
           - The incident affected only three people, and to date it has not been verified that they suffered any damage derived from it. (Article 83.2.a)

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD:

As aggravating factors:
           - The link between the offender's activity and the processing of personal data, since an energy supply company, with numerous clients with whom it signs contracts, processes a large number of personal data. (Article 76.2.b)

The balance of the circumstances contemplated in article 83.2 of the RGPD and article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 32 of the RGPD, once the allegations presented by OES have also been analysed, allows a penalty of €10,000 (TEN THOUSAND EUROS) to be set.

Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on OES GLOBAL ENERGY S.L., with NIF B01901941, for an infringement of Article 5.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a fine of €25,000 (TWENTY-FIVE THOUSAND EUROS).

TO IMPOSE on OES GLOBAL ENERGY S.L., with NIF B01901941, for an infringement of Article 32 of the RGPD, typified in Article 83.4 of the RGPD, a fine of €10,000 (TEN THOUSAND EUROS).


SECOND: NOTIFY this resolution to OES GLOBAL ENERGY S.L.

THIRD: To warn the sanctioned party that it must make the imposed sanction effective once this resolution becomes enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.


Once the notification has been received and the resolution has become enforceable, if the date on which it becomes enforceable falls between the 1st and 15th of each month, both inclusive, the voluntary payment period will run until the 20th of the following month or the next business day thereafter, and if it falls between the 16th and the last day of each month, both inclusive, the payment period will run until the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended in administrative proceedings if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. It must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, the precautionary suspension will end.


                                                                                938-120722
Mar España Martí
Director of the Spanish Data Protection Agency