AEPD - PS/00220/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(d) GDPR; Article 17 GDPR; Article 83(2)(b) GDPR; Article 83(2)(g) GDPR; Article 83(5)(a) GDPR; Article 83(5)(b) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 21.01.2021 |
Published: | |
Fine: | 100000 EUR |
Parties: | IBERDROLA CLIENTES, SAU |
National Case Number/Name: | PS/00220/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve |
The Spanish DPA (AEPD) has imposed two fines of €50,000 on IBERDROLA CLIENTES, SAU for infringement of Article 5(1) GDPR and Article 17 GDPR respectively.
English Summary
Facts
A former IBERDROLA client complained to the Spanish DPA (AEPD) that the electricity supply company did not respond to his requests to delete his personal data.
The claimant moved house and informed the company of the change of address for notification purposes. Even so, the company continued to send letters to the previous address.
In the same letter notifying the change of address, the claimant requested the withdrawal of his details due to the cancellation of the service. This request was not answered because of the error in updating the claimant's details mentioned above.
Dispute
Is the failure to update personal data a breach of Article 5(1)(d) GDPR?
Can this failure to update data result in a refusal to comply with Article 17 GDPR?
Holding
The AEPD held that IBERDROLA had failed to update the customer's data and that this resulted in the inclusion of the complainant's data in a creditworthiness file and in a failure to comply with its obligations regarding the request for deletion of personal data.
The GDPR applies because maintaining the incorrect address constitutes a continuous infringement that lasts for as long as the data quality problem that caused the infringement has not been remedied.
Therefore, in the present case, there is an infringement of Article 5(1)(d) of the GDPR because no payment order was issued due to a data quality problem.
The AEPD took into account that the action was unintentional but significantly negligent (Article 83(2)(b) GDPR) and that basic personal identifiers were affected (Article 83(2)(g) GDPR).
The economic volume of the company is also taken into account in the penalty scale.
Comment
The Resolution refers to the former Organic Law on Data Protection (LOPD) because the events occurred before the entry into force of the Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPDPGDD).
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00220/2020

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

PRECEDENTS

FIRST: A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency on January 12, 2018. The claim is directed against IBERDROLA CLIENTES, SAU (hereinafter, the claimed). The reasons on which the claim is based are that the claimed entity has denied the claimant's right to cancel their personal data. Which, according to the complainant, took place on the date of:

And, among others, the following documentation is attached:

- Copy of the request for information on the processing of the claimant's personal data and cancellation of these, sent to IBERDROLA dated 11 November 2016, and acknowledgment of receipt. In this request, the claimant also informs the company of the new address for the purposes of notifications, having not resided at the supply installation address since May 31, 2016.
- EQUIFAX IBERICA report on the data of the claimant reported to the ASNEF file, dated August 16, 2016.

SECOND: On January 26, 2018, after analyzing the documentation that was in the file, a resolution was issued by the Director of the Spanish Agency for Data Protection, in response to the protection of right TD/00157/2018, agreeing to reject the claim. The resolution was notified to the affected party on January 30, 2018.

THIRD: On February 28, 2018, this Agency received, with registration number 070251/2018, an appeal for reconsideration (RR/00135/2018) filed by the claimed against the inadmissibility of their claim, justifying it, basically, on the same facts and arguments presented in the claim.

FOURTH: On April 24, 2018, the Director of the Spanish Agency for Data Protection resolved to dismiss the appeal for reconsideration filed by the claimed against the Resolution of this Agency issued on January 26, 2018, agreeing to file the claim.
FIFTH: On July 23, 2018, this Agency received, with registry number 186710/2018, an official letter sent by the National Court, Contentious-Administrative Chamber, Section 001, informing of the filing before that court by the claimant of contentious-administrative appeal nº *** RECURSO.1 against the resolution of this Agency, and requesting a copy of the file and a copy of the supporting documents of the locations of the interested parties.

SIXTH: On October 21, 2019, this Agency received, with registration number 049866/2019, a judgment partially upholding the appeal, ordering that preliminary investigation proceedings be opened regarding IBERDROLA CLIENTES S.A.U. in order to determine the reasons for the failure to comply with the claimant's right and to determine whether the mandatory prior payment requirement was produced as required by article 38.c of the RLOPD.

SEVENTH: On November 11, 2019, these investigation actions were opened, assigning the file number E/10786/2019, in relation to the claim presented by the claimant, in order to determine the aspects indicated in the judgment sent to this Agency by the National High Court, Administrative Litigation Chamber, dated October 21, 2019.

BACKGROUND

FIRST: In view of the facts denounced in the claim and the procedures and judgment to which they have given rise, the Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD).
As a result of the investigative actions carried out, it is verified that the party responsible for the treatment is the claimed. Likewise, the following points are found:

Information having been requested from IBERDROLA on the aspects indicated in the judgment sent to the Spanish Data Protection Agency on October 21, 2019, on July 2, 2020 this Agency received, with registration number 022916/2020, a brief of allegations stating the following facts:

That an attempt was made to notify the prior request for payment on up to three occasions, on the dates July 22, 2016, August 10, 2016 and November 2016, specifying: "If this prior payment requirement is disregarded, we will proceed to communicate data regarding non-payment to the corresponding delinquency records".

That on November 21, 2016, a response was given to the request of the claimant indicating that he had 2 bills pending payment, the reason for which his data had been communicated to the ASNEF file. Also, on December 22, 2016, a communication was again sent to the claimant informing him that his debt amounted to XXX.- €. Debt that still remains today.

That notwithstanding the foregoing, the claimant has been removed from the ASNEF-EQUIFAX file of breach of monetary obligations, with date June 4, 2020.

And they attach the following documents:

- Communications dated November 21, 2016 and December 22, 2016 informing the claimant of the debt.
- Certificates of return of the prior request for payment dated July 22, 2016, August 10, 2016 and November 23, 2016.

SECOND: Having examined all this documentation, it is verified that there is a discrepancy between the claimant's address and the one recorded at IBERDROLA. The claimant informed the company of the new address for the purpose of communications on November 11, 2016, having left the address registered at IBERDROLA on May 31, 2016.
The notifications sent to the claimant by IBERDROLA between July 22 and November 23, 2016 requesting the debt were sent to the supply installation address, where the claimant no longer resided, and were therefore returned twice for "absent" and the third time for "unknown". Despite not having been able to make the notification, the claimant's data was reported to the ASNEF financial solvency and credit file.

Regarding the request to cancel the claimant's data of November 11, 2016, IBERDROLA ignored the change of address reported by the claimant to this company in that same request, and again sent the responses dated November 21 and December 22, 2016 to the supply installation address.

THIRD: On September 1, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed, for the alleged infringement of article 5.1.d) of the RGPD and article 17 of the RGPD, typified in Article 83.5 of the RGPD.

FOURTH: Once the aforementioned initiation agreement was notified, the defendant requested a copy of the file and an extension of the allegations period, both requests being granted, and a copy of the file was sent, which appears as received on September 2020.

FIFTH: The defendant presented a brief of allegations in which, in summary, it stated that the claimant contracted on July 16, 2010 the electricity supply of a house located in Benidorm, which is proven by telephone recording.

Secondly, it states that on March 15, 2016 the claimant received the new conditions of the electricity supply contract, in which clause 12.3 indicates that:

"The Client is informed that, in the event that payment is not made under the terms provided for in condition 8 of this Contract and if all the requirements required by Royal Decree 1720/2007 are met, the data relating to non-payment may be communicated to the files regarding the breach of monetary obligations.
"

Third, the defendant indicates that, during the term of the contract, the claimant failed to pay the invoices issued on June 16, 2016, for an amount of 32.74 euros, and July 19, 2016, for an amount of 20.32 euros, for which reason the claimant was sent three requests for payment, on July 22, 2016, August 10, 2016 and November 23, 2016, at the address of the claimant incorporated into the contract, mentioning the inclusion in solvency files in accordance with clause 12.3 of the contract.

On November 21, 2016, the claimant requests the withdrawal of her electricity supply contract as a result of the termination of the lease on the home for which said supply was contracted, including in its heading a new address for notification purposes. In said letter, the withdrawal of the contract is requested with effect May 31, 2016, that is, six months prior to the date of the aforementioned communication. At the same time, the claimant requests the cancellation of her personal data from the systems of the claimed entity.

In response to the request for cancellation, the claimed entity addresses the claimant on November 22 and December 22, 2016, indicating the impossibility of proceeding to the cancellation of the data included in the ASNEF file as a consequence of non-payment of the service.

Fourth, the defendant states that it was not aware of the change in address of the claimant until November 21, 2016.

SIXTH: On October 20, 2020, the procedure instructor agreed to the opening of a period for the taking of evidence, taking as incorporated the preliminary investigation actions, E/10786/2019, as well as the documents provided by the claimed.
SEVENTH: On October 28, 2020, a resolution proposal was formulated, proposing that the defendant be punished for the alleged infractions of articles 5.1 d) and 17 of the RGPD, infractions typified in articles 83.5 a) and 83.5 b) of the RGPD and classified as very serious in articles 72.1 a) and 72.1 k) of the LOPDPGDD respectively for prescription purposes, with a fine of 50,000 euros (fifty thousand euros) for the sanction of article 83.5 a) corresponding to the violation of article 5.1 d) of the RGPD and a fine of 50,000 euros (fifty thousand euros) for the sanction of article 83.5 b) for the violation of article 17 of the RGPD.

From the actions carried out in this procedure and the documentation on file, the following have been accredited:

PROVEN FACTS

FIRST: On *** DATE 1, the claimant contracted by telephone the electricity supply of a house located in *** LOCALIDAD.1.

SECOND: The claimant did not pay the invoices issued on June 16, 2016, for the amount of XXX euros, and July 19, 2016, for the amount of XXX euros, which is why the claimed entity sent the claimant three payment requirements, on July 22, 2016, August 10, 2016 and November 2016, sent to the supply installation address, where the claimant no longer resided, and therefore they were returned twice for "absent" and the third time for "unknown".

THIRD: Despite not having been able to make the notification, the data of the claimant were reported to the ASNEF patrimonial solvency and credit file.

FOURTH: On November 21, 2016, the claimant requests the cancellation of her data and the cancellation of her electricity supply contract as a result of the termination of the lease on the dwelling for which said supply was contracted, including in its heading a new address for notification purposes.
FIFTH: The claimed entity ignored the change of address reported by the claimant to this company, and again sent new communications dated November 21 and December 22, 2016 to the supply installation address, instead of to the new address indicated by the claimant.

FOUNDATIONS OF LAW

I

The Director of the Spanish Agency for Data Protection is competent to resolve this procedure, in accordance with the provisions of art. 58.2 of the RGPD and arts. 47 and 48.1 of the LOPDGDD.

II

Article 6.1 of the RGPD establishes that "in accordance with the provisions of Article 4.11 of Regulation (EU) 2016/679, the consent of the affected party means any manifestation of free, specific, informed and unequivocal will by which they accept, either through a declaration or a clear affirmative action, the processing of personal data concerning them".

For its part, article 5 of the RGPD establishes that personal data will be:

"a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and transparency");

b) collected for specific, explicit and legitimate purposes, and will not be processed subsequently in a manner incompatible with said purposes; in accordance with article 89, section 1, the subsequent processing of personal data for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes is not deemed incompatible with the original purposes ("purpose limitation");

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");

d) accurate and, if necessary, updated; all reasonable measures will be taken so that personal data that are inaccurate with respect to the purposes for which they are processed are erased or rectified without delay ("accuracy");

e) maintained in a way that allows the identification of the interested parties for no longer than is necessary for the
purposes of processing personal data; the personal data may be kept for longer periods provided that they are treated exclusively for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of the appropriate technical and organizational measures that this Regulation imposes in order to protect the rights and freedoms of the data subject ("limitation of the conservation period");

f) treated in such a way as to guarantee adequate security of the personal data, including protection against unauthorized or illegal processing and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures ("integrity and confidentiality").

The person responsible for the treatment will be responsible for compliance with the provisions of paragraph 1 and able to demonstrate it ("proactive responsibility")."

III

In the case analyzed here, it has been proven that the claimant exercised her right of cancellation before the claimed on November 11, 2016, and the request did not receive a response, despite the right recognized in article 16 of the LOPD, in force at the time of the events, a right currently recognized in Article 17 of the RGPD, called the right to erasure ("the right to be forgotten"), a precept which governs the claimant's right of deletion, stating that the data subject will have the right to obtain without undue delay from the controller the deletion of the personal data concerning them.

In addition, according to the evidence available at the present moment, the notifications sent to the claimant by IBERDROLA between July 22 and November 23, 2016 requesting the debt were sent to the supply installation address, where the claimant no longer resided, despite the new address having been communicated in May 2016.

Therefore, these communications were returned on two occasions for being "absent"
and the third for "unknown".

On the other hand, the claimed entity states that it had no knowledge of the change of address of the claimant until November 21, 2016, although the complainant states that she communicated it on November 11, 2016.

Despite this, to indicate to the claimant the impossibility of proceeding with the cancellation of the data included in the ASNEF file as a consequence of the non-payment of the service, the claimed entity continued to address the claimant at the address of the supply contract, instead of the new one indicated by the claimant, in its communications dated November 22 and December 22, 2016, that is, after the date on which it declares to have known the new address for the purposes of communications.

Article 26 of Law 40/2015 on the Legal Regime of the Public Sector establishes that the sanctioning provisions in force at the time the facts that constitute an administrative offense occur shall apply.

Thus, it is considered that the claimant was improperly included in the patrimonial solvency files, since the notifications of the prior requirement of payment were all returned for absent or unknown recipient, being addressed to an incorrect address, as the claimant ceased to reside at said address in May 2016 and, despite the change of address to which communications should be directed having been notified, they continued to go to the address of the supply contract, so the claimant did not receive any of the prior payment requirements, which implies the violation of articles 38.1 a), and 43 of the RLOPD that state that "Personal data will be accurate and updated in such a way that they respond truthfully to the current situation of the affected", regulations in force at the time of the offense.
The application of the RGPD is determined because the maintenance of the incorrect address constitutes a continuous offense that lasts for as long as this data quality problem, which is the cause of the infraction in question, is not corrected.

Therefore, in the present case there is an infringement of article 5.1 d) of the RGPD because the due payment request was not made due to a data quality problem.

IV

Article 72.1.a) of the LOPDGDD states that "in accordance with Article 83.5 of Regulation (EU) 2016/679, infractions that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following:

a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679

k) The impediment or the obstruction or the repeated neglect of the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679."

V

Article 58.2 of the RGPD provides the following: "Each control authority will have all of the following corrective powers listed below:

b) sanction any person responsible or in charge of the treatment with a warning when the treatment operations have infringed the provisions of this Regulation;

d) order the person responsible or in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time;

i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;"

VI

This offense can be sanctioned with a fine of a maximum of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the higher amount, in
accordance with article 83.5 of the RGPD.

Likewise, it is considered that the sanction to be imposed should be adjusted in accordance with the following criteria established in article 83.2 of the RGPD:

As aggravating factors, the following:

- In the present case we are dealing with unintentional but significant negligent action (article 83.2 b).
- Basic personal identifiers are affected (name, surname, address, telephone), according to article 83.2 g).

Therefore, in accordance with the applicable legislation and the criteria for the graduation of sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE on IBERDROLA CLIENTES, SAU, with NIF A95758389, a fine of 50,000 euros (fifty thousand euros) for the violation of article 5.1 d) and a second fine of 50,000 euros (fifty thousand euros) for the violation of article 17 of the RGPD, each typified in articles 83.5 a) and 83.5 b) of the RGPD respectively, and classified as very serious in articles 72.1 a) and 72.1 k) of the LOPDPGDD for prescription purposes.

SECOND: NOTIFY this resolution to IBERDROLA CLIENTES, SAU.

THIRD: Warn the sanctioned party that the sanction imposed must be paid once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of its deposit, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection at the bank CAIXABANK, S.A.
Otherwise, it will be collected in the executive period.

Once the notification has been received and once it is enforceable, if the enforcement date falls between the 1st and the 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th day of the following or immediately subsequent business month, and if it falls between the 16th and the last day of each month, both inclusive, the payment term will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of one month from the day after notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution through administrative channels may be provisionally suspended if the interested party expresses the intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through a letter addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Agency for Data Protection

C/ Jorge Juan, 6 - 28001 Madrid - www.aepd.es - sedeagpd.gob.es