AEPD - PS/00025/2019

From GDPRhub
AEPD - PS/00025/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(a) GDPR

Article 5(1)(f) GDPR

Article 6(1)(a) GDPR

Type: Complaint
Outcome: Upheld
Decided: 31.10.2019
Published: n/a
Fine: 75,000 EUR
Parties: EDP comercializadora Vs anonymous
National Case Number: PS/00093/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

An energy provider was fined € 75.000 for not properly identifying a customer in an impersonation case.

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant filed a complaint because they received an invoice at their name for a contract that they did not sign. Indeed, an unauthorized person called the energy supplier to ask to change the contract.

Dispute[edit | edit source]

To what extent did the integrity and confidentiality obligation apply to the controller?

Holding[edit | edit source]

Although, it is apparent from the recorded conversation that the person confirmed their power of representation, the energy supplier EDP comercializadora did not verify the identity of customer and the reliability of the information provided.

Thus, the AEPD found that the complainant’s personal data has been processed unlawfully. The controller violated Articles 5(1)(a), 5(1)(f), 6(1)(a) and (b) GDPR. The data subject did not consent to the processing and there was no contractual relationship with the energy supplier.

A fine of € 75.000 has been imposed and the APED ordered to implement a new reliable and appropriate method for establishing identity.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Style ID: PS/00025/2019
938-051119


DECISION ON DISCIPLINARY PROCEEDINGS

From the procedure instructed by the Spanish Data Protection Agency and in consideration of the following

BACKGROUND

FIRST: D. A.A.A. (hereinafter, the claimant) submits to the Spanish Agency of Data Protection (AEPD) on 19 and 20 September 2018 a written statement in which he explains that EDP COMERCIALIZADORA, S.A.U., with NIF A95000295 (hereinafter, EDP or the claimed) has processed his personal data (name, surname, NIF, address and mobile phone number) without his consent linked to a gas contract to which he is unconnected.

With the letter of 20/09/2018, he provides a copy of a document entitled "Notification of non-payment" - which the claimant calls "invoice" - issued on 31/05/2018. The complainant explains that after receiving this document, he contacted EDP by phone and filed a complaint for "billing me for services at the supply point located at ***ADDRESS.2 ...without having signed any contract or having any relation with that address".

The document referred to - "Notification of non-payment" - has in the section dedicated to the data of the recipient, the name, two surnames and the address of the claimant (located in ***ADDRESS.1). In the section on "Customer details", it contains, in addition to the name and surname of the claimant, his VAT number and a fixed number that the claimant claims does not belong to him (***PHONE.1). In the section "Data of the contract" - contract that is of light and gas with the number ***CONTRACT.1- there is the address of the supply point: street ***ADDRESS.2. On the right side of the document there is: "EDP ENERGÍA, S.A.U. Plaza de la Gesta 2, 33007 Oviedo (...) CIF A-33543547".

The claimant declares that, a few days after making a complaint to EDP by phone about the invoice he had received, the claimed entity sent him a contract for gas and electricity services to be returned signed. He adds that this document - of which he provides a copy to this Agency - contains, in addition to the personal data already reflected in the "Notification of non-payment" described above, the mobile number from which he made the telephone call to EDP.

In the contractual document received, just above the "Specific Conditions of the Contract", this legend appears:
 



"The customer contracts for the business premises or home indicated in the heading, the gas supply with EDP COMERCIALIZADORA, S.A.U. and the electricity supply and/or complementary services with EDP ENERGÍA,
S.A.U. (hereinafter jointly and/or individually, as appropriate, referred to as "EDP") in accordance with the Specific Conditions set out below and the General Conditions set out in the Annex". (The underlining is from the AEPD)

The right-hand side of the document states:

"EDP ENERGÍA, S.A.U. Plaza de la Gesta 2, 33007 Oviedo (...) CIF A-33543547 EDP COMERCIALIZADORA, S.A.U. C/General Concha, 20 48010 Bilbao (...)CIF A- 95000295"

SECOND: In view of the facts set out above, the AEPD, on 15 October 2018, in the context of file number E/07378/2018, pursuant to Article 9 of Royal Decree-Law No 5/2018 on urgent measures to adapt Spanish law to European legislation on data protection - legislation in force from 31 July 2018 until its repeal by Organic Law No 3/2018 of 5 December of Data Protection and Guarantees of Digital Rights (LOPDGDD) - transferred the complaint to the DPD of the entity complained of and requested that, within one month of its receipt, it inform this Agency of the circumstances that had given rise to the facts set out in the complaint, of the decision adopted to put an end to the irregular situation caused, and also proceed to communicate its decision to the complainant, having to prove to this Agency that this communication was received by the addressee.

The letter in which the complaint was notified to the complaining entity was signed by the AEPD on 15/10/2018 and notified to EDP electronically on the same date. The date of availability at the electronic site and the date of acceptance of the communication is 15/10/2018, as evidenced by the certificate issued by the FNMT on file.

On the same date, the AEPD sent the claimant a letter acknowledging the receipt of his complaint and informing him of the transfer to the respondent. The notification was made by postal mail dated 17/10/2018 and was delivered on 27/10/2018.

EDP responded to the request for information through a letter sent to the AEPD by registered mail dated 15/11/2018, which was entered in the register of this body on 20/11/2018. The letter was signed by the "Delegate of Data Protection" "on behalf of the commercial EDP COMERCIALIZADORA, S.A., (...) and with CIF A33543547" (wrong data because this NIF does not belong to the claimed entity, but to another entity of the group)

The following statements are made in the paper that are relevant for the purposes of the investigation:

- That the personal data of the complainant were provided to EDP, by telephone, on 17/05/2018, by Ms. B.B.B. who made the change in the ownership of the gas contract and stated that she acted on behalf of the
 



affected.

- A recording of the telephone conversation is provided. The entities complained of state that "As can be seen from the 7:56 minute of the audio file named ***AUDIO.1 of the telephone recording, in accordance with the data protection regulations in force on the date of the telephone conversation, EDP correctly informed about the processing that will be carried out on the personal data of both the Representative and her representative (the now Complainant), by virtue of the processing of the change of ownership". (The underlining is from the AEPD)

- That during the processing of the change of ownership - as can be seen in the recordings provided - EDP informed Ms. B.B.B. that the ID number of the affected person was detected by the system as wrong and needed to be verified by the holder. It adds that, the following day, 18/05/2017, the person who said he was acting on behalf of the affected party contacted EDP again by telephone to complete the procedures for the change of ownership and in the course of that conversation - whose recording has also been provided to this Agency - he again stated that he was acting on behalf of the claimant.

- EDP says that it "has taken all the necessary precautions with regard to both the contract and the obligation to provide information in the field of data protection". It adds that it understands that the reason for the request made by the Inspectorate of the AEPD may be due to the fact that "...the Representative has not properly conveyed to the Complainant the information concerning both the terms of the recruitment and the data processing".

- He states that, once he had received the information request from the Data Inspection, he contacted the complainant by letter to his home address dated 15/11/2018, of which he provides us with a copy. The letter sent to the claimant states that "...the contracting of the electricity supply with EDP Comercializadora, S.A. (hereinafter EDP) was carried out by telephone by Mrs. B.B.B." (emphasis added by the AEPD) Explanation that we consider erroneous because the contract document that was sent to the claimant and that the claimant has provided to the Agency clearly states that the customer contracts the "gas supply" with EDP Comercializadora, S.A.U., and the "electricity supply" with another company of the group, EDP Energía, S.A.U.

- It states that "Ms B.B.B., ...stated that she acted with your knowledge and on your behalf, and proceeded to change the ownership of the supply corresponding to the address at ***ADDRESS.2". It adds that the contracting was carried out "following all the required precautions, and complying with the duty of information (...), it being necessary that these become part of the customer database for the correct management of the contract signed".
 



On 30/11/2018, in accordance with the provisions of Article 9.5 of Royal Decree-Law 5/2018, the agreement for the admission of this claim is signed.

In accordance with Article 11 of Royal Decree-Law 5/2018, once the claim has been admitted for processing and before the adoption of the agreement to commence, within the framework of the preliminary investigation, the Inspection Service of this Agency lifts the Diligence dated 14/02/2019 by virtue of which the general information of the entity, extracted from the Mercantile Register on the same date, is incorporated into file E/7378/2018: The subscribed and paid-up share capital amounts to 1,487,898 euros. The company began operations on 19 November 1998.

THIRD: The facts that are the object of this claim are subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/2016 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data, which came into force on 25/05/2018.


The respondent states that she obtained the personal data of the claimant and registered a gas contract in his name on 17/05/2018, through a telephone call from a person who said he represented him.


Therefore, the processing of the personal data of the affected person began before Regulation (EU) 2016/679 came into force -which occurs on 25/05/2018- and when Organic Law 15/1999 on the Protection of Personal Data, LOPD, was still in force. However, the conduct of EDP in which the infringement is specified, the processing of the claimant's data linked to a gas contract without legitimacy, has been maintained over time until today or, at least, until 15/11/2018 as this is documented.


The infringement for which EDP is responsible is part of the nature of the so-called permanent infringements, in which the consummation is projected in time beyond the initial event and extends, in violation of data protection regulations, throughout the period of time in which the data is processed. In the present case, despite the fact that on the date on which the infringing conduct began the applicable rule was the LOPD, the applicable regulation is the one in force when the infringement is consummated, because it is at that moment that it is understood to have been committed.

The Supreme Court has ruled on the rule to be applied in those cases where the infringements are prolonged in time and there has been a change in the rules while the infringement was being committed. The STS of 17/04/2002 (Rec. 466/2000) applied a provision that was not in force at the initial moment of the commission of the infringement, but was in force at subsequent moments, when the infringing conduct continued. The Judgment examined a case involving the sanction imposed on a judge for failure to comply with her duty to abstain in a preliminary investigation. The sanction alleged that Article 417.8 of the LOPJ was not in force when the events occurred. The STS considered that the infraction had been committed
 



from the date of the opening of the preliminary proceedings until the moment when the judge was suspended in the exercise of her functions, so that this rule did apply.
In the same sense, the SAN of 16/09/2008 (Rec.488/2006)

FOURTH: On March 21, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the entity complained of, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on Common Administrative Procedure for Public Administrations (hereinafter LPACAP), for the alleged infringement of Article 6.1 of the RGPD, typified in Article 83.5(a) of the RGPD.

FIFTH: On April 9, 2019, the Registry of the AEPD received the allegations of the respondent to the agreement to initiate the sanctioning procedure, in which it requested that the proceedings be closed "for having acted ...in accordance with the law" and, alternatively, that the sanction be imposed in its minimum amount.

It provides as documentary evidence a CD with a recording, of which there is no date, in which a person who identifies himself with the name, surname and NIF of the claimant, makes a call to EDP and states that his supply has been cut off, while asking what the amount due is, adding that it sounds like 140.77 euros. The entity, after asking him about the supply point, informs him that he owes 170.80 euros and that he can pay by card.

In support of its claims, the defendant put forward the following arguments in the pleading to the agreement at the beginning:

- That "she has kept all the required precautions" and that the "contracting has been at all times in good faith on the part of EDP, complying at all times with the stipulations of the current regulations on data protection". It adds that for the reasons it claims - which we detail below - "the contractual relationship with the Complainant is perfectly valid, the data collection was carried out in accordance with the law and the processing of the Complainant's data is perfectly valid".

- In the event that the AEPD does not agree to close the proceedings, it argues that the sanction set out in the agreement to initiate the sanctioning procedure infringes the principle of proportionality. It maintains that there was no culpability or unlawfulness in its actions and that "the penalty to be imposed would have to correspond to a minor offence, in its minimal amount", since, it says, "not only would the alleged aggravating factors not be applied, but almost all the mitigating factors set out in the penalty regime would be applicable".

- It states that, as it proved in proceedings E/7378/2018, 'there is a valid contractual relationship' between EDP and the complainant. It states that the legitimacy of the processing of the complainant's data and the confirmation of a valid contractual relationship between the complainant and EDP is justified by two points which the Agency itself considered to be proven in the agreement at the outset but which it also stated were irrelevant since
 



in terms of the assessment it is responsible for making. Namely, "that the complainant's details were obtained through Mrs. B.B.B. and that this lady stated on several occasions, in the course of telephone conversations, that she was acting on behalf of the complainant".

- He states that this is an example of a representative mandate regulated by the Civil Code (articles 1709-1739), which leads him to state emphatically that "...therefore no rule has been infringed by EDP in the contracting ...". He adds that the mandate can be verbal, "provided that the circumstances can be deduced from the truthfulness and concession of the mandate" and that it can be express or tacit, deduced from the acts of the client. This doctrinal statement on the mandate contract links it to facts such as the recording attached to its pleading, which for EDP constitutes a ratification of the contract and the mandate. To this end, it invokes the First Chamber of the Supreme Court of January 9, 1964, according to which the client who takes advantage of the acts of the agent tacitly ratifies the mandate; the prohibition of abuse of rights (ex Article 7.2 of the Civil Code) - every time, it states, that the "complainant" has enjoyed the supplies provided - and would also be contrary to the good faith that should govern the exercise of rights (ex Article 7.1 of the Civil Code).

- It states that "the consequences of any negligence on the part of Mrs. B.B.B., ..., cannot in any case affect the validity of the contract, ... The contractual relationship between the parties is perfected and is fully legitimate".

- She invokes Article 83 of Royal Decree 1955/2000, which regulates the activities of transmission, distribution, marketing, supply and authorisation procedures for electrical energy installations, in which, she says, the consumer who is up to date with payment is granted the power to transfer his contract to another consumer who will make use of it under identical conditions. It insists that "the change of ownership occurs under the same contractual conditions, that is to say, without the change being considered a new registration and therefore a new contract".

- In view of the statement made by the Agency in the initial agreement that no evidence had been provided that the claimant had granted his representation to the person who claimed to act on his behalf (Ms. Conejo) nor that the entity had shown the minimum diligence required to verify that his interlocutor had indeed the representation that EDP claimed to have, he counter-arguments that "there is no such obligation" and that "the CC admits the freedom of form in the figure of the mandate, which may be this verbal

SIXTH: On 18/11/2019 a trial period was opened in which it was agreed, as the only evidentiary steps, to incorporate into the PS/25/2019 the documents that make up file E/07378/2018 - whose incorporation for this purpose was already announced in the Agreement on the Initiation of the Procedure: The claim letters; the documentation generated by the AEPD; the response of the respondent to the request for information and the Diligence dated 18/11/2019, raised during the previous investigation proceedings, with the information obtained on that date through AXESOR
 



regarding the result of the activity of the claimed company during the financial year 2018-. Likewise, the allegations of the Respondent in the initiation agreement and its attached documents are considered to have been incorporated into the sanctioning file.

SEVENTH: On 27/11/2019 a proposal for a resolution is formulated in the following terms:

<FIRST: That the Director of the Spanish Data Protection Agency sanctions EDP COMERCIALIZADORA S.A., with NIF A95000295, for an infringement of article 6.1 of the RGPD, typified in article 83.5.a) of the RGPD, with a fine of 75,000.00 euros (seventy-five thousand euros). (…)
SECOND: That, in accordance with article 58.2 of the RGPD, EDP COMERCIALIZADORA, S.A.U., should be required to adopt the measures that result in
INDISPENSABLE to adapt their telematic hiring protocols to the provisions on the lawfulness of the processing of personal data established by the RGPD; in particular in hiring through a representative, in which the representative must be able to prove both the reality of the representation granted by the data holder and the identity of the person who holds the condition of representative in the hiring. Likewise, if they have not been implemented, they must adopt them in the protocol for contracting in person. Measures that, if applicable, must be adopted within one month from the date on which the sanctioning resolution is enforceable.>>

The proposal for a resolution was notified electronically to the respondent, with the date of availability being 26/11/2019 and the date of acceptance being the same day.

In accordance with Article 73 of the LPACAP, the period for making allegations is ten days from the day following notification.

EIGHTH: On 12/12/2019, the arguments of the respondent to the motion for a resolution, in which it requests that the proceedings be closed because it has acted, it says, in accordance with the law, are entered on the website of this Agency.

In defence of its claim, the defendant reiterates the allegations made up to now - to the agreement to initiate the sanctioning file and in the previous information procedure - and, in summary, puts forward the following arguments:

- It states in the first argument that "the evidence presented by this representation marks the proactive action of the representative in contracting on behalf of the represented party, the latter ratifying the existence of the point of supply and therefore the existence of the contract". It considers that EDP's processing of the complainant's personal data is legitimate since, in its view, there is a valid contractual relationship between the two.

- In her second argument, the respondent maintains that she is the victim of a situation of "legal defencelessness" resulting from the action of the AEPD, since this Agency has admitted "to have accredited the origin of the data, provided in the call at the time of the hiring made by Ms. B.B.B., being however irrelevant for the purpose of accrediting the due processing
 



of the same when - argues the defendant - it is precisely this point that justifies the legitimacy of the processing of the complainant's data, since the existence of a valid contractual relationship between the parties is confirmed".

With regard to the sound document that EDP provided to this Agency as an annex to its submissions to the opening agreement, after reproducing the assessment of that evidence made by the file inspector in the motion for a decision, it adds the following statements, despite the fact that neither the sound document provides a date and neither it nor any other document justifies what it now claims: "That this representation not only indicates that the recording includes the consent of the individual who calls to proceed with the payment of the invoices, the date of the call being August 10, 2018, but that the said payer is the son of the complainant, knowing the latter as the holder of the contract". (The underlining is from the AEPD)

The defendant says that, in her opinion, the "contracting by representation,..., has been carried out in accordance with the law, not only by requesting the required documentation and obtaining proof of the contracting carried out, but that the same is ratified at a later time".

- In his third argument, he tries to refute the total lack of diligence in his actions that was attributed to him in the motion for a resolution, and in this respect he says "... however, my client acted in compliance with the requirements of civil and commercial law, ensuring the identification of the previous and new owner, as well as the recording in a durable medium of the operation carried out" and he emphasizes - it appears in bold type - that the AEPD "not only hinders and inhibits legal transactions, but also completely annuls the figure of the representative and the mandate, and this administrative body does not consider these operations carried out by third parties as legitimate acts".

- In the fourth plea - in response to the statement in the motion for a resolution that the entity has no action protocol whatsoever for telematic contracts when the person providing the data is not the holder, but a third party claiming to act on his behalf - it says "we are not dealing with a contract; that it has a double verification process implemented for new contracts" and that the case analyzed involves "a mere modification of the holder of the contract already signed" which leads him to state that "neither the contracting procedure" is applicable "nor the double verification is a legal guarantee that it must be implemented by my client". And he concludes by saying: "...the AEPD requires the accreditation of the granting of representation through a probative element to my represented, as a minimum necessary diligence duty, a requirement that the regulations do not include. Therefore, in this case, and for the AEPD to sanction for not complying with this requirement would mean a resolution not in accordance with the law".

- In its fifth plea it states: "The various viable possibilities, both technically and operationally speaking, are being analysed to strengthen the contracting procedures when such steps are
 



processed by a third party on behalf of the holder".


The following actions have been accredited

FACTS

D. A.A.A., with NIF ***NIF.1 and address ***ADDRESS.1, declares that he has received at his address the document "Notification of Default" (which he refers to as "invoice") bearing the anagram of EDP and signed on 31/05/2018. In this document EDP requests him to pay a debt arising from a contract that he denies having signed. The contract, to which he claims to be totally unconnected, corresponds to a supply address with which he has no connection.

2.- In the document mentioned in Fact 1, "Notification of non-payment", of which the claimant provided a copy to the AEPD with his claim, he is required to pay a debt amounting to 79.81 euros derived from a gas and electricity contract.

The document provides the following "Contract data": as "Type of contract", "Gas + light formula plan"; as "Account number/contract" on ***CONTRACT.2; as "Supply address" "CL ADDRESS.2".

In the document, in addition to the claimant's name and two surnames, the document includes the claimant's address, located in a different location from the point of supply, his tax identification number and a fixed telephone number that the claimant denies being the owner,
***PHONE.1

3.-Work in the file, provided by the claimant, the copy of the "Energy and/or services contract", which EDP sent to his home. At the bottom of the document, in the section for the signature of the entity, it is stated "EDP ENERGÍA, S.A.U. and/or EDP COMERCIALIZADORA, S.A.U.".
Above the heading "Specific conditions of the contract" there is the following legend: "The customer contracts for the business premises or dwelling indicated in the
heading, the supply of gas with EDP COMERCIALIZADORA, S.A.U. and
electricity supply and/or complementary services with EDP ENERGY,
S.A.U. (hereinafter jointly and/or individually, as appropriate, referred to as "EDP") in accordance with the Specific Conditions set out below and the General Conditions set out in the Annex". (The underlining is from the AEPD)

The "Energy and/or Service Contract" provided by the Claimant, described in Exhibit 3, offers the following information:

- In the section "Customer": as "Contract holder", "D. A.A.A."; as "Address" "CL ***ADDRESS.1". And in the section "Telephone 1" the mobile number ***TELEPHONE.2. The box "Telephone 2" and "Fax" does not contain any data. Neither is there any indication of the fixed telephone number that appeared in the default notification document (see Proved Fact 2)
 



- In the section "Supply details", the "Supply address
(***ADDRESS.2" and the CUPS numbers for electricity and gas.
- In the section "Nº Cta. Contrato" "***CONTRATO.2 Fórmula Gas+Luz"
- In the section 'Duration and invoicing' 'Date of issue: 18.05.2018

5.- The claimant has stated that, after receiving at his home the "invoice" - the document "Notice of Default" - he made the corresponding claim to EDP by means of a phone call from his mobile phone. He explained that a few days later he received at his home the copy of the contract for the supply point on which the notice of non-payment and his claim were based, so that he could sign it. He stressed that, without his consent, the contractual document received incorporated his mobile phone number, the number from which he made the telephone claim to EDP.

6.- EDP, in the framework of E/7378/2018, in its response to the Agency's request for information, stated that the personal data of the complainant were provided to it on 17/05/2018, by telephone, by Ms. B.B.B. "who states that she acts as representative of the complainant (hereinafter the "Representative") during the processing of the change of ownership of the supply corresponding to the address at
***ADDRESS.2" (emphasis added by AEPD)

7.- EDP, in the framework of E/7378/2018, sent to this Agency a CD containing two documents (1 and 2) Document 1 is composed of two audio files (i)
***AUDIO.1 and (ii) ***AUDIO.2
7.1. In audio (i) of document 1, the caller requests to make a change of holder and identifies himself as "former holder". The telephone operator says: "Please tell me first, if you please, the identity card of the incumbent that is currently valid, yours". The caller says: "Okay, it's a CIF, it's a company, okay? B24292534”. The name of the company providing it is "Obras y Pavimentacions Hidraulicas". The address of the supply company to be changed is given as ***ADDRESS.2. Mrs. B.B.B. identifies herself as the "representative" of the former contract holder and claims to be responsible for the administration of the company.
At minute 2:38 the operator says: "Tell me now the name of the new owner". The dialogue is as follows:
- "A.A.A. (…)”
- "Don A.A.A. I.D."
- "***NIF.1"
- "M for Madrid, right?"
- "Wait a moment, because he has written me an M but it looks like an H. And as he has written it to me. Let's see, I'll confirm it right now... M."
- "Tell me Don Agustin's phone number..."
- "***PHONE.3"
In the minute 5:21 of the recording you can hear: "Being 16 and 51 hours of the day May 17, 2018 Mrs. B.B.B. has called and wants to hire EDP for which we proceed to make the following recording in accordance. Do you agree?
 



- Yes
-Doña B.B.B., with DNI ***NIF.2 as administrator and representing the holder A.A.A., with DNI ***NIF.1, telephone ***TELÉFONO.3, accepts EDP's offer for the address ***DIRECCIÓN.2, which consists of a gas + light formula plan ...for the light CUPS (...) with a gas CUPS (...) On your behalf and on your behalf, after passing the risk analysis of the operation, we will make the necessary arrangements to activate the access contracts, from which time the new contract will come into force and the previous one will be terminated (...) Are you in agreement with the above information AND conditions of the contracts?
- Yes
- (...) Your personal data and those of your representative will be processed for the management of these contracts by EDP Energía, S.A.U., with CIF A 33543547 and EDP Comercializadora, S.A.U., with CIF A 95000295 (...)
At minute 8:35 of the recording the caller says:
- "Yes, I want to ask you something. Regarding the validity of the change, well, I'm not really worried, because he's been renting for quite a few months now and nothing is going to happen... but, really, the next bill is going to come in his name."
7.2.	  In the audio (ii) of document 1, the telephone operator informs Mrs. B.B.B. "..., you will see, that since we have had problems with the national identity card,
could you confirm that it was exactly an M, because I've been given the wrong system. To which Mrs. B.B.B. replies: Well, no, because it is written by hand.
- Of course we can prove that it was an H. But of course, without confirming it... it is still a national identity card and we can make a serious mistake... It remains to call again.


8.- The CD provided by EDP to the Agency within the framework of E/7378/2018, contains two documents. Document 2 is, in turn, made up of two audio files: (i)
***AUDIO.1 and (ii) ***AUDIO.2
8.1.	Audio (i) document 2: The caller says:
-Hello good morning. Yesterday I called to make a change of ownership. We did I think the whole process because the recording was made and such. But in the end no, well it didn't fit because the ID of the new owner, ...well the letter. We didn't have it 100% clear and we didn't continue (...)
In the 6:15 minute you hear it:
- "The billing delivery address. Address. Where do you want it sent? To the supply?"
- "Yes"
- "Perfect. Supply point address."
8.2. Audio (ii) document 2: At 2:44 minutes of recording, it is indicated:
- "It is now 1:46 p.m. on 18 May 2018. Mrs. B.B.B. calls us ... with an ID card ... and wants to contract with EDP for which
 



we proceed to make the following compliance recording, okay?"
- "Yes"
- "Very well, Mrs. B.B.B. ... with ID ... as representative and on behalf of the holder, Mr. A.A.A. ... with ID phone ... accepts the offer of EDP for the point of supply ... ". Mrs. B.B.B. nods to the question.
In the minute 6:32 you hear:
- "The reason we have to make the recording again is that if the ID is not valid the recording is not valid"


9.- Work in the file, provided by EDP, copy of the letter dated 15/11/2018, and in compliance with the request made by the AEPD in the information request letter (E/7378/2018), addressed to the complainant. It states the following:
- That the contracting of the electricity supply with EDP Comercializadora, S.A.U., "was carried out by telephone by Mrs. B.B.B., who stated that she acted with her knowledge and on her behalf,.."
- "That said hiring was carried out in accordance with all due caution...


10.- Work in the file, provided by EDP - allegations to the agreement of initiation - the recording of a telephone conversation, of which no date is provided, held between the entity and a person who identified himself with the data of the claimant - name, two surnames and NIF-. The person making the call claims to be calling to pay an outstanding bill, as they have been cut off.

The EDP employee asks him about the outstanding amount and answers: "it sounds to me like 140.77 euros". After asking him about the supply point, he is informed that he owes 170.80 euros and that he can pay by card.
The caller is asked for a telephone number and provides the
***PHONE.3


LEGAL FOUNDATIONS 

I

By virtue of the powers that Article 58.2 of the RGPD recognises to each supervisory authority, and as established in Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

The RGPD dedicates Article 5 to the principles that should govern the processing and, among them, mentions those of "lawfulness, loyalty and transparency". The precept provides:

"1. Personal data shall be:
 



Processed in a lawful, loyal and transparent manner with the data subject;"
(The underlining is from the AEPD)

Article 6 of the RGPD - under the heading "Lawfulness of processing" - details in its paragraph 1 the cases in which the processing of third party data is considered lawful:

"1. Processing shall be lawful only if it complies with at least one of the following conditions
(a) the data subject has given his consent to the processing of his personal data for one or more specified purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or for the implementation, at the request of the data subject, of pre-contractual measures;
(c) processing is necessary for compliance with a legal obligation applicable to the controller;
(d) processing is necessary to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
The provisions of point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties. (…)”

It should be recalled that Article 5 of the GPRS, after referring in its paragraph 1 to the principles relating to the processing of personal data - including, as set out in the previous paragraphs, the principle of 'lawfulness' - adds in paragraph 2

"The controller shall be responsible for compliance with the provisions of paragraph 1 and capable of demonstrating it (<<proactive responsibility>>)" (emphasis added by the AEPD)

The infringement of Article 6(1) of the RGPD is defined in Article 83 of the RGPD which, under the heading "General conditions for the imposition of administrative fines", states

“5. Infringements of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of 20,000,000 euros or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, whichever is greater

(a) The basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9

It should also be noted that the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), for the purposes of
 



prescription, qualifies in its Article 72.1.b) as a very serious infringement "The processing of personal data without meeting any of the conditions for the lawfulness of processing set out in Article 6 of Regulation (EU) 2016/679".

III

An infringement of Article 6.1 RGPD is attributed to the defendant in the present sanctioning procedure. The defendant processed the personal data of the claimant without legitimation. She has not been able to prove that the data processing carried out had a legal basis in any of the circumstances detailed in Article 6.1 of the RGPD.

A.- It has been proved through the documentation in the administrative file - essentially described in the Proven Facts - that EDP processed the claimant's personal data (name, surname, tax identification number, address and mobile phone number) linked to a gas contract to which the affected party denies having been a party and without the claimed party having provided any type of documentation that shows that the processing of the data was covered by any of the conditions of lawfulness that article 6.1 RGPD relates.

In accordance with article 6.1 of the RGPD the processing of the personal data of third parties must be "lawful", for which it must, in principle, comply with one of the conditions described in paragraphs a) to f) of the precept.

B.- In the analysed case, EDP attributes to the claimant the condition of party in the gas contract for the supply point located in the street ***DIRECTION.2. The claimant is domiciled in another Autonomous Community.

The claimant states that the claimant is a party to a gas energy supply contract concluded with her through the person who identified herself as her representative, Mrs. B.B.B., thus implying that the legal basis of the treatment is the execution of the contract (Article 6.1.b, of the RGPD).

However, in order to cover the treatment carried out by EDP in article 6.1.b) of the RGPD, it is necessary that the condition of contracting party of the affected party is accredited. The reason for this legitimization of the processing is precisely that, insofar as the data subject gives his/her consent to the contract, he/she also consents to the processing of his/her personal data in order to execute and fulfil the contract.

Therefore, the question is to determine whether EDP has provided evidence to prove that the data subject consented to contract with that entity; what is transferred to the case at hand will consist in assessing whether evidence has been provided that Mrs. B.B.B. was indeed representing the claimant or, in other words, that as the claimant states, the claimant had agreed with Mrs. B.B.B. a representative mandate to contract the supply of gas on his behalf.

EDP claims that this is sufficient evidence to show that the complainant had given his representation to Ms B.B.B. to sign with her, in her
 



name, a gas contract the sound document she has provided to this Agency: a CD with recordings of telephone conversations between that entity and a third person (Mrs. B.B.B.) in which she "states" "repeatedly" that she is representing the claimant in order to register in his name (or change the ownership of the supply contract that was in the name of a company in whose representation Mrs. B.B.B. is acting) an energy contract for the street supply point ***DIRECTION.2

The recordings sent to the Agency by EDP (described in Exhibits 7 and 8) prove exclusively that a person, Mrs. B.B.B., has insisted on representing the claimant in order to enter into a contract with EDP on his behalf. The aforementioned recordings do not prove that the claimant represented the aforementioned lady in order to contract the supply of gas on her behalf, nor do they provide any evidence to that effect.

However, the recordings sent by EDP (four audios, two of which are part of document 1 and the remaining document 2 of those provided with the response to the information request) do prove the origin of some of the personal data of the complainant that EDP processed associated to a contract that he denies having concluded: we refer to the name, surname and ID card of the complainant. These data, as shown by the audio recordings, were provided by Mrs. B.B.B. to EDP.

However, the recordings do not explain the origin of other data of the complainant that EDP also processed in connection with a contract to which the owner of the personal data is alien: his address at ***ADDRESS.1, which does not coincide, as already highlighted, with the point of supply and the mobile number of the complainant that EDP incorporated to the copy of the contract sent to his home.

The recordings also show these points:  That the aforementioned lady
B.B.B. - which in EPD's view acted on behalf of the complainant - requested that the invoice be sent to it at the address of the supply point
-street ***ADDRESS.2- but at no time did he provide an address other than that of the point of supply and provided only the mobile number of the person he said he represented on the ***PHONE.3.

Therefore, from the above we must conclude that it was not Mrs. B.B.B. who provided EDP with the data of the claimant's address -an address that has nothing to do with the point of supply, since it is located in another Autonomous Community,
***ADDRESS.1, at the address of ADDRESS.1-, address to which EDP sent the document called "Notice of Default" described in the Proofed Facts and later a copy of the contract to be sent to you signed.

Likewise, the claimant's mobile phone number, ***TELÉFONO.2, which EDP included in the contractual document sent to his home, was not provided by Mrs. B.B.B. either. Let us recall the explanation that the complainant has offered. That he made a telephone complaint to EDP through his mobile phone number and that the result was to receive from the entity a contractual document to be returned to him signed with his mobile phone number, from which he made the complaint call. Surprisingly enough, this contractual document did not
 



Neither the landline number that appeared on the Notice of Default, the
***TELEPHONE.1 - in respect of which the complainant stated in his complaint that it did not belong to him - nor the mobile number that Mrs.
B.B.B. provided EDP in the course of the recordings with the telephone number of its allegedly represented: ***PHONE.3

And finally, it is interesting to note that this mobile phone number (***TELÉFONO.3) is the same one that will later be provided to EDP by a person who will contact the entity following a power cut at the point of supply and ask how much the amount owed is. Recorded by EDP with its pleading to the agreement of initiation (see Evidence 10) that in its opinion would serve to justify the lawfulness of the data processing on which the complaint is about.

In short: EDP has not provided this Agency with any document that proves the status of representative of the claimant that Ms. B.B.B. claimed to have when she contacted the entity by phone and changed the ownership of the contract to the name of the claimant, providing at that time the name, two surnames and VAT number of the allegedly represented. EDP has also failed to establish the legitimacy to process other data of the complainant, such as his address or mobile phone number; data that Ms. B.B.B. did not provide to EDP.

Another significant factor should be added to the foregoing. In the light of the documentation provided by EDP - four audios with the calls made between that company and Ms. B.B.B. on 17 and 18 September 2018 in order to manage the registration of the contract in the name of the complainant - it is verified that at no time did the entity require the third party (Ms. B.B.B.) who provided it with the complainant's data and said that she was representing him to provide any document proving that point.

Nor is it known that the entity, before registering the gas supply contract in the name of the complainant - and despite the fact that the legitimacy of EDP to process the personal data of the complainant was based exclusively on the fact that they had been provided by his alleged representative - had taken any action to verify the reality of that representation.

Whether by contacting directly the data subject or by some other mechanism, EDP has not demonstrated that it has taken the least care to verify that the data subject has indeed given his representation to the third party who provided it (Ms. B.B.B.). Likewise, there is no evidence that this entity has implemented an ad hoc protocol.

C-. Respect for the principle of legality which must govern the processing of third party data and which is referred to in Article 6.1. of the RGPD, implies that the person responsible must be able to demonstrate compliance with it (principle of proactive responsibility, Article 5.2 of the RGPD)

In the present case - in which the respondent claims that the lawfulness of the processing is justified by the existence of a contract to which the data subject was a party - the burden of proof for the
 



The Court of First Instance shall have the burden of proving that it exercised due diligence in the performance of that obligation.

We refer to article 5.2 of the RGPD. In similar terms, Directive 95/46, which is currently repealed, was transposed into Spanish domestic law through Organic Law 15/1999 on Data Protection (LOPD), and which was clearly set out in the Regulations implementing the LOPD, approved by Royal Decree 1720/2007. Regulations in force when EDP started the data processing that is subject to assessment in this sanctioning file and that are currently repealed.

The Contentious-Administrative Chamber of the National Court, in cases such as this one, has considered under the previous rules that when the data owner refuses to hire, the burden of proof is on the person who claims its existence, and the person responsible for the processing of data from third parties must collect and keep the necessary documentation to prove the owner's consent.

We cite, for all of them, the SAN of 31/05/2006 (Rec. 539/2004), Fundamentals of the Fourth Law: "On the other hand, it is the person responsible for the processing (for all of them, the sentence of this Chamber of 25 October 2002 Rec. 185/2001) who is responsible for ensuring that the person from whom consent is requested actually gives it, and that the person who is giving consent is actually the owner of these personal data, having to keep the proof of compliance with the obligation at the disposal of the Administration, which is responsible for ensuring compliance with the Law".

D.- EDP also invokes, in defence of its declaration that it acted in accordance with the law and respected the principle of legality when processing the claimant's data, that the change of ownership of the gas contract that Mrs. B.B.B. - as representative of the company that was the holder of the energy contract for the street supply point ***DIRECTION.2 - did not oblige her to prove that the alleged representative was representing the new customer and owner of the processed data. This is justified by the fact that Article 83 of Royal Decree 1955/2000 grants the consumer who is up to date with payment the power to transfer his contract to another consumer who will make use of it under identical conditions. It also adds that in the present case "the change of ownership occurs under the same contractual conditions, that is to say, without the change being considered a new registration and therefore a new contract".

In response to this argument, with regard to the alleged enabling rule for the processing carried out (Royal Decree 1955/2000), it is sufficient to point out that Article 6.1 of the RGPD, in its paragraph c), considers as one of the cases of lawfulness of the processing that it is necessary for the fulfilment of a legal obligation applicable to the data controller.

However, the obligation in such a case must be imposed by a rule with the formal rank of a Law. The requirement that the enabling regulation should have the formal status of a Law was also established in the previous data protection regulation. We refer to Article 10.2 of the Regulation implementing the Data Protection Act, currently repealed, but in force when EDP began processing the claimant's data.
 




The STC/292/2000 had an impact on this issue in relation to article 6.1, in fine, of the LOPD, which mentioned the Law as an exception to the principle of consent. The Constitutional Court warned that a limitation to a fundamental right or to the exercise of the powers that comprise it requires that it be carried out through a Law in the formal sense, without limitations or restrictions to the content of a right of this nature being introduced through a regulatory norm.

In any case, and without prejudice to the preceding statement, the regulatory norm invoked by EDP has as a factual presupposition that the consumer was up to date with the payment. And as the hearing of the recording provided with the allegations to the opening agreement reveals - in which a person who identifies himself with the data of the claimant contacts EDP to ask for the amount due since the electricity supply has been cut off - three invoices were due.

With regard to the second reflection of the claimant - that there was not a new registration with the claimant's data but a subrogation of the claimant in the previous contract - this is a civil/commercial issue on which this Agency should not pronounce. What is relevant for the purposes at hand is that, regardless of whether we are dealing with a subrogation or a new contract, in both cases, the claimant would have, according to the claimant, the status of a contracting party. And as such, in order to use article 6.1.b) of the RGPD as the legal basis for the processing, it is essential that the data owner has given his alleged representative the consent to act in such capacity, which in no case has been accredited by EDP.

This Agency reiterates that none of the documents provided by EDP proves what is substantial in the case under examination: that the data subject granted Ms. B.B.B. his representation to manage the change in the ownership of the electricity contract of the street supply point on his behalf
***ADDRESS.2

Nor has the respondent provided any documents or evidence to show that the entity, faced with such a situation -a telematic contract through the person who claims to be the representative of the data owner-, displayed the minimum diligence required to verify that his interlocutor actually had the representation he claimed to have.

Respect for the principle of lawfulness, before the principle of consent, which is at the heart of the fundamental right to protection of personal data, requires proof that the data subject consented to a third party on his behalf entering into a contract with EDP or, at least, that the data controller exercised the necessary diligence to prove this. If this is not done -and if this Agency, which is responsible for ensuring compliance with the regulations governing the right to protection of personal data, does not require it- the result would be to empty the principle of legality, and in particular Article 6.1 of the LOPD, of its content.

E.- It has been confirmed that EDP processed the personal data of the claimant and it has also been confirmed that this entity has not provided the AEPD with any document that proves
 



that the claimant granted his representation to the person who entered into the contract with him and claimed to be acting on his behalf - which would have made it possible to consider the treatment under Article 6.1.b, of the RGPD to be lawful - it must be assessed whether the claimed entity was at fault or whether it omitted to take the appropriate steps, in view of the circumstances of the case, which are essential for the conduct analysed to be subsumable under the type of breach of Article 83.5. of the RGPD.

This is because in our law of sanctions the principle of culpability is in force, which prevents the imposition of sanctions based on the objective responsibility of the presumed offender. The presence of the element of guilt in a broad sense, as a condition for the emergence of liability for sanctions, has been recognized by the Constitutional Court, among others, in its STC 76/1999, in which it states that administrative sanctions participate of the same nature as criminal sanctions as they are one of the manifestations of the ius puniendi of the State and that, as a requirement derived from the principles of legal certainty and criminal legality enshrined in Articles 9.3 and 25.1 of the E.C., their existence is indispensable to impose it.

Article 28 of Law 40/2015 on the Legal Regime of the Public Sector, under the heading "Responsibility", states

"Only natural and legal persons, as well as, when a law recognizes their capacity to act, groups of affected persons, unions and entities without legal personality and independent or autonomous patrimonies, which are responsible for them by way of fraud or guilt, may be sanctioned for acts constituting an administrative infraction". (The underlining is from the AEPD)

In this case, not only is the element of guilt present - which the defendant denies in its allegations to the agreement of initiation - but there is also a very serious lack of diligence on the part of the defendant, which has a direct consequence on the determination of the amount of the penalty to be imposed.

In the fulfilment of the obligations that the RGPD imposes on the data controller, the latter must display the minimum diligence required by the circumstances of the case. The SAN of 29/04/2020 is illustrative - which, although it was issued in a case of fraudulent contracting and under the previous regulations, is perfectly extrapolated to the one we are dealing with - whose Legal Basis Sixth states

"The question is not whether the appellant treated the personal data of the complainant without her consent, as if she did or did not exercise reasonable diligence in trying to identify the person with whom she signed the contract". (Emphasis added by the AEPD)

Therefore, even if there is an anti-legal conduct, when the data controller proves to have acted with the diligence that the circumstances of the case require to comply with the obligations imposed by the data protection regulations, since objective liability is forbidden in our administrative law, the AEPD proceeds to file the file.

In the case we are examining, it has been found that the EDP entity did not display the slightest diligence in order to be able to prove that the holder of the
 



personal data had given their representation to the person who claimed to act on their behalf in the recruitment. The Respondent did not verify before managing the change of ownership of the gas supply contract in the name of the Claimant whether the person claiming to act on its behalf actually held it.

The lack of diligence demonstrated by EDP is so serious that the recordings of the conversations held between the entity and the person who identified himself as the representative of the complainant show that the alleged representative did not obtain the data of the ID of the affected person through the comparison of the document. On the contrary, as Ms. B.B.B. explained in the conversation with EDP whose recording is in the file, the information had been handwritten by the person she claimed to represent. It is also striking that despite the incidents that arose during the telephone solicitation with respect to the handwriting on the ID card of the person represented - which forced Ms. B.B.B. to call EDP a second time after verifying the handwriting on the document - the Respondent still failed to articulate any consistent measure to verify that the data subject had in fact granted his representation to the person involved in the solicitation.

In the light of the recordings in the file and the allegations made by EDP in its defence, it is clearly evident that the entity has no protocol of action for telematic contracts when the person providing the data is not the data subject but a third party claiming to act on his behalf. This lack also prevents compliance with the principle of proactive responsibility.

With regard to the element of culpability in the context of the penalty proceedings, it seems appropriate to refer to the SAN of 30/05/2015 (ECR 163/2014) which has highlighted the differences between the attribution of responsibility to a natural person and a legal person and connects the 'reproachability' of a certain conduct to a 'legal person' with the fact that the latter 'may or may not have provided effective protection for the legal good protected by the rule'. The second legal basis of the above-mentioned judgment states:

< However, the way in which liability is attributed to legal persons does not correspond to the forms of intentional or reckless culpability that are attributable to human conduct. Therefore, in the case of offences committed by legal persons, even if the element of guilt must be present, it is necessarily applied in a different way to that of natural persons. According to STC 246/1999 "(...) this construction, different from the imputability of the authorship of the infraction to the legal person, arises from the very nature of legal fiction to which these subjects respond. They lack the volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject. Capacity of infringement and, therefore, direct reproachability derived from the legal good protected by the rule that is infringed and the need for such protection to be truly effective and for the risk that, consequently, must be assumed by the legal person that is subject to compliance with that rule">>.

EDP-taking into account the nature of the business activity it carries out, which implies the processing of many personal data - had the obligation to
 



taken the necessary and appropriate measures to be able to fulfil the obligations which are implicit in the principle of legality.

In short, the conduct of EDP, materialized in the processing of the personal data of the claimant - name, two surnames, NIF, mobile phone and address - linked to a gas energy contract in which he denies being a party, without having accredited this condition of the claimant and without having observed a minimum diligence in his actions, violates article 6.1.b, of the RGPD, action subsumable in the sanctioning type of article 83.5 of the RGPD.

IV

The arguments put forward by the complainant in her various writings - the content of which is summarized in the Second, Fifth and Eighth Backgrounds, and to which we refer in the Basis for this resolution - require some clarification:

In defence of her claim to have the EDP file closed, she makes a number of allegations which revolve around the same idea: the existence of a representative mandate contract between Mrs B.B.B. and the complainant for the former to enter into an energy contract with EDP on her behalf. The representative mandate is the legal basis for EDP's treatment.

In support of this claim, the respondent makes a number of assertions which are not legally binding. It states, for example, that 'there is a valid contractual relationship' between EDP and the complainant and justifies that assertion by two elements which, it states, the Agency considered to be proven in the agreement at the outset: 'that the complainant's data were obtained through Ms B.B.B. and that Ms B.B.B. stated on several occasions, in the course of telephone conversations, that she was acting on behalf of the complainant'.

In the allegations to the motion for a resolution, EDP stresses once again this issue to denounce now the legal defencelessness to which this Agency has submitted it.

Thus, it states that 'it is in a situation of legal defencelessness, since the AEPD itself admits that the origin of the data, provided in the call at the time of the recruitment made by Ms B.B.B., has been proved, but it is nevertheless irrelevant for the purpose of proving the due processing of those data, when it is precisely the point of reference that justifies the legitimacy of the processing of the Complainant's data, since the existence of a valid contractual relationship between the parties is confirmed'. Second argument of the statement of objections to the motion for a resolution. (Emphasis added by the AEPD)

Well, in relation to this "legal defenselessness" that EDP suffers, we must specify what this Agency did and did not say, but EDP wants to attribute it.

In Legal Basis II of the motion for a resolution, paragraph B (in the present resolution, Legal Basis III), it is stated that the recordings sent by EDP (Acts 7 and 8) 'are evidence, exclusively, that a
 



The complainant's representative, Mrs. B.B.B., insisted on representing the complainant to contract on his behalf with EDP". And then it is added: "The aforementioned recordings neither prove that the claimant granted his representation to the aforementioned lady to contract on his behalf the supply of gas nor do they provide any indication in this sense". It goes on to say that the "recordings sent by EDP (four audios, two of which are part of document 1 and the remaining two of the document provided with the answer to the information request) do prove the origin of some of the claimant's personal data that EDP processed associated with a contract that he denies having concluded: we refer to the name, surname and ID card details of the claimant. Data that, as shown by the hearing of the recordings, were provided by Mrs. B.B.B. to EDP". "However, the recordings do not explain the origin of other data of the complainant that EDP also processed in connection with a contract to which the holder of the personal data is alien: his address at ***ADDRESS.1, which does not coincide, as already highlighted, with the point of supply and the mobile number of the complainant that EDP incorporated in the copy of the contract sent to his home".

As it seems obvious, these paragraphs do not state anything other than that the EDP recordings show that the data of the complainant that were processed by the entity (except for his address and his mobile number) originate from or originate from the information that, in the light of the recordings sent to the AEDP, was provided to him by Ms. B.B.B. This is in contrast to other information about the complainant that EDP also processed but that was not provided by the aforementioned lady, since it is not mentioned in the recordings provided: the complainant's address and his mobile phone number.

To claim - as the complainant does - that in such paragraphs this Agency is acknowledging that it was the complainant who provided his data to Mrs. B.B.B. is totally inadmissible.

In short, when the Agency states that the recordings provided are irrelevant, it is referring to their lack of virtuality in order to prove or provide evidence that the complainant represented Mrs. B.B.B. Insofar as this representation is not accredited or evidence of its existence is not provided, it is not possible to accept, as the complainant claims, that a valid contractual relationship existed between the parties.

As evidence of the alleged validity of the contractual relationship between EDP and the Complainant, the Respondent has again invoked the recording that it provided as an attachment to the pleadings in the original agreement.

With regard to this recording - which, as I have already stressed, contains no date - EDP, surprisingly, provides new information which, however, is not accompanied by the necessary proof. In its pleading to the proposal - second allegation, third paragraph - the entity now says that the recording is from 10/08/2019 (which does not appear in the sound recording) and that "the said payer is the son of the Complainant, knowing the latter as the holder of the contract".

The recording provided by EDP with the pleading to the initiating agreement (Proof Tenth Event) - in which the caller and identifies with the
 



The personal data of the claimant asks how much the debt is, since the supply has been cut off, after which the telephone operator of the claimant interrogates him about the CUPS of the house and informs him of the amount pending of payment and the possibility of payment by card - it cannot have the probative effect that EDP wants to attribute to him.

In this regard, it is sufficient to note that the processing of the claimant's data without legitimation starts in May 2018; that the recordings indicate that the payment will be made by direct debit, which seems not to have happened given the existing situation of non-payment and that the claimant, who received at his home the notification of non-payment, was already fully aware of the amount due.

The entity also states (third argument of the allegations to the proposal, first paragraph) that it "acted...ensuring the identification of the previous and new holder, as well as the recording on a durable medium of the operation carried out".

Interesting statement that requires precision: identification is not the legal basis of the processing, but the alleged consent of the claimant to a mandate given to Mrs. B.B.B. Thus, it is true that in the recordings provided by EDP, Mrs. B.B.B., who insistently claims that she is the representative of the complainant, provided EDP, or in other words, "identified" before EDP her alleged representative and provided her name, two surnames and VAT number.

Evidently EDP through the recording provided - in which the alleged representative of the complainant identifies him - knows his name, surname and NIF. But the relevant question is another one: the accreditation that the mentioned lady acted as a representative of the claimant because it was agreed by both, which requires to prove that the claimant consented to that representation.

The various arguments put forward by EDP have the same common element. They intentionally omit any reference to what constitutes the core of the conduct contrary to the RGPD for which the entity is held responsible: the proof that the claimant granted Ms. B.B.B. his representation to intervene on his behalf in the contracting with EDP.

In relation to the above, we must bring up another interesting statement made by EDP in its defense (which the entity also highlighted in bold): that "the AEPD, not only hinders and inhibits the legal traffic, but completely cancels the figure of the representative and the mandate, this administrative body does not consider these operations carried out by third parties as legitimate acts" (The emphasis is on the AEPD)

Claim that again it starts from a false premise. This Agency - as it could not be otherwise since it is subject to the Spanish legal system - has nothing to say about the figure of the representative mandate

What is decisive is that EDP has not proven that the person who intervened in the recruitment, and said to act as a representative of the complainant, had such representation. What is relevant is the lack of evidence that the complainant - whose personal data has been processed by EDP in association with a contract that he denies having concluded -
 



had given his representation to the person involved in the recruitment and said he was acting in that capacity.

The respondent -who in her allegations to the agreement at the beginning explained in detail the provisions of the Civil Code that regulate the mandate and insisted that in our
The principle of freedom of form governs the Agency, so it cannot require that the mandate be documented - forgetting that Article 1278 of the CC provides that "Contracts shall be binding in any form whatsoever in which they are concluded, provided that they contain the essential conditions for their validity". And one of these conditions is consent. Consent of the claimant to the representative mandate that he had supposedly conferred on Mrs. B.B.B., which was an essential condition for his existence and about which EDP contributes nothing and says nothing.

With regard to the lack of diligence shown by EDP to verify that the person who provided it with the complainant's personal data was representing him and that, even after the telephone call, he did not carry out any activity to confirm the identity of the new owner, EDP has responded in its allegations to the proposal:

"However, this consideration is not correct, since neither in this case we are not dealing with a contract, nor does my client lack procedures that regulate such aspects". It then indicates:

"Firstly, my client has a double-checking process in place for new hires through a text message to the contact phone number provided and kept as evidence of the ratification of the hiring.

Secondly, this case involves a mere modification of the holder of the contract already signed ..." (The underlining is from the AEPD)

Allegations that only show confusion regarding the obligations to which the person responsible for processing the personal data of third parties is subject by specific legislation. Mere statements by those who claim to act on behalf of another cannot justify the lawfulness of the processing, nor do they constitute proof of respect for that principle in the processing of the data to which the controller is bound by the RGPD.

V

In order to specify the amount of the administrative fine to be imposed in each individual case, the provisions of Articles 83(1) and 83(2) of the RGPD must be complied with:

"Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive.

"Administrative fines shall be imposed, depending on the circumstances of
 



each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). In deciding whether to impose an administrative fine and the amount of that fine in each individual case, due account shall be taken of the circumstances of the case:
(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects concerned and the level of damage they have suffered;
(b) whether the infringement was intentional or negligent;
(c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented pursuant to Articles 25 and 32;
(e) any previous breach committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority with a view to remedying the breach and mitigating the possible adverse effects of the breach;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor notified the infringement;
(i) where the measures referred to in Article 58(2) were previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to certification schemes approved in accordance with Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains obtained or losses avoided, directly or indirectly, through the infringement.

With regard to Article 83.2 (k) of the RGPD, the LOPDGDD, Article 76, "Sanctions and corrective measures", provides:

"In accordance with the provisions of Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account
(a) The continuing nature of the infringement.
(b) The link between the activity of the offender and the processing of personal data
(c) The benefits obtained as a result of the commission of the infringement.
(d) the possibility that the conduct of the data subject may have led to the commission of the infringement
(e) the existence of a merger process by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity
(f) The effect on the rights of minors.
g) The availability, when it is not compulsory, of a data protection representative.
h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases where there are disputes between them and any interested party.

(A) In the light of the rules transcribed above and in order to specify the amount of the fine to be imposed on EDP as the party responsible for an infringement
 



in Article 83(5)(a) of the GPRS, it seems appropriate to make two clarifications:

The first is that Article 83.2 RGPD requires the supervisory authority to ensure that the penalty to be imposed in each case is "effective, proportionate and dissuasive" and, secondly, that the amount of the penalty provided for in the RGPD for the infringements referred to in Article 83.5 has as its maximum limit the greater of these two amounts: 20,000,000 euros or 4% of the total annual turnover of the previous financial year. During the financial year 2017, the turnover of EDP COMERCIALIZADORA, S.A., amounted to 268,476,000 Euros, so 4% of this amount amounts to 10,739,040 Euros.
It should also be pointed out that in its pleadings to the opening agreement, the respondent has requested that the minimum penalty provided for minor infringements be imposed on it. I argue that there is no reason to do so when the applicable rule is the RGPD which neither distinguishes between the minor, serious and very serious infringements provided for in the LOPD nor contemplates a mechanism equivalent to article 45.5 of the aforementioned Organic Law 15/1999.

Although the main claim of the Respondent has been to close the proceedings, in its allegations to the agreement at the beginning it requested in the alternative that the minimum penalty provided for minor infringements be imposed on it. It argues that it has no reason to be when - as here - the applicable rule is the RGPD which, unlike the LOPD, does not distinguish between minor, serious and very serious infringements and does not provide for a mechanism equivalent to Article 45.5 of the above-mentioned Organic Law 15/1999.

B) As to whether it is appropriate to consider any of the mitigating factors described in the EDP regulation, he argued that for the case in question "practically all the mitigating factors set out in the penalty system would be applicable".

However, we cannot agree with this statement of the defendant. Moreover, in the present case it is not even considered appropriate to assess as mitigating factors the fact that only one person was affected by EDP's action or the merely local scope of the infringement (Article 83(2)(a))

In a case such as the one we are analysing - in which the entity complained of, in the case of telematic contracts in which a third party intervenes on behalf of the data subject, lacks a protocol in accordance with the law which would allow it to prove that it is in fact representing the data subject - the infringing conduct does not constitute a specific and isolated event, the only specific event being the complaint made by the data subject. Therefore, it does not seem correct that the fact that the person affected by the conduct of the entity is a single person can be considered as an expression of lesser culpability or anti-juridicality of its conduct, nor can it be considered as mitigating the local scope of the infringement. The conduct that is contrary to the law is the result of a model of action through which EDP carries out its activity and which it continues to maintain since, in its opinion, it is in accordance with the law, even if it is obvious that the principles of legality and proactive responsibility have not been complied with.

Nor can the following be considered as mitigating circumstances in favour of EDP
 



described in Article 76.2.c) of the LOPDGDD, by reference to Article 832.k of the RGPD: "The benefits obtained as a result of the commission of the infringement".

In relation to that question, the Audiencia Nacional, Sala de lo Contencioso Administrativo, in its SAN of 17/04/2018 (Rec. 254/2017) rejected the claim of the plaintiff, sanctioned by the AEPD, that Article 45.5(e) LOPD should be admitted as an extenuating circumstance because of the absence of benefits. The third legal basis of the SAN states: 'With regard to the absence of benefits, it is only appropriate to reiterate what was argued in the contested decision, namely that Abanca's action was motivated by the search for economic benefit, so that the fact that such benefit was not finally obtained cannot serve as a basis for an attenuation of guilt or unlawfulness of its conduct'. This has also been the spirit of the SAN of 31/03/2017.

C) The following circumstances are considered to be aggravating:

- The duration of the illegitimate processing of the complainant's data by EDP The documentation in the file shows that processing began on 17/05/2018 (Exhibit 6) and continued at least until 15/11/2018, i.e. for almost five months. For this purpose, consideration is given to the letter sent by EDP to the complainant on November 15, 2018, in response to the request for information from the AEPD (Exhibit 9), which shows that it is continuing to process the data of the person concerned, since it considers that the complainant had signed a contract with it through Mrs. B.B.B. (Article 83(2)(a) of the RGPD).

- The turnover or activity figure of the entity (article 83.2.a, of the RGPD) We are in the presence of a large company in the energy sector. The total annual volume for the 2017 financial year was 268,476 million euros, (article 83.2.a of the RGPD)

- Article 83(2)(f) of the GPRS mentions "the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate possible adverse effects". This is also an aggravating circumstance. While it is true that EDP responded to the information requests of this Agency, it is also true that, despite the fact that it could not prove the lawfulness of the processing of the complainant's data, it decided to continue with the processing of his personal data associated to a gas contract, after the AEPD had made the information request to it, as shown in the letter dated 15/11/2018 addressed to the complainant, despite the fact that it did not have any document proving that the third party involved in the contracting was acting on behalf of the data subject.

- The scope of the processing (article 83.2.a, RGPD) as the personal data of the claimant that have been processed by EDP without legitimization were several: the name and two surnames, NIF, home address and mobile phone number.

- The respondent has acted with a very serious lack of diligence, (article 83.2.b, RGPD). We are not only dealing with a lack of diligence at the moment of linking the claimant's data to a gas contract by virtue of the consent
 



granted by whoever claimed to act on his behalf. As detailed in the previous Fundamentals, EDP has demonstrated that it absolutely lacks an action protocol that contemplates the need to obtain some document that would prove the representation that it claims to have in the telematic hiring in which the person who contacts the entity claims to intervene on behalf of another person.

- The obvious link between EDP's business activity and the processing of personal data of customers or third parties (article 83.2.k, of the RGPD in relation to article 76.2.b, of the LOPDGDD)

VI

In accordance with Articles 58(2) and 83(2) of the RGPD, transcribed above, the supervisory authorities may impose, in addition to the penalty of a fine, any of the corrective measures or penalties referred to in Article 58(2)(a) to (h) and (j) of the RGPD.

In the present case, given that the requested party - with regard to the processing of personal data collected in telematic contracts in which a third party intervenes and declares that it represents the data subject and is represented - has no protocol for acting in accordance with the obligations imposed on it by the RGPD, it is agreed, pursuant to Article 582. d) of the RGPD, to order EDP to incorporate to the protocol of contracting that it has implemented for the contracting through representative all the changes that allow it to be in conditions to prove before this Agency that the represented, and holder of the data, has authorized such representation and has conferred it in favor of the person that intervenes in the legal business. The period within which he must have implemented the new measures shall be one month from the date on which the resolution so agreed upon is enforceable.

In the light of the above, Article 83.6 of the RGPD must be mentioned:  "Failure to comply with the decisions of the supervisory authority pursuant to Article 58(2) shall be punishable in accordance with paragraph 2 of this Article by administrative fines of not more than EUR 20,000,000 or, in the case of a company, of not more than 4% of the total annual turnover of the preceding financial year, whichever is greater".

Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of the penalties whose existence has been accredited,


the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: To impose EDP COMERCIALIZADORA S.A., with NIF A95000295, by
an infringement of Article 6(1) of the RGPD, as set out in Article 83(5) of the RGPD, a fine of

SECOND: Under article 58.2.d) of the RGPD, ORDER EDP COMERCIALIZADORA S.A., with NIF A95000295, to ADAPT its
 



telematic contracting to the PROVISIONS of the RGPD related to the TREATMENT TERMINATION, in particular in the contracting that is carried out THROUGH REPRESENTATIVE, in which as the person responsible for the processing he must be able to accredit both the reality of the representation granted by the data holder and represented and his identity.

The period within which EDP must implement the measures that it is ordered to adopt and prove before the AEPD its compliance, will be one month from the date in which this sanctioning resolution is enforceable.

THIRD: NOTIFY this resolution to EDP COMERCIALIZADORA S.A.

FOURTH: To warn the sanctioned party that it must make effective the sanction of administrative fine imposed once this resolution is enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Regulations on Collection, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by means of its deposit, indicating the Tax Identification Number of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº ES00 0000 0000 0000 , opened in the name of the Spanish Data Protection Agency at the CAIXABANK, S. Bank.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and once it has been executed, if the date of execution is between the 1st and 15th of each month, inclusive, the deadline for making the voluntary payment shall be up to the 20th of the following month or the immediately following working month, and if it is between the 16th and last day of each month, inclusive, the deadline for payment shall be up to the 5th of the second following month or the immediately following working month.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with article
48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, file an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly an administrative appeal before the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of Article 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this
 



made in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015 of 1 October. He must also send to the Agency the documentation that accredits the effective lodging of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it will terminate the precautionary suspension.

Mar Spain Martí
Director of the Spanish Data Protection Agency