AEPD - PS/00025/2019
|AEPD - PS/00025/2019|
|Relevant Law:||Article 6(1) GDPR|
Article 58(2)(d) GDPR
|Parties:||EDP Comercializadora, S.A.U.|
|National Case Number/Name:||PS/00025/2019|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
|Initial Contributor:||Sergi Ariño Mayans|
The Spanish DPA (AEPD) imposed a fine of €75,000 on EDP Comercializadora, S.A.U. for violating Article 6(1) of the GDPR by having processed personal data without the data subject's consent.
English Summary[edit | edit source]
Facts[edit | edit source]
On 19 and 20 September 2018, the claimant reported to the Spanish DPA (AEPD) that EDP Comercializadora, S.A.U. (the defendant) has been processing his personal data (name, surname, ID number, address, telefon number) without his consent in the context of a gas supply contract which according to the claimant, never signed. The defendant sustained that they have got his personal data through a third person, who called in on his behalf and signed the contract as the claimant's representative, which would be legal according to the Spanish civil law, and therefore, they have been relying on the Article 6(1)(b) (necessary for the performance of a contract) as a lawful basis for the processing of personal data.
Dispute[edit | edit source]
Could the defendant prove, under the specific circunstances of that case, that the processing of the claimant's personal data was relying on a lawful basis according to the Article 6(1) GDPR?
Holding[edit | edit source]
The AEPD held, that the defendant has not been able to prove the consent of the claimant signing the gas supply contract, nor that the third person ("representative") was acting on his behalf (lack of due diligence). Thus, the AEPD has fined EPD Comercializadora, S.A.U. €75,000 for violating the Article 6(1) GDPR, holding that they have been processing personal data without a proper lawful basis. Furthermore, the AEPD, based on the Article 58(2)(d) GDPR, has ordered EPD Comercializadora, S.A.U. to bring their processing operations into compliance, specifically with regard to their protocols for signing a contract telematically through a representative.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure Nº: PS / 00025/2019938-051119- RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and in consideration of the following BACKGROUNDFIRST: D. AAA (hereinafter, the claimant) submits to the Spanish Agency forData Protection (AEPD) on September 19 and 20, 2018, both writtenin which it states that EDP COMERCIALIZADORA, SAU, with NIF A95000295 (inhereinafter, EDP or the complainant) has processed your personal data (name, surname,NIF, address and mobile phone number) without your consent linked to agas contract to which he is oblivious.With the letter of 09/20/2018, provide a copy of a document that has the heading" Notification of non-payment " - which the claimant calls " invoice " - issued on05/31/2018. The claimant explains that after receiving this document he contactedby telephone with EDP and filed a claim for “ billing me for services in thesupply point located at *** ADDRESS.1 … without having signed any contractnor have any relationship with said address ”.The aforementioned document - " Notification of non-payment " - leads in the section dedicated tothe recipient's data, it bears the name, two surnames and the address of the claimant(located in *** LOCALIDAD.1) . In the " Customer data " section, they include, in addition to thename and surname of the claimant, his NIF and a fixed number that the claimant affirmsthat does not belong to you ( *** TELEPHONE.1 ). In the section " Contract data " -contractwhich is for electricity and gas with the number 700005852279- contains the address of thesupply: *** ADDRESS. 1. On the right side of the document it appears: “EDPENERGÍA, SAU Plaza de la Gesta 2, 33007 Oviedo (…) CIF A-33543547 ”.The claimant declares that, a few days after formulating, by callingtelephone, claim before EDP for the invoice it had received, the entityThe complainant sent him a contract for gas and electricity services so that he could return itsigned. And he adds that in that document -of which he provides a copy to this Agency-they consist, in addition to the personal data already reflected in the " Notification of non-payment "described above, the mobile number from which you made the phone call fromclaim to EDP.In the contractual document received, just above the " Conditionsspecific to the contract ”, this legend appears:"The client contracts for the business or home premises indicated in theheading, the gas supply with EDP COMERCIALIZADORA, SAU and thesupply of electricity and / or complementary services with EDP ENERGÍA,SAU (hereinafter, jointly and / or individually, as appropriate, referred to as“EDP”) in accordance with the Specific Conditions set out below andC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 2 2/30the General Conditions that appear in annex ”. (The underlining is from the AEPD)On the right side of the document it appears:“EDP ENERGÍA, SAU Plaza de la Gesta 2, 33007 Oviedo (…) CIF A-33543547EDP COMERCIALIZADORA, SAU C / General Concha, 20 48010 Bilbao (…) CIF A-95000295 "SECOND: In view of the facts presented, the AEPD, on 10/15/2018, in thescope of file number E / 07378/2018, under article 9 of the RealDecree-Law 5/2018, of urgent measures for the adaptation of Spanish Law to theEuropean regulations on data protection - regulation in force since07/31/2018 until its repeal by Organic Law 3/2018, of December 5, ofData Protection and Guarantees of digital rights (LOPDGDD) - gave transferof the claim to the DPD of the claimed entity and requested that, within a period ofmonth from its receipt, inform this Agency of the circumstances that hadoriginated the facts exposed in the claim, of the decision adopted to putend the irregular situation caused and also proceed to communicate its decision to theclaimant, having to prove to this Agency the receipt of that communicationby the recipient.The letter in which the claimed entity of the claim was transmitted issigned by the AEPD on 10/15/2018 and EDP was notified electronically in the samedate. The date of availability in the electronic office and the date of acceptanceof the communication is 10/15/2018, as evidenced by the certificate issued by theFNMT that is in the file.In turn, the AEPD sent the claimant, on that same date, a letter in thethat he acknowledged receipt of his claim and informed him of the transfer to the defendant. Thenotification was made by postal mail dated 10/17/2018 and was delivered on10/27/2018.EDP responded to the request for information through a letter sent to theAEPD by certified mail dated 11/15/2018, which had an entry in the registry ofthis body on 11/20/2018. The letter is signed by the " Data Protection Delegate "“ On behalf of the company EDP COMERCIALIZADORA, SA, (…) and with CIFA33543547 ” (erroneous data because that NIF does not belong to the claimed entity, butbelonging to another entity in the group)In the writing, the following statements are made with relevance to theResearch effects:-That the personal data of the complainant was provided to EDP,by telephone, on 05/17/2018, by Ms. BBB who made thechange in the ownership of the gas contract and stated that it would act inrepresentation of the affected party.-A recording of the telephone conversation is provided.The claimed entities state that “ As can be verified fromof minute 7:56 of the audio file named 803818026680675 of theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 3 3/30telephone recording, in accordance with the regulations ondata protection in force on the date of the telephone conversation, EDPcorrectly informed about the treatment to be carried out of thepersonal data of both the Representative and her client (thenow Complainant), by virtue of the processing of the change of ownership ”.(The underlining is from the AEPD)-That during the processing of the change of ownership -how cancheck in the recordings provided- EDP informed Ms. BBB ofthat the ID number of the affected person was detected by the system aserroneous and its verification by the owner was necessary. Add that, to the daynext, 05/18/2017, the person who claimed to act on behalf of the affectedcontacted EDP by phone again to complete theprocedures for the change of ownership and in the course of that conversation -whoserecording has also been provided to this Agency - he stated again thatacted on behalf of the claimant.-EDP says that “it has kept all the precautions required both in terms ofregarding the contracting as well as regarding the obligation of informationestablished on data protection ”. He adds that he understands thatreason for the request made by the AEPD Inspection mayThis is because “… the Representative has not adequately transferred theComplainant the information regarding both the terms of the contractas data processing ”.-It states that, once the information request of theData Inspection, contacted the claimant by letteraddressed to your address dated 11/15/2018 of which you provide us with a copy. In theThe letter sent to the claimant states that “… the hiring of theelectricity supply with EDP Comercializadora, SA (hereinafter EDP) iscarried out by telephone by Doña BBB … ” (the underlining is from theAEPD) Explanation that we consider erroneous inasmuch as the documentcontract that you sent to the claimant and that the latter has provided to the Agencyclearly states that the customer contracts the “gas supply ” with EDPComercializadora, SAU, and the electricity company with another group company,EDP Energía, SAU-It indicates that “ Doña BBB , .. declared to act with her knowledge andon their behalf, proceeding to the change of ownership of the supplycorresponding to the address located at *** ADDRESS.1 ”. He adds that thehiring was carried out “following all the precautions required, andfulfilling the duty of information (…), being necessary that thethem spend part of the customer database forcorrect management of the signed contract ”.On 11/30/2018, in accordance with the provisions of article 9.5 of the RealDecree-Law 5/2018, the acceptance agreement for processing of this is signedclaim.Under the protection of article 11 of Royal Decree-Law 5/2018, once admitted toC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/30processing the claim and before the adoption of the initiation agreement, within the framework of theprior investigation, by the Inspection service of this Agency,Diligence dated 02/14/2019 by virtue of which it is incorporated into the fileE / 7378/2018 the general information of the entity, extracted from the Mercantile Registry inthat same date: The subscribed and paid-up share capital amounts to 1,487,898euros. The company began operations on 11/19/1998.THIRD: The facts that are the object of this claim are subject to theprovisions of Regulation (EU) 2016/679, of the European Parliament and of the Council,of 04/27/2016, regarding the Protection of Individuals with regard to theTreatment of Personal Data and the Free Circulation of this Data, which entered intoeffective 05/25/2018.The respondent states that she obtained the claimant's personal data and gaveregister a gas contract in your name on 05/17/2018, through a calltelephone number of a person who claimed to be representing him.Thus, the processing of the personal data of the affected party began beforethat Regulation (EU) 2016/679 enters into force -which happens on 05/25/2018- andwhen Organic Law 15/1999 on Data Protection ofPersonal Character, LOPD. However, EDP's conduct in which theinfringement, the treatment of the claimant's data linked to a gas contractwithout legitimacy for it, it has been maintained in time until the present or, atless, until 11/15/2018 as it is documented as such.The infringement for which EDP is held responsible is of its own natureof the so-called permanent offenses, in which the consummation is projectedin time beyond the initial event and extends, violating the regulations ofdata protection, during the entire period of time in which the data is subject totreatment. In the present case, despite the fact that on the date on which theoffending conduct the applicable rule was the LOPD, the rule that results fromapplication is the one in force when the offense is consummated, because it is in thatinstant when it is understood committed.The Supreme Court has ruled on the rule to be applied inthose cases in which the infractions are prolonged in time and there have beena regulatory change while the offense was being committed. The STS of 04/17/2002 (Rec.466/2000) applied a provision that was not in force at the time of initialcommission of the offense, but in subsequent offenses, in which the conduct continuedoffending. The Judgment examined an assumption that related to the sanction imposedto a Judge for breach of her duty of abstention in some ProceedingsPrevious. The sanctioned alleged the non-validity of article 417.8 of the LOPJ whenthe events occurred. The STS considered that the offense had been committedfrom the date of initiation of the Preliminary Proceedings until the moment when theJudge was suspended in the exercise of her duties so that rule wasapplication.In the same sense, the SAN of 09/16/2008 (Rec. 488/2006) is pronouncedC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 5 5/30FOURTH: On 03/21/2019 the Director of the Spanish Agency for the Protection ofData agreed to initiate a sanctioning procedure against the claimed entity, in accordance withthe provisions of articles 63 and 64 of Law 39/2015, of October 1, onCommon Administrative Procedure of Public Administrations (hereinafter,LPACAP), for the alleged violation of article 6.1 of the RGPD, typified in article83.5.a) of the RGPD.FIFTH: On 04/09/2019 the allegations are received in the Registry of the AEPDof the claimed to the agreement to initiate the sanctioning file in which it requeststhat the proceedings be filed " for having acted ... in accordance withLaw ”and, alternatively, that the sanction be imposed in its minimum amount.Provide as documentary evidence a CD with a recording, of which there is nodate, in which a person who identifies himself with the name, surname and NIF of theclaimant, makes a call to EDP and states that the supply has been cut off, bytime that asks what is the amount owed adding that it sounds to him that they are140.77 euros. The entity, after asking you for the supply point, informs youthat he owes 170.80 euros and that he can pay by card.The defendant, in support of her claims, used in the brief ofallegations to the starting agreement the following arguments:- That "it has kept all the required precautions " and that the " hiring has beenat all times in good faith on the part of EDP, complying at all timeswith the provisions of current regulations on data protection ”.It adds that for the reasons it alleges - which we will detail later - " thecontractual relationship with the Complainant is perfectly valid, the collection ofdata was carried out in accordance with the law and the treatment of the data of thewhistleblower is perfectly valid ”.- In the event that the AEPD does not agree to file the proceedings, it allegesthat the sanction established in the agreement to initiate the sanctioning fileviolates the principle of proportionality. He maintains that there was no guilt orunlawfulness in their actions and that “ the sanction to impose would have tocorrespond to a minor offense, in its minimum amount ", because, it says," noonly the alleged aggravating factors would not apply, but would applypractically all of the mitigating measures included in the sanctioning regime ”.- It states that, as proven in procedure E / 7378/2018, “ there is avalid contractual relationship ” between EDP and the claimant. It states that thelegitimation of the treatment of the claimant's data and the confirmation ofa valid contractual relationship between the claimant and EDP is justified by twoextremes that the Agency itself has considered proven in the agreement ofbeginning although, regarding them, he also affirmed that they were irrelevant from thepoint of view of the assessment that it is responsible for making. Namely, “ that the datathe claimant obtained them through Mrs. BBB and that this ladystated on several occasions, in the course of telephone conversations, thatacted on behalf of the claimant ”.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 6 6/30- Declares that we are facing an example of a representative mandate regulated inthe Civil Code (articles 1709-1739) which leads him to affirm with emphasis that“… For this reason no rule has been violated by EDP in thehiring… ”. It adds that the mandate can be verbal, “provided that of thecircumstances, the veracity and concession of the same can be deduced ” and thatIt can be express or tacit, deduced from the principal's own actions. Thisdoctrinal exposition on the mandate contract puts it in connection withfacts such as the recording attached to your brief of allegations; whatfor EDP it constitutes a ratification of the contract and the mandate. To sucheffect invokes the STS, First Chamber, of 01/09/1964, according to which the principaltaking advantage of the president's actions tacitly ratifies the mandate;the prohibition of abuse of rights (ex article 7.2 CC) - all the while, it states,the " Complainant" would have enjoyed the supplies provided - and would bealso contrary to good faith that should preside over the exercise of rights(ex article 7.1 CC)- It affects that “ the consequences of a possible negligent action bypart of Mrs BBB ,…, cannot in any case affect the validitycontractual, .. The contractual relationship between the parties is perfected and isfully legitimate ”.- It invokes article 83 of Royal Decree 1955/2000, which regulates theactivities of transport, distribution, marketing, supply andauthorization procedures for electrical power installations, in which,says, the consumer who is up to date with the payment is granted the power totransfer your contract to another consumer who will use it inidentical conditions. He insists that " the change of ownership occurs underthe same contractual conditions, that is, without the change being able to beconsidered a new discharge and therefore a new hiring ”.- Given the exposure made by the Agency in the initiation agreement regarding thatno evidence had been provided that the claimant had granted hisrepresentation to the person who claimed to act on their behalf (Mrs. BBB)nor that the entity deployed the minimum diligence required to verify thatindeed, his interlocutor had the representation that he claimed to holdEDP counters that " there is no such obligation " and that " the CC admits thefreedom of form in the figure of the mandate, being this verbal ... "SIXTH: On 11/18/2019 a trial practice period opens in whichagree, as the only evidentiary proceedings, the incorporation into PS / 25/2019 of thedocuments that make up file E / 07378/2018 -whose incorporation for this purpose alreadyit was announced in the Agreement to initiate the procedure-: The claim writings; thedocumentation generated by the AEPD; the respondent's response to the request forinformation and the Diligence dated 11/18/2019, raised during the proceedings ofprior investigation, with the information obtained on that date through AXESORrelated to the result of the activity of the claimed during the year 2018-.Likewise, the allegations of theclaimed to the initiation agreement and its accompanying documents.SEVENTH: On 11/27/2019 a resolution proposal is formulated in the followingC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 7 7/30terms:<< FIRST: That the Director of the Spanish Agency for Data Protectionsanction EDP COMERCIALIZADORA SA, with NIF A95000295, for an infractionof article 6.1 of the RGPD, typified in article 83.5.a) of the RGPD, with a fineof 75,000.00 euros (seventy-five thousand euros). (…)SECOND: That, in accordance with article 58.2 of the RGPD, it is imposed on EDPCOMERCIALIZADORA, SAU, the ADOPTION OF THE MEASURES resultingINDISPENSABLE to adapt your telematic contracting protocols to theprovisions that on the legality of the processing of personal data establishes theGDPR; in particular in contracting through a representative in which you mustbe in a position to prove both the reality of the representation granted by theowner of the data such as the identity of the person holding the conditionof represented. Also, if they are not implemented, you must adopt themin the face-to-face contracting protocol. Measures that, where appropriate, mustbe adopted within one month from the date on which the resolutionsanctioning is executive. >>The proposed resolution was notified electronically to the complainant, being thedate of availability on 11/26/2019 and the date of acceptance that same day.Pursuant to article 73 of the LPACAP, the deadline to formulate allegations isten days computed from the following to the notification.EIGHTH: On 12/12/2019 the electronic headquarters of this Agency have theallegations of the claimed to the proposed resolution in which it requests thatproceed to file the procedure for having acted, it says, according to law.In defense of her claim, the respondent reiterates the allegations so farformulated -to the agreement to initiate the sanctioning file and in the information processprevious- and, in short, it adduces the following arguments:- It states in the first allegation that “the evidence presented by thisrepresentation mark the proactive performance of the representative in hiring inname of your client, confirming the existence of thesupply and therefore the existence of the contract ”. Consider thattreatment that EDP has made of the complainant's personal data islegitimate because in his opinion there is a valid contractual relationship between the two.- In her second argument, the respondent maintains that she is the victim of asituation of " legal defenselessness " as a result of the actions of the AEPD every timethat this Agency has admitted “accredited the origin of the data, provided inthe call at the time of hire made by Mrs BBB ,However, it is irrelevant in order to prove proper treatmentof them when - argues the claimed - it is precisely that point thatthat justifies the legitimacy of the treatment of the complainant's data,since the existence of a valid contractual relationship between the partiesis confirmed "C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 8 8/30Regarding the sound document that EDP provided to this Agency annexed to itsallegations to the initiation agreement, after reproducing the assessmentthat test was made by the instructor of the file in the resolution proposal,adds the following statements, despite the fact that neither in the sound documentHe provides a date and neither in him nor in any other is what he now alleges justified:“ That this representation not only indicates that the recording captures theconsent of the natural person who calls to proceed with the payment of theinvoices, the date of the call being collected on August 10, 2018, butthat said payer is the Complainant's son, knowing the latteras the holder of the contract ”. (The underlining is from the AEPD)The defendant says that, in her opinion, “hiring by representation, .., hascarried out in accordance with Law, not only requesting the required documentationand obtained the proof of the hiring carried out, but it isratified at a later time ”.- In its third allegation it tries to refute the total lack of diligence in itsaction attributed to him by the motion for a resolution and in this regard it says: “…However, my client acted in compliance with the requirements of thecivil and commercial regulations, ensuring the identification of the old and newholder, as well as to record the operation carried out on a durable medium ” andhighlights - it is written in bold - that the AEPD “ not only hinders and inhibitslegal traffic, but completely nullifies the figure of the representative and themandate, this administrative body does not consider these operationsperformed by third parties as legitimate acts "- In the fourth claim - in response to the statement made by the proposalresolution that the entity completely lacks a protocol ofaction for telematic contracting when the person who facilitatesThe data is not the owner, but a third party who claims to act on their behalf - says:“ We are not facing a contract; which has a double processverification implemented for new hires ” and that the assumptionanalyzed supposes " a mere modification of the owner of the contract already signedpreviously ”which leads him to affirm that it is not applicable “ nor thecontracting procedure ”“ nor double verification is a guaranteelegal obligation to be implemented by my client ” . And he concludes by saying: “… theAEPD requires the accreditation of the granting of representation throughan element of evidence to my client, as a minimum duty of diligencenecessary, a requirement that the regulations do not include. Therefore, in this case and thatthe AEPD sanction for not complying with said requirement would suppose a resolutionnot in accordance with Law ”.- In its fifth claim, it states: “ The differentfeasible possibilities, both technically and operationally speaking, forreinforce recruitment procedures when such steps areprocessed by a third party on behalf of the owner ”.Of the actions carried out, the following have been accreditedC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 9 9/30ACTS1.- D. AAA , with NIF *** NIF.1 and domicile at *** LOCALIDAD.1 ( *** CCAA.1 )*** ADDRESS.2 , declares to have received the document “ Notification ofnon-payment ” (which he refers to as“ invoice ”) that bears the EDP logo and issigned on 05/31/2018. In the aforementioned document, EDP requires you to pay a debtderived from a contract that he denies having signed. Contract to which he claims to betotally foreign and that corresponds to a supply address with which you do not haveno relationship.2.- In the document mentioned in Fact 1, “ Notification of non-payment ”, of which theclaimant provided a copy to the AEPD with their claim, they require the payment ofa debt of 79.81 euros derived from a gas and electricity contract.The document provides the following " Contract data ": As " Type ofcontract ”,“ Gas + electricity formula plan ”; as " No. Cta./Contrato " 70000852279 ; as" Supply Address " " *** ADDRESS.1".In the document they appear as " Customer data ", in addition to the name and twosurname of the claimant, his address, located in a town other than the point ofsupply; your NIF and a fixed telephone number of which the claimant denies ownership,***TELEPHONE 1.3.-Work in the file, provided by the claimant, the copy of the " Contract ofenergy and / or services ”, which EDP sent to your home. At the bottom of the document, in thesection for the signature of the entity, states “ EDP ENERGÍA, SAU and / or EDPCOMERCIALIZADORA, SAU "Above the heading " Specific conditions of the contract" appears this legend:" The client contracts for the business or home premises indicated in theheading, the gas supply with EDP COMERCIALIZADORA, SAU and thesupply of electricity and / or complementary services with EDP ENERGÍA,SAU (hereinafter, jointly and / or individually, as appropriate, referred to as“EDP”) in accordance with the Specific Conditions set out below andthe General Conditions that appear in annex ”. (The underlining is from the AEPD)4.- The " Energy and / or services contract " provided by the claimant, described in theProven Fact 3, it offers the following information:- In the " Client " section: as " Contract Holder ", "D. AAA "; as" Address " " *** DIRECCION.2 *** *** LOCALIDAD.1 CCAA.1 " . In section“ NIF ” the *** NIF.1. And in the section " Telephone 1" the mobile number*** PHONE . 2. The " Telephone 2" and "Fax" boxesdo not contain any data.Nor does the landline number that appeared in the notification documentnon-payment (see Proven fact 2)- In the section " Supply data ", the " Supply address( *** ADDRESS.1 ”and the CUPS numbers for electricity and gas.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 10 10/30- In the section “ Nº Cta. Contract ”“ 70000852279 Gas + Light Formula ”- In the "Duration and billing " section " Issue date: 05.18.2018 "5.- The claimant has declared that, after receiving the “ invoice ” -thedocument " Notification of non-payment" - made the corresponding claim before EDPby phone call from your mobile phone. He explained that a few days laterreceived at home the copy of the contract for the point of supply on whichHe made the notification of non-payment and his claim, in order for him to sign it. Underlines that,without your consent, the contractual document received incorporates your numbermobile phone, number from which you made the telephone claim to EDP.6.- EDP, within the framework of E / 7378/2018, in its response to the information request of theAgency, stated that the claimant's personal data was provided to him on the date05/17/2018, by telephone, by Mrs. BBB “ who declares to act in a condition ofRepresentative of the Complainant (hereinafter the “Representative”) during the processingof the change of ownership of the supply corresponding to the address located in*** ADDRESS.1 ” (the underlining is from the AEPD)7.- EDP, within the framework of E / 7378/2018, sent this Agency a CD containing twodocuments (1 and 2) Document 1 consists of two audio files (i)803818026680675 and (ii) 803818026680926.7.1. In the audio (i) of document 1, the person making the call requests to makea change of owner and is identified as " old owner". The operator says: “Say-First, if you are so kind, the ID of the current holder right now, yours ”. They are calling her-He tells you: “ Okay, it's a CIF, it's a company, okay? B24292534 ". The name of the companyThe one that facilitates is “ Hydraulic works and paving ”. As supply addressthat you want to change the owner, the *** ADDRESS is provided . 1. Mrs BBB isidentifies as a " representative" of the former contract holder and claims to be responsibleManagement of the company.At minute 2:38 the telemarketer says: " Now tell me the name of the new owner . " Thedialogue is as follows:- " AAA (...)"- "ID of Mr. AAA ?"- "*** NIF.1 "- "*** LETTER.1 of *** LOCALIDAD.2, right?"- "Wait a minute, because he wrote me a *** LETTER.1 but it looks like a *** LE-TRA.2. And as he wrote it to me. Let's see, I confirm it right now ... *** LE-TRA.1. "- "Tell me the phone number of Don AAA ..."- " *** TELEPHONE.2"At minute 5:21 of the recording it is heard: "Being 16 and 51 hours on the 17th ofMay 2018, Mrs. BBB has called and wants to contract with EDP for which she proceedsLet's make the following recording accordingly. Do you agree?- yesC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 11 11/30-Doña BBB , with DNI *** NIF.2 as administrator and on behalf of the ownerAAA , with DNI *** NIF.1 , telephone *** TELEPHONE.2, accepts EDP's offer for theaddress *** ADDRESS.1 , which consists of a gas + electricity formula plan ... for the CUPSof light (…) with a CUPS of gas (…) In his name and his representing, after supe-carry out the risk analysis of the operation, we will take the necessary steps to activatevar the access contracts, at which point the new agreement will come into force.deal being resolved the previous one (…) Are you satisfied with the previous information ANDconditions of the contracts?- yes- (…) Your personal data and those of your client will be processed for the management ofthese contracts by EDP Energía, SAU, with CIF A 33543547 and EDP Comercializado-ra, SAU, with CIF A 95000295 (…)At minute 8:35 of the recording the caller says:- “Yes, I want to ask you something. Regarding the validity of the change, well,I don't really care, because he's been renting for quite a few months now and he's not going tonothing will happen ... but, really, the next invoice is going to arrive in his name already. "7.2. In the audio (ii) of document 1, the teleoperator communicates to Mrs. BBB “…,You see, since we have had problems with the national identity document,Could you confirm that it was exactly an M? Because the system gave me the wrongtopic. To which Mrs. BBB responds : no, because it is written by hand.- Of course we can prove that it is an H. But of course, unconfirmed ... it does not stopbe a national identity card and we can make a serious mistake ... It isto call again.8.- The CD provided by EDP to the Agency within the framework of E / 7378/2018, contains twodocuments. Document 2 is, in turn, made up of two audio files: (i)803818026691798 and (ii) 803818026691972.8.1. Audio (i) document 2: Caller says:- Hello, good morning. Yesterday I called to make a change of ownership. We did i believethat the whole process because the recording was done and such. But in the end no, well not qua-draba because the DNI of the new holder, ... well the letter. We were not 100% clear andwe do not continue (...)At minute 6:15 you hear:- “The billing shipping address. Home. Where do you want to be sentwe? To the supply? "-"Yes"-"Perfect. Supply point address ”.8.2. Audio (ii) document 2: At minute 2:44 of the recording, it indicates:- “It is at this time 1 and 46 minutes in the afternoon of May 18, 2018.Mrs. BBB calls us … with ID… and wants to contract with EDP for which sheWe agree to make the next recording of compliance, okay? "C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 12 12/30- "Yes"- "Very good, Mrs. BBB ... with ID ... as representative and on behalf ofof the owner, Mr. AAA ... with IDtelephone …. accepts EDP's offer tothe point of supply… “. Doña BBB agrees to the question.At minute 6:32 you hear:- “The reason why we have to make the recording again is that if the DNI does notis valid the recording is not valid "9.- Work on file, provided by EDP, copy of the letter that dated11/15/2018, and in compliance with the request made by the AEPD in the brief ofinformative request (E / 7378/2018), addressed to the claimant. In it he states the following:- That the contracting of the electricity supply with EDP Comercializadora,SAU, “ was carried out by telephone by Mrs. BBB , who statedact with their knowledge and on their behalf, .. "- “ That said hiring was carried out following all the precautionsenforceable… ”.10.- Work on file, provided by EDP - allegations to the initiation agreement - therecording of a telephone conversation, of which no date is given, heldbetween the entity and a person who identified himself with the claimant's data -name,two surnames and NIF-. The person making the call says to call to pay apending invoice, since they have cut off the supply.The EDP employee asks him for the outstanding amount and he replies: “ Iit sounds like it's 140.77 euros ”. After asking about the supply point,They inform that you owe 170.80 euros and that you can pay by card.The caller is interrogated for a phone number and facilitates the*** PHONE. 2.FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority, and as established in arts. 47 and 48.1 of the LOPDGDD, theDirector of the Spanish Data Protection Agency is competent to resolvethis procedure.IIThe RGPD dedicates article 5 to the principles that should govern the treatment and,among them, he mentions those of "legality, loyalty and transparency ." The precept provides:"1. The personal data will be:Treaties in a lawful, loyal and transparent manner with the interested party; "C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 13 13/30(The underlining is from the AEPD)Article 6 of the RGPD - under the heading " Legality of treatment " - details in itssection 1 the cases in which the processing of third party data isconsidered lawful:"1. The treatment will only be lawful if it meets at least one of the followingterms:a) the interested party gave their consent for the processing of their personal datafor one or more specific purposes;b) the treatment is necessary for the execution of a contract in which the interested partyis part of or for the application at his request of pre-contractual measures;c) the treatment is necessary for the fulfillment of a legal obligation applicable to theresponsible for the treatment;d) the treatment is necessary to protect vital interests of the interested party or anotherPhysical person;e) the treatment is necessary for the fulfillment of a mission carried out in the interestpublic or in the exercise of public powers conferred on the data controller;f) the treatment is necessary to satisfy the legitimate interests pursuedby the person responsible for the treatment or by a third party, provided that on saidinterests do not override the interests or fundamental rights and freedoms of theinterested party who require the protection of personal data, in particular when theinterested is a child.The provisions of letter f) of the first paragraph shall not apply to the treatmentcarried out by public authorities in the exercise of their functions. (…) "It should be remembered that article 5 of the RGPD, after referring in its section1 to the principles relating to the processing of personal data -among them, as statedexposes in previous paragraphs, to that of " legality " -, adds in section 2:"The person responsible for the treatment will be responsible for compliance withprovided in section 1 and capable of demonstrating it (<< proactive responsibility >>) "(The underlining is from the AEPD)The infringement of article 6.1 of the RGPD is classified in article 83of the RGPD that, under the heading " General conditions for the imposition of finesadministrative ” , he says:"5. Violations of the following provisions will be sanctioned, in accordancewith section 2, with administrative fines of maximum 20,000,000 Eur or,in the case of a company, an amount equivalent to a maximum of 4% of thetotal annual global business volume of the previous financial year, opting forthe highest amount:a) The basic principles for the treatment, including the conditions for theconsent in accordance with articles 5,6,7 and 9. "It should also be noted that Organic Law 3/2018, on Data ProtectionPersonal Rights and Guarantee of Digital Rights (LOPDGDD), for the purposes ofprescription, qualifies in its article 72.1.b) as a very serious offense “ TreatmentC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 14 14/30of personal data without any of the conditions of legality of thetreatment established in article 6 of Regulation (EU) 2016/679 "IIIThe defendant in the present sanctioning procedure is attributed ainfringement of article 6.1 RGPD. The respondent processed the personal data of theclaimant without standing. It has not been able to prove that the data processingcarried out had its legal basis in any of the circumstances detailed in theArticle 6.1 of the RGPD.A.- It has been accredited through the documentation in the fileadministratively -described essentially in the Proven Facts- that EDP dealt with thepersonal data of the claimant (name, surname, NIF, address and number ofmobile phone) linked to a gas contract of which the affected person denies having beenpart and without the complainant having provided documentation of any kind of whichevidence that the data processing was covered by one of theconditions of legality that article 6.1 RGPD relates.In accordance with article 6.1 of the RGPD, the processing of personal data ofThird parties must be "lawful", for which it must, in principle, comply with any of theconditions described in sections a) to f) of the precept.B.- In the case analyzed, EDP attributes to the claimant the status of party to thegas contract for the supply point located at *** ADDRESS.1. TheClaimant denies having signed the aforementioned contract and denies knowing that point ofsupply. The claimant is domiciled in another Autonomous Community.The defendant affirms that the claimant is a party to a supply contractenergetic gas held with her through who identified himself as herrepresentative, Mrs BBB , thus implying that the legal basis of thetreatment is the execution of the contract (article 6.1.b, of the RGPD).However, to protect the treatment carried out by EDP in article6.1.b) of the RGPD it is necessary that the condition of contracting party of the affectedis credited. The reason for this cause of legitimation of the treatment isprecisely that, to the extent that the owner of the data gives consentto the contract, you also consent to the processing of your personal datanecessary for its execution and compliance.Thus, the question is to determine whether EDP has provided evidence that showsthat the affected party consented to contract with that entity; what transferred to the assumption thatOur concern will consist of assessing whether evidence has been provided that Mrs. BBBeffectively represented the claimant or, in other words, thatas claimed by the complainant, the complainant had agreed with Mrs. BBB arepresentative mandate to contract the gas supply on its behalf.EDP argues that this is sufficient evidence to show that the claimant hadgranted its representation to Mrs. BBB to sign with her, in hername, a gas contract, the sound document that you have provided to this Agency: aC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 15 15/30CD with recordings of telephone conversations held between thatentity and a third person (Mrs. BBB ) in which she " manifests""Repeatedly" that he represents the claimant to register hisname (or change the ownership of the supply contract that appeared in the name ofa company on whose behalf Mrs. BBB acts ) an energy contractfor the supply point of the *** ADDRESS . 1.The recordings sent to the Agency by EDP (described in the Factstests 7 and 8) exclusively prove that a person, the ladyBBB , insistently stated that it represents the claimant forcontract on your behalf with EDP. The aforementioned recordings do not prove that theclaimant will grant his representation to the aforementioned lady to contract on his behalfthe gas supply or provide any indication in this regard.Now, the recordings sent by EDP (four audios, of which two ofThey make up document 1 and the remaining document 2 of those provided with theresponse to the information request) do prove the origin of some of thepersonal data of the claimant that EDP processed associated with a contract that he denieshaving celebrated: we refer to the name, surname and ID of the claimant.Data that, as evidenced by listening to the recordings, wereprovided by Mrs BBB to EDP.However, the recordings do not explain the origin of other data from theclaimant that EDP also dealt with linked to a contract to which the owner of thepersonal data is foreign: your address at *** LOCALIDAD.1, *** CCAA.1 , which does notcoincides, as already highlighted, with the supply point and the numberclaimant's mobile phone number that EDP included in the copy of the contract that it sent to itshome.The recordings also show these extremes: That the aforementioned ladyBBB -which in EPD's opinion acted on behalf of the claimant- requested that thebilling was sent to your client at the address of the supply point- *** ADDRESS. 1- but at no time did he provide another address than thecorresponding to the point of supply and provided only as a mobile number ofthe person whom he said to represent the *** PHONE . 2.Therefore, from the above we must conclude that it was not Mrs. BBB whoprovided EDP with the data of the claimant's address - address that has nothing to do withwith the supply point, as it is located in another Autonomous Community,*** CCAA.1 , in the town of *** LOCALIDAD.1 , *** ADDRESS.2-, address to whichEDP sent the document called " Notification of non-payment " described in the FactsTested and later a copy of the contract to be sent signed.Also, the claimant's mobile number, *** TELEPHONE. 2 , which EDPincorporated into the contractual document that he sent to his address, it was not provided eitherby Mrs BBB . Let us remember the explanation that the claimant has offered. Whatmade a telephone claim with EDP through his mobile number and that theThe result was to receive a contractual document from the entity so that it could be returnedsigned in which his mobile number appeared, from which he made the call fromclaim. Well, in that contractual document, surprisingly, noC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 16 16/30Not even the landline number that appeared in the Notification of Default, the*** TELEPHONE. 1 -with respect to which the claimant stated in his brief ofclaim that it did not belong to him- nor the mobile number that the ladyBBB provided EDP in the course of the recordings as the phone number of itscourse represented: *** PHONE . 2.And finally, it is striking that this mobile number is curiously( *** TELEPHONE. 2 ) the same one that later will provide EDP with a person whowill contact the entity as a result of a cut in the supply point and askhow much is the amount owed. Recording that EDP has contributed with its writingof allegations to the commencement agreement (see Proven fact 10) that in his opinion would serveto justify the legality of the data processing on which the claim concernsoccupies us.In short: EDP has not provided this Agency with any document that makesproof of the claimant's representative status that Mrs. BBB affirmedshow when he contacted the entity by telephone and changed the ownership of thecontract in the name of the claimant, providing in that act the name, two surnames andNIF of your represented party. EDP has not proven the legitimacy eitherto process other data of the claimant, such as their address or mobile phone; data thatMrs. BBB did not provide EDP.It is necessary to add another circumstance of great significance to the above. In the light ofdocumentation provided by EDP -four audios with the calls made between thatcompany and Mrs. BBB on September 17 and 18, 2018 in order tomanage the registration of the contract on behalf of the claimant- it is verified that in noAt the time, the entity demanded that the third party (Mrs. BBB ) who provided thedata of the claimant and said to hold his representation provide a document thatcredit that extreme.Nor is it known that the entity, before registering thegas supply contract in the name of the claimant -and despite the legitimationEDP to process the claimant's personal data was supported,exclusively, in that they had been provided by their supposed representative - would havetaken some measure to verify the reality of that representation.Outside by directly contacting the owner of the data or articulating anyAnother mechanism, the truth is that EDP has not demonstrated that it had deployed aminimum diligence in verifying that, indeed, the owner of the datahe had given his representation to the third party who provided them (Mrs. BBB ).Likewise, there is no evidence that this entity has an ad hoc protocol implemented.C-. Respect for the principle of legality that should govern the processing of data fromthird parties and referred to in article 6.1. of the RGPD, it implies that the person responsiblebe able to demonstrate compliance (principle of proactive responsibility,article 5.2 of the RGPD)In the present case - in which the respondent affirms that the legality of the treatmentIt is justified in the existence of a contract in which the affected party was a party - it is transferredto the person responsible for the processing of personal data the burden of proof of theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 17 17/30hiring; or at least the burden of proof that he displayed the diligence that wasproceeding to comply with such obligation.We refer to article 5.2 of the RGPD. In similar terms it was pronouncedthe, currently repealed, Directive 95/46, which has been transposed into domestic lawSpanish through Organic Law 15/1999, Data Protection (LOPD) and thatclearly set out the Development Regulation of the LOPD, approved by theRoyal Decree 1720/2007. Rules in force when EDP started data processingwhich is the object of assessment in this sanctioning file and which is currentlyare repealed.The Administrative Litigation Chamber of the National High Court, in casessuch as the one presented here, has been considered under the previous regulations thatWhen the owner of the data denies the contract, the burden of proof corresponds towho affirms its existence, and the person responsible for the data processing ofthird parties collect and keep the necessary documentation to prove theconsent of the owner.We cite, for all, the SAN of 05/31/2006 (Rec. 539/2004), Foundation ofFourth Law: “ On the other hand, it is the person responsible for the treatment (for all,judgment of this Chamber of October 25, 2002 Rec. 185/2001) to whom it correspondsensure that the person from whom consent is requested, effectively gives it, andthat the person who is giving consent is effectively the owner of thosepersonal data, having to keep proof of compliance with the obligation toprovision of the Administration, in charge of ensuring compliance with the Law ”.D.- EDP also invokes, in defense of its statement that it acted in accordance withRight and respected the principle of legality when processing the claimant's data, that, thechange of ownership of the gas contract managed by Mrs. BBB -as ofrepresentative of the company that was the holder of the energy contract for thesupply of *** ADDRESS. 1- did not oblige him to prove that the allegedrepresentative held the representation of the new client and owner of the datatreaties. This statement justifies that article 83 of Royal Decree 1955/2000grants the consumer who is aware of the payment the power to transfer theircontract to another consumer who will use it under identical conditions.And it also adds that in the present case " the change of ownership occurs underthe same contractual conditions, that is, without the change being able to beconsidered a new discharge and therefore a new hiring ”.In response to such allegation, regarding the supposed enabling norm for thetreatment carried out (RD 1955/2000), it is enough to point out that article 6.1 of the RGPD,in its section c) considers as one of the assumptions of legality of the treatment thatthis is necessary for the fulfillment of a legal obligation applicable to theresponsible for the treatment.Now, the obligation in such a case must be imposed by a norm withformal rank of Law. The requirement that the enabling norm have the formal rank ofThe law was also established in the previous data protection regulations. UsWe refer to article 10.2 of the Development Regulation of the LOPD, currentlyrepealed, but in force when EDP began processing the claimant's data.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 18 18/30On this issue, STC / 292/2000 on the subject of theArticle 6.1, in fine, of the LOPD, which mentioned the Law as an exception to theprinciple of consent. The Constitutional Court warned that a limitation to afundamental right or the exercise of the powers that comprise it requires thatcarried out through a Law in the formal sense, without being able to introducelimitations or restrictions on the content of a right of that nature througha regulatory standard.In any case, and without prejudice to the preceding discussion, the regulatory standardinvoked by EDP has as a factual presupposition that the consumer was atcurrent of payment. And as the audition of the recording provided with theallegations to the initiation agreement - in which a person who identifies with the dataof the claimant contacts EDP to ask for the amount owed since they willthey have cut the power supply - three bills were owed.Regarding the second reflection of the claimed -that there was no dischargenew with the claimant's data but a subrogation of the claimant in theprevious contract- it is a matter of a civil / commercial nature on whichthis Agency should not pronounce itself. What is relevant for the purposes at hand is that,regardless of whether we are facing a subrogation or a new contract,In both cases, the claimant would have, according to the claimed claim, thecontracting party status. And as such, to assert as a legal basisof the treatment of article 6.1.b) of the RGPD, it is essential that the owner of the datahad given his alleged representative consent to act insuch condition, an extreme that in no case has been accredited by EDP.This Agency reiterates that none of the documents that EDP has providedaccredits what is substantial in the matter examined: that the owner of the data grantedto Mrs. BBB her representation so that on her behalf she could manage the change inownership of the electricity contract of the supply point of *** ADDRESS.1.The respondent has not provided documents or probative evidence thatevidence that the entity, in such a situation -a telematic contracting throughwho claims to be the representative of the owner of the data-, deployed the diligenceminimum required to verify that your interlocutor had therepresentation he claimed to hold.Respect for the principle of legality, before the principle of consent, which is inthe essence of the fundamental right to protect personal data, requiresprove that the owner of the data consented to a third party on his behalf to hold acontract with EDP or, at least, that the data controller deployed theessential diligence to prove this point. Not to act like that - and not to demand itthus this Agency, who is responsible for ensuring compliance with the regulationsregulating the right to protection of personal data- the result would beempty the content of the principle of legality and in particular article 6.1 of the LOPD.E.- Found that EDP processed the claimant's personal data and verifiedalso that this entity has not provided the AEPD with any document that demonstratesthat the claimant granted his representation to the person who entered into the contract withC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 19 19/30her and affirmed to act on her behalf - which would have allowed the treatmentunder article 6.1.b, of the RGPD- it must be assessed whether the fault of theclaimed entity or if it omitted the appropriate diligence, having attended thecircumstances of the case, essential for the conduct analyzed to besubsumed in the offending type of article 83.5. of the RGPD.This, because the principle of guilt governs in our sanctioning law,that prevents the imposition of sanctions based on the objective responsibility of the allegedoffender. The presence of the element of guilt in a broad sense, such ascondition for the sanctioning responsibility to arise, has been recognized by theConstitutional Court, among others, in its STC 76/1999, in which it affirms that theadministrative sanctions are of the same nature as criminal penalties as they areone of the manifestations of the ius puniendi of the State and that, as a requirementderived from the principles of legal certainty and criminal legality enshrined in theArticles 9.3 and 25.1 of the EC, its existence is essential to impose it.Law 40/2015 on the Legal Regime of the Public Sector provides in article28, under the heading " Responsibility":"1. They can only be sanctioned for acts constituting an infringementadministrative natural and legal persons, as well as, when a lawRecognize capacity to act, affected groups, unions and entities withoutlegal personality and independent or autonomous patrimonies, which areresponsible for the same by way of fraud or fault. " (The underlining is from the AEPD)In the case analyzed, not only is the element of guilt present -extreme that the defendant denies in its allegations to the initiation agreement - but ratherappreciates a very serious lack of diligence of the claimed that has a consequencedirectly in determining the amount of the penalty to be imposed.In compliance with the obligations that the RGPD imposes on the person responsible for thetreatment must display the minimum diligence required by the circumstancesof the case. The SAN of 04/29/2020 is illustrative -that, although it was issued in a matter offraudulent contracting and under the previous regulations, it is perfectly extrapolated to thethat concerns us- whose Sixth Legal Basis says:"The question is not to clarify whether the appellant processed the personal dataof the complainant without her consent, such as whether or not she used areasonable when trying to identify the person with whom you signed thecontract". (The underlining is from the AEPD)Therefore, even if there is unlawful conduct, when the person responsible for thetreatment accredits having acted with the diligence that the circumstances of the caserequired to comply with the obligations imposed by the regulations for the protection ofdata, since strict liability is prohibited in our Administrative Lawsanctioner, the AEPD proceeds to file the file.In the case that we examine, it is found that the EDP entity did not display theminimum diligence in order to be in a position to prove that the owner of thepersonal data had granted its representation to the person who claimed to act inC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 20 20/30your name when hiring. The respondent did not verify before managing the changeof ownership of the gas supply contract in the name of the claimant if who saidActing on his behalf effectively held it.To such an extent, the lack of diligence demonstrated by EDP in theOf course we are concerned that the recordings of the conversations held betweenthe entity and the person who identified themselves as the claimant's representativemanifest that the alleged representative did not obtain the data of the affected person's DNIby checking the document. On the contrary, as Mrs. BBB explained inthe conversation with EDP whose recording is in the file, the data had beenhandwritten by the person he claimed to represent. It is also striking thatdespite the incidents arising in the telephone contracting regarding the letter of the DNIrepresented -which forced Mrs. BBB to call a secondonce to EDP after verifying the letter of the document- the respondent continued withoutarticulate some consistent measure designed to verify that indeed the holder of thethe data had given its representation to the person who intervened in thehiring.In light of the recordings in the file and the allegations made by EDPin his defense, it is clearly evident that the entity completely lacks aaction protocol for telematic contracting when the person whofacilitates the data is not its owner, but a third party who claims to act on its behalf.Lack that, in addition, prevents compliance with the principle of responsibilityproactive.Regarding the element of guilt in the context of the proceduresanctioner seems appropriate to refer to the SAN of 05/30/2015 (Rec. 163/2014)which has highlighted the differences that exist between the attribution of responsibility toa natural person and a legal person and connects the "reprehensibility" of acertain conduct to a "legal person" with the circumstance that that“ Whether or not it had provided effective protection to the legal asset protected by thenorm ”. The Second Law Foundation of the aforementioned Judgment says:<< However, the mode of attribution of responsibility to peopledoes not correspond to the malicious or reckless forms of guilt thatare attributable to human behavior. So, in the case of infractionscommitted by legal persons, although the element of theguilt, it is necessarily applied differently from how it is done with respect toto natural persons. According to STC 246/1999 “(…) this different construction from theimputability of the authorship of the offense to the legal person arises from thenature of legal fiction to which these subjects respond. They lack thevolitional element in the strict sense, but not the ability to break the rules to thethat they are subjected. Infringement capacity and, therefore, direct reprehensibility thatderives from the legal right protected by the rule that is infringed and the need toThis protection is really effective and because of the risk that, consequently, mustassume the legal entity that is subject to compliance with said rule ">>EDP – taking into account the nature of the business it carries out, whichimplies the treatment of numerous personal data - I had the obligation tohave adopted the necessary and timely measures to be in conditions ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 21 21/30fulfill the obligations that are implicit in the principle of legality.In short, EDP's conduct, materialized in the processing of dataClaimant's personal - name, two surnames, NIF, mobile phone and address -linked to a gas energy contract in which he denies being a party, withoutaccredited that condition of the claimant and without having observed a minimumdiligence in its action, violates article 6.1.b, of the RGPD, subsumed actionin the sanctioning type of article 83.5 of the RGPD.IVThe arguments put forward by the claimant in her various briefs - writtenwhose content is summarized in the second, fifth and eighth Antecedents, and to whichwe make mention in the preceding Foundations of this resolution - they requiresome details:In defense of its claim to archive the file, EDP makes severalallegations that revolve around the same idea: the existence of a contract ofrepresentative mandate between Mrs. BBB and the claimant for the formerenter into an energy contract with EDP on your behalf. Representative mandate thatFor EDP, it is the legal basis for the treatment it has carried out.To support such a claim, the respondent makes countless claimslacking any legal consistency. He says, for example, that " there is a relationshipvalid contractual agreement ” between EDP and the claimant and justifies that statement in twoelements that, it states, the Agency considered proven in the initiation agreement:“ That the claimant's data was obtained through Mrs. BBB and that thisThe lady stated on several occasions, in the course of telephone conversations, thatacted on behalf of the claimant ”.In the allegations to the proposed resolution, EDP again affectsthis issue to denounce now the legal defenselessness to which this Agency hassubmitted.Thus, it states that “it is in a situation of legal defenselessness,that the AEPD itself admits the origin of the data, provided in the callat the time of the hiring carried out by Mrs. BBB , resulting in noHowever, irrelevant in order to prove their due treatment, whenIt is precisely the point of reference that justifies the legitimation of the treatment ofthe Complainant's data, since the existence of a valid contractual relationshipbetween the parties is confirmed. " Second allegation of the brief of allegations to themotion for resolution. (The underlining is from the AEPD)Well, in relation to this " legal defenselessness " that EDP suffers, we mustspecify what this Agency did say and what it did not say, but EDP wants to attribute it.In Legal Basis II of the motion for resolution section B (in thepresent resolution, Legal Basis III), it is said that the recordings sentby EDP (Proven Facts 7 and 8) “ exclusively prove that aperson, Mrs. BBB , insistently stated that she was representing theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 22 22/30claimant to contract on its behalf with EDP. " And then he adds: “ Theaforementioned recordings, nor do they prove that the claimant gave his representation to thementioned lady to contract on her behalf the supply of gas nor do they provide any indicationsome in that sense. " And it continues to say that the “ recordings sent by EDP(four audios, of which two of them make up document 1 and the rest thedocument two of those provided with the response to the informative request) do provewhat is the origin of some of the claimant's personal data that EDP processedassociated with a contract that he denies having entered into: we refer to the data ofname, surname and ID of the claimant. Data that, as evidenced bythe audition of the recordings, were provided by Mrs. BBB to EDP. "“However, the recordings do not explain the origin of other data from theclaimant that EDP also dealt with linked to a contract to which the owner of thepersonal data is foreign: your address at *** LOCALIDAD.1, *** CCAA.1 , which does notcoincides, as already highlighted, with the supply point and the numberclaimant's mobile phone number that EDP included in the copy of the contract that it sent to itshome"As it seems obvious, in such paragraphs nothing is stated other than the recordingsEDP show that the claimant's data that were processed bythe entity (except its address and mobile number) originate or originate in theinformation that, in light of the recordings sent to the AEDP, provided by Mrs.BBB . This, in contrast to other data of the claimant that EDP also processedbut that was not provided by the aforementioned lady, as they are not mentioned in the recordingsprovided: the claimant's address and mobile phone number.Pretend -as the claimant does- that in such paragraphs this Agency isacknowledging that it was the claimant who provided their data to Mrs. BBB is ofall inadmissible point.In short, when the Agency states that the recordings provided areirrelevant is referring to its lack of virtuality to prove or provide evidencethat the claimant gave representation to Mrs. BBB . While thatrepresentation is not credited or evidence of its existence is provided, it is not possibleaccept, as the claimant claims, that a valid contractual relationship existed betweenthe parts.The claimed, in proof of the alleged validity of the contractual relationship betweenEDP and the claimant, have again invoked the recording that they provided as a documentattached to the allegations to the initiation agreement.Regarding this recording - which, as I already underlined at the time, the Agency did notcontains date- EDP, surprisingly, provides novel information that, withoutHowever, it is not accompanied by the necessary proof. Now says the entity in itsbrief of allegations to the proposal -second allegation, third paragraph- that therecording is from 08/10/2019 (data that does not appear in the sound recording) and that " saidpayer, is the Complainant's son knowing the latter as the owner of thecontract "The recording provided by EDP with the brief of allegations to the agreement ofstart (Tenth Proven Fact) -in which the caller identifies with theC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 23 23/30personal data of the claimant asks how much the debt amounts, since they havecut off the supply, after which the telephone operator of the claimed questionabout the CUPS of the home and informs you of the amount pending payment and thepossibility of card payment - cannot have the probative effect that EDP wantsattribute to him.It is enough to point out in this regard that the treatment of the claimant's data withoutlegitimation for this begins in May 2018; that in the recordings it is indicated thatpayment will be made through direct debit, which seems to have not happenedgiven the existing default situation and that the claimant, who received at his homethe default notification already knew perfectly well the amount owed.The entity also states (third claim of the claims to the proposal,first paragraph) that “acted… ensuring the identification of the previous and new owner,as well as to record the operation carried out on a durable medium "An interesting statement that demands precision: identification is not thelegal basis of the treatment, but it is the alleged consent of theclaimant to a mandate given to Mrs. BBB . Thus, it is true that inrecordings provided by EDP Mrs. BBB , who insistently affirms that sheis the representative of the claimant, provided EDP, or in other words, " identified " beforeEDP to his intended client and provided his name, two surnames and NIF.Obviously EDP through the recording provided - in which the supposedClaimant's representative identifies him - he knows his name, surname and NIF. But theThe relevant issue is another: the accreditation that the aforementioned lady acted in a conditionas the claimant's representative because both agreed to do so, which requires proof ofthat the claimant consented to that representation.The various arguments put forward by EDP have the same common element.They intentionally omit any reference to what constitutes the core of theconduct contrary to the RGPD for which the entity is responsible: proof thatthe claimant granted Mrs. BBB his representation to intervene in hisname when contracting with EDP.Related to the above, we have to bring up another of the interestingstatements made by EDP in its defense (which the entity also highlighted inbold): that “ the AEPD not only hinders and inhibits legal traffic, but also cancelscompletely the figure of the representative and the mandate, not considering thisadministrative body these operations carried out by third parties, as actslegitimate ” (The underlining is from the AEPD)Affirmation that again starts from a false premise. This Agency -of courseIt could be otherwise since it is subject to the Spanish legal system - nothinghas to say about the figure of the representative mandateThe decisive thing is that EDP has not proven that the person who intervened in thehiring, and claimed to act as the claimant's representative, held thatrepresentation. What is relevant is the lack of proof that the claimant - whose datapersonal has dealt with EDP associated with a contract that he denies having entered into-C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 24 24/30would have granted his representation to the person who intervened in the hiring and saidact in such a condition.The defendant -which in its allegations to the initial agreement explained in detailthe provisions of the Civil Code that regulate the mandate and insisted that in ourCc governs the principle of freedom of form, so this Agency cannot require youthat the mandate is documented - it forgets that Article 1278 of the CC provides that “ Thecontracts will be binding in whatever way they have been concluded,provided that the essential conditions for their validity concur ” . And one ofthese conditions is consent. Claimant's consent to the mandaterepresentative that he had supposedly conferred on Mrs. BBB , which wasAn essential condition for its existence and on which EDP contributes nothing and says nothing.Regarding the lack of diligence demonstrated by EDP to verify that theThe person who provided the claimant's personal data held hisrepresentation and that, even after the telephone call, did hesome type of activity to confirm the identity of the new owner EDP has respondedin their allegations to the proposal:“ However, this consideration is not correct, since not even in this casewe are facing a contract, nor my client lacks procedures that regulatesaid aspects. " Then it indicates:“ First of all, my client has a double verification processimplemented for new hires via text message to the phonecontact information provided, keeping it as proof of ratification of thehiring.Second, this case involves a mere modification of the owner of thecontract already signed previously ... ” (The underlining is from the AEPD)Allegations that only evidence confusion regarding the obligations towhich is subject to the person responsible for the processing of personal data of third parties byspecific legislation. The mere manifestations of those who claim to act inrepresentation of another cannot justify the legality of the treatment nor constitute aproof of respect for this principle in the processing of data to which complianceThe person in charge is bound by the RGPD.VIn order to specify the amount of the administrative fine to impose in each caseindividual, you must comply with the provisions of articles 83.1 and 83.2 of the RGPD,precepts that indicate:" Each supervisory authority will guarantee that the imposition of finesadministrative under this article for the infractions of thisRegulations indicated in paragraphs 4, 9 and 6 are in each individual caseeffective, proportionate and dissuasive. ""Administrative fines will be imposed, depending on the circumstances ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 25 25/30each individual case, as an additional or substitute for the measures contemplated in theArticle 58, paragraph 2, letters a) to h) and j). When deciding to impose a fineadministrative and its amount in each individual case will be duly taken into account:a) the nature, severity and duration of the offense, taking into account thenature, scope or purpose of the processing operation in question as wellsuch as the number of interested parties affected and the level of damages thathave suffered;b) intentionality or negligence in the infringement;c) any measure taken by the person in charge of the treatment tomitigate the damages and losses suffered by the interested parties;d) the degree of responsibility of the person in charge or the person in charge of the treatment,taking into account the technical or organizational measures that have been applied by virtue ofof articles 25 and 32;e) any previous infringement committed by the person in charge or the person in charge of the treatment;f) the degree of cooperation with the supervisory authority in order to remedy theviolation and mitigate the possible adverse effects of the violation;g) the categories of personal data affected by the infringement;h) the way in which the supervisory authority learned of the infringement, inparticular if the person in charge or the person in charge notified the infringement and, if so, in whatmeasure;i) when the measures indicated in article 58, paragraph 2, have been orderedpreviously against the person in charge or the person in charge in relation to thesame issue, compliance with said measures;j) adherence to codes of conduct under article 40 or to mechanisms ofcertification approved in accordance with Article 42, andk) any other aggravating or mitigating factor applicable to the circumstances of the case,such as financial benefits obtained or losses avoided, direct orindirectly, through the offense. "Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76," Sanctions and corrective measures ", provides:"2 . In accordance with the provisions of article 83.2.k) of Regulation (EU)2016/679 may also be taken into account:a) The continuing nature of the offense.b) The linking of the offender's activity with the performance of treatment ofpersonal information.c) The benefits obtained as a result of the commission of the offense.d) The possibility that the affected person's conduct could have led to the commissionof the offense.e) The existence of a merger by absorption process after the commission of theinfringement, which cannot be attributed to the absorbing entity.f) Affecting the rights of minors.g) Have, when not mandatory, a data protection officer.h) The submission by the person in charge or in charge, on a voluntary basis, toalternative dispute resolution mechanisms, in those cases in whichthere are controversies between those and any interested party. "A) In light of the transcribed rules and in order to specify the amount of the sanction offine to be imposed on EDP as responsible for a criminal offenseC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 26 26/30In article 83.5.a) of the RGPD, it seems appropriate to make two clarifications:The first, that article 83.2 RGPD requires that the supervisory authorityguarantee that the sanction to be imposed is in each case “ effective, proportionate anddissuasive ”and, secondly, that the amount of the penalty provided for in the RGPD forInfractions contemplated in article 83.5 have as a maximum limit the greater ofthese two amounts: 20,000,000 euros or 4% of the total annual turnoveroverall for the previous financial year. During the year 2017 the turnover ofEDP COMERCIALIZADORA, SA, amounted to 268,476,000 euros, so that 4%of this amount amounts to 10,739,040 euros.It must also be indicated that the respondent has requested in her allegations thestarting agreement that the minimum sanction provided for infractions is imposedmild. Allegation that has no reason to exist when the applicable norm is the RGPD that neitherdistinguishes between minor, serious and very serious infractions that the LOPD orcontemplates a mechanism equivalent to article 45.5 of the aforementioned Organic Law15/1999.Although the main claim of the defendant has been the file of theactions, in its allegations to the initiation agreement, it requested in the alternativethat the minimum sanction provided for minor offenses be imposed. Allegationwhich has no reason to be when -as it happens here- the applicable rule is the RGPDthat unlike the LOPD does not distinguish between minor, serious and veryserious and does not include a mechanism equivalent to article 45.5 of theaforementioned Organic Law 15/1999.B) On the origin of estimating any of the mitigating factors described in the standardEDP argued that for the matter at hand “ practically allof the mitigating measures included in the sanctioning regime ”.However, we cannot share this claim with the claimed one. It's more,In the present case, it is not even deemed appropriate to assess as mitigating theThe fact that only one person or the individual has been affected by EDP's actions.merely local scope of the offense (article 83.2.a)In a case like the one we analyze - in which the claimed entity, totelematic contracting in which a third party intervenes on behalf of theowner of the data, lacks a protocol adjusted to the Law that allowsdemonstrate that you actually hold that representation - the offending conduct does notconstitutes a specific and isolated event, the only specific event is the claimformulated by the affected person. Thus, it does not seem correct that the fact that theaffected by the conduct of the entity is a single person, can be considered asexponent of less guilt or unlawfulness of their conduct or appreciatenor as mitigating the local scope of the offense. Conduct contrary tostandard is the result of an action model through which EDP develops itsactivity and that it continues to maintain since, in its opinion, it is in accordance with the Law,no matter how obvious the breach of the principles of legality andproactive responsibility.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 27 27/30Nor can the circumstance be considered as mitigating in favor of EDPdescribed in article 76.2.c) of the LOPDGDD, by reference of article 832.k of theRGPD: " The benefits obtained as a result of the commission of the offense."Regarding this matter, the National Court, Contentious ChamberAdministrative, in its SAN of 04/17/2018 (Rec. 254/2017) rejected the claim of theplaintiff, sanctioned by the AEPD, that theArticle 45.5.e) LOPD due to lack of benefits. The third Legal Basis ofSAN says: “ Regarding the absence of benefits, we cannot but reiterate whatargued by the appealed resolution, regarding that what is relevant is that theAbanca's performance was motivated by the search for economic benefit, bywhat the fact that it was not finally obtained cannot serve asgrounds for an attenuation of guilt or unlawfulness of their conduct ”. That habeen also the spirit of the SAN of 03/31/2017.C) The concurrence, as aggravating circumstances, of the circumstances is appreciatedfollowing:- The duration of the illegitimate treatment of the claimant's data carried out byEDP. The documentation that makes up the file reveals that the treatment began on05/17/2018 (Proven fact 6) and was maintained, at least, until 11/15/2018; this is,for almost five months. The letter that EDP sent is taken into consideration for this purposeto the claimant, dated 11/15/2018, in response to the information request of theAEPD -Proven fact 9- in which it is evidenced that it continues to process the data of theaffected since it considers that the claimant had signed a contract with it throughof Mrs. BBB , (article 83.2.a, of the RGPD)- The volume of business or activity figure of the entity (article 83.2.a, of theGDPR) We are in the presence of a large company in the energy sector. The volumeglobal annual total for financial year 2017 amounted to 268,476 million euros,(Article 83.2.a of the RGPD)- Article 83.2.f) of the RGPD mentions “the degree of cooperation with thecontrol authority in order to remedy the infringement and mitigate the possibleadverse effects ” . Circumstance that also operates as an aggravating circumstance. WhileIt is true that EDP responded to the information requests of this Agency, it isAlso that, despite the fact that it could not prove the legality of the treatment of the data of theclaimant decided to continue with the processing of their personal data associated witha gas contract, after the AEPD had made the requirementinformative, as evidenced in the letter dated 11/15/2018 addressed to theclaimant, despite not having any document proving that the third partywho intervened in the hiring acted on behalf of the owner of the data.- The scope of the treatment (article 83.2.a, RGPD) since the personal dataof the claimant who have been subject to treatment by EDP without standing for itThere were several: the name and two surnames, NIF, private address and telephone numbermobile.- The respondent has acted with a very serious lack of diligence, (article83.2.b, of the RGPD). We are not only facing a lack of diligence at the momentC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 28 28/30to link the claimant's data to a gas contract by virtue of consentgranted by whoever claimed to act on their behalf. As detailed in thePreceding foundations, EDP has shown to be absolutely lacking in aaction protocol that contemplates the need to collect a document thatmake proof of the representation that is said to hold in the hiringtelematics in which whoever contacts the entity claims to intervene inrepresentation of another person.- The obvious link between EDP's business activity and the treatmentof personal data of clients or third parties (article 83.2.k, of the RGPD in relationwith article 76.2.b, of the LOPDGDD)SAWIn accordance with articles 58.2 and 83.2 of the RGPD, previously transcribed,the control authorities may impose, in addition to the fine,any of the corrective measures or sanctions contemplated in letters a) to h) and j)of section 2 of article 58 of the aforementioned RGPD.In the present case, taking into account that the claimed -with regard to the treatmentof personal data collected in telematic contracts in which a third partyintervenes and declares to hold the representation of the owner of the data and represented-completely lacks a protocol of action that respects the obligations thatIt is imposed by the RGPD, it is agreed, under article 58.2. d) of the RGPD, orderEDP that incorporates the contracting protocol that it has implemented for thehiring through a representative all changes that allow you to be inconditions to prove to this Agency that the represented, and owner of the data, hasauthorized such representation and has conferred it in favor of the person who intervenes inthe legal business. The period within which the new measures must have been implementedwill be one month computed from the date on which the resolution in which thisAgree to be executive.In line with the foregoing, article 83.6 RGPD must be brought up, which establishes:"Failure to comply with the resolutions of the supervisory authority in accordance with article58, section 2, will be sanctioned in accordance with section 2 of this article withadministrative fines of a maximum of EUR 20,000,000 or, in the case of acompany, of an amount equivalent to a maximum of 4% of the business volumeglobal annual total for the previous financial year, opting for the highest amount ”.Therefore, in accordance with the applicable legislation and the criteria ofgraduation of sanctions whose existence has been proven,the Director of the Spanish Agency for Data Protection RESOLVES:FIRST: IMPOSE EDP COMERCIALIZADORA SA, with NIF A95000295 , foran infringement of article 6.1 of the RGPD, typified in article 83.5 of the RGPD, afine of 75,000 euros (seventy-five thousand euros).SECOND: Under article 58.2.d) of the RGPD, ORDER EDPC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 29 29/30COMERCIALIZADORA SA, with NIF A95000295, which ADEQUES its protocols fortelematic contracting to THE PROVISIONS of the RGPD relating to the LEGAL OF THETREATMENT, in particular in the contracting made THROUGHREPRESENTATIVE, in which as the data controller you must be inconditions to prove both the reality of the representation granted by the ownerof the data and represented as your identity.The period within which EDP must implement the measures ordered to itadopt and accredit before the AEPD its compliance, will be one month computed fromthe date on which this sanctioning resolution is enforceable.THIRD: NOTIFY this resolution to EDP COMERCIALIZADORA SAFOURTH: Warn the sanctioned person that the fine sanction must be effectiveadministrative imposed once this resolution is executive,in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1,of the Common Administrative Procedure of Public Administrations (inhereinafter LPACAP), within the voluntary payment term established in article 68 of theGeneral Regulation of Collection, approved by Royal Decree 939/2005, of 29July, in relation to article 62 of Law 58/2003, of December 17, through itsincome, indicating the NIF of the sanctioned person and the procedure number that appears inthe heading of this document, in the restricted account number ES00 0000 00000000 0000 0000, opened in the name of the Spanish Data Protection Agency atBanco CAIXABANK, SA Otherwise, it will be collected inexecutive period.Once the notification has been received and once it is executed, if the date of execution isfinds between the 1st and 15th of each month, both inclusive, the deadline to carry out thevoluntary payment will be until the 20th of the following or immediately subsequent business month, and ifis between the 16th and last days of each month, both inclusive, the term of thePayment will be made until the 5th of the second following or immediate business month.In accordance with the provisions of article 50 of the LOPDGDD, thisResolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to administrative proceedings in accordance with article48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of theLPACAP, the interested parties may optionally file an appeal for reversalbefore the Director of the Spanish Agency for Data Protection within a period ofmonth from the day after notification of this resolution or directlycontentious-administrative appeal before the Contentious-Administrative Chamber of theNational High Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-administrative jurisdiction, within a period of two months from theday following notification of this act, as provided in article 46.1 of thereferred Law.Finally, it is pointed out that in accordance with the provisions of article 90.3 a) of theLPACAP, the final resolution may be suspended in an administrative wayIf the interested party expresses his intention to file a contentious appeal-C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 30 30/30administrative. If this is the case, the interested party must formally communicate thismade by writing to the Spanish Agency for Data Protection,Presenting it through the Electronic Registry of the Agency[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the restrecords provided for in article 16.4 of the aforementioned Law 39/2015, of October 1.You must also send the Agency the documentation that proves the filingeffective contentious-administrative appeal. If the Agency had no knowledgeof the filing of the contentious-administrative appeal within a period of two monthsfrom the day following the notification of this resolution, it would terminate theprecautionary suspension.Mar Spain MartíDirector of the Spanish Agency for Data Protection