Editing AEPD - PS/00025/2019

From GDPRhub

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 16: Line 16:
  
 
|Type=Complaint
 
|Type=Complaint
|Outcome=Violation found
+
|Outcome=Upheld
 
|Date_Decided=
 
|Date_Decided=
 
|Date_Published=11.12.2020
 
|Date_Published=11.12.2020
 
|Year=
 
|Year=
|Fine=75000
+
|Fine=75.000
 
|Currency=EUR
 
|Currency=EUR
  
Line 30: Line 30:
  
  
|Party_Name_1= EDP Comercializadora, S.A.U.
+
|Party_Name_1=
 
|Party_Link_1=
 
|Party_Link_1=
 
|Party_Name_2=
 
|Party_Name_2=
Line 50: Line 50:
 
}}
 
}}
  
The Spanish DPA (AEPD) imposed a fine of €75,000 on EDP Comercializadora, S.A.U. for violating Article 6(1) of the GDPR by having processed personal data without the data subject's consent.
+
The Spanish DPA (AEPD) has imposed a sanction to EDP Comercializadora, S.A.U. with a fine of €75,000 for violating Article 6(1) of the GDPR by having processed personal data without the data subject's consent.
  
==English Summary==
+
== English Summary ==
  
===Facts===
+
=== Facts ===
On 19 and 20 September 2018, the claimant reported to the Spanish DPA (AEPD) that EDP Comercializadora, S.A.U. (the defendant) has been processing his personal data (name, surname, ID number, address, telefon number) without his consent in the context of a gas supply contract which according to the claimant, never signed.  
+
On 19 and 20 September 2018, the claimant reported to the Spanish DPA (AEPD) that EDP Comercializadora, S.A.U. (the defendant) has been processing his personal data (name, surname, ID number, address, telefon number) without his consent in the context of a gas supply contract which, according to the claimant, he never signed up.  
The defendant sustained that they have got his personal data through a third person, who called in on his behalf and signed the contract as the claimant's representative, which would be legal according to the Spanish civil law, and therefore, they have been relying on the Article 6(1)(b) (''necessary for the performance of a contract'') as a lawful basis for the processing of personal data.
+
The defendant sustained that they have got his personal data through a third person, who called in on his behalf and signed up the contract as the claimant's representative, which would be legal according to the Spanish civil law, and therefore, they have been relying on the Article 6 (1)(b) (necessary for the performance of a contract) as a lawful basis for the processing of personal data.
  
===Dispute===
+
=== Dispute ===
Could the defendant prove, under the specific circunstances of that case, that the processing of the claimant's personal data was relying on a lawful basis according to the Article 6(1) GDPR?
+
Could the defendant prove, under the specific circunstances of that case, that the processing of the claimant's personal data were relying on a lawful basis according to the Article 6(1) GDPR?
  
===Holding===
+
=== Holding ===
The AEPD held, that the defendant has not been able to prove the consent of the claimant signing the gas supply contract, nor that the third person ("representative") was acting on his behalf (lack of due diligence).
+
The AEPD held, that the defendant has not been able to prove the consent of the claimant signing up the gas supply contract, nor that the third person ("representative") was acting on his behalf (lack of due diligence).
Thus, the AEPD has fined EPD Comercializadora, S.A.U. €75,000 for violating the Article 6(1) GDPR, holding that they have been processing personal data without a proper lawful basis.  
+
Thus, the AEPD has fined EPD Comercializadora, S.A.U. €75,000 for violating the Article 6(1) GDPR.  
Furthermore, the AEPD, based on the Article 58(2)(d) GDPR, has ordered EPD Comercializadora, S.A.U. to bring their processing operations into compliance, specifically with regard to their protocols for signing a contract telematically through a representative.
+
Furthermore, the AEPD has ordered EPD Comercializadora, S.A.U. to bring their processing operations into compliance, specifically with regard to their protocols for signing up telematically for a contract through a representative, with basis on the Article 58(2)(d) GDPR.
  
==Comment==
+
== Comment ==
 
''Share your comments here!''
 
''Share your comments here!''
  
==Further Resources==
+
== Further Resources ==
 
''Share blogs or news articles here!''
 
''Share blogs or news articles here!''
  
==English Machine Translation of the Decision==
+
== English Machine Translation of the Decision ==
 
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
 
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
  

Please note that all contributions to GDPRhub are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see GDPRhub:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)

Template used on this page: