AEPD - PS/00102/2020

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 02.07.2020
Fine: 24.000 EUR
Parties: IBERDROLA CLIENTES, S.A.U.
National Case Number/Name: PS/00102/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

2 July 2020 - The Spanish Data Protection Agency (AEPD) terminated early the sanction procedure against Iberdrola Clientes, S.A.U. (the defendant) for infringing the confidentiality principle set out in Article 5(1)(f) GDPR, after the defendant acknowledged its liability and made an early voluntary payment of the reduced amount (24,000 €) of the fine proposed by the AEPD (40,000 €).

English Summary

Facts

The decision results from a sanction procedure that the AEPD opened against the defendant following a complaint by a Spanish citizen, who stated that the defendant had unlawfully sent his/her electricity bill (including his/her name, passport number, address and part of his/her IBAN) to an unrelated third party.

Dispute

The defendant did not respond to any of the AEPD's investigation requests, so the AEPD opened the corresponding sanction procedure.

Holding

Without prejudice to the outcome of the final investigations in the sanction procedure, the AEPD took the view that the defendant could have infringed the confidentiality principle under Article 5(1)(f) GDPR: on the available evidence, the defendant had not been able to guarantee an adequate level of security for the personal data it processed. After considering some aggravating circumstances [(i) the absence of intentionality but significant negligence, and (ii) the disclosure of basic personal data], the AEPD indicated that, if the sanction procedure ended in a decision against the defendant, the infringement would be fined 40,000 €. The AEPD offered the defendant the possibility of settling the matter before a decision was issued by voluntarily paying part of the fine, with two possible discounts: (i) early voluntary payment (32,000 €) and (ii) acknowledgment of its liability (24,000 €). The defendant agreed to both, so it paid 24,000 € and the AEPD closed the sanction procedure.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

936-031219

Procedure No.: PS / 00102/2020

RESOLUTION R / 00269/2020 OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

In the sanctioning procedure PS / 00102/2020, instructed by the Spanish Data Protection Agency to IBERDROLA CLIENTES, SAU, given the complaint presented by AAA, and based on the following,

BACKGROUND

FIRST: On March 24, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning procedure to IBERDROLA CLIENTES, SAU (hereinafter, the claimed), through the Agreement that is transcribed:

<<

Procedure Nº: PS / 00102/2020

935-090320

PENALTY PROCEDURE STARTING AGREEMENT

Of the actions carried out by the Spanish Agency for the Protection of Data and based on the following:

ACTS

FIRST: Ms. AAA (hereinafter, the claimant) dated October 18, 2019 filed a claim with the Spanish Agency for Data Protection. The claim is directed against Iberdrola Clientes, SAU with NIF A95758389 (hereinafter, the claimed).

C / Jorge Juan, 6 - 28001 Madrid - www.aepd.es - sedeagpd.gob.es
In the complaint it is stated that a third party that has nothing to do with the claimant, received your electricity bill at your email address, corresponding to the month of September of the year 2019.

He adds that sensitive data (full name, NIF, address and part of the numbering of your bank account).

You provide the following documentation with your claim:

Email sent by the claimant to the third party, in which it is observed attached to it is the claimant's invoice issued on September 27, 2019, which contains your personal data.

SECOND: In view of the facts reported in the claim and the documents provided by the claimant, the Sub-Directorate General for Inspection of Data proceeded to carry out preliminary investigation actions for the clarification of the facts in question, under the powers of investigation granted to supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and pursuant to the provisions of Title VII, Chapter I, Second Section, of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD).

As a result of the investigation actions carried out, it is found that the person responsible for the treatment is the one claimed.

Also, the following points are found:

The present claim is brought to the attention of the claimant on 27 November 2019, requiring you to refer to this Agency within one month, information on the response given to the claimant before the exercise of rights regulated in articles 15 to 22 of the RGPD, the causes that have motivated the incidence that gave rise to the claim and the measures taken to prevent similar incidents, dates of implementation and controls carried out occur to check its effectiveness, being notified by the Notifications Service Electronic and Electronic Address Enabled, with date of availability and acceptance on November 28, 2019.

On February 11, 2020, the Director of the Spanish Agency for Data Protection, agrees to admit the claim submitted for processing.

The record shows that on the 18th of the same month and year, the require the respondent to report to this Agency within ten business days on the facts. Being notified on February 19 of this year.

After the deadlines given in both notifications has not been obtained response by the claimed party.

FUNDAMENTALS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, The Director of the Spanish Agency for Data Protection is competent to initiate and to solve this procedure.

II

The RGPD, in its article 4.11 defines the consent of the interested party as “Any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either by means of a declaration or a clear affirmative action, the processing of personal data concerning you”.
In this sense, Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights article 6.1 of the RGPD, establishes that "in accordance with the provisions of article 4.11 of the Regulations (EU) 2016/679, the consent of the affected party is understood as any manifestation of free, specific, informed and unequivocal will by which it accepts, either by means of a declaration or a clear affirmative action, the data processing personal that concern him”.

On the other hand, article 5 of the RGPD regulates the principles related to treatment of personal data establishing that they must be:

a) processed lawfully, loyally and transparently in relation to the interested party ("Legality, loyalty and transparency");

b) collected for specific, explicit and legitimate purposes, and will not be processed subsequently in a manner incompatible with said purposes; in accordance with article 89, section 1, the further processing of personal data for archiving purposes in public interest, scientific and historical research purposes or statistical purposes are not will consider it incompatible with the initial purposes ("limitation of the purpose");

c) adequate, relevant and limited to what is necessary in relation to the purposes for those who are treated ("data minimization");

d) accurate and, if necessary, updated; all measures will be taken reasonable to delete or rectify without delay the personal data that are inaccurate with respect to the purposes for which they are processed ("accuracy");

e) maintained in such a way that the identification of the interested parties is allowed for no longer than necessary for the purposes of data processing personal; personal data may be kept for longer periods provided they are treated exclusively for archival purposes in the public interest, scientific or historical research or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of technical and organizational measures imposed by this Regulation in order to protect the rights and liberties of the interested party ("limitation of the conservation period");

f) treated in such a way as to guarantee adequate security for the personal data, including protection against unauthorized or illegal treatment and against their loss, destruction or accidental damage, by applying measures appropriate technical or organizational ("integrity and confidentiality").

2. The data controller will be responsible for compliance with the provided for in paragraph 1 and capable of proving it ("proactive liability").

III

In accordance with the evidence available herein moment, and without prejudice to what results from the instruction, it is considered that of the denounced facts, that is, the display of the claimant's data by from a third party outside of it, allow verifying that the person claimed was unable guarantee adequate security in the treatment of personal data of the claimant, thereby incurring in violation of article 5.1 f) of the RGPD, which governs the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the controller to demonstrate its compliance.

IV

Article 72.1.a) of the LOPDGDD states that “depending on what is established Article 83.5 of Regulation (EU) 2016/679 are considered very serious and three years will prescribe the infractions that suppose a substantial violation of the articles mentioned in that and, in particular, the following:

a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679
V

Article 58.2 of the RGPD provides the following: “Each supervisory authority You will have all the following corrective powers indicated below:

b) sanction any person responsible or responsible for the treatment with warning when the processing operations have violated the provisions of these Regulations;

d) order the data controller or processor that the operations of treatment complies with the provisions of this Regulation, where appropriate, in a certain way and within a specified period;

i) impose an administrative fine pursuant to article 83, in addition or in place of the measures mentioned in this section, depending on the circumstances of each particular case;

VI

This infraction can be sanctioned with a fine of a maximum of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the of greater amount, in accordance with article 83.5 of the RGPD.

Likewise, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established in article 83.2 of the RGPD:

As aggravating the following:

In the present case we are faced with unintentional negligent action, but significant identified (article 83.2 b)
Basic personal identifiers (full name, NIF, address and part of the numbering of the bank account), according to article 83.2 g)

Therefore, in light of the above,

By the Director of the Spanish Agency for Data Protection,

HE REMEMBERS:

FIRST: INITIATE SANCTIONING PROCEDURE for IBERDROLA CLIENTES, SAU with NIF A95758389, for the alleged violation of article 5.1 f) of the RGPD, typified in article 83.5 a) of the RGPD

SECOND: ORDER IBERDROLA CLIENTES, SAU with NIF A95758389, in accordance with the provisions of article 58.2 d) of the RGPD, so that within ten days proceed to order the data controller or processor to treatment operations comply with the provisions of the RGPD.

THIRD: APPOINT D. BBB as instructor and Dña. CCC as secretary, indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, Regime Public Sector Law (LRJSP).

FOURTH: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated by the General Sub-Directorate for Data Inspection.

FIFTH: THAT for the purposes provided in art. 64.2 b) of law 39/2015, of 1 of October, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be 40,000 euros (forty thousand euros) without prejudice of what results from the instruction.

SIXTH: NOTIFY this agreement to IBERDROLA CLIENTES, SAU with NIF A95758389, granting you a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In his writing of allegations must provide your NIF and the procedure number that appears in the heading of this document.

If, within the stipulated period, no allegations are made to this initial agreement, the same may be considered a resolution proposal, as established in the article 64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to impose were a fine, you can recognize your responsibility within the term granted for the formulation of allegations to this initial agreement; the which will entail a reduction of 20% of the sanction to be imposed in the present procedure. With the application of this reduction, the sanction would remain established at 32,000 euros, resolving the procedure with the imposition of this sanction.

In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which It will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 32,000 euros and its payment will imply the termination of the process.

The reduction for the voluntary payment of the sanction is cumulative to the one that corresponds apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the term granted to formulate allegations to the opening of the procedure. Voluntary payment of the referred amount in the previous paragraph it may be done at any time prior to the resolution. In this case, if both reductions were to apply, the amount of the sanction would be established at 24,000 euros.
In any case, the effectiveness of any of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or resource in process administrative against the sanction.

In the event that you choose to proceed to the voluntary payment of any of the amounts indicated above (32,000 or 24,000 euros), you must make it effective through your deposit into account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection at Banco CAIXABANK, SA, indicating in the concept the procedure reference number that appears in the heading of this document and the reason for the reduction of the amount to which welcomes.

Likewise, you must send the proof of income to the General Subdirectorate of Inspection to continue the procedure in accordance with the quantity entered.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, if applicable, the draft initiation agreement. After this period will expire and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that pursuant to the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act.

Mar España Martí, Director of the Spanish Agency for Data Protection
>>

SECOND: On June 19, 2020, the defendant has paid the sanction in the amount of 24000 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility.

THIRD: The payment made, within the period granted to make allegations to the opening of the procedure, implies the renunciation of any action or recourse in process administrative against the sanction and the recognition of responsibility in relation to the facts referred to in the Home Agreement.

FUNDAMENTALS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, on Personal Data Protection and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the society of the information and electronic commerce (hereinafter LSSI), as provided in the article 43.1 of said Law.

II

Article 85 of Law 39/2015, of October 1, of the Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures" provides the following:

"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the sanction that proceed.

2. When the sanction is solely pecuniary or fits impose a pecuniary and a non-pecuniary sanction but it has been justified the inadmissibility of the second, the voluntary payment by the alleged responsible, in any time prior to the resolution, will imply the termination of the procedure, except with regard to the replacement of the altered situation or the determination of the compensation for the damages caused by the commission of the offense.

3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, to less, 20% on the amount of the proposed sanction, these being cumulative each. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or waiver of any administrative action or recourse against the sanction.

The reduction percentage provided in this section may be increased by regulation.

According to what was stated,

the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: DECLARE the termination of the procedure PS / 00102/2020, in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to IBERDROLA CLIENTES, SAU.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.

Against this resolution, which ends the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, of the Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from day after notification of this act, as provided in article 46.1 of the referred Law.

Mar España Martí
Director of the Spanish Agency for Data Protection