
Editing AEPD - PS/00220/2020

From GDPRhub


Latest revision Your text
Line 58: Line 58:
 
}}
 
}}
  
The Spanish DPA (AEDP) has imposed two fines of €50,000 on IBERDROLA CLIENTES, SAU for infringement of Article 5(1) GDPR and 17 GDPR respectively.
+
The Spanish DPA (AEDP) has imposed two fines of EUR 50,000 on IBERDROLA CLIENTES, SAU for infringement of article 5.1 GDPR and 17 GDPR respectively.
  
==English Summary==
+
== English Summary ==
  
===Facts===
+
=== Facts ===
A former IBERDROLA client complained to the Spanish DPA (AEPD) that the electricity supply company did not respond to his requests to delete his personal data.
+
A former IBERDROLA client complained to the AEPD that the electricity supply company did not respond to his requests to delete his personal data.
  
 
The claimant moved house and informed the company of the change of address for notification purposes. Even so, the company continued to send letters to the previous address.  
 
The claimant moved house and informed the company of the change of address for notification purposes. Even so, the company continued to send letters to the previous address.  
  
 
The claimant, in the same letter notifying the change of address, requested the withdrawal of his details due to the cancellation of the service, which was not answered due to the error in updating the claimant's details mentioned above.
 
The claimant, in the same letter notifying the change of address, requested the withdrawal of his details due to the cancellation of the service, which was not answered due to the error in updating the claimant's details mentioned above.
===Dispute===
 
Is the lack of updating personal data a breach of Article 5(1)(d)?
 
  
Can this failure to update data result in a refusal to comply with Article 17 GDPR?
 
  
===Holding===
+
 
 +
 
 +
=== Dispute ===
 +
Is the lack of updating personal data a breach of Article 5(1)(d)? Can this failure to update data result in a refusal to comply with Article 17 GDPR?
 +
 
 +
=== Holding ===
 
The AEPD held that IBERDROLA had failed to update the customer's data and that this resulted in the inclusion of the complainant's data in a creditworthiness file and in a failure to comply with its obligations regarding the request for deletion of personal data.
 
The AEPD held that IBERDROLA had failed to update the customer's data and that this resulted in the inclusion of the complainant's data in a creditworthiness file and in a failure to comply with its obligations regarding the request for deletion of personal data.
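Review bot: The rewritten lead sentence still abbreviates the authority as "AEDP", while the edited Facts line and the rest of the page use "AEPD"; correct the abbreviation in this same edit. The new lead also cites "article 5.1 GDPR" where the Dispute and Holding lines cite "Article 5(1)(d)", so keep one citation form across the page.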
  
Line 80: Line 82:
 
Therefore, in the present case, there is an infringement of Article 5(1)(d) of the GDPR because no payment order was issued due to a data quality problem.
 
Therefore, in the present case, there is an infringement of Article 5(1)(d) of the GDPR because no payment order was issued due to a data quality problem.
  
The AEPD took into account the fact that it was a non-intentional, but significant negligent action (Article 83(2)(b) GDPR) and that basic personal identifiers were affected (Article 83(2)(g) GDPR).
+
The AEPD took into account the fact that it was a non-intentional, but significant negligent action (article 83 (2) (b) GDPR) and that basic personal identifiers were affected (article 83 (2) (g) GDPR).
  
 
The economic volume of the company is also taken into account in the penalty scale.
 
The economic volume of the company is also taken into account in the penalty scale.
==Comment==
+
 
 +
 
 +
 
 +
== Comment ==
 
The Resolution refers to the former Organic Law on Data Protection (LOPD) because the events occurred before the entry into force of the Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPDPGDD).
 
The Resolution refers to the former Organic Law on Data Protection (LOPD) because the events occurred before the entry into force of the Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPDPGDD).
  
==Further Resources==
+
== Further Resources ==
 
''Share blogs or news articles here!''
 
''Share blogs or news articles here!''
  
==English Machine Translation of the Decision==
+
== English Machine Translation of the Decision ==
 
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
 
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
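Review bot: The revised sentence on the factors the AEPD weighed cites "article 83 (2) (b) GDPR" and "article 83 (2) (g) GDPR", while the unchanged line directly above it cites "Article 5(1)(d) of the GDPR". Use the same capitalised, unspaced form here, for example "Article 83(2)(b) GDPR", so citations on the page stay uniform and searchable.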
  
