Thesis of the resolution


  1. In the present case, it is established that EDP COMERCIALIZADORA, SAU is responsible for the data processing, referred to in the factual background of this agreement to initiate the sanctioning procedure, since, according to the definition of article 4.7 of the RGPD, it is who determines the purpose and means of the treatments carried out for the purposes indicated in the documentation provided regarding the contracting of their services, therefore, in their capacity as responsible for the treatment, they are obliged to comply with the provisions of the transcribed art 24 of the RGPD and especially regarding the effective and continuous control of “appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with this Regulation”.
  2. According to said documentation, the contracting of the service can be carried out with a customer representative, except when it comes to the web channel and the sub-channel for third-party stores in which it is not allowed. The examination of the procedures for contracting the service described by the person in charge and the documentation provided show that when the contracting of the service is carried out through a representative, the latter is not required to accredit the representation that he claims to hold. This absence of accreditation has a single exception when the service is contracted in the sub-channel of its own commercial offices in which a document accrediting the authorization granted for contracting by the represented party is obtained together with the presentation of their ID (evidence 5).
  3. In the case of contracting through the external forces channel, evidence 6, which the person in charge calls the sales book, contains, in the box entitled “client / representative”, a box to consent to the processing of personal data, in the following terms: “I consent to the processing of my personal data once the contractual relationship has ended, to carry out commercial communications adapted to my profile of products and services related to the supply and consumption of energy. Likewise, I consent to the aforementioned treatments during the term and after the end of the contract, on non-energy products and services, both from the companies of the EDP Group and from third parties. ” In said contract or sales receipt, as it has been called by the person in charge, it also appears, after the spaces for the representative’s data, that he “declares that he has sufficient powers to sign this contract on behalf of the client to whom he is responsible for informing of all the conditions of the same. ” Neither in this contracting procedure an accreditation of the representation that is said to hold to contract or give consent for other treatments on behalf of the represented is required, the representation being merely declared by the representative.
  4. In the present case, in the opinion of this Agency such requirements are not met: it is not reported what type of products or services it will allow to contract, the logic to apply to make said decision is not indicated, limiting itself to indicating that it will use a set of data that “allows to know in greater detail the risks associated with contracting”, therefore not knowing what type of products or services can be allowed to contract or the logic to apply for making said decision, its importance or the expected consequences.
  5. FIRST: IMPOSE on the entity EDP COMERCIALIZADORA, SAU, with NIF A95000295, for an infringement of article 25 of the RGPD, typified in article 83.4.a) and classified as serious for the purposes of prescription in article 73.d) of the LOPDGDD, a fine of 500,000 euros (five hundred thousand euros).
  6. SECOND: IMPOSE on the entity EDP COMERCIALIZADORA, SAU, for a violation of article 13 RGPD, typified in article 83.5.b) and classified as minor for the purposes of prescription in article 74.a) of the LOPDGDD, a fine of 1,000,000 euros (one million euros).


Content of the resolution


RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: Various claims have been filed before this Agency against the entity EDP COMERCIALIZADORA, SAU in which the processing of personal data is substantially denounced without the consent of the interested party. Said treatments take place within the framework of the contracting of gas services supposedly carried out by a representative of the client, without said entity being able to prove the existence of such representation. Such claims have led to the initiation of various sanctioning procedures by this Agency, among which it is worth mentioning PS / 0025/2019, which has concluded by declaring the existence of an infringement of the provisions of the data protection regulations.

SECOND: In view of the antecedents mentioned in the previous number, on June 3, 2019, the Director of the Spanish Agency for Data Protection urged the General Sub-Directorate of Data Inspection to initiate preliminary investigation actions in order to prove, where appropriate, the existence of a regular and continued conduct of possible violation of data protection regulations by EDP COMERCIALIZADORA, SAU .

THIRD: On December 17, 2019, the Subdirectorate General for Inspection formulates a request to EDP COMERCIALIZADORA, SAU to provide the following information:

Specification of the contracting channels (telephony, internet, own or subcontracted distributors, sales force with own or subcontracted home visits, etc.…) of the services marketed by EDP COMERCIALIZADORA, SAU to individuals.

Description of the contracting procedure followed through each of the previous channels when the contracting is carried out by a third party on behalf of the natural person who owns the contract. In this regard, it is requested to provide, in addition to all the information it considers appropriate for the purposes of documenting the procedure, the following:

Copy of the documents (model forms, contracts, telephone arguments, etc.) used to collect the personal data of the owner and the third party who acts representing him, indicating the channel or channels for which each one is used.

Description of the procedures enabled through each of the contracting channels so that a third party can prove the representation of a holder when signing a contract with EDP COMERCIALIZADORA, SAU

Specification of the procedure followed by EDP COMERCIALIZADORA, SAU to store the evidence that proves the capacity of representation of the third party in the procedures in which this type of contracting is carried out, indicating the channel or channels for which each one is used.

Attach models and / or examples of type evidence collected by virtue of the procedure followed in section 2.3.

Information on the number of contracts signed in 2018 and 2019 by third parties on behalf of the owners of the services (natural persons) with distinction of:

By virtue of what this representation is supported (power, degree of kinship, etc.)

Procedure or formula for accreditation of the representation followed.

Contracting channel (telephony, internet, own distributors or subcontractors, sales force with own or subcontracted home visits, etc.…)

FOURTH : On January 13, 2020, the entry in the AEPD of the written reply from EDP COMERCIALIZADORA, SAU to the previous information request is recorded. In this document the following is stated:

“FIRST- Specification of the contracting channels (telephony, internet, own or subcontracted distributors, sales force with own or subcontracted home visits, etc.…) of the services marketed by EDP COMERCIALIZADORA, SAU to individuals.

EDP has different channels to formalize the contract, distinguishing the following:

Telephone Channel, with partial or definitive closure of the contracting process by means of a telephone call. It includes the following subchannels:

  • CAC Inbound: Call reception, from customers to EDP. In general, they are already EDP customers who are identified from the beginning of the call through a security protocol, although calls from potential customers can also be received.
  • Telemarketing: Issuance of calls, from EDP to their own databases and to clients for upselling or abandonment recovery. The telephone number that appears in the client’s file is used to make the call, and that has been provided by said person previously.
  • LEADS: Issuance or reception of calls, about users who have expressed an interest in any platform or website (raffles, promotions, offer comparators, blogs, advertising agencies, etc.) leaving their basic data to be contacted or contacting themselves at the phone number shown to them. Normally, these users do not yet have active contracts with EDP.

Web channel, with closure using a digital form. The user accesses through a website and starts a completely online hiring process, without interaction with agents.

Distributors, with face-to-face or digital closure of the contracting process, including:

o EDP’s own Commercial Offices. Usually already EDP clients who come proactively to the branch, although they can also be potential clients.
o Third-party stores (eg *** STORE.1 ). In general, new customers who come to make their purchases and are interested in EDP’s offer.

External Sales Forces, with in-person closing of the contracting process, including:

• Stands at Fairs, Shopping Centers, etc. In general, new clients who attend these events or places and are interested in EDP’s offer.

• Home visits with prior request. Clients or potential clients who have provided their data and consent to receive proposals from an EDP agent at home.

SECOND.- Description of the contracting procedure followed through each of the previous channels when the contracting is carried out by a third party on behalf of the natural person who owns the contract.

1. Telephone Channel:

Next, the procedures implemented in EDP are described in those cases in which the contracting is carried out by a third party on behalf of a natural person via telephone:

1. – CAC INBOUND 1) When the user indicates that he wishes to contract as a representative, he is asked about his relationship with the owner and if he has the authorization of said person. 2) Once the previous point has been confirmed, identification data of the representative are requested, and all the data of the owner necessary to formalize the contract. 3) Finally, the Express Consent of the representative is read and recorded in audio. 4) The contract holder, for informational purposes, is sent in duplicate, with a franked envelope, the contractual documentation in compliance with the provisions of the consumer and user protection regulations.

2. – TELEMARKETING 1) When the user indicates that he wishes to contract as a representative, he is asked about his relationship with the owner. 2) Once the previous point has been confirmed, identification data of the representative are requested, and all the data of the owner necessary to formalize the contract. 3) The Express Consent of the representative is then read and recorded in audio. 4) Finally, durable support is sent to the telephone / sms provided by the representative, and confirmation is awaited. 5) The owner of the contract, for informational purposes, is sent in duplicate, with a stamped envelope, the contractual documentation in compliance with the provisions of the consumer and user protection regulations.

3. – LEADS 1) When the user indicates that he wishes to contract as a representative, he is asked about his relationship with the owner. 2) Once the previous point has been confirmed, identification data of the representative are requested, and all the data of the owner necessary to formalize the contract. 3) The Express Consent of the representative is then read and recorded in audio. 4) Durable support is then sent to the phone / sms provided by the representative, and confirmation is awaited.
5) The contract holder, for informational purposes, is sent in duplicate, with a franked envelope, the contractual documentation in compliance with the provisions of the consumer and user protection regulations. 6) In this channel, due to the contracting method and the characteristics of the clients who use it, communication via SMS or e-mail to the represented is under way, as a pilot test (in cases of non-relationship with the representative to study their effectiveness and responsiveness.)

2. Web: The option of contracting with a representative is not offered.

3. Dealers:

In the case of contracts made in EDP’s own Commercial Offices (in other people’s stores there is no possibility of contracting in the name and on behalf of a third party) the procedure is as follows:

1) In those cases in which the user indicates that they wish to contract as a third party representative, they are asked about their relationship with the owner. 2) Once the information is obtained, the identification data of the representative is requested, and all the data of the owner necessary to formalize the contract. Likewise, a photocopy of the NIF is required, both of the representative and the represented party. 3) It is also required to present an authorization document completed and signed by both interested parties (representative and owner).

4. External Sales Forces:

In the case of contracts made by external sales forces (trade fair stands, shopping centers and home visits, provided there is a prior request from the interested party), the identification data of the representative will be collected in the contract, also requesting the data of the holder necessary to formalize the contract. In the contract, it is expressly specified that the representative declares to have sufficient powers to sign the contract on behalf of the client who is responsible for informing of all the conditions thereof. On the other hand, a photocopy of the representative’s NIF is required.

Subsequently, an audio verification of the contract is recorded where the representative is indicated on two occasions, the fact that he acts on behalf of the holder of the supply and the relationship-kinship that binds them is confirmed.

Therefore, to prove the representation, the contracting book is formalized where the representative declares to have sufficient powers to sign the contract on behalf of the client who is responsible for informing of all the conditions of this. Likewise, a copy of the representative’s NIF is provided.

In this regard, it is requested to provide, in addition to all the information that it deems appropriate for the purposes of documenting the procedure, the following:

1. Copy of the documents (model forms, contracts, telephone arguments, etc.) used to collect the personal data of the owner and the third party who acts representing him, indicating the channel or channels for which each one is used.

1. Telephone Channel:

1. – CAC INBOUND
The data collection is carried out in the system of each of the providers, following the order that corresponds according to the type of client, contracted product or campaign.
Documents:
1. Sales data template (Evidence 1)
2. Express Consent Sales CAC representative (Evidence 2)

Evidence 2 contains the following:
“[XXXXXX] we are going to record your agreement. Okay?
It is [hh: mm] of the day [dd] of [mm] of [20XX], and Mr./Mrs. [Name and surname] with ID [ID number], as [husband / wife / child / attorney / representative ] and in representation of the holder [name and surname / company name] with ID / CIF [DNI / CIF number] telephone [telephone] and email [email] has called and accepts EDP’s offer for the address [address of supply] consisting of [plan conditions -dto. in the light-] for [CUPS LUZ: ES…] on the current EDP price of electricity [power price (€ / kW month) and energy term price (€ / kWh)] and / or [plan conditions -dto. in gas] for [GAS CUPS: ES…] and current EDP gas price [price term availability (€ / month) and term energy price (€ / kWh)]; and / or It works [annual price of the service, conditions of the promotion plan works].
[If the collection date is not chosen] The payment method chosen is [direct debit in your current account / in the account …] and it will be charged on the date indicated on the invoice.
[If the collection date is chosen] The payment method chosen is [direct debit in your current account / in the account …] and it will be charged on a specific date, the days [DD] of the month. In that case, the payment period may be less than or greater than the 20 days established in the regulations “.
“On behalf of your client, and after passing an analysis of the risk of the operation, we will take the necessary steps to activate the access contracts, at which point the new contract will come into force, the previous one being terminated.

The contract / s will have a duration of 1 year, extendable for the same period unless it is reported in advance of 15 days. Are you satisfied with the above information and conditions of the contract (s)? [Yes / Ok].
In a few days you will receive the contract including a duplicate withdrawal document, of which you will only have to return one of the copies signed in the self-postage envelope, you do not need a stamp, which we will attach.
You have 14 calendar days to exercise your right of withdrawal. However, if you ask us, we can start the procedures now. In this case, if you subsequently withdraw from the contract, you must pay the amount corresponding to the supply period provided. Do you want your contract to be processed immediately? [OTHERWISE].
You will still receive an invoice from your current company for a period that is probably less than normal. From there, from the entry into force of the contract, you will receive the EDP invoice with all our advantages.
Your personal data and that of your client will be processed by EDP Comercializadora SAU and EDP Energía SAU for the management of their contracts, fraud prevention, profiling based on customer and EDP information, as well as conducting personalized communications about products or services directly related to their contracts, being able to oppose them at any time “.
“Additionally, so that EDP can advise you with the best proposals:
Will you allow us to present your client with energy-related offers tailored to your profile after the end of the contract, or to send you information on non-energy products and services, Collaborating Companies or EDP at any time? [OTHERWISE]
Do you allow us to complete the commercial profile of your client with information from third party databases, in order to send you personalized proposals and the possibility of contracting or not contracting certain services? [OTHERWISE]
Your request has been registered with the code that I am going to indicate. If you wish, you can make a note of [COD. CIG] “.

2. – TELEMARKETING
The data collection is carried out in the system of each of the providers, following the order that corresponds according to the type of client, contracted product or campaign.
Documents:
1. Sales data template (Evidence 1)
2. Express Consent Sales representative TLMK (Evidence 3)

The text of evidence 3 is as follows:
“[Mr. Mrs. XXXXXX] to hire you I need to record your agreement, okay? [Yes].

Well, it is [hh: mm] on the [dd] day of [mm] of [20XX] [Mr./Mrs.] [Name and surname] with ID [ID number] as [husband / wife / child / attorney-in-fact / representative] and on behalf of the owner [name and surname / company name] with ID / CIF [number DNI / CIF], telephone [telephone] and email [email] accepts EDP’s offer for the address [supply address] consisting of for [CUPS LUZ: ES] on the current EDP price of electricity [power price (€ / kW month) and energy term price (€ / kWh)] and / or [plan conditions – discount. in gas] for [GAS CUPS: ES] and price Gas EDP in force [price term availability (€ / month) and term energy price (€ / kWh)]; and / or It works [annual price of the service, conditions of the promotion plan works]. The chosen form of payment is [direct debit in your current account / in the account] and it will be charged [on the date indicated on the invoice / on A SPECIFIC DATE, THE DAYS (DD) OF THE MONTH. IN THIS CASE, THE PAYMENT PERIOD MAY BE LESS OR GREATER THAN THE 20 DAYS ESTABLISHED IN THE REGULATIONS]. On behalf of your client, and after passing an analysis of the risk of the operation, we will take the necessary steps to activate the access contracts, at which point the new contract will come into force, the previous one being terminated.
The contract / s will have a duration of 1 year, extendable for the same period unless it is reported in advance of 15 days.
Are you satisfied with the above information and conditions of the contract / s? ” [Yes / Ok]. “Thank you.”
In a few days you will receive the contract (including withdrawal document) in duplicate, of which you will only have to return one of the copies signed in the self-postage envelope, you do not need a stamp, which we will attach.
You have 14 calendar days to exercise your right of withdrawal in the way you deem appropriate. However, we can initiate the procedures during this period if you request it, in which case if you withdraw from the contract you must pay the amount proportional to the part of the supply loaned. Do you want your hiring to be processed immediately? [OTHERWISE]
You will still receive an invoice from your current company for a period that is probably less than normal. With the entry into force of the contract you will receive the invoice from EDP with all our advantages.
Your personal data and that of your client will be processed by EDP Comercializadora SAU and EDP Energía SAU for the management of their contracts, fraud prevention , profiling based on customer and EDP information, as well as conducting personalized communications about products or services directly related to their contracts, being able to oppose them at any time.
Additionally, so that EDP can advise you with the best proposals:
Do you allow us to present energy-related offers to your client after the end of the contract, or to send you information at any time on products and services from the financial, insurance and automotive sectors, from Collaborating Companies or from EDP?

[OTHERWISE]
Do you allow us to complete the commercial profile of your client with information from third party databases, in order to send you personalized proposals and the possibility of contracting or not contracting certain services?
[OTHERWISE]
We remind you that you may exercise your rights of access, rectification, opposition, deletion, limitation and portability at any time, through any of the channels indicated in the General Conditions that you can consult on our website www.edpenergia.es.
[Only in case of gas contracting] “For your safety, we remind you of the legal obligation to collaborate with your Distribution Company by facilitating access to its facilities.”
In order to process your request we need you to confirm the acceptance of this offer that has the Code, please take note: “COD CIG”.

3. – LEADS
The data collection is carried out in the system of each of the providers, following the order that corresponds according to the type of client, contracted product or campaign.
Documents:
1. Sales data template (Evidence 1)
2. Express Consent Sales representative LEADS (Evidence 4)

The content of evidence 4 is as follows:
“[Mr. Mrs. XXXXXX] to hire you I need to record your agreement, okay? [Yes].

Well, it is [hh: mm] of the day [dd] of [mm] of [20XX] and [Mr / Mrs] [name and surname] with DNI [DNI number] has requested the call from EDP and as [ husband / wife / child / attorney / representative] and on behalf of the owner [name and surname / company name] with ID / CIF [DNI / CIF number], telephone [telephone] and email [email] accepts EDP’s offer for the address [supply address] consisting of [plan conditions -dto. in the light for [LIGHT CUPS: ES ………… ..] on the current EDP price of electricity [power price (€ / kW month) and energy term price (€ / kWh)] and / or [plan conditions -disc. in gas] for [GAS CUPS: ES ……………………….] and current EDP gas price [price term availability (€ / month) and term energy price (€ / kWh)]; and / or It works [annual price of the service, conditions of the promotion plan works]. The payment method chosen is [direct debit in your current account / in the account ………] and it will be charged [on the date indicated on the invoice / on a specific date, the days (dd) of the month. in that case, the payment period may be less or more than the 20 days established in the regulations]. On behalf of your client, and after passing an analysis of the risk of the operation, we will take the necessary steps to activate the access contracts, at which point the new contract will come into force, the previous one being terminated.

The contract / s will have a duration of 1 year, extendable for the same period unless it is reported in advance of 15 days.

Are you satisfied with the above information and conditions of the contract / s? ” [Yes / Ok]. “Thank you.”
In a few days you will receive the contract (including withdrawal document) in duplicate, of which you will only have to return one of the copies signed in the self-postage envelope, you do not need a stamp, which we will attach.

You have 14 calendar days to exercise your right of withdrawal in the way you deem appropriate. However, we can initiate the procedures during that period if you request it, in which case if you withdraw from the contract you must pay the amount proportional to the part of the supply loaned. Do you want your hiring to be processed immediately? [OTHERWISE]

You will still receive an invoice from your current company for a period that is probably less than normal. With the entry into force of the contract you will receive the invoice from EDP with all our advantages.

Your personal data and that of your client will be processed by EDP Comercializadora SAU and EDP Energía SAU for the management of their contracts, fraud prevention, profiling based on customer and EDP information, as well as conducting personalized communications about products or services directly related to their contracts, being able to oppose them at any time.

Additionally, so that EDP can advise you with the best proposals:
Can we present you with energy-related offers tailored to your profile after the end of the contract, or send you information on non-energy products and services, Collaborating Companies or EDP at any time?
[OTHERWISE]
Do you allow us to complete the commercial profile of your client with information from third-party databases, in order to send you personalized proposals and the possibility of contracting or not contracting certain services? [OTHERWISE]
We remind you that you may exercise your rights of access, rectification, opposition, deletion, limitation and portability at any time, through any of the channels indicated in the General Conditions that you can consult on our website www.edpenergia.es.

2. Web: The option of contracting with a representative is not offered.

3. Dealers:

In the case of EDP’s own commercial offices, the data is collected in the system of each of the suppliers, following the order that corresponds according to the type of client, contracted product or campaign.
Documents provided:
1. Sales data template (Evidence 1)
2. Representative management authorization template (Evidence 5)

Regarding the content of evidence 5, the document contains three different boxes. The first one indicates that “the HOLDER (D. ,,,, DNI or CIF) in his own name or on behalf of the company.” In the second box it is indicated that “AUTHORIZES (D. ,,,, DNI… or CIF) to carry out the management of (indicates 4 possibilities: registration / cancellation, change of ownership, change of direct debit, and / or other formalities ) and the box next to each of them must be marked. In the third box “SIGNATURE” is collected and the spaces corresponding to the place, date (day, month and year) and space for the signature of the authorizing and authorized are left.

The following legend is then highlighted with a red background:

“NOTE: TO BE VALID, THIS AUTHORIZATION MUST BE PRESENTED ACCOMPANIED BY A PHOTOCOPY OF THE HOLDER’S AND THE AUTHORIZED’S ID. WHEN IT IS AN AUTHORIZATION GRANTED BY A REPRESENTATIVE OF THE TYPE SA, SL, AIE, UTE, CB, COMMUNITY OF OWNERS, FOUNDATIONS, SCHOOLS, …, IN ADDITION, A PHOTOCOPY OF THE POWER OF ATTORNEY WILL BE REQUIRED “.

The following text follows:

“Interested parties are informed that the personal data provided in this form will be treated as data controller by EDP ENERGÍA, SAU and EDP COMERCIALIZADORA, SAU so that they can be used to process the authorized management.
The personal data that you provide us will be used, in the manner and with the limitations and rights recognized by the General Data Protection Regulation (EU) 2016/679.

Interested parties whose data is subject to treatment may exercise their rights of access, rectification, deletion, portability, limitation and opposition to the processing of these data, proving their identity, by email addressed to cclopd@edpenergia.es or by writing to the person responsible for the Treatment to the address Plaza del Fresno, 2 – 33007 Oviedo (Asturias). Likewise, you may contact the EDP Data Protection Officer, at the same postal address or by e-mail dpd.es@edpenergia.es, in the event that you understand that any of your rights related to the protection of data, or where appropriate, file a claim with the Spanish Agency for Data Protection ”

4. External Sales Forces:

In the case of external sales forces (trade fair stands, shopping centers and home visits, provided there is a prior request from the interested party), the data collection is done on a paper stub. This data is digitized in the Channel Management Tool (HGC).
For verification, data collection is done on the verification provider’s system.
Documents:
5. Sales checkbook (Evidence 6)
6. Sales data template (Evidence 1)
7. Verification script (Evidence 7)

With regard to evidence 6, which the defendant calls the sales receipt, the document, under the title “contract for the supply of energy and / or services”, contains three boxes on its first page.
The first contains spaces to fill in the data related to the supply point (address, electricity CUPS, gas CUPS) and, separately, boxes to mark the contracting of a light + gas contract or individually any of the two services. There are also spaces to fill in the data of the contract holder (name, surname, telephone and email) and the data of the representative (name, NIF and address), and several boxes are included to mark that the representative acts as spouse / registered partner, ascendant / descendant or attorney-in-fact. Under these boxes a text indicates that “it declares to have sufficient powers to sign this contract on behalf of the client who is responsible for informing of all the conditions thereof.”

Below this box is the following legend: “The customer contracts, for the supply indicated, the supply of gas with EDP Comercializadora, SAU and the supply of electricity and / or complementary services with EDP Energía, SAU, (hereinafter jointly and / or individually, as appropriate, referred to as “EDP”) in accordance with the Specific Conditions set out below and the General Conditions in the annex.
The client requests that the provision of supply / supplies and / or services begin during the withdrawal period contemplated in the general conditions. ”
In the second box entitled specific conditions of the contract and in which, separately depending on whether it is gas or electricity, certain information on rates is contained and in which there are spaces to be filled in and boxes to mark relative to the services that are contracted, it appears both in the gas part as well as in the electricity part, a box that must be marked to indicate that the owner is changed. A space is also included to fill in the data related to the current account to direct debit charges (this space is common to all contracted services)
Below this box is the following text: “EDP reserves the right to renounce this contract if the actual data of the supply do not conform to those declared by the client at the time of contracting.” Next there is a box to mark that “The client expressly declares to know and accept the previous Specific Conditions.” And another to mark that “The client declares to have been informed and received the annex with the General Conditions, which he accepts.” It is added below that “The client, if he / she had the status of consumer, has the RIGHT TO WITHDRAWAL from this contract if it had been formalized remotely or outside the marketer’s establishments as indicated in the general conditions and acknowledges that it has been delivered the corresponding withdrawal document to the effect.” Below is a box to mark that “The client declares to have received the withdrawal document and to have been informed of it.”

In the third box, under the heading CUSTOMER / REPRESENTATIVE, after noting that the information related to data protection can be read on the back, it allows you to mark the following consents:
☐ I consent to the processing of my personal data once the contractual relationship has ended, to carry out commercial communications adapted to my profile of products and services related to the supply and consumption of energy. Likewise, I consent to the aforementioned treatments during the term and after the end of the contract, on non-energy products and services, both from the EDP Group companies and from third parties.
☐ I consent to the processing of my personal data for the preparation of my commercial profile with information from third party databases, for the adoption, by EDP, of automated decisions in order to send personalized commercial proposals, as well as to allow, or not, the hiring of certain services.

On the back of the first page there is a section entitled “Basic Information on Data Protection”, which contains the following:
“Personal data will be processed by EDP COMERCIALIZADORA, SAU and EDP ENERGÍA, SAU (hereinafter, jointly, EDP) as Data Controllers, for the maintenance, development, compliance and management of the contractual relationship, fraud prevention, profiling based on information provided by the Client and / or derived from the provision of the service by EDP, as well as sending commercial communications, relating to products and services related to the supply and consumption of energy, maintenance of facilities and equipment, and which may be personalized based on your Customer profile, as reported in the General Conditions, being able to oppose the sending of commercial communications at any time. Additionally, the Client gives his explicit consent for the processing of personal data collected on the front. Without prejudice to the consents given, the client may exercise, at any time, their rights of access, rectification, opposition, deletion, limitation and portability, through any of the channels indicated in the General Conditions.”

The following information regarding the protection of personal data is contained in the general conditions part:

“ LOPD Purposes of the processing of personal data. In accordance with the provisions of current regulations, the client is informed that all the information provided in this contract is necessary for the purposes of its formalization. Said data, in addition to those obtained as a result of the execution of the contract, will be processed by EDP COMERCIALIZADORA, SAU, with address at c / General Concha, 20, 48001, Bilbao and by EDP ENERGIA, SAU with address at Plaza del Fresno, 2 -33007, Oviedo in its capacity as Data Controllers, in order to manage, maintain, develop, complete and control the contracting of electricity and / or gas supply and / or complementary services of and / or gas and / or complementary services for review and / or technical assistance and / or points program, and / or service improvement, to carry out fraud prevention actions, as well as profiling, personalized commercial communications based on information provided by the Client and / or derived from the provision of the service by EDP and related to products and services related to the supply and consumption of energy, maintenance of facilities and equipment. These treatments will be carried out in strict compliance with current legislation and insofar as they are necessary for the execution of the contract and / or the satisfaction of the legitimate interests of EDP, provided that other rights of the client do not prevail over the latter.

Provided that the client has explicitly accepted it, their personal data will be processed, even after the contractual relationship has ended and as long as there is no opposition to said treatment, to:
(I) The promotion of financial services, payment protection services, automotive or related and electronic, own or third parties, offered by EDP and / or participation in promotional contests, as well as for the presentation of commercial proposals related to the energy sector after the end of the contract, (II) The elaboration of commercial profiles of the Client by means of the aggregation of the databases of third parties, in order to offer the Client personalized products and services, thus improving the client’s experience, (III) The adoption of automated decisions, such as allowing the contracting, or not, of certain products and / or services based on the Client’s profile and particularly, on data such as the history of defaults, the history of contracting, permanence, locations, data consumption, types of devices connected to the energy network, and similar data that allow to know in greater detail the risks associated with the contracting. (IV) Based on the results obtained from the aggregation of the indicated data, EDP may make personalized offers, specifically aimed at achieving the contracting of certain products and / or services from EDP or third-party entities depending on whether the client has consented to it or not, being in any case data processed whose age will not exceed one year. In the event that said process is carried out in an automated way, the client will always have the right to obtain human intervention from EDP, admitting the challenge and, where appropriate, evaluation of the resulting decision.

Categories of processed data
By virtue of the contractual relationship, EDP may process the following types of personal data: (I) Identifying data (name, surname, DNI, postal address, email address, supply point, etc.), (II) Codes or User and / or Client identification codes, (III) Personal characteristics data (date of birth, sex, nationality, etc.), (IV) Social circumstances data (hobbies, lifestyle, marital status, etc.) , (V) Data on energy consumption and life habits derived from these, (VI) Economic, financial, solvency and / or insurance data.

Personal data will be kept during the validity of the contractual relationship and at most, during the limitation period of the corresponding legal actions, unless the Client authorizes its treatment for a longer period, applying organizational and security measures from the beginning of the treatment to ensure the integrity, confidentiality, availability and resilience of personal data.

Communications and recipients of personal data.
All personal data derived from the provision of the service and those obtained by virtue of this contract may be communicated to the following entities:
1. The corresponding distribution company, producing with it a permanent exchange of information for the adequate provision of the service, including the request for access to its network, the readings (which in the case of remote-managed meter will be hourly) and / or consumption estimation, supply quality control, request for supply cuts, power modifications, etc.
2. The Organizations and Public Administrations that by Law correspond.
3. Banks and financial entities for the collection of services rendered.
4. Other companies of the business group, solely for internal administrative purposes and the management of the products and services contracted.
5. National equity solvency and credit services (Asnef-Equifax, …) to which, in case of non-payment without just cause by the Client, the debt may be communicated, as well as fraud prevention services, with the sole purpose of identifying erroneous or fraudulent information provided during the process of hiring.
6. EDP providers necessary for the proper fulfillment of contractual obligations, even those that may be located outside the European Economic Area, in which case the international transfer of data is duly adequate.
Rights of the data holder
The client will have at all times the possibility of exercising the following rights freely and completely free of charge:
1. Access your personal data that is processed by EDP.
2. Rectify your personal data that are processed by EDP that are inaccurate or incomplete.
3. Delete your personal data that is processed by EDP
4. Limit the treatment by EDP of all or part of your personal data.
5. Oppose certain treatments and automated decision-making of your personal data, requiring human intervention in the process, as well as to challenge the decisions that are finally adopted by virtue of the processing of your data.
6. Port your personal data in an interoperable and self-sufficient format.
7. Withdraw at any time the consents previously granted.
In accordance with current regulations, the user can exercise their rights by requesting it in writing, and together with a copy of a document certifying identity, at the following postal address: Plaza del Fresno, 2, 33007 Oviedo or in the email cclo- pd@edpenergía.es
Likewise, you can contact the EDP data protection officer at the following postal address: Plaza del Fresno, 2, 33007 Oviedo, or by email dpd, es @ edpenergía.es, in the event that you understand that any of your rights related to data protection, or where appropriate, file a claim with the Spanish Agency for Data Protection, at the address Calle de Jorge Juan, 6, 28001 Madrid.”

Evidence 7 refers to a sales process with express online verification.
SCRIPT VERIFIER-AGENT
Part 1 (Agent call to number *** PHONE.1 or *** PHONE.2)
VERIF – EDP Verifications, good morning. Can you tell me your phone number to verify?
AGE – Good morning, my phone is XXXXX.
VERIF – I proceed to issue the outgoing call.
Part 2 (Outgoing call from the verifier to the agent’s phone)
VERIF – Good morning, can you tell me your ID? XXXXX Can you tell me your name and surname and collaborating company? (If the tool returns the data of the collaborator (and it is active) we will check if they match; if so we continue; in case they do not match we will request the data that do not match again to reconfirm the discrepancy; if it continues we will indicate: “We cannot carry out the verification, the data you provide us is inconsistent”). In the event that the tool does not return anything to us, we will ask again for the ID and if it still does not appear, we will indicate: “We cannot carry out the verification, your company has not accredited you.”
VERIF – Can you tell me the name, surname and ID of the signer? XXXXX How many contracts have you signed? XXXX (maximum 6 contracts per call) made at the EDP Stand in CC XX / at the collaborator’s store XX
VERIF – Is the signer the owner of the contracts? In case of being the owner, request the contact telephone number and province. If you sign as a representative, request the name, surname and ID of the holders (maximum 3) and contact telephone number and main province of each holder.
VERIF – Can you tell me the phone number of the signer to carry out the verification? XXXXX
VERIF – I proceed to issue the call to start the verification.
Part 3 (Outgoing call from verifier to verification phone)
VERIF to the CUSTOMER – Good morning, I am XXXX from the company *** EMPRESA.1 collaborator of EDP. For security reasons I inform you that this call is being recorded. Can you confirm that you are SIGNING NAME with DNI XXXX and that you have just signed XX contracts at the EDP stand / collaborator’s store (in case of signing as representative, indicate “on behalf of name-surname HOLDER DNI”)? Yes / No. What relationship-kinship do you have with the owner? (This question is not asked when the owner is a company).
– Tenant, I have the rented house: request that the call be passed to the agent and indicate that it is not possible for a tenant to sign as a representative. KO verification.
– Family or attorney-in-fact: continue verification.
Perfect, please pass me on to the agent to take some information and perform the verification, thank you.

2. Description of the procedures enabled through each of the contracting channels so that a third party can prove the representation of a holder when signing a contract with EDP COMERCIALIZADORA, SAU

1. Telephone Channel:

1. – CAC INBOUND
Recording of the legal text where the representative confirms the data provided by the represented party.
2. – TELEMARKETING
Recording of the legal text where the representative confirms the data provided by the represented party and durable support via sms / email where the representative confirms said data again.
3. – LEADS
Recording of the legal text where the representative confirms the data provided by the represented party and durable support via sms / email where the representative confirms said data again.
Additionally, in the pilot test of this channel, another sms / email is sent to the client informing of the representative’s action.

2. Web: The option of contracting with a representative is not offered.

3. Dealers:

In the case of EDP’s own commercial offices, an express authorization document is requested to be completed and signed by both interested parties (representative and owner) containing the data of both persons and copies of their NIFs.

4. External Sales Forces:

In the case of external sales forces (trade fair stands, shopping centers and home visits, provided that there is a prior request from the interested party), the representation is collected in the contracting stub, where the representative declares to have sufficient powers to sign the contract on behalf of the client, whom he is responsible for informing of all its conditions.

Likewise, the verification recording is available and kept where the data of the represented party is confirmed with the representative, as well as the relationship / kinship that unites them.

3. Specification of the procedure followed by EDP COMERCIALIZADORA, SAU to store the evidence that proves the capacity of representation of the third party in the procedures in which this type of contracting is carried out, indicating the channel or channels for which each one is used.

1. Telephone Channel:

1. – CAC INBOUND
The recording is stored linked to the business management system of Contacts where the request is recorded.
2. – TELEMARKETING
The recording and the durable medium are stored in the Canales commercial management system.
3. – LEADS
The recording and the durable medium are stored in the Canales commercial management system.

2. Web: The option of contracting with a representative is not offered.

3. Dealers

In the case of EDP’s own Commercial Offices, the authorization document is stored linked to the Contacts commercial management system where the request is registered.

4. External Sales Forces:

The contracting stub and the recording of the verification call are stored digitally in the Canales commercial management system.
For its part, the paper copy is sent to the supplier entrusted by EDP with the custody of said documents.

4. Attach models and / or examples of type evidence collected by virtue of the procedure followed in section 2.3.

5. Telephone Channel:

1. – CAC INBOUND
An example is provided with the recordings (Evidence 8). It is an audio recording of a service contract in a specific case carried out through representation. Its content is the same as in evidence 2.

2. – TELEMARKETING
Examples of recordings and durable supports are provided (Evidence 9 and 10, respectively). Evidence 9 consists of an audio recording of the contracting of services with a client representative. It reproduces the content of evidence 3. Evidence 10 is a document with the following text: “Confirmation of acceptance of communication by sms:

On 2019-04-26 15:50:06 an SMS was sent from the phone number *** PHONE.3 with the text: EDP Offer: *** OFFER.1 Please reply with a YES to this SMS to accept and activate discounts. Thanks. Details: http://edpconfirma.es/OOUSEAVSXK to the recipient phone number *** PHONE.4.
This message was answered with the notification ID OOUSEAVSXK, on 2019-04-26 15:50:46 and with the text: Yes, which we accept as valid for the processing of the product offered in the document shown below. Personal data of the contractor and of the offer and the following information are indicated below: Your personal data will be processed by EDP Comercializadora SAU and EDP Energía SAU for the management of their contracts, fraud prevention, profiling based on customer information and of EDP, as well as the realization of personalized communications about products or services directly related to their contracts, being able to oppose them at any time.
We remind you that you can exercise your rights of access, rectification, opposition, deletion, limitation and portability at any time, through any of the means indicated in the General Conditions that you can consult on our website www.edpenergia.es. ”

3. – LEADS
Examples are provided with recordings and durable media (Evidence 11, 12, and 13, respectively)

6. Web: The option of contracting with a representative is not offered.

7. Dealers:

Regarding own Commercial Offices, a model of the authorization document completed by the representative in favor of the represented is attached (Evidence 14).

8. External Sales Forces:

With respect to the evidence generated by external sales forces, a model of the contracting book in which the representation is collected is attached (Evidence 15), as well as the recording in which it is confirmed, together with the relationship-kinship that links them (Evidence 16).

THIRD. – Information on the number of contracts signed in 2018 and 2019 by third parties on behalf of the owners of the services (natural persons) with distinction of:
3.1. By virtue of which representation is supported (power, degree of kinship, etc.)
3.2. Procedure or formula for accreditation of the representation followed.
3.3. Recruitment channel (telephony, internet, own distributors or subcontractors, sales force with own or subcontracted home visits, etc. …)

In relation to the request for information regarding the number of contracts signed in 2018 and 2019 by third parties on behalf of individuals, the AEPD is informed of the following information regarding each of the channels:

9. Telephone Channel: 11656

1. – CAC INBOUND
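| Year | Channel | Representation | No. Contracts |
|------|---------|----------------|---------------|
| 2018 | CAC | Relationship | 1,346 |
| 2018 | CAC | No kinship | 394 |
| 2019 | CAC | Relationship | 983 |
| 2019 | CAC | No kinship | 278 |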

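A.2 – TELEMARKETING

| Year | Channel | Representation | No. Contracts |
|------|---------|----------------|---------------|
| 2018 | TELEMARKETING | Relationship | 2,865 |
| 2018 | TELEMARKETING | No kinship | 82 |
| 2019 | TELEMARKETING | Relationship | 1,201 |
| 2019 | TELEMARKETING | No kinship | 42 |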

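A.3 – LEADS

| Year | Channel | Representation | No. Contracts |
|------|---------|----------------|---------------|
| 2018 | LEADS | Relationship | 5,518 |
| 2018 | LEADS | No kinship | 849 |
| 2019 | LEADS | Relationship | 6,127 |
| 2019 | LEADS | No kinship | 1,160 |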
3. Web: Hiring with a representative is not contemplated.

11. Distributors (own commercial offices):

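| Year | Channel | Representation | No. Contracts |
|------|---------|----------------|---------------|
| 2018 | OOCC | Relationship | 194 |
| 2018 | OOCC | No kinship | 67 |
| 2019 | OOCC | Relationship | 174 |
| 2019 | OOCC | No kinship | 78 |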

12. External Sales Forces: (trade fair stands, shopping centers – home visit)

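| Year | Channel | Representation | No. Contracts |
|------|---------|----------------|---------------|
| 2018 | FVE | Relationship | 10,758 |
| 2018 | FVE | No kinship | 118 |
| 2019 | FVE | Relationship | 1,556 |
| 2019 | FVE | No kinship | 58 |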

FIFTH: In writing dated May 29, 2020, sent on June 1, 2020, a new request for information is made to EDP COMERCIALIZADORA, SAU requesting the information listed below:
13. Copy of the content included in the Registry of Treatment Activities (article 30 of the RGPD) in relation to the personal data processing activities carried out in the context of contracting services with EDP COMERCIALIZADORA, SAU

14. Copy of the content included in the Risk Analysis or Assessment carried out by the entity in compliance with article 32 of the RGPD regarding the processing of personal data carried out in the context of contracting services with EDP COMERCIALIZADORA, SAU
15. Among the information previously provided by the entity to the AEPD, registered with number 001390/2020, it is specified on a recurring basis (see evidence 2, 3, 4, 6, 10, 12, 14, 15) that the personal data will be treated for the set of purposes described, in addition to by EDP COMERCIALIZADORA, SAU, by another legal entity (EDP ENERGIA, SAU). The following information is requested in this regard:
1. Reason that justifies that both entities process the personal data collected.
2. Detail of the circumstances that condition, if any, that the treatments carried out on specific personal data are carried out by one or another entity.
3. Detail, where appropriate, the procedures and mechanisms used to guarantee the separation of personal data processed by one entity and another so that each one only has the possibility to process what corresponds to it based on the legitimate purpose pursued at any given time.

SIXTH: On June 17, 2020, this Agency has a written entry from EDP COMERCIALIZADORA, SAU in which the following is stated regarding the last question raised in the request of this Agency referred to in the previous point:

“THIRD.- Among the information previously provided by the entity to the AEPD, registered with number 001387/2020, it is specified on a recurring basis (see evidence 2, 3, 4, 6, 10, 12, 14, 15) that Personal data will be processed for the set of purposes described, in addition to EDP COMERCIALIZADORA, SAU, by another legal person (EDP ENERGIA, SAU). The following information is requested in this regard:

4. Reason that justifies that both entities process the personal data collected.

5. Detail of the circumstances that condition, if any, that the treatments carried out on specific personal data are carried out by one or another entity.

As these two questions are directly related to each other, a joint answer is given to them.
In relation to the evidence provided and that corresponds to the supports used to carry out the contracting through the different channels, reference is made to both EDP COMERCIALIZADORA and EDP ENERGÍA SAU (EDP ENERGÍA), due to the fact that the company with which the services are contracted will be one or the other depending on the product and / or service requested, and it is highly probable that the same client, when requesting the contracting of the electricity and gas supply, is contracting with both companies at the same time.
For this reason, the “dual” contract has been drawn up and structured in such a way that a client can obtain discounts or additional advantages by contracting both energies with two companies of the same business group, and in order to keep the discounts on each of the energies and derived information up to date, it is necessary for both companies to know if the energy initially contracted with the other Group company remains active in order to be able to correctly maintain and manage the discounts / advantages applied.
For this reason, and in order to provide the maximum possible transparency to a process carried out eminently in writing, such as the contracting of energy services, it is for which the clause on data protection informs that the Personal data provided during the contracting process will be processed by both entities, always respecting the functions of each one in accordance with the contract signed in each case and particularly the type of energy services that are finally contracted.

On the other hand, and regardless of the foregoing, we inform that Agency that the existence of two companies within the Group with the role of trading entities is due to a merely formal matter, a consequence of the corporate structure and shareholding composition of the companies acquired by the EDP Group at the time of its establishment in Spain, but which does not correspond to the operational functioning of said marketers, given that only one of them, EDP COMERCIALIZADORA, currently has employees and management and operational capacity. In this way, in practice, all the treatments are carried out by said entity, either as the person responsible for the treatment or as the person in charge of the treatment of EDP ENERGÍA.

Additionally, it should be noted that the EDP Group had planned the corporate reorganization of EDP COMERCIALIZADORA and EDP ENERGÍA and the adaptation of its corporate structure with that of its actual operation and business operations. Said reorganization has currently been affected by a TOTAL sale process in which both companies are immersed, and which, if it materializes, could alter or terminate said integration.

6. Detail, where appropriate, the procedures and mechanisms used to guarantee the separation of personal data processed by one entity and another so that each one only has the possibility to process what corresponds to it based on the legitimate purpose pursued at any given time.

As already stated, all users with access to the system are employees of EDP COMERCIALIZADORA.

In this way, EDP agents access the personal data of the clients of said entity as data controllers or, they have access to the personal data of EDP ENERGÍA clients, as Treatment Manager, in compliance of the provision of EDP ENERGÍA customer management services entrusted to EDP COMERCIALIZADORA, being managed as the two different roles they occupy by virtue of the contractual regulations that we make available to this Agency. ”

Along with this response, an extract from the Treatment Activities Register is provided, which includes the records related to the activities carried out in the field of contracting products and / or services and the risk analysis carried out regarding the treatments that are carried out in the context of contracting products and / or services.

The risk analysis is contained in an Excel document; it does not contain a date or signature. 15 risk factors are listed: 1. Commercially sensitive information. 2. Commercial Communications. 3. Data origin (external or internal source). 4. Data transfers. 5. Treatment Managers. 6. International transfers. 7. Scoring / Profiling activities. 8. Automated decisions. 9. Systematic monitoring of holders. 10. Special categories of data. 11. Large-scale data processing. 12. Data interconnections / Big Data. 13. Minor Data / Vulnerable Holders. 14. Application or use of innovative technologies. 15. Unavoidable treatment / Restriction of exercise rights or access to service. Regarding the potential assessment of inherent risk, the risk scale has 4 levels: low, with a rating from 0 to 12; medium, from 13 to 25; high, from 26 to 38; and very high, from 39 to 51. The valuation or weight given to each of the risk factors is from 1 to 4. In the risk analysis, a yes or no is indicated for each of the 15 risk factors listed above. The sum of the weight attributed to each of the factors for each channel determines the inherent risk. The inherent risk result is medium in all contracting channels, except for web channels and external forces through home visits, where the inherent risk result is low. Risk correction measures are not indicated.

SEVENTH: Information is obtained on the volume of sales of the entity, the results of the turnover during the year 2019 being 989,491,000 euros. The capital according to the information obtained from the Mercantile Registry is 1,487,895 euros.

Information is obtained on the number of clients of the entity. According to the supervision report of the changes of marketer, corresponding to the first quarter of 2019, of the National Commission of Markets and Competition, the number of supply points of the entity as of March 31, 2019, corresponding to the domestic sphere, it amounted to 893,736, constituting 11.4% of the total gas sector in the domestic sphere.

EIGHTH: On July 16, 2020, a written submission from EDP COMERCIALIZADORA, SAU was received at this Agency, stating that “In the framework of the above-referenced procedure, EDP was required by the AEPD to clarify, among other things, certain information related to the contracting procedures implemented in EDP carried out with the intervention of a third party authorized by the owner, as well as addressing the suggestion made in previous procedures communicated by the AEPD in which it was suggested to carry out modifications in the way in which this type of hiring is carried out.

16. That, for all the above, EDP has reviewed the procedure to be followed in contracting by third parties on behalf of the owner, in order to strengthen said procedure and reduce the risks of possible identity theft carried out in bad faith by the contracting party in this type of processes, taking into account, additionally, the particular needs identified as a result of the state of alarm decreed last March and which has necessarily required that all contracts be carried out in a remote manner.

17. That in order to inform the AEPD of the specific actions that are being carried out in relation to this matter by EDP, in compliance with its duty of proactive compliance (accountability), we enclose the “Procedure for contracting by third parties on behalf of the owner”, so that they have visibility about the modifications that are being implemented in said processes in order to attend to their request in this regard, as well as to show EDP’s proactivity regarding its suggestion of adaptation of said process.”

The following aspects are detailed in three sections below: purpose, contracting procedure with third parties and data and interests of those affected.

In the first section, called purpose after exposing the situation, it states the following proposal: “A contracting procedure that, through a correct and safe use of technology, facilitates the contracting of EDP services by clients through a third party that acts under a mandate in the terms of Title IX of the Fourth Book of the Civil Code, protecting in any case the rights of the client and agent over their personal data, which will only be treated according to an adequate legitimation basis and in compliance with the principles of the RGPD, ensuring that they are informed about the treatment and that they can exercise their rights at all times, as well as act in case of identifying any irregular action. ”

In the second section, relating to the contracting procedure with third parties, it distinguishes the procedure followed with a proxy with written authorization from that followed with a proxy with verbal authorization. In the first case, the following steps are indicated: the agent is informed, the data and authorization are collected, and the contract is made on behalf of the client. In the case of the agent with verbal authorization, the steps to be followed are the following: EDP proceeds to inform the agent and collect the data, the agent contracts on behalf of the client, information on the hiring is sent to the client, and the client has the possibility to disavow the hiring.

Regarding the information to the agent and the collection of the data, it consists, as stated, in the following:
• Services offered and explained
• Information is provided on the need to collect certain data for contracting, as well as the use that will be made of them and the place where more information can be obtained in this regard.
• The data of the agent and the client are requested
• The agent provides EDP with his own data and that of the client and confirms that he is empowered to negotiate and sign the contract on behalf of and on behalf of the client.
• The contract includes all the information required by the applicable regulations and in relation to the processing of personal data derived from the hiring.

Regarding the contracting by the agent on behalf of the client, it differentiates between contracting in its own commercial offices and outside the commercial establishment, in which the information is collected in the contract and is delivered on a durable or digital medium to the agent, and contracting remotely (by phone), distinguishing between incoming calls to EDP’s CAC, in which the conversation is recorded, and outgoing calls (telemarketing, issuance of calls by EDP providers), in which the conversation is recorded and the contract is sent on a durable medium to the agent. It clarifies that conversations are recorded after having previously informed the user that the conversation is going to be recorded.

The following is indicated with respect to the step related to sending the client information on the hiring:
-Once the contract is formalized by the agent, when there is no written authorization, a communication is sent to the client, by email or SMS, depending on the communication channel available in each case, that includes:
o Confirmation of the contract made through its agent, including the agent’s data
o Link to a URL to access the contract signed by the agent on his behalf (with guarantees of content integrity and accreditation of the exact date of completion), where you can exercise your right to disallow the contracting in a simple and intuitive way (with a single click) and view, print, or download the contract and withdrawal document
The contract includes all the information on the treatment of customer data by EDP, in addition to the details of the contracted services.
It clarifies that the contracting procedure based on a double authentication factor has been designed taking into consideration the procedure approved by the National Markets and Competition Commission for carrying out portability and contracting in the telecommunications sector, a very similar sector as far as the contracting procedure is concerned.

The communication is carried out through a trusted third party who certifies the sending of the SMS / mail in the following way:

-SMS message:
EDP XXXXXXXX. NAME REP LAST NAME REP has contracted energy / services on your behalf. Before 14 days you can disallow it. Details: https://edpcontrato.es/VER/JAOCOARGPG

-E-MAIL Message:
SUBJECT: Hiring of NAME TIT SURNAME TIT with EDP
Hello, we inform you that NAME REP LAST NAME REP has made the XXXXXXXX contract related to your energy supply / services on your behalf. You have 14 days to disallow such management.

See details at: https://edpcontrato.es/VER/JAOCOARGPG

The step related to the “Possibility for the client to reject the contract” consists of the following:
A link is sent to the client, through which they access a portal from which they are allowed to:
• View contract with the possibility of downloading or printing it or
• Disallow the hiring with a single click. Evidence is generated that guarantees the traceability of the action (exact moment of the performance, as well as the integrity of the associated evidence) or
• Download the withdrawal document.

Regarding the third section, data and interests affected, the following is indicated:
It has been determined that to achieve the purpose of the treatment, the treatment of the following categories of personal data is essential:
• With written authorization:
Customer data: Identification (includes copy of DNI), Contact, Contracted services, Bank details, Supply point data.
Agent data: Identification (includes copy of DNI), Relationship with the owner (yes / no), Contact.
• With verbal authorization:
Customer data: Identification, Contact, Contracted services, Bank details, Supply point data.
Agent data: Identification, Relationship with the owner (yes / no), Contact.

NINTH: The website indicated in evidence 3 and 4 (www.edpenergia.es) is accessed in order to download the General Contract Conditions.

The procedure followed to download the document that includes the General Contracting Conditions, as stated in the diligence of the acting inspector, has been the following:

-Access through the internet browser to the address https://www.edpenergia.es/es/

-Entry of the text “General Conditions” in the page’s own search engine

-The website shows, under the following address: https://www.edpenergia.es/es/buscadorGeneral.do?tiposBusqueda=C%7CM%7CD&idMenuSegmento=18&textBusqueda=Conditions+General, 2 tabs, one called related information and another Documents.

-Select the “Documents” tab of the Search Results. This offers a total of 78 results, the third of which corresponds to the “General contracting conditions”.

-The “General contracting conditions” are selected and a new browser window automatically opens pointing to the following internet address: https://www.edpenergia.es/resources/doc/comercial/2019/09/10/condicionesgenerales-de-contratacion.pdf

-Download the document

The content of the general conditions in the “LOPD” section coincides with the one transcribed as evidence 6, with the same title of the LOPD within the general conditions, in the fourth number of this Agreement for the initiation of sanctioning procedure.

TENTH: On July 31, 2020, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the entity EDP COMERCIALIZADORA, SAU, in accordance with the provisions of article 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of this Data (General Data Protection Regulation, hereinafter RGPD), for the alleged violation of article 25 of the RGPD, typified in article 83.4.a) of the aforementioned Regulation; for the alleged infringement of article 6 of the RGPD typified in article 83.5.a) of the aforementioned Regulation; for the alleged infringement of article 22 of the RGPD, typified in article 83.5.b) of the aforementioned Regulation; and for the alleged infringement of article 13 of the RGPD, typified in article 83.5.b) of the aforementioned Regulation, determining that the penalty that may correspond would amount to a total of 3,500,000.00 euros, without prejudice to what results from the instruction.

ELEVENTH: Once the aforementioned start-up agreement was notified, the investigated entity presented on August 4, 2020 a letter in which it requested an extension of the term in order to present allegations. Once the extension of the term was granted, allegations were presented on 08/24/2020, which are mainly the following:

FIRST: ALLEGED BREACH OF THE PRINCIPLE OF PRIVACY BY DESIGN IN THE PROCESSES OF CONTRACTING THROUGH A REPRESENTATIVE.

The AEPD intends to justify the initiation of this sanctioning file in the alleged absence of documentation that has never been requested. In this regard, it should be noted that EDP COMERCIALIZADORA has a risk identification, analysis and management methodology, both to identify inherent risks and specifically to assess the need to carry out Impact Assessments. It alleges that it includes as an annex the supporting documentation that amply proves that EDP COMERCIALIZADORA fully complies with these obligations, which is specified in the following:
-“Risk Analysis Methodology and Performance of Impact Assessments”
-“Record of Treatment activities and evaluation of risks of the treatments related to the contracting of EDP COMERCIALIZADORA”
-“Evaluation of Privacy Impact: Channel of Leads to Convert by Telemarketing”
-“Evaluation of Privacy Impact: Telemarketing to clients for upselling or recovery of abandonments”
-“Impact Evaluation of Privacy: CAC Channel to Clients Or Potential Clients (Inbound)”
-“Evaluation of Privacy Impact: OOCC Channel to clients or potential clients (Reactive sale)”
-“Evaluation of Privacy Impact: Third-party stores channel for sale to potential clients (Reactive sale)”
-“Evaluation of Privacy Impact: Sales forces external through stands at fairs and shopping centers (reactive sales)”
-“Privacy Impact Assessment: Treatment activity: Carrying out B2C Customer Scoring prior to hiring”.

Likewise, and as a consequence of the measures adopted as a result of the recommendations derived from the risk analysis and impact evaluations carried out by EDP COMERCIALIZADORA, a large number of procedures have been developed by the DPD to comply with the obligations of data protection by design and by default, which are provided as Annex 2. Specifically, the following procedures related to Privacy by Design and by Default, which are part of EDP COMERCIALIZADORA’s Data Protection Governance, Risks and Regulatory Compliance System, are included in this Annex 2:
• Data Protection Methodology from Design and by Default from EDP
• Operational Instruction Privacy By Design and Privacy by Default of the commercial area
• Form for characterization and registration of treatment activities for the analysis of Privacy by Design and Privacy by Default
• Flow chart of the Privacy By Design and Privacy by Default process.

It is really striking that the AEPD gives the relevance it gives to the specific fact that EDP COMERCIALIZADORA had not taken into account in its risk analysis the specific analysis of the risks associated with the possibility of contracting through a representative, when the AEPD itself, in its own “Practical Guide for Risk Analysis in the processing of data subject to the RGPD” (published on its website: https://www.aepd.es/sites/default/files/2019-09/guiaanalisis-de-Riesgos-rgpd.pdf), does not include any direct or indirect reference to the need to assess the specific risk in relation to data processing, whether in contracts or in other processes, carried out by authorized third parties.

Second, it alleges that all the data processing carried out by EDP COMERCIALIZADORA was analyzed to verify its degree of compliance with the obligations related to the RGPD, proposing measures for its correct adaptation, regardless of whether it was necessary to carry out impact evaluations or not. Delving into the specific risk related to contracting carried out through third parties, it should be noted that the content of the analyses carried out was updated at the time, taking into account the considerations that the AEPD has transferred to EDP COMERCIALIZADORA in the administrative procedure related to this matter which began at the end of 2019 and which, we understand, is the cause of the sanctioning procedure in which we find ourselves at the moment. Indeed, as it has already been possible to state within the framework of said sanctioning procedure previously initiated by the AEPD, the contracting processes through authorized third parties had not been identified by EDP COMERCIALIZADORA as a relevant inherent risk factor, taking into account:
1) The practical non-existence of claims by clients in relation to this reason.
2) EDP COMERCIALIZADORA did not have, up to now, any disciplinary proceedings opened for this cause.
3) The contracting carried out through a third party as a verbal agent is expressly recognized in the Civil Code of 1889.

Although the potential risks identified by the AEPD are perfectly possible, the probability of materialization of said risks, in the specific case of EDP COMERCIALIZADORA, was practically nil and therefore its diligence, with regard to the risk analysis, has been amply accredited. Specifically, this fact is based on the very low number of complaints for this reason that EDP COMERCIALIZADORA has received. In effect, there is only one (1) claim regarding a total of 33,848 contracts made, as stated in the information provided in the file itself, which we understand, as surely the AEPD will agree with EDP COMERCIALIZADORA, could be considered, in probabilistic terms, a value that, objectively, does not require an independent and detailed assessment.

It affirms that the possibility of entering into a contract between two parties through the intermediation of a third party is an exclusive matter of Civil Law, so the need, or not, of formalities associated with the accreditation of representation must be governed by the provisions of the Civil Code and, where appropriate, by the provisions of the consumer protection regulations. In this regard, the requirement by the AEPD that the representation alluded to by the representative be recorded in a medium that allows its accreditation could be considered logical in an isolated interpretation of the data protection regulations, but it loses meaning when it is put into context with the rest of the legal system, more specifically, with the provisions of the Civil Code, which contemplates, among others, the possibility of contracting by representative included in article 1259, or the figure of the “mandate”, regulated in articles 1709 to 1739 of the same Code, which states that “by the contract of mandate a person is obliged to provide some service or do something on behalf of or at the request of another”, and for which complete freedom of form is allowed, stating that “The mandate can be express or tacit” and that, likewise, “acceptance can also be express or tacit, the latter deduced from the acts of the agent.” In this case, it does not seem that such broad freedom of form is compatible with obtaining evidence of the existence of the representation or mandate, beyond the representations of the agent, protected by good contractual faith.
Likewise, it is not understandable that a separate consent is required for the processing of the data or a confirmation of the order by the principal, since this would imply distorting the representation, since it would be absurd for the person designated to enter into a contract in favor of a third party not to be able to provide the data of the person on whose behalf he acts, or for the latter’s separate confirmation to be necessary to authorize said communication, since the need to address the represented person directly would make the intervention of the representative useless, since it would itself be meaningless.

Likewise, and in relation to the possibility that the represented party may provide additional consents to the contracting itself, it should be noted that this possibility may well have been specifically authorized by the represented party, but since the same freedom of form governs for the granting of this power (which the norm does not require in any case to be provided in writing), nor is its reliable accreditation required at the time of hiring. In this regard, it should be noted that to date there have been no cases in which any type of incident related to the granting of said consents has been reported by those represented.

Regarding other risks identified by the AEPD, it must be indicated that the risk of identity theft is very low, since the representative identifies himself personally by reliable means when the contracting is in person and by providing the data of his ID when he does it at a distance. However, as the AEPD knows the risk theory well, it does not hold that the existence of a low risk can be considered a non-existent risk. In this sense, the risks of identity theft do not differ from those that correspond to contracting in their own name, since the same checks are carried out to avoid this, based on the risks and threats detected in relation to each form of hiring. Therefore, it cannot be taken for granted that this risk has not been taken into account by EDP COMERCIALIZADORA, nor that measures have not been taken to mitigate it, as will be explained below in the explanation of the hiring procedure. On the other hand, with regard to potential economic damages, although this is a question more linked again to the civil scope of contracting than to the protection of personal data, it must be indicated that in the cases in which the cancellation of the contracts occurs for any reason, EDP COMERCIALIZADORA assumes the costs of the services provided, so that there would be no economic damage for the affected party. Proof of this is that EDP COMERCIALIZADORA has not so far received any claim for the alleged damages and losses wielded by the AEPD.

Regarding the way in which the contracting is carried out, as already stated both in the information made available to that Agency and in the Factual Background of the Initiation Agreement, the contracting of the services is preceded by a series of guarantees that allow the author of the contracts to be identified, following the usual practices in the entire sector of contracting of supply services and by companies of what is known as “Utilities”, both in person and remotely, this information being recorded, so that in the event of any incident, there is evidence of who the person who has made the contract is. Contrary to the insignificance that the AEPD intends to grant to the statement of the representative, perfectly identified, about his condition as representative of the person in whose name he contracts, it must be pointed out that this manifestation has binding legal consequences, which, as has already been stated, are subject to regulation and are expressly recognized by our Legal System, and they imply responsibilities, both from a civil and criminal point of view, so it is not a “mere manifestation”, as the AEPD calls it in the Basis of Law of its writing of initiation of the sanctioning procedure, but it is a legal act, such as the owner’s own consent, defined by the RGPD itself as a “manifestation of will”. Consequently, it does not seem that legally discrimination of the relevance of some manifestations over others can be defended, due to the fact that they are included or not within a specific regulation, or expressed in one way or another. Likewise, as stated in the Factual Background, although later it seems to be obviated in the Basis of Law, in all cases in which the contracting is carried out remotely it is indicated that: “The holder of the contract, for informational purposes, is sent in duplicate, with a stamped envelope, the contractual documentation in compliance with the provisions of the consumer and user protection regulations”.
That is why, in any case, the owner has the possibility of knowing the terms in which the contracting has been carried out.

Notwithstanding all the above, as a result of the sanctioning procedures opened in 2019, and following the criteria transferred by the AEPD in the resolution of PS / 0025/2019 (not final on the date of presentation of this brief, as it is under appeal), EDP COMERCIALIZADORA has proceeded to identify the risk related to the intervention of third parties in contracting, carrying out the corresponding detailed analysis of this issue, and proposals for improvement have been prepared in order to comply with the AEPD considerations, so that in the contracting procedures the person in whose name it is contracted is always informed. The proposed contracting protocol was made known to the AEPD on July 16, 2020, with registration number 025308/2020, presented in any case before receiving the written Agreement for the Initiation of Sanctioning Procedure, being a Request for information with a common number for EDP ENERGÍA and EDP COMERCIALIZADORA, without the AEPD having ruled on it with the corresponding legal valuation report, as requested, in order to implement a system that is fully in accordance with the criteria and interpretations of the AEPD, limiting itself up to now to including in the Initiation Agreement sent to EDP COMERCIALIZADORA certain considerations in relation to the same. Specifically, the doubts raised in relation to the proposed procedure, which we understand are the only ones that the AEPD has, are the following:
1) It is not clarified if it applies to all contracting channels, including the Leads sub-channel, to which no reference is made;
2) Situations are not contemplated in which the represented person cannot be informed by the indicated means (email or SMS);
3) The client is not informed of the consents given by the representative for other treatments with purposes other than the contracting of the service requested during the contracting process, nor of the possibility of revoking such consents;
4) No effective dates for the implementation of this procedure are indicated.

Again, incomprehensibly, instead of requesting additional information from EDP COMERCIALIZADORA in relation to the proposed procedure, the AEPD opts to negatively interpret the information whose content is not clear to it. However, and as we understand that the will of the AEPD, like that of EDP COMERCIALIZADORA, is to achieve a procedure that allows compliance not only with the different contracting modalities provided for in the Civil Code, recognized by the consumer authorities and the courts competent in contractual matters, but also with the considerations of the AEPD, below we proceed to clarify what we understand would be the only doubts of the AEPD in relation to the modifications to the contracting procedure sent:
1) The proposed procedure will apply to all the contracting channels with which EDP COMERCIALIZADORA works, including the “Leads” and any others that EDP COMERCIALIZADORA implements in the future.
2) Regarding the doubt raised about what would happen in the event that the contracting person does not have any of the means provided to carry out the confirmation of the contracting (email or SMS), the alternatives will be:
a. The owner himself making the contract
b. Presenting written authorization and a copy of the ID of the representative and represented
3) Regarding the consents granted and the possibility of revoking them, it should be noted that the communication gives access to the contractual documentation, where each of the consents is recorded. The user, once this information is known, has the possibility of modifying them. However, as a result of the comment of the AEPD in which it questions the validity of the authorization of the representative for the authorization of additional consents to the hiring, EDP COMERCIALIZADORA proposes to allow the representation only for this purpose and will obtain the additional consents directly from the owner.
4) As for the implementation date, it depends precisely on the opinion that the AEPD expresses about this procedure, since it would not make sense to start it if the supervisory authority considers that it does not meet its criteria for considering it an adequate procedure, taking into account the economic costs associated with this implementation, in addition to the time and dedication resources necessary for the deployment of these measures.

It is alleged that the alleged breach of the obligations of article 25 RGPD, and the consequent quantification of the possible sanction to impose on my client derived from said alleged breach, lack any basis for consideration. In addition, and, in any case, the quantification of said possible sanction lacks any hint of being proportionate.

SECOND. – ALLEGED BREACH IN RELATION TO THE CONSENT PROVIDED BY THE INTERESTED PARTY.

It alleges that it is interested in stating that the treatment related to the creation of a commercial profile based on the information of third parties for the submission of advertising information is not, in practice, being carried out, neither at the date of issuance of these allegations, nor prior to them. Therefore, the treatment that could potentially have been carried out has not taken place in any case, at any time, so that, even though it may be questioned from the point of view of the other requirements of the RGPD, it is not possible to attribute to EDP COMERCIALIZADORA unlawful conduct that may be punishable derived from the mere obtaining of consents related to data processing that, to date, has been non-existent and therefore has not generated the alleged damage to the fundamental rights of the citizens wielded by this Agency. The commission of the reference infringement, regulated in article 83.5 (a) RGPD and in 72.1.b) of the LOPDGDD, necessarily requires that a treatment has actually been caused and that the adequate legitimation basis has not been identified or regularized, by stating: “1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infractions that entail a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will prescribe after three years: (…) b. The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679”.

In relation to informed consent, the Agreement for the Initiation of Sanctioning Procedure, to consider that the consent required is invalid, is based on the consideration that the information provided to the interested party is not sufficient, as it is not indicated which third-party bases will be consulted, nor what type of data will be collected, so that the interested party is completely unaware of what he is consenting to. And it is appreciated that a single consent is obtained for two different purposes. In this regard, it is alleged that the information is provided in accordance with the good practices enunciated by the AEPD itself and ratified by the LOPDGDD, so that it is transferred to the interested parties through the double layer system, so that the interested party can reinforce the information provided through the consultation that appears in it, through the different mechanisms that are granted for this purpose (informative locution, back of the physical document or EDP COMERCIALIZADORA website).

In relation to the absence of clear identification of the sources of third parties or the categories of data, it should be noted that said information can be derived from the information provided to the client in the first layer (by clearly identifying that the treatment will be carried out with sources of third parties) as well as in the second layer, the content of which is contained in the section called “general conditions of the contract”, whose content indicates: “(II) The elaboration of commercial profiles of the Client by means of the aggregation of EDP’s databases with data from third-party databases, in order to offer the Client personalized products and services, thus improving the Customer experience. (III) The adoption of automated decisions, such as allowing the contracting, or not, of certain products and / or services based on the Client’s profile and particularly, on data such as the history of non-payments, the history of contracting, permanence, locations, consumption data, types of devices connected to the energy network, and similar data that allow to know in greater detail the risks associated with contracting. (iv) Based on the results obtained from the aggregation of the indicated data, EDP may make personalized offers specifically aimed at obtaining the contracting of certain EDP products and / or services.” As reflected in the cited text, EDP COMERCIALIZADORA has identified in ample detail the types of data that are processed for the detailed purposes, the sources consulted for this being an obvious derivation of the above.

The indication made about obtaining third-party sources is, therefore, sufficient content for the user to be fully aware that their authorization will mean the possibility that the authorized entity can obtain said information. It should be remembered that there is no legal requirement that, at the time of collecting the data of the interested party, the questioned information must be directly contemplated in the consent requested. In other words, since the data source is the interested party, it is only up to the Entity to inform in accordance with the provisions of article 13 RGPD, a provision that does not establish, in any of its precepts, the obligation to identify either the source or the typology of the data. Only in the event that such treatment had been carried out should the Entity have reported such extremes, since only at that time would the provisions of article 14 RGPD apply. Given the non-materialization of said enrichment, this information was not transferred to the interested party, and no data other than those provided or generated during the contractual relationship between the parties appeared in EDP COMERCIALIZADORA’s databases. In addition, it should be noted that, in the case of obtaining data from a third party, it would be that third party who, in its capacity as transferor of the data, would be obliged to legitimize the communication of the data on the basis of the consent of the interested party, without prejudice to the fact that EDP COMERCIALIZADORA would also do so, in compliance with its obligation to provide information once data has been obtained from a third party in accordance with the provisions of the RGPD. In this sense, this situation could only occur if the interested party, exercising their right to dispose of the data and with full awareness of it, had expressed their authorization for their personal data to travel to another company, such as EDP COMERCIALIZADORA, who could only make use of them in the event that they had also expressed their consent, by marking the box or expressly indicating “Yes” in case of telephone.

On the other hand, in relation to the alleged accumulation of treatment purposes, by stating that the interested party would authorize the sending of advertising and, secondly, the use so that EDP COMERCIALIZADORA can assess the viability of the hiring by said user. In relation to this point, we must state that the assessment made by the AEPD starts from an erroneous premise, considering that they are two differentiated treatments, in a case in which it is clear that it is a single purpose, such as the generation of a commercial profile, whose use is limited to two contexts linked to each other: (i) the first, to carry out the assessment of the possibility of contracting and, (ii) the second, to issue the corresponding commercial offers to the user in question. In this way, both assumptions are necessarily interrelated, since there is no doubt that it would be meaningless to design a customer profile, based on the data provided by the user and those derived from the service provided, for the referral of a commercial offer that was sent to an interested party who did not comply with the internal parameters of the Entity to carry out a contract at the time of their request. In relation to this aspect, it is well known by this company that the RGPD requires that the consents collected be specific, just as it is the unanimous criterion of the control authorities that the grouping of purposes related to each other, as would happen in this case, has full place in said concept, without such grouping giving rise to the consideration, per se, that consent has not been specifically obtained. In this area, the approach on which the AEPD maintains the breach attributed to EDP COMERCIALIZADORA obviates the regulation established by the LOPDGDD, in which article 6.2 states that: “2. When it is intended to base the treatment of the data on the consent of the affected person for a plurality of purposes, it will be necessary to state specifically and unequivocally that said consent is granted for all of them.” In light of the above, there is an evident specific regulation that enables the grouping of purposes that the AEPD is now questioning.

As an additional matter, it is indicated by this Agency that the consent obtained is not in accordance with the regulations, considering that it is not explicit, but obtained in the same way as a general consent, although the reasons why it would not meet the criteria issued are not clearly identified. For these purposes, the inclusion of the analyzed consent is carried out in a separate context from the acceptance of the contract itself, so that it is either collected in a box in those contexts in which there is documentary support for it, or in an informative phrase that is read and that must be expressly ratified by the interested party to understand that it has been provided. In this regard, in the absence of clarity in the regulations on the ways that will allow determining that a consent deserves the consideration of explicit (understood as consent reinforced to that already required by the RGPD), in the aforementioned Guideline 5/2020 various nuances are mentioned that help in this clarification. It follows that, in addition to complying with the requirements defined in article 7 of the RGPD, the validity of an explicit consent does not require the attention of exact requirements, and can be valid both in written documents and in telephone recordings. At this point, it is interesting to emphasize an essential issue: although there is neither a legal precept nor an opinion from the control authorities that clearly determines the requirements to consider that the consent obtained is explicit, nor the differences with respect to “regular” consent, EDP COMERCIALIZADORA, and any other entities that act as data controllers, are nevertheless attributed the task of defining at their own discretion in which situations this requirement will be understood to have been fulfilled. Said casuistry cannot but cause a serious legal uncertainty, which in the assumption that concerns us is not solved, not even with the justification that is stated in the writing of the Agreement to initiate the sanctioning procedure, since at no time is it clearly stated which factor, element or action has not been executed by EDP COMERCIALIZADORA, to determine that its conduct has been unlawful and that it deserves a sanction of similar magnitude. Accordingly, the request to the client for an obvious action, such as the verbal indication that he does consent or the marking of a box, the content of which clearly states the purposes for which the data will be used, which is unrelated to any other acceptance and which is not subject to other purposes, must be considered as an explicit consent in order to comply with the obligation imposed by the data protection regulations. In view of the aforementioned points, EDP COMERCIALIZADORA complies with all the legally required requirements, from which it must necessarily be concluded that the Entity’s work to collect the client’s consent, explicitly, has been rigorously attended. It is proof of this that, both in the telephone channels and in those carried out in writing, obtaining consent is carried out differently from the contracting itself, it is stated that it is additional to it, and it is understood collected only in cases in which the client ticks the box or clearly states that he consents. From all this it is only possible to conclude that the consent collection process has been carried out in light of the criteria required by the applicable regulations, being therefore in accordance with the Law.

Thus, the process of obtaining consents that EDP COMERCIALIZADORA has been using is not something new for the AEPD, which has had the opportunity to analyze it prior to the beginning of this sanctioning file, in those files (information requirements and / or sanctioning procedures) opened due to a claim from a user. Within the framework of these, the AEPD had full knowledge of the contracting process and the type of consents that were collected from the interested parties, as the contracts had been provided by EDP COMERCIALIZADORA as evidence of compliance. It goes without saying that the final result of both turned out to be the filing of the same (see the claims with reference E / 00915/2019, which was not even admitted for processing, and the file E / 02714/2019), without additional assessments being made on compliance with the regulations, which only deepens the confusion that this party has in the face of the very serious accusations made against EDP COMERCIALIZADORA by this Agency.

Additionally, and without prejudice to the arguments presented, the presumption made in the Agreement for the Initiation of Sanctioning Procedure draws attention, in which the assessment related to the infractions is carried out taking as a premise a double attribution: (i) the first, derived from the absence of adequate information and, (ii) the second, as a consequence of the execution of a non-consensual treatment. For these purposes, it should be noted that, even if the information provided to the interested party is considered to be deficient, this fact cannot lead to the determination of an infringement of article 6 of the RGPD, since the treatment that would be carried out takes as a starting point the proper legitimizing base. Thus, the definition made by EDP COMERCIALIZADORA regarding the legal basis that would allow it to process the data for the purposes that have already been mentioned, would strictly adhere to the corresponding legitimacy. In other words, EDP COMERCIALIZADORA carries out the necessary actions to obtain the corresponding consent of the interested party, granting him the possibility of granting it or not, voluntarily, by marking the box provided or expressly indicating it in the cases in which these are collected by means of a telephone call. For all these reasons, a conduct that could be legally reprehensible to EDP COMERCIALIZADORA cannot be appreciated, given that it has rigorously subscribed to the terms required by the regulation, when proceeding to request the interested party an express, free, unequivocal and unconditional action of will to another end. And for this reason it is not possible to impute to my client the commission of any infringement of those typified in article 83.5.a) RGPD, in relation to its article 6.

THIRD. – ALLEGED BREACH IN RELATION TO THE PROCESSING OF DATA RELATING TO AUTOMATED DECISIONS AND PREPARATION OF CUSTOMER PROFILES.

Third, the Agreement for the Initiation of Sanctioning Procedure establishes in its Law Foundation IV a series of alleged breaches linked to the apparent lack of observance by EDP COMERCIALIZADORA of the obligations derived from the provisions of article 22 of the RGPD, regarding the consideration by the AEPD of the existence of an impediment, obstruction or repeated failure to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679 in relation to automated decisions and the elaboration of customer profiles, typified in article 83.5.b) RGPD and classified as a very serious breach for the purposes of prescription in article 72.1.k) of the LOPDGDD. Specifically, the AEPD maintains that: 1) EDP COMERCIALIZADORA does not grant users the possibility to exercise their right not to be subject to automated decisions, and does not give the user the proper information regarding this right, 2) the user is unaware of the possibility of refusing the adoption of this type of decision. In this way, the sanction proposed by the AEPD is based on the fact that the information that is provided by EDP COMERCIALIZADORA to the owners of the data is insufficient and imprecise, without prejudice to the fact that it is recognized by the AEPD that EDP COMERCIALIZADORA facilitates and makes available to users documents with information regarding compliance with data protection regulations, both at the time of contracting, and on a durable medium at the end of the contract.

In the first place, regarding the information provided by EDP COMERCIALIZADORA in relation to the legitimizing basis (consent in the case at hand) we must emphasize that the information that is provided to users regarding the treatments that, being additional to the contracting itself, require the consent of the user, is duly provided to the users. Specifically, in the so-called Evidence 6 presented by EDP COMERCIALIZADORA during the substantiation of the informative file from which this sanctioning file arises, the following boxes are reflected within the supply contract model:

“You can read the information related to the treatment of your personal data on the back.

☐ I consent to the processing of my personal data once the contractual relationship has ended, to carry out commercial communications adapted to my profile of products and services related to the supply and consumption of energy. Likewise, I consent to the aforementioned treatments during the term and after the end of the contract, on non-energy products and services, both from EDP Group companies and from third parties.

☐ I consent to the processing of my personal data for the preparation of my commercial profile with information from third party databases, for the adoption, by EDP, of automated decisions in order to send personalized commercial proposals, as well as to allow, or not, the contracting of certain services”

In this case, and expanding information regarding the treatment of user data in the general conditions, we find the following information: “Provided that the client has explicitly accepted it, their personal data will be processed, even after the contractual relationship has ended and as long as there is no opposition to said treatment, for: (I) The promotion of financial services, protection services of payments, automotive or related and electronic, own or third parties, offered by EDP and / or participation in promotional contests, as well as for the presentation of commercial proposals related to the energy sector after the end of the contract, (II) Profiling Customer’s business by adding third-party databases, in order to offer the Customer personalized products and services, thus improving the customer’s experience, (III) Automated decision-making, such as allowing contracting, or not, of certain products and / or services based on the Client’s profile and particularly, on data such as the history of defaults, the history of contracting, permanence, locations, consumption data, types of devices connected to the energy network, and similar data that allow to know in greater detail the risks associated with the contracting. (IV) Based on the results obtained from the aggregation of the indicated data, EDP may make personalized offers, and specifically aimed at achieving the contracting of products and / or services from EDP or third-party entities depending on whether the client has so consented or not, being in any case data processed whose age will not exceed one year.
In the event that said process is carried out in an automated way, the client will always have the right to obtain human intervention from EDP, admitting the challenge and, where appropriate, evaluation of the resulting decision.”

From said fragments, it can only be concluded that (i) both for the elaboration of profiles, and for the treatment of data adopting automated decisions, EDP COMERCIALIZADORA requests the explicit and specific consent of the user, without it being possible to interpret that the adoption of automated decisions is treated under another legitimate basis, as well as that (ii) the information related to the elaboration of profiles and automated decisions, complies with the requirements of article 13 of the RGPD, since it informs about the existence of automated decisions, including the elaboration of profiles and provides significant information on the logic applied, as well as the importance and expected consequences of said treatment for the interested party . For all this and taking into account the first aspect raised by the AEPD regarding the alleged breach committed by EDP COMERCIALIZADORA in relation to the information provided to users to obtain specific consent, there is no interpretation regarding the lack of information and treatment confused by EDP COMERCIALIZADORA, which includes the information corresponding to the specific treatments, providing all the information required in the RGPD.

Second, in relation to the information provided to data holders regarding the exercise of rights, it should be noted that EDP COMERCIALIZADORA expressly informs users in the information it provides them of their specific right to “oppose” “the adoption of automated decisions of their personal data, requiring human intervention in the process, as well as to challenge the decisions that are finally adopted by virtue of the processing of your data”. In this sense, the AEPD considers that EDP COMERCIALIZADORA fails to comply with its obligation to inform the owners of the data by the mere fact that the information provided does not expressly and literally show the right to “revoke consent”, appearing in its place the verb that grants the right of the owners of the data to “oppose” “the adoption of automated decisions of their personal data, requiring human intervention in the process, as well as to challenge the decisions that are finally adopted by virtue of the processing of your data”. We are sure that, as regards the semantic and technical nuance associated with the terms “opposition” and “revocation”, both the experts that the AEPD has and those that EDP COMERCIALIZADORA has are capable of differentiating them from each other and determining that they are two legal concepts, but that Agency will also agree with us that the average user (a concept widely used by that Agency throughout the procedure at hand) will hardly be able to differentiate between these concepts. In the case at hand, what is really important is the effect that the user’s request has in practice, which, in short, is the one that is relevant to the owner of the data, and that generates positive or negative effects on their fundamental rights, this being what the RGPD really protects, and not the use of one verb or another, even more so when they can be used as synonyms.

In this case, the only thing intended by using the term “opposition” with respect to automated decisions in the information provided to users is to provide the user with a clear, concise and transparent understanding of the information that is made available to them, facilitating, in the event that the request of said interested party conforms to the normatively demanded requirements, the exercise of the different rights. Thus, according to the definition contained in the Dictionary of the RAE, revoke means “to leave without effect”; and oppose, “put something against something else to prevent its effect”, so that except for those who have knowledge in the matter and can appreciate the nuance that differentiates one and the other, the truth is that, for the purposes of most of the population, both terms would be synonymous and would mean, in practice, the same thing.

Notwithstanding the foregoing, we must highlight, due to the relevance that this has in this claim, the information contained in Clause 16 of the General Contracting Conditions, regarding data protection. In said clause, in the section corresponding to “Rights of the owner of the data”, express reference is made to the possibility of revoking the consent that they had previously granted; thus, it is expressly indicated: “(VII) Withdraw, at any time, the consents granted”.

It refers to its internal procedure, and states that therefore, not only are users informed at all times of the possibility of revoking the consents granted, but that EDP COMERCIALIZADORA itself, as an internal procedure and in order that those who are in charge of managing the requests have the necessary knowledge in relation to the different possibilities, expressly states said right, regardless of the technical term used, since the main purpose is to inform and that the user knows the possibility of not being the subject of automated decisions. Thus, the internal procedure referenced above even includes response models in order to be able to deal with the different requests in general. All this, without prejudice to the fact that each of the requests is treated in a particular way and in accordance with the specific circumstances that affect the specific case, and the adaptation of said response model is necessary depending on the specific casuistry of each request. The procedure related to the management and answering of the exercise of rights is provided as Annex 3.

In view of the foregoing, the AEPD attends to the lack of knowledge of the average user, as an argument to consider the informative clauses as not very transparent, an aspect that it nevertheless considers substantially essential since it only relates the opposition of the interested party as a valid exercise. Taking into account that the right related to not being the subject of automated decisions is independently and expressly included in the general contracting conditions, requiring, where appropriate, the explicit and specific consent of the user, the user being duly and specifically informed of it, as justified by the evidence provided, as well as of the possibility of opposing being the subject of automated decisions, it is surprising that the AEPD considers that EDP COMERCIALIZADORA does not comply with article 22 RGPD for not offering the client the possibility to “revoke consent” literally, that is, a strictly formal and semantic aspect, when an average user without knowledge in the matter does not have the capacity to understand the difference with the word “opposition”, that Agency understanding that it is not valid to report the possibility of “opposing”, as a synonym, said treatment, which is what is effectively carried out by EDP COMERCIALIZADORA.

In line with the foregoing, it should be noted that EDP COMERCIALIZADORA, in no case has denied the exercise of rights that have not been requested / drafted with a precise character, directing the request to the user in case of doubt, so that it can be resolved efficiently, satisfactorily and without delay.

Likewise, as has already been stated in previous points, in relation to automated decisions, the client is offered the possibility of obtaining human intervention, admitting challenge and, where appropriate, evaluation of the resulting decision, which is why, in addition to informing about the possibility of not being the object of automated decisions, the client is empowered as an alternative to human intervention. For all the above, it cannot be reasonably interpreted that the owner of the data may, even remotely, ignore the possibility or right that their data is not subject to automated decisions, nor that EDP COMERCIALIZADORA places limitations, or does not make available to said interested parties the necessary mechanisms to be able to make the request, being able at any time to “oppose” said treatment, or better said, “revoke” the consent given for the adoption of such decisions, as well as to request human intervention, which on the other hand, in the case of EDP COMERCIALIZADORA always occurs, because although the consultation of the information is automated, the final decision is made by an employee after analyzing its content. Provided as Annex 4, by way of example, are exercises of the right of opposition and of revocation of consent that have been processed during the last year, so that the AEPD can know, first-hand, what type of rights are exercised by the holders, in what modality they are received, as well as specifically how they are duly attended to by EDP COMERCIALIZADORA.

Furthermore, and in order to address the true scope of the alleged infringement, despite the fact that EDP COMERCIALIZADORA includes the possibility of profiling and adopting automated decisions, the only profiling carried out is related to the qualification of customers in the matter of fraud prevention, treatment for which there is legal authorization and which is based on the legitimate interest of EDP COMERCIALIZADORA, in order to safeguard the good future of the contracts made by EDP COMERCIALIZADORA, as well as to prevent customers whose sole purpose is to consume the energy service without paying the bills from becoming part of the customer portfolio. Notwithstanding the foregoing, the owners of the data are informed that said profiling is reviewed and finally processed by EDP COMERCIALIZADORA staff, which is why it cannot be considered as an automated decision in itself, taking into account the literal wording of the concept established by the authorities in this regard. In other words, there is no data processing based on automated decisions, nor is there any manifestation about such treatments, since outside of those strictly necessary to continue with the service and those provided by law, they are not carried out, which is why not only can it not be considered that there is a breach of article 22 of the RGPD, since the requirements set out by the regulations are met, but there are not, nor can there be, data owners who may have been affected by said treatments, so we refer to the broad jurisprudence previously enunciated in this section as it is fully applicable to the case at hand.

This is enough so that there is no basis whatsoever to impute to my client any infringement of those typified in article 83.5.b) RGPD in relation to its aforementioned article 22; however, for dialectical purposes and in the unlikely event that the commission of said infringement could be considered proven, we state the following in relation to the amount of the sanction provided for said alleged infringement in the Agreement to Start the sanctioning procedure.
Thus, in relation to the quantification of the specific sanction for the alleged breach of article 22 RGPD, after assessing the aspects set out in this section, and taking into account the evaluative criteria set out in the RGPD used to graduate the alleged infringement, it must be said, first, that in its writing the AEPD limits itself to stating some aggravating factors that it considers applicable, without displaying the slightest activity to substantiate why, which apart from assuming a total lack of motivation, implies an added difficulty to the right of defense of EDP COMERCIALIZADORA.

Notwithstanding the foregoing, the criteria by which it is understood that the aggravating factors considered by the AEPD would not occur in this specific case are set out below, beyond the fact that, as it has been justified, there is no breach of its obligations on the part of EDP COMERCIALIZADORA, insofar as the regulatory requirements do not occur, insofar as EDP COMERCIALIZADORA does not carry out the treatment subject to the sanction, this being an essential requirement for the application of the sanction to be accommodated. After assessing the aspects set out in this section, and taking into account the evaluation criteria set out in the RGPD:

“The nature, seriousness and duration of the infringement” taking into account, under the same criterion, “the nature, purpose of the treatment operation in question as well as the number of affected parties and the level of damages they have suffered;” As stated in this section, the information provided to users does not constitute an infringement, since there is no breach on the part of EDP COMERCIALIZADORA, it being even more decisive that the number of people affected by the treatments related to profiling and automated decision-making is null and therefore the damages that may have been caused are non-existent. Likewise, since it does not suppose an illegal action, nor has it materialized, it is not possible that it has been prolonged in time, which is why, and taking into account the specific circumstances, when it comes to qualifying the potential administrative fine to impose, it would suppose a mitigating criterion.
In any case, it should be remembered that in order to qualify as aggravating the damages caused to those affected, in addition to materializing, they must be accredited and demonstrated, an aspect that in no case has been proven, or exposed in the Agreement to Initiate the Sanctioning Procedure.

“The intentionality or negligence appreciated in the commission of the offense;” As can be seen from these allegations, neither EDP COMERCIALIZADORA has had any intention of violating data protection regulations, nor causing damage or harm to any user, nor has there been any negligence in its action. Furthermore, there is no evidence that there may be negligence, much less intentionality on the part of EDP COMERCIALIZADORA, which is why the potential applicable penalty should be reduced.

“The high link between the activity of the offender and the processing of personal data;” The main activity of EDP COMERCIALIZADORA is not based on the processing of personal data, but on the supply of energy, the link of the activity with the performance of the treatment in question being minimal. For this reason, said aspect would appear as mitigating, reducing the potential applicable sanction.
“The continuing nature of the offense;” “High volume of data and processing that constitutes the object of the file;” and “High number of interested parties;” As in other criteria indicated individually, these three criteria are subsumed with the one raised in the first place, and from article 83.2 a) of the RGPD, so their evaluation must be carried out together with the one indicated and, therefore, not suppose an additional aspect to the aforementioned for the calculation of the potential applicable sanction.

In order to complete the evaluation criteria, the following should be mentioned:
“C) any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested parties;” As has been proven, the internal procedures under which EDP COMERCIALIZADORA acts, both in relation to the exercise of rights and the protocol of action related to the qualification of the user for fraud prevention purposes, include the fundamental characteristics to attend to all types of exercise of rights and the characteristics related to the assessed treatment of qualification of the user for the necessary fraud prevention. Therefore, taking into account that these procedures are part of EDP COMERCIALIZADORA’s measures and proactive attitude, in no case could the omission of actions or passivity of EDP COMERCIALIZADORA be interpreted.

“E) any previous infringement committed by the person in charge or the person in charge of the treatment;” It should be noted that EDP COMERCIALIZADORA has not been claimed, nor has it been subject to sanction by said precepts at any time, so there are no procedures or previous sanctions, moreover, as we have already stated in previous points, EDP COMERCIALIZADORA has been implementing new measures to alleviate any potential compromised situation, always acting diligently.

In this case, it is not only the grounds set out in the Initiation Agreement to interpret an infringement of article 22 of the RGPD -related to automated individual decisions, including profiling- but also the amount proposed for the alleged infringement, which amounts to 1,000,000 euros, that has most surprised this party. All this because:
1. EDP COMERCIALIZADORA has not been sanctioned, has not been involved in any procedure for infringement of article 22 of the RGPD nor has it received any claim in relation to an alleged infringement of this precept,
2. in the history of procedures published by the AEPD itself, there are no sanctions covered by non-compliance with the aforementioned normative precept.

In other words, not only is there no record in which EDP COMERCIALIZADORA has been a party, but there are also no prior sanctions by the Control Authority that have been based on the violation of article 22 of the RGPD. Therefore, the fact that the infringement is considered very serious and the proposed sanction amounts to said high amount, requires that it be thoroughly substantiated, since it escapes any criteria followed up to now by the AEPD.

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; From the beginning of the information file that causes this procedure, EDP COMERCIALIZADORA has acted in a collaborative and proactive manner, providing at all times the information and documentation requested by the AEPD in a timely manner. Reason why, said aspect would appear as mitigating, reducing the potential applicable sanction. Finally, and by way of conclusions, the Initiation Agreement is neither duly substantiated, nor motivated in accordance with the provisions of the regulations, the decision to impose an administrative fine, and much less, a fine with the proposed amount, as well as consider EDP COMERCIALIZADORA as an infringing subject of the claims included in the Agreement, since as we have indicated in this section, the arguments put forward by the AEPD to sanction under the legal precept contained in article 22 of the RGPD and 72.1 k) of the LOPDGDD , they are not given.

In this sense, in addition to informing in accordance with the applicable regulations, and also granting users the possibility of exercising their rights, EDP COMERCIALIZADORA does not carry out treatments based on automated decisions outside of what is strictly necessary to carry out fraud prevention. For this reason, neither has the alleged infringement been committed, nor are there sufficient arguments to consider the precepts mentioned in this section to be infringed. Furthermore, throughout this procedure, the existence of an infringement due to breach of article 22 of the RGPD has not been evidenced, nor have the seriousness or the criteria that allow setting such a high amount of sanction in the present case been fully substantiated.

FOURTH.- ALLEGED BREACH IN RELATION TO THE DUTY OF TRANSPARENCY.

The AEPD, in its Agreement to Initiate Sanctioning Procedure, attributes to EDP COMERCIALIZADORA the violation of Article 13 of the RGPD, assuming a breach of the duty of information that is its own as the data controller, typified in article 83.5.b) and qualified as mild for the purposes of prescription in article 74.a) of the LOPDGDD. Specifically, it considers the existence of said infringement due to:
3. lack of information to the interested parties of the possibility of accessing the information required in article 13 of the RGPD.
4. The web address provided does not lead directly to the information required in accordance with article 13 of the RGPD, without allowing immediate access to the information, nor is access easy for anyone.

EDP COMERCIALIZADORA has no other choice but to state, again, and as it has done and demonstrated in the rest of the alleged breaches alleged by this Agency, that it cannot share the assessments made by the AEPD, so the reasons why it understands that EDP COMERCIALIZADORA indeed fully complies with the requirements demanded by the data protection regulations in terms of transparency in relation to the information provided to the holders of personal data in the contracting processes will be identified below.

With regard to the CAC inbound channel, on which it is stated that the information provided is incomplete, it must be indicated that, as they are incoming calls, there is, when the call starts, before the recording starts – and regardless of the procedure that the person calling the entity’s customer service department intends to carry out –, a telephone announcement where they are informed, among other aspects, of the rights of the interested parties, as well as where to find additional information, in such a way that users receive this information whenever they call, which not only means that this information is provided to them in the call in which they are going to contract the supply, but also when they are already customers and are going to carry out any procedure (be it a query, request a change of capacity, make a payment, request a fractionation or file a claim).

In this sense, it should be noted that the RGPD itself expressly provides in point 13.4 that: “The provisions of sections 1, 2 and 3 will not be applicable when and to the extent that the interested party already has the information.” Therefore, customers receive all the required information in a first verbal information layer, which can be completed by accessing the EDP COMERCIALIZADORA website or directly in the call itself, depending on the management carried out.

Thus, this information is provided in layers, distinguishing on the one hand layer 1: “This call can be recorded. The data you provide us will be processed by EDP Energía, SAU and / or EDP Comercializadora, SAU for the management of your request or inquiry. You can exercise the rights of access, rectification, deletion, opposition, limitation and portability at any time. Consult the Privacy Policy on our website edpenergia.es or press 0”

And on the other, layer 2, which collects the information in a more detailed way, which is activated automatically if the user dials 0, following the instructions of the first layer: “The use of this TELEPHONE CHANNEL does not oblige the user to provide any information about himself. However, to use certain services or access certain content, users must first provide some personal data. In the event that the user provides personal information, we inform you that the data will be processed by EDP Energía, SAU and EDP Comercializadora, SAU, with registered office in Oviedo, Plaza del Fresno 2, 33007 and NIF A33543547 and A95000295 respectively , hereinafter “EDP”, as data controllers, as established by the General Data Protection Regulation ((EU) 2016/679), hereinafter “RGPD”, and its implementing regulations.
Specifically, your data may be processed, when the user so requests, to manage the attention and follow-up of the requests and inquiries made through the website, as well as to carry out surveys and participate in sweepstakes, games and promotions. The requested data will be mandatory and limited to those necessary to proceed with the provision and / or management of the requested service, which will be conveniently informed at the time of collecting your personal data. In case of not providing them or not providing them correctly, the service will not be able to be provided.
In these cases, the user guarantees that the personal data provided is true and is responsible for communicating any changes to them.
In the case of the procedures processed through the TELEPHONE CHANNEL and the registration in it, the data processing carried out is based on the legal relationship derived from your request.
The processing of data for conducting surveys is based on the legitimate interest of EDP in order to improve the quality of the services provided to customers and / or users, being able to oppose such processing at any time, without affecting the legality of the treatments carried out previously.
In no case may personal data corresponding to third parties be included in the forms contained in the TELEPHONE CHANNEL, unless the applicant had previously obtained their consent in the terms required by article 7 of the RGPD, responding exclusively to the breach of this obligation and any other regarding personal data.
The personal data of the users registered on the website may be transferred to the Public Administrations that by law correspond, to other companies of the business group for internal administrative purposes, and to the providers of the person responsible for the treatment necessary for the adequate fulfillment of the contractual obligations.

Personal data will be kept for the duration of your supply contract with EDP, in all other cases, for the time necessary to answer your requests or to analyze the content of your responses to surveys. Once the contractual relationship is completed, your requests answered or your responses analyzed, as appropriate in each case, your personal data will be erased, keeping the rest of the information anonymized for statistical purposes only. Notwithstanding the foregoing, the data may be kept for the period established to comply with the legal obligations to maintain the information and, at most, during the limitation period of the corresponding legal actions, and the data must be kept blocked during the aforementioned limitation period. After this period, the data will be deleted.
In application of the provisions of article 32 of the RGPD, EDP undertakes to comply with the security obligations of the data provided by users, seeking to establish all the technical means at its disposal to avoid loss, misuse, alteration, unauthorized access and theft of the data that the user provides through it, taking into account the state of technology, the nature of the data provided and the risks to which they may be exposed. Notwithstanding the foregoing, the user must be aware that the security measures in the TELEPHONE CHANNEL are not impregnable.
EDP will treat the user’s data confidentially, at all times, keeping the mandatory duty of secrecy over them, in accordance with the provisions of the applicable regulations.
The user can exercise their rights of access, rectification, deletion, opposition, limitation and portability, as well as the revocation of the consents previously granted, in the legally established terms, communicating it in writing to EDP, at the following address: Communication Channel LOPD, Plaza del Fresno, nº2, 33007 Oviedo. Likewise, you can exercise these rights by sending an email with your personal data to cclopd@edpenergia.es. In both cases, a photocopy of the holder’s ID or document proving their identity must be attached. Likewise, you may contact the EDP Data Protection Officer, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or by e-mail dpd.es@edpenergia.es, in the event that you understand any violation of your rights related to data protection, or where appropriate, file a claim with the Spanish Agency for Data Protection at the address Calle de Jorge Juan, 6, 28001 Madrid ”

Next, it is indicated by that Agency that “The provisions of article 11.1 of the LOPDGDD are not complied with in the other two telephone channels (Telemarketing and Leads), nor is the interested party informed that they can access all the information required in accordance with article 13 RGPD in the electronic address indicated ”. However, such a statement is made after the AEPD has reproduced the texts in which the clients are informed of the identity of the person responsible for the treatment, the purposes of the treatment, as well as the rights they can exercise and the website where they can obtain additional information. Therefore, it does not seem that such a statement corresponds to the reality of the facts, so we understand that the Agency will be pleased to modify and eliminate this alleged breach in its proposal for resolution.

The analysis continues, referring to the general contracting conditions to which the information refers, indicating that those hosted on the web are not easily accessible. In this regard, it is interesting to specify that:

5. Article 11 of the LOPGDD refers to the fact that this information must be provided to the interested party “indicating an electronic address or other means that allows simple and immediate access to the rest of the information” and that, in this case, as informed to the interested in the locution, after contracting a copy of the contract is sent which, obviously, includes the general contracting conditions, so direct access to said information is provided. Additionally, this information is available on the web at all times.
6. Faced with the alleged difficulty alluded to by the AEPD to find the aforementioned general conditions, the fact is that, as exemplified, a simple search is enough to access them directly, using the search engine available on the website. Performing the search for “contracting conditions” or “general contracting conditions”, the documents relating to the general contracting conditions that are applicable in Spanish, Galician, Catalan, and Basque are published as first results, leaving clearly identified the documentation that refers directly to the document in PDF format, as evidenced in the following address: https://www.edpenergia.es/resources/doc/comercial/2019/09/10/condicionesgenerales-de-contratacion.pdf

7. Regarding the fact that “it is required to search in the general conditions (which include numerous aspects related to contracting) the information related to data protection”, it must be made clear that the general conditions are composed of four pages, of which practically one of them is dedicated, exclusively, to providing information on the processing of personal data carried out by EDP COMERCIALIZADORA, as we are sure that the AEPD has been able to verify during the procedure of preparing its proposal writing of sanction.

In relation to this alleged breach, it is worth mentioning the guidelines provided by the Article 29 Working Group, in which it recommends including access to information related to the processing of personal data through means in which the interested party can immediately recognize where and how to access this information, (direct links or in the form of an answer to a question in natural language, in the frequently asked questions section, or pop-up windows).

However, it also states that “depending on the circumstances of data collection and processing, a data controller could be forced to use additional data. […] ”. Other possible ways of transmitting information to data subjects derived from the following environments other than personal data could include the following modes, listed below, applicable to the relevant environments. a) On paper, for example, when entering into contracts by postal means: written explanations, brochures, information in contractual documents, cartoons, infographics or flow charts; b) By telephone: verbal explanations directly by a person to allow a conversation and the answer to questions, or automated or pre-recorded information with the possibility of hearing additional more detailed information;

The Article 29 Working Group only and exclusively provides this information as a recommendation, without publication through a simple method being in any case considered a bad practice, nor of course a regulatory breach; taking into account that the service requires the conclusion of a contract, the essential method and format, and therefore the one that prevails in this case, is, as indicated in the GT29’s own guidelines, the medium on paper and by telephone. All this, without prejudice to keeping it accessible through the web for all those interested who decide to consult the content in an intuitive and simple way and without prejudice to the obligation to deliver in a durable medium all the contractual information, both with the prior information and with the contract itself. In this sense, we can see that the possibility of linking “immediately” is susceptible to being interpreted.

The AEPD itself on its website makes it the interested party who must “hit” or “find out” which of the treatments included in the entity’s activity register are those that really affect their relationship with the AEPD, since the purposes are included within the description of each one of them and not in the privacy policy that is accessed.

Regarding the identity of the person responsible for the treatment, the information already provided after the request for additional information of June 3, 2020 in which EDP COMERCIALIZADORA was required, for this purpose, within the Information Request E / 05549/2019 in which it was explained that the fact that information from both entities is included is due to the fact that the services that will be requested by the interested party (gas and / or electricity) cannot be known prior to contracting, nor, therefore , by which of the companies they will be provided, so this can only be specified when said services are identified by the client himself. It is highly probable that the same client, when requesting the contracting of the electricity and gas supply, is contracting with both companies.

For this reason, the so-called “dual” contract has been drawn up and structured so that a client can obtain discounts or additional advantages by contracting both energies with two companies of the same business group, and in order to keep the discounts updated in each one of the energies (electricity and gas) and derived information, it is necessary for both companies to know if the energy initially contracted with the other Group company remains active in order to maintain and correctly manage the discounts / advantages applied.

As a result of the foregoing, the clause on data protection informs that the personal data provided during the contracting process may be processed by only one of the entities or both entities, depending on the type of energy services that are contracted. Therefore, there is no inconsistency, but the explanation about who is the specific person responsible for the treatment in each case is literally contained in the first section of the contract, in which the parties are identified, as stated in the Evidence 6 provided in the response to the Information Request made to this company during the processing of the aforementioned informative file for which this sanctioning file brings cause: “The client contracts, for the supply indicated, the supply of gas with EDP Comercializadora, SAU and the supply of electricity and / or complementary services with EDP ENERGIA, SAU, (hereinafter jointly and / or individually, as appropriate, referred to as “EDP”) in accordance with the Specific Conditions set out below and the General Conditions in annex . ”

Therefore, customers know which company will process their data depending on the requested supply (electricity or gas), something that we understand is perfectly clear and is derived both from the explanations of the sales agents, as well as from the literal wording of the first clause of the contract. In case of being both services, the data will be processed by both entities.

To date, neither in the field of data protection, nor in relation to any of the regulations applicable to the regulated sectors of electricity or gas, or those referring to the defense of consumers, has there been any request for additional information, claim, or complaint in this regard, neither by the consumers themselves, nor by the multiple regulators that control and supervise the activity of the trading companies, so it seems clear that the information provided does not generate problems for customers , nor to other regulators in the country, rather than to the AEPD itself.

Additionally, we reiterate two essential aspects in the operations of the sector in which EDP COMERCIALIZADORA carries out its activity, the exposure of which was contemplated in the information previously sent: 1) The existence of two companies within the Group with the role of marketing entities is due to a merely formal matter, a consequence of the corporate structure and shareholding composition of the companies acquired by the EDP Group at the time of its establishment in Spain, but which does not correspond to the operational functioning of said marketers, given that only one of them, EDP COMERCIALIZADORA, currently has employees and management and operational capacity. Thus, in practice, all processing is carried out by said entity, either as the data controller or as the data controller of EDP COMERCIALIZADORA.
2) The EDP Group had planned the corporate reorganization of EDP COMERCIALIZADORA and EDP ENERGIA and the adaptation of its corporate structure with that of its actual operation and business operations. Said reorganization has currently been affected by a TOTAL sale process in which both companies are immersed, and which, if it materializes, could alter or terminate said integration.

For all the above, it is understood that transparency is perfectly justified in relation to how the information is provided, as well as the fact that it is perfectly understandable for the average customer.

The AEPD continues its analysis referring to the purposes and legitimizing bases of the treatment. In the first place, reference is made to those informed treatments whose legitimizing basis is the contract itself -existing contractual relationship- or the legitimate interest of the company.

In this regard, it is stated that “It is not easy for anyone, without knowledge of the subject of data protection, to differentiate which treatments derive from the contract and which are based on the legitimate interest of the person in charge”. This assessment is debatable, since it may be evident to anyone that treatments such as “manage, maintain, develop, complete and control the contracting of electricity and / or gas supply and / or complementary services of and / or gas and / or complementary services of revision and / or technical assistance and / or points program, and / or improvement of the service ” are closely related to the execution of the contract, the others being assignable to legitimate interest. In this regard, we can contrast this information with that provided by the AEPD itself regarding its treatments when these have different bases of legitimation, as is the case of the so-called “HR Management”, published on its website (https://www.aepd.es/es/laagencia/transparencia/otro-tipo-de-informacion/registro-activities-treatmentaepd/gestion-hr), in whose information it can be seen that various bases of legitimation are identified, without indicating which specific purpose each one of them refers to.

Therefore, although this part has nothing to object to the fact that the AEPD’s criterion may represent a good practice with regard to the level of transparency, it seems that considering the fact of not having reached this level of ordering of the information, it cannot be considered a breach of the rule, especially if we take into account that not even the body that issues the transparency guidelines (and that is now proposing a penalty of nothing more and nothing less than one million euros for this reason), has considered necessary such a distinction on its website, as has been duly evidenced.

Regarding the alleged omission by EDP COMERCIALIZADORA to report “what is the legitimate interest attributed to the person in charge”, it should be noted that they are clearly exposed and set in relation to the purposes pursued, that is: fraud prevention and marketing, in relation to the sending of personalized commercial communications. In these cases, it is obvious that there is an identification between the purpose reported and the self-interest pursued, so making a separate allusion to the latter would be redundant.

Similarly, by way of illustration, it should be noted that EDP COMERCIALIZADORA’s direct competitors use information formulas similar to those implemented in my represented company, without any proceedings against them having been known to date.

On the other hand, the high number of requests for rights received in the channels provided for this shows that clients perfectly understand the content of the information and the rights that assist them, and are perfectly clear about what they want to achieve with their request, and EDP COMERCIALIZADORA executes these requests in all cases, always with a marked character of compliance with the regulations and protection of the fundamental rights of users.

Regarding the need to report on the weighting carried out to assess whether the legitimate interest is preponderant in this case, it is relevant to mean that these two cases have been addressed by the legislator himself, which in Recital 47 of the RGPD expressly refers to the possibility of carrying out these treatments based on the legitimate interest of the person responsible for the treatment.

Specifically, it provides that: “the processing of personal data strictly necessary for the prevention of fraud also constitutes a legitimate interest of the person responsible for the treatment in question. The processing of personal data for direct marketing purposes can be considered done for legitimate interest ”.

The AEPD itself has also ruled on the latter in its report 195/2017 stating that “if the data came only from the information available to the entity in relation to the products or services contracted by the client, without it being completed with that originating from other different sources, certainly the conduct of the entity, consisting of carrying out a profiling for the referral of offers of products or services to its clients, would prove to be less invasive of the rights and interests of the clients, it being possible in this case to consider the applicability of the provisions of article 6.1 f) of the General Data Protection Regulation ”.

Therefore, in both cases the weighting of the legitimate interest has already been carried out, both by the legislator and by the Control Authority and, therefore, the reason given by the GT29 to recommend its publication so that those affected can present a claim before said authority when “they doubt whether the weighting examination has been carried out fairly” would be meaningless in this case, and where appropriate, such claim should be raised before the Court of Justice of the European Union itself, in order to examine the legality of the provision introduced in the RGPD, or where appropriate, before the control authority itself and / or competent national courts. In any case, the WG29 itself identifies this possibility as a good practice and, as stated in the report itself, its objective is “to indicate the approach that, in the opinion of the WG29, those responsible for the treatment must assume in terms of acting with transparency”. It is not, therefore, a legal obligation whose defective compliance may lead to a penalty, as is already the case with many other issues that the AEPD is trying to sanction in this procedure, lacking the most minimal principles of classification, guilt and evidence, facts that never cease to amaze us in what we understand to be an action that should be subject to full and rigorous compliance by the sanctioning Administration.

The AEPD continues its analysis referring to the treatments for which consent is requested, assessing that their understanding is not easy for a person without specialized knowledge. However, it offers no explanation for reaching that conclusion (beyond a vague reference to point four).
Against the criteria of the AEPD, we understand that the information is given in simple language, understandable for anyone. The information contained in this second layer must be related to the requested consents.

The first consent states: “I consent to the processing of my personal data once the contractual relationship has ended, to carry out commercial communications adapted to my profile of products and services related to the supply and consumption of energy. Likewise, I consent to the aforementioned treatments during the term and after the end of the contract, on non-energy products and services, both from the companies of the EDP Group and from third parties. ”

In the second layer, this information is expanded indicating which are the sectors to which the third parties belong to which communications can be sent: “(I) The promotion of financial services, payment protection services, automotive or related and electronic, own or third parties, offered by EDP and / or participation in promotional contests, as well as for the presentation of commercial proposals related to the energy sector after the end of the contract. ”

As can be seen, not a single technical term is used that makes it difficult to understand these texts, and the conditions of consent are completely clear.

The second consent requested says: “I consent to the processing of my personal data for the elaboration of my commercial profile with information from third party databases, for the adoption, by EDP, of automated decisions in order to send commercial proposals personalized, as well as to allow, or not, the contracting of certain services. ”

In the second layer the content of this consent is detailed indicating: (II) the possibility of processing personal data of third parties to be added to their profile (III) the contractual information used by EDP COMERCIALIZADORA in the elaboration of the profile (IV) the detail of the purposes of the aggregation of this information.

Finally, the rights of the interested parties are reported in the event that automated decision-making occurs in these processes. Therefore, the clear objective of EDP COMERCIALIZADORA is to allow the interested parties to have a detailed knowledge of the uses for which consent is requested, in the absence of any will or intent to hide the information. Likewise, the AEPD points out that there is an absence of clarity in the information provided relative to the aggregation of information from third parties, as it is not distinguished if it refers to the purpose related to point (II) (the possibility of processing personal data of third parties to be added to your profile) or to (III) (the contractual information used by EDP COMERCIALIZADORA in the preparation of the profile). In this regard, it seems obvious that the word aggregation is sufficiently concise, and refers to the sum of both pieces of information. The word add is commonly used on a daily basis and, according to the RAE, it means: “to join or join some people or things to others.” In this case, it is clearly inferred from the context that it would be a matter of combining the data that EDP COMERCIALIZADORA already has, with those that it could obtain from third parties.

Beyond this, the specific information whose understanding may be complex is unknown, since no clarification is provided in this regard. EDP COMERCIALIZADORA has tried at all times to use clear and understandable language and there are no technicalities that could complicate the reading of the text, something that seems that the AEPD now considers a negative action that penalizes the good faith of EDP COMERCIALIZADORA in relation to compliance with the normative.

Finally, the AEPD refers to the information regarding the exercise of rights, regarding which, as in the previous cases, the information provided in this regard does not seem to be sufficient for the AEPD either. Thus, under the heading “Rights of the owner of the data” EDP COMERCIALIZADORA informs that: “The client will have at all times the possibility of exercising the following rights freely and completely free of charge: i) Access to their personal data that are treated by EDP. ii) Rectify your personal data that are processed by EDP that are inaccurate or incomplete. iii) Delete your personal data that are processed by EDP. iv) Limit EDP’s treatment of all or part of its personal information. v) Oppose certain treatments and automated decision-making of your personal data, requiring human intervention in the process, as well as to challenge the decisions that are finally adopted by virtue of the processing of your data. vi) Port your personal data in an interoperable and self-sufficient format. vii) Withdraw at any time, the consents previously granted.

In accordance with current regulations, the user can exercise their rights by requesting it in writing, and together with a copy of a reliable document of identity accreditation, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or by e-mail cclopd@edpenergia.es

Likewise, you may contact EDP’s data protection officer at the following postal address: Plaza del Fresno, 2 33007 Oviedo or by e-mail dpd.es@edpenergia.es, in the event that you understand any violation of your rights related to data protection, or, where appropriate, file a claim with the Spanish Agency for Data Protection at the address Calle de Jorge Juan, 6, 28001 Madrid. ”

The AEPD considers insufficient the mention made by EDP COMERCIALIZADORA regarding the possibility of opposing “certain treatments” without specifying one by one which treatments we are referring to, insofar as the AEPD states that “it must be clear to the interested party which they are the treatments that can be objected to ”.
This party does not share this assessment, since this supposed obligation that the AEPD highlights and seems to impose on EDP COMERCIALIZADORA is not required by the RGPD, nor does it have any legal support, which, as that Agency well knows, is a “sine qua non” condition for the power to sanction. Moreover, and for the sake of completeness, this part would like to emphasize once again that the formula used by EDP COMERCIALIZADORA is precisely the one recommended by the AEPD itself in its multiple guides and tools related to the duty of information in accordance with the RGPD, and even in the AEPD’s own website, something that, again, does not cease to surprise this party, since that Agency considers an infringement of the RGPD, proposing for said infringement a penalty of one million euros, for an alleged breach in relation to a certain practice that it recommends doing. Along these lines, it should be noted:
1. The Guide for the fulfillment of the duty to inform, in which the following example is reflected
2. The FACILITA Tool, of the AEPD, intended for entities to carry out the adaptation in accordance with the RGPD, including the informative clauses in accordance with the applicable regulations (fictitious data have been included):
3. Report on privacy policies on the internet. Adaptation to the RGPD, where the AEPD itself sets out as a valid example to adapt the privacy policy to the RGPD.
4. The privacy policy of the AEPD does not include the alleged information that is now required from EDP COMERCIALIZADORA, and includes formulas such as “when appropriate”

Consequently, EDP COMERCIALIZADORA cannot be criticized for not including information that is not even indicated as good practice in the guides prepared for the adequate fulfillment of its obligations by those responsible for the treatment, and that not even the AEPD itself complies in its Privacy Policy and other information clauses used on its website.

Nor does it seem to make sense to refer to “It is imprecise to indicate that the interested party can oppose the automated decision-making of their personal data.” It is obvious that the information provided using the word “oppose” is understood as a right both when the treatment is legitimized in a legitimate interest and in a consent (in any case it is informed of the possibility of opposing the consents granted at any time). The proof is that, when exercising their rights, the interested parties rarely use any of these terms and limit themselves to requesting the “cancellation” or directly requesting that their data stop being used for certain purposes, without using such formalities, as has been evidenced in this procedure through the contribution of innumerable examples.

Additionally, this party is interested in showing once again that the AEPD has had the opportunity to analyze both the general contracting conditions and the information provided in the different contracting processes available to EDP COMERCIALIZADORA during the different information requirements and in its case sanctioning procedures that the AEPD has initiated so far, without the AEPD having so far ruled on possible breaches of the duty of transparency, having proceeded to the filing of multiple files in which this documentation was subject to review by the AEPD .

Therefore, having made this information known to the AEPD and having been analyzed by it, without having ruled against it, EDP COMERCIALIZADORA continued to use these documents and procedures in the legitimate confidence that this was adjusted to regulatory requirements, to the extent that the AEPD, having access to and first-hand knowledge of these alleged breaches, did not at any time indicate to EDP COMERCIALIZADORA that there was any irregularity, now proposing a penalty of one million euros for an alleged non-compliance, of which it would have known years ago, but for which it did not consider it appropriate to sanction or even to warn EDP COMERCIALIZADORA. In this sense, it should be noted that the purpose of this control authority is none other than to guarantee compliance with the regulations, so in the absence of legal justification that motivates the opening of Sanctioning Procedure on aspects that were previously known and even subject to a file, a sanction of the amount that is exposed cannot later be imposed.

As a conclusion of all the above, it cannot be interpreted that EDP COMERCIALIZADORA fails to comply with its duties set forth in article 13 of the RGPD.

In relation to the weighting of the sanction proposed by the AEPD, as in the previous points, after assessing the aspects set out in this section, and taking into account the evaluation criteria related by the AEPD, although without having justified the reason why they are included, the comments regarding their possible attendance are included below.
“The nature, severity and duration of the infringement” to which the RGPD itself continues with “taking into account the nature, purpose of the treatment operation in question, as well as the number of interested parties affected and the level of damage and damages they have suffered; ” As stated in this section, the information provided to users complies with the legal requirements throughout the contracting process and even afterwards, without therefore interpreting that there is a breach by EDP COMERCIALIZADORA. Likewise, as has been stated in the previous points, in order to qualify as aggravating the damages caused to those affected, in addition to materializing, they must be accredited, an aspect that has not been proven in this Procedure.

“The intentionality or negligence appreciated in the commission of the offense;” The alleged inaccuracies in the information provided by EDP COMERCIALIZADORA do not imply any breach of the regulations, therefore, in any case, some improvement in the way in which this is reflected could be recommended, but nothing more. The intention of informing those affected of all aspects related to the processing of their personal data in a transparent way has been proven, so in no case is it possible to speak of intention to breach the rule, much less negligent or malicious behavior.

“The high link between the activity of the offender and the processing of personal data;” As indicated, this is an ambiguous factor. The great deployment of means carried out by EDP COMERCIALIZADORA must be taken into account to allow the information to be provided to all interested parties through all the channels through which it is possible to collect personal data.
“The continuing nature of the offense;” “High volume of data and processing that constitutes the object of the file;” and “High number of interested parties;” As in other criteria indicated individually, these three criteria are subsumed with the one raised in the first place, and from article 83.2 a) of the RGPD, so their evaluation must be carried out together with the one indicated and, therefore, not suppose an additional aspect to the aforementioned for the calculation of the potential applicable sanction.
“The condition of a large company of the responsible entity and its volume of business.” As already stated, this is not an evaluation factor for the amount of the sanctions. Consequently, EDP COMERCIALIZADORA cannot be sanctioned for complying with its duty of transparency, much less in the amount proposed in the Agreement to Initiate Sanctioning Procedure to which we reply in this letter.

FIFTH.– ON THE AGREEMENT TO START THE SANCTIONING FILE AND THE ASSESSMENT OF THE POSSIBLE SANCTION. LEGAL FOUNDATION AND PROPORTIONALITY OF THIS.

9. BREACH OF THE PRINCIPLE OF INTERDICTION OF ARBITRARINESS.
In relation to this principle, we must attend to two specific questions:
1. The recommendations and publications of the AEPD,

2. The amounts of the sanctions that have taken place in similar previous cases.
In the first place, certain practices recommended and even applied by the AEPD regarding the collection of consent and the information to be provided to the interested parties, have served in this case to argue and motivate the alleged infractions committed by EDP COMERCIALIZADORA.

These criteria are reflected both in the way of jointly compiling the purposes whose legitimating basis is the consent of the user, as stated in the Second Allegation, and in the presentation of the information regarding the exercise of rights of the interested parties collected in the Fourth Claim. These aspects, which a priori the AEPD recommends and puts into practice, considering them as examples that conform to the applicable regulations, are used as infringing elements to justify the alleged breach of different legal precepts by EDP COMERCIALIZADORA.

All this and said in strict defense terms, not only implies that the AEPD considers insufficient what the Authority itself has incorporated in its informative clauses, resulting therefore, said insufficient information in accordance with the RGPD, but that the fact of modifying the criterion adopted invalidating aspects without motivation or justification, implies a clear situation of legal insecurity, contrary to the constitutional principle of interdiction of arbitrariness contained in article 9.3 of the Spanish Constitution; A principle that implies that the authorities cannot make arbitrary decisions, understood as those that imply an infringement of the principle of equal treatment of the administered before the application of the law and the objectively determined rules.
Second, the amounts of the previous sanctions in similar factual cases are not comparable to those proposed in this case.

Specifically, we must bring up the Sanctioning Procedure PS / 00097/2019, directed against the entity of the same business group, EDP ENERGÍA, in which, after having analyzed the contracting system and the information provided to each of the intervening parties, the file of the file is issued to both the representative and the represented party, thus validating all the documents that accompanied the procedure, that is, the documentation related to the contracting process.
Likewise, it should be noted that, last March 2019, EDP ENERGIA also received a file of actions for the information request E / 04707/2018, initiated after a complaint filed by Mr. *** AAA. In this case, the AEPD resolves that it is not appropriate to process the claim received, considering, therefore, the contracting procedure and documentation provided, in accordance with the Law.
As in the first section of this point, the proposed sanctions, carried out without motivation or due justification, go against legal certainty, a constitutional principle contained in article 9.3 of the Spanish Constitution, as well as against the principle of foundation legal. In other words, any decision made by the AEPD must be objective, well-founded and typified.
In this sense, it is worth mentioning the Sentence of the Supreme Court of the 3rd Administrative-Contentious Chamber, 3rd Section, Judgment of May 13, 2015, Rec. 28/2013, in which the interested party appeals in cassation, exposing, among other allegations, the infringement of the principles of interdiction of arbitrariness, legal security and equality established in articles 9.3 and 14 CE, pursuant to article 88.1.d) LJCA, and the Court upholds said motivation. From said resolution, the following should be highlighted:
“C) The constitutional requirement of the reasons for the judgments, contained in article 120.3, in relation to 24.1, of the Constitution, appears justified, without more than underlining the ends to which it tends to achieve, which, above all, aspires to make clear the submission of the Judge or Court to the rule of Law and contributes to achieving the conviction of the parties in the process about justice and the correction of a judicial decision, facilitating the control of the sentence by the Superior Courts, and operates as a guarantee or preventive element against arbitrariness.
d) The amplitude of the reasons for the judgments has been qualified by the doctrine of the Constitutional Court, indicating that it does not authorize to demand an exhaustive and detailed judicial reasoning of all the aspects and perspectives that the parties may have of the matter to be decided, but that those judicial decisions that are supported by reasons that make it possible to know what the essential legal criteria founding the decision must be considered sufficiently motivated, that is, the “ratio decidendi” that it has determined (Constitutional Court judgments 14/1991, 28/1994, 145/1995 and 32/1996, among many others). This has been recognized by the Constitutional Court itself when it refers to the fact that an exhaustive or exhaustive examination of the arguments of the parties is not necessary, and when it even allows argumentation by reference to reports or other resolutions. The Judgment of the Constitutional Court nº 122/94 of April 25, affirms that this right to motivation is satisfied when the judicial resolution explicitly or implicitly contains reasons or elements of judgment that allow knowing the criteria that support the decision.”
As a result of the above, it should be noted that the AEPD identifies as an example of a sanction, the Sanctioning Procedure with file number PS / 0025/2019, a file that is in contentious proceedings and therefore, does not become firm. Therefore, it cannot be considered a file that affects the diligence operated by EDP COMERCIALIZADORA, nor can it be considered as a precedent, since said sanction is not yet final. After analyzing the foregoing, as well as the doctrine and jurisprudence set out in this section, it can only be concluded that we are faced with a series of proposals for administrative sanctions, the motivation of which is separated from the interpretation recently made by this Agency. For this reason, it must be understood that the situation caused generates damages derived from the lack of legal certainty, the motivation of which is set out in the following sections.

10. LACK OF PROPORTIONALITY

At this point, it should be remembered that the principle of proportionality is a general principle of law. Reason why, the AEPD must take into account this principle both when determining the evaluation criteria, as well as when determining the applicable sanction, a principle that, as can be seen from the procedure, from the beginning of the investigation and that is in the strictest sense of defense, it has not been applied by the AEPD in the Agreement to Start the Penalty Procedure.
It should be noted in this section that the sanctioning capacity of the AEPD is limited by the principle of proportionality, a limitation set out in article 29 of Law 40/2015, of the Public Sector Legal Regime (hereinafter, “LRJSP”). This requires that any sanction be suitable, necessary and adequate to the seriousness of the act constituting the offense. Therefore, we remember the evaluation criteria collected throughout the writing, as well as the following fragments of article 83.2 of the RGPD that applies jointly.
“K) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement.”
In this regard, of the aforementioned few or non-existent claims in relation to the alleged breaches, it can only be interpreted that EDP COMERCIALIZADORA complies in a general and majority way with the requirements set out in the RGPD, a criterion that must be taken into account as mitigating a potential applicable sanction.
In the first place, with respect to the alleged infringement of article 25 of the RGPD, the AEPD seems to intend to sanction, assuming the lack of legally required documentation, without the Authority itself having required it. For this reason, the AEPD in the sanction proposed in the writing of the Agreement for the Initiation of Sanctioning Procedure, is based on a fiction, since the reality of the situation is that the documents on which the absence or inaccuracy is alleged comply with all the associated obligations to the protection of data from the design and by default, having, as stated in the corresponding point, the risk analysis and pertinent impact evaluations, including all the corrective measures, having followed both the analyses and the internal plans with the criteria indicated by the AEPD.
For this reason, the proposed sanction is not only disproportionate according to what is stated in this document, but it is not applicable to the facts before which we find ourselves.

Secondly, as indicated in the second allegation, the alleged infringement of article 6 of the RGPD, EDP COMERCIALIZADORA has not carried out any treatment related to the performance of profiling and its subsequent use for commercial purposes, nor has it provided insufficient information regarding the identification of the person in charge, being the same reflected at the contractual and informative level both in the first layer, as in the second, aspect that in any case would affect the provisions of article 13 of the RGPD. Furthermore, as we have stated above, the collection of the purposes jointly, when they are subject to the same legitimizing basis, is approved by the AEPD itself.

Therefore, the proposed sanction is disproportionate and contrary to the legal system since neither the existence of any infraction has been justified, nor has the treatment in question been carried out.

Likewise, as we have already stated above, the AEPD, up to now, has not sanctioned any file based on the violation of article 22 of the RGPD, thus requiring a detailed and justified review and substantiation, so that the proposed sanction is not considered disproportionate.

Finally, based on the provisions of the fourth claim regarding the violation of article 13 of the RGPD and in relation to the provisions of this section, the information collected and provided to the interested parties complies with the legal requirements, and in no case is the non-implementation of the recommendations that the AEPD intends to impose on EDP COMERCIALIZADORA punishable, nor are aspects that, despite being defended and applied by the AEPD itself, are currently arguments to justify the non-existent infringement by EDP COMERCIALIZADORA of its duty of information.

Therefore, as evidenced and detailed throughout this document, EDP COMERCIALIZADORA complies with both the requirements set out by the applicable regulations, as well as what is indicated by the guides and legal texts published by the AEPD itself.

Likewise, the AEPD considers EDP COMERCIALIZADORA as an entity with great business value, assuming said volume to be a relevant aspect when raising the penalty, without proving, however, that the business value is sufficient for the penalties to be widely high, can be considered as proportional.

Likewise, as has been explained in each point, each and every one of the alleged infringing actions have mitigating factors that seem to have not been taken into account, since they only consider criteria that, in addition to being reflected independently of what is collected in the articles itself increases the amount of the potential sanction to be imposed.

These aspects show the total disproportion and arbitrariness of the proposed sanctions, without there being any basis in the Initiation Agreement that allows the AEPD to motivate the proposed amounts, nor the reasons why the same facts that until now had not been nor even sanctioned by the Control Authority previously – infringement of article 22 of the RGPD-, thus departing from the considerations of other procedures, as well as the evaluative criteria to determine unmotivated and disproportionate amounts.
For this reason, the proposed sanction would not have to be applied, since there is no infringement, nor any breach, nor does it meet the criteria protected by the principle of proportionality.

Added to the above, in the Judgment of October 15, 2012 (JUR / 2012/353649), appeal 180/2010, the Chamber, applying the principle of proportionality, addressed the lack of accreditation of the effects of the conduct as a reducing criterion of the sanction, indicating the essential nature of the principle, allowing the Chamber to eliminate or reduce the sanction imposed:
“As the appellant points out, it is not proven that the anticompetitive conduct had any effect on the market, since the appealed resolution does not reason what the effect on consumers or users in this case was public hospitals (…) In Spain, the Supreme Court has recognized the capacity of the jurisdictional body to rectify the graduation of the sanctions imposed by the Court for the Defense of Competition. Thus, in the judgment of March 5, 2001, May 24, 2004, June 12, 2006, and February 14, 2007, it states that “the aforementioned principle of proportionality or individualization of the sanction to adapt it to the seriousness of the fact, make the determination of the sanction a regulated activity and, of course, it is possible in the jurisdictional venue not only the confirmation or elimination of the sanction imposed but its modification to reduction” or in the judgment of October 8, 2001 “there is no excess in the exercise of jurisdiction but observance without more than the constitutional mandates referring to the right to judicial protection (article 24.1) and the control of the legality of the administrative action (8 article 106.1), when the court, analyzing one of the reasons for challenging the administrative act, such as the resolution of the Court of Defense of Competition, decides which is the appropriate sanction in application of this principle of proportionality and of the provisions that the legal norm has established for this purpose”.

In this sense, it is also worth mentioning the Judgment of the TSJA resolving through appeal number 795/2003:
“The principle of proportionality has served in jurisprudence as an important control mechanism by the Courts of the exercise of the sanctioning power of the Administration when the norm establishes several possible sanctions for an offense or indicates a quantitative margin for the establishment of the financial penalty. The principle of proportionality or the criminal principle of individualization of the sanction to adapt it to the gravity of the fact and the personality of the author, make the determination of the sanction a regulated activity. The Supreme Court has been repeatedly maintaining the appropriateness of specifying the administrative sanctions in contemplation of the offense committed, graduating them with the appropriate criterion of proportionality based on the organizing principles of the sanctioning law, weighing for this purpose the concurrent circumstances in the constitutive act of the sanctioned infraction, corresponding to the jurisdictional activity, as stated in the judgment of September 26, 1990, not only the power to subsume the offender’s conduct in a certain legal type, but also to adapt the sanction to the act committed, since in both cases it is the application of legal criteria set out in the written norm and deductible from the principles that inform the sanctioning legal system, such as those of congruence and proportionality between the offense and the sanction. ”

In short, analyzing each of the alleged infractions that are attributed to my client, it cannot but be interpreted that there is an absolute disproportionality in the interpretation made by the AEPD in this Agreement for the Initiation of Sanctioning Procedure, not only because it lacks motivation to at the time of considering the alleged infringement committed, but due to the fact that the proposed sanctions escape any criteria previously assessed by the AEPD itself. And for this reason, the correction by the AEPD corresponds at least, in case of not considering the due cancellation and filing of the actions, thus assuming a substantial reduction of each potential infraction to its minimum degree, even reaching the warning, for there is no non-compliance, lack of motivation and disproportionality.

11. DUPLICITY OF SANCTIONS AND COMPLIANCE WITH THE “NE BIS IN IDEM” PRINCIPLE

An aspect is derived from the Agreement to Initiate Sanctioning Procedure that has been pointed out at various points in these allegations thereto, and whose relevance cannot be ignored. Thus, the infractions that are indicated are reiterations of the same facts, whose estimation would cause a notorious duplication in the sanctions imposed, either because they address circumstances previously examined by the AEPD or because it estimates the multiple concurrence of infractions on the same fact.

In the first place, this Agency has pointed out the concurrence of an infringement derived from the provisions of article 25 of the RGPD when estimating that the appropriate actions have not been carried out, referring to the adequacy of the procedures that are implemented for contracting by third parties. Without prejudice to the arguments that have been made in the corresponding First allegation, to which we refer for brevity, it is relevant to note that the assessment of the commission of infringement derives from events that, prior to it, have been previously analyzed by the AEPD. This has meant that, taking into account the concurrent casuistry in the same, this was sanctioned in a procedure that, to date, has been appealed.
From the foregoing, it should necessarily be inferred that the imposition of the infringement causes the production of new facts that motivate the imposition of the proposed sanctions. Well, this is not the casuistry that concerns us either, as there have been no new claims or circumstances that have led the AEPD to this Agreement for the Initiation of Sanctioning Procedure. Certainly the imposition of the sanction that is proposed would suppose that, in the face of a fact that has been evaluated and solved or punished by the corresponding authority, it is again examined from the same perspective or, on the contrary, that, in the absence of materialization of said risk, said sanction would be imposed from conducts that could potentially give rise to a breach, but whose production is, to date, non-existent.

Second, the AEPD makes use of different normative precepts to sanction the same act, since it simultaneously constitutes the commission of three offenses, although each of them is based on the breach of the duty of information regulated in article 13 of the RGPD.

In this sense, as has already been advanced in the previous allegations, although the Agreement for the Initiation of Sanctioning Procedure starts from the applicability of three different offenses, corresponding to articles 6, 13 and 22 of the RGPD, all of them are based on the deficient information and the user’s ignorance of the object of the consent request. Thus, the argumentation that he sets out to substantiate his consideration regarding obtaining insufficient consent, indicates that: “It is considered that the consent thus given is not adjusted to the provisions of the RGPD and the LOPDGDD. Consent with deficient information is requested, as neither what third-party databases are going to be consulted nor what type of data are going to be collected is indicated, so that the interested party is absolutely unaware of what they are consenting to. Nor is it determined who will be responsible for the treatment, a generic reference is made to EDP, without the client who has contracted a service only with one of the two entities (EDP COMERCIALIZADORA SAU or EDP ENERGIA, SAU) knowing if it is consenting that such treatments are carried out by both entities or only the one of which you are a client. Nor is it clear what type of services will be allowed to hire or not. Such deficiencies do not allow the interested party to know the consequences of their decision and thus assess the convenience of giving their consent or not.” (Page 50 of the Agreement to Initiate Sanctioning Procedure).

In the same way, regarding the alleged infringement of article 22 RGPD, relative to the commission of automated decisions, the AEPD in its own written Agreement of Initiation of Sanctioning Procedure, after collecting the aspects related to the processing of data in which there are automated decisions, collects the following: “From all this it can be concluded that the consent given for such purposes is not in accordance with the provisions of article 4.7 of the RGPD as long as it is not duly informed in general, the specific information requirements established in article 13.2 for automated decisions are not fulfilled and it is not specific. The absence of such requirements determines that it is not valid so that the treatments based on it lack legitimacy, thus contravening the provisions of articles 6 and 22 of the RGPD.” (Page 52 of the Agreement to Initiate Sanctioning Procedure).

In light of the foregoing, each insufficiency mentioned cumulatively leads to the potential breach of article 13 of the RGPD, regarding the duty of information.

For these purposes, the presentation made by that Agency of two infractions derived from the absence of sufficient legitimation basis as it is not informed consent and, simultaneously, another infraction due to the lack of transparency in the information provided is not admissible in Law. In this regard, it is well known by the AEPD that our jurisprudence has reiterated on many occasions as a fundamental principle of Law, that the same act cannot be sanctioned twice.
The application of this principle non bis in idem supposes a manifest impossibility of imposing two or more administrative sanctions, for the same fact, provided that a factual identity occurs, is attributed to the same subject and they are imposed on the basis of a common foundation as regards the protected legal asset.

Therefore, there is no doubt that, if the AEPD’s assessment of the commission of an infringement by EDP COMERCIALIZADORA of the facts set forth in relation to the aforementioned articles is applicable, it will require the necessary concurrence of applicable laws. In this sense, it is essential to bring up the provisions of article 29.5 of the LRJSP, which states that: “When the commission of an offense necessarily results in the commission of another or others, only the penalty corresponding to the most serious offense committed must be imposed.”
Without prejudice to the scarce jurisprudence derived from said precept, as a result of its previous regulation (Royal Decree 1398/1993, of August 4, which approves the Regulation of Procedure for the Sanctioning Power), our Courts have preached that, in order to the assessment of the aforementioned contest, the regulations “(…) demands, for the application of the media contest, a necessary derivation of some offenses with respect to the others and vice versa” (Supreme Court Judgment of February 8, 1999).

In application of said precept, there are favorable judgments of the Contentious-Administrative Chamber of the National High Court that, in analysis of the matter at hand, stated that: “In accordance with this, this Chamber considers that in the present case there is a direct connection between the violation of article 6 (processing of personal data without the consent of the affected party) and the violation of articles 4.3 (processing of inaccurate data), both of the LOPD. Connection that is highlighted by the fact that the treatment of the complainant’s data without his consent is carried out only in the communication by letter (of the information about the movements of the Cortefiel POS) to his old address, which is what gives rise to the complaint presented by him, and which, since it was not corrected (precisely because said incorrect treatment had no economic or accounting reflection in said Bank), is maintained in the different communications by letter made. That is, as indicated by the plaintiff in the lawsuit, it turns out that the treatment that has consisted, exclusively, of improperly including some data of the affected party in an operation report that does not refer to him, can only occur without his consent. Therefore, the non-consensual treatment of data in article 6.1 LOPD necessarily derives from the improper or erroneous treatment of the same (Art 4.3). The aforementioned article 4.4 of the Regulation for the exercise of the sanctioning power is therefore applicable to the case, which, as both offenses are of equal severity, it is appropriate to impose a single penalty of 60,101.21 Euros, which is considered to be in this case the one corresponding to the violation of the principle of non-consensual treatment, in which it would be embedded or subsumed the infringement of the data quality principle, both of article 44.3.d) LOPD.” (Judgment of November 19, 2009, rec 338/2009)

In light of this, even though the precepts of the regulations preceding the RGPD were applicable and encompassed a differentiated scenario, there is no doubt that the National Court appreciated the appropriateness of estimating the concurrence of infractions on the basis of a contest medial between the infractions contemplated in the data protection regulations, when necessarily the commission of one requires the production of the other. In this regard, said Hearing states that, since there is only one action from which two offenses could be derived, only the most serious can be taken into account. In the same way as in the aforementioned case, in which the improper obtaining of a data necessarily caused an inaccurate data processing, in the case at hand, the consideration by this AEPD of an illegitimate obtaining by not complying with the defined principles by the RGPD to determine that consent is informed and unequivocal, it must be subsumed in the assessment relevant to the duty to inform, in no way allowing the double assessment indicated in the sanction proposal. Therefore, as has been established by the AEPD in this procedure, it is not possible to apply different regulatory precepts (articles 6, 22 and 13 of the RGPD) independently, to sanction a potential infraction directly related to the fulfillment of the duty of information, and in any case the penalties proposed in the Penalty Procedure Agreement must be eliminated.

12. LACK OF EVIDENCE FOR THE IMPUTATION OF THE INFRINGEMENT AND CORRESPONDING IMPOSITION OF THE SANCTION.

It is necessary to bring up the inquisitive or dominant officiality principle in the administrative procedure, which implies that it is the administrative authority that is obliged to proceed to the verification of the alleged facts through the ex officio practice of the pertinent evidence, thus prevailing the principle of material truth. Thus, in the administrative procedure it is an essential requirement that all the statements made be submitted to the confrontation with the facts, falling on the competent authority to accredit them, in order to guarantee the legal security required with the sole objective of complying for the purposes of Public Administration.
Likewise, it is pertinent to point out the provisions of article 53 of Law 39/2015 of October 1, on the Common Administrative Procedure of Public Administrations, regarding the presumption of innocence and the non-existence of responsibility until the contrary is proven.
Furthermore, reference should be made to the Constitutional Court Sentence 76/1990, of April 26, 1990, Rec / 695/1985, which defines the scope and respect for the presumption of innocence in the sanctioning procedure and which indicates the following: “Indeed, it cannot raise any doubt that the presumption of innocence governs without exceptions in the sanctioning system and must be respected in the imposition of any sanctions, be they criminal, administrative in general or tax in particular, since the exercise of ius puniendi in its various manifestations is conditioned by art. 24.2 CE to the game of evidence and to a contradictory procedure in which their own positions can be defended. In this sense, the right to the presumption of innocence entails: that the sanction is based on acts or probative means of charge or incriminating the reproached conduct; that the burden of proof rests with the accuser, without anyone being obliged to prove their own innocence; and that any insufficiency in the results of the tests, practiced, freely assessed by the sanctioning body, must be translated into an acquittal.”

Likewise, we cannot affirm that the evidentiary activity carried out by the Administration can be considered chargeable, and, in the event that this body so considers it, (STS of December 18, 2000- RJ 2000/92) it has remained fully disproved through the statements made by this party, as well as through the documents attached to this application.

In the same way, the jurisprudential line followed by the Constitutional Court in its judgment of February 20, 1989, in relation to the principles and guarantees of the criminal judicial procedure applicable to the administrative sanctioning procedure, must be highlighted, which indicates “Our doctrine and jurisprudence criminal law have been holding that, although both may consider as manifestations of a generic favor rei, there is a substantial difference between the right to the presumption of innocence, which develops its effectiveness when there is an absolute lack of evidence or when the evidence does not meet the guarantees procedural and the jurisprudential principle in dubio pro reo that belongs to the moment of the evidentiary assessment or appraisal, and that has to judge when, there is that indispensable evidentiary activity, there is a rational doubt about the real concurrence of objective and subjective elements that make up the type criminal in question ”

Regarding these criteria, the Spanish Agency has ruled, agreeing on the file of actions (E / 04684/2017) and stating the following literally:

“(…) For this reason, it is obligatory to review in relation to the principle of presumption of innocence that, due to its specialty, the inspiring principles of the criminal order are applicable to Administrative Penalty Law, with some qualification, but without exceptions, resulting clear the full virtuality of this principle of presumption of innocence. In this sense, the Constitutional Court, in Sentence 76/1990, considers that the right to the presumption of innocence implies “that the sanction is based on acts or probative means of the charge or incriminating the reproached conduct; that the burden of proof rests with the accuser, without anyone being obliged to prove their own innocence; and that any insufficiency in the result of the tests carried out, freely assessed by the sanctioning body, must be translated into an acquittal”. In accordance with this approach, it must be taken into account that only natural and legal persons who are responsible for them by way of fraud or fault may be sanctioned for acts constituting an administrative offense” (…) Ultimately, the application of the principle of presumption of innocence prevents the imputation of an administrative offense when the existence of a proof of charge has not been obtained and verified to accredit the facts that motivate this imputation. (…)

Finally, review the Judgment dated May 25, 2001, issued in a contentious-administrative appeal by this National High Court, at number 29/2000, it pronounces on the imposition of a sanction based on a presumption made by the Agency , and rules that “(…) the Chamber, as we have now reasoned, from the assessment of the evidence in the administrative file reaches the conclusion that this integrating fact of the type has not been duly accredited, that is, it is not proven that the Bank will deliver to Mr. … the respective extract, raising this concrete fact serious doubts, in front of the demandable certainty ”. And it concludes by stating that without denying that the events could have occurred as indicated by the complainant, neither can the possibility that the statement was not delivered to the husband by the Bank, but that he obtained it taking advantage of a home visit or through the action of some familiar, said that in terms of pure hypothesis ”.

In this same sense, the Superior Court of Justice of Madrid ruled in Sentence of 02/21/2001, in which it states that “The only evidence of the charge, from which the APD infers the responsibility of the appellant, is the fact that it was the ex-husband of Dña … who supplied the lawyer with said extract that was provided to the incident of modification of measures, and it must be agreed with the appellant that the possession of the extract, in the opinion of this Chamber, is insufficient circumstantial evidence to destroy his presumption of innocence since, certainly, said extract could reach the possession of D … through channels other than its direct delivery by the bank, so that none of these hypotheses is proven, this reasonable doubt about the way in which the ex-husband obtained the statement of the complainant’s account must always operate for the benefit of the sanctioned, proceeding, consequently, to estimate his claim to annul the sanction imposed for lack of sufficient proof of the appellant’s participation in the delivery of the bank statement to a person other than the account holder”.

In short, appreciating the various criteria that the competent body in terms of data protection has taken into account when carrying out the file of actions in those cases in which it is considered that there is a lack of evidence and in which the outlined jurisprudential lines have been followed, this part considers that the legal guarantees that any procedure must respect have not been protected.

13. LACK OF LEGAL FOUNDATION

As we have stated throughout this writing, the alleged infractions committed by my client, have not taken place, so it has not materialized, nor is there any possibility that EDP COMERCIALIZADORA has infringed the aforementioned articles following what was alleged by the AEPD in the Agreement to Initiate Sanctioning Procedure.

It should be noted that any sanctioning procedure and, where appropriate, the resulting sanction, must be motivated, grounded, and even more decisive, it must comply with the due principle of legality, typicity. As a result of this aspect, the Sentence of the Superior Court of Justice of Catalonia, number 870/2019, Rec: 454/2016 is brought up, from which we extract the following:
“The due effectiveness of the principle of typicity in administrative sanctioning matters whose requirement certainly derives from our sanctioning administrative order, also in tax matters, as a manifestation of the formal and material guarantees that are contained in the constitutional principle of sanctioning legality ex article 25.1 of the Constitution, and which previously included article 129 of the already repealed Law 30/1992, of November 26, on the legal regime of public administrations and the common administrative procedure, additionally applicable to this case for temporary reasons (and today article 27 of Law 40/2015), as well as in this specific tax order, article 178 of Law 58/2003, General Tax, taking into account the implicit content of the aforementioned constitutional precept (article 25.1 of the Constitution), despite its notable laconism (Constitutional Court ruling number 34/1996, of March 11), which has highlighted the so-called material guarantee of the principle of legality (among others, and since the judgment of the Constitutional Court 42/1987, of April 7, the judgments of the Constitutional Court 3, 11, 12, 100 and 101/1988, of 8 June, 161, 200 and 219/1989, of December 21, 61/1990, of March 29, 207/1990, of December 17, 120 and 212/1996, 133/1999, of July 14, 142/1999, of July 22, and 60 and 276/2000, of November 16), which is identified with the traditional principle of typicity of administrative offenses and sanctions and which requires a prior and certain normative determination of the specific conduct or conducts that by action or omission are deemed to constitute a fault or an administrative offense, with the prohibition of any analogical or extensive interpretation in malam partem (Constitutional Court ruling 125/2001, of June 4, quoting the Constitutional Court rulings 81/1995, of June 5, 34/1996, of March 11, 64/2001, of March 17, and 113/2002, of May 9), being likewise well-established jurisprudential doctrine that teaches that in the exercise of its administrative sanctioning power the acting sanctioning administration does not respond, properly, to the exercise of an administrative power of essence or discretionary tendency but predominantly regulated for the application to each specific case of the sanctioning normative framework pre-established with a general character in the applicable sanctioning legal system, which implies, from the outset, the requirement of the necessary adequacy and rigor in the qualification of the imputed facts and in their punctual and adequate inclusion in the type of offense legally defined for their correction, in such a way that the opposite, certainly, would be a determining factor of violation of the subjective fundamental right already mentioned and recognized by the current Constitutional text ex article 25.1 of the Constitution (sentences of the Constitutional Court 77/1983, of October 3, and 3/1988, of January 21), which, because it is susceptible to constitutional protection, would lead to an eventual administrative sanctioning action that violates the same in the defect of nullity of full right previously provided for by article 62.1. a) of the repeated Law 30/1992, applicable to the case for temporary reasons (today article 47.1. a) of Law 39/2015)”

For greater abundance, article 89 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, which collects the following:

1. The investigating body will resolve the completion of the procedure, with the filing of the proceedings, without the need to formulate the resolution proposal, when in the procedural instruction it becomes clear that any of the following circumstances concur:
a) The non-existence of the facts that could constitute the offense.
b) When the facts are not proven.
c) When the proven facts do not manifestly constitute an administrative offense.
d) When the person or persons responsible do not exist or have not been able to be identified or they appear exempt from responsibility.
e) When it is concluded, at any time, that the infringement has prescribed.

In the present case, both a), b) and c) concur, which is why, therefore, it would not be possible to continue with the sanctioning procedure initiated, having to resolve in its case the file of the actions, a request that we present before the AEPD on a repeated basis, since, as evidenced in this document, neither the offending acts have been committed, nor are the alleged infringing conducts duly substantiated, nor the interpretation and sanctions proposed by the AEPD are motivated.

TWELFTH: Once the allegations made by EDP Comercializadora, SAU regarding the agreement to initiate the reference procedure have been received, and noting that the document attached thereto called “annexes 1, 2 and 4” states that “given the technical limitations of the electronic office for the presentation of the content of annexes 1, 2 and 4, these are presented by means of a link to a folder”, indicating a link to a website and a password, by a letter dated October 3, 2020, a period of 5 business days is granted to present the documentation that appears in said document in the Registry of this Agency through the Electronic Headquarters, for the purpose of registering the documentation presented, its origin and its integrity.

On October 8, 2020, the following documents are presented through the Registry of this Agency:

Appendix 1:
 Annex 1.a) Risk analysis methodology and implementation of Days
 Annex 1.b) RAT contracting EDPC
 Annex 1.c) RAT Risk Assessment- EDPC Contracting
 Annex 1.e) Impact Assessments – Risk Assessments
 Annex 1.f) Impact evaluations – Reports

Appendix 2:
 Methodology_Privacy by Design by Default of EDP
 Operating Instruction Privacy by Design & Privacy by Default
 Privacy by Design & Privacy by Default form
 Privacy By Design Procedure Flowchart.

Annex 4:

 Examples of requests for the exercise of rights.

Regarding these documents:

 A risk analysis methodology is provided, whose version history dates to version 1.0 on 11/24/2017, indicating in the revision notes that it is an “initial version-working document” and version 1.1 is dated 11/11. 05/2108 indicating the revision notes “revision prior to the application of the RGPD”. There is no record of any subsequent review having been carried out.
 Various annexes are provided, the date of which does not appear, specifically these annexes are the following:
 Annex 1.b) RAT contracting EDPC
 Annex 1.c) RAT Risk Assessment- EDPC Contracting
 Annex 1.e) Impact Assessments – Risk Assessments
 Annex 1.f) Impact evaluations – Reports

The document contained in annex 1.b RAT, EDPC contracting, whose date does not appear, includes a treatment purpose not included in the Register of treatment activities sent to this Agency on June 17, 2020. Specifically, the treatment now included has the following content:
Responsible: EDP Comercializadora SAU
Purpose of the treatment: “Scoring of customers in the B2C segment prior to hiring”
Description: “Scoring clients in the B2C segment prior to contracting according to the internal outstanding debt and information from solvency files (ASNEF).”
Category of data holders: “Clients and potential clients.”
Category of personal data processed: “Identifying data and economic data.”
Legal basis for carrying out the treatment: “Satisfaction of legitimate interests.”
Period of conservation of personal data: “5 years from the end of the contractual relationship. The certain, expired and enforceable debt derived from the execution of the contract will be maintained until its cancellation or the statute of limitations of the pertinent legal recovery actions.”
Data transfers (data recipients, other than those in charge of the treatment): “ASNEF is jointly responsible for the treatment, according to the agreement signed with ASNEF.”
Categories in charge of treatment: The box has no content.
International data transfer: No

Annex 1.c) under the name “RAT Risk Assessment- EDPC Contracting”, whose date is not reflected in the document either, contains a risk analysis, in matrix form, equal to the one presented on June 17, 2020, although two columns have been added under the title “treatment requires PIA”, the two entitled “No. of EDP-W29 criteria”, the first indicates a number that seems to correspond to its title and the second indicates the need to carry out an impact assessment. In said matrix there is also a new treatment whose purpose is the “Scoring of customers in the B2C segment prior to hiring.”

Various documents entitled impact evaluations are provided, the date of which is also not recorded, these impact evaluations are the following:
-Risk assessment of B2C clients prior to hiring, in which, among other threats, the following are indicated:
– “the basis that legitimizes the treatment is not adequate, is illegal or has not been formulated properly”, whose probability is set as high, with an impact classified as very high and resulting in inherent risk High. Regarding the controls implemented against this threat, it is stated that “the legal basis of the treatment is to satisfy a legitimate interest (fraud prevention)”.
– “At the time of data collection, the minimum information provided to the person is not provided or no information is provided.” In this case, it is considered that “neither the probability nor the impact” apply, nor is there an inherent risk, the controls being the “Data Protection clause included in the contract signed with the client with all the information required by the RGPD” and the “information provided to the client prior to carrying out the scoring process”

-Evaluation of channel leads to be converted by telemarketing
-Evaluation of risks Telemarketing upselling and abandonments
-CAC channel risk assessment to clients or potential clients (inbound)
-OOCC Channel Evaluation of clients and potential clients
-Risk assessment of third-party stores for sale to potential customers.
In all these impact evaluations, the threats considered include, among many others, those related to the fact that “the basis that legitimizes the treatment is not adequate, is illegal or has not been formulated adequately” and “at the time of data collection the minimum expected information is not provided to the person or no information is provided”. In both cases the probability is valued as high, the impact as very high and the inherent risk high. The controls adopted are mentioned, referring to the legitimizing basis of the treatment in the first case and “Data Protection clause included in the contract signed with the client with all the information required by the RGPD” in the second. Among the controls underway for both threats in all channels, except in the OOCC channel, is described “the implementation of a new contracting procedure through a representative, incorporating the sending of an SMS / Email message through which the basic information necessary in terms of data protection is provided to the contract holder.”
The date on which the ongoing actions were incorporated into the corresponding impact evaluations is not stated.

THIRTEENTH : On 03/11/2021, a resolution proposal was issued as follows:

FIRST: That the Director of the Spanish Data Protection Agency sanction the entity EDP COMERCIALIZADORA, SAU, for an infringement of article 25 of the RGPD, typified in article 83.4.a) and classified as serious for the purposes of prescription in article 73.d) of the LOPDGDD, with a fine in the amount of 500,000 euros (five hundred thousand euros).

SECOND: That the Director of the Spanish Data Protection Agency sanction the entity EDP COMERCIALIZADORA, SAU, for an infringement of article 13 RGPD, typified in article 83.5.b) and classified as mild for the purposes of prescription in article 74.a) of the LOPDGDD, with a fine in the amount of 1,000,000 euros (one million euros).

THIRD: That, due to lack of evidence, in application of the principle of presumption of innocence, the infractions of the provisions of articles 6 and 22 of the RGPD are declared not attributable to EDP COMERCIALIZADORA, SAU.

FOURTEENTH : The entity EDP COMERCIALIZADORA, SAU was notified of the aforementioned resolution proposal, said entity submitted on 03/15/2021 a letter requesting an extension of the deadline to formulate allegations. Once the extension of the term was granted, on 04/07/2021 a written statement of allegations was received by this Agency, in which it is requested that the file of the sanctioning procedure be agreed or, alternatively, the substantial reduction of each proposed sanction to its minimum amount or its replacement even, by the warning, in its case. It bases its requests on the considerations summarized below:

ACQUISITION OF THE COMPANY OBJECT OF THE SANCTIONING RECORD. With preliminary character and for clarification purposes, EDP COMERCIALIZADORA informs this Agency that, on December 1, 2020, Total Gaz Electricité Holdings France (“Total Group”) acquired 100% of the shares of EDP COMERCIALIZADORA. As a consequence of the above, the website www.edpenergia.es has been migrated to a new transitory domain (www.edp-residencialbytotal.es) and the email accounts that were previously under the domain @edpenergia.es.

FIRST.- ALLEGED BREACH OF ARTICLE 25 OF THE RGPD:

1. The contracting process through a representative is in accordance with the regulations:

Here are reiterated the arguments presented in the allegations to the proposed resolution, relating to the freedom of form of the mandate contract in accordance with the provisions of the civil code, in particular it insists that “In this case, it does not seem that so broad freedom of form is compatible with obtaining evidence of the existence of the representation or mandate, beyond the representations of the agent, protected by good contractual faith. Likewise, it is not understandable that a separate consent is required for the processing of your data or a confirmation of the order by the principal, since this would imply distorting the representation, since it would be absurd for the person designated to enter into a contract in favor of a third party, he cannot provide the data of the person on whose behalf he acts, or that the latter’s separate confirmation is necessary to authorize said communication, since the need to address the represented person directly would make the intervention of the representative useless, since the itself would be meaningless. (the underlining is from the entity that makes the allegations)

Likewise, and in relation to the possibility that the represented party may provide additional consents to the contracting itself, it should be noted that this possibility may well have been specifically authorized by the represented party, but as the same freedom of form governs the granting of this power (which the norm does not require in any case to be in writing), nor is its reliable accreditation required at the time of hiring ”.

Certainly, article 1725 of the Civil Code provides that the third party can request the agent to give him knowledge of his powers to determine if the contract is within their perimeter or if he is assuming the risk that the principal does not subsequently ratify the performance of the agent. But this regulation translates into a burden for the agent, not for the third party, since the interests that are being safeguarded are those of the latter, and not those of the agent nor those of the principal. Therefore, for the third party, it is optional to ask the agent to give him knowledge of the powers with which he claims to act.

In the view that the AEPD manages in the Resolution Proposal, this obligation would be aimed, however, not to protect the interest of the third party regarding the object of the contract made by the agent, but to preserve the interest of the principal in relation to the legitimacy of the agent to express the will of the principal regarding the processing of their personal data by the third party. However, this consequence cannot be extracted from the Civil Code regulation regarding the mandate contract, in which – as we have just seen – the interest to be protected with the display of powers of the agent is strictly that of the third party, and not that of the principal, which, in the Civil Code scheme, is safeguarded through the power of ratification, the granting of which or not always remains in the hands of the principal.

Thus, the risks referred to in the Proposal for Resolution (“various risks may be generated and may be mentioned, as an example, the one consisting of a data processing of the represented party without legitimation, the risk of identity theft or economic damages or of another type that may be caused to the interested party”) are not such: in the event that the agent has exceeded the exercise of the mandate, the principal will not be bound by that action, except for his subsequent ratification, as a result of which he cannot really suffer any damage unless he accepts – expressly or tacitly – what the agent did a posteriori.

From here on, and as optional power of the third party that contracts with the agent, if and how the third party exercises that power depends on their will and the circumstances of the contract. In this sense, the fact that, when contracting through the channel of EDP COMERCIALIZADORA’s own commercial offices, the representative is required to accredit their status as such proves absolutely nothing, unlike what the Resolution Proposal says. Given that EDP COMERCIALIZADORA, as a third party that contracts with the authorized party, has the power to carry out this verification or not, the fact that it does so on some occasions and not on others, or that it does not carry it out in the same way in all contracting channels, is not the source of any obligation – which is not imposed by law or by contract – but rather a simple manifestation of the exercise of a permit.

At the doctrinal and jurisprudential level, the exercise of personality rights through voluntary representation is admitted, in particular when it comes to articulating ad hoc authorization for specific acts of interference. This possibility should be understood as reinforced when the mandate to exercise a personality right is linked to the power of attorney to enter into a contract, of which said exercise is a conditioning or complementary element. Thus, the agent or representative of an artist mandated to enter into a service lease on behalf of his client to perform in a concert hall or to record a disc, it appears commonly mandated to authorize the organizer of the spectacle or the record company for the use of the voice and image of the artist.

Similarly, those authorized to contract with EDP COMERCIALIZADORA on behalf of another person, appear first as mandated subjects for the conclusion of the supply contract, and concomitantly, because it is a factor inherent to the contracting itself, they are also mandated to authorize the use and processing of the personal data of its clients. In this sense, it is necessary to emphasize that there is no doubt that the processing of the principal’s data that is necessary for the execution of the contract to which the principal becomes a party must be considered a fully lawful treatment in light of article 6.1. b) of the RGPD.

But in addition, as long as it is possible to establish that the agent has the legitimacy to make all the pertinent decisions within the framework of the contracting process for which he has been empowered, the consent that said agent provides on the processing of data of the represented party and that EDP COMERCIALIZADORA collected for one or more specific purposes within the framework of the contracting process, allows the processing of the data thus obtained ex article 6.1.a) of the RGPD or any other basis of legitimacy to be considered equally lawful. And the thing is, whoever hires on behalf of another – once it is assumed that he acts in such a condition – must be able to give the same consents regarding personal data as the interested party himself if he were to enter into the contract, and this regardless of whether the contract it is held on-site in a commercial office as if it were held by telephone.

It must be concluded, contrary to what the AEPD indicates in the Proposal for Resolution, that:
(i) EDP COMERCIALIZADORA is not obliged to carry out with the authorized third parties that contract through the telephone channel or external sales forces any verification on the existence and scope of their mandate, nor a fortiori that verification has to be analogous to the one that may be carried out with those who contract through their own commercial offices;
(ii) in the power to contract the service through an authorized third party resides the power to provide the consents inherent to the contracting process, including those related to the processing of personal data;
and (iii) the legality of the treatment by EDP COMERCIALIZADORA of the personal data of those who contract with it through an authorized third party cannot be questioned, either through its own commercial offices or through the telephone channel or through external sales forces, for the simple fact of having contracted through an authorized third party, while the legal basis for the processing of personal data of a person acting through representation should be the same as when acting in their own name.

2. EDP COMERCIALIZADORA has correctly assessed the real risks and implemented the appropriate mitigating measures.

It reiterates that the risk assessments provided in this procedure are in accordance with the data protection regulations and the AEPD guidelines, in force at the time of the analysis, and identify the real risks applicable to the different contracting processes.

The AEPD, in its Resolution Proposal, alludes to some hypothetical or theoretical risks that it also cites as a mere example and of which it does not offer further detail or explanation.
As explained in the previous point and in the Allegations to the Initiation Agreement, these risks are non-existent or lack a sufficient entity for their consideration. Thus, it can be affirmed against the list contained in the Proposal for Resolution –without exhaustive character since the AEPD list is merely an example–, among others: (i) that there is no risk of identity theft as long as there is representation and mandate, (ii) that there is no economic damage for the interested parties as the cost is assumed by EDP COMERCIALIZADORA in any case; or (iii) that there is no risk of a lack of legitimation basis as EDP COMERCIALIZADORA can assume, in accordance with the aforementioned civil legislation and in accordance with the legal framework applicable to these contracts, the existence of authorization to the agent for the treatment of data and (iv) that, in the event of excess, the principal’s interests are safeguarded by his right to ratify or not what the agent has acted outside the limits of the mandate.

For this reason, EDP COMERCIALIZADORA has correctly evaluated the real risks inherent to the different contracting channels in accordance with a solid legal analysis – and backed by doctrine and jurisprudence – of the figure of the mandate in the Spanish legal system and has implemented the appropriate mitigating measures in relation to such risks. The risk analysis carried out is, therefore, coherent and was carried out in accordance with the legal institute of the civil mandate and its jurisprudence.

To the extent that the coherence of the analysis carried out has been proven, the AEPD must assess the analysis in accordance with these consolidated civil criteria or, if on the contrary the AEPD considers that a different legal criterion should be adopted and contrary to that of civil regulations and its established jurisprudence, must in some way substantiate its legal basis in order to allow EDP COMERCIALIZADORA to understand and defend it. In any case, the interpretation of the mandate by EDP COMERCIALIZADORA in accordance with the regulations, jurisprudence and civil doctrine -including that relating to personality rights- must be interpreted in good faith and excludes any culpability on its part.

3. Recruitment through a representative constitutes a very minority proportion of the total contracts carried out by EDP COMERCIALIZADORA.

It is essential to point out that contracting through a representative constitutes a minority part of the total contracting carried out by EDP COMERCIALIZADORA. Specifically, of the total contracts that EDP COMERCIALIZADORA carried out in 2019, less than 13% correspond to contracts through representatives, of which in less than 1.8% the representative and the represented person would not have a family relationship.

Therefore, when the AEPD states that the contracting procedure of EDP COMERCIALIZADORA violates the principle of data protection from the design, it does so erroneously, in strict defense terms, as if the contracting procedure in its entirety violated said principle. Furthermore, when it comes to quantifying the sanction, the AEPD refers to the global billing volume of EDP COMERCIALIZADORA to quantify it, when it should exclusively take into account, and where appropriate, the billing data (volume) generated by the eventual breach alleged – relating exclusively to hiring by representation.

Also, take into account that, in any case, the AEPD could have invoked article 83.2.k) of the RGPD and article 76.2. (c) of the LOPDGDD (“the benefits obtained as a result of the commission of the offense”) to graduate the proposed sanction. Therefore, in the hypothetical and eventual case that article 25 of the RGPD is considered to have been violated, the maximum business volume obtained by EDP COMERCIALIZADORA to take into account should be approximately 2,550,000 euros, which is the amount obtained “as a result of the [eventual] infringement”, that is, in the hiring by representation, and not in the global hiring. In this sense, the annual business volume of contracting through a representative would represent 0.26% (approximately) of the total annual business volume of the entire portfolio of EDP COMERCIALIZADORA clients. Likewise, the sanction that this Agency proposes to impose on EDP COMERCIALIZADORA for this infringement presupposes 20% of the turnover of the contracting through a representative. Given that the profit is much lower than the turnover, the proposed sanction would be disproportionate in relation to it.

In an administrative procedure of a sanctioning nature, counting as the AEPD did with objective and sufficient quantifying criteria in relation to the (marginal) volume represented by the representation, compliance with the principles of proportionality of the sanction and legality is especially relevant and should, therefore, have taken into account: (i) That the part that corresponds to the procedures of contracting by representation is a small and very limited part of the global contracting procedure of EDP COMERCIALIZADORA, and, therefore, the scarce magnitude of the contracting that the use of this type of contracting has in EDP COMERCIALIZADORA, being a minority type of contracting. In addition, as stated in the information provided in this procedure, there is a single claim before the Agency during the years 2018-2019 (with respect to a total of 33,848 contracts made through a representative), which reflects the scarce relevance and materialization of the risks attributed by the AEPD to the contracting process implemented by EDP COMERCIALIZADORA.

That the proposal for the sanction of the AEPD of five hundred thousand (500,000) euros has been made in the Proposal for Resolution erroneously due to attending a factor not foreseen in the regulations (the volume of business and the condition of a large company) and for taking into account the volume of contracting and the global benefits of EDP COMERCIALIZADORA -which include both direct contracting (majority) and contracting by representation (minority)-, which have nothing to do with “the benefits obtained as a result of the commission of the infringement” to which article 83.2.k) of the RGPD and article 76.2.(c) of the LOPDGDD expressly refer -the

Which would represent 0.26% of the business volume-. Therefore, in a subsidiary way and in the hypothetical case that the AEPD questions the validity of the civil mandate for the contracting procedures and declares the infringement committed, the quantification of the possible sanction should be significantly corrected to take into account the real volume of business generated by contracting by representation exclusively.

All of the above makes clear the disproportionality of the sanction proposed in the Proposal for Resolution.

Lastly, and without prejudice to the foregoing, despite the fact that EDP COMERCIALIZADORA does not consider that its action deserves any legal reproach, in response to the suggestions made by the AEPD, EDP COMERCIALIZADORA informs the AEPD that it has proceeded to reinforce the process of contracting through a representative in line with the protocol that was already provided to the AEPD on July 16, 2020. This protocol, which was submitted to the AEPD on a voluntary basis and before the start of this sanctioning procedure, was precisely intended to collaborate with this Agency to reach an agreed procedure in matters of representation that satisfies the proposals that the AEPD may have.

In the Allegations to the Initiation Agreement, EDP COMERCIALIZADORA also responded to the doubts raised by the AEPD regarding its content and implementation and confirmed that it is a procedure with double verification by SMS and in compliance with the best market standards. For these purposes, the AEPD must take into account: (i) that EDP COMERCIALIZADORA proactively contacted the AEPD in July 2020, without success, to present a new protocol that proposed changes to the proxy contracting procedure. Far from being considered, as the Resolution Proposal does, negatively and against EDP COMERCIALIZADORA, that proactivity as a sign of acknowledgment of guilt -the lawfulness arguments have already been stated previously-, the cooperation proposal with the AEPD should be valued as a sign of good faith and of EDP COMERCIALIZADORA’s firm commitment to complying with data protection regulations and improving its processes, as well as a mitigating circumstance in the graduation of the sanction (article 83.2.f) of the RGPD);

(ii) that despite not obtaining a response other than the opening of this procedure, EDP COMERCIALIZADORA, in light of the comments of the AEPD in the Initiation Agreement and the Proposal for Resolution, has eliminated from its contracting procedure by representation the possibility of requesting consents for marketing and commercial purposes referred to by the AEPD on pages 112, 113 and 114 of the Proposal. Attached as Documents No. 1 and No. 2 are an example contract and voice-over script for the telephone channel evidencing this elimination. To the extent that EDP COMERCIALIZADORA has adopted measures to adjust its procedure to the AEPD’s proposals, this circumstance, in accordance with article 83.2.c) of the RGPD, must also be considered as a mitigating circumstance for the graduation of an eventual sanction, and

(iii) that EDP COMERCIALIZADORA confirms to the AEPD that the new protocol -with the content communicated in July 2020- is already implemented for all contracting channels, since last January. The contract protocol for the aforementioned representative is attached again to this document as Document No. 3.

In document number 1 under the title durable support, a company as a trusted third party certifies that the data included in the document are those that appear in its record of processes and electronic communications. Such data is the sending of an e-mail with an associated URL, in relation to a contract, informing the recipient that a person has made the contract related to their supply of energy / services on their behalf. The contract is provided as an attached document, in which there are no references to consents for the sending of commercial communications or for the realization of profiling, and the general contracting conditions.

Document 2 has the following content:

Registration (representative) ML – Spanish

“[XXX] we are going to record your agreement. It is [hh: mm] on the [dd] day of [mm] of [20XX]. [Name and surname] with ID [ID number], as [husband / wife / child / attorney / representative] and on behalf of the owner [name and surname / company name] with ID / CIF [DNI / CIF number] telephone [telephone] and email [email] accepts the offer of EDP Residencial for the address [address of supply] which consists of [plan conditions -dto. on electricity-] for [LIGHT CUPS: ES…] over the current EDP Residential price of electricity [power price (€ / kW month) and energy term price (€ / kWh)] and / or [plan conditions – gas discount] for [GAS CUPS: ES…] and current EDP Residential gas price [price term availability (€ / month) and term energy price (€ / kWh)] ; and / or It works [annual price of the service, conditions of the promotion plan works].
[If the collection date is not chosen] The payment method chosen is [direct debit in your current account / in the account …] and it will be charged on the date indicated on the invoice.
[If the collection date is chosen] The payment method chosen is [direct debit in your current account / in the account …] and it will be charged on a specific date, the days [DD] of the month. In this case, the payment period may be less than or greater than the 20 days established in the regulations “.
On behalf of your client and after passing an analysis of the risk of the operation, we will take the necessary steps to activate the access contracts, at which point the new contract will come into force.

The contract (s) is / are not permanent and will have a duration of one year, extendable for the same period unless it is reported in advance of 15 days. Are you satisfied with the above information and conditions of the contract / s? [Yes / Ok]. Thank you.

In a few days, your client will receive the contract (including withdrawal document) in duplicate, of which you will only have to return one of the copies signed in the self-postage envelope, you do not need a stamp, which we will attach.

Your client has 14 calendar days to exercise their right of withdrawal. However, if you request it, we can start the procedures now. In that case, if you subsequently withdraw from the contract, you must pay the amount corresponding to the supply period provided. Do you want your hiring to be processed immediately? [OTHERWISE]

With the entry into force of the contract, your client will receive the invoice from EDP Residencial with all our advantages.

Your personal data and that of your client may be processed by EDP Residencial for the management of its contracts, fraud prevention, profiling based on customer information and EDP Residencial, sending personalized communications about related products or services, as well as participating in draws, promotions and quality surveys, being able to object at any time.

[Read only to legal entities that call on behalf of a business] In addition, so that we can advise you with the best proposals: • Do you allow us to present your client with energy-related offers after the end of the contract, or send you information on products and non-energy services, typical of Collaborating Companies? [YES / NO] • Do you allow us to complete the commercial profile of your client with information provided by third parties, to send you personalized proposals? [OTHERWISE]

Shortly, the Distributor’s technicians will contact you [remember that you must give them the Individual Gas Installation Certificate, when they begin to register]. [Altas Gas] For your safety, we remind you of the legal obligation to collaborate with your Distribution Company, facilitating access to its facilities. This request has been registered with the code [we indicate the code] ”

THIRD.- ALLEGED BREACH OF ARTICLE 13 OF THE RGPD

1. Regarding the information provided in the CAC Inbound Channel.

It indicates that it provides information regarding the processing of personal data through a system based on various layers. Thus, it reiterates that in all incoming calls a voiceover is automatically reproduced that informs the following: “This call can be recorded. The data you provide us will be processed by EDP Energía, SAU and / or EDP Comercializadora, SAU for the management of your request or inquiry. You can exercise the rights of access, rectification, deletion, opposition, limitation and portability at any time. Consult the Privacy Policy on our website edpenergia.es or press 0 ”

It indicates that the address provided to users has been updated in the locution, currently indicating edp-residencialbytotal.es/privacidad, so that, if the user types that address in the browser, they access -directly and easily- to the information related to data protection.

The interested party can consult the second layer through the privacy policy of the website or by pressing 0. In this case, a voiceover is reproduced whose content is as follows:

“The use of this TELEPHONE CHANNEL does not oblige the user to provide any information about himself. However, to use certain services or access certain content, users must first provide some personal data. In the event that the user provides personal information, we inform you that the data will be treated by EDP Energía, SAU and EDP Comercializadora, SAU, with registered office in Oviedo, Plaza del Fresno 2, 33007 and NIF A33543547 and A95000295 respectively, hereinafter “EDP”, as data controllers, as established by the General Data Protection Regulation ((EU) 2016/679), hereinafter “RGPD”, and its implementing regulations.

Specifically, your data may be processed, when the user so requests, to manage the attention and follow-up of the requests and inquiries made through the website, as well as to carry out surveys and participate in sweepstakes, games and promotions.

The requested data will be mandatory and limited to those necessary to proceed with the provision and / or management of the requested service, which will be conveniently informed at the time of collecting your personal data. In case of not providing them or not providing them correctly, the service will not be able to be provided.
In these cases, the user guarantees that the personal data provided is true and is responsible for communicating any changes to them.

In the case of the procedures processed through the TELEPHONE CHANNEL and the registration in it, the data processing carried out is based on the legal relationship derived from your request.

The processing of data for conducting surveys is based on the legitimate interest of EDP in order to improve the quality of the services provided to customers and / or users, being able to oppose such processing at any time, without affecting the legality of the treatments carried out previously.

In no case may personal data corresponding to third parties be included in the forms contained in the TELEPHONE CHANNEL, unless the applicant had previously obtained their consent in the terms required by article 7 of the RGPD, responding exclusively to the breach of this obligation and any other in terms of personal data.
The personal data of the users registered on the website may be transferred to the Public Administrations that by law correspond, to other companies of the business group for internal administrative purposes, and to the providers of the person responsible for the treatment necessary for the adequate fulfillment of the contractual obligations.

Personal data will be kept for the duration of your supply contract with EDP, in all other cases, for the time necessary to answer your requests or to analyze the content of your responses to surveys. Once the contractual relationship is completed, your requests answered or your responses analyzed, as appropriate in each case, your personal data will be erased, keeping the rest of the information anonymized for statistical purposes only. Notwithstanding the foregoing, the data may be kept for the period established to comply with the legal obligations to maintain the information and, at most, during the limitation period of the corresponding legal actions, and the data must be kept blocked during the aforementioned prescription period. After this period, the data will be deleted.

In application of the provisions of article 32 of the RGPD, EDP undertakes to comply with the security obligations of the data provided by users, seeking to establish all the technical means at its disposal to avoid loss, misuse, alteration, access not authorized and theft of the data that the user provides through it, taking into account the state of technology, the nature of the data provided and the risks to which they may be exposed. Notwithstanding the foregoing, the user must be aware that the security measures in the TELEPHONE CHANNEL are not impregnable.

EDP will treat the user’s data confidentially, at all times, keeping the mandatory duty of secrecy over them, in accordance with the provisions of the applicable regulations.

The user can exercise their rights of access, rectification, deletion, opposition, limitation and portability, as well as the revocation of the consents granted previously, in the legally established terms, communicating it in writing to EDP, at the following address: LOPD Communication Channel, Plaza del Fresno, nº2, 33007 Oviedo. Likewise, you can exercise these rights by sending an email with your personal data to cclopd@edpenergia.es. In both cases, a photocopy of the holder’s ID or document proving their identity must be attached.

Likewise, you may contact the EDP Data Protection Officer, at the following postal address: Plaza del Fresno, 2 33007 Oviedo or by e-mail dpd.es@edpenergia.es, in the event that you understand any violation of your rights related to data protection, or where appropriate, file a claim with the Spanish Data Protection Agency at the address Calle de Jorge Juan, 6, 28001 Madrid “.

In the contracting process, the following is reported again: “Your personal data and that of your client will be processed by EDP Comercializadora SAU and EDP Energía SAU for the management of their contracts, fraud prevention, profiling based on information of the client and EDP, as well as the realization of personalized communications about products or services directly related to their contracts, being able to oppose them at any time ”.

Therefore, it is not possible to blame those interested in incoming calls for a lack of information, since the information referred to in the first informational layer (ie, the one provided at the beginning of each call) complies with the necessary information of article 11 of the LOPDGDD (that is, identity of the person in charge, treatment purposes and possibility of exercising rights) and a direct and simple means is provided to access the rest of the information (by accessing the website or pressing 0). It is important to note that the speech of the first informational layer is automatically reproduced at the beginning of each of the incoming calls and, therefore, it is mandatory to listen to all interested parties who make a call. For this reason, all interested parties have already been informed about the possibility of exercising their rights and how to access the rest of the information about the processing of their data before reaching the contract. Likewise, before hiring, EDP COMERCIALIZADORA reminds the interested parties – through a second locution – of some of the basic information on data protection.

In accordance with article 13.4 of the RGPD, the obligation to inform does not apply to the extent that the interested party already has the information. In the present case, taking into account that the initial speech is reproduced automatically in each call, it is sufficiently proven that any interested party who contacts EDP COMERCIALIZADORA through the CAC Inbound Channel receives the information regarding the protection of personal information. In this sense, the Article 29 Group (currently known as the European Data Protection Committee) indicates in its Guidelines on transparency under Regulation (EU) 2016/679 (“Transparency Guidelines”) that it should be understood that article 13.4 of the RGPD is applicable in those cases in which the information had been provided, for example, in the previous six months. Regarding the CAC Inbound Channel, not only would a time clearly less than 6 months have passed, but the period of time can be measured in minutes, so it is clear that the interested party knows and perfectly remembers the information on protection of data without it being necessary to reiterate this information.

2. Regarding the information provided in the Telemarketing and Leads channels

It indicates that this Agency questions whether the means to access the second information layer (ie, the General Conditions available on the edpenergia.es website) is “simple and immediate”.

It indicates that EDP COMERCIALIZADORA has accredited the following in this procedure:

• First, the information on data protection (i) is clearly identified within the general contracting conditions of EDP COMERCIALIZADORA (in section 16 and entitled LOPD) and (ii) occupies one of the four pages of the document in length, so its location is not lost for the interested party.

It informs this Agency that it has created a separate document that contains, exclusively, the data protection information of the general contracting conditions, which is easily accessible through the website itself and at the following address: www.edp-residencialbytotal.es/rgpd; and that also, the general contracting conditions continue to include the clause relating to the processing of personal data, so that the interested party has various means through which they can access the information easily.

• Second, it alleges that the way in which the information on the second information layer can be provided can be diverse and, as such, has been recognized by the data protection authorities. As indicated in the Arguments to the Initiation Agreement, when the contracting occurs, the general contracting conditions are sent -where the specific clause on data protection is included-; therefore, making this information available through the website should be understood as an alternative and complementary system.

In this sense, the Transparency Guidelines expressly indicate that “when the first contact with an interested party is by telephone, this information [first informational layer] could be provided during the call with the interested party and he could receive the rest of the information required pursuant to article 13 or 14 by another additional means, for example, by sending you a copy of the privacy policy by email or a link to the online privacy statement / notice of the person in charge ”.

In accordance with the criteria of the competent authorities, including the AEPD, EDP COMERCIALIZADORA would not have committed an infringement of the duty of transparency, while the complete information on data protection (with the content required by the regulations) is contained within the general conditions of contracting that are sent to the interested party after contracting. The Transparency Guidelines also indicate that, depending on the circumstances of the data collection and processing, a data controller could be forced to additionally use other possible ways to transmit the information to the interested parties applicable to the relevant environments, provided that the information of the first informative layer is transmitted in the first mode used to communicate with the interested party. For this reason, EDP COMERCIALIZADORA complies with its obligation of transparency by providing the information in the first informational layer by telephone and the second informational layer in writing (either a physical or electronic document). Likewise, it is important to point out that the most transparent and ideal way for the interested party to receive information about the processing of their personal data is by including it together with the information about the contracting of services, as this is the circumstance with which the processing of their data is related and is, in addition, a document that the interested party will keep during their contractual relationship with EDP COMERCIALIZADORA.

3. Regarding the content of the information provided by telephone and in the general conditions:

o Specification of the person responsible for the treatment:

The AEPD questions the clarity with which the interested party knows which entity acts as data controller, however, as evidenced in the general contracting conditions of EDP COMERCIALIZADORA (provided as evidence 6) of this procedure, the client is informed about the identity of the person responsible for the treatment through the privacy policy in relation to the contracting conditions:
Privacy policy: “the data will be processed by EDP Comercializadora SAU and EDP Energía SAU”.
Specific conditions of the contract:
“The customer contracts, for the supply indicated, the supply of gas with EDP Comercializadora, SAU and the supply of electricity and / or complementary services with EDP ENERGIA, SAU, (hereinafter jointly and / or individually, as appropriate, referred to as “EDP”) in accordance with the Specific Conditions set out below and the General Conditions in the annex ”.

As explained in the allegations to the Initiation Agreement, information on both entities is included insofar as, depending on the service requested by the interested party (gas and / or electricity), one or the other entity (or both in case the interested party hires both services). Therefore, the interested party -which has full capacity to contract and, therefore, it is assumed that he should be able to understand the terms and conditions that govern said contracting, is aware at all times that, depending on the contracting of the supply service gas and / or electricity, your data will be processed by one or both entities.

o Purposes and bases of legitimation

It is alleged that neither article 13 of the RGPD nor any other legal precept requires that the privacy policy list each purpose, specifically indicating the basis of legitimacy that is applicable. Even so, as regards the treatments subject to consent, it is expressly indicated what they are. In any case, as already indicated in the Arguments to the Initiation Agreement, in the case of the bases of legitimation of “contractual performance” and “legitimate interest”, it is evident to any person who hires EDP COMERCIALIZADORA’s supply services that the treatments closely linked to the execution of the contract such as “manage, maintain, develop, complete and control the contracting of electricity and / or gas supply and / or complementary and / or gas services and / or complementary revision services and / or technical assistance and / or points program, and / or improvement of the service” find their basis of legitimacy in the execution of the contract, the other treatments being assignable to the legitimate interest (for example, carrying out actions to prevent fraud or the sending of commercial communications). The legitimate interests are clearly exposed and put in relation to the purposes that are pursued (that is, fraud prevention and marketing, in relation to the sending of personalized commercial communications) and since there is an identification between the informed purpose and the own interest pursued, making a separate allusion would be redundant.

o Profiling

It is stated in the allegations that in the Resolution Proposal, the AEPD considers that, in relation to the “profiling”, it is not clear what is its purpose or the legitimate interest that supports the treatment. In this sense, the AEPD states in the Proposed Resolution the following: “In this case, in the opinion of this Agency, the information requirements described above are not met. EDP COMERCIALIZADORA, SAU, limits itself to informing about the “creation of profiles”, but does not offer information on the type of profiles that are going to be made, the specific uses to which these profiles are going to be destined or the possibility that the interested party may exercise the right of opposition in application of article 21 of the RGPD. ” However, profiling is associated with the sending of personalized commercial communications: “they will be treated (…) for the purpose of (…) profiling, personalized commercial communications based on information provided by the Client and / or derived from the provision of the service by the Marketer (s) and related to products and services related to the supply and consumption of energy, maintenance of facilities and equipment ”.

Although the wording could have included “for the sending of” (that is, that the text was “as well as the creation of profiles for the sending of personalized commercial communications based on information provided by the Client (…)”), that absence should not be understood as meaning that EDP COMERCIALIZADORA violates article 13 of the RGPD.

o Exercise of rights:

It is alleged that in the opinion of the AEPD, the treatments to which the right of opposition applies should be expressly indicated. However, as already stated in the Allegations to the Initiation Agreement, the obligation to detail the specific treatments to which the interested party has the right to oppose is not only not an obligation contained in the RGPD, the LOPDGDD or any other applicable regulations, but also the AEPD in its guides and tools (among others, the Guide for the fulfillment of the duty to inform or the Facilita tool) does not indicate that the information clauses on the right of opposition must specify the treatments to which the right of opposition applies, not even as an example of good practice. In any case, EDP COMERCIALIZADORA expressly indicates that the interested party may oppose some voluntary treatments such as, for example, promotion, profiling, automated decision-making and commercial offers.

It points out that the proposed resolution indicated that: “It is imprecise to indicate that the interested party can oppose the adoption of automated decisions regarding their personal data. These can only be carried out by the person in charge in the cases provided for in article 22 of the RGPD, based in the present case on the consent of the interested party, so he must be able to know that he can revoke the consent given for the adoption of such decisions at any time, without prejudice to the fact that they are also informed of the rights conferred by article 22 to the interested parties.” It is alleged that the semantic and technical nuance associated with the terms “opposition” and “revocation” in the context of the exercise of rights cannot have an impact on the interested party, since with both terms the user achieves the same objective, which is that a treatment specifically identified in the policy stops occurring.
Furthermore, the term used by EDP COMERCIALIZADORA (opposition) in the context of this type of treatment is understood in the regulations and by the market itself in a broader way – and therefore more guaranteed – since it allows the user to eliminate a treatment whether it is based on consent or on legitimate interest.

o Consent-based treatments:
The AEPD considers that the information on the treatments subject to consent is not completely clear. However, this party cannot agree with this interpretation for the following reasons:
In the first place, the AEPD questions that in point (IV) it is not clear with respect to which data the phrase “the results obtained from the aggregation of the indicated data” refers and argues the existence of confusion as to whether the aggregated data are those referred to in point (II) and / or in point (III). However, as stated in the Allegations to the Initiation Agreement, from reading it is clear that “the results obtained from the aggregation of the indicated data” refers to the data indicated above, that is, the data referred to in point ( II) and (III), since it is evident that the use of the anaphoric term “indicated” refers to the data referred to in the previous points.

Second, the AEPD states that the difference in the processing of advertising data from this point with the previous points is not evident. However, the difference is clear:
The advertising treatment derived from point (I) refers to offers of “financial services, payment protection services, automotive or related and electronic, own or third parties, offered by EDP and / or participation in promotional contests, as well as for the presentation of commercial proposals related to the energy sector after the end of the contract ”, that is to say, services offered by EDP COMERCIALIZADORA not related to the contracted services but to the energy sector or other sectors such as finance or the automotive sector and also of a generic type – not personalized;
• point (II) refers to “personalized products and services”, that is, offers adapted to the customer’s commercial profile; and
• point (IV) refers to “making personalized offers, specifically aimed at obtaining the contracting of certain products and / or services from EDP or third-party entities”, that is, to the realization of personalized offers with a specific objective of achieving the sale of certain products or services, being the personalization not only with respect to the client but also with respect to the specific service or product offered.
The AEPD’s criticism of the granularity offered by EDP COMERCIALIZADORA cannot be understood in the light of its own recommendations and those of the European Data Protection Committee, which ask for precisely such detail and granularity.

FOURTH.- COOPERATION AND PROACTIVE ATTITUDE OF EDP COMERCIALIZADORA.

EDP COMERCIALIZADORA is studying and analyzing the implementation of the appropriate measures in order to adopt and adapt to the recommendations, best practices and the criteria established by the AEPD both in this procedure and in its guides and publications (in addition to the improvements already implemented referred to above), in order to improve all its data protection policies, clauses and general conditions through which it is informed about the processing of the personal data of its clients and potential clients.

FIFTH.- BREACH OF THE PRINCIPLE OF INTERDICTION OF ARBITRARINESS.

It is noted that certain recommended practices (and even applied by the AEPD in its own privacy policies) have served in this case to argue and motivate the alleged infringements committed by EDP COMERCIALIZADORA (for example, the presentation of information regarding the exercise of rights of the interested parties included in the Second Allegation). These aspects that, a priori, the AEPD recommends and puts into practice, considering them examples that are adapted to the applicable regulations, are used as infringing elements to justify the alleged breach of different legal precepts by EDP COMERCIALIZADORA.

SIXTH.- LACK OF GUILT IN THE ACTION OF EDP COMERCIALIZADORA.

By virtue of all the foregoing, the actions of EDP COMERCIALIZADORA cannot be considered guilty in the eventual commission of the administrative offenses in matters of data protection that are imputed to it. In the administrative sanctioning sphere, it is not enough that the conduct is typical and unlawful (which in this case, it is not either), but it is also an inescapable requirement that the person be guilty, that is, a consequence of an action or omission attributable to the person responsible for fraud or inexcusable guilt, without any kind of objective liability that exempts the Administration from fully certifying the requirement of guilt or intentionality in the commission of the offense. (Judgments of the Supreme Court of July 9, 1994, May 16, 1995, December 12, 1995, January 12 and 19, 1996, April 15, 1996, among many others.)

It should also be mentioned that the appreciation of the subjective element of the offense is determined by the degree of predictability that the affected subject had that his conduct could be considered typical and unlawful and, therefore, liable to be sanctioned. The subjective element of guilt can only occur when, in view of the existing situation at the time of the conduct, the subject could reasonably anticipate that he was committing an offense. Sentences of the Hon. Third Chamber of the Supreme Court of May 8, 2003 – ref. Aranzadi RJ 4209—, of July 7, 2003 – ref. Aranzadi RJ 5832—, and of January 28 and 27, 2010 – ref. Aranzadi RJ 1362 and 1357.
Likewise, the doctrine of the contentious-administrative courts has excluded the concurrence of the essential guilty element when the subject who has objectively committed the offense has acted based on a reasonable interpretation of the legal system.

A reasonable interpretation of the applicable regulations, even when it is not finally considered correct by the courts, excludes guilt, especially in those cases in which the applicable legal regulations are not clear or univocal.

SEVENTH.- SUBSIDIARILY, THE PROPOSED SANCTIONS ARE MANIFESTLY DISPROPORTIONATE AND ATTENUATING CIRCUMSTANCES SHOULD APPLY.

In short, analyzing each of the alleged infractions that are attributed to EDP COMERCIALIZADORA, it cannot but be concluded that there is an absolute disproportionality in the interpretation made by the AEPD in the Proposal for Resolution, not only because it lacks motivation when it considers the alleged infringement to have been committed, but also because the proposed sanctions escape any criteria previously assessed by the AEPD itself. In this sense, it should be added that the amounts of previous sanctions imposed in similar factual cases are not comparable to those proposed in this case.

Mitigating circumstances must be applied: In effect, any sanction imposed on EDP COMERCIALIZADORA would have to be set in accordance with articles 83.2 of the RGPD and 76.2 of the LOPDGDD, which contemplate relevant instruments for the Administration to adjust the proportionality of the sanctions. In the present case, as stated in the Arguments to the Initiation Agreement, the following mitigating circumstances concur, which are summarized here:

o The nature, seriousness and duration of the infringement: according to article 83.2.a) of the RGPD, the appreciation of this circumstance must take into account “the nature, scope or purpose of treatment” (…) and “the level of the damages they have suffered”. In this sense, what is attributed to EDP COMERCIALIZADORA is the need to improve some aspects of its data protection policies, without in any case the texts used so far being understood to have generated a high level of damages. Likewise, the treatments provided for in these policies – which are known to the interested parties – are not particularly sensitive, neither because of the type of data processed nor because of the characteristics of the treatment activities. Therefore, it is not only inappropriate to consider the nature of this offense as an aggravating circumstance, but rather the foregoing must be considered as a mitigating circumstance applicable to this procedure.

o The intentionality or negligence in the infringement: EDP COMERCIALIZADORA has not shown any intention or negligence. The AEPD, in its Resolution Proposal, indicates that “the defects indicated in the information provided show EDP COMERCIALIZADORA’s lack of diligence in complying with its transparency obligations.” Therefore, what this Agency seems to refer to is the absence of all the diligence that, according to said Authority, would be expected from EDP COMERCIALIZADORA. However, it does not seem that said statement can be understood as “intentionality or negligence” in its actions, since, as has been stated in the Arguments to the Initiation Agreement and in these allegations, EDP COMERCIALIZADORA has carefully observed the guides, guidelines and tools made available by the AEPD itself and the European Data Protection Committee to comply with their data protection obligations. For this reason, EDP COMERCIALIZADORA’s diligence must be taken into account as a mitigating circumstance.

o The high link of the offender’s activity with the performance of personal data processing: EDP COMERCIALIZADORA is dedicated, as stated by the AEPD in the Resolution Proposal, to the supply of gas, an activity that is not intensive in the processing of personal data and, although it is true that the development of EDP COMERCIALIZADORA’s activity involves the processing of personal data, this is instrumental, without its activity being based on the exploitation of personal data. In this sense, the low involvement of EDP COMERCIALIZADORA’s activity in the processing of personal data should be considered a mitigating circumstance.

o Any measure taken to alleviate damages: as has been made known to the AEPD, EDP COMERCIALIZADORA is immersed in the review and improvement of its procedures and clauses in order to adapt and implement the recommendations made by this Agency, avoiding any type of damage or harm to the interested parties. Proof of this is that some of the recommendations of this Agency are already implemented, such as improving access to information on data protection, which is already available at the address edp-residencialbytotal.es/rgpd, as well as the new protocol of contracting through a representative, which was already contributed to the procedure on July 16, 2020 and was implemented last January.

o Degree of cooperation with the authority: EDP COMERCIALIZADORA has shown from the beginning of this procedure a completely collaborative attitude with the AEPD, as has been accredited in this letter. More complete information in relation to the cooperation shown by EDP COMERCIALIZADORA is provided in the Allegations to the Initiation Agreement.

o Data categories and affectation of the rights of minors: the data being processed are not special categories of data and the rights of minors have not been affected (EDP COMERCIALIZADORA clients are always of legal age with the capacity to contract).

o Continued nature of the infringement: as has been proven, from the moment it became aware of the improvements that, in the opinion of the AEPD, could be adopted in its policies, EDP COMERCIALIZADORA has proceeded to analyze its texts and procedures. Therefore, it cannot be understood that it is a continuous infringement, although this Agency must understand that in complex corporate groups the processes of change and adaptation of procedures cannot be done immediately. However, this does not mean that the alleged infringement that is imputed should be understood as “continuing”.

o Status of a large company and its business volume: the fact that EDP COMERCIALIZADORA is considered a large company cannot be used as an aggravating circumstance as it is not a circumstance provided for in either the RGPD or the LOPDGDD. In addition, in this sense, the Supreme Court (judgment of November 4, 2015, appeal 100/2014) has stated in recent but consolidated jurisprudence that “it is not feasible, in any case, to presume malicious conduct for the mere fact of special circumstances surrounding the taxpayer (economic importance, kind of advice he receives, etc.) (…). [W]hat the public power cannot do, without violating the principle of culpability that derives from Art. 25 CE [see, for all, the Judgment of this Section of June 6, 2008 (rec. cas. for the unification of doctrine no. 146/2004), FD 4], is to impose a sanction on a taxpayer (or confirm it in the administrative or judicial appeal phase) due to its subjective circumstances -even if it is a legal person, has great economic means, receives or may receive the most competent advice and is habitually or exclusively dedicated to the activity taxed by the breached standard”. For this reason, it is not legal or constitutional to assess the condition of a large company as an aggravating circumstance. Likewise, the AEPD also refers to “its business volume” (a fact that is not considered as an aggravating circumstance either in the RGPD or in the LOPDGDD). When quantifying the sanction, the AEPD refers to the global billing volume of EDP COMERCIALIZADORA, when it should exclusively take into account, where appropriate, the billing data generated by the eventual alleged breach, in the case of Article 25 of the RGPD relating exclusively to contracting by representation.
In this sense, the AEPD, in its investigation within the framework of the procedure, requested and obtained specific data on the volume of contracting by representation and the tiny part that corresponds in the overall activity of EDP COMERCIALIZADORA, and should in any case have been taken into account in the Motion for Resolution, which has not happened. Likewise, as indicated in the First Claim, the business volume derived from contracting with a representative represents approximately 0.26% of the global business volume. For its part, with regard to the sanction associated with the alleged violation of article 13 of the RGPD, the AEPD should not have taken into account the global billing of its activity either.
o Benefits obtained as a consequence of the infringement: the alleged commission of the alleged infringement has not generated any type of direct or indirect economic benefit to EDP COMERCIALIZADORA. In any case, if this Agency considers otherwise, the benefit should be calculated according to the criteria that have been indicated in the First Claim, taking into account that the volume of business derived from contracting through a representative represents only 0.26% of the global business volume and that the proposed penalty (500,000 euros) is a disproportionate amount in relation to the benefits obtained.

o High volume of data and treatments: contrary to what this Agency indicates in its Proposal for Resolution, the alleged infractions that are attributed to EDP COMERCIALIZADORA do not affect “all the data processing carried out by the entity EDP COMERCIALIZADORA SAU”, but only treatments related to clients. In fact, the AEPD itself recognizes in the section relating to “High number of interested parties” that “[t]he infringement affects all clients who are natural persons of the entity”, but does not indicate any other group of interested parties. Likewise, with regard to contracting by third parties on behalf of the owner, it is relevant to note that such contracting only affects 0.26% of EDP COMERCIALIZADORA’s business volume, so it is evident that the volume of data and treatments affected is minimal. For this reason, the small number of treatments affected, and especially in relation to contracting through a representative, must be taken into account as a mitigating circumstance.

o Recent acquisition of EDP COMERCIALIZADORA: as we have indicated in the Preliminary argument of this writing, EDP COMERCIALIZADORA has recently been acquired by the Total Group. By virtue of article 76.2.e) of the LOPDGDD, in conjunction with article 83.2.k) of the RGPD, this party understands that this circumstance must be taken into consideration to, where appropriate, modulate and mitigate the potential sanction (a sanction that, in any case, this party understands is not applicable). Although the aforementioned provision includes the cases in which the structural modification is a merger by absorption, in application of the principle of teleological interpretation, its regulation must be extended to other structural modifications carried out after the commission of the offense and that have as a consequence the imposition of disproportionate and burdensome penalties on the new entity that did not commit the initial offense.

Of the actions carried out in this procedure and of the documentation in the file, the following have been accredited:

PROVEN FACTS

1. It appears in the file that EDP COMERCIALIZADORA uses the following channels to formalize the contracting of its services:

1. Telephone Channel, with partial or definitive closure of the contracting process by means of a telephone call. It includes the following subchannels:

o CAC Inbound: Call reception, from customers to EDP. In general, they are already EDP customers who are identified from the beginning of the call through a security protocol, although calls from potential customers can also be received.

o Telemarketing: Issuance of calls, from EDP to their own databases and to clients for upselling or abandonment recovery. The telephone number that appears in the client’s file is used to make the call, and that has been provided by said person previously.

o LEADS: Issuance or reception of calls, about users who have expressed an interest in any platform or website (raffles, promotions, offer comparators, blogs, advertising agencies, etc.) leaving their basic data to be contacted or contacting themselves at the phone number shown to them. Normally, these users do not yet have active contracts with EDP.

2. Web channel, with closure using a digital form. The user accesses through a website and starts a completely online hiring process, without interaction with agents.

3. Distributors, with face-to-face or digital closure of the contracting process, including:

o EDP’s own Commercial Offices. Usually already EDP clients who come proactively to the branch, although they can also be potential clients.

o Third-party stores (e.g. *** STORE.1). In general, new customers who come to make their purchases and are interested in EDP’s offer.

4. External Sales Forces, with in-person closing of the contracting process, including:

o Stands at Fairs, Shopping Centers, etc. In general, new clients who attend these events or places and are interested in EDP’s offer.

o Home visits with prior request. Clients or potential clients who have provided their data and consent to receive proposals from an EDP agent at home.

2. The contracting procedures implemented in those cases in which the contracting is carried out by a third party on behalf of the owner are the following:

A. Telephone channels:

1. – CAC INBOUND
1) When the user indicates that he wishes to contract as a representative, he is asked about his relationship with the owner and if he has the authorization of said person.
2) Once the previous point has been confirmed, identification data of the representative are requested, and all the data of the owner necessary to formalize the contract.
3) Finally, the Express Consent of the representative is read and recorded in audio.
4) The contract holder, for informational purposes, is sent in duplicate, with a franked envelope, the contractual documentation in compliance with the provisions of the consumer and user protection regulations.

2. – TELEMARKETING
1) When the user indicates that he wishes to contract as a representative, he is asked about his relationship with the owner.
2) Once the previous point has been confirmed, identification data of the representative are requested, and all the data of the owner necessary to formalize the contract.
3) The Express Consent of the representative is then read and recorded in audio.
4) Finally, durable support is sent to the telephone / sms provided by the representative, and confirmation is awaited.
5) The owner of the contract, for informational purposes, is sent in duplicate, with a stamped envelope, the contractual documentation in compliance with the provisions of the consumer and user protection regulations.

3. – LEADS
1) When the user indicates that he wishes to contract as a representative, he is asked about his relationship with the owner.
2) Once the previous point has been confirmed, identification data of the representative are requested, and all the data of the owner necessary to formalize the contract.
3) The Express Consent of the representative is then read and recorded in audio.
4) Durable support is then sent to the phone / sms provided by the representative, and confirmation is awaited.
5) The contract holder, for informational purposes, is sent in duplicate, with a franked envelope, the contractual documentation in compliance with the provisions of the consumer and user protection regulations.
6) In this channel, due to the contracting method and the characteristics of the clients who use it, communication via SMS or e-mail to the represented is underway, as a pilot test (in cases of non-relationship with the representative, to study their effectiveness and responsiveness).

B. Distributors:

In the case of contracts made in EDP’s own Commercial Offices (in other people’s stores there is no possibility of contracting in the name and on behalf of a third party) the procedure is as follows:

1) In those cases in which the user indicates that they wish to contract as a third party representative, they are asked about their relationship with the owner.
2) Once the information is obtained, the identification data of the representative is requested, and all the data of the owner necessary to formalize the contract. Likewise, a photocopy of the NIF is required, both of the representative and the represented party.
3) It is also required to present an authorization document completed and signed by both interested parties (representative and owner).

C. External Sales Forces:

In the case of contracts made by external sales forces (trade fair stands, shopping centers and home visits, provided there is a prior request from the interested party), the identification data of the representative will be collected in the contract, also requesting the data of the holder necessary to formalize the contract. In the contract, it is expressly specified that the representative declares to have sufficient powers to sign the contract on behalf of the client, whom he is responsible for informing of all the conditions thereof. On the other hand, a photocopy of the representative’s NIF is required.

Subsequently, an audio verification of the contract is recorded, in which the fact that he acts on behalf of the holder of the supply is indicated to the representative on two occasions and the relationship or kinship that binds them is confirmed.

To prove the representation, the contracting book is formalized, where the representative declares to have sufficient powers to sign the contract on behalf of the client, whom he is responsible for informing of all the conditions of this. Likewise, a copy of the representative’s NIF is provided.

3. The record shows that the documentation used by EDP COMERCIALIZADORA, SAU to prove the representation of the owner when signing a contract is the following:

1. Telephone Channel:

In the three subchannels of the telephone channel (evidences 2, 3 and 4, CAC Inbound, Telemarketing and Leads channels respectively), the representative is requested, during the recording of the contracting procedure, to confirm the following aspects: his identity and ID; that he acts on behalf of the owner; his relationship with the represented party (as husband, wife, child, attorney, representative); the identity (name, surname, DNI) of the represented party; and telephone and email. The supporting documentation of the representation of the contract holder consists of the recordings in which the representative makes the aforementioned confirmations. In the case of telemarketing and LEADS channels, an SMS / email is also sent to the representative with the following text: “EDP Offer: Please, answer with a YES to this SMS to accept and activate discounts.” (evidences 10 and 12).

2. Distributors: In the case of EDP Comercializadora DP’s own commercial offices, an express authorization document containing the data of both persons and copies of their NIFs is requested to be completed and signed by both interested parties (representative and owner).

In the own commercial offices channel (evidence 5) the representation is accredited by means of a document called “representative management authorization template”. In it the owner (identified with his name and ID or CIF), in his own name or on behalf of the company, authorizes the Representative, also identified with his name and ID, to carry out different procedures (registration / cancellation, change of ownership, change of direct debit and / or other procedures), and the box next to each one of them must be marked to indicate which procedure or procedures are authorized. Said document requires the signature of the authorizer and the authorized person. Likewise, said document contains the following warning: “TO BE VALID, THIS AUTHORIZATION MUST BE PRESENTED ACCOMPANIED BY A PHOTOCOPY OF THE ID OF THE HOLDER AND THE AUTHORIZED. WHEN IT IS AN AUTHORIZATION GRANTED BY A REPRESENTATIVE OF THE TYPE SA, SL, AIE, UTE, CB, COMMUNITY OF OWNERS, FOUNDATIONS, SCHOOLS, IN ADDITION, A PHOTOCOPY OF THE POWER OF ATTORNEY WILL BE REQUIRED”.

3. External Sales Forces: In the case of external sales forces (trade fair stands, shopping centers and home visits, provided there is a prior request from the interested party), a document called a sales checkbook is used to prove the representation (evidence 6). In said checkbook, there are spaces to fill in the data of the contract holder (name, surname, telephone and email) and data of the representative (name, NIF and address), and several boxes are included to mark the capacity in which the representative acts (spouse / registered partner, ascendant / descendant or attorney-in-fact). Under such boxes a text indicates that “it declares to have sufficient powers to sign this contract on behalf of the client who is responsible for informing all the conditions of the same.” A verification recording is made where the data of the represented party is confirmed with the representative, as well as the relationship or kinship that unites them (evidence 16).

4. The evidence presented shows that the representatives are informed in the telephone contracting sub-channels that “On behalf of their client, and after passing an analysis of the risk of the operation, we will take the necessary steps to activate the access contracts, at the moment from which the new contract will come into force, the previous one being terminated.”

5. It is clear that during the contracting process, in the telephone contracting channels, the representative is asked for consent on behalf of the represented party to carry out other treatments, such as sending energy-related offers adapted to his profile after the end of the contract or sending him, at any time, information on non-energy products or services of EDP companies or collaborators (evidences 2, 3 and 4).

During this process, the consent of the representative on behalf of the represented is also requested to complete the commercial profile with information from third party databases, in order to send him personalized proposals and to allow, or not, the contracting of certain services.

In the channel of external forces, the possibility of giving such consents is also foreseen. As evidence 6 shows, under the heading CUSTOMER / REPRESENTATIVE, after noting that the information related to data protection can be read on the back, it allows the following consents to be given by marking the box next to each of them:

o I consent to the processing of my personal data once the contractual relationship has ended, to carry out commercial communications adapted to my profile of products and services related to the supply and consumption of energy. Likewise, I consent to the aforementioned treatments during the term and after the end of the contract, on non-energy products and services, both from the EDP Group companies and from third parties.

o I consent to the processing of my personal data for the preparation of my commercial profile with information from third party databases, for the adoption, by EDP, of automated decisions in order to send personalized commercial proposals, as well as to allow, or not, the hiring of certain services.

6. Evidences 2, 3 and 4 show that the following information is provided to the representative during the telephone contracting process: “Your personal data and those of your client will be processed by EDP Comercializadora SAU and EDP Energía SAU for the management of their contracts, fraud prevention, profiling based on customer and EDP information, as well as making personalized communications about products or services directly related to their contracts, being able to oppose them at any time”.

In the telemarketing and leads channels (evidences 3 and 4) the following is added: “We remind you that you can exercise at any time your rights of access, rectification, opposition, deletion, limitation and portability, through any of the channels indicated in the General Conditions that can be consulted on our website www.edpenergia.es.”

This information does not appear in evidence 2 corresponding to the CAC inbound channel.

In the own offices channel, the information provided is the following (evidence 5) “Interested parties are informed that the personal data provided in this form will be treated as data controller by EDP ENERGÍA, SAU and EDP COMERCIALIZADORA, SAU so that they can be used to process the authorized management. The personal data that you provide us will be used, in the manner and with the limitations and rights recognized by the General Data Protection Regulation (EU) 2016/679.

Interested parties whose data is subject to treatment may exercise their rights of access, rectification, deletion, portability, limitation and opposition to the processing of these data, proving their identity, by email addressed to cclopd@edpenergia.es or by writing to the person responsible for the Treatment to the address Plaza del Fresno, 2 – 33007 Oviedo (Asturias). Likewise, you may contact the EDP Data Protection Officer, at the same postal address or by e-mail dpd.es@edpenergia.es, in the event that you understand that any of your rights related to the protection of data, or where appropriate, file a claim with the Spanish Agency for Data Protection ”

In the External Forces Channel, the sales stub provides the following information. On the back of the first page there is a section entitled “Basic Information on Data Protection”, which contains the following:

“Personal data will be processed by EDP COMERCIALIZADORA, SAU and EDP ENERGÍA, SAU (hereinafter, jointly, EDP) as Data Controllers, for the maintenance, development, compliance and management of the contractual relationship, fraud prevention, profiling based on information provided by the Client and / or derived from the provision of the service by EDP, as well as sending commercial communications, relating to products and services related to the supply and consumption of energy, maintenance of facilities and equipment, and which may be customized based on your Customer profile, as reported in the General Conditions, being able to oppose at any time the sending of commercial communications. Additionally, the Client gives his explicit consent for the processing of personal data collected on the front. Without prejudice to the consents given, the client may exercise, at any time, their rights of access, rectification, opposition, deletion, limitation and portability, through any of the channels indicated in the General Conditions.”

The following information regarding the protection of personal data is contained in the general conditions part:

“LOPD Purposes of the processing of personal data. In accordance with the provisions of current regulations, the client is informed that all the information provided in this contract is necessary for the purposes of its formalization.

Said data, in addition to those obtained as a result of the execution of the contract, will be processed by EDP COMERCIALIZADORA, SAU, with address at c / General Concha, 20, 48001, Bilbao and by EDP ENERGIA, SAU with address at Plaza del Fresno, 2 -33007, Oviedo in its capacity as Data Controllers, in order to manage, maintain, develop, complete and control the contracting of electricity and / or gas supply and / or complementary and / or gas and / or complementary services review and / or technical assistance and / or points program, and / or service improvement, for the performance of fraud prevention actions, as well as profiling, personalized commercial communications based on information provided by the Client and / or derived from the provision of the service by EDP and related to products and services related to the supply and consumption of energy, maintenance of facilities and equipment. These treatments will be carried out in strict compliance with current legislation and insofar as they are necessary for the execution of the contract and / or the satisfaction of the legitimate interests of EDP, provided that other rights of the client do not prevail over the latter.

Provided that the client has explicitly accepted it, their personal data will be processed, even after the contractual relationship has ended and as long as there is no opposition to said treatment, to:
(I) The promotion of financial services, payment protection services, automotive or related and electronic, own or third parties, offered by EDP and / or participation in promotional contests, as well as for the presentation of commercial proposals related to the energy sector after the end of the contract,
(II) The elaboration of commercial profiles of the Client by means of the aggregation of the databases of third parties, in order to offer the Client personalized products and services, thus improving the client’s experience,
(III) The adoption of automated decisions, such as allowing the contracting, or not, of certain products and / or services based on the Client’s profile and particularly, on data such as the history of non-payments, the history of contracting, permanence, locations, data consumption, types of devices connected to the energy network, and similar data that allow to know in greater detail the risks associated with the contracting.
(IV) Based on the results obtained from the aggregation of the indicated data, EDP may make personalized offers, and specifically aimed at achieving the contracting of certain products and / or services from EDP or third-party entities depending on whether or not the client has so consented, being in any case data processed whose age will not exceed one year. In the event that said process is carried out in an automated manner, the client will always have the right to obtain human intervention from EDP, admitting the challenge and, where appropriate, evaluation of the resulting decision.

Categories of processed data
By virtue of the contractual relationship, EDP may process the following types of personal data: (I) Identifying data (name, surname, DNI, postal address, email address, supply point, etc.), (II) Codes or User and / or Client identification codes, (III) Personal characteristics data (date of birth, sex, nationality, etc.), (IV) Social circumstances data (hobbies, lifestyle, marital status, etc.) , (V) Data on energy consumption and life habits derived from these, (VI) Economic, financial, solvency and / or insurance data.

Personal data will be kept during the validity of the contractual relationship and at most, during the limitation period of the corresponding legal actions, unless the Client authorizes its treatment for a longer period, applying organizational and security measures from the beginning of the treatment to ensure the integrity, confidentiality, availability and resilience of personal data.
Communications and recipients of personal data.
All personal data derived from the provision of the service and those obtained by virtue of this contract may be communicated to the following entities:
1. The corresponding distribution company, producing with it a permanent exchange of information for the adequate provision of the service, including the request for access to its network, the readings (which in the case of remote-managed meter will be hourly) and / or consumption estimation , supply quality control, request for supply cuts, power modifications, etc.
2. The Organizations and Public Administrations that by Law correspond.
3. Banks and financial entities for the collection of services rendered.
4. Other companies of the business group, solely for internal administrative purposes and the management of the products and services contracted.
5. National equity solvency and credit services (Asnef-Equifax, …) to which, in case of non-payment without just cause by the Client, the debt may be communicated, as well as fraud prevention services, with the sole purpose of identifying erroneous or fraudulent information provided during the contracting process.
6. EDP providers necessary for the adequate fulfillment of contractual obligations, including those that may be located outside the European Economic Area, in which case the international transfer of data is duly adequate.
Rights of the data holder
The client will have at all times the possibility of exercising the following rights freely and completely free of charge:
1. Access your personal data that is processed by EDP.
2. Rectify your personal data that are processed by EDP that are inaccurate or incomplete.
3. Delete your personal data that is processed by EDP
4. Limit the treatment by EDP of all or part of your personal data.
5. Oppose certain treatments and automated decision-making of your personal data, requiring human intervention in the process, as well as to challenge the decisions that are finally adopted by virtue of the processing of your data.
6. Port your personal data in an interoperable and self-sufficient format.
7. Withdraw at any time, the consents previously granted.
In accordance with current regulations, the user can exercise their rights by requesting it in writing, and together with a copy of a reliable document of identity accreditation, at the following postal address: Plaza del Fresno, 2, 33007 Oviedo or by email cclopd@edpenergía.es

Likewise, you can contact the EDP data protection officer at the following postal address: Plaza del Fresno, 2, 33007 Oviedo or by email dpd.es@edpenergía.es, in the event that you understand that any of your rights related to data protection, or where appropriate, file a claim with the Spanish Agency for Data Protection, at the address Calle de Jorge Juan, 6, 28001 Madrid.”

7. It is clear that the number of contracts signed in 2018 and 2019 by third parties on behalf of individuals is as follows:
1. Telephone Channel:

A.1 – CAC INBOUND
Year Channel Representation No. Contracts
2018 CAC Relationship 1,346
2018 CAC No kinship 394
2019 CAC Relationship 983
2019 CAC No kinship 278

A.2 – TELEMARKETING
Year Channel Representation No. Contracts
2018 TELEMARKETING Relationship 2,865
2018 TELEMARKETING No kinship 82
2019 TELEMARKETING Relationship 1,201
2019 TELEMARKETING No kinship 42

A.3 – LEADS
Year Channel Representation No. Contracts
2018 LEADS Relationship 5,518
2018 LEADS No kinship 849
2019 LEADS Relationship 6,127
2019 LEADS No kinship 1,160

2. Web: Hiring with a representative is not contemplated.

3. Distributors (own commercial offices):

Year Channel Representation No. Contracts
2018 OOCC Relationship 194
2018 OOCC Unrelated 67
2019 OOCC Relationship 174
2019 OOCC Unrelated 78

4. External Sales Forces: (trade fair stands, shopping centers – home visit)

Year Channel Representation No. Contracts
2018 FVE Relationship 10,758
2018 FVE No kinship 118
2019 FVE Relationship 1,556
2019 FVE No kinship 58

8. It is clear that on July 16, the AEPD had a written entry from EDP Comercializadora SAU stating that “it has reviewed the procedure to be followed in contracting by third parties on behalf of the owner, in order to strengthen said procedure and reduce the risks of possible identity theft carried out in bad faith by the contracting party in this type of process, taking into account, additionally, the particular needs identified as a result of the state of alarm decreed last March and which has necessarily required that all contracts be carried out in a non-presential way.
That in order to inform the AEPD of the specific actions that are being carried out in relation to this matter by EDP, in compliance with its duty of proactive compliance (accountability), we enclose the “Procedure for contracting by third parties on behalf of the owner”, so that they have visibility about the modifications that are being implemented in said processes in order to attend to their request in this regard, as well as to show EDP’s proactivity regarding its suggestion of adaptation of said process.” This procedure is detailed below.

9. EDP COMERCIALIZADORA SAU provides, in response to the request made by this Agency within the framework of the research activities, an extract from the Registry of Treatment Activities that includes the records related to the activities carried out in the field of contracting products and / or services and the risk analysis carried out regarding the treatments carried out in the context of contracting products and / or services.

The risk analysis is contained in an Excel document that bears no date or signature. 15 risk factors are listed: 1. Commercially sensitive information. 2. Commercial Communications. 3. Data origin (external or internal source). 4. Data transfers. 5. Treatment Managers. 6. International transfers. 7. Scoring / Profiling activities. 8. Automated decisions. 9. Systematic monitoring of holders. 10. Special categories of data. 11. Large-scale data processing. 12. Data interconnections / Big Data. 13. Minor Data / Vulnerable Holders. 14. Application or use of innovative technologies. 15. Unavoidable treatment / Restriction of exercise rights or access to service. Regarding the potential assessment of inherent risk, the risk scale has 4 levels: low, with a rating from 0 to 12; medium, from 13 to 25; high, from 26 to 38; and very high, from 39 to 51. The valuation or weight given to each of the risk factors is from 1 to 4. In the risk analysis, a yes or no is indicated for each of the 15 risk factors listed above. The sum of the weights attributed to the factors for each channel determines the inherent risk. The inherent risk result is medium in all contracting channels, except for web channels and external forces through home visits, where the inherent risk result is low. Risk correction measures are not indicated.

These documents are declared reproduced in this act for evidentiary purposes.

10. It is clear that to access the General Conditions, which are referred to in the telephone processes to obtain the rest of the information regarding the processing of personal data, the following process must be followed on the www.energía.es page:

-Access through the internet browser to the address https://www.edpenergia.es/es/

-Enter the text “General Conditions” in the page’s own search engine.

-The website shows, under the following address: https://www.edpenergia.es/es/buscadorGeneral.do?tiposBusqueda=C%7CM%7CD&idMenuSegmento=18&textBusqueda=Conditions+General, 2 tabs, one called related information and another Documents.

-Select the “Documents” tab of the Search Results. This offers a total of 78 results, the third of which corresponds to the “General contracting conditions”.

-The “General contracting conditions” are selected and a new browser window automatically opens pointing to the following internet address: https://www.edpenergia.es/resources/doc/comercial/2019/09/10/condicionesgenerales-de-contratacion.pdf, where the document can be downloaded.

1. The following documents are provided in support of the allegations made:
o Annex 1.a) Methodology for risk analysis and implementation of DPIAS
o Annex 1.b) RAT contracting EDPC
o Annex 1.c) RAT Risk Assessment- EDPC Contracting
o Annex 1.e) Impact Assessments – Risk Assessments
o Annex 1.f) Impact evaluations – Reports

Appendix 2:
o Methodology_Privacy by Design by Default of EDP
o Operating Instruction Privacy by Design & Privacy by Default
o Privacy by Design & Privacy by Default form
o Privacy By Design Procedure Flowchart.

Annex 4:
o Examples of requests for the exercise of rights.

The Risk Analysis Methodology and implementation of DPIAS (DATA PRIVACY ASSESSMENTS) contains a history of versions on its first page, the date of the initial version being 11/24/2017 and the last one being the revision date of 05/11/2018, prior to the applicability of the RGPD. It is accompanied by various annexes whose date does not appear.

The document contained in annex 1.b RAT, EDPC, whose date does not appear, includes a treatment purpose not included in the Register of treatment activities sent to this Agency on June 17, 2020. Specifically, said treatment, now included, has the following content:
Responsible: EDP Comercializadora SAU
Purpose of the treatment: “Scoring of customers in the B2C segment prior to hiring”,
Description: “Scoring clients in the B2C segment prior to contracting according to the internal outstanding debt and information from solvency files (ASNEF).”
Category of data holders: “Clients and potential clients.”
Category of personal data processed: “Identifying data and economic data.”
Legal basis for carrying out the treatment: “Satisfaction of legitimate interests.”
Period of conservation of personal data: “5 years from the end of the contractual relationship. The certain, expired and enforceable debt derived from the execution of the contract will be maintained until its cancellation or the limitation period of the pertinent legal recovery actions.”
Data transfers (data recipients, other than those in charge of the treatment): “ASNEF is jointly responsible for the treatment, according to the agreement signed with ASNEF.”
Categories in charge of treatment: The box has no content.
International data transfer: No

Annex 1.c) under the name “RAT Risk Assessment- EDPC Contracting”, whose date is not reflected in the document either, contains the risk analysis, in matrix form, equal to the one presented on June 17, 2020, with the same content, although two columns have been added under the title “treatment requires PIA”, the two entitled “No. of EDP-W29 criteria”, the first indicates a number that seems to correspond to its title and in the second, the need for an impact assessment is indicated. In said matrix there is also a new treatment whose purpose is the “Scoring of customers in the B2C segment prior to hiring.”
Various documents entitled impact evaluations are provided, the date of which is also not recorded. These impact evaluations are the following:
-Risk assessment of B2C client scoring prior to hiring, in which, among other threats, the following are indicated:
– “the basis that legitimizes the treatment is not adequate, is illegal or has not been formulated properly”, whose probability is set as high, with an impact rated as very high, resulting in a high inherent risk. Regarding the controls implemented against this threat, it is stated that “the legal basis of the treatment is to satisfy a legitimate interest (fraud prevention)”.
– “At the time of data collection, the minimum information provided to the person is not provided or no information is provided.” In this case, it is considered that “neither the probability nor the impact” apply, nor is there an inherent risk, the controls being the “Data Protection clause included in the contract signed with the client with all the information required by the RGPD” and the “information provided to the client prior to carrying out the scoring process”.

-Evaluation of channel leads to be converted by telemarketing
-Evaluation of risks Telemarketing upselling and abandonments
-CAC channel risk assessment to clients or potential clients (inbound)
-OOCC channel evaluation of clients and potential clients
-Risk assessment of third-party stores for sale to potential customers.
In all these impact evaluations, the threats considered, among many others, include those related to the fact that “the basis that legitimizes the treatment is not adequate, it is illegal or it has not been formulated properly” and “at the time of data collection, the minimum expected information is not provided to the person or no information is provided”. In both cases the probability is valued as high, the impact as very high and the inherent risk high. The controls adopted are mentioned, referring to the legitimizing basis of the treatment in the first case and “Data Protection clause included in the contract signed with the client with all the information required by the RGPD” in the second. Among the ongoing controls for both threats in all channels, except in the OOCC channel, are described “the implementation of a new contracting procedure through a representative, incorporating the sending of an SMS / Email message through which it is facilitated the basic information necessary in terms of data protection to the contract holder.”
The date on which the ongoing actions were incorporated into the corresponding impact evaluations is not stated.

These documents are declared reproduced in this act for evidentiary purposes.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of this Data (General Data Protection Regulation, hereinafter RGPD) recognizes each Control Authority, and as established in articles 47, 48, 64.2 and 68.1 of Organic Law 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this procedure.

Article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, in the alternative, by the general rules on administrative procedures.”

II

Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (General Data Protection Regulation, hereinafter RGPD), under the heading “Definitions”, provides the following:

“2) “treatment”: any operation or set of operations carried out on personal data or sets of personal data, either by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of enabling access, collation or interconnection, limitation, deletion or destruction”.

7) “controller” or “controller”: the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of processing; if the law of the Union or of the Member States determines the purposes and means of the treatment, the data controller or the specific criteria for their appointment may be established by the Law of the Union or of the Member States ”

Article 24.1 of the RGPD provides, regarding the responsibility of the person responsible for the treatment, that “Taking into account the nature, scope, context and purposes of the treatment, as well as the risks of varying probability and severity for the rights and freedoms of natural persons, the data controller will apply appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with this Regulation. Said measures will be reviewed and updated when necessary.”

In the present case, it is established that EDP COMERCIALIZADORA, SAU is responsible for the data processing, referred to in the factual background of this agreement to initiate the sanctioning procedure, since, according to the definition of article 4.7 of the RGPD, it is who determines the purpose and means of the treatments carried out for the purposes indicated in the documentation provided regarding the contracting of their services, therefore, in their capacity as responsible for the treatment, they are obliged to comply with the provisions of the transcribed art 24 of the RGPD and especially regarding the effective and continuous control of “appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with this Regulation”.

Likewise, article 25.1 of the RGPD establishes that “Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the treatment, as well as the risks of varying probability and severity that the treatment entails for the rights and freedoms of natural persons, the person responsible for the treatment will apply, both at the time of determining the means of treatment and at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymisation, conceived to apply data protection principles, such as data minimization, in an effective way, and integrate the necessary guarantees in the treatment, in order to comply with the requirements of this Regulation and protect the rights of the interested parties.”

For these purposes, the provisions of the following RGPD recitals are taken into account:

1. “The responsibility of the person responsible for the treatment for any personal data processing carried out by himself or on his behalf must be established. In particular, the controller must be obliged to apply timely and effective measures and must be able to demonstrate the conformity of the processing activities with this Regulation, including the effectiveness of the measures. These measures must take into account the nature, scope, context and purposes of the treatment as well as the risk to the rights and freedoms of natural persons.”

2. “The risks to the rights and freedoms of natural persons, of varying severity and probability, may be due to the processing of data that could cause physical, material or immaterial damages, particularly in cases in which the treatment may give rise to problems of discrimination, identity theft or fraud, financial losses, damage to reputation, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of pseudonymization or any other significant economic or social damage; in the cases in which the interested parties are deprived of their rights and freedoms or are prevented from exercising control over their personal data; in cases where the personal data processed reveal ethnic or racial origin, political opinions, religion or philosophical beliefs, union membership and the processing of genetic data, data related to health or data on sexual life, or convictions and criminal offenses or related security measures; in cases where personal aspects are evaluated, in particular the analysis or prediction of aspects related to job performance, economic situation, health, personal preferences or interests, reliability or behavior, situation or movements, in order to create or use personal profiles; in cases in which personal data of vulnerable persons is processed, in particular children; or in cases where the treatment involves a large amount of personal data and affects a large number of interested parties.”

3. “The probability and severity of the risk to the rights and freedoms of the interested party must be determined with reference to the nature, scope, context and purposes of the data processing. The risk must be weighed on the basis of an objective assessment by which it is determined whether the data processing operations pose a risk or whether the risk is high.”

Consequently, the data controller must carry out an analysis of the risks that the data processing carried out may have for the rights and freedoms of natural persons, implementing the appropriate technical and organizational measures to apply the principles of data protection and integrate the necessary guarantees in the treatment in order to comply with the requirements of the RGPD, having to be able to demonstrate that the treatment is in accordance with the provisions of the aforementioned standard.

The principles of data protection are included in article 5 of the RGPD, the first of which should be highlighted here regarding the legality of the treatment. In accordance with article 5.1.a of the RGPD, “Personal data will be: a) processed in a lawful, loyal and transparent manner in relation to the interested party (“lawfulness, loyalty and transparency”)”. The second number of article 5 provides that “The data controller will be responsible for complying with the provisions of section 1 and capable of demonstrating it (“proactive responsibility”).”

The legality of the treatment implies that the personal data can only be processed by the person responsible for the treatment when any of the legitimizing bases listed in article 6 of the RGPD concur.

Taking into account the documentation provided by the person responsible for the treatment, it should be noted that the contracting of gas services by EDP COMERCIALIZADORA, SAU can be carried out through different channels, these being the following:
1. Telephone, which includes the following sub-channels: CAC Inbound, Telemarketing and Leads.
2. Web channel.
3. Distributors, which includes EDP’s own Commercial Offices and third-party stores.
4. External Sales Forces, which can be: Stands at Fairs, Shopping Centers, etc., or home visits with prior request.

According to said documentation, the contracting of the service can be carried out with a customer representative, except when it comes to the web channel and the sub-channel for third-party stores in which it is not allowed. The examination of the procedures for contracting the service described by the person in charge and the documentation provided show that when the contracting of the service is carried out through a representative, the latter is not required to accredit the representation that he claims to hold. This absence of accreditation has a single exception when the service is contracted in the sub-channel of its own commercial offices in which a document accrediting the authorization granted for contracting by the represented party is obtained together with the presentation of their ID (evidence 5).

In this way, to the extent that no procedure has been implemented that allows the representation of whoever makes a contract on behalf of a third party to be proven, various risks may be generated. By way of example, these include the processing of the data of the represented party without legitimacy, the risk of identity theft, or economic or other damages that may be caused to the interested party as a result of the change of company supplying the service, with the consequent cancellation of the original contract, or the change of ownership of the contract or of the modality of the contract with the supply company, without the interested party having consented to such changes.

Second, in the documentation provided, it is observed that in the telephone contracting channel (CAC inbound, Telemarketing and leads subchannels), together with the contracting of the service, consent is requested to carry out other treatments, such as sending offers related to energy adapted to the client’s profile after the end of the contract or the submission at any time of information on non-energy products or services of collaborating companies or EDP. This request is made to the representative, as is clear from the very wording of the text of evidence 2, 3 and 4 sent, according to which the latter is asked: “Can you allow us to present to your represented energy-related offers adapted to your profile after the end of the contract, or send you at any time information on non-energy products and services, Collaborating Companies or EDP?” (evidence 2); “Do you allow us to present your client with energy-related offers after the end of the contract, or to send you at any time information on products and services from the financial, insurance and automotive sectors, from Collaborating Companies or from EDP?” (evidence 3); “May we present you with energy-related offers tailored to your profile after the end of the contract, or send you information on non-energy products and services, Collaborating Companies or EDP at any time?” (evidence 4).

In none of the three cases, as can be inferred from the analysis of the procedures followed by the person in charge in the contracting processes, is proof requested that the representative has been authorized to give such consent on behalf of the represented party.

Nor is it proven that the representative has been authorized by his client to consent to the processing of data for the advertising purposes referred to above, if he does so, when the contracting process is carried out through the channel of commercial offices owned by EDP COMERCIALIZADORA, SAU, since such possibility is not contemplated in the document presented as evidence 5, which contains the authorizations for various treatments by the representative; and it must be taken into account that it must, where appropriate, be a specific mandate, which cannot be deduced from a general authorization for other treatments.

In the case of contracting through the external forces channel, evidence 6, which the person in charge calls the sales book, contains, in the box entitled “client / representative”, a box to consent to the processing of personal data, in the following terms: “I consent to the processing of my personal data once the contractual relationship has ended, to carry out commercial communications adapted to my profile of products and services related to the supply and consumption of energy. Likewise, I consent to the aforementioned treatments during the term and after the end of the contract, on non-energy products and services, both from the companies of the EDP Group and from third parties.” In said contract or sales receipt, as it has been called by the person in charge, it also appears, after the spaces for the representative’s data, that he “declares that he has sufficient powers to sign this contract on behalf of the client to whom he is responsible for informing of all the conditions of the same.” Nor in this contracting procedure is accreditation of the representation claimed, whether to contract or to give consent for other treatments on behalf of the represented, required, the representation being merely declared by the representative.

Nor in these cases has a procedure been implemented that allows proving that the representative had the authorization of the represented party to consent to such treatments, producing the risk of processing the data of the represented party without legitimation, leaving the latter exposed to the reception of publicity even after completion of the contractual relationship. In the case of the external sales forces channel, the risk is increased, since the contract is not even sent to the principal, but the copy is given to the representative who is responsible for informing the principal.

Thirdly, it is observed in the documentation in this procedure that, at the time of contracting through the telephone channel, in all sub-channels, the representative is asked for permission to “complete the business profile of the represented with information on bases from third parties, in order to send you commercial proposals and the possibility of contracting or not certain services” (evidence 2, 3 and 4). As in the previous case, it is not proven that the representative is authorized by the represented to consent to such treatment.

The same can be said when the consent for this treatment is given by the representative in the channel of their own commercial offices, since it does not appear in the document that reflects the authorizations granted to the representative (evidence 5), specific authorizations so that the representative gives his consent for such treatments.

In the case of the external forces channel, in the so-called sales checkbook, a box appears to give consent, which is formulated as follows: “I consent to the processing of my personal data for the preparation of my commercial profile with information from databases of third parties, for the adoption, by EDP, of automated decisions in order to send personalized commercial proposals, as well as to allow, or not, the contracting of certain services.” Likewise, accreditation of the authorization of the represented party is not required to give consent to these treatments, considering that their declaration in this regard is sufficient. On the other hand, as was previously shown, the risk for the principal increases since the sales receipt (evidence 6) shows that a copy of the document is delivered to the representative who is responsible for informing the principal.

Nor in these cases has a procedure been implemented that allows proving that the representative had the authorization of the represented party to consent to such treatments, leaving the interested party exposed to profiling with information from third party databases or to automated decisions being made regarding him without having consented.

In the allegations to the agreement to initiate this procedure, it was stated that the freedom of form in the manner established in the Civil Code for the mandate contract is incompatible with obtaining evidence of the existence of the representation or mandate, beyond the representations of the agent, protected in good contractual faith. However, as this Agency has indicated in the resolution proposal, nothing prevents one of the parties to a contract from requiring the person acting as agent of the other party to accredit the representation that it claims to hold; proof of this is that EDP COMERCIALIZADORA, SAU itself requires it in its contracting procedure in the channel of its own commercial offices, requiring from the representative a document certifying the authorization granted for contracting by the represented party, signed by both, which must be accompanied by the DNI of both the representative and the represented. It is now alleged by said entity that it is not obliged to carry out, with authorized third parties that contract through the telephone channel or external sales forces, any verification of the existence and scope of their mandate, on the basis that the possibility of verifying the powers of the principal constitutes a burden for the agent, not for the third party, since the interests to be safeguarded, within the framework of civil law, are those of the agent, and not those of the agent or the principal. It is also alleged that in the power to contract the service through an authorized third party resides the power to provide the consents inherent to the contracting process, including those related to the processing of personal data.

This Agency cannot share such arguments: the personal data protection regulations focus on the protection of this right of the interested parties, so that their data can only be processed when there is a legitimation, without which no data processing can be carried out. In the case that concerns us, the legitimation may derive from the existence of a contract or the provision of a consent for certain treatments, so that if the contract is made by a third party on behalf of the interested party, or such consents are provided by a third party on behalf of the interested party, the data controller must act diligently to verify that whoever claims to be authorized to act on behalf of another is indeed so, and that this authorization extends not only to the performance of a contract, but also to the provision of consents for other different data processing that is requested during the hiring process. In the latter case, the existence of such authorization by the interested party to consent to treatments on their behalf can be doubted even more, taking into account that the consent requests for the sending of commercial communications and the realization of profiling are made during the telephone contracting process, unexpectedly, so that it is difficult to think that the represented party has previously authorized the representative to give such consents. In the same way, it is doubtful that in a hiring process in the external forces channel, which, it should be remembered, refers to hiring at trade fair stands or shopping centers, there is a prior authorization to consent to treatments on behalf of the represented party, since such a request is also made during the contracting process, increasing the risk for the interested party as the contract is not even sent, but a copy is given to the representative, who is responsible for informing the represented party.

In this way, the first of the risks to be assessed is precisely the legitimacy for each treatment and, in particular, in the case of acting through a representative, the risks that the data subject faces from data processing without due legitimation, in the event that the representative lacks the power to allow such processing.

The risk analysis initially presented does not consider the risks mentioned above, limiting itself to mentioning commercial communications and scoring / profiling as risks, risks that are not even considered for the external sales force channel. The risk analysis presented with the allegations to the initiation agreement does not contemplate such risks either, being substantially the same as the previous one, including only two columns that under the same heading “No. EIPD-WP29 criteria” indicate in one of them the supposed number of criteria and the need to carry out a DPIA.

Several impact evaluations are provided with the allegations to the initiation agreement, one for each of the sales channels, in which the following two are considered as threats, among others: “the basis that legitimizes the treatment is not adequate, is illegal or has not been formulated properly” and “at the time of data collection the minimum information provided to the person is not provided or no information is provided”. In both cases the probability is valued as high, the impact as very high and the inherent risk as high. The adopted controls are mentioned, which with respect to the first threat are constituted by the reference to the legitimizing basis of the treatment and, in the case of the second one, the following is indicated as the adopted control: “Data Protection clause included in the contract signed with the client with all the information required by the RGPD”. Among the ongoing controls for both threats in all channels, except in the OOCC channel to clients or potential clients, is described “the implementation of a new contracting procedure through a representative, incorporating the sending of an SMS / Email message through which the basic information necessary in terms of data protection is provided to the contract holder.” The date on which this ongoing action was incorporated into the impact evaluations does not appear.

EDP COMERCIALIZADORA, SAU alleges that the AEPD intends to justify the initiation of this sanctioning proceeding in the alleged absence of documentation that has never been requested. And it points out that it has a risk identification, analysis and management methodology, both to identify the inherent risks, and specifically to assess the need to carry out Impact Assessments, including as an annex the supporting documentation that amply proves that it fully complies and fully with these obligations.

In this regard, it should be taken into account that the obligations established in articles 24 and 25 of the RGPD do not constitute mere formal obligations, but as indicated in article 24 “the person in charge will apply appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with these Regulations.” And article 25 also reiterates that “the person responsible for the treatment will apply, both at the time of determining the means of treatment and at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymisation, designed to effectively apply the principles of data protection, such as minimizing data, and integrating the necessary guarantees in the treatment, in order to comply with the requirements of this Regulation and protect the rights of the interested parties.” It is also a dynamic obligation: each modification of the technical and organizational measures must also be subject to a risk analysis to determine if said modification is suitable to effectively apply the principles of data protection and integrate the necessary guarantees in the treatment.

In the present case, regardless of when the implementation of this new contracting procedure through a representative has been included in each Impact Assessment among the ongoing controls, since said date does not appear, it is not until July 16, 2020 in which a letter is presented to this Agency stating that “it has reviewed the procedure to be followed in contracting by third parties on behalf of the owner, in order to strengthen said procedure and reduce the risks of possible identity theft carried out from bad faith by the contracting party in this type of process, taking into account, additionally, the particular needs identified as a result of the state of alarm decreed last March and which has necessarily required that all contracts be carried out in a remote manner.

That in order to inform the AEPD of the specific actions that are being carried out in relation to this matter by EDP, in compliance with its duty of proactive compliance (accountability), we enclose the “Procedure for contracting by third parties on behalf of the owner ”, so that they have visibility about the modifications that are being implemented in said processes in order to respond to your request in this regard, as well as to demonstrate EDP’s proactivity regarding its suggestion to adapt said procedure. ” Said letter did not indicate the date of implementation of such measures.

In the allegations to the start-up agreement of EDP COMERCIALIZADORA SAU, it is stated that “the proposed contracting protocol has been made known to the AEPD on July 16, 2020, presented in any case before receiving the writing of the Start-up Agreement of Sanctioning Procedure, being a Request for information with a common number for EPD ENERGÍA and EDP COMERCIALIZADORA without the AEPD having ruled on it to date with the corresponding legal assessment report, as requested, in order to implement a system that was fully in accordance with the criteria and interpretations of the AEPD, limiting itself up to now to including certain considerations in relation to it in the Initiation Agreement sent to EDP COMERCIALIZADORA. ” It also states that “As for the implementation date, it depends precisely on the opinion expressed by the AEPD on this procedure, since it would not make sense to start it if the supervisory authority considers that it does not meet its criteria for considering it an adequate procedure, taking into account the economic costs associated with this implementation, as well as the time and dedication resources necessary for the deployment of these measures. ”

In the allegations to the proposed resolution, it is indicated that the procedure was implemented in January 2021. It also adds that the possibility of requesting consents for marketing and commercial purposes to which the AEPD refers has been eliminated from its contracting procedure by representation, and some documents are attached to evidence this elimination. Without prejudice to the fact that this Agency values positively that the possibility of requesting such consents has been eliminated, the procedure followed in the telephone channels is surprising, in which the deletion consists of indicating “[Read only legal persons who call on behalf of a business] In addition, so that we can advise you with the best proposals: • Do you allow us to present your client with energy-related offers after the end of the contract, or send you information on non-energy products and services, belonging to Collaborating Companies? [OTHERWISE] • Do you allow us to complete the commercial profile of your client with information provided by third parties, to send you personalized proposals? [OTHERWISE].” The data protection regulations do not protect legal persons, so it is alien to them that consent is requested to carry out a profiling of these with information provided by third parties to send personalized proposals. In any case, it is not indicated what treatment will be given to the authorizations provided by a representative of natural persons for the sending of commercial communications and the completion of profiles requested prior to the adoption of said measure. On the other hand, the risk analysis from which the modification of the contracting procedure derives or the justification on the suitability of the measures adopted to minimize them has not been provided. This reiterates the breach of the principle of proactive responsibility required by the Regulation.

All this goes to show that measures had not been adopted to verify the existence of authorization to contract or to provide on behalf of the represented party the consent for other treatments until January of this year, in which, as set out, a new procedure was implemented to verify the reality of the representation and the possibility of requesting from the representative authorization to carry out treatments of data other than the contract, such as the sending of commercial communications and the realization of commercial profiles, was eliminated, without indicating from which date. The obligations established in article 25 were thus breached, obligations that are not limited to formal aspects, but extend to the effective implementation of appropriate technical and organizational measures, measures that, in turn, must be subject to the corresponding risk analysis to determine their ability to achieve the desired result.

On the other hand, in relation to what was stated in the allegations to the initiation agreement, in which it was indicated that such measures had not been implemented while this Agency had not issued a legal report to evaluate them: as follows from the provisions of the RGPD, it is the person in charge who, in compliance with its obligations of proactive responsibility, must implement the necessary technical and organizational measures, as expressed in articles 24 and 25 of the RGPD, or as indicated in the terms of recital 73 of the same rule: “In particular, the controller must be obliged to apply timely and effective measures and must be able to demonstrate the conformity of the processing activities with this Regulation, including the effectiveness of the measures”, and it is the controller who is responsible for assessing whether such measures are appropriate. Secondly, this Agency is not obliged to issue any legal report on such actions, which also, in the event that it could be issued voluntarily, is not binding, so the breach of the obligations of the person in charge cannot be justified by the absence of a legal report from the AEPD.

Likewise, in the allegations to the commencement agreement, EDP COMERCIALIZADORA indicated the application of the non bis in idem principle, considering that the present facts were sanctioned in a procedure that, to date, is under appeal. In this regard, it should be recalled that the ruling of the Constitutional Court 77/2010, of October 19, states with respect to said principle that “as we have affirmed the aforementioned triple identity of subject, fact and foundation” constitutes the presupposition of application of constitutional prohibition of incurring bis in idem, be it substantive or procedural, and delimits the content of the fundamental rights recognized in art. 25.1 CE, since these do not prevent the concurrence of any sanctions and sanctioning procedures, not even if they have by object the same facts, but these fundamental rights consist precisely in not suffering a double sanction and in not being subjected to a double punitive procedure, for the same facts and with the same foundation”. Such allegation cannot be admitted, since it cannot be appreciated here that these are the same facts and grounds as in the procedure referred to by EDP COMERCIALIZADORA, SAU, since in that procedure an infringement of article 6.1 of the RGPD was charged, for treating the claimant’s personal data without legitimacy.

Consequently, in accordance with the findings set forth, the aforementioned events constitute a violation of article 25 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the RGPD grants to the Spanish Agency for Data Protection.

III

The number 11 of article 4 of the RGPD defines consent as “Any expression of free, specific, informed and unequivocal will by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns him.”

For their part, articles 6 and 7 of the RGPD refer, respectively, to the “Legality of the treatment” and the “Conditions for consent”:

Article 6 of the RGPD. “1. The treatment will only be lawful if at least one of the following conditions is met:
a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at his request of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person in charge of the treatment;
d) the treatment is necessary to protect vital interests of the interested party or of another natural person;
e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for the treatment;
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that the interests or fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail over said interests, in particular when the interested is a child.
The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions.

2. Member States may maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation with regard to processing in compliance with paragraph 1, letters c) and e), setting more precisely specific processing requirements and other measures that guarantee a lawful and equitable treatment, including other specific treatment situations in accordance with chapter IX.

3. The basis of the treatment indicated in section 1, letters c) and e), must be established by:
a) Union law, or
b) the law of the Member States that applies to the controller.
The purpose of the treatment must be determined in said legal basis or, in relation to the treatment referred to in section 1, letter e), it will be necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred to the person responsible for the treatment. Said legal basis may contain specific provisions to adapt the application of the rules of this Regulation, among others: the general conditions that govern the legality of the treatment by the person in charge; the types of data being processed; the affected stakeholders; the entities to which personal data may be communicated and the purposes of such communication; the limitation of the purpose; the data retention periods, as well as the operations and treatment procedures, including the measures to guarantee a lawful and equitable treatment, such as those relating to other specific treatment situations in accordance with Chapter IX. The law of the Union or of the Member States shall fulfill an objective of public interest and shall be proportional to the legitimate aim pursued.

4. When the treatment for a purpose other than that for which the personal data was collected is not based on the consent of the interested party or on Union or Member State law that constitutes a necessary and proportional measure in a democratic society to safeguard the objectives indicated in article 23, paragraph 1, the data controller, in order to determine whether the processing for another purpose is compatible with the purpose for which the personal data was initially collected, will take into account, among other things:
a) any relationship between the purposes for which the personal data have been collected and the purposes of the further processing provided;
b) the context in which the personal data was collected, in particular with regard to the relationship between the data subjects and the controller;
c) the nature of the personal data, in particular when special categories of personal data are processed, in accordance with article 9, or personal data relating to convictions and criminal offenses, in accordance with article 10;
d) the possible consequences for the data subjects of the planned further processing;
e) the existence of adequate guarantees, which may include encryption or pseudonymisation”.

Article 7 of the RGPD.
“1. When the treatment is based on the consent of the interested party, the person in charge must be able to demonstrate that he consented to the processing of their personal data.

2. If the consent of the interested party is given in the context of a written statement that also refers to other matters, the consent request shall be presented in such a way that it is clearly distinguishable from the other matters, in an intelligible and easily accessible way and using a clear and simple language. Any part of the declaration that constitutes an infringement of these Regulations will not be binding.

3. The interested party will have the right to withdraw their consent at any time. The withdrawal of consent will not affect the legality of the treatment based on the consent prior to its withdrawal. Before giving consent, the interested party will be informed of it. It will be as easy to withdraw consent as it is to give it.

4. When evaluating whether consent has been freely given, the fact that, among other things, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data that are not necessary for the execution of said contract will be taken into account to the greatest extent possible”.

What is expressed in recitals 32, 40 to 44 and 47 of the RGPD is taken into account in relation to what is established in articles 6 and 7 above. From what is expressed in these recitals, the following should be highlighted:

(32) Consent must be given by means of a clear affirmative act that reflects a manifestation of free, specific, informed, and unequivocal will of the interested party to accept the processing of personal data that concerns him, as a written statement, including by electronic means, or a verbal statement. This could include checking a box on a website on the internet, choosing technical parameters for the use of information society services, or any other statement or conduct that clearly indicates in this context that the interested party accepts the proposed treatment of their personal information. Therefore, silence, checked boxes or inaction should not constitute consent. Consent must be given for all processing activities carried out for the same purpose or purposes. When the treatment has several purposes, consent must be given for all of them. If the consent of the interested party has to be given as a result of a request by electronic means, the request must be clear, concise and not unnecessarily disturb the use of the service for which it is provided.

(42) When the treatment is carried out with the consent of the interested party, the person responsible for the treatment must be able to demonstrate that he has given his consent to the treatment operation. In particular in the context of a written statement made on another matter, there must be guarantees that the data subject is aware of the fact that he gives his consent and the extent to which he does so. In accordance with Council Directive 93/13 / EEC (LCEur 1993, 1071), a model declaration of consent previously prepared by the controller must be provided with an intelligible and easily accessible formulation that uses clear and simple language, and that does not contain abusive clauses. For the consent to be informed, the interested party must know at least the identity of the person responsible for the treatment and the purposes of the treatment for which the personal data are intended. Consent should not be considered freely given when the interested party does not have a true or free choice or cannot deny or withdraw their consent without suffering any harm.

(43) (…) It is presumed that consent has not been freely given when it does not allow the separate authorization of the different personal data processing operations despite being appropriate in the specific case, or when the fulfillment of a contract, including the provision of a service, is dependent on consent, even when it is not necessary for such compliance.

It is necessary to take into account, also what is established in article 6 of the LOPDGDD:

“Article 6. Treatment based on the consent of the affected party
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, the consent of the affected party is understood to be any expression of free, specific, informed and unequivocal will by which he accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns him.
2. When it is intended to base the treatment of the data on the consent of the affected person for a plurality of purposes, it will be necessary to state specifically and unequivocally that said consent is granted for all of them.
3. The execution of the contract may not be subject to the affected party consenting to the processing of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship ” .

In accordance with the above, data processing requires the existence of a legitimate legal basis, such as the valid consent of the interested party.

From the analysis of the gas service contracting procedures established by EDP COMERCIALIZADORA, SAU, it appears that in the contracting carried out through the telephone sub-channels (CAC Inbound, Telemarketing and Leads) the representative is requested permission to “complete the commercial profile represented with information from third-party databases, in order to send you commercial proposals and the possibility of hiring or not certain services ”(evidence 2, 3 and 4).

Evidence 2, 3 and 4 show that the following information is provided to the contractor: “Your personal data and that of your client will be processed by EDP Comercializadora SAU and EDP Energía SAU for the management of their contracts, fraud prevention, performance of profiles based on customer and EDP information, as well as the realization of personalized communications about products or services directly related to their contracts, being able to oppose them at any time.” Consent is then requested in the following terms:
“Additionally, so that EDP can advise you with the best proposals:
Do you allow us to complete the commercial profile of your client with information from third-party databases, in order to send you personalized proposals and the possibility of contracting or not contracting certain services? [OTHERWISE]”
Regarding the sales channel by external sales forces, in the Sales Book (evidence 6), there is the following consent request together with a box to check it:
“I consent to the processing of my personal data for the preparation of my commercial profile with information from third party databases, for the adoption, by EDP, of automated decisions in order to send personalized commercial proposals, as well as to allow, or not, the contracting of certain services.”
It is considered that the consent thus given is not adjusted to the provisions of the RGPD and the LOPDGDD. Consent is requested with deficient information, as neither which third-party databases are going to be consulted nor what type of data are going to be collected is indicated, so that the interested party is absolutely unaware of what they are consenting to. Nor is it determined who will be responsible for the treatment: a generic reference is made to EDP, without the client who has contracted a service with only one of the two entities (EDP COMERCIALIZADORA SAU or EDP ENERGIA, SAU) knowing whether he is consenting to such treatments being carried out by both entities or only by the one of which he is a client. Nor is it clear what type of services he will be allowed to contract or not. Such deficiencies do not allow the interested party to know the consequences of their decision and thus assess the convenience of giving their consent or not.

Likewise, a single consent is requested for two different purposes: although both are automated, one of them is to send personalized advertising and the other is to give permission for the person responsible to determine whether or not to allow them to contract certain services, so that such consent cannot be considered to be specific in the terms of articles 4.11 and 6.1.a) of the RGPD and 6.1 of the LOPDGDD.

Regarding the automated decision regarding “whether or not to allow the contracting of a service”, the provisions of article 22 of the RGPD must also be taken into account, according to which:
“1. Any interested party shall have the right not to be the subject of a decision based solely on automated processing, including profiling, which produces legal effects on him or significantly affects him in a similar way.
2. Paragraph 1 shall not apply if the decision:
a) is necessary for the conclusion or execution of a contract between the interested party and a data controller;
b) is authorized by the law of the Union or of the Member States that applies to the controller and that also establishes adequate measures to safeguard the rights and freedoms and the legitimate interests of the data subject, or
c) is based on the explicit consent of the interested party.
3. In the cases referred to in section 2, letters a) and c), the data controller shall adopt the appropriate measures to safeguard the rights and freedoms and legitimate interests of the interested party, at least the right to obtain human intervention by the controller, to express their point of view and to challenge the decision.
4. The decisions referred to in paragraph 2 shall not be based on the special categories of personal data referred to in article 9, paragraph 1, unless article 9, paragraph 2, letter a) or g) applies, and adequate measures have been taken to safeguard the rights and freedoms and the legitimate interests of the interested party.”

In accordance with the provisions of said precept, to the extent that automated decisions are going to produce legal effects on the interested party or are going to affect him in a significant way, the consent must be explicit, so that it cannot be obtained in the same way as a general consent, but has to be obtained in a reinforced way. To this must be added that article 13 of the RGPD in its letter f) requires that the interested party be provided with significant information about the logic applied, as well as the importance and expected consequences of said treatment for the interested party. This information is not provided, which, in addition, may hinder the exercise by the interested parties of their rights and especially those expressly collected in art. 22 of the RGPD: the right to obtain human intervention on the part of the person in charge, to express their point of view and to challenge the decision.

Alleges EDP COMERCIALIZADORA, SAU:

(I) that consent is provided based on the good practices enunciated by the AEPD and ratified by the LOPDGDD, so that it is transferred to the interested parties through the double layer system, it also alleges that with respect to the absence of identification of third party sources or from the data categories, such information can be derived from the information provided to the client in the first layer (by clearly identifying that the treatment will be carried out with third-party sources) and in the second layer, the content of which is contained in the section called “ general conditions of the contract ”, whose content indicates:“

(II) The elaboration of commercial profiles of the Client by means of the aggregation of EDP databases with data from third party databases, in order to offer the Customer personalized products and services, thus improving the Customer experience.

(III) The adoption of automated decisions, such as allowing the contracting, or not, of certain products and / or services based on the Client’s profile and particularly, on data such as the history of non-payments, the history of contracting, permanence , locations, consumption data, types of devices connected to the energy network, and similar data that allow to know in greater detail the risks associated with contracting. (iv) Based on the results obtained from the aggregation of the indicated data, EDP may make personalized offers specifically aimed at obtaining the contracting of certain EDP products and / or services. ”

It points out that, as reflected in the cited text, EDP COMERCIALIZADORA has identified in great detail the types of data that are processed for the detailed purposes, the sources consulted for this being an obvious derivation of the foregoing. Lastly, it alleges that the data subject being the source of the data, it is only up to the Entity to inform in accordance with the provisions of article 13 RGPD, a provision that does not establish, in any of its precepts, the obligation to identify either the source or the type of data. Only in the event that such treatment had been carried out, the Entity should have reported such extremes, since only at that time would the provisions of article 14 RGPD apply.

Said allegations cannot be shared: the double layer system is not foreseen in the LOPDGDD as a mechanism that may lead to a breach of the provisions of article 4.11 of the RGPD, according to which consent must be free, specific, informed and unequivocal. It is worth remembering here what was stated by the European Data Protection Committee in the document “Guidelines 05/2020 on consent in accordance with Regulation 2016/679”, approved on May 4, 2020, which updates the Guidelines on consent by virtue of Regulation 2016/679, adopted by the Article 29 Working Group and approved by the European Data Protection Committee at its first plenary meeting. Said document indicates, in point 3.3.1, “Minimum content requirements for consent to be ‘informed’”:
“In order for consent to be informed, it is necessary to communicate to the interested party certain elements that are crucial to be able to choose. Therefore, the CEPD believes that at least the following information is required to obtain valid consent:
1. the identity of the person responsible for the treatment,
2. the purpose of each of the processing operations for which consent is requested,
3. what (type of) data is to be collected and used,
4. the existence of the right to withdraw consent,
5. information on the use of the data for automated decisions in accordance with article 22, paragraph 2, letter c), where relevant, and
6. information on the possible risks of data transfer due to the absence of an adequacy decision and adequate guarantees, as described in article 46. ”

In the present case, the identity of the person responsible for the treatment is not determined, since it is collected on behalf of EDP. This is ambiguous information, since EDP COMERCIALIZADORA SAU’s client does not know if he is consenting to the data processing being carried out by EDP COMERCIALIZADORA SAU and EDP ENERGIA, SAU or only by the entity with which he is contracting. On the other hand, at no time is the client informed of the third-party databases from which data will be obtained, not even in the second layer, it being unacceptable that the client should have to deduce them from the categories of data processed. Nor can it be admitted that only in the event that the treatment had been carried out should the interested party be informed of what data will be processed, since only in this case would Article 14 of the RGPD apply. On the contrary, it is essential that the interested party knows what types of data are going to be collected and used, so such information, that is, the data from third-party databases that are going to be used and, obviously, which databases those are, is an essential element for the interested party to know what he is consenting to.

The allegations that the consent is specific cannot be shared because there is a single purpose, such as the generation of a commercial profile, the use of which is limited to two contexts linked to each other: (i) the first, to carry out the assessment of the possibility of contracting and, (ii) the second, to issue the corresponding commercial offers to the user in question. The consent requests to allow the completion of the commercial profile mention two different purposes, one the sending of personalized commercial proposals, described with this generic nature, which may include any commercial proposal not linked to their services and another, the possibility of contracting or not determined services, the latter entering, where appropriate, in the field of automated decisions.

Nor can it be admitted, as EDP COMERCIALIZADORA, SAU alleges, that the information related to the elaboration of profiles and automated decisions, complies with the requirements of article 13 of the RGPD, since it informs about the existence of automated decisions, including the elaboration of profiles and provides significant information on the logic applied, as well as the importance and expected consequences of said treatment for the interested party.

In this sense, it is necessary to take into account the provisions of the Guidelines on automated individual decisions and profiling for the purposes of Regulation 2016/679, adopted by the Working Group on Data Protection of article 29 on October 3, 2017, last revised and adopted on February 6, 2018 and approved by the European Data Protection Committee in its first plenary meeting, which refer to the significant information on the logic applied in the following terms:

“Significant information on «applied logic»
The growth and complexity of machine learning can make it difficult to understand how an automated decision-making or profiling process works. The controller must find simple ways to inform the data subject about the underlying logic or criteria used to reach the decision. The GDPR requires the controller to provide meaningful information about the applied logic, not necessarily a complex explanation of the algorithms used or the disclosure of the entire algorithm.
However, the information provided must be sufficiently exhaustive so that the interested party understands the reasons for the decision.
Example

A data controller uses the credit rating to evaluate and reject an individual’s loan application. The rating may have been provided by a credit reference body, or it may have been calculated directly from information held by the data controller.

Regardless of the source (information about the source must be provided to the interested party under article 14, paragraph 2, letter f), when the personal data has not been obtained from the interested party), if the data controller relies on this qualification, it must be able to explain to the interested party said qualification, as well as the reasons for it.

The controller should explain that this process helps it make fair and responsible loan decisions. It should also provide details about the main characteristics considered when making the decision, the source of this information and the relevance. This may include, for example:
• the information provided by the data subject in the application form;
• information on the behavior of the accounts, including arrears in payments; and
• information from official public records, such as information on fraud or insolvency records.
Likewise, the controller must include information to warn the data subject that the credit rating methods used are periodically checked to ensure that they remain fair, effective and impartial. The person in charge of the treatment must offer contact information so that the interested party requests the reconsideration of the rejected decisions, in accordance with the provisions of article 22.”

Said document also points out regarding the «Importance» and «expected consequences» that “This term suggests that information should be provided on the planned or future treatment, and on how the automated decision may affect the interested party. In order for this information to be meaningful and understandable, real and tangible examples of the kind of possible effects must be provided. ”

In the present case, in the opinion of this Agency, such requirements are not met: it is not reported what type of products or services it will allow to contract, and the logic to apply to make said decision is not indicated, limiting itself to indicating that it will use a set of data that “allows to know in greater detail the risks associated with contracting”. The interested party therefore does not know what type of products or services can be allowed to contract or the logic to apply for making said decision, its importance or the expected consequences.

On the other hand, this Agency does not share the allegation that there is a media contest between these violations and the violation of article 13 of the RGPD. In this regard, it is worth citing the judgment of July 16, 2019 of the National High Court, which states that “Thus, regarding the existence of a media contest between the two offenses, which would determine the imposition of a single sanction, this Chamber has repeatedly declared (judgments of January 29 and June 24, 2014 (appeal 562/12 and 141/2013), among others, that both offenses are independent and there is no medial relationship that is intended between both, but that: «[…] they can be carried out with absolute independence, as they present their own substantivity and are autonomous from each other, given that they protect different data protection principles, in one case the unequivocal consent that all personal data processing requires (article 6.1 LOPD), and, in another, the quality of said personal data (article 4.3 LOPD), in order to safeguard the power of disposal of the owner thereof, which integrates the fundamental right to data protection (…) D the A.

In the same way, it must be considered that the three infractions of article 6, 13 and 22 of the RGPD are independent infractions. In this sense it must be taken into account that information constitutes an essential element of consent, in accordance with the provisions of article 4.11 of the RGPD, being determinant of its existence, so that its absence will result in the consent being invalid, thus being able to violate both article 6 and, where appropriate, 22 when the treatment is based on the explicit consent of the interested party. On the other hand, there is a principle of general transparency with respect to all the processing carried out by the interested party and that is reflected in the provisions of articles 12 to 14. In this way, cases may occur in which, in addition to the non-existence of informed consent, the principle of transparency is violated in general for all the treatments carried out by the interested party, thus violating the provisions of articles 12 to 14, without this implying a medial contest of infringements.

EDP COMERCIALIZADORA, SAU alleges that the treatment related to the creation of a commercial profile based on the information of third parties for the submission of advertising information is not, in practice, being carried out, not even at the date of issuance of these allegations, nor prior to them. It also alleges that, despite the fact that EDP COMERCIALIZADORA includes the possibility of profiling and adopting automated decisions, the only profiling carried out is the one related to the qualification of clients in terms of fraud prevention, treatment for which there is legal authorization and which is based on the legitimate interest of EDP COMERCIALIZADORA, in order to safeguard the good progress of the contracts made by EDP COMERCIALIZADORA, as well as to prevent customers, whose sole purpose is to consume the energy service without paying the bills, from becoming part of the client portfolio. Notwithstanding the foregoing, the owners of the data are informed that said profiling is reviewed and finally processed by EDP COMERCIALIZADORA staff, which is why it cannot be considered as an automated decision in itself, taking into account the literal wording in this regard of the concept established by the authorities. In other words, there is no data processing based on automated decisions, nor is there any manifestation about such treatments, since outside of those strictly necessary to continue with the service and those provided by law, they are not carried out, which is why not only can it not be considered that there is a breach of article 22 of the RGPD, since the requirements set out by the regulations are met, but there are not, nor can there be, data owners who may have been affected by said treatments.

The purpose of this procedure at this point is the examination of consent for the enrichment of profiles with third-party databases for the purpose of sending advertising communications and possible automated decisions that produce legal effects or significantly affect the interested party and that also have as base the consent of the same. Therefore, the profiling carried out for the prevention of fraud, which EDP COMERCIALIZADORA SAU bases on the legitimate interest, is not examined here, neither with regard to its legitimacy nor in relation to whether automated decisions are produced based on said profiling.

The procedure instruction has not made it possible to verify that EDP COMERCIALIZADORA, SAU has carried out profiling incorporating data from third party databases or data processing based on automated decisions that produce legal effects or significantly affect the interested party who has consented to such processing, as is requested during the hiring process.

This Agency considers that in the event that the treatments mentioned in the previous paragraph are intended to be carried out, they should comply with the expressed demands and the requirements that allow it to be considered that the consent has been validly given and that all the requirements of article 22 of the RGPD are met.

Consequently, it is deemed appropriate that, due to lack of evidence and taking into account the principle of presumption of innocence expressly set forth for disciplinary administrative procedures in article 53.2.b) of Law 39/2015, of October 1, on Common Administrative Procedure of the Public Administrations, which recognizes the interested party the right “To the presumption of non-existence of administrative responsibility until the contrary is proven”, the violation of the provisions of articles 6 and 22, identified as possible infractions in the agreement to initiate this sanctioning procedure, not be considered attributable to EDP COMERCIALIZADORA, SAU.

IV

Article 12.1 of the RGPD provides that “The person responsible for the treatment will take the appropriate measures to provide the interested party with all the information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 regarding the treatment, in a concise, transparent, intelligible and easily accessible form, with clear and simple language, in particular any information directed specifically to a child. The information will be provided in writing or by other means, including, if applicable, by electronic means. When requested by the interested party, the information may be provided verbally as long as the identity of the interested party is proven by other means.”

Articles 13 and 14 list the categories of information that must be provided when personal data is obtained from the interested party and when personal data has not been obtained from the interested party, respectively.

When personal data is collected directly from the interested party, the information must be provided at the same time that data collection takes place.
Article 13 of the RGPD provides: “Information that must be provided when personal data is obtained from the interested party
1. When personal data relating to him are obtained from an interested party, the person responsible for the treatment, at the moment in which these are obtained, will provide all the information indicated below:
   1. the contact details of the data protection officer, if applicable;
   2. the purposes of the treatment to which the personal data are destined and the legal basis of the treatment;
   3. when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the controller or a third party;
   4. the recipients or categories of recipients of the personal data, if applicable;
   5. where appropriate, the intention of the person in charge of transferring personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of the transfers indicated in articles 46 or 47 or the Article 49, paragraph 1, second subparagraph, reference to adequate or appropriate guarantees and the means to obtain a copy of these or the fact that they have been provided.
2. In addition to the information mentioned in section 1, the data controller will provide the interested party, at the time the personal data is obtained, the following information necessary to guarantee fair and transparent data processing:
   1. the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period;
   2. the existence of the right to request the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to data portability;
   3. when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on consent prior to its withdrawal;
   4. the right to file a claim with a supervisory authority;
   5. if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data;
   6. the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the applied logic, as well as the importance and expected consequences of said treatment for the interested party.
3. When the person responsible for the treatment plans the subsequent processing of personal data for a purpose other than that for which they were collected, he will provide the interested party, prior to said further processing, information about that other purpose and any additional pertinent information in accordance with section 2.
4. The provisions of sections 1, 2 and 3 will not be applicable when and to the extent that the interested party already has the information.”

Article 14
“Information to be provided when personal data has not been obtained from the interested party
1. When the personal data has not been obtained from the interested party, the person responsible for the treatment will provide the following information:
   1. the contact details of the data protection officer, if applicable;
   2. the purposes of the treatment to which the personal data are destined, as well as the legal basis of the treatment;
   3. the categories of personal data in question;
   4. the recipients or categories of recipients of the personal data, if applicable;
   5. where appropriate, the intention of the person in charge of transferring personal data to a recipient in a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of the transfers indicated in articles 46 or 47 or article 49, paragraph 1, second subparagraph, reference to adequate or appropriate guarantees and the means to obtain a copy of them or to the fact that they have been provided.
2. In addition to the information mentioned in section 1, the data controller will provide the interested party with the following information necessary to guarantee fair and transparent data processing with respect to the interested party:
   1. the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period;
   2. when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person responsible for the treatment or of a third party;
   3. the existence of the right to request the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, and to oppose the treatment, as well as the right to data portability;
   4. when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on consent before withdrawal;
   5. the right to file a claim with a supervisory authority;
   6. the source from which the personal data come and, where appropriate, if they come from publicly accessible sources;
   7. the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and expected consequences of said treatment for the interested party.
3. The data controller will provide the information indicated in sections 1 and 2:
   1. within a reasonable period, once the personal data has been obtained, and at the latest within one month, taking into account the specific circumstances in which said data is processed;
   2. if the personal data are to be used for communication with the interested party, at the latest at the time of the first communication to said interested party, or
   3. if it is planned to communicate them to another recipient, at the latest when the personal data is communicated for the first time.
4. When the data controller plans the further processing of personal data for a purpose other than that for which it was obtained, it will provide the interested party, prior to such further processing, information on that other purpose and any other pertinent information indicated in section 2.
5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent that:
   1. the interested party already has the information;
   2. the communication of said information is impossible or involves a disproportionate effort, in particular for the treatment for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and guarantees indicated in article 89, section 1, or to the extent that the obligation mentioned in section 1 of this article may make it impossible or seriously impede the achievement of the objectives of such treatment. In such cases, the person in charge will adopt adequate measures to protect the rights, freedoms and legitimate interests of the interested party, including making the information public;
   3. the obtaining or communication is expressly established by the law of the Union or of the Member States that applies to the person responsible for the treatment and that establishes adequate measures to protect the legitimate interests of the interested party, or
   4. when personal data must remain confidential on the basis of an obligation of professional secrecy regulated by the law of the Union or of the Member States, including an obligation of secrecy of a statutory nature.”

For its part, article 11, numbers 1 and 2 of the LOPDGDD provides the following: “Article 11. Transparency and information to the affected party 1. When the personal data are obtained from the affected party, the person responsible for the treatment may comply with the established duty of information in Article 13 of Regulation (EU) 2016/679, providing the affected party with the basic information referred to in the following section and indicating an electronic address or other means that allows easy and immediate access to the rest of the information.
2. The basic information referred to in the previous section must contain, at least: a) The identity of the person responsible for the treatment and their representative, if applicable. b) The purpose of the treatment. c) The possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679. If the data obtained from the affected party were to be processed for profiling, the basic information will also include this circumstance. In this case, the affected party must be informed of his right to oppose the adoption of automated individual decisions that produce legal effects on him or significantly affect him in a similar way, when this right concurs in accordance with the provisions of article 22 of Regulation (EU) 2016/679”.

In relation to this principle of transparency, what is expressed in Recitals 39, 58, 60 and 61 of the RGPD is also taken into account.

(39) “All processing of personal data must be lawful and fair. For natural persons, it must be completely clear that personal data concerning them is being collected, used, consulted or otherwise processed, as well as the extent to which said data is or will be processed. The principle of transparency requires that all information and communication regarding the processing of such data be easily accessible and easy to understand, and that simple and clear language be used. This principle refers in particular to the information of the interested parties about the identity of the person responsible for the treatment and the purposes of the same and to the information added to guarantee a fair and transparent treatment with respect to the affected natural persons and their right to obtain confirmation and communication of the personal data that concern them that are object of treatment. Individuals must be aware of the risks, rules, safeguards and rights related to the processing of personal data as well as how to enforce their rights in relation to the treatment. In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, to ensure that their retention period is limited to a strict minimum. Personal data should only be processed if the purpose of the processing could not reasonably be achieved by other means. To ensure that personal data is not kept for longer than necessary, the data controller must establish deadlines for its deletion or periodic review. All reasonable steps must be taken to ensure that inaccurate personal data is rectified or deleted. Personal data must be treated in a way that guarantees adequate security and confidentiality of personal data, including to prevent unauthorized access or use of said data and the equipment used in the treatment”.

(58) “The principle of transparency requires that all information addressed to the public or the interested party be concise, easily accessible and easy to understand, and that a clear and simple language be used, and also, where appropriate, be displayed. This information could be provided in electronic form, for example, when directed to the public, through a website. This is especially pertinent in situations in which the proliferation of agents and the technological complexity of the practice make it difficult for the interested party to know and understand whether, by whom and for what purpose, personal data concerning him or her are being collected, such as in the case of online advertising. Since children deserve specific protection, any information and communication whose treatment affects them must be provided in clear and simple language that is easy to understand.”

(60) “The principles of fair and transparent treatment require that the interested party be informed of the existence of the treatment operation and its purposes. The data controller must provide the interested party with any additional information necessary to guarantee fair and transparent treatment, taking into account the specific circumstances and context in which the personal data are processed. The interested party must also be informed of the existence of profiling and the consequences of such elaboration. If personal data is obtained from data subjects, they must also be informed of whether they are obliged to provide it and of the consequences if they do not do so. Said information can be transmitted in combination with standardized icons that offer, in an easily visible, intelligible and clearly legible way, an adequate overview of the planned treatment. Icons presented in electronic format must be machine readable.”

(61) “Information on the processing of their personal data must be provided to the interested parties at the time they are obtained from them or, if they are obtained from another source, within a reasonable period of time, depending on the circumstances of the case. If the personal data can be legitimately communicated to another recipient, the data subject must be informed at the time they are communicated to the recipient for the first time. The person in charge of the treatment that plans to process the data for a purpose other than that for which it was collected must provide the interested party, before said further treatment, information about that other purpose and other necessary information. When the origin of the personal data cannot be provided to the interested party because various sources have been used, general information should be provided.”

Examining the information offered by EDP COMERCIALIZADORA, SAU, it is observed that it does not meet the requirements of article 13 of the RGPD.

In the first place, when contracting is carried out through the CAC Inbound, Telemarketing and Leads subchannels, the information is provided by telephone in the following way, as can be seen from the evidence provided:

In the CAC Inbound channel the following is indicated to whoever makes the contracting by phone: “Your personal data and those of your client will be processed by EDP Comercializadora SAU and EDP Energía SAU for the management of their contracts, fraud prevention, profiling based on information from the client and EDP, as well as the realization of personalized communications about products or services directly related to their contracts, being able to oppose them at any time.” (Evidence 2, CAC Inbound channel contracting.)

In the Telemarketing and Leads contracting sub-channels, in addition to the information that appears in the previous paragraph, the following information is added: “We remind you that you may exercise your rights of access, rectification, opposition, deletion, limitation and portability, through any of the channels indicated in the General Conditions that can be consulted on our website www.edpenergia.es.” (evidences 3 and 4)
Said information is not in accordance with the provisions of article 13 of the RGPD in relation to the provisions of article 11 of the LOPDGDD. In the first case the information is incomplete, since during the contracting process in the CAC Inbound channel the person contracting is not informed of the possibility of exercising the rights established in articles 15 to 22 of the RGPD, nor is that person given an electronic address or other means that allows simple and immediate access to the rest of the information.
It is alleged that at the beginning of the call the following phrase is heard: “This call can be recorded. The data you provide us will be processed by EDP Energía, SAU and / or EDP Comercializadora, SAU for the management of your request or inquiry. You can exercise the rights of access, rectification, deletion, opposition, limitation and portability at any time. Consult the Privacy Policy on our website edpenergia.es or press 0.” It also considers that, according to article 13.4 of the RGPD, the obligation to inform does not apply to the extent that the interested party already has the information, and that in this case, taking into account that the initial announcement is reproduced automatically in each call, it is sufficiently proven that any interested party who contacts EDP COMERCIALIZADORA through the CAC Inbound Channel receives the information regarding protection of personal data.
Such allegations cannot be shared. In the opinion of this Agency, information is provided in a fragmented and dispersed way that does not comply with the provisions of articles 13 of the RGPD and 11 of the LOPDGDD. In the initial statement that is alleged to be heard in any case when the call is initiated, the interested party is informed of the processing of their data with the generic purposes of “managing the request or consultation”, is informed of the possibility of exercising the rights recognized by the RGPD and is directed to the privacy policy on the website or instructed to dial 0. In that second speech, the purposes are extended to conducting surveys and participating in sweepstakes, games and promotions, without, on the other hand, On the other hand, the legal basis for participation in raffles, games and promotions is reported, but does not contain any reference to purposes other than those mentioned in this paragraph.
In the information that is provided to you in the framework of the telephone contracting in the CAC Inbound channel, according to evidence 2, other different purposes are listed, only reference is made to the possibility of opposing personalized communications about products or services directly related to the contracts, and the interested party is not directed to the General Contracting Conditions, which would contain, apart from the deficiencies that this Agency has observed in them, the specific information related to such purposes.
It is not in accordance with the possibility of informing by layers that the interested party must go to different phrases to know the basic information referred to in article 11 of the LOPDGDD, so that the interested party must deduce from a first phrase that he can exercise rights other than that of opposition to commercial communications, the only one of which he is informed at the time of contracting. On the other hand, none of the aforementioned phrases refers the interested party to the general contracting conditions where the information required in accordance with article 13 regarding the aforementioned purposes during the contracting on the CAC Inbound channel can be found, but rather they refer generically to the privacy policy of the website, which does not include that specific information.
On the other hand, the electronic address indicated in evidence 3 and 4, within the framework of telephone contracting in the Telemarketing and Leads channels, does not allow easy and immediate access to the rest of the information, violating what is foreseen in article 11.1 of the LOPDGDD. The examination of the search process for the General Conditions (as documented in the ninth number of the events) shows that the address provided does not lead directly to the information required in accordance with article 13 of the RGPD, but to the website of the interested party, where a search must be carried out that, in addition, yields various similar results and requires a search in the general conditions (which include numerous aspects related to contracting) for information on data protection. Therefore, it cannot be considered that such an electronic address allows immediate access to such information, nor is access easy for anyone.
It is alleged by EDP COMERCIALIZADORA that to find the aforementioned general conditions, a simple search is enough to access them directly, using the search engine available on the website. By searching for “contracting conditions” or “general contracting conditions”, the documents relating to the general contracting conditions are published as the first results.
Such allegation cannot be shared: even using the page’s own search engine, the information is not directly accessible, as is demonstrated in the search process documented by this Agency. In this regard, it should be recalled that the “Guidelines on transparency under Regulation 2016/679”, adopted on 11/29/2017 and revised on 04/11/2018, approved by the European Data Protection Committee in its first plenary meeting, state that “Both articles 13 and 14 refer to the obligation by which the data controller “will provide all the information indicated below” to the interested party. The key word in this expression is “will provide.” This means that the data controller must take active measures to provide the information in question to the interested party or actively direct the interested party to its location (e.g., through a direct link, the use of a QR code, etc.). The interested party should not have to actively seek the information covered by such articles among other information, such as the conditions of use of a website or an application.” On the other hand, although this Agency values positively that a direct access to the information required by article 13 of the RGPD has been created, this does not invalidate the fact that until its creation, after the proposed resolution, access to the information lacked that element of immediacy and simplicity required by article 11 of the LOPDGDD.
It is also alleged that an infringement of the duty of transparency was not committed, as the complete information on data protection (with the content required by the regulations) is contained within the general contracting conditions that are sent to the interested party after contracting. This argument cannot be shared: the information must be provided to the interested party at the time the data is obtained, without being able to defer that moment to the reception of the contract. Article 13 of the RGPD determines in its first paragraph when the information must be provided, stating that “when personal data concerning him are obtained from an interested party, the person responsible for the treatment, at the moment these are obtained, will provide all the information indicated below: (…)” (the underlining is from the AEPD). The LOPDGDD allows said information to be provided in layers, providing the interested party during the data collection with basic information, the content of which it determines, and allowing an electronic address or other means to be indicated that allows simple and immediate access to the rest of the information. The element of immediacy is essential to comply with article 13 of the RGPD, so that providing the information days later, when a contract is received, does not comply with the requirement to provide the information that according to said precept must be communicated “at the time when” the data of the interested party are obtained.
In this same sense, the aforementioned “Guidelines on transparency under Regulation 2016/679” state that “Regardless of the formats used in this tiered approach, the WG29 recommends that the first “level” (that is, the main way by which the controller interacts for the first time with the interested party) usually transmits the most important information (mentioned in section 36), namely the details of the purposes of the treatment, the identity of the controller and the existence of the rights of the interested party, together with information on the greatest impact of the treatment or treatment that could surprise the interested party. For example, when the first contact with an interested party is by telephone, this information could be provided during the call with the interested party and the latter could receive the rest of the information required under article 13 or 14 by other additional means, for example, by sending them a copy of the privacy policy by email or a link to the online privacy statement / notice of the controller.” These means, email or link to the privacy statement, also affect this element of immediacy, which allows compliance with the provisions of article 13.
In this regard, the considerations included in the opinion of the Council of State on the preliminary draft of the Organic Law on Data Protection of a personal nature must be taken into account, in which the following was indicated regarding the information by layers:
“(…) If the information is provided in another format, or through different “layers”, the principle of transparency will not be violated, but the person in charge must assess whether the principle has been adequately complied with or if some type of additional measure for the protection of rights is required, (…)”. And it added “(…) Notwithstanding the foregoing, it should be remembered that article 13 requires that all the information that must be provided to the interested party is provided at the time the personal data being processed is obtained. Despite the direct applicability of this provision of the Regulation, it would be convenient for Article 12 of the preliminary draft to specify that this “layered” information method cannot in any case imply a delay in the supply of information considered “non-basic”.”

4. On the other hand, with regard to the information provided both by telephone (evidence 2, 3 and 4) and in the general conditions (evidence 6 and the general conditions document of the website), the following is observed:
1. Regarding the person responsible for the treatment, it is indicated in evidence 2, 3, 4 and 5 that the data will be “processed by EDP Comercializadora SAU and EDP Energía SAU”, which does not necessarily correspond to the entity with which it is contracting, since whenever only the energy service or only the gas service is contracted, the person responsible will be one or the other, without the interested party being correctly informed in such cases about who is responsible for the treatments. The same reproach can be made to the information provided in the general conditions, in which it is indicated “Said data, in addition to those obtained as a result of the execution of the contract, will be processed by EDP COMERCIALIZADORA, SAU, with address at c / General Concha, 20, 48001, Bilbao and by EDP ENERGIA, SAU with address at Plaza del Fresno, 2 -33007, Oviedo in their capacity as Data Controllers.” It is also imprecise information, since one or the other entity will be responsible depending on the contracted service or, where appropriate, each of the entities for the respective treatments derived from the contract and the possible consents granted, without this information being clear to the client. To this imprecision in the determination of the person in charge is added that of referring generically to EDP in the rest of the information provided, so that the interested party does not know, in the case of other treatments, which is the responsible entity.
In this regard, EDP COMERCIALIZADORA, SAU alleges that the customer is informed about the identity of the data controller through the privacy policy in relation to the contracting conditions. Privacy policy: “the data will be processed by EDP Comercializadora SAU and EDP Energía SAU”. Specific conditions of the contract: “The customer contracts, for the supply indicated, the supply of gas with EDP Comercializadora, SAU and the supply of electricity and / or complementary services with EDP ENERGIA, SAU, (hereinafter jointly and / or individually, as appropriate, referred to as “EDP”) in accordance with the Specific Conditions set out below and the General Conditions in the annex”. Therefore, the interested party (which has full capacity to contract and, therefore, it is assumed that he should be able to understand the terms and conditions that govern said contracting) is aware at all times that, depending on the contracting of the gas and / or electricity supply service, their data will be processed by one or both entities.
This allegation cannot be shared by this Agency. From what was affirmed by EDP COMERCIALIZADORA, SAU, it can only be admitted that what the client knows is the entity with whom he has contracted the services, but not the person responsible for the different treatments of data that may be made, since, as stated above, in other evidence and in the contracting conditions themselves, it is stated that both entities are responsible for data processing (evidence 2, 3, 4 and 5) and the generic EDP formula is used that encompasses both.
Other explanations by EDP COMERCIALIZADORA, SAU, such as the absence of activity of one of the entities and the possible sale to third parties, already carried out as stated, do not justify the inaccuracy of the information, since it is contracted in the name of two different entities, regardless of whether one is active or not, an aspect that is irrelevant from the point of view of data protection, since said entity continues to act as data controller.
2. Regarding the purposes and legitimizing bases of data processing, the general conditions indicate the following: “manage, maintain, develop, complete and control the contracting of electricity and / or gas supply and / or complementary services of and / or gas and / or complementary services for review and / or technical assistance and / or points program, and / or service improvement, to carry out fraud prevention actions, as well as profiling, personalized commercial communications based on information provided by the Client and / or derived from the provision of the service by EDP and related to products and services related to the supply and consumption of energy, maintenance of facilities and equipment. Said treatments will be carried out in strict compliance with current legislation and insofar as they are necessary for the execution of the contract and / or the satisfaction of EDP’s legitimate interests, provided that other rights of the client do not prevail over the latter.”
This Agency considers that it is not easy for anyone, without knowledge of the subject of data protection, to differentiate which treatments derive from the contract and which are based on the legitimate interest of the person in charge. Nor is it indicated what is the legitimate interest that the person in charge attributes to himself. It is essential for the exercise of the rights of the interested parties to know the legal basis on which the treatment is based, in particular to be able to exercise their right to oppose the treatment when it is based on the legitimate interest of the person in charge in accordance with the provisions of article 21 of the GDPR.
In this sense, the Guidelines on Transparency under Regulation (EU) 2016/679, adopted on November 29, 2017 by the Article 29 Working Group, state that “The specific interest in question must be identified for the benefit of the interested party. As a matter of good practice, the data controller may also provide the data subject with the information resulting from the ‘weighting examination’ that must be carried out in order to be able to benefit from the provisions of Article 6 (1) (f), as a lawful basis for the treatment, prior to any collection of the personal data of the interested parties. To avoid information fatigue, this can be included within a tiered privacy statement / notice (see section 35). In any case, the position of the WG29 is that the information addressed to the interested party must make it clear that he or she can obtain information on the weighting test upon request. This is essential for transparency to be effective when stakeholders have doubts as to whether the weighting test has been carried out fairly or wish to make a complaint.”
This Agency does not share the argument that neither article 13 nor any other legal precept requires that the privacy policy list each purpose, specifically indicating the basis of legitimation that results from application. The very wording of article 13 requires that the interested party be informed of “the purposes of the treatment to which the personal data are intended and the legal basis of the treatment”, that is, the use of the singular makes it clear that the legal basis of each treatment must be indicated. Transparency is closely linked to the legality of the treatment: article 5.1.a) of the RGPD indicates as one of the principles related to the treatment the principle of legality, loyalty and transparency. The legal basis determines the legality of the treatment, so the person in charge must inform the interested party in each case that there is an appropriate legal basis to carry out said treatment in accordance with article 6 of the RGPD, without it being admissible for the interested party to have to interpret the privacy policy to determine what may be the legitimizing basis for each treatment.

This Agency also does not agree with the allegation that “for any person it may be evident that treatments such as “manage, maintain, develop, fulfill and control the contracting of electricity and / or gas supply and / or complementary services of and / or gas and / or complementary services of revision and / or technical assistance and / or program of points, and / or improvement of the service” are closely related to the execution of the contract, the others being assignable to legitimate interest.”
In this regard, it is worth recalling what is stated in the aforementioned “Guidelines on transparency under Regulation 2016/679”. They analyze the scope to be attributed to the transparency elements established in article 12 of the RGPD, according to which the data controller will take the appropriate measures to “provide the interested party with all the information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 regarding the treatment, in a concise, transparent, intelligible and easily accessible form, with a clear and simple language”, which must be related to what is expressed in Recital 39 of the aforementioned Regulation. From what is stated in said Guidelines, the following should be highlighted at this time: “The requirement that the information be “intelligible” means that it must be understandable to the average member of the target audience. Intelligibility is closely linked to the requirement to use clear and simple language. A data controller acting with proactive responsibility will know the people about whom it collects information and can use this knowledge to determine what that audience is likely to understand…”. In the present case, the services provided by EDP COMERCIALIZADORA, SAU are aimed at all citizens, so it cannot be presumed that anyone can understand when it comes to one legal basis or another. In this sense, the allegations themselves indicate that their clients do not distinguish between opposition and revocation of consent, which shows that, in general, they lack technical knowledge on the matter and cannot distinguish between different legal bases, which involve the exercise of rights in a different way.
Regarding the information on the legitimate interest attributed to the person in charge, EDP COMERCIALIZADORA alleges that they are clearly exposed and put in relation to the purposes pursued, that is: prevention of fraud and marketing, in relation to the sending of personalized commercial communications. In these cases, it is considered obvious that there is an identification between the purpose reported and the self-interest pursued, so making a separate allusion to the latter would be redundant.
This allegation cannot be admitted, within the treatments indicated by EDP whose basis, as indicated in its allegations, is its legitimate interest, mention is made of “profiling” for which neither the legitimate interest nor the purpose is indicated.
In this sense, the Guidelines of the Working Group of Article 29 on automated individual decisions and profiling for the purposes of Regulation 2016/679, adopted on 10/03/2017 and revised on 02/06/2018, state the following:
“The transparency of the treatment is a fundamental requirement of the GDPR.
The profiling process is usually invisible to the data subject. It works by creating derived or inferred data about people (“new” personal data that has not been directly provided by the data subjects themselves). People have different levels of understanding and it can be difficult for them to understand the complex techniques of automated profiling and decision-making processes. ”
“Taking into account the basic principle of transparency underpinning the GDPR, data controllers must ensure that they clearly and easily explain to people how profiling or automated decisions work.
In particular, when the processing involves decision-making based on profiling (regardless of whether they fall within the scope of the provisions of article 22), the user must be made aware of the fact that the processing has the purposes of both a) profiling and b) adoption of a decision based on the profile generated.
Recital 60 establishes that providing information about the preparation of profiles is part of the transparency obligations of the data controller according to article 5, paragraph 1, letter a). The interested party has the right to be informed by the data controller, in certain circumstances, about their right to oppose the «profiling» regardless of whether individual decisions have been made based solely on automated processing on the basis of profiling”.
“The data controller must explicitly mention to the interested party details about the right of opposition according to article 21, sections 1 and 2, and present them clearly and apart from any other information (article 21, section 4).
According to article 21, paragraph 1, the interested party may object to the processing (including profiling) for reasons related to their particular situation. Those responsible for the treatment are specifically obliged to offer this right in all cases in which the treatment is based on article 6, paragraph 1, letters f)”.
In this case, in the opinion of this Agency, the information requirements described above are not met. EDP COMERCIALIZADORA, SAU, is limited to reporting on the “Profiling”, but it does not offer information on the type of profiles to be made, the specific uses to which these profiles are to be put or the possibility that the interested party can exercise the right of opposition in application of article 21 of the RGPD.
The claim that profiling is associated with the sending of personalized commercial communications cannot be accepted here. As indicated when determining the purposes in the first paragraph of the general conditions, the following are listed: “manage, maintain, develop, complete and control the contracting of electricity and / or gas supply and / or complementary services of and / or gas and / or complementary services for review and / or technical assistance and / or points program, and / or service improvement, to carry out fraud prevention actions, as well as profiling, personalized commercial communications based on information provided by the Client and / or derived from the provision of the service by EDP and relating to products and services related to the supply and consumption of energy, maintenance of facilities and equipment ”, clearly separating the purpose of making profiles of that of sending commercial communications.
In the same way, as shown by evidence 2, 3 and 4, during the telephone contracting process by means of a representative, the latter is informed that: “Your personal data and that of your client will be processed by EDP Comercializadora SAU and EDP Energía SAU for the management of their contracts, fraud prevention, profiling based on customer and EDP information, as well as making personalized communications about products or services directly related to their contracts, being able at any time to oppose them.” Likewise, the realization of profiles is reported as a treatment or treatments that are different and separate from the sending of personalized communications about products or services directly related to the contracts, as evidenced by the use of the conjunctive phrase “as well as”.
In any case, even if it could be taken for granted that the intention of EDP COMERCIALIZADORA, SAU was to link both purposes, the way in which the information is given infringes the principle of transparency, as stated in recital 60: “The principles of fair and transparent treatment require that the interested party be informed of the existence of the treatment operation and its purposes. The data controller must provide the interested party with any additional information necessary to guarantee fair and transparent treatment, taking into account the specific circumstances and context in which the personal data are processed. The interested party must also be informed of the existence of profiling and of the consequences of such elaboration.”
1. The general conditions also provide the following information regarding the treatments based on the consent of the interested party:
“Provided that the client has explicitly accepted it, their personal data will be processed, even after the contractual relationship has ended and as long as there is no opposition to said treatment, to:
(I) The promotion of financial services, payment protection services, automotive or related and electronic, own or third parties, offered by EDP and / or participation in promotional contests, as well as for the presentation of commercial proposals related to the energy sector after the end of the contract, (II) The elaboration of Commercial profiles of the Client through the aggregation of third-party databases, in order to offer the Client personalized products and services, thus improving the client’s experience, (III) The adoption of automated decisions, such as allowing contracting, or not, of certain products and / or services based on the Client’s profile and particularly, on data such as the history of defaults, the history of contracts, permanence, locations, consumption data, types of devices connected to the energy network, and similar data that allow to know in greater detail the risks associated with the hiring. (IV) Based on the results obtained from the aggregation of the indicated data, EDP may make personalized offers, and specifically aimed at achieving the contracting of certain products and / or services from EDP or third-party entities depending on whether the client has so consented or not, being in any case data processed whose age will not exceed one year. In the event that said process is carried out in an automated way, the client will always have the right to obtain human intervention from EDP, admitting the challenge and, where appropriate, evaluation of the resulting decision.”
Nor is it easy for anyone without specialized knowledge to understand what type of processing is going to be carried out on the basis of consent. In particular, the wording of point IV is not clear at all: it is unknown what data it refers to with “the results obtained from the aggregation of the indicated data”, which could be both those contained in number III above and those obtained from third party databases or all of them. The purpose of the treatment seems to indicate that these are advertising treatments different from those indicated in the first two numbers, without the difference being evident with respect to them. On the other hand, the last paragraph of this point IV is not understandable, when mentioning the rights that article 22 of the RGPD recognizes to the interested parties when automated decisions are adopted that produce legal effects on them or significantly affect them in a similar way.
The allegations offer an explanation about the purposes of the different treatments and the data to be processed that seek to clarify these aspects, however, it is not in them where such points should be clarified but rather it is the information provided to the interested party that must be clear and understandable for the latter, breaching the information provided, in the opinion of this Agency, the provisions of article 12 of the RGPD.
2. The general conditions inform as follows regarding the rights of the interested party:

“Rights of the data owner
The client will have at all times the possibility of exercising the following rights freely and completely free of charge:
1. Access your personal data that is processed by EDP.
2. Rectify your personal data that are processed by EDP that are inaccurate or incomplete.
3. Delete your personal data that are processed by EDP.
4. Limit the treatment by EDP of all or part of your personal data.
5. Oppose certain processing and automated decision-making of your personal data, requiring human intervention in the process, as well as contesting the decisions that are finally adopted by virtue of the processing of your data.
6. Port your personal data in an interoperable and self-sufficient format.
7. Withdraw at any time, the consents previously granted. ”
Although this information includes all the rights that the RGPD grants to the interested party, it must be adapted to the specific treatments carried out by the person in charge. As indicated in the aforementioned Guidelines on Transparency under Regulation (EU) 2016/679: “This information must be specific to the processing scenario and include a summary of what the right implies and how the interested party can act to exercise it, as well as any limitation to the right.”
The allegation cannot be accepted that the obligation to detail the specific treatments to which the interested party has the right to oppose not only is not an obligation included in the RGPD, the LOPDGDD or any other applicable regulations, but also that the AEPD in its guides and tools (among others, the Guide for the fulfillment of the duty to inform or the Facilita tool) does not indicate that the informative clauses on the right of opposition must specify the treatments to which the right of opposition applies. Here, it should be reiterated what is stated in the Guidelines of the Working Group of Article 29 on automated individual decisions and profiling for the purposes of Regulation 2016/679, adopted on 10/03/2017 and revised on 02/06/2018, which indicate the following:
“The data controller must explicitly mention to the interested party details about the right of opposition according to article 21, sections 1 and 2, and present them clearly and apart from any other information (article 21, section 4).”
Therefore, it is not enough to mention the right to oppose “certain treatments”, but it must be informed that these treatments, in this case, are those that the person in charge bases on article 6.1.f), that is, in the existence of a prevailing legitimate interest over the interests, rights and freedoms of the interested party, and it must be clear to the interested party which are these treatments against which they can exercise their right of opposition.
Nor can it be shared that this interpretation violates the principle of interdiction of the alleged arbitrariness when EDP COMERCIALIZADORA considers that the presentation of information regarding the exercise of rights, as presented in its information, constitutes a recommended practice, and one even applied by the Spanish Agency for Data Protection in its privacy policy. In this regard, it should be taken into account that this Agency does not carry out treatments based on the provisions of article 6.1.f, in particular those related to direct marketing.
It is imprecise to point out that the interested party can oppose the adoption of automated decisions regarding their personal data. These can only be carried out by the person in charge in the cases provided for in article 22 of the RGPD, based in the present case on the consent of the interested party, so that he must be able to know that he can revoke the consent given for the adoption of such decisions at any time, without prejudice to the fact that the interested parties are also informed of the rights conferred by article 22.
The claim that the semantic and technical nuance associated with the terms “opposition” and “revocation” in the context of the exercise of rights cannot have an impact on the interested party, regarding this imprecision regarding the exercise of rights, because with both terms the user achieves the same objective, which is that a treatment specifically identified in the policy stops being produced and that the term used by EDP COMERCIALIZADORA (opposition) in the context of this type of treatment is understood in the regulations and by the market itself in a broader way – and therefore more guaranteed – since it allows the user to eliminate a treatment whether based on consent or based on legitimate interest. The regulations are clear when defining both rights and when they can be exercised in articles 7 and 21.1.2 of the RGPD, which requires correlatively, that the interested party has knowledge of the legal basis of the treatment. Thus, the incorrect information provided on the exercise of rights of the interested party cannot be justified in a presumed greater guarantee for the interested parties.
Consequently, in accordance with the evidence presented, the facts described in this Legal Basis constitute a violation of the principle of transparency regulated in article 13 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation granted to the Spanish Agency for Data Protection.

V

In the event of an infringement of the provisions of the RGPD, among the corrective powers available to the Spanish Data Protection Agency, as the control authority, article 58.2 of said Regulation includes the following:

“2. Each supervisory authority shall have all the following corrective powers:
(…)
d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(…)
i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;”.

According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine.

In the present case, the breach of the principle of privacy by design established in article 25 of the RGPD, as well as of the principle of transparency regulated in article 13 of the RGPD, with the scope expressed in the previous Bases of Law, implies the commission of individual offenses typified in articles 83.4 and 83.5 of the same rule, which under the heading “General conditions for the imposition of administrative fines” provides the following:

“4. Infringements of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of 10 000 000 EUR or, in the case of a company, an amount equivalent to a maximum of 2% of the total global annual turnover of the previous financial year, opting for the one with the highest amount:
a) the obligations of the controller and the processor under articles 8, 11, 25 to 39, 42 and 43;

5. Infringements of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of 20,000,000 EUR or, in the case of a company, of an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the one with the highest amount:

b) the rights of the interested parties in accordance with articles 12 to 22; (…)”.

In this regard, the LOPDGDD, in its article 71, establishes that “The acts and conducts referred to in paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law”.

For the purposes of the statute of limitations, articles 73 and 74 of the LOPDGDD indicate:
Article 73. Violations considered serious.

“1. Based on what is established in article 83.4 of Regulation (EU) 2016/679, infractions that imply a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will prescribe after two years:

d) The lack of adoption of those technical and organizational measures that are appropriate to effectively apply the principles of data protection by design, as well as the failure to integrate the necessary guarantees in the treatment, in the terms required by article 25 of Regulation (EU) 2016/679.”

Article 74. Infractions considered minor.

“The remaining infringements of a merely formal nature of the articles mentioned in sections 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and shall prescribe after one year, in particular, the following: a) Failure to comply with the principle of transparency of information or the right to information of the affected party by not providing all the information required by articles 13 and 14 of Regulation (EU) 2016/679”.

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, which state:

“1. Each supervisory authority shall guarantee that the imposition of administrative fines in accordance with this article for the infringements of this Regulation indicated in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:
a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;
b) the intent or negligence in the infringement;
c) any measure taken by the controller or the processor to alleviate the damages suffered by the interested parties;
d) the degree of responsibility of the controller or the processor, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32;
e) any previous infringement committed by the controller or the processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or the processor notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the controller or the processor in relation to the same matter, the fulfillment of said measures;
j) adherence to codes of conduct under article 40 or certification mechanisms approved under article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement.”

For its part, article 76, “Sanctions and corrective measures”, of the LOPDGDD provides:

“1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of said article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the offender’s activity with the processing of personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person’s conduct could have led to the commission of the offense.
e) The existence of a merger by absorption process after the commission of the offense, which cannot be attributed to the absorbing entity.
f) The affectation of the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The submission by the controller or processor, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.”

In this case, considering the seriousness of the violations found, the imposition of a fine is appropriate.

It is not possible to accept the request made by EDP COMERCIALIZADORA, SAU for other corrective powers to be applied, specifically the warning, which is intended for natural persons and for cases in which the sanction constitutes a disproportionate burden (recital 148 of the RGPD).

For the same reasons, and considering the criteria for graduation of the sanctions that are indicated below, the request for the imposition of a sanction in its minimum degree is also rejected.

In accordance with the transcribed precepts, in order to set the amount of the fines to be imposed in this case on EDP COMERCIALIZADORA, SAU, as responsible for the infractions typified in article 83.4.a) and 83.5.b) of the RGPD, the fine corresponding to each of the offenses charged is graduated as follows:

1. Infringement for breach of the provisions of article 25 of the RGPD, typified in article 83.4.a) and classified as serious for the purposes of prescription in article 73.d) of the LOPDGDD:

The following factors are considered to be aggravating factors that reveal greater unlawfulness and/or culpability in the conduct of the entity EDP COMERCIALIZADORA, SAU:

- The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operations in question: the infringement results from the absence of an effective implementation of technical and organizational measures to eliminate the risks generated by contracting services and obtaining consent for other purposes when acting through a representative.

- The intentionality or negligence appreciated in the commission of the offense. The deficiencies in such procedures for contracting and obtaining consent for other purposes should have been noticed by an entity with the characteristics of EDP COMERCIALIZADORA, SAU and avoided when designing its processes.

- The continuing nature of the offense. The infringement has its origin in an incorrect design of the procedures for contracting through a representative, which have been used since at least 2018 without being modified and without corrective measures being implemented until January of the current year, when a protocol for contracting through a representative was implemented.

- The high link between the activity of the offender and the processing of personal data. The operations that constitute the business activity carried out by EDP COMERCIALIZADORA, SAU as a marketer of gas services to individuals involve personal data processing operations.

It cannot be considered a mitigating factor, as alleged by the person in charge, that the data processing is carried out in an instrumental way without its activity being based on the exploitation of personal data. In this regard, it is taken into account that authorizations have been obtained from the representative, on behalf of the represented party, to carry out advertising treatments for non-energy products or services of companies or collaborators of EDP COMERCIALIZADORA.

- The condition of a large company of the responsible entity and its volume of business. According to the information obtained, the entity’s business volume was 989,491,000 euros in 2019.

It is alleged that being considered a large company and the volume of turnover are not circumstances foreseen as aggravating in either the RGPD or the LOPDGDD.

This allegation cannot be accepted. Article 83.1 of the RGPD provides that “Each control authority will guarantee that the imposition of administrative fines in accordance with this article for the infractions of this Regulation indicated in paragraphs 4, 5 and 6 is in each individual case effective, proportionate and dissuasive.” Number 2 of said article establishes that, when deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account: “(…) k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the benefits obtained or the losses avoided, directly or indirectly, through the infringement.”

For these purposes, as an aggravating factor, it is worth taking into account the consideration of the entity as a large company, which is linked, among other aspects, to its turnover, to the extent that it has greater means to comply with the obligations imposed by the GDPR.

- High volume of data and processing that constitutes the object of the proceedings. The volume of contracts signed by third parties on behalf of individuals rose to 11,657 in 2019.

- Any previous infraction committed by the controller or the processor: EDP COMERCIALIZADORA has been sanctioned in file PS/00025/2019 for the violation of article 6.1.b of the RGPD, for having contracted its services through an alleged representative whose status as such was not proven.

The person in charge alleges that the AEPD refers to the global billing volume of EDP COMERCIALIZADORA to quantify the infringement when it should exclusively take into account, where appropriate, the billing generated by the alleged breach, which in the case of article 25 of the RGPD relates exclusively to contracting by representation, the amount obtained from contracting by representation being approximately 2,550,000 euros.

In this regard, it should be taken into account that article 83.4 provides that “Violations of the following provisions shall be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year”. This Agency therefore understands that the total annual business volume is what operates as the limit on the amount of the fine, and not the profit obtained, which constitutes one more aggravating element. It should also be taken into account that 2% of the turnover of said entity during 2019 represents a figure of 19,789,820 euros, so the amount at which the fine is set, very far from that maximum, is a measured one.

On the other hand, said entity requests that the fact that special categories of data or data of minors are not processed be treated as a mitigating factor. In this regard, it should be considered that the processing of such data may constitute an aggravating factor, but the fact that such data is not processed does not in itself constitute a mitigating factor; nor has the person responsible for the treatment justified in any way why such circumstance should be taken into account in this sense.

Neither should the fact that the entity has been sold to another company be taken into account as a mitigating factor. Article 76.2.e) of the LOPDGDD refers to “the existence of a merger process by absorption subsequent to the commission of the offense, which cannot be imputed to the absorbing entity”. An analogical interpretation of this precept is sought here, so that said circumstance is extended to other “structural modifications” made after the commission of the offense. This interpretation cannot be admitted: when the LOPDGDD wants to refer to structural modifications in general it does so, while in the aforementioned provision it refers exclusively to the merger by absorption.

It alleges that the measures taken to mitigate the damages, such as the implementation of a new contracting protocol, the degree of cooperation with the administration and the degree of collaboration with the AEPD, should also be considered mitigating factors. These elements are taken into account in that no use has been made of another of the corrective powers available to this Agency, such as the imposition of measures in the terms provided in article 58.2 of the RGPD.

Considering the exposed factors, the value of the fine for the alleged offense is 500,000.00 euros.

2. Infringement for breach of the provisions of article 13 of the RGPD, typified in article 83.5.b) and classified as minor for the purposes of prescription in article 74.a) of the LOPDGDD:

The following graduation criteria are considered concurrent:

- The nature, seriousness and duration of the offense: the deficiencies noted in the information provided to the interested parties affect substantive aspects of the principle of transparency.

It is alleged that what is being reproached is the need to improve some aspects of its data protection policies, without the texts used having in any case generated a high level of damages, which should be considered a mitigating factor. This allegation cannot be accepted: these are not simple defects of no major significance in the information offered; said information violates fundamental aspects of the principle of transparency, as has been shown in this procedure.

- The intentionality or negligence appreciated in the commission of the offense. The defects indicated in the information provided show EDP COMERCIALIZADORA, SAU’s lack of diligence in complying with the transparency obligations imposed by the RGPD.

The allegation that in its actions it has followed the guides and directives of the AEPD and the European Data Protection Committee, which would show its diligence, cannot be accepted; on the contrary, the fundamentals of law set out the many aspects in which the guidelines of the European Data Protection Committee have not been taken into account in its action.

- The high link between the offender’s activity and the processing of personal data. The operations that constitute the business activity carried out by EDP COMERCIALIZADORA, SAU as a marketer of energy services involve personal data processing operations.

It cannot be considered a mitigating factor, as alleged by the person in charge, that the data processing is carried out in an instrumental way without its activity being based on the exploitation of personal data. As can be seen from the facts set forth in this procedure and from the general contracting conditions, consents are collected to carry out third-party advertising treatments in various sectors (financial, automotive payment protection and related, electronics …).

- The continuing nature of the offense, interpreted by the National High Court as a permanent offense.

- The condition of a large company of the responsible entity and its volume of business. According to the information obtained, the entity’s business volume was 989,491,000 euros in 2019.

Regarding the allegation that being considered a large company and the volume of billing are not circumstances foreseen as aggravating in either the RGPD or the LOPDGDD, this Agency reiterates what it stated, in response to the same allegation, when determining the aggravating factors of the infringement of article 25.

- High volume of data and processing that constitutes the object of the file. The infringement affects all data processing carried out by the entity EDP Comercializadora SAU.

- High number of interested parties. The infringement affects all natural person clients of the entity. According to the supervision report on changes of marketer for the first quarter of 2019, issued by the National Commission of Markets and Competition, the number of supply points of the entity in the domestic sphere amounted to 893,736, constituting 11.4% of the total of the gas sector in this domestic sphere.

The allegation that it is not a high volume of processing cannot be accepted because it does not identify groups other than its clients. The high number of natural person clients of the responsible entity is a sufficient element to consider this circumstance an aggravating factor.

Regarding other factors that the controller considers should be taken into account as mitigating factors, such as the fact that special categories of data or data of minors are not processed, or the sale of all the shares to another company, one can only refer to what was expressed by this Agency in the face of the same allegations in relation to the violation of article 25 of the RGPD.

It alleges that the measures taken to alleviate the damages, such as improving access to information on data protection, which is already available at the address edp-residencialbytotal.es/rgpd, and the degree of cooperation with the authority should also be considered mitigating factors. The alleged improvement affects only one of the defects indicated in relation to the transparency of the procedure, and its positive assessment by this Agency cannot mitigate the sanction, taking into account that the measure was taken once the present sanctioning procedure had been initiated.

Considering the exposed factors, the value of the fine for the alleged offense is 1,000,000.00 euros.

Therefore, in accordance with the applicable legislation and having assessed the graduation criteria for the sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE on the entity EDP COMERCIALIZADORA, SAU, with NIF A95000295, for an infringement of article 25 of the RGPD, typified in article 83.4.a) and classified as serious for the purposes of prescription in article 73.d) of the LOPDGDD, a fine of 500,000 euros (five hundred thousand euros).

SECOND: IMPOSE on the entity EDP COMERCIALIZADORA, SAU, for a violation of article 13 of the RGPD, typified in article 83.5.b) and classified as minor for the purposes of prescription in article 74.a) of the LOPDGDD, a fine of 1,000,000 euros (one million euros).

THIRD: DECLARE, for lack of evidence and in application of the principle of presumption of innocence, that the infractions of the provisions of articles 6 and 22 of the RGPD are not attributable to EDP COMERCIALIZADORA, SAU.

FOURTH: NOTIFY this resolution to EDP COMERCIALIZADORA, SAU.

FIFTH: Warn the sanctioned party that it must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by depositing the amount, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account No. ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection at the banking entity CAIXABANK, SA. Otherwise, it will be collected in the executive period.
Once the notification has been received and once the resolution is enforceable, if the date of enforceability falls between the 1st and the 15th of the month, both inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the immediately following business day, and if it falls between the 16th and the last day of the month, both inclusive, the payment deadline will be the 5th of the second following month or the immediately following business day.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of one month from the day following notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative resolution may be suspended provisionally if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The documentation that proves the effective filing of the contentious-administrative appeal must also be transmitted to the Agency. If the Agency is not made aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it will terminate the precautionary suspension.