The AEPD considers that EDP ENERGIA, S.A.U has not adopted technical and organizational measures to verify whether a person who hires its services on behalf of another natural person has authorization to carry out the contracting. Nor has it adopted technical and organizational measures to verify whether, who acts on behalf of another natural person, is authorized by that person to consent to other processing of personal data on their behalf. These consents were requested during the hiring procedure, for two purposes: sending their own commercial communications and those of third parties and profiling with information from third party databases for automated decision-making in order to send personalized commercials proposals and to enable the contracting of certain services. Consequently, the AEPD concludes that EDP ENERGIA, S.A.U. has violated article 25 of the GDPR. In accordance with Article 83 (4) (a), a fine of 500,000 euros was imposed.
In addition, the AEPD considers that the document designed to supply information to data subjects does not provide enough information about the controller, the legal basis for processing not based on consent, the purposes of processing relating to profiling on the basis of legitimate interest, nor the possibility to object to processing activities that the controller bases on its legitimate interest. Moreover, in some procedures for contracting the company’s services (e.g., contracting by telephone) the form of access to all the information required under Article 13 is not simple and immediate. Consequently, the AEPD considers that Article 13 of the GDPR has been infringed. Pursuant to Article 83(5)(b) of the GDPR, a fine of 1,000,000 euros was imposed.
To read the full decision in Spanish, click here.
For further information, please contact the Spanish DPA: prensa@aepd.es
The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
