AEPD fines EDP Comercializadora

AEPD fines EDP Comercializadora, S.A.U 1.5 million euros

AEPD fines EDP Comercializadora, S.A.U 1.5 million euros for two violations of the GDPR. 

EDP Comercializadora, S.A.U, an electricity service provider in Spain, has been fined for two violations of the GDPR. The company was found to lack sufficient technical and organizational measures to verify whether someone signing up for its services on behalf of another natural person is in fact authorised to do so, or authorised to process personal data on behalf of that other person. The AEPD also found that in some cases the company was not providing data subjects with sufficient information about the processing of their personal data, both because of the nature of the informational document provided to data subjects and because of the method by which the information was provided. A total of 1.5 million euros in fines was imposed on the company for these violations, in accordance with Article 83 of the GDPR.

AEPD fines EDP Comercializadora, S.A.U €500,000 for a violation of Article 25 of the GDPR.

Article 25(2) of the GDPR requires the implementation of appropriate technical and organisational measures to ensure the protection of personal data, from the point of collection and throughout the use and storage of that data. In addition, the regulation states: “In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.” EDP Comercializadora S.A.U was found to lack sufficient measures to avoid and mitigate the risks associated with the processing of personal data where the service is registered for by a third party. The company lacked the technical and organizational measures required to verify, firstly, whether a third party who contracts its service on behalf of another natural person has authorization to do so, and, secondly, whether they are authorized by that person to process personal data on their behalf. In accordance with Article 83(4)(a), the supervisory authority imposed a fine of €500,000 for this infringement.

An additional 1 million euro fine was imposed by the AEPD. 

Article 13 of the GDPR sets out the comprehensive and specific information that must be provided to every data subject at the point when personal data is collected from them. The data controller is required to provide all of this information to every data subject from whom data is collected and processed. Upon review of the document that the controller, EDP Comercializadora S.A.U, provided to data subjects, information was found to be lacking regarding the controller, the legal basis for processing not based on consent, the purposes of processing relating to profiling on the basis of legitimate interest, and the possibility of objecting to processing activities that the controller bases on its legitimate interest. In addition, in some of the company’s procedures, for example contracting the company’s services by telephone, the method by which the data subject could access the required information was not simple and immediate. For this, a fine of €1,000,000 was imposed by the AEPD.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

AEPD published guidelines

AEPD published guidelines on data protection and labor relations

AEPD published guidelines on data protection and labor relations in collaboration with the Ministry of Labor and the employers and trade union organizations. 

The AEPD recently published guidelines intended as a practical tool to help public and private organizations maintain compliance with the legislation in force. The agency collaborated with the Ministry of Labor and Social Economy and with the employers’ and trade union organizations in order to prepare this guide. The guide is centered on compliance with the GDPR and the DPA, with a specific focus on updates regarding the rights of workers and the collection and use of their data by employers. It covers quite a range of issues, including employee data protection within the organization, employer access to social media profiles, internal whistleblowing, and privacy for victims and alleged harassers in the workplace.

The guidelines outline the general bases of legitimate data processing by employers.

The guidelines from the AEPD set out the data protection rights to be upheld in a working environment. In the document the AEPD addresses the importance of applying the principle of data minimisation. An employment contract does not automatically give employers access to any and all personal information about employees, so the guidelines outline what information may or may not be necessary. The document sets the limits for the processing of data in the hiring process, as well as throughout the course of the employment contract. The AEPD explains that, owing to the duties of secrecy and security, personal data should only be known by the affected party and by those users within the organization who have the authority to use, consult or modify the data.

The AEPD suggests using the least invasive system possible for tracking employee working days. 

According to the guidelines published by the AEPD, the least invasive system possible should be adopted for tracking employee workdays. This information cannot be publicly accessible or located in a visible place. In addition, the data registered by these systems must not be used for any purpose other than tracking the working day. In the example of a worker who travels to perform their role, a working day tracker would be used for the sole purpose of recording when their workday begins and ends, and not to constantly monitor their location. The processing of geolocation data requires a specific legal basis.

The guidelines cover access by employers to social media profiles and data from wearable technology like smart watches. 

The AEPD explains that employees are not obligated to allow their employer to access or inquire into their social media profiles. This includes during the hiring process as well as for the execution of the employment contract. Even in cases where a candidate for employment has a social media profile that is publicly accessible, an employer may not process any data obtained in that way, unless there is a valid legal basis for it. In this case it will be necessary for the employer to inform the worker and to demonstrate what the legal basis is including its relevance to the performance of the role. 

The guidelines also address wearable devices, particularly the monitoring of health data through devices like smart watches. In general this type of monitoring is prohibited, for several reasons. It violates the principle of proportionality, as it entails the constant monitoring of special category data (health), and it could allow employers to access data about specific health conditions rather than only the data needed to assess an individual’s ability to perform their job.

The AEPD published guidelines specific to internal whistleblowing and privacy for victims and alleged perpetrators. 

In instances of gender-based violence or harassment, personal data, particularly the person’s identity, is generally considered to be special category data. Sensitive data of this nature requires enhanced protection. According to the guidelines, an identification code should be assigned to both the alleged victim and the alleged perpetrator in these cases. When it is necessary to process data in order to comply with legal obligations, an employer may process data about a worker regarding their situation in relation to gender-based violence or harassment. In cases of harassment at work, the identities of both the alleged harasser and the alleged victim must be protected.

The guidelines state that the works council now has the right to information on the parameters of a company’s algorithms and artificial intelligence systems.

As the use of artificial intelligence becomes more prevalent, the guide includes groundbreaking information on the right of the works council to be informed by the company of the framework for any algorithms or AI systems used within the company. This includes explanations of any profiling that could possibly affect access to employment, as well as its conditions and maintenance. This requirement was newly introduced into law (RD-law 9/2021), modifying the Workers’ Statute and introducing an additional level of transparency into the process.

Does your company have all of the mandated safeguards in place to ensure compliance with the ePrivacy, GDPR and national data protection legislation in handling employee data? Aphaia provides ePrivacy, GDPR and data protection consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Record AEPD fine

Record AEPD fine imposed on Vodafone

Record AEPD fine imposed on Vodafone for violations of the GDPR as well as Spanish national regulations. 

Vodafone Spain has recently been hit with four fines, totalling a record €8.15 million, for violations of the GDPR and Spanish national laws. The company was found guilty of unlawful telemarketing and other data security violations. Over the last two years, some 200 million calls were made, resulting in 191 complaints about the company’s practices regarding consent and data processing.

Customers who had opted out of receiving communications were contacted by, or on behalf of, the company.

Several citizens who had objected to data processing for advertising purposes received calls and text messages, resulting in 191 complaints. As a result, the company’s headquarters were inspected in September 2019. It was found that the phone company had not been continuously monitoring its data processor and lacked the technical and organizational structure needed to ensure that it avoided contacting citizens who had opted out of receiving communications for advertising purposes, or who had opted for the erasure of their data entirely. The phone company was therefore found to have violated Article 28 of the EU GDPR by neglecting to continuously monitor the data processor in this case.

The company was also found to have exported data without sufficient safeguards in place for international data transfers. 

The phone company’s infractions also included a violation of Article 44 of the GDPR, involving a transfer of data to a third country. It was found that data processors in the Republic of Peru had also engaged in advertising activity on behalf of Vodafone. This processor was not being continuously monitored, and the AEPD’s findings revealed that the company did not even have sufficient structures and safeguards in place to conduct such monitoring.

This record AEPD fine included two fines for national laws in addition to the fines for EU GDPR violations. 

This total fine, imposed last month, consisted of two fines for violations of the EU GDPR and two fines for violations of Spanish national laws. The company was fined a combined €6 million for violating Article 28 and Article 44 of the EU GDPR. In addition, the AEPD, on the basis of its national competencies, imposed a further €2 million fine for the company’s violation of Spanish telecommunications and digital rights laws, and a smaller fine of €150,000 under a technical Spanish law governing the use of cookies. This total fine is a new record high for the AEPD, surpassing the €6 million fine imposed on Caixabank earlier this year.

Fine imposed by AEPD

Fine imposed by AEPD for GDPR violations

A 6 million euro fine was recently imposed on CAIXABANK by the AEPD, the Spanish DPA, for various breaches of the GDPR.

Late last month, the EDPB reported on a fine imposed by the AEPD on the Spanish multinational financial services company CAIXABANK for GDPR violations. It was found that the company unlawfully processed clients’ personal data and failed to provide adequate information regarding the processing of personal data. For the former infringement a fine of 4 million euros was imposed, and for the latter 2 million euros, making this the AEPD’s largest cumulative fine to date.

The total fine imposed by the AEPD included a 4 million euro fine for a breach of Article 6 of the GDPR.

CAIXABANK was found to be in violation of Article 6 of the GDPR through its failure to provide any mechanism for collecting consent from data subjects. As a result, the data subjects’ consent did not meet all the elements of valid consent required for processing. The AEPD also found that the processing activities the company based on its legitimate interest were not sufficiently justified, nor was the relationship between the company’s activity and the processing of personal data. As a result of this breach, the AEPD imposed an administrative fine of 4 million euros under Article 83(5)(a) of the GDPR.

CAIXABANK was fined 2 million euros for a breach of Articles 13 and 14 of the GDPR. 

CAIXABANK was also found to be lacking key information in a document intended to comply with Articles 13 and 14 of the GDPR. This document did not clearly set out the categories of personal data processed, nor the purposes of that processing. In addition, the document did not specifically identify the legal basis for the processing carried out under the company’s legitimate interest. As a result, the AEPD found the company in violation of the aforementioned articles of the GDPR, resulting in a fine of 2 million euros under Article 83(5)(b).

The fine imposed by AEPD was decided upon based on several key factors. 

In deciding on an appropriate fine for the various breaches of the GDPR, the AEPD considered certain aggravating factors of the violations found. In general, the AEPD considered the nature, gravity and duration of the specific infringements, as well as their negligent character. The fact that the company is a large enterprise, and the size of its turnover, also played a key role in the amount fined. The AEPD considered the relationship between CAIXABANK’s activity and the processing of the personal data, as well as the benefits gained from the infringement and the categories of personal data affected. Additionally, the AEPD looked at the degree of responsibility of the controller, considering the technical and organizational measures implemented pursuant to Articles 25 and 32 of the GDPR.

CAIXABANK has been ordered to bring its operations into compliance within 6 months. 

In addition to the administrative fines imposed by the AEPD, the financial services company has been ordered to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next 6 months. This means providing an adequate mechanism for collecting customers’ valid consent and ensuring that only the necessary personal information that is legally justified on the basis of the company’s legitimate interest is processed. In addition, the company will need to ensure that this information, as well as the purposes of the processing, is clearly set out in the document intended for compliance.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.