Enérgya-VM is fined by the AEPD in Proceeding EXP202304117
The energy company Enérgya-VM has been sanctioned by the AEPD in Procedure EXP202304117 for breach of the principle of proactive responsibility (Article 5.2 of the RGPD) and breach of the principle of legality, fairness and transparency (Article 5.1.a) of the RGPD).
Enérgya-VM had contracted Nivalco's services consisting of commercial prospecting. However, Nivalco's customer recruitment work was irregular and it deceived customers in order to obtain Enérgya-VM's services without them being aware of it. Specifically, Nivalco recruited customers using data illegally extracted from Naturgy (breach of Article 5.1.a) of the GDPR). Enérgya-VM was warned of the irregularities in the processing of personal data carried out by Nivalco in its customer recruitment work, which led it to adopt some measures in the form of instructions and audits to its supplier, although the irregularities continued. In this regard, the AEPD considers it decisive that Enérgya-VM has not established adequate and effective controls over its data processor:
1) I do not carry out any risk analysis in relation to this processor.
2) failed to carry out an adequate control of the origin of the personal data.
3) did not establish a continuous and exhaustive control of the voice recordings of the contracting process provided by said supplier.
4) failed to articulate an effective control mechanism over the performance of its data processor despite evidence that it was not following its instructions.
5) had a reactive rather than proactive attitude.
Not only is it important to articulate the data processor contract in accordance with the provisions of the GDPR, but measures must also be taken to ensure that only the data processor that offers sufficient guarantees in terms of data protection is chosen, for example through the corresponding supplier approval procedure and its subsequent periodic risk analysis. In summary, case of non-compliance with GDPR, as a real example, Enérgya-VM sanctioned by AEPD.
