IBERDROLA CLIENTES, SAU – €100,000 Fine (Spain, 2021)

€100,000 | Agencia Española de Protección de Datos | 21 January 2021 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

IBERDROLA CLIENTES, SAU was fined EUR 100,000 for not updating a former customer's address and failing to delete their data upon request. This mistake led to the customer's data being misused. Companies must keep personal data accurate and respect deletion requests to comply with GDPR.

What happened

IBERDROLA failed to update a customer's address and ignored their request to delete personal data.

Who was affected

The affected individuals were former customers who requested data deletion but continued to have their data processed incorrectly.

What the authority found

The Spanish DPA found IBERDROLA violated GDPR by not updating personal data and failing to comply with a deletion request.

Why this matters

This case underscores the need for businesses to maintain accurate customer data and honor deletion requests promptly. Ensuring data quality is crucial for GDPR compliance.

GDPR Articles Cited

Art. 17 GDPR
Art. 5(1)(d) GDPR
Art. 83(2)(b) GDPR
Art. 83(2)(g) GDPR
Art. 83(5)(a) GDPR
Art. 83(5)(b) GDPR

Full Legal Summary

A former IBERDROLA client complained to the Spanish DPA (AEPD) that the electricity supply company did not respond to his requests to delete his personal data. The claimant moved house and informed the company of the change of address for notification purposes. Even so, the company continued to send letters to the previous address. In the same letter that notified the change of address, the claimant also requested the removal of his details because the service had been cancelled; that request went unanswered because of the failure to update his details described above.

Is the failure to update personal data a breach of Article 5(1)(d)? Can this failure to update data result in a refusal to comply with Article 17 GDPR?

The AEPD held that IBERDROLA had failed to update the customer's data and that this resulted in the inclusion of the complainant's data in a creditworthiness file and in a failure to comply with its obligations regarding the request for deletion of personal data. The GDPR applies because maintaining the incorrect address constitutes a continuous infringement that persists for as long as the data quality problem that caused it has not been remedied. Therefore, in the present case, there is an infringement of Article 5(1)(d) of the GDPR because no payment order was issued due to a data quality problem.

The AEPD took into account that the conduct was unintentional but significantly negligent (Article 83(2)(b) GDPR) and that basic personal identifiers were affected (Article 83(2)(g) GDPR). The company's economic volume was also taken into account in setting the penalty.

Details

Fine Date: 21 January 2021
Authority: Agencia Española de Protección de Datos
Fine Amount: €100,000
GDPRhub ID: gdprhub-3131

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. IBERDROLA CLIENTES, SAU - Spain (2021). Retrieved from cookiefines.eu
