CREATOR ENERGY. S.L. – €6,000 Fine (Spain, 2021)

A data subject filed a complaint with the Spanish DPA (AEPD) against an energy services provider. The controller had used the complainant's personal data to contract gas and electricity supplies, as well as a maintenance service called Servielectric Xpress, which were not requested by the complainant. The respondent entered into these contracts without the consent or knowledge of the data subject. The AEDP held that the controller had used the data subject's personal data to make them party to a contract without any legitimacy, as the data subject had not requested such services. Therefore, the contract was not valid, what implied that the controller had processed the data without any legal basis. The AEPD therefore argued that for the legal basis for the processing set forth in Article 6(1)(b) GDPR to be legitimate, the data must be provided by the data subject. The controller has the obligation to verify with due diligence that the data subject had actually provided their data, setting identification requirements, for example, as part of their accountability and proactive responsibility obligation. The DPA concluded that the controller had violated Article 6(1) GDPR for processing data without a legal basis, and thus fined the controller €6000. In the present case, the following were taken into account as aggravating circumstances: * the intentionality or negligence of the infringement (Article 83(2)(b) GDPR) * the impact on basic personal identifiers (Article 83(2)(g) GDPR)