Naturgy Energy Group S.A. – €80,000 Fine (Spain, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Naturgy Energy Group was fined €80,000 for failing to protect a customer's personal data. A third party changed the customer's email and received invoices without proper security checks. This case shows the importance of strong security measures to protect customer data.
What happened
Naturgy Energy Group allowed a third party to change a customer's email and access invoices without proper consent.
Who was affected
A customer of Naturgy Energy Group whose email and invoice information were accessed by a third party.
What the authority found
The DPA found that Naturgy Energy Group violated GDPR by not having adequate security measures to protect personal data.
Why this matters
This case emphasizes the need for companies to implement robust security measures to protect customer data. Businesses should ensure their security protocols are strong enough to prevent unauthorized access.
GDPR Articles Cited
A customer (data subject) of Naturgy Energy Group, a gas and electricity supplier (controller), discovered that her email address registered with the controller had been changed by a third party. This third party also asked the controller to send him two of the data subject's invoices. After the data subject became aware of this change, she filed a complaint with the controller. However, the controller stated it did nothing wrong, as it asked the questions necessary according to its security policy. The third party identified himself as a relative of the data subject and provided the controller with the data subject's name, ID number, address, the last four digits of her bank account and her contract reference number.
The data subject therefore filed a complaint with the DPA against the controller for changing her contract data without her consent, in particular her email address.
The DPA stated that despite the security measures mentioned, the controller ended up sending two invoices to the email address of someone claiming to have some kind of relationship with the data subject. The DPA held that the controller therefore violated Article 5(1)(f) GDPR (principle of integrity and confidentiality). The DPA concluded that the security measures in place were evidently not enough to prevent the events mentioned above. It held that the controller also violated Article 32 GDPR by failing to adopt the necessary security measures to guarantee the protection of the data subject's personal data.
The DPA fined the controller €80,000: €50,000 for the violation of Article 5(1)(f) GDPR and €30,000 for the violation of Article 32 GDPR. The original fine of €80,000 was reduced to €48,000 due to voluntary payment and admission of responsibility.
Details
Fine Date
8 June 2022
Authority
Agencia Española de Protección de Datos
Fine Amount
€80,000
GDPRhub ID
gdprhub-5212
Cite as: Cookie Fines. Naturgy Energy Group S.A. - Spain (2022). Retrieved from cookiefines.eu