HOLALUZ-CLIDOM S.A. – €70,000 Fine (Spain, 2023)

Holaluz is an electric power and gas commercialization company. It has three three channels for contracting: internet, telephone and commercial networks (with collaboration contracts). On July 28, 2021 four energy supply contracts were signed up through the collaborator BLANER ENERGY, S.L. for supply points associated with the data subject. On December 11, 2021 the data subject contacted Holaluz communicating the identity fraud suffered in order to contract with Holaluz, stating that it was not her who signed and subscribed to the agreement. On May 4, 2022, the data subject initiated a procedure at AEPD against Holaluz for unlawful data processing without her consent, based on the identity theft to contract with Holaluz for electricity contracts. Allegedly, based on the fraudulent contract between the data subject and Holaluz, the company proceeded with the cancellation of the energy contract the data subject had previously with another energy commercial company, Energía XXI, using her personal data without her consent. As a result, there was a discharge of electric energy supplies from one of her four properties subscribed to Energía XXI. In addition, the email address given in the contract did not actually belong to the data subject. Holaluz alleged that was unable to detect that the contracting had been signed without the consent of the data subject, considering that the collaborator appeared to be truthful in the contracting. Holaluz affirmed that it randomly performs a subsequent review of the contract made by new employees and that Blaner carries out its activities for them both directly or through “sub-agents”. They also confirmed the deletion of the data subject’s personal data from its database. AEPD concluded that Holaluz has registered the electric energy supplies of four properties from the data subject, using her personal data, without her consent and, based on that, the processing was unlawful. AEPD considered the fact that the data subject had p