Curenergía – €60,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 13 April 2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller, an electricity provider. The data subject had been a customer of the controller until 2021 and on 12 April 2022 wanted to register as a customer with the controller again. The controller’s customer service team contacted the data subject to confirm his account and telephone number. The data subject alleged that the controller was still in possession of his personal data, such as his ID card number, name and address, because he did not have to provide this data anew.

After supplying data to the controller’s customer service team, the data subject received an email from the controller and another from a second electricity company, the controller’s partner company, asking him to sign the attached PDF contract. The contract included personal data such as the data subject’s name, address and IBAN. The data subject therefore concluded that the controller had transferred personal data to its partner company without his consent.

After the complaint was submitted, the AEPD launched preliminary investigative procedures to clarify the facts of the case. The partner company submitted to the AEPD that it and the controller do not maintain any sort of relationship in the processing of personal data and that each company solely processes the data of its own customers, without any cross-over. However, both companies belong to the Iberdrola Group and use the same processor for their customer service. The partner company ensured that there is a system in place which identifies which customers belong to which company. The partner company further submitted that the customer service employee had made a mistake and sent the contract from the wrong company. Immediate steps were taken to cancel the contract with the partner company. The controller further submitted that they had responded to the data subject’s email n
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Curenergía in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
31 July 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€60,000
GDPRhub ID
gdprhub-8502
Cite as: Cookie Fines. Curenergía - Spain (2024). Retrieved from cookiefines.eu