Silvanergia 2022, S.L – €3,000 Fine (Spain, 2025)

On 22 August 2023, a data subject filed a complaint with the DPA against Silvanergia 2022, S.L. (the controller). On 16 August 2023, an agent of the controller contacted the data subject, claiming to call on behalf of their energy provider, Bassols Energía, S.A. (Bassols), to update the electricity rate according to new government regulations. The agent asserted that they already possess the data subject’s data, requiring solely their confirmation by email. The referred data consisted of the data subject’s full name, ID number, address, Universal Supply Point Code numberThis is a unique code in Spain that identifies the household or business receiving energy. More information can be found here: https://www.endesa.com/es/te-ayudamos/sobre-tu-factura/que-es-el-cups, and 12 digits of their bank account. The controller sent an email to the data subject, reminding them of the pending signature to update the tariff. This contained a contract in the name of Bassols. The data subject refused to sign the contract once they noticed that the controller was not their electricity supply company, as they did not intend to enter into a new contract with the controller. The controller contacted the data subject again to ask why they had not signed the contract. In response, the data subject asked the controller how it obtained their data, in order to exercise their right to erasure (Article 17 GDPR). The controller replied that the data was obtained by third-party firms, despite the data subject denying that they had provided any of their data to them. The data subject tried to contact the controller again but discovered that the e-mail address and phone number of the controller were listed as nonexistent. The data subject then contacted Bassols and requested the deletion of their personal data. Bassols claimed that it had been a victim of identity fraud committed by the controller, as the contract received via email by the data subject was in the name of Bassols. During its in