AECORP 005, S.L. – €5,000 Fine (Spain, 2025)

On January 24, 2024, a data subject received a direct marketing call from AECORP 005 S.L. (a marketing company, the controller) falsely claiming to represent NATURGY (an energy company), and requesting a change in the data subject's electricity billing. During the call, they received an SMS with a link containing their phone number. NATURGY denied involvement, and the data subject refused the transaction. The controller acknowledged it conducted a marketing campaign through third party data providers, and the DPA confirmed the controller made the call without consent. The DPA found a violation of [https://www.boe.es/buscar/act.php?id=BOE-A-2022-10757#a6-8 Article 66(1)(b) of the national communications law (LGTEL)], as the controller carried out direct marketing calls without the consent of the data subject. The DPA stressed that users have the right to privacy in electronic communications and that companies must respect individuals’ control over their personal data. The purpose of [https://www.boe.es/buscar/act.php?id=BOE-A-2022-10757#a6-8 Article 66 LGTEL] is to protect users from intrusive commercial practices that disregard their privacy and control over commercial communications, ensuring that companies respect data subjects' rights. The DPA highlighted that a valid legal basis in accordance with Article 6(1) GDPR is essential for direct marketing calls to comply with [https://www.boe.es/buscar/act.php?id=BOE-A-2022-10757#a6-8 Article 66(1)(b) LGTEL]. In this case, the fact that a data subject had registered on the controller's website and accepted the privacy policy does not mean they provided the data or consented to the direct marketing calls. The DPA referred to EDPB GuidelinesEDPB, Guidelines 05/2020 on consent under Regulation 2016/679 (version 1.1), 4 May 2020. https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf. See margins 105-108. and stated that controllers must demonstrate valid consent before proce