The Spanish supervisory authority (AEPD) imposed a fine of EUR 100,000 on Comercializadora Regulada Gas & Power, S.A., which was subsequently reduced to EUR 60,000. The reason was the use of outdated customer data.
Comercializadora Regulada sent an electricity supply contract containing the customer’s current personal data to the customer’s old address. At this address lived a person for whom the customer had a court restraining order. This person thus came into possession of the customer’s new address.
Accordingly, the authority concluded that, although the complainant had indicated his new address at the time of registration, the online invoicing service offered by Comercializadora Regulada had been activated without updating the complainant’s address. The AEPD considered various aggravating factors, including: the company’s negligence and lack of greater diligence in the processing of personal data, and the nature of the company’s activity as a continuous and large-scale data processor.
In light of the above, the AEPD imposed a fine of €100,000 on Comercializadora Regulada for breach of Article 5(1)(d) of the GDPR. The AEPD pointed out that prior to the decision to impose the fine, Comercializadora Regulada acknowledged its responsibility for the infringement and made a voluntary payment, thus benefiting from a 40% reduction in the fine. Accordingly, the AEPD indicated in its reasoning for the decision that Comercializadora Regulada had paid a penalty of €60,000.