Spain: AEPD fines Iberdrola Clientes €40,000 for GDPR violations
The Spanish data protection authority ('AEPD') issued, on 2 July 2020, a resolution ('the Resolution') in proceedings PS/00102/2020, fining Iberdrola Clientes, S.A.U. €40,000 for violations of Article 5(1)(f) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the Resolution outlines that an individual complained that a third party received his or her electricity bill, which contained personal data such as the individual's name, address, and bank account. In addition, the Resolution highlights that Iberdrola Clientes was not able to guarantee adequate security measures while processing the data subject's personal data, in violation of the principles of integrity and confidentiality.
Lastly, the Resolution imposes a fine of €40,000, which was subsequently reduced to €24,000 as a result of Iberdrola Clientes' voluntary payment.
You can read the Resolution, only available in Spanish, here.