Spain: AEPD fines Baser Comercializadora De Referencia €150,000 for GDPR violations
The Spanish data protection authority ('AEPD') published, on 11 April 2022, its decision in Proceeding No. PS/00476/2021, fining Baser Comercializadora De Referencia, S.A. €150,000 for violations of Articles 6 and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint.
Background to the decision
In particular, the AEPD noted that it had initiated an investigation following a complaint by a customer of the company, who had alleged that the contract was changed without their consent. The AEPD added that Baser Comercializadora claimed that it had received a call from a woman who claimed to live at the claimant's address and was able to provide the details necessary to pass verification, which resulted in the changes to the contract.
Findings of the AEPD
In this regard, the AEPD outlined that Baser Comercializadora violated Article 32 of the GDPR by lacking adequate security procedures that allow for the proper verification of a customer. Furthermore, the AEPD noted that Baser Comercializadora's security procedures require data such as names and surnames, telephone numbers, and addresses, and that such data may be available to third parties and used for fraudulent purposes. In addition, the AEPD noted that Baser Comercializadora modified the contract without the consent of the claimant, which implies a violation of Article 6 of the GDPR.
As a result of the violations, the AEPD imposed a total fine of €150,000: €100,000 for the violation of Article 6 of the GDPR and €50,000 for the violation of Article 32 of the GDPR.
You can read the decision, only available in Spanish, here.