AEPD (Spain) - EXP202307472
Spanish DPA fines utilities company €220,000 for unlawful direct marketing and lack of consent
Summary
Spain's AEPD issued a €220,000 fine to GESTERNOVA S.A., a utilities supplier, for processing a customer's personal data without valid consent or legal basis (Article 6(1) GDPR violation). The company conducted a direct marketing call via its processor and sent a contract containing the customer's personal data, ID information, contact details, and bank information without proper prior authorization. The DPA also found violations of Article 13 GDPR for failure to provide required information disclosures during the direct marketing call and held the controller responsible for ensuring its processor's compliance.
Full text
AEPD - EXP202307472
Latest revision as of 11:26, 31 March 2026

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(7) GDPR; Article 6(1) GDPR; Article 13 GDPR; Article 28 GDPR; Art. 48.1.b) LGTEL
Type: Complaint
Outcome: Upheld
Started: 23.04.2023
Decided:
Published: 26.03.2026
Fine: 220,000 EUR
Parties: GESTERNOVA S.A.; Several
National Case Number/Name: EXP202307472
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ap

The DPA fined a utilities company €220,000 for sending a data subject an energy supply contract following a direct marketing call. The company received the data from a processor without the data subject’s knowledge or consent.

English Summary

Facts

GESTERNOVA S.A. (the controller) is a utilities supplier. The controller has a contract with Several (the processor) for the latter to carry out marketing, sale, contracting and renewal of products offered by the controller.

A data subject received a direct marketing call from the processor (who did not state on behalf of which company they were calling), offering their energy services. The data subject later received an email from the controller, requesting the data subject to sign the contract to provide energy services. The contract contained personal data of the data subject, including their full name, ID information, contact information, as well as parts of their bank information and data related to their energy supply.
The data subject brought a complaint to the DPA, on the basis that they had not provided their data to the controller or processor during the call.

The controller argued that Several had acted as a separate controller in processing the data subject’s data. This included obtaining the data from the data subject (which were later provided to the controller), and calling the data subject. Finally, the controller argued that it was not aware of how the processor obtained the data subject’s information that was later included in the contract.

Holding

The DPA first noted that the contract establishes the companies’ roles as controller and processor. While the concepts must be interpreted objectively following EDPB Guidelines, the DPA stated that Several acted as a processor and not a controller, in accordance with Article 28 GDPR. This is because it was Gesternova who determined the purposes and means of processing, in accordance with Article 4(7) GDPR.

The DPA found a violation of Article 6(1) GDPR. The DPA stated that the controller had the responsibility of implementing effective mechanisms to verify the lawfulness of the processing activities carried out in its name. Therefore, it could not claim to be unaware of the processing activities of the processor. This unlawfulness meant that the controller did not have a valid legal basis under Article 6(1) GDPR to process the data.

The DPA also found a violation of Article 13 GDPR, as the controller did not meet its information obligations during the direct marketing call. The DPA stated that the controller failed to inform the data subject about the identity and contact details of the controller, the purposes and legal bases of the processing, or the data subject’s rights. In addition, the controller failed to ensure that the processor also complied with its information obligations.
Finally, the DPA did not determine whether the controller violated Article 48(1)(b) of the national telecommunications law (related to unsolicited direct marketing calls), as the time limit to investigate such an infraction had already passed.

The DPA fined the controller €220,000 in total: €20,000 for the violation of Article 13 GDPR and €200,000 for the violation of Article 6(1) GDPR. The DPA considered this a serious violation, as it concerned a lack of legal basis for processing and the principle of transparency. In addition, the DPA ordered the controller to bring its processing operations in line with the GDPR within six months, subject to fines for noncompliance.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202307472

RESOLUTION OF SANCTIONING PROCEEDINGS

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On April 23, 2023, a complaint was filed with the Spanish Data Protection Agency regarding a possible infringement attributable to GESTERNOVA, S.A., with Tax Identification Number A84337849 (hereinafter referred to as the respondent, GESTERNOVA, or Contigo Energía). The facts brought to the attention of this authority are:

The complainant states that on April 12, 2023, they received a call from number ***PHONE.1 to number ***PHONE.2. In that call, a salesperson, who did not identify themselves by name or the company they represented, asked for the complainant using her full name and offered her an energy service. The complainant maintains that, after expressing her lack of interest, the salesperson replied that they would send the offer by email.
She adds that the call lasted approximately 10 seconds and that she did not provide any information, so she does not understand how the salesperson could have obtained her email address.

Subsequently, the complainant states that a few minutes later, at 6:38 p.m., she received an email with the subject line "REVIEW AND CONFIRM your information to contract electricity with Gesternova." In this email, signed by GESTERNOVA's Customer Service, a request code was assigned, and all of the complainant's personal data was included, among them their full name, address, and bank account number for direct debit payments, stating, "Below is a summary of the data you provided during the contracting process." The complainant states that this surprised them, as they had never provided this data nor maintained a business relationship with GESTERNOVA.

The complainant indicates that the following day, April 13, 2023, at 2:30 p.m., they contacted GESTERNOVA at the customer service number indicated in the email (913575264). In a conversation lasting more than 28 minutes, they first spoke with an employee identified as A.A.A., who confirmed that the initial call had been made by a sales representative from SEVERAL ENERGY, S.L. (hereinafter referred to as Several), an external collaborating company of GESTERNOVA. According to A.A.A., GESTERNOVA "has no control over the actions of its external agents or collaborators." The complainant adds that they informed their contact that they had received an email from the address contratación@gesternova.com, bearing the company's logo and with all links redirecting to it, without the contact being able to explain how their personal and banking information was obtained.

Subsequently, the complainant was transferred to another employee, who was also unable to clarify the origin of the data, although she canceled the pre-contract and assured them that she would escalate the complaint to provide a response.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es

However, the complainant states that to date they have not received any further communication from GESTERNOVA. Furthermore, the claimant indicates that they are registered on the Robinson List and that they have subsequently called the original number (***PHONE.1) on several occasions, receiving the response that th