[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fye9Tt4zIyZls_tNgoiPMXq12JJPbEkTYmmxx0SMK2ts":3},{"article":4,"iocs":45},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":24,"category":25,"article_tags":29},"dfad7e86-82a2-402b-91e3-b2885b7b9e59","AEPD (Spain) - EXP202406239","aepd-spain-exp202406239-1ae5da","Show changes","Spain's Data Protection Agency (AEPD) has upheld a €1,000,000 fine against Iberdrola Clientes, S.A.U. for violating GDPR. The energy supplier failed to implement adequate security measures for customer identity verification via phone, allowing unauthorized changes to contact details using easily accessible static data.","Spain's AEPD fines Iberdrola Clientes €1M for inadequate customer identity verification.","Help AEPD (Spain) - EXP202406239: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 08:57, 4 March 2026 view sourceRp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators195 edits Tag: Visual edit← Older edit Latest revision as of 11:12, 8 July 2026 view source Nata (talk | contribs)3 editsTag: submission [1.0] Line 11: Line 11: |Original_Source_Name_1=AEPD|Original_Source_Name_1=AEPD |Original_Source_Link_1=https:\u002F\u002Fwww.aepd.es\u002Fdocumento\u002Fps-00459-2024.pdf|Original_Source_Link_1=https:\u002F\u002Fwww.aepd.es\u002Fdocumento\u002Freposicion-ps-00459-2024.pdf |Original_Source_Language_1=Spanish|Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES|Original_Source_Language__Code_1=ES Line 19: Line 19: |Original_Source_Language__Code_2=|Original_Source_Language__Code_2= |Type=Complaint|Type=Other |Outcome=Upheld|Outcome= |Date_Started=|Date_Started= |Date_Decided=|Date_Decided= |Date_Published=25.02.2026|Date_Published=29.04.2026 |Year=|Year= |Fine=1.000.000|Fine=1,000,000 |Currency=EUR|Currency=EUR |GDPR_Article_1=Article 5(2) GDPR|GDPR_Article_1=Article 24 GDPR |GDPR_Article_Link_1=Article 5 GDPR#2|GDPR_Article_Link_1=Article 24 GDPR |GDPR_Article_2=Article 24 GDPR|GDPR_Article_2=Article 32 GDPR |GDPR_Article_Link_2=Article 24 GDPR|GDPR_Article_Link_2=Article 32 GDPR |GDPR_Article_3=Article 32 GDPR|GDPR_Article_3=Article 32(1)(b) GDPR |GDPR_Article_Link_3=Article 32 GDPR|GDPR_Article_Link_3=Article 32 GDPR#1b |GDPR_Article_4=|GDPR_Article_4=Article 58(2)(d) GDPR |GDPR_Article_Link_4=|GDPR_Article_Link_4=Article 58 GDPR#2d |GDPR_Article_5=|GDPR_Article_5=Article 83(2) GDPR |GDPR_Article_Link_5=|GDPR_Article_Link_5=Article 83 GDPR#2 |GDPR_Article_6=Article 83(4)(a) GDPR |GDPR_Article_Link_6=Article 83 GDPR#4a |GDPR_Article_7= |GDPR_Article_Link_7= |GDPR_Article_8= |GDPR_Article_Link_8= |EU_Law_Name_1=|EU_Law_Name_1= Line 44: Line 50: |EU_Law_Link_2=|EU_Law_Link_2= |National_Law_Name_1=|National_Law_Name_1=Article 118 LPACAP |National_Law_Link_1=|National_Law_Link_1=https:\u002F\u002Fwww.boe.es\u002Fbuscar\u002Fact.php?id=BOE-A-2015-10565 |National_Law_Name_2=|National_Law_Name_2=Article 123 LPACAP |National_Law_Link_2=|National_Law_Link_2= |National_Law_Name_3=Article 28(1) LRJSP |National_Law_Link_3=https:\u002F\u002Fwww.boe.es\u002Fbuscar\u002Fact.php?id=BOE-A-2015-10566 |National_Law_Name_4=Article 48(1) LOPDGDD |National_Law_Link_4=https:\u002F\u002Fwww.boe.es\u002Fbuscar\u002Fact.php?id=BOE-A-2018-16673 |National_Law_Name_5=Article 63(2) LOPDGDD |National_Law_Link_5= |National_Law_Name_6=Article 76(2) LOPDGDD |National_Law_Link_6= |National_Law_Name_7= |National_Law_Link_7= |National_Law_Name_8= |National_Law_Link_8= |Party_Name_1=|Party_Name_1=Iberdrola Clientes, S.A.U. |Party_Link_1=|Party_Link_1=https:\u002F\u002Fwww.iberdrola.es\u002F |Party_Name_2=|Party_Name_2= |Party_Link_2=|Party_Link_2= |Party_Name_3= |Party_Link_3= |Appeal_To_Body=|Appeal_To_Body= Line 59: Line 79: |Appeal_To_Link=|Appeal_To_Link= |Initial_Contributor=RP|Initial_Contributor=Nata || }}}} The DPA fined an energy supplier €1,000,000 for failing to ensure appropriate security and accountability. When verifying the identity of customers via phone, it relied on weak, non-traceable checks and allowed unauthorised changes to customer contact details.The DPA rejected an energy company's internal appeal and upheld a €1,000,000 fine under [[Article 32 GDPR|Article 32 GDPR]], holding that a call centre identity verification protocol based on static, easily accessible customer data was inadequate. == English Summary ==== English Summary == === Facts ====== Facts === On 20 March 2024, the data subject filed a complaint with the Spanish Data Protection Agency (AEPD). The controller was IBERDROLA CLIENTES, S.A.U. (IBERCLI), an electricity retail company belonging to the Iberdrola Group.Iberdrola Clientes, S.A.U., an electricity retailer of the Iberdrola group (the controller), verified the identity of customers calling its call centres under an internal guide dated 19 March 2023. Under this protocol, a caller passed the identity check (PSI) by providing 4 out of 9 possible categories of data, such as surname, national ID number (DNI), contract reference, address, telephone number, e-mail address, bank account or supply point code (CUPS). The case concerned the use of an email address belonging to the data subject’s daughter in connection with the data subject’s electricity supply contract. On 22 November 2023, the electricity distributor sent a contractual communication to that email address. The data subject stated that neither they nor their daughter had ever provided that address to the controller.According to the controller, on 20 January 2023 the data subject called to request a copy of an invoice and provided an e-mail address, which the controller then linked to the contract as a permanent contact address. The e-mail address belonged to the data subject's daughter. No recording of the call was kept, nor any record of the data requested to verify the caller's identity. On 22 November 2023, the distributor of the group sent an e-mail concerning a request to modify the technical conditions of the data subject's contract to that address. On 17 January 2024, the distributor informed the data subject that the controller had provided the address. The data subject denied ever having given it as a contact address and filed a complaint with the DPA. The distributor informed the data subject that it had received the email address from the controller. The controller argued that, on 20 January 2023, the data subject had called its customer service to request a copy of an invoice and had provided the email address during that call. According to the controller, the caller passed its internal identity verification procedure (PSI control). The controller further stated that it was legally required to transmit customer data to the distributor under electricity market rules.The DPA initially declared the complaint inadmissible, but admitted it after the data subject successfully appealed that decision internally. On 17 January 2025, the DPA opened sanctioning procedure PS\u002F00459\u002F2024 against the controller for a violation of [[Article 32 GDPR]]. On 14 January 2026, the DPA imposed a fine of €1,000,000 under [[Article 83 GDPR#4a|Article 83(4)(a) GDPR]] and, under [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], ordered the controller to demonstrate within three months the adoption of security measures adequate to the risk, including protocols guaranteeing identity verification. The controller submitted a document dated 19 March 2023 that described its call centre identity verification protocol. The protocol allowed customer service agents to verify identity by requesting several categories of personal data. Once verification was considered successful, the agent could update the customer database, including contact details such as an email address.On 16 February 2026, the controller filed an internal appeal (recurso de reposición, file EXP202406239). It argued that (i) the DPA had ignored its submissions to the proposed resolution, causing a violation of its right to be heard and the nullity of the decision; (ii) the DPA had violated the presumption of innocence by imposing the fine without sufficient evidence or reasoning; (iii) the DPA had applied impermissible strict liability, since no intent or negligence had been established; (iv) the fine was disproportionate, in particular compared with a €500,000 fine imposed on a bank in file EXP202500113 for an incident the controller considered more serious; (v) the DPA had not considered mitigating factors; and (vi) the corrective measures had lost effect because, in the controller's view, the final resolution had not included them. However, the controller did not provide a recording or transcript of the alleged call of 20 January 2023. It also did not provide documentation showing what specific data had been requested for verification,","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202406239&diff=52120&oldid=50902","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F5\u002F59\u002FLogoES.jpg","2026-07-08T11:12:31+00:00","2026-07-08T12:00:33.27415+00:00",7,[18,21],{"name":19,"type":20},"Iberdrola","vendor",{"name":22,"type":23},"Iberdrola Clientes, S.A.U.","product","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":24,"icon":26,"name":27,"slug":28},null,"Policy","policy",[30,35,40],{"category":31},{"id":32,"icon":26,"name":33,"slug":34},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":36},{"id":37,"icon":26,"name":38,"slug":39},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":41},{"id":42,"icon":26,"name":43,"slug":44},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]