150 thousand euros fine for inadequate security
The AEPD has fined an electricity supplier (BASER COMERCIALIZADORA DE REFERENCIA, S.A.) 150,000 euros for not having an effective security protocol for changes to contracted services, thereby failing to comply with the data protection regulations.
In this specific case, there was a change in the contracted power at the request of a third party, who did not have authorization from the service holder to make this change.
How could the service be changed without the owner’s consent?
The change was carried out successfully because the person who requested it was the sister of the service holder and, as a matter of course, knew certain personal data of the holder, such as full name, ID number, telephone number and supply address.
Likewise, the electricity supplier did not apply an effective security protocol that would have made it possible to verify that the applicant really was the service holder.
Considerations of the AEPD
Although the electricity supplier maintained that it had applied its security measures, requesting data such as the holder's name, DNI, telephone number and address, the AEPD considered that the company should have used other verification methods to reliably confirm the identity of the service holder.
Therefore, the penalty of 150,000 euros is based on non-compliance with two articles of the GDPR:
Article 6: Not having the owner’s consent to make the change in the service.
Article 32: Not having an effective and adequate security protocol for the processing.
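The point the AEPD makes is that name, DNI, telephone number and address are knowledge a relative or household member shares, so checking them proves nothing about who is asking. The following example, added here and not part of the original post or of any supplier's system, contrasts that knowledge-only check with a flow in which the knowledge check is only a prefilter and the change is authorized only after a single-use code, delivered to the contact number already on file (never to a number the requester supplies), is returned. All names, numbers and the simulated SMS channel are constructed for the illustration.

```python
"""Contract-change authentication: knowledge-only check versus a check that also
requires possession of the holder's registered contact channel.
Added illustration; account data, phone numbers and the SMS simulation are constructed."""
import hmac
import secrets
import time
from dataclasses import dataclass

KNOWLEDGE_FIELDS = ("holder_name", "dni", "phone", "address")


@dataclass
class Account:
    holder_name: str
    dni: str
    phone: str      # contact channel registered when the contract was signed
    address: str


# Constructed sample account (fictitious data).
ACCOUNT = Account("Ana Ejemplo", "00000000T", "+34600000000", "Calle Falsa 1, Valencia")

# What a relative who knows the holder would be able to state (constructed).
SISTER_CLAIM = {"holder_name": "Ana Ejemplo", "dni": "00000000T",
                "phone": "+34600000000", "address": "Calle Falsa 1, Valencia"}


def knowledge_check(account: Account, claimed: dict) -> bool:
    """Weak check: compares only data that family members routinely know."""
    return all(claimed.get(f) == getattr(account, f) for f in KNOWLEDGE_FIELDS)


class OutOfBandVerifier:
    """Sends a single-use, time-limited code to the registered phone and checks the reply."""

    def __init__(self, sms_outbox: dict, ttl_seconds: int = 300):
        self.sms_outbox = sms_outbox    # simulated SMS delivery: phone number -> last message
        self.ttl = ttl_seconds
        self._pending = {}              # dni -> (code, expiry timestamp)

    def start(self, account: Account, claimed: dict) -> bool:
        # The knowledge check only gates whether a code is sent; it never authorizes on its own.
        if not knowledge_check(account, claimed):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account.dni] = (code, time.time() + self.ttl)
        # The code goes to the number on file, not to any number the requester gives us.
        self.sms_outbox[account.phone] = f"Your contract-change code is {code}"
        return True

    def confirm(self, account: Account, code: str) -> bool:
        entry = self._pending.pop(account.dni, None)   # single use: consumed on first attempt
        if entry is None:
            return False
        expected, expiry = entry
        if time.time() > expiry:
            return False
        return hmac.compare_digest(expected, code)     # constant-time comparison


def authorize_change(account: Account, claimed: dict, phones_in_hand: set,
                     verifier: OutOfBandVerifier) -> bool:
    """Full flow. The requester succeeds only if they can read the code sent to the holder's phone."""
    if not verifier.start(account, claimed):
        return False
    if account.phone in phones_in_hand:
        code = verifier.sms_outbox[account.phone].split()[-1]
    else:
        code = ""   # the requester cannot see the message and has nothing valid to submit
    return verifier.confirm(account, code)


def demo() -> tuple:
    """Returns (weak_check_passes_for_sister, strong_flow_sister, strong_flow_holder)."""
    outbox = {}
    verifier = OutOfBandVerifier(outbox)
    weak = knowledge_check(ACCOUNT, SISTER_CLAIM)
    sister = authorize_change(ACCOUNT, SISTER_CLAIM, {"+34611111111"}, verifier)
    holder = authorize_change(ACCOUNT, SISTER_CLAIM, {ACCOUNT.phone}, verifier)
    return weak, sister, holder


if __name__ == "__main__":
    print(demo())   # expected: (True, False, True)
```

The weak check returns True for the sister, which is exactly the outcome the AEPD sanctioned. In the out-of-band flow the same knowledge only triggers a code to the registered number, so the request is authorized for whoever holds that phone and refused otherwise; the code is single-use and expires, and the comparison is constant-time so the verifier does not leak partial matches.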
Recommendations to avoid being sanctioned
Any company in general, and energy marketing companies in particular, must design the technical and organizational security measures necessary to comply with the RGPD and LOPD, which would include:
Data Protection Officer (DPO)
Designate a Data Protection Officer, which is mandatory, and register the appointment with the AEPD, in compliance with article 34.1 i) LOPDGDD.
Security Policy Design
With the advice of the DPO, a Security Policy will be drawn up and approved by the company's highest administrative and management body; among many other matters, it will include the Customer Authentication Policy.
Training
Mandatory training of staff on the approved policies in particular and on data protection in general.
Business Adapter® at your service
If you are a customer and are unsure whether the Customer Authentication measures are being applied correctly and want to contact your data protection officer, or if you are not yet a Business Adapter® customer and would like us to contact you with the necessary advice, call 96 131 88 04 or write to info@businessadapter.es.