Details:
| Summary | The Spanish DPA has fined BASER COMERCIALIZADORA DE REFERENCIA, S.A., EUR 150,000. A customer of the company had filed a complaint with the DPA since their electricity supply contract was modified without their consent. This resulted in an increase in the electricity supply. In the course of its investigations, the DPA found that a fraudster had pretended to be the data subject by providing the name and ID number of the data subject. In this way, they were able to modify the data subject’s contract.
According to the DPA, the controller had not properly verified the identity of the fraudster before modifying the contract and, due to a lack of sufficient security measures, had not made sure that the inquirer was actually the data subject. |
| Link: | link |
| Related articles: | Art. 6 GDPR, Art. 32 GDPR |
| Type: | Insufficient legal basis for data processing |
| Fine: | EUR 150,000 |
| Sector | Transportation and Energy |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/