Case Studies Disclosure / Unauthorised Disclosure
Disclosure of personal data to a debt collection agency
An individual contacted the DPC after an energy service provider further processed their personal data by sharing it with a third party, a debt collection agency acting as a data processor. According to the individual, they had completed their contract with the service provider and had received a final invoice for the services provided. The individual disputed some of the charges on that invoice but received no response from the service provider, and was subsequently contacted by the debt collection agency.
As part of the complaint handling process, the DPC contacted the service provider and asked which lawful basis under Article 6 of the GDPR it was relying on for sharing the individual’s personal data with the debt collection agency. The service provider stated that its lawful basis was Article 6(1)(b) of the GDPR, under which processing is lawful if it ‘is necessary for the performance of a contract to which the data subject is party…’. The service provider further explained that the individual’s invoice dispute concerned an ‘early exit fee’, applied because the individual had cancelled the contract before the agreed contract length had elapsed. Its terms and conditions stated that a customer who breaks the contract would be charged an exit fee, and the individual had agreed to those terms and conditions when registering with the service provider.
However, the service provider also informed the DPC that it had failed to record the individual’s dispute of the invoice. Because the dispute was not recorded, the account was treated as an undisputed debt and the individual’s personal data was shared with the third party in error. The service provider acknowledged that it had not followed its own internal procedure for dealing with disputed debts and attributed this to human error.
Although the service provider would normally have a lawful basis for sharing an individual’s personal data with a debt collection agency in circumstances such as these, its failure to follow the correct internal procedure meant that, in this instance, it processed the individual’s personal data incorrectly by passing their details to the third party data processor.
Accordingly, the service provider failed to demonstrate its compliance with a key principle of the GDPR: that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, using appropriate technical or organisational measures, in accordance with Article 5(1)(f) of the GDPR (‘integrity and confidentiality’).
The service provider should also have had regard to Article 25 of the GDPR (‘Data protection by design and default’). Article 25 requires appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed; a measure that exists on paper but is not in fact followed by all staff members does not meet that requirement.
The DPC recommended to the service provider that where there is a live dispute on the account it should ensure that its staff are aware of the internal procedure to document the dispute so that accounts are not referred to a debt collection agency until the dispute is resolved or closed.
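The DPC’s recommendation above is an organisational measure. The following is an added illustration, not code from the DPC or from the service provider, of how the same control can be built into a billing system so that it does not depend on a staff member remembering a procedure: a dispute is recorded on the account at the moment it is raised, the referral step refuses to export an account with a live dispute, and the data actually sent to the agency is limited to the fields needed to pursue the debt. The account fields, the sample account and the function names (`raise_dispute`, `refer_to_agency` and so on) are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed illustration: hypothetical account model, not a real provider's system.


@dataclass
class Dispute:
    dispute_id: int
    reason: str
    opened_at: datetime
    status: str = "open"  # "open" | "resolved" | "closed"


@dataclass
class Account:
    account_id: str
    full_name: str
    postal_address: str
    email: str           # held for servicing the account, not needed by the agency
    phone: str           # likewise
    date_of_birth: str   # likewise
    balance_due: float
    disputes: List[Dispute] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)


class ReferralBlocked(Exception):
    """Raised when an account must not be passed to the collection agency."""


def _now(now: Optional[datetime]) -> datetime:
    return now or datetime.now(timezone.utc)


def raise_dispute(account: Account, reason: str, now: Optional[datetime] = None) -> Dispute:
    # The dispute is written to the account at intake, so the state that the
    # referral gate checks cannot be left unrecorded by a later manual step.
    ts = _now(now)
    dispute = Dispute(len(account.disputes) + 1, reason, ts)
    account.disputes.append(dispute)
    account.audit_log.append(f"{ts.isoformat()} dispute {dispute.dispute_id} opened: {reason}")
    return dispute


def close_dispute(account: Account, dispute_id: int, outcome: str,
                  now: Optional[datetime] = None) -> None:
    if outcome not in ("resolved", "closed"):
        raise ValueError("outcome must be 'resolved' or 'closed'")
    for d in account.disputes:
        if d.dispute_id == dispute_id and d.status == "open":
            d.status = outcome
            account.audit_log.append(f"{_now(now).isoformat()} dispute {dispute_id} {outcome}")
            return
    raise ValueError(f"no open dispute with id {dispute_id}")


def open_disputes(account: Account) -> List[Dispute]:
    return [d for d in account.disputes if d.status == "open"]


def referral_payload(account: Account) -> Dict[str, Any]:
    # Data minimisation by default: only what the agency needs to pursue the
    # debt leaves the system. Email, phone and date of birth stay behind.
    return {
        "account_id": account.account_id,
        "full_name": account.full_name,
        "postal_address": account.postal_address,
        "balance_due": account.balance_due,
    }


def refer_to_agency(account: Account, now: Optional[datetime] = None) -> Dict[str, Any]:
    # The check runs at the moment of export, not when the account was queued,
    # so a dispute raised in between still blocks the transfer.
    ts = _now(now)
    if account.balance_due <= 0:
        raise ReferralBlocked("no outstanding balance")
    live = open_disputes(account)
    if live:
        ids = ", ".join(str(d.dispute_id) for d in live)
        account.audit_log.append(f"{ts.isoformat()} referral blocked: open dispute(s) {ids}")
        raise ReferralBlocked(f"account has open dispute(s): {ids}")
    payload = referral_payload(account)
    account.audit_log.append(f"{ts.isoformat()} referred to agency: fields {sorted(payload)}")
    return payload


def sample_account() -> Account:
    # Constructed sample data for the example.
    return Account("ACC-1001", "A. Customer", "1 Example Street, Dublin",
                   "a.customer@example.com", "+353 1 000 0000", "1980-01-01", 120.00)


if __name__ == "__main__":
    acct = sample_account()
    raise_dispute(acct, "early exit fee disputed")
    try:
        refer_to_agency(acct)
    except ReferralBlocked as e:
        print("blocked:", e)
    close_dispute(acct, 1, "resolved")
    print("sent to agency:", refer_to_agency(acct))
    print("\n".join(acct.audit_log))
```

The gate blocks referral while any dispute is open and lets it through once the dispute is resolved or closed; either way the decision and the exact fields exported are written to the account’s audit log, which is the evidence a controller needs to demonstrate compliance.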