AEPD Resolution: EXP202406152

Resolution Signed: 10/01/2026

AEPD Reference Number: EXP202406152

Sanction Procedure Number: AI-00244-2024 

Fine Amount: €0

Resolution Type: CADUCIDAD DE ACTUACIONES (Lapse of Proceedings)
Date Published: 10/01/2026

Full Description

The Incident: On March 13, 2024, a complainant filed a claim against Naturgy Iberia, S.A. alleging identity theft used to cancel electricity and gas supply contracts at properties she owned, without her consent.

What Naturgy Claimed Happened:

  • On the disputed date, someone identifying themselves as the complainant contacted Naturgy's customer service requesting contract cancellations, claiming to be leaving the country
  • The caller provided complete addresses, NIF, and critically, the last four digits of the bank account (obscured on invoices, known only to account holders)
  • This information satisfied Naturgy's security verification protocols
  • Later that same day, the real complainant called about paper invoices, and during the call was informed about the cancellation she hadn't requested
  • Naturgy immediately attempted to reverse the cancellations once the mistake was discovered

The Fraud Scheme Naturgy Uncovered: The company investigated phone numbers that had contacted the complainant, discovering they did not belong to Naturgy or any authorized partner. Someone systematically:

  1. Called the victim impersonating Naturgy about invoice delivery issues
  2. Used the victim's complete personal data to fraudulently cancel contracts
  3. Later contacted the victim again offering "help" to formalize contracts with a competing supplier

The AEPD's Decision: The Spanish Data Protection Agency declared the preliminary investigation proceedings LAPSED due to exceeding the 18-month maximum duration mandated by Article 67.2 LOPDGDD. The investigation period began June 4, 2024, when the claim was admitted, but no formal sanction procedure was initiated before the deadline expired.

Articles Infringed

Article 67.2 LOPDGDD: Establishes that preliminary investigation proceedings cannot exceed 18 months from admission date

Article 122.4 RLOPD: States that expiration of the deadline without issuing a formal initiation agreement produces the lapse of preliminary proceedings

Actionable Steps

This resolution provides critical lessons about procedural timelines and third-party fraud in data protection contexts:

1. The 18-Month Investigation Clock

Protocol: Under Article 67.2 LOPDGDD, the AEPD has 18 months from admitting a claim to either initiate formal sanction proceedings or close the investigation. After this deadline, the proceedings lapse automatically.

For Companies: If you're under AEPD investigation and 18 months pass without formal charges, the investigation automatically terminates. However, this doesn't prevent the AEPD from opening new proceedings if additional evidence emerges.

2. Third-Party Identity Theft Defense

Naturgy's case demonstrates the third-party fraud defense:

When Identity Theft Occurs:

  • Document your security verification procedures in advance
  • Demonstrate that verification protocols were followed
  • Investigate suspicious contact methods immediately
  • Preserve evidence showing you were also a victim of fraud

Key Evidence: Naturgy provided proof that fraudulent calls came from numbers not associated with their organization or authorized partners.

3. The "Reasonable Security" Standard

Although Naturgy was itself a victim of fraud, its security protocol (asking for the last 4 account digits) was reasonable given:

  • These digits are obscured on invoices
  • Only legitimate account holders should know them
  • The caller provided complete, accurate identifying information

Action: Document why your security measures are "appropriate" for your risk level under Article 32 GDPR.

4. Swift Response to Suspected Fraud

Critical timeline management:

  • Same-day discovery: Real complainant called, discrepancy identified
  • Immediate action: Cancellation requests were reversed "immediately"
  • Investigation: Company traced unauthorized phone numbers

Protocol: When fraud is detected, rapid response demonstrates good faith compliance and can limit liability.

5. Understanding Lapse vs. Dismissal

Important Distinction:

  • Lapse (Caducidad): Proceedings terminated due to procedural time limits - NOT a judgment on merits
  • Dismissal (Archivo): Authority reviewed the case and decided no infraction occurred

Business Impact: Lapse doesn't mean your conduct was lawful—it means the authority missed their deadline. The issue could theoretically be re-opened with new evidence or separate proceedings.

6. Administrative Coordination Failures

This case highlights resource allocation challenges within data protection authorities. The AEPD admitted the claim but failed to advance proceedings within the statutory period.

For Complainants: Procedural lapses don't vindicate the alleged violator's conduct—they reflect administrative delays. You may consider:

  • Filing a new complaint if new evidence emerges
  • Pursuing civil remedies independently

7. Fraud Prevention Protocols

Recommended Enhanced Measures:

  • Multi-factor authentication for account changes
  • Mandatory call-back verification to registered numbers
  • Suspicious activity flags (e.g., major changes requested same day as routine inquiries)
  • Customer notification systems for contract modifications

Summary of Business Risk

Zero Sanction - This case resulted in no fine because the proceedings lapsed procedurally, not because Naturgy was exonerated. Key takeaways:

  1. Identity theft by sophisticated fraudsters does not automatically create GDPR liability if your security measures were reasonable and appropriate
  2. Swift investigation and remediation when fraud is detected demonstrates accountability
  3. Procedural time limits protect companies from indefinite investigations
  4. Lapse ≠ Vindication: The AEPD made no finding on whether Naturgy violated GDPR—only that they missed their deadline to prosecute

Link to Official AEPD PDF

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.
