At the beginning of this month, the Spanish Data Protection Agency ("AEPD") published an information note on the existence of fraudulent practices carried out by some companies offering data protection advisory services.
In the information note, the AEPD warned Spanish companies about these fraudulent practices, in which some companies fraudulently hold themselves out as the AEPD. The companies sent various writs to data controllers that purport to be issued by the AEPD, using letterheads similar to the ones used by the DPA and logos very similar to the ones used in the DPA's writs.
The writs have the same content as authentic AEPD communications to companies in respect of their compliance with Spanish data protection legislation, including warnings about the sanctions regime applicable to violations of the legislation. The fraudulent communications then include an offer for advisory services regarding compliance with the data protection legislation.
Through its information note, the AEPD has reminded companies that the agency does not issue writs of this kind requesting compliance in such general and broad terms, and it highlights the importance of double-checking the origin of such writs and the identity of the sender of the communication. In any event, when receiving any kind of suspicious request, the AEPD recommends contacting the relevant agency to confirm whether it is actually the sender of the request or whether the company has received a fraudulent communication. The AEPD also reminds companies that they are able to report any such fraudulent communications and may be able to bring legal proceedings if necessary.
Organisations that receive any communication purporting to be from the AEPD should ensure that it is genuine and should consider reporting any such communication if it is not.
A link to the Spanish DPA's information note is available here (Spanish).