Spanish DPA imposes fine of 1,500,000 euros on EDP Energía, S.A.U. for two infractions of the GDPR

May 18, 2021

Source: European Data Protection Board

The AEPD considers that EDP ENERGIA, S.A.U. has not adopted technical and organizational measures to verify whether a person who hires its services on behalf of another natural person has authorization to carry out the contracting. Nor has it adopted technical and organizational measures to verify whether a person who acts on behalf of another natural person is authorized by that person to consent to other processing of personal data on their behalf. These consents were requested during the hiring procedure, for two purposes: sending their own commercial communications and those of third parties, and profiling with information from third-party databases for automated decision-making in order to send personalized commercial proposals and to enable the contracting of certain services. Consequently, the AEPD concludes that EDP ENERGIA, S.A.U. has violated Article 25 of the GDPR. In accordance with Article 83(4)(a), a fine of 500,000 euros was imposed.

In addition, the AEPD considers that the document designed to supply information to data subjects does not provide enough information about the controller, the legal basis for processing not based on consent, the purposes of processing relating to profiling on the basis of legitimate interest, nor the possibility to object to processing activities that the controller bases on its legitimate interest. Moreover, in some procedures for contracting the company’s services (e.g., contracting by telephone) the form of access to all the information required under Article 13 is not simple and immediate. Consequently, the AEPD considers that Article 13 of the GDPR has been infringed. Pursuant to Article 83(5)(b) of the GDPR, a fine of 1,000,000 euros was imposed.

To read the full decision in Spanish, click here.
For further information, please contact the Spanish DPA: prensa@aepd.es

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
