GAOLANIA SERVICIOS, S.L. – €30,000 Fine (Spain, 2025)

On 29 March 2023, a data subject complained to the DPA, after their electricity provider had been changed without their consent. The data subject had not requested any switch and objected upon being notified. The controller, GAOLANIA SERVICIOS, S.L., initiated the change following a contract with a third party who provided a CUPS identifier. However, this identifier corresponded to the data subject’s electricity supply point. The controller failed to verify the accuracy of this information and proceeded with the switch. As a result, the controller processed the data subject’s personal data and changed their electricity provider, even though the data subject had no relationship with the controller First, the DPA held that the controller infringed Article 5 GDPR 1 d by failing to ensure the accuracy of personal data, as it relied on an incorrect identifier that led to the misidentification of the data subject. Second, the DPA found that the controller infringed Article 6 GDPR 1, since the processing lacked a legal basis. The data subject had neither consented nor entered into a contract with the controller. Third, the DPA emphasised that controllers must verify personal data before processing and cannot rely solely on information provided by third parties. The DPA imposed an administrative fine of €30,000, taking into account the negligent conduct and the impact on the data subject.