EDP Comercializadora, S.A.U. – €1,500,000 Fine (Spain, 2021)

€1,500,000Agencia Española de Protección de Datos4 May 2021Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

EDP Comercializadora was fined EUR 1.5 million in Spain for not informing customers about how their data was used and failing to verify if contract signers were authorized. This emphasizes the need for transparency and proper checks in data practices.

What happened

EDP Comercializadora processed personal data without informing customers and did not verify if representatives had authorization to act on behalf of others.

Who was affected

Customers whose data was collected without proper information and those whose contracts were signed by unauthorized representatives.

What the authority found

The Spanish authority found EDP Comercializadora violated GDPR by not providing required information to customers and not verifying representative authorizations.

Why this matters

This case highlights the importance of ensuring transparency in data practices and verifying authorizations. Businesses should ensure their data handling and contract processes comply with legal requirements to avoid fines.

GDPR Articles Cited

AI-verified

Art. 13 GDPR
Art. 25 GDPR
View original scraped data
Art. 13 GDPR
Art. 25 GDPR

Original data from scraper before AI verification against source document.

Source verified 5 March 2026
verified correct
Spain enforcementAgencia Española de Protección de Datos actionsAll EDP Comercializadora, S.A.U. actions
Full Legal Summary
Detailed

The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Comercializadora, S.A.U.. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR - Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. Besides, the company's business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA finds that the controller failed to implement a procedure to verify the authorization of the alleged representatives.The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR.

Related Enforcement Actions (1)

Other enforcement actions involving EDP Comercializadora, S.A.U. in ES

Fine
Jan 2020· Agencia Española de Protección de Datos

The company processed personal data in connection with a gas contract without the consent of the applicant. The decision finds that the applicant rece...

€75K
Current
May 2021

Fine

€1.5M

Details

Fine Date

4 May 2021

Authority

Agencia Española de Protección de Datos

Fine Amount

€1,500,000

Enforcement Tracker ID

ETid-670

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. EDP Comercializadora, S.A.U. - Spain (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: