EDP Energía, S.A.U – €1,500,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Spain fined EDP Energía EUR 1.5 million for not properly informing customers about how their data was used. The company also failed to verify if people signing contracts on behalf of others were authorized to do so. This case highlights the importance of transparency and proper authorization in data handling.
What happened
EDP Energía processed personal data without informing customers and failed to verify if representatives had authorization to act on behalf of others.
Who was affected
Customers whose data was collected without proper information and those whose contracts were signed by unauthorized representatives.
What the authority found
The Spanish authority found EDP Energía violated GDPR by not providing required information to customers and not verifying representative authorizations.
Why this matters
This case underscores the need for businesses to ensure clear communication about data use and to verify authorizations when dealing with representatives. Companies should review their data handling and contract processes to avoid similar penalties.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Spanish DPA (AEPD) has imposed a fine of EUR 1,500,000 on EDP Energía, S.A.U.. The decision follows, in particular, several complaints received for processing personal data without consent. As the DPA found, the controller had failed to inform data subjects in accordance with Art. 13 GDPR when collecting their data. This involved data subjects not being informed of their rights under Art. 15 GDPR - Art. 22 GDPR, and the contact details of the controller (e.g. its address) being incomplete. Besides, the company's business practice allowed it to conclude contracts with customer representatives instead of with the customers directly. In these cases, however, the data controller did not check whether there was actually an authorization to represent the data subjects. The DPA finds that the controller failed to implement a procedure to verify the authorization of the alleged representatives.The fine is composed proportionately of EUR 1,000,000 for a breach of Art. 13 GDPR and EUR 500,000 for a breach of Art. 25 GDPR.
Related Enforcement Actions (0)
No other enforcement actions found for EDP Energía, S.A.U in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 May 2021
Authority
Agencia Española de Protección de Datos
Fine Amount
€1,500,000
Enforcement Tracker ID
ETid-671
About this data
Cite as: Cookie Fines. EDP Energía, S.A.U - Spain (2021). Retrieved from cookiefines.eu
Last updated: