ENDESA ENERGÍA, S.A.U. – €6,100,000 Fine (Spain, 2023)

€6,100,000 | Agencia Española de Protección de Datos | 25 October 2023 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

ENDESA ENERGÍA, S.A.U. was fined EUR 6.1 million due to a serious security breach that exposed personal data of millions. The company failed to protect its systems and did not inform authorities or affected individuals quickly enough. This incident underscores the critical need for strong data security measures.

What happened

ENDESA ENERGÍA, S.A.U. experienced a security breach that led to unauthorized access to personal data.

Who was affected

Millions of individuals whose personal data, including names and bank details, were compromised in the breach.

What the authority found

The Spanish DPA ruled that the company did not implement adequate security measures and failed to notify about the breach in a timely manner.

Why this matters

This ruling stresses the importance of robust data security practices for companies. Businesses must prioritize protecting personal data and be prepared to act swiftly in the event of a breach.

GDPR Articles Cited

Art. 32 GDPR
Art. 33 GDPR
Art. 34 GDPR
Art. 44 GDPR
Art. 5(1)(f) GDPR
Source verified 4 March 2026
verified correct
Full Legal Summary

The Spanish DPA has fined ENDESA ENERGÍA, S.A.U. EUR 6.1 million due to a security breach resulting in unauthorized access to its systems. The controller had informed the DPA that certain Facebook ads had been placed offering the sale of login credentials for the Endesa platform, resulting in the compromise of data such as names, first names, ID numbers, telephone numbers, email addresses, postal addresses and bank account numbers of millions of individuals. The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data and prevent such incidents. In addition, the controller failed to inform the DPA and the data subjects of the security incident in a timely manner. Finally, the DPA found that the controller did not implement adequate safeguards for the transfer of personal data to countries not covered by an adequacy decision of the EU Commission.

Related Enforcement Actions (0)

No other enforcement actions found for ENDESA ENERGÍA, S.A.U. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 25 October 2023
Authority: Agencia Española de Protección de Datos
Fine Amount: €6,100,000
Enforcement Tracker ID: ETid-2220

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. ENDESA ENERGÍA, S.A.U. - Spain (2023). Retrieved from cookiefines.eu
