ENERGYA VM GESTIÓN DE ENERGÍA, S.L. – €5,000,000 Fine (Spain, 2024)

€5,000,000Agencia Española de Protección de Datos6 February 2024Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Spain's data protection authority fined ENERGYA VM GESTIÓN DE ENERGÍA EUR 5 million for mishandling personal data during sales calls. This is significant because it shows that companies must ensure their contractors follow privacy laws. Businesses should conduct risk assessments to avoid similar penalties.

What happened

The Spanish DPA fined ENERGYA VM EUR 5 million for unlawful processing of personal data during sales calls made by a contractor.

Who was affected

Customers who were misled into providing personal data during sales calls were affected.

What the authority found

The DPA found that ENERGYA VM failed to comply with GDPR requirements by not assessing the risks of its contractor's data processing activities.

Why this matters

This case highlights the responsibility of companies to oversee their contractors' compliance with data protection laws. It serves as a warning for businesses to implement thorough risk assessments to protect customer data.

GDPR Articles Cited

AI-verified

Art. 5(1)(a) GDPR
Art. 5(2) GDPR
View original scraped data
Art. 5(1)(a) GDPR
Art. 5(2) GDPR

Original data from scraper before AI verification against source document.

Source verified 5 March 2026
verified correct
Spain enforcementAgencia Española de Protección de Datos actionsAll ENERGYA VM GESTIÓN DE ENERGÍA, S.L. actions
Full Legal Summary
Detailed

The Spanish DPA (AEPD) has fined ENERGYA VM GESTIÓN DE ENERGÍA, S.L. EUR 5 million following an investigation into unlawful personal data processing by Nivalco, a company contracted by Energya VM to make sales calls to customers. During these calls, customers were misled into providing additional personal data to conclude a new energy supply contract. The AEPD determined that Energya VM acted as the 'data controller' for the processing of this personal data, as it provided Nivalco with a sales script, thereby influencing the data processing. However, Energya VM failed to comply with GDPR requirements, particularly by not conducting a risk assessment for Nivalco's data processing activities

Related Enforcement Actions (0)

No other enforcement actions found for ENERGYA VM GESTIÓN DE ENERGÍA, S.L. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

6 February 2024

Authority

Agencia Española de Protección de Datos

Fine Amount

€5,000,000

Enforcement Tracker ID

ETid-2543

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. ENERGYA VM GESTIÓN DE ENERGÍA, S.L. - Spain (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: