EDP Solar Spain – €42,000 Fine (Spain, 2025)

Ecodes, here the processor, ran a solar neighbourhood project where 100 residents could take advantage of the solar energy generated on the roof of a municipal building in their area for a set monthly fee. In order to sign up to the project, interested individuals had to register on a website provided by EDP Solar, a solar panel provider and here the controller. The entered details were then sent to the Ecodes email account, here the processor, which selected eligible candidates and then sent their information to EDP Solar in order for them to be added to the participant list. The data subject was one of the participants in the project. The data subject had received an email to which a pdf had been attached which contained the following parts of personal data belonging to 99 different people: name, surname, ID numbers, mobile phone number, e-mail address, postal address, town and postcode and the individuals’ signatures. The data subjected contacted Ecodes informing them of the data breach and requesting Ecodes to restrict the excesive processing of personal data. Ecodes then sent the data subject an email explaining that the information had to be disclosed as the document sent was the contract on which the project was based. It explained that every participant had to be provided with a copy of the contract they had entered into. The data subject lodged a complaint with the Spanish DPA (Agencia Española de Protección de Datos – AEPD). The email had been sent from an Ecodes domain but at the bottom of the email, you could see the EDP logo and during the investigation, it was established that EDP Solar had instructed Ecodes to send the email. The investigation showed that the pdf file included several documents which were relevant to the contract such as the powers of attorney of each participant but also included the personal information listed above. The AEPD determined that EDP Solar acted as the controller and Ecodes as the processor as Ecodes had been instru