EDP Solar Spain – €42,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
EDP Solar Spain faced a fine for mishandling personal data during a solar energy project. They sent an email containing sensitive information of 99 people to a participant, which violated data protection rules. This case highlights the importance of protecting personal data when managing customer information.
What happened
EDP Solar Spain sent an email that included personal data of 99 individuals to a participant in a solar energy project without proper safeguards.
Who was affected
The affected individuals were 99 participants in a solar energy project whose personal information was improperly shared.
What the authority found
The Spanish data protection authority found that EDP Solar Spain failed to protect personal data, violating Article 5(1)(c) of GDPR.
Why this matters
This ruling emphasizes the need for companies to ensure that personal data is handled securely and shared only when necessary. Businesses should review their data handling practices to avoid similar violations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Ecodes, here the processor, ran a solar neighbourhood project where 100 residents could take advantage of the solar energy generated on the roof of a municipal building in their area for a set monthly fee. In order to sign up to the project, interested individuals had to register on a website provided by EDP Solar, a solar panel provider and here the controller. The entered details were then sent to the Ecodes email account, here the processor, which selected eligible candidates and then sent their information to EDP Solar in order for them to be added to the participant list. The data subject was one of the participants in the project. The data subject had received an email to which a pdf had been attached which contained the following parts of personal data belonging to 99 different people: name, surname, ID numbers, mobile phone number, e-mail address, postal address, town and postcode and the individuals’ signatures. The data subjected contacted Ecodes informing them of the data breach and requesting Ecodes to restrict the excesive processing of personal data. Ecodes then sent the data subject an email explaining that the information had to be disclosed as the document sent was the contract on which the project was based. It explained that every participant had to be provided with a copy of the contract they had entered into. The data subject lodged a complaint with the Spanish DPA (Agencia Española de Protección de Datos – AEPD). The email had been sent from an Ecodes domain but at the bottom of the email, you could see the EDP logo and during the investigation, it was established that EDP Solar had instructed Ecodes to send the email. The investigation showed that the pdf file included several documents which were relevant to the contract such as the powers of attorney of each participant but also included the personal information listed above. The AEPD determined that EDP Solar acted as the controller and Ecodes as the processor as Ecodes had been instru
Related Enforcement Actions (0)
No other enforcement actions found for EDP Solar Spain in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
14 January 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€42,000
GDPRhub ID
gdprhub-8753About this data
Cite as: Cookie Fines. EDP Solar Spain - Spain (2025). Retrieved from cookiefines.eu
Last updated: