Energya VM Gestión de Energía, S.L – €5,000,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Energya VM received several complaints from data subjects alleging they had been contacted by Nivalco, which offered energy services. The individuals making these calls had access to the customers' personal data. In response, Energya VM held a meeting with Nivalco to clarify the purpose of the calls and the discounts being offered. An internal audit revealed that most of the calls targeted customers who had canceled their agreements within the initial days of the contract. Under their contractual arrangement, Nivalco was responsible for promoting Energya VM’s services and managing a database containing the personal information of individuals and businesses for marketing purposes. Energya VM claimed it was not involved in compiling this database and only accessed personal data when an individual entered into an agreement for energy services. On May 9, 2023, the Spanish Data Protection Agency (AEPD) initiated an investigation into alleged violations of Article 5(2) GDPR and Article 5(1)(a) GDPR. Energya VM denied responsibility for Nivalco’s data processing practices, asserting that Nivalco independently obtained and managed the personal data and autonomously decided its use. Energya also argued that its lack of access to the database prevented effective supervision. However, during its investigation, the AEPD found that Energya VM had provided Nivalco with instructions regarding the processing of personal data, undermining Energya’s claims of non-involvement. Energya VM was deemed the data controller. The contractual relationship between Energya VM and Nivalco ended on May 28, 2020. The AEDP determined that Energya VM violated Article 5(1)(a) GDPR, as well as Article 5(2) GDPR. • Article 5(1)(a) GDPR: The facts indicate that the processing of personal data was neither lawful nor transparent, as Energya VM was aware that Nivalco was using the data in a manner that misled customers. Energya VM provided Nivalco with a sales script for the calls, which violated Arti
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Energya VM received several complaints from data subjects alleging they had been contacted by Nivalco, which offered energy services. The individuals making these calls had access to the customers' personal data. In response, Energya VM held a meeting with Nivalco to clarify the purpose of the calls and the discounts being offered. An internal audit revealed that most of the calls targeted customers who had canceled their agreements within the initial days of the contract. Under their contractual arrangement, Nivalco was responsible for promoting Energya VM’s services and managing a database containing the personal information of individuals and businesses for marketing purposes. Energya VM claimed it was not involved in compiling this database and only accessed personal data when an individual entered into an agreement for energy services. On May 9, 2023, the Spanish Data Protection Agency (AEPD) initiated an investigation into alleged violations of Article 5(2) GDPR and Article 5(1)(a) GDPR. Energya VM denied responsibility for Nivalco’s data processing practices, asserting that Nivalco independently obtained and managed the personal data and autonomously decided its use. Energya also argued that its lack of access to the database prevented effective supervision. However, during its investigation, the AEPD found that Energya VM had provided Nivalco with instructions regarding the processing of personal data, undermining Energya’s claims of non-involvement. Energya VM was deemed the data controller. The contractual relationship between Energya VM and Nivalco ended on May 28, 2020. The AEDP determined that Energya VM violated Article 5(1)(a) GDPR, as well as Article 5(2) GDPR. • Article 5(1)(a) GDPR: The facts indicate that the processing of personal data was neither lawful nor transparent, as Energya VM was aware that Nivalco was using the data in a manner that misled customers. Energya VM provided Nivalco with a sales script for the calls, which violated Arti
Related Enforcement Actions (0)
No other enforcement actions found for Energya VM Gestión de Energía, S.L in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
16 January 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€5,000,000
GDPRhub ID
gdprhub-8674About this data
Cite as: Cookie Fines. Energya VM Gestión de Energía, S.L - Spain (2024). Retrieved from cookiefines.eu
Last updated: