REPSOL COMERCIALIZADORA DE ELECTRICIDAD Y GAS S.L.U. – €1,380,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Repsol (the controller) is a Spanish multinational energy and petrochemical provider. The controller contacted a data subject regarding their next periodic and mandatory gas inspection. The data subject responded to clarify that their home had already gone through an inspection recently, and found out that there was another location registered under their name and ID that they were unaware of. In January 2022, the controller mistakenly included the personal data of the data subject in two contracts of another client. The controller included the data subject’s full name, but not their ID or bank account information (these corresponded to the other client). The controller then changed the contract information for both contracts in March 2022, but the data subject still received bills from the contract. The data subject filed a complaint to the DPA on 22 June 2022. The controller argued that there was no violation of the GDPR because it was a human error resulting from the complete similarity between the data subjects’ names. Furthermore, the controller argued that there was no violation of Article 32 GDPR, because it had appropriate technical and organisational measures in place at the time. The controller also stated that in the case the DPA found a violation, the statute of limitations will have passed. The DPA began the sanctioning procedure against the controller on 27 May 2024. The DPA first dismissed the argument on statute of limitations. According to the DPA, the statute of limitations (2 years) had not passed, because the data subject had received bills in July 2022 on the contract mistakenly attributed to them. The DPA found a violation of the principle of data accuracy (Article 5(1)(d) GDPR). The DPA considered that, while the names were similar, they were not exactly the same. Furthermore, other data such as their ID and bank account were different. The DPA stated that the incident could have been avoided if the controller had checked the all th
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Repsol (the controller) is a Spanish multinational energy and petrochemical provider. The controller contacted a data subject regarding their next periodic and mandatory gas inspection. The data subject responded to clarify that their home had already gone through an inspection recently, and found out that there was another location registered under their name and ID that they were unaware of. In January 2022, the controller mistakenly included the personal data of the data subject in two contracts of another client. The controller included the data subject’s full name, but not their ID or bank account information (these corresponded to the other client). The controller then changed the contract information for both contracts in March 2022, but the data subject still received bills from the contract. The data subject filed a complaint to the DPA on 22 June 2022. The controller argued that there was no violation of the GDPR because it was a human error resulting from the complete similarity between the data subjects’ names. Furthermore, the controller argued that there was no violation of Article 32 GDPR, because it had appropriate technical and organisational measures in place at the time. The controller also stated that in the case the DPA found a violation, the statute of limitations will have passed. The DPA began the sanctioning procedure against the controller on 27 May 2024. The DPA first dismissed the argument on statute of limitations. According to the DPA, the statute of limitations (2 years) had not passed, because the data subject had received bills in July 2022 on the contract mistakenly attributed to them. The DPA found a violation of the principle of data accuracy (Article 5(1)(d) GDPR). The DPA considered that, while the names were similar, they were not exactly the same. Furthermore, other data such as their ID and bank account were different. The DPA stated that the incident could have been avoided if the controller had checked the all th
Related Enforcement Actions (0)
No other enforcement actions found for REPSOL COMERCIALIZADORA DE ELECTRICIDAD Y GAS S.L.U. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 May 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€1,380,000
GDPRhub ID
gdprhub-9391About this data
Cite as: Cookie Fines. REPSOL COMERCIALIZADORA DE ELECTRICIDAD Y GAS S.L.U. - Spain (2025). Retrieved from cookiefines.eu
Last updated: