ADNAYA GREEN SOLUTIONS – €10,000 Fine (Spain, 2025)

ADNAYA GREEN SOLUTIONS, S.L. (the controller) is a company that provides electrical work and services, including installing solar panels. The controller had a contract with a data subject, in which the controller processed their personal data to manage the data subject’s grants to install solar panels. The data subject received several emails in April 2024 from a grants management company, informing them that the controller had gone bankrupt and proposing to continue managing grant applications. The data subject asked the grants management company how it obtained their data. The grants management company replied that it worked with the controller and it had a shared list of all of the controller’s customers, from which it was assigned those it had to manage. From there, the grants management company also obtained the data for the rest of the customers it didn’t manage. The consumer filed a complaint to the Spanish DPA on 10 June 2024. The DPA stated out that, in accordance with Article 6(1) GDPR, the processing of personal data requires the existence of a legal basis. The DPA considered that the controller had transferred the data subject’s personal data without a legal basis. This would include the data subject’s name and email address, and realistically, their ID information as well. The DPA noted that grants management company obtained the data before the controller had communicated the bankruptcy situation to the data subject. Therefore, the DPA imposed a fine of €10,000 to the controller. The DPA considered it a severe violation, as it involved processing without a legal basis. In addition, the fact that the controller assigned customers to the grants management company meant that the controller likely regularly transferred data subjects’ personal data without a legal basis. The DPA concluded that this suggested the number of people affected by the unlawful processing is high.