I-DE Redes Eléctricas Inteligentes, S.A.U. – €3,500,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 15 March 2022, I-DE Redes Eléctricas Inteligentes, S.A.U. (the controller) detected an attack on its GEA management portal (GEA portal), which is a web portal that manages service connections between the electric distribution network. At that point, the controller had yet to detect any effect on personal data. The following day (16 March), a brute-force attack was launched against the same web page, resulting in a general slowdown. The controller adopted security measures in order to repel the attack. The controller analysed the attack’s activity and concluded that it had extracted the personal data of 1.35 million clients. The breached data included names, surnames, email addresses, phone numbers, addresses, national identification card numbers and client codes. On 18 March 2022, the controller notified the AEPD of the breach.
The controller is Iberdrola's energy distribution brand. Spanish law concerning the electricity sector requires that regulated activities (such as distribution of electricity) and unregulated activities (such as marketing) be unbundled. In accordance with that law, the controller stated that it could only access the personal data of users of its electric service. It thus claimed that it does not have access to the data of data subjects managed by other distribution companies.
Despite this separation, the controller communicated the breach to other companies of the Iberdrola group on 28 March 2022, noting that it could have affected information referring to clients of these companies. The controller included internal codes corresponding to the affected clients so that the companies could verify whether those clients’ data had been compromised. Two companies, Iberdrola Clientes, S.A. and Curenergía Comercializador de Ultimo Recurso SA, subsequently reported to the AEPD that personal data of 92,550 and 1,515,000 clients was affected, respectively. Due to the numerous companies affected, the AEPD initiated investigations into four entities. The contro
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for I-DE Redes Eléctricas Inteligentes, S.A.U. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
7 February 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€3,500,000
Enforcement Tracker ID
ETid-2558
GDPRhub ID
gdprhub-7819
About this data
Cite as: Cookie Fines. I-DE Redes Eléctricas Inteligentes, S.A.U. - Spain (2024). Retrieved from cookiefines.eu