EDP ENERGIA, S.A.U., energy company, fined EUR 75k

On 14/Jan/2020, EDP ENERGIA, S.A.U. received a privacy fine of EUR 75,000. The enforcement authority (Spanish Data Protection Agency) cited the following legal provision in imposing the fine on EDP ENERGIA, S.A.U.: Article 6 GDPR.


Date of enforcement action:
Jurisdiction: Spain
Fine imposed: EUR 75,000 (US$82,000)
Defendant company or entity: EDP ENERGIA, S.A.U.
Industry segment: Utilities

Case summary

The Spanish Data Protection Agency has fined EDP ENERGIA, S.A.U. EUR 75,000 for processing the personal data of a data subject, said to be a customer, without a lawful basis. The fine was imposed because the company did not check whether a third party had the proper authority to represent the data subject. The company did not have in place adequate procedures on this point and proceeded to process personal data as a result of the third party’s instructions.

The data subject stated that, after receiving an “invoice” for utility services at his home, a further document, i.e. a “Notification of default” arrived. After this, he made a complaint to the Spanish Data Protection Agency. The invoice and notice of default both contained the data subject’s personal data.

The Spanish Data Protection Agency found that the respondent company had processed the data subject’s personal data based on the instructions of a third party. Two issues were therefore relevant: (i) whether that third party had the proper authorisation to act on behalf of the data subject and (ii) whether the respondent company had procedures in place to verify such third party representation.

“In the light of the documentation provided by EDP – four audio transcripts with the calls made between that company and Mrs. BBB [third party] on September 17 and 18, 2018 in order to manage the signing of the contract on behalf of the claimant [data subject] – it is found that at no time the entity [company] demanded that the third party (Mrs. BBB), who provided the claimant’s information, and said to have his representation, provide a document that verifies or evidences the representation. Nor is it known that the entity, before registering the electricity supply contract in the name of the data subject – and despite the fact that EDP’s lawful basis to process the claimant’s personal data was based exclusively on the fact that these had been provided by the alleged representative – had some measure to verify the reality of that representation.”

Accordingly, the Spanish Data Protection Agency found that EDP ENERGIA, S.A.U. had no lawful basis to process the data subject’s personal data and had not engaged sufficiently diligent internal procedures to verify cases of claimed third party representation. This was a breach of Article 6, in that there was no link of consent or contractual assent that could be proved between the data subject and EDP ENERGIA, S.A.U.

(Spanish Data Protection Agency)

Applicable legal provisions

Enforcement information

Enforcement authority: Spanish Data Protection Agency
Type of enforcement action: Penalty notice
Subject to appeal?

Cite this fine in your work

Data Privacy Fines Index. (2020-01-14 12:55) EDP ENERGIA, S.A.U., energy company, fined EUR 75k. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/edp-energia-s-a-u-energy-company-fined-eur-75k/

Entry last updated: 2020-01-18 01:12 GMT.