Spain
ENDESA ENERGÍA, S.A.U.
GDPR enforcement action by Spanish Data Protection Authority (aepd) on 2023-10-25.
Case details
- Authority
- Spanish Data Protection Authority (aepd)
- Date
- 2023-10-25
- Controller / Processor
- ENDESA ENERGÍA, S.A.U.
- Sector
- Transportation and Energy
- Quoted Articles
- Art. 5 (1) f) GDPR, Art. 32 GDPR, Art. 33 GDPR, Art. 34 GDPR, Art. 44 GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The Spanish DPA has fined ENDESA ENERGÍA, S.A.U. EUR 6,1 million due to a security breach resulting in unauthorized access to its systems. The controller had informed the DPA that certain Facebook ads had been placed offering the sale of login credentials for the Endesa platform, resulting in the compromise of data such as names, first names, ID numbers, telephone numbers, email addresses, postal addresses, bank account numbers, of millions of individuals.
The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such incidents. In addition, the controller failed to inform the DPA and the data subjects of the security incident in a timely manner. Finally, the DPA found that the controller did not implement adequate safeguards for the transfer of personal data to countries not covered by an adequacy decision of the EU Commission.
Related fines