Spain Spain

ENERGYA VM GESTIÓN DE ENERGÍA, S.L.

5,000,000 €

GDPR enforcement action by Spanish Data Protection Authority (aepd) on 2024-02-06.

Rank · Sector
#13
of 167 in Transportation and Energy
Rank · Spain
#9
of 1,075
Rank · All fines
#73
of 3,050

Case details

Authority
Spanish Data Protection Authority (aepd)
Date
2024-02-06
Controller / Processor
ENERGYA VM GESTIÓN DE ENERGÍA, S.L.
Sector
Transportation and Energy
Quoted Articles
Art. 5 (1) a) GDPR, Art. 5 (2) GDPR
Type of violation
Non-compliance with general data processing principles

Summary

The Spanish DPA (AEPD) has fined ENERGYA VM GESTIÓN DE ENERGÍA, S.L. EUR 5 million following an investigation into unlawful personal data processing by Nivalco, a company contracted by Energya VM to make sales calls to customers. During these calls, customers were misled into providing additional personal data to conclude a new energy supply contract. The AEPD determined that Energya VM acted as the 'data controller' for the processing of this personal data, as it provided Nivalco with a sales script, thereby influencing the data processing. However, Energya VM failed to comply with GDPR requirements, particularly by not conducting a risk assessment for Nivalco's data processing activities

Open original source Links to the regulator's original publication or another source.

Related fines

Spain
Spain
2025-04-07
14,400,000 €
ETid-3192
AMADEUS IT GROUP, S.A.
Transportation and Energy
Spain
Spain
2025-11-06
10,043,002 €
ETid-2962
Aena, S.M.E., S.A.
Transportation and Energy
Spain
Spain
2022-05-18
10,000,000 €
ETid-1176
Google LLC
Media, Telecoms and Broadcasting
Spain
Spain
2021-03-11
8,150,000 €
ETid-594
Vodafone España, S.A.U.
Media, Telecoms and Broadcasting
Spain
Spain
2023-12-27
6,500,000 €
ETid-2532
THE PHONE HOUSE SPAIN, S.L.
Media, Telecoms and Broadcasting
Spain
Spain
2023-10-25
6,100,000 €
ETid-2220
ENDESA ENERGÍA, S.A.U.
Transportation and Energy
Back to all fines