Publication 13 May 2025 · Norway

GDPR Enforcement in Transportation & Energy

Deep dive into relevant data protection enforcement cases and insights for transportation & energy

In the Transportation and Energy sector, DPAs from 20 different countries have so far imposed 136 fines (+27 compared to the 2024 ETR) totalling approximately EUR 195 million (+EUR 110 million compared to the 2024 ETR). While the increase in the number of fines remained relatively consistent with previous years, the total amount was heavily impacted by the EUR 79 million fine imposed on Enel Energia S.p.A. by the Italian DPA (Garante), the highest fine ever imposed by the Italian DPA.

Excluding the record fine imposed by the Italian DPA (Garante) in order to obtain undistorted and comparable statistics, the average fine in the sector increased to ~EUR 1.2 million (compared to an average of EUR 796,000 last year), while the number of fines decreased slightly.

The most common reasons for fines in the transport and energy sector were again inadequate technical and organisational measures (8 cases) and failure to comply with general data processing principles (8 cases).

Let's take a closer look

  • Although the first fine imposed on Enel Energia S.p.A by the Italian DPA (Garante) in 2021 (ETid-1005) has been overturned by the Court of Rome, Enel Energia S.p.A has been fined again for EUR 79 million (ETid-2306) on different grounds. According to the DPA, Enel Energia S.p.A acquired as many as 978 contracts from four different previously sanctioned companies, even though they did not belong to the energy company's sales network. The DPA also found that the company's information systems used for customer management and service activation showed serious security shortcomings and that Enel Energia S.p.A failed to prevent unlawful activities of unauthorised agents that fuelled illicit business for years through nuisance calls, service promotions and the signing of contracts with no real economic value for customers.
     
  • After fining Italian electricity and gas supplier Axpo Italia S.p.A for activating electricity and gas contracts without the customers' knowledge in 2023 (ETid-2077), the Italian DPA (Garante) fined electricity and gas supplier Hera Comm S.p.A for the same reasons in 2024 (ETid-2535). Hera Comm S.p.A failed to implement adequate technical and organisational measures to prevent the unlawful use of customer data by door-to-door agents and did not respond to data subject rights requests in a timely manner. For this breach of the general data processing principles, Hera Comm S.p.A. was fined EUR 5 million by the DPA.
     
  • The Spanish DPA (aepd) fined I-DE REDES ELÉCTRICAS INTELIGENTES, S.A.U. EUR 3.5 million for a cyber-attack that compromised the personal data of millions of customers (ETid-2558). IBERDROLA S.A. was also fined EUR 3 million for the same cyber-attack (ETid-2557), as the DPA found that Iberdrola, which was responsible for managing the group's IT systems and security infrastructure, did not take sufficient security measures to prevent the attack.
     
  • The Spanish DPA (aepd) has fined WATIUM S.L. for failing to provide information requested by the DPA (ETid-2339). The original fine of EUR 160,000 was reduced to EUR 96,000 due to voluntary payment and acknowledgement of responsibility. This is the second highest fine for insufficient cooperation with a supervisory authority in 2024 and the highest fine in the transportation and energy sector for this type of non-compliance since the introduction of the GDPR.

Main takeaways

  • While the number of fines in the transportation and energy sector has slightly decreased this year, the amount of fines imposed by Data Protection Authorities has increased.

  • The fines imposed by the Italian and Spanish DPAs demonstrate a focus by these DPAs on abusive marketing practices and a failure to take the necessary steps to stop unlawful activities on behalf of the company. Consumer complaints to the DPAs partially initiated and impacted these investigations.

  • Where a larger number of consumers have been affected, the Spanish and Italian DPAs continue to impose hefty fines in the millions, while other countries' DPAs, with the exception of Finland and Greece, have not (at least publicly) imposed such fines for the transportation and energy sector in 2024.