
In the Transportation and Energy sector, DPAs from 20 different countries have so far imposed 136 fines (+27 compared to the 2024 ETR) totalling approximately EUR 195 million (+EUR 110 million compared to the 2024 ETR). While the increase in the number of fines remained relatively consistent with previous years, the total amount was heavily impacted by the EUR 79 million fine imposed on Enel Energia S.p.A. by the Italian DPA (Garante), the highest fine ever imposed by the Italian DPA.
Excluding the record fine imposed by the Italian DPA (Garante) in order to obtain undistorted and comparable statistics, the average fine in the sector increased to ~EUR 1.2 million (compared to an average of EUR 796,000 last year), while the number of fines decreased slightly.
The most common reasons for fines in the transport and energy sector were again inadequate technical and organisational measures (8 cases) and failure to comply with general data processing principles (8 cases).
Let's take a closer look
- Although the first fine imposed on Enel Energia S.p.A. by the Italian DPA (Garante) in 2021 (ETid-1005) has been overturned by the Court of Rome, Enel Energia S.p.A. has been fined again, this time EUR 79 million (ETid-2306), on different grounds. According to the DPA, Enel Energia S.p.A. acquired as many as 978 contracts from four different previously sanctioned companies, even though they did not belong to the energy company's sales network. The DPA also found that the company's information systems used for customer management and service activation showed serious security shortcomings and that Enel Energia S.p.A. failed to prevent unlawful activities of unauthorised agents that fuelled illicit business for years through nuisance calls, service promotions and the signing of contracts with no real economic value for customers.
- After fining Italian electricity and gas supplier Axpo Italia S.p.A. for activating electricity and gas contracts without the customers' knowledge in 2023 (ETid-2077), the Italian DPA (Garante) fined electricity and gas supplier Hera Comm S.p.A. for the same reasons in 2024 (ETid-2535). Hera Comm S.p.A. failed to implement adequate technical and organisational measures to prevent the unlawful use of customer data by door-to-door agents and did not respond to data subject rights requests in a timely manner. For this breach of the general data processing principles, Hera Comm S.p.A. was fined EUR 5 million by the DPA.
- The Spanish DPA (aepd) fined I-DE REDES ELÉCTRICAS INTELIGENTES, S.A.U. EUR 3.5 million for a cyber-attack that compromised the personal data of millions of customers (ETid-2558). IBERDROLA S.A. was also fined EUR 3 million for the same cyber-attack (ETid-2557), as the DPA found that Iberdrola, which was responsible for managing the group's IT systems and security infrastructure, did not take sufficient security measures to prevent the attack.
- The Spanish DPA (aepd) has fined WATIUM S.L. for failing to provide information requested by the DPA (ETid-2339). The original fine of EUR 160,000 was reduced to EUR 96,000 due to voluntary payment and acknowledgement of responsibility. This is the second-highest fine for insufficient cooperation with a supervisory authority in 2024 and the highest fine in the transportation and energy sector for this type of non-compliance since the introduction of the GDPR.