
Transportation & Energy

In the transportation and energy sector, DPAs from 20 different countries (+3 in comparison to the 2023 ETR) have so far imposed 109 fines (+32 in comparison to the 2023 ETR) totalling roughly EUR 105 million (+20 million in comparison to the 2023 ETR). However, some of these fines have subsequently been overturned by courts (e.g., on 16 February 2023, the Court of Rome overturned the fine in the amount of EUR 26.5 against Enel Energie S.p.A (ETid-1005)). Compared to last year, the number of fines increased. However, the average amount of a single fine slightly decreased, resulting in a new average fine in this sector of around EUR 796,000 as of this year (compared to an average of EUR 864,000 last year).

Again, as in the 2023 ETR, insufficient legal basis (7 cases) as well as insufficient technical and organisational measures (6 cases) were among the most common reasons for the fines in the transportation and energy sector.

Let's take a closer look

  • The Italian DPA (Garante) further fined Autostrade per l'Italia spa ("ASPI") EUR 1 million in 2023 after a consumer organization reported problems in connection with the toll reimbursement app "Free to X" (ETid-2023). The DPA found that ASPI unlawfully processed the data of approx. 100,000 registered users and held the position of the data controller, instead of a processor, as stated in the documents governing the relationship between "ASPI" and "Free to X".
  • In 2023 the Italian DPA (Garante) also imposed a EUR 10 million fine on the electricity and gas supplier Axpo Italia S.p.A after having received numerous complaints from data subjects (ETid-2077). The complainants stated that, without their knowledge, electricity and gas contracts had been activated in their names, which they only learned about after receiving termination letters from their previous supplier or reminders to pay outstanding bills. They also discovered that the personal data provided in the contract (e.g., email address or phone number) was incorrect or outdated. During its investigation, the DPA found that the controller had been acquiring new electricity and gas supply contracts through a network of approximately 280 vendors without ensuring that the data entered into the database by the vendors actually corresponded to the correct customers. This resulted in unsolicited contracts that often contained inaccurate and outdated personal data.
  • The Spanish DPA (AEPD) fined ENDESA ENERGÍA, S.A.U. EUR 6.1 million due to a security breach resulting in unauthorized access to its systems (ETid-2220). The controller had informed the DPA that certain Facebook ads had been placed offering the sale of login credentials for the ENDESA platform, resulting in the compromise of data of millions of individuals such as (first) names, ID numbers, telephone numbers, email addresses, postal addresses, bank account numbers. The DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such incidents. In addition, the controller failed to inform the DPA and the data subjects of the security incident in a timely manner. Finally, the DPA found that the controller did not implement adequate safeguards for the transfer of personal data to countries not covered by an adequacy decision of the EU Commission.

Main takeaways

The trend of recent years continues: the number of fines in the transportation and energy sector increases each year.