Home / Publications / GDPR Enforcement Tracker Report / Transportation and Energy

Transportation & Energy

In the transportation and energy sector 14 DPAs (+7 in comparison to the 2021 ETR) have thus far imposed 47 fines (+17 in comparison to the 2021 ETR) totalling more than EUR 81 million (+47 million in comparison to the 2021 ETR). Even disregarding the 5 highest fines all above EUR 3 million (3 of which were imposed by the Italian DPA), fines have risen noticeably, and now range from low 4-figure to low 7-figure fines. The new average of fines in this sector (including all fines) is around EUR 1.82 million as of this year.

Again, as in 2020, insufficient legal basis was one of the most common reason for fines in the transportation and energy sector (7 cases).

But let's take a closer look


  • The Italian DPA (Garante) imposed a EUR 26.5 million fine on a gas and electricity supplier for various breaches (ETid-1005). The DPA found that the controller illegally processed the personal data of millions of users for telemarketing purposes. The users received unsolicited promotional calls even though no consent was given, or the users had already requested the controller to delete their personal data or had objected to their processing for advertising purposes. Furthermore, the controller failed to sufficiently provide data subjects with the required and timely feedback on their requests to exercise their rights of access and objection. Finally, from the DPA’s perspective the controller did not cooperate sufficiently with the DPA during the extensive investigation. Against this background, the following factors were the most aggravating for the fine: The severity, the duration and repetition of the violations, the large number of data subjects affected and the lack of cooperation with the DPA.
  • This shows that the willingness to cooperate with DPAs is important, although this does not mean that all decisions must be accepted. This was also noted by a Spanish controller, who received a moderate 4-digit fine from the Spanish DPA just for lack of cooperation (ETid-291).
  • The Italian DPA (Garante) fined another supplier of electricity and gas around EUR 2.9 million for similar reasons (ETid-737). In this case the fined controller had obtained various lists of data subjects from a company, that had obtained the lists from other companies, and used these lists for own telemarketing activities without the data subject’s explicit consent. The Italian DPA emphasized in this context that consent given by a customer to a certain company for third-party promotional activities cannot extend its effectiveness to subsequent transfers to other companies.
  • In contrast to the last years, in 2021 the Spanish DPA has begun to impose higher fines as well. E.g., the Spanish authority fined an electricity provider and distributor for a total of EUR 3 million in two cases (ETid-670 & ETid-671) and an international transportation company for EUR 2 million in one case (ETid-1073). Also, the Spanish authority has continued to impose multiple fines against the same controller (20 fines imposed on 13 companies). This highlights the risk that further data protection breaches will be discovered in the course of the investigations and that companies will remain on the radar of the authorities.
  • Austria’s DPA (dsb) issued a EUR 9.5 million fine to Austrian Post for not giving their customers the possibility to send their data protection related inquiries via e-mail instead of standardised forms, via phone or mail (ETid-871).  Austrian Post has declared its intention to take action against this decision.
  • Most noteworthy is the heaviest fine of 2020 (that had already been announced in 2019): The British ICO imposed a fine of EUR 22 million on the British Airways airline (ETid-58) based on insufficient technical and organisational security measures. In 2018, British Airways had been the target of a major cyberattack (personal data of around 500,000 customers including login, payment card and travel booking details, as well as name and address information). The ICO's investigation concluded that poor security measures were at least one reason why the attack was successful and why it had remained undetected for two months. Originally, in 2019, the ICO had planned to impose a fine of EUR 214 million. In 2020, the authority explicitly announced that one of the reasons for reducing the fine was the economic impact of the Covid-19 crisis on the airline industry.

Main takeaway

On the one hand, the number of fines in the transportation and energy sector has decreased compared to recent years. On the other hand, on average, the amount of single fines has increased. The increase could also be due to a less cautious attitude of the DPA’s, especially in member states where the economic impact of the COVID-19 crisis has turned out to be less severe than initially expected.

Despite fines in the transportation and energy sector being the highest across all sectors by far, they are still comprised of the same criteria: In particular, the amount of data subjects involved and the severity of the single violations, but also the willingness to cooperate with the respective DPA have represented important factors in determining the amount of the fines.

Several DPAs have imposed fines in the transportation and energy sector for the first time since the GDPR came into effect. Some DPAs, in particular the Italian DPA (Garante) and the Spanish DPA significantly increased their fines. The majority of DPA’s focused specifically on the legal basis and the purposes of the data processing. However, the number of fines for data security breaches was substantially lower in this sector. It could be that the sector has responded well to the close monitoring of this issue by DPA’s in recent years.