GDPR Enforcement in Transportation & Energy

Deep dive into relevant data protection enforcement cases and insights for transportation & energy

21 May 2026 North Macedonia 6 min read

In the transportation and energy sector, data protection authorities (DPAs) from 20 different countries have so far imposed 161 fines (+28 compared to the 2025 ETR and +55 compared to the 2024 ETR), with a total fine volume of approximately EUR 217 million. The increase in the overall fine volume was mainly driven by several high-value fines issued by the supervisory authorities of Spain, Italy and Poland.

The average fine issued by national data protection authorities (DPAs) for infringements of GDPR regulations in the transport and energy sectors is over EUR 1.35 million (this figure is based on fines for which information on the amount and date of the fine is available). As mentioned above, this level is only reached by a few particularly high fines in special cases. Excluding the four largest fines exceeding EUR 10 million, the average fine decreases to approximately EUR 600,000. In 2025 alone, the average fine amounted to EUR 790,000; excluding the EUR 10 million fine against Aena, S.M.E., S.A., the average drops to approximately EUR 431,000.

The most common reasons for fines in the transport and energy sector were failure to comply with general data processing principles (7 cases) and processing of personal data without a sufficient legal basis (7 cases).

Key numbers

  • 161 – Total number of fines
  • EUR 217,000,000 – Total amount
  • EUR 10,000,000 – Biggest fine

Let's take a closer look

  • Following an investigation lasting more than two years, on 6 November 2025 the Spanish Data Protection Authority (Agencia Española de Protección de Datos – AEPD) fined Aena, S.M.E., S.A., a majority state-owned company responsible for the management and operation of Spain’s airport network, EUR 10 million (ETid-2962). The investigation concerned the use of a biometric facial recognition system for identification purposes. Among the AEPD’s conclusions was that the processing involved biometric data used for unique identification, which constitutes high-risk processing involving sensitive personal data, and that Aena failed to carry out a complete and sufficient data protection impact assessment. The AEPD also ordered the temporary suspension of the biometric identification systems until the processing complies with GDPR requirements.
     
  • The Polish National Personal Data Protection Office (UODO) imposed a fine of EUR 6.3 million on 17 March 2025 against Poczta Polska SA (ETid-2563). During the COVID-19 pandemic, the Polish government attempted to organise a presidential election as an all-postal vote. The prime minister instructed Poczta Polska by administrative decision to prepare for the election process. Although the legislation enabling postal voting had not yet entered into force, Poczta Polska requested access to the national voter register and the Ministry of Digital Affairs granted access. The UODO found that the prime minister’s decision could not constitute a legal basis and therefore, the processing of voter data occurred before a legal framework authorising postal voting had entered into force. In determining the level of the fine, the UODO took the high number of affected people (approximately 80% of the Polish population) and the sensitivity of the information into account.
     
  • On 10 April 2025, the Italian Data Protection Authority (Garante per la protezione dei dati personali) imposed sanctions in a large enforcement case involving multiple companies operating in an energy marketing network. Acea Energia S.p.A. was fined EUR 3 million (ETid-2660), while several associated companies and intermediaries (Ms Stefanelli Federica EUR 45,000; M.G. Company s.r.l. EUR 200,000; Fer-Energy s.r.l. EUR 500,000; Fer-Energy Call s.r.l. EUR 75,000; Diemme Group di Di Vico Luigi EUR 30,000) received additional fines totalling EUR 850,000 (ETid-2661). The DPA found that the energy provider Acea Energia S.p.A. built a marketing network engaging in aggressive customer recovery and marketing calls, using personal data from unauthorised databases. By using the data for marketing, Acea and its partners processed personal data without the consent of, or without first informing, the data subjects.
     
  • On 26 May 2025, the Spanish DPA (Agencia Española de Protección de Datos – AEPD) imposed a fine of over EUR 1.8 million on Repsol Comercializadora de Electricidad y Gas, S.L., a subsidiary of the Spanish energy group Repsol (ETid-2738). The case arose after electricity and gas supply contracts were registered in the name of an individual who had not requested the contract. After a complaint, the AEPD investigated and found that the error occurred because the company matched the request to an existing customer record with a nearly identical name, leading to the processing of the complainant’s personal data and the issuance of invoices belonging to another customer. The AEPD found that Repsol Comercializadora de Electricidad y Gas, S.L. had processed the complainant’s personal data without a legal basis and had breached the principles of accurate and confidential handling of personal data. The amount of the fine was influenced by the economic capacity and the market position of Repsol.

Main takeaways

The number of fines imposed by supervisory authorities in the transportation and energy sector has increased moderately in recent years. The overall fine volume is largely shaped by a small number of high-value sanctions imposed in individual cases.

The fine against Poczta Polska is an exceptional case. The handling of voter data in state affairs and the situation surrounding the COVID-19 pandemic are not typical problems for companies in the energy and transport sectors. However, the links between state-issued data processing cases and companies in the energy and transport sectors are an interesting topic to bear in mind.

Several enforcement actions in this sector demonstrate the strong focus of supervisory authorities on unlawful marketing practices and insufficient oversight of external service providers or sales intermediaries. The Acea Energia case illustrates how companies may become responsible for unlawful processing carried out by marketing partners when adequate supervision is lacking.

Where large numbers of individuals are affected, supervisory authorities such as the Spanish AEPD and the Italian Garante continue to impose fines in the multi-million-euro range. In comparison, other authorities appear to impose high sanctions less frequently within this sector.

Compliance hotspots

  • Biometric identification technologies represent a particularly sensitive compliance area for companies in the transportation sector. Systems using facial recognition or similar biometric verification methods involve special categories of personal data. Compliance with the GDPR is therefore particularly important; in commercial contexts, obtaining explicit consent is often considered the most appropriate legal basis.
  • Marketing and customer acquisition practices also present significant risks, particularly in the energy sector where telemarketing networks, sales intermediaries and lead-generation providers are frequently used. The Acea Energia case demonstrates the importance of ensuring that customer data used in marketing campaigns originates from lawful sources and that valid consent has been obtained.
  • Another recurring risk factor is the large-scale processing of customer data. Transportation operators and energy providers often process personal data from large numbers of individuals, which significantly increases the regulatory impact when GDPR infringements occur.

Outlook

Transportation and energy companies operate critical infrastructure such as airport systems, railway networks and electricity grids. Supervisory authorities may therefore focus particularly on whether appropriate technical and organisational measures are implemented to protect personal data processed within these infrastructures. Other cases from different sectors (ETid-2898; 2899) show that supervisory authorities increasingly examine whether organisations adequately protect large datasets containing personal customer information.

Complex data ecosystems are common in both sectors. Cooperation between grid operators, suppliers, distributors and service providers raises questions about joint controllership, responsibility allocation and lawful data-sharing arrangements.

Finally, the increasing use of artificial intelligence systems in areas such as customer communication, predictive maintenance and security monitoring may give rise to new GDPR compliance challenges for companies operating in these sectors.
