In the transportation and energy sector, six DPAs have so far imposed 17 fines totalling more than EUR 12 million. Disregarding two fines in the millions by the Italian authorities, the fines are relatively moderate, ranging from low four-figure to low six-figure fines, with an average of around EUR 43,000.
Two-thirds of the fines in the transportation and energy sector were based on either insufficient legal bases (8 cases) or insufficient data security measures (3 cases), which is in line with the overall statistics for all sectors.
Let's take a closer look:
- The two fines in the million-euro range imposed by the Italian supervisory authority on the same controller relate, inter alia, to unlawful promotional phone calls made without the data subjects' consent, despite the data subjects' objection to receiving promotional calls, or without triggering the special procedure for checking the public opt-out register (EUR 8.5 million), and to infringements resulting from the conclusion of unsolicited contracts for the supply of electricity and gas (EUR 3 million). One reason for the size of the fines is that the authority found a certain degree of intent in the controller's conduct.
- In contrast to these isolated but rather high fines, it seems that the Spanish supervisory authority imposes more fines, but relatively moderate ones. However, it should be noted that the data protection violations in cases dealt with by the Spanish authority were less serious in terms of the number of persons concerned and the severity of the violations.
- In the three known cases of non-compliance with general data processing principles in the transportation and energy sector, the two fines issued by the Romanian supervisory authority for excessive processing of employees' personal data captured by security cameras were very moderate. In the third case, in which a taxi company neither anonymised nor deleted its passengers' data, the fine imposed by the Danish supervisory authority was considerably higher.
The fines imposed in the transportation and energy sector illustrate, as in other sectors, that companies have to ensure sufficient technical and organisational measures (TOMs) and thus data security, especially when processing high volumes of customer and/or sensitive information. Likewise, an appropriate legal basis must exist for every processing operation; where that basis is consent, the requirements for valid consent under the GDPR and national data protection law must be observed. Otherwise there is a risk of heavy fines, particularly in the UK and Spain, but also in other countries. The severe impact that the COVID-19 crisis has had on the transportation and energy sector, in which some companies came to a complete standstill, will most likely also have a strong impact on future DPA fines in this sector. This is not only due to possible leniency on the part of the DPAs in the context of the COVID-19 crisis (perhaps even driven by national economic interests), but mostly due to the fact that the maximum fine is capped at a percentage of total worldwide annual turnover for the preceding financial year (Art. 83 GDPR), which will probably be drastically lower for many companies in this sector.