GDPR Enforcement Tracker Report

Transportation & Energy

In the transportation and energy sector, DPAs from 17 different countries (+3 compared to the 2022 ETR) have so far imposed 77 fines (+30 compared to the 2022 ETR) totalling roughly EUR 91 million (+10 million compared to the 2022 ETR; note, however, that a 2021 fine of EUR 26.5 million was later overturned in court, see below). There have been significantly more fines since last year, but the individual fines have stopped rising noticeably, so that the average fine in this sector now stands at around EUR 864,000.

As in the 2022 ETR, an insufficient legal basis for processing was again one of the most common reasons for fines in the transportation and energy sector (8 cases).

Let's take a closer look


  • The Italian DPA (Garante) fined a gas and electricity supplier EUR 4.9 million in 2022 for several violations, in particular insufficient (or non-existent) consent (ETid-1671). Many individuals had complained to the DPA about the company's unlawful marketing activities. During its investigation, the DPA found that the company contacted data subjects by telephone for marketing purposes without their explicit prior consent. The company apparently used contact lists bought from third parties which, in many cases, did not document valid consent from the data subjects. The DPA also found that the company did not give these data subjects a direct and easy way to exercise their right to object, and that in several cases it failed to respond to data subject requests within the statutory time limit. In the app and on the website, the company obtained a single combined consent for both marketing and profiling purposes instead of separate consents for each. Finally, the DPA found that the company failed to inform data subjects transparently about the processing of their personal data.
  • The Italian DPA also fined another electricity supplier EUR 1 million in 2022 (ETid-1541). A customer had complained to the DPA because the company had classified him as a defaulting customer, which prevented him from switching to another electricity supplier. The misclassification was apparently caused by an internal incident: a mismatch between the company's internal systems meant that outdated data had not been updated. The incident affected around 47,000 customers. The DPA's investigation also found that the company had retained the data for longer than necessary and had failed to respond properly to customers' requests to exercise their data subject rights.
  • The Spanish DPA (AEPD) fined a Spanish logistics company EUR 2,000,000 in 2022 for processing data without a sufficient legal basis (ETid-1073). The DPA had received a complaint from a trade union stating that the company required certificates confirming the absence of a criminal record when hiring drivers. The company took the view that these certificates were not subject to Art. 10 GDPR, which governs the processing of personal data relating to criminal convictions and offences, because the certificates merely stated that no criminal conviction existed. The DPA reached the opposite conclusion: such data do fall under Art. 10 GDPR, and the company consequently failed to meet the requirements of Art. 10 GDPR.
  • In 2021 the Italian DPA fined an electricity supplier EUR 26.5 million for numerous breaches of the GDPR (ETid-1005). Following a complex preliminary investigation launched after hundreds of reports and complaints from users, the DPA found that the controller had unlawfully processed the personal data of millions of users for telemarketing purposes. However, the Court of Rome overturned the fine in early 2023. Further information on the court's decision is so far unavailable.
  • Still noteworthy is the heaviest fine of 2020 (already announced in 2019): the British DPA (ICO) imposed a fine of EUR 22 million on the airline British Airways (ETid-58) for insufficient technical and organisational security measures. In 2018, British Airways had been the target of a major cyberattack affecting the personal data of around 500,000 customers, including login credentials, payment card and travel booking details, as well as names and addresses. The DPA's investigation concluded that poor security measures were at least one reason why the attack succeeded and why it went undetected for two months. Originally, in 2019, the DPA had planned to impose a fine of EUR 214 million. In 2020, the authority explicitly stated that one reason for reducing the fine was the economic impact of the Covid-19 crisis on the airline industry.

Main takeaways

In the transportation and energy sector, the number of fines has increased greatly compared to previous years, while the average amount of the individual fines has decreased.

When DPAs assess individual fines, the number of data subjects affected, the severity of the individual violations and the controller's willingness to cooperate with the DPA are important factors.

An insufficient legal basis for data processing and non-compliance with the general data processing principles resulted in severe fines for companies in the transportation and energy sector. By contrast, the number of fines for data security breaches was substantially lower in this sector. This may be because the sector responded well to the strict monitoring of this issue by DPAs in previous years.