On 19 January 2022, the Italian Data Protection Authority (the Garante) published its decision to impose a €26.5 million fine on Enel Energia for violations of the General Data Protection Regulation (GDPR), including the unlawful processing of personal data for telemarketing purposes and a violation of the accountability principle.
Note: The fine was overturned in February 2023.
Complaints and investigation
The Garante carried out an investigation following numerous complaints and reports regarding:
- Unsolicited marketing and promotional calls,
- Late or non-response to requests for the exercise of the right of access to personal data or opposition to processing for marketing purposes,
- And various problems deriving from personal data management in the context of energy supply services, including the activities carried out through the company website and related app.
Additionally, the Garante addressed the increasing and concerning number of unwanted telemarketing calls made without proper consent in the energy sector, coinciding with the transition from the protected electricity and gas market to the free market, including calls to users registered in the public opposition register.
Garante’s findings
Based on its investigation, the Garante found multiple violations of the Regulation:
1. Lack of cooperation with the supervisory authority
The Garante noted that Enel Energia demonstrated a lack of cooperation with the supervisory authority during the investigation: it either did not respond to the Garante’s repeated requests for additional information and clarifications or responded with a series of standardized answers, thus violating Article 31 of the GDPR.
2. Accountability principle & Privacy by design
The Garante also found a violation of the principles of accountability and privacy by design, Article 5(2) and Article 25(1), for the lack of counteraction related to promotional contracts carried out in Enel Energia’s name.
The principle of accountability was violated by Enel Energia’s inability to prove compliance with data protection laws in relation to unwanted promotional calls carried out by its business partner and for its failure to bind its partners to adopt specific technical and organizational measures, which also resulted in a breach of its responsibilities as the data controller.
3. Principle of accuracy
The company also violated the principle of accuracy by automatically associating unverified and incorrect personal data with different users, which led to the communication of personal data (name, surname, and tax code) without any legitimate basis, violating the lawfulness of processing under Article 6.
4. Transparency principle
The Garante found that Enel Energia also failed to meet the requirements for transparency by not providing timely and necessary feedback on users’ requests to exercise their right of access and right to object.
Additionally, the Garante found violations of the principle of fairness for having provided contradictory feedback regarding a further request to exercise the rights (Article 5(1) and Article 12(2)).
The Garante found a breach of the principles of transparency and disclosure obligations concerning processing activities on Enel Energia’s website and app.
The company presented users with two conflicting statements as to the identity of the data controller and failed to provide data subjects with the information necessary to identify the recipients of their personal data.
5. Violation of the right to object
Violation of the right to object, Article 21 of the Regulation and Articles 130(1)(2) of the Code (Unwanted communications and right of opposition), for sending promotional communications by email, despite the opposition of the user and lack of consent for the communication of marketing and promotional messages.
6. Soft spam
Violation of the Code for sending communication concerning registration to the EE loyalty program, which was considered soft spam.
7. Data minimization principle
Violation of the data minimization principle for using a procedure that allowed the passage of irrelevant data between the companies of the Group.
Decision
Based on its findings, the Garante issued a fine in the total sum of €26,513,977. The Garante justified its decision by the number of violations, their seriousness, the number of individuals involved, the repeating pattern of violations, lack of cooperation with the DPA, and the negligence of Enel Energia, among other factors.
In addition to the fine, the Garante also issued a warning regarding promotional campaigns, which in the future will have to comply with the requirements for the principles of accountability, privacy by design, and other provisions of the Regulation.
The Garante also ordered implementation of technical and organizational measures for managing data subject requests.
Read the Garante’s entire decision:
Order injunction against Enel Energia Spa – December 16, 2021