O 17 January 2020, the Italian Data Protection Authority (Garante per la protezione dei dati personali or Garante) issued two fines in the total amount of €11.5 million.
The two fines were issued the same day to the same entity, Eni Gas e Luce for the insufficient legal basis for data processing.
As they state on their website page “Eni gas e luce is a new company, established on 1 July 2017 and 100% controlled by Eni SpA, created to develop the sale of gas, electricity and energy solutions.” The company operates in 4 countries in Europe, with 1,600 employees and 8 million customers in Italy.
Why were the GDPR fines issued?
The first fine for the amount of EUR 8,5 million for unlawful processing in connection with telemarketing and teleselling activities, the second GDPR fine in the amount of EUR 3 million for unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions.
€8,5 million GDPR fine for unsolicited marketing activities
The Garante received numerous complaints related to the marketing activities conducted by the Eni Gas e Luce, to be more precise telemarketing and teleselling activities.
Italian Authority performed the inspection and revealed a few dozen cases that pointed to systematic non-compliant conduct by the Eni Gas e Luce. The Garante also criticized the overall general processing of data in the company.
The Eni Gas e Luce conducted advertising calls without proper consent or regardless of customers’ previous refusal to receive advertising calls.
The company did not implement appropriate technical and organizational measures for consent management or any other appropriate solution for recording data subjects’ communication preferences and without verifying the public opt-out register. Under the violations that were discovered during the investigation was also the excessive data retention period.
Adding to the really serious list of violations is purchasing the data of potential customers from the list providers without any consent for the disclosure of those data sets.
€3 million GDPR fine for unsolicited contracts
The “smaller” GDPR fine in the amount of 3 million EUR was issued for unsolicited contracts in the free market for the supply of energy and gas, with 7200 affected individuals.
The investigation was prompted by the complaints of the Eni Gas e Luce customers who stated they learned of the stipulation of a new contract only after receiving the old supplier’s letter of cancellation or from the first invoices issued by the Eni Gas e Luce.
As the Garante stated: The […] investigations revealed that the conduct adopted by Egl in the acquisition of new customers through some external agencies operating on its behalf, due to organizational and management methods, resulted in treatments not compliant with the EU Regulation, as they are contrary to the principles of correctness, accuracy and updating of data.
Aftermath
The Italian Authority ordered Eni Gas e Luce to put in place procedures and systems to verify the consents of the individuals included in the contact lists prior to the start of promotional campaigns.
Eni Gas e Luce will also have to ensure full automation of data flows from its database to the company’s list of those who do not wish to receive marketing communication.
The Garante further prohibited using the data made available by the list providers without specific consent for the communication of such data.
The sanctions were determined taking into account the number of individuals affected, the time period in which the violations occurred, the financial status of EGL…
The Authority also set the time limit in which the appropriate measures need to be taken while the payment must be made within 30 days.
Read the official statement of the Italian Data Protection Authority!