Who: The Italian Data Protection Authority (Garante per la protezione dei dati personali or Garante) and Eni Gas e Luce (EGL), a leading company in the Italian gas, electricity and energy solutions retail and business market
Where: Italy
When: The decisions no. 231 and 232 of the Garante were issued on 11 December 2019 and published on 17 January 2020
Law stated as at: 4 February 2020
What happened:
In decision no. 232, the Garante imposed on EGL a fine of €8.5 million on the basis of the alleged unlawfulness of data processing carried out in connection with telemarketing and teleselling activities. The inspections and inquiries carried out by the Garante identified a limited number of cases, which were deemed to reveal “systematic” critical issues with regard to the general processing of personal data by EGL.
In particular, the Garante challenged the telemarketing and teleselling activities carried out by EGL on the following grounds: (i) calls made without the consent of the contacted person, in spite of that person’s specific refusal to receive promotional calls from EGL, or without triggering the specific procedures for verifying the public opt-out register; (ii) a lack of technical and organisational measures to ensure that the withdrawal of consent and the amendment of users’ choices were properly registered in the EGL systems; (iii) a retention period for personal data longer than permitted under applicable laws; and (iv) the lack of a lawful basis to process personal data of prospective customers provided by third-party list providers that had not obtained any consent for the disclosure of such data to EGL.
Following the above, the Garante ordered EGL to adopt procedures and systems suitable to verify the consent of the persons included in the contact lists acquired from third-party list providers (also by examining a large sample of customers) prior to the start of each promotional campaign. Additionally, the Garante ordered EGL to implement measures to ensure full automation of data flows from its database to the company’s own black list, which includes people who are no longer to be contacted for marketing purposes.
With its decision no. 231, the Garante imposed on EGL a fine of €3 million on the basis of the alleged breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas with EGL under free market conditions. The investigations of the Garante were carried out following many complaints received from individuals who had become aware of the conclusion of a contract only on receiving the first EGL bills or the letter of termination of the contract with the previous supplier. The Garante ascertained that about 7200 consumers were affected by serious irregularities, and several contracts also reported incorrect data and forged signatures.
The Garante concluded that the conduct of EGL in acquiring new customers through certain third-party agencies operating on its behalf led to processing activities in breach of the General Data Protection Regulation (GDPR), due to third-party violations of the principles of fair processing concerning accurate and up-to-date data.
In light of the above, the Garante ordered EGL to take several corrective measures and to introduce specific alert systems and other procedures in order to detect and stop various procedural anomalies.
Why this matters:
This is the first significant application by the Garante of the sanctioning powers provided under the GDPR. The decision provides guidance in order to concretely implement the accountability principle of the GDPR in the framework of telemarketing and activation of unsolicited contracts. Furthermore, activities which might also be sanctioned as unfair commercial practices have been sanctioned for the related breaches of data protection laws.