On January 19, 2022, the Italian Data Protection Authority, Garante per la protezione dei dati personali, announced a €26.5 million fine against an Italian multinational electricity and gas company for unlawfully processing the personal data of thousands of users.
The Garante’s order, issued on December 16, 2021, resulted from an industry-wide investigation of the energy sector, which focused on the company after hundreds of complaints were received from consumers who claimed that the company had mismanaged their personal data, and that they had received unsolicited telemarketing calls — some pre-recorded — made on behalf of the company.
After an investigation that included four requests for information issued between December 2018 and July 2020, the Garante concluded that the company had violated several provisions of the General Data Protection Regulation (Regulation (EU) 2016/679, incorporated in the Italian Codice in materia di protezione dei dati personali via legislative decree n.196 of 30 June 2003, as amended by legislative decree 101 of 10 August 2018). The Garante found that the company had breached the accountability provisions, as it had not investigated or addressed consumers’ claims regarding the aggressive telemarketing calls, and had not demonstrated to the Garante that its practices were in compliance with the GDPR in terms of supervision and due diligence regarding commercial partners.
Specifically, the Garante found that the company had violated Article 21 of the GDPR, as embodied in sections 130(1) and 130(2) of the Codice, by sending or allowing telemarketing communications without the recipients’ consent; where consent was solicited, it was taken illegally to cover multiple purposes, in violation of Article 6 of the GDPR. The Garante found that the company also had violated the principle of transparency by misleading users of the company’s website, and had not satisfied its obligation to disclose accurate information to consumers, as embodied in Articles 5 and 12 of the GDPR. Moreover, the company should have investigated the consumers’ claims and done more to counteract the telemarketing calls made in its name. Finally, the company was found to be in violation of Articles 30 and 31 of the GDPR for failing to cooperate with the Garante during the course of the investigation because of allegedly tardy and inadequate responses.
As a result of these findings, and in consideration of the gravity of the violations, the large number of consumers involved, the duration of the violations, and the lack of cooperation, the Garante imposed a fine of €26,513,977. The company was ordered to pay at least half of the fine within thirty days, and to publish the Garante’s decision on its website. Furthermore, the Garante enjoined the company from further violations, and required the company to take measures to comply with the data protection laws in the future and to report these compliance measures to the Garante.