The Italian Supervisory Authority served two fines of EUR 8.5 and 3 million on Eni Gas and Luce (Egl), an Italian electricity and gas supplier.
The first fine sanctions illicit processing of personal data in the context of promotional activities while the second sanctions the activation of unsolicited contracts.
The amounts of the fines were determined by taking into account parameters such as the wide range of stakeholders involved, the pervasiveness of the conduct, the duration of the infringement, and the economic conditions of Egl.
The first fine of EUR 8.5 million relates to the unlawful processing of personal data carried out in connection with telemarketing and teleselling activities.
Following dozens of alerts and complaints, the Italian Authority carried out inspections and made inquiries that revealed that:
- the company made calls without individuals’ consent, despite their refusal to receive marketing calls, or without specific procedures for verifying the public opt-out register;
- there were no technical and organisational measures to take into account users’ marketing wishes;
- data was retained for longer than permitted;
- data was acquired from a third-party provider that had not obtained individuals’ prior consent.
Taking into consideration the gravity of the breaches, the Italian authority served a fine of EUR 8.5 million and ordered the company to take the necessary remediation actions to address all the breaches (e.g. implementation of procedures and systems to verify individuals’ consent and coordination of the database with the opt-out list). It also prohibited the company from using the third-party provider’s data where individuals have not given their consent.
The second fine of EUR 3 million sanctions the conclusion of unsolicited contracts that revealed the use of inaccurate data and illicit processing of personal data.
In practice, customers (7200 consumers) complained that they had received a letter of termination of their contract with their previous supplier, or the company’s first bill, without being aware of having agreed on a new contract with the company. It was reported that incorrect data and forged signatures were used.
The company managed to enter into contracts with individuals through external agencies operating on its behalf. The Garante found that such processing violated the principles of fairness and data accuracy and, in addition to serving a EUR 3 million fine, it ordered the company to take remediation actions, including implementing a system that detects procedural anomalies and sends alerts when it finds them.