The Italian data protection authority ('Garante') announced, on 21 February 2023, in its monthly newsletter, the publication of its Decision No. 431, as issued on 15 December 2022, in which it imposed a fine of €4.9 million on, and issued various compliance orders to, Edison Energia S.p.A., for violations of Articles 5(1)(a), 5(2), 6, 7, 12(1), 12(2), 12(3), 21(2), 24(1), 24(2), and 25(1) of the General Data Protection Regulation (Regulation (EU) 2016, 679) ('GDPR'), and Article 130 of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('the Code'), following several complaints submitted by individuals.

Background to the decision

In particular, the Garante reported that the complainants had lamented unlawful conduct related to the processing of personal data by Edison Energia for marketing and profiling purposes. In particular, the Garante stated that Edison Energia, among other things, was using contact lists prepared by other companies that have not acquired a free, specific, informed, and documented consent to the disclosure of user data and that the customers who have expressed their wish not to be contacted anymore are included in a 'no-contact list', which does not contain any indication of the date of the refusal, nor of the inclusion on the list and of the identity of the person concerned, making it impossible to ascertain the lawfulness of the promotional contacts and the proper handling of the opposition made by those concerned.

Further to this, the Garante noted that the complainants lamented, among other things, the receipt of telephone calls without consent, the failure to respond to requests not to receive any more unsolicited telephone calls, the impossibility of expressing free and specific consent for various purposes (promotional, profiling, or communication of data to third parties) within the website or app, and the presence of deficient or inaccurate privacy policies.

Findings of the Garante

At the end of the investigation carried out, the Garante found that Edison Energia violated:

• Articles 5(1)(a) and 12(1) of the GDPR as some of the processing activities described in the privacy notice on the internal website were not actually carried out by Edison Energia, violating the obligation to provide transparent information;
• Articles 5(2), 24(1), 24(2), and 25(1) of the GDPR for having carried out promotional campaigns without implementing data protection requirements, such as informing the data subjects, lawfully obtaining their consent, and maintaining the accuracy and quality of data, contrary to the principles of Privacy by Design and accountability;
• Articles 6 and 7 of the GDPR and 130 of the Code because the user's registration to the website www.edisonenergia.it and to the MyEdison App was subject to the simultaneous issue of a single consent for marketing and profiling purposes, making this consent neither specific nor free; and
• Articles 12(2), 12(3), and 21(2) for not having provided for direct and simplified procedures to enable the data subject to exercise their right to object to the processing carried out for promotional purposes immediately.

Outcomes

In light of the violations ascertained, the Garante issued a fine of €4.9 million and ordered Edison Energia to, among other things:

• facilitate the exercise of rights under the GDPR and to provide feedback, without delay, to requests, including those concerning the right to object;
• refrain from any further processing for promotional purposes using contact lists prepared by other companies that have not acquired free, specific, informed, and documented consent to the disclosure of user data;
• abstain from processing of data for marketing and profiling purposes collected without free and specific consent; and
• provide users with correct information, indicating only the processing activities actually carried out.

In conclusion, the Garante noted that Edison Energia may lodge an appeal against the decision before the judicial authority within 30 days.

You can read the newsletter here and the decision here, both only available in Italian.