Italy: Garante fines Enel Energia €26.5M for multiple data protection violations
The Italian data protection authority ('Garante') published, on 19 January 2022, its decision in case No. 443, as issued on 16 December 2021, in which it imposed a fine of €26,513,977 on Enel Energia S.p.A. for violations of Articles 5(1)(a), 5(1)(d), 5(2), 6(1), 12, 13, 21, 24, 25(1), 30, and 31 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and Articles 130(1), 130(2), and 130(4) of the Personal Data Protection Code, Containing Provisions to Adapt the National Legislation to General Data Protection Regulation (Regulation (EU) 2016/679) ('the Code'), following numerous complaints submitted by individuals.
Background to the decision
In particular, the Garante reported that it had received numerous complaints concerning the receipt of unwanted promotional calls, including pre-recorded ones, also by users registered in the register of oppositions; the lack or inadequate facilitation of data subjects' rights; and, more generally, various problems deriving from the processing of personal data in the context of energy supply services, including the processing activities carried out through the dedicated area of Enel Energia's website and the related app. Following this, the Garante highlighted that it had carried out a complex investigation, which also covered Enel Energia's business partners and which included the submission of four separate requests for cumulative information, from December 2018 to July 2020, concerning a total of 135 files.
Findings of the Garante
Further to the above, the Garante, based on the elements acquired, found multiple instances of unlawfulness. Specifically, the Garante outlined that Enel Energia had breached Article 30 and Article 31 of the GDPR for not having sufficiently cooperated with the Garante during the course of the investigation. For example, the Garante noted that Enel Energia had not provided any response to various requests submitted by the Garante and that, on other occasions, it had solely responded with a series of standardised answers. In addition, the Garante took the view that Enel Energia's claims that the numbers used to make the promotional phone calls did not belong to it, nor to its business partners, rather than being defensive statements, were in fact critical elements to determine Enel Energia's lack of effective counteractions against the promotional calls carried out in its name, especially considering that Enel Energia had directly received complaints for aggressive telemarketing practices, thus resulting in a breach of the principles of accountability and Privacy by Design. Moreover, the Garante added that the principle of accountability was also violated by Enel Energia's inability to prove compliance with data protection laws in relation to unwanted promotional calls carried out by a business partner, and by its failure to carry out the required checks on the activities of its business partners in general, which also resulted in a breach of its responsibilities as data controller.
Furthermore, the Garante considered that Enel Energia had violated the principle of accuracy, having erroneously associated the personal data of different data subjects in its records, which led to undue communications of personal data, also in the absence of any legitimate basis for doing so. Notably, the Garante found that Enel Energia had not respected the requirements for transparency and had not facilitated the exercise of data subjects' rights, including by failing to provide the necessary and timely feedback to the data subjects following their requests to exercise the right of access and the right to object. In addition, the Garante deemed Enel Energia in breach of Article 21 of the GDPR and Articles 130(1) and 130(2) of the Code, considering the undue sending of promotional communications by email, despite the lack of the data subjects' consent to the processing of their personal data for marketing purposes and the subsequent opposition to the processing expressly addressed via a separate email communication. With regard to the data processing activities in the context of Enel Energia's website and app, the Garante found Enel Energia in breach of the principle of lawfulness, fairness, and transparency, as well as of its disclosure obligations, for having presented website users with two conflicting statements as to the identity of the data controller and for having failed to provide data subjects with information necessary for the identification of the recipients of their personal data. The Garante also found that Enel Energia had violated Article 130(4) of the Code, since it had sent communications regarding the registration to its loyalty program that qualify as 'soft spam'. Furthermore, the Garante considered that Enel Energia had violated the provisions of the GDPR and the Code on the requirements for valid consent, as it had acquired single declarations of consent from data subjects that covered multiple and generic purposes.
In consideration of the above, the Garante imposed a fine of €26,513,977, and in determining said amount, it took into consideration several aggravating factors, such as the seriousness of the violations, their duration and repeated nature, the high number of data subjects involved, and the negligent nature of the conduct. In addition to the fine, the Garante issued warnings to Enel Energia regarding the promotional campaigns, which will have to comply with data protection laws going forward, and also regarding circumstances relating to Enel Energia's behaviour in the course of the investigation. Moreover, the Garante ordered Enel Energia to implement further technical and organisational measures to manage the requests for the exercise of data subjects' rights, and to communicate to the Garante the measures undertaken to comply with the orders contained in the decision. Lastly, the Garante ordered the publication of the decision on the Garante website as an ancillary sanction.
In conclusion, the Garante issued the fine of €26,513,977 and the aforementioned warnings and orders, and noted that Enel Energia has 30 days to lodge an appeal with the judicial authority.
UPDATE (10 February 2022)
EDPB publishes English summary of Garante's decision
The European Data Protection Board ('EDPB') published, on 8 February 2022, an English summary of the decision of the Garante, in which it imposed a fine of €26.5 million on Enel Energia.