Italy: Garante fines Enel Energia €79.10M for GDPR violations

On February 29, 2024, the Italian data protection authority (Garante) published its decision no. 81 of February 8, 2024, in which it imposed a fine of €79.10 million on Enel Energia SpA (Enel Energia) for violations of the General Data Protection Regulation (GDPR) after an investigation. 

Background to the decision 

The Garante stated that an investigation was carried out by the Guardia di Finanza (financial police) in which fines were imposed on four companies and databases were confiscated as they related to unlawful activities. Further investigation of the databases revealed that Enel Energia acquired as many as 978 contracts from the four companies, even though the companies did not belong to Enel Energia's sales network. As a result, an additional investigation was launched by the Garante, which revealed that Enel Energia's marketing activities were carried out using illicitly acquired lists of customers which contained addresses, telephone numbers, municipality of customer residences, and the customer's relevant energy company.

Findings of the Garante 

Based on the results of the investigation, the Garante stated that Enel Energia violated Articles 5(1)(f) and 32 of the GDPR in that it failed to carry out an adequate assessment of the risks connected to its customer resource manager (CRM) interface and failed to adopt appropriate measures to guarantee the correct use of access credentials and to prevent credential sharing. The Garante stated that this allowed contract proposals acquired by agency employees who were not authorized to access and process personal data to be entered into Enel Energia's contractual system.

The Garante noted that Enel Energia also breached its accountability and privacy-by-design obligations under Articles 5(2), 24(1), and 25 of the GDPR by failing to counter the incorrect behavior of other agencies that sought to procure contracts for Enel Energia, and by not exercising its duty to maintain control over the prevention measures, functionality, and security of its systems and over the transparency of the processing of personal data. Lastly, the Garante found that Enel Energia violated Article 28 of the GDPR because its contracts with agencies set out a division of responsibility that did not reflect the actual processing of personal data, lacked terms on the obligations of the data controller, and did not ensure that the necessary legal acts were entered into with data subjects.

In the determination of the fine, the Garante highlighted that it considered numerous factors of the investigation including: 

  • the seriousness of the violations as it relates to unwanted telemarketing; 

  • the number of data subjects involved and the duration of the contracts; 

  • the negligent nature of the violations; and 

  • the ineffectiveness of the technical and organizational measures implemented and the role that Enel Energia assumes as the leading company in industrial and technological development processes. 

The Garante also considered mitigating factors when determining the fine amount to include:  

  • Enel Energia's introduction of an authentication system that prevents simultaneous use of the same credentials to access the CRM system from different locations; and 

  • the number of contracts favoring Enel Energia was lower than the number of 'outgoing' contracts, favoring other companies, that were entered into Enel Energia's systems.

Outcomes 

The Garante imposed a fine of €79.10 million on Enel Energia. Additionally, Enel Energia must:  

  • communicate, within 30 days, the outcome of this proceeding to the 595 interested parties whose personal data entered the company's systems, using text to be agreed upon with the Garante;

  • provide adequate documentation to certify the implementation of security measures that prevent simultaneous access to its system with the same authentication credentials;

  • implement further measures to ensure the traceability and effective monitoring of operations carried out and critical events on the CRM system, and to prevent access from IP addresses not attributed to specific agencies; and

  • ensure that agencies enter into contracts with any sub-agents that fully comply with the standard contract between Enel Energia and the agency, and that the distribution of responsibilities for the processing of personal data is clearly set out as per Article 28 of the GDPR.
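As an added illustration, not taken from the decision or from Enel Energia's systems, the following Python sketches two of the ordered CRM controls as log checks: flagging a credential that logs in from two different source IPs within a short window, and flagging logins from IPs outside the ranges attributed to the agency claimed at login. The log lines, credential names and per-agency IP allocations are constructed placeholders.

```python
"""Constructed example: CRM access-log checks for shared credentials and unattributed IPs."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample CRM access log: timestamp, credential, source IP, agency claimed, action.
SAMPLE_LOG = """\
2024-01-10T09:00:00 agent017 203.0.113.10 agencyA login
2024-01-10T09:02:30 agent017 198.51.100.7 agencyB login
2024-01-10T09:05:00 agent042 203.0.113.11 agencyA login
2024-01-10T10:30:00 agent042 203.0.113.12 agencyA login
2024-01-10T11:00:00 agent099 192.0.2.200 agencyC login
"""

# Constructed placeholder allocations: which source networks each agency is attributed.
AGENCY_NETS = {
    "agencyA": [ipaddress.ip_network("203.0.113.0/24")],
    "agencyB": [ipaddress.ip_network("198.51.100.0/24")],
    "agencyC": [ipaddress.ip_network("192.0.2.0/25")],
}

def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, cred, ip, agency, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "cred": cred,
                       "ip": ipaddress.ip_address(ip), "agency": agency, "action": action})
    return events

def concurrent_credential_use(events, window=timedelta(minutes=15)):
    """Flag consecutive logins of one credential from different IPs within the window."""
    by_cred = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "login":
            by_cred[e["cred"]].append(e)
    alerts = []
    for cred, logins in by_cred.items():
        for prev, cur in zip(logins, logins[1:]):
            if cur["ip"] != prev["ip"] and cur["ts"] - prev["ts"] <= window:
                alerts.append((cred, str(prev["ip"]), str(cur["ip"])))
    return alerts

def unattributed_ips(events, agency_nets):
    """Flag logins whose source IP is outside every network attributed to the claimed agency."""
    return [(e["cred"], str(e["ip"]), e["agency"]) for e in events
            if e["action"] == "login"
            and not any(e["ip"] in net for net in agency_nets.get(e["agency"], []))]
```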

You can read the press release here and the decision, only available in Italian, here.