The Italian Data Protection Authority (Garante) published on May 21, 2024, its decision no. 205 as issued on April 11, 2024, in which it imposed a fine of €100,000 on Facile.Energy Srl following violations of the General Data Protection Regulation (GDPR). 

Background to the decision

The Garante stated that a request for information was sent to Facile on March 31, 2023, after 56 reports and 2 complaints were received between January 2022 and March 2023 relating to telemarketing practices. The Garante stated that Facile was asked to provide a list of purchase proposals from its sales network which led to the activation of energy services from March 6, 2023, to March 13, 2023.  

Findings of the Garante

The Garante stated that after it submitted the list of numbers received to the Public Register of Oppositions, it was determined that 106 telephone numbers (6% of total contracts during the period) were improperly registered with Facile, resulting in contracts. As a result, the Garante highlighted violations of Articles 5(1)(a) and 6(1)(a) of the GDPR occurred due to a violation of the principles of lawfulness and lack of legal basis of consent to legitimize the processing of the data for promotional purposes. 

Additionally, violations of Article 5(1)(f), 5(2), 24(1), 25(1), and 32 of the GDPR occurred because of deficiencies in compliance with the principles established to require the accountability and responsibility of the data controller and the specific rules regarding the security of the processing of data. The Garante mentioned that these violations occurred due to the lack of adherence to regulatory principles by Facile. 

Regarding Article 28 of the GDPR, the Garante mentioned that if processing must be carried out on behalf of the data controller, only third parties who present sufficient guarantees to implement adequate technical and organizational measures should be utilized, and a series of supervisory and control obligations should be implemented. The Garante mentioned that Facile failed to fulfill these obligations under Article 28 by placing the responsibility of retrieving the contact lists to telesellers. 

Outcome

The Garante highlighted that because of the findings, a fine of €100,000 was imposed on Facile in addition to other penalties including:   

• prohibition on further processing of the data of whistleblowers and complainants;  
• duty to communicate to the 106 data subjects whose personal data was entered into Facile's systems the outcome of the Garante's decision; and 
• prepare adequate controls within its sales network and adequate implementations of the systems to exclude illicit contracts that could lead to the activation of energy services. 

You can read the press release, only available in Italian, here.