The Italian data protection authority ('Garante') announced, 22 June 2021, that it had issued a decision to fine Iren Mercato SpA, a company operating in the energy sector, €3 million for carrying out telemarketing activities without valid consent in violation of Articles 5(1) and (2), 6(1), and 7(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the Garante outlined that, following various complaints and reports, it had found that the personal data that Iren processed for its telemarketing activities had been obtained indirectly from a third-party source, Nethex Digital Merketing Srl, which in turn had acquired the data, as an independent data controller, from two additional companies. Furthermore, the Garante highlighted that these two latter companies had obtained the necessary consent from their customers for the telemarketing activities carried out by both themselves and by third parties, including Nethex, but that this consent did not extend to the transfer of customer data from Nethex to Iren.

Therefore, the Garante found that Iren, having failed to verify that all of its telemarketing activities were based on free, specific, and informed consent, was, among other violations, in breach of the principles of lawfulness, transparency and accountability. In addition, the Garante further highlighted that the factors considered in determining the amount of the sanction included the fact that the marketing lists, further use of which for marketing purposes the Garante also prohibited in its decision, concerned several million people. Finally, the Garante noted that it had also issued a warning to Iren for having provided incomplete and unsuitable representation and evidence during the investigation.

You can read the Garante's newsletter here and the decision here, both only available in Italian.