Italian DPA (Garante) Imposes a Double Fine on Eni Gas E Luce Totalling EUR 11.5 Million for Two Violations of the GDPR.
The Italian Data Protection Authority (Garante) imposed a double fine on Eni Gas E Luce (EGL) of EUR 11.5 million for unlawful data processing for promotional purposes and activation of unsolicited contracts.
Last month, the European Data Protection Board reported on a double fine imposed on Eni Gas E Luce, by the Italian Data Protection Authority, Garante. Following an investigation into the marketing practices of Eni Gas E Luce (EGL), the Italian Data Protection Authority imposed a total fine of EUR 11.5 million for unlawful data processing for promotional purposes and activation of unsolicited contracts. Of the two fines imposed on EGL, the first, was a fine of EUR 8.5 million, for processing in connection with telemarketing and teleselling activities and the other,of EUR 3 million, for breaches due to the conclusion of unsolicited contracts for the supply of electricity and gas under ‘free market’ conditions.
Of the several infringements uncovered during the investigation, the first fine of EUR 8.5 million were for several counts of unlawful data processing. The specific violations included advertising calls made without the consent of the contacted person or despite that person’s refusal to be subjected to promotional calls, or without the required procedures for verifying the public opt-out register. The Italian DPA also found that there were no technical and organisational measures to take account of the indications provided by users. EGL also had longer than permitted data retention periods; and were acquiring data on prospective customers from list providers who had not obtained any consent for the disclosure of such data.
After receiving many complaints from customers that they received a letter of termination of the contract with the previous supplier or an initial EGL bill without ever having requested a change in supplier, the Italian DPA conducted an investigation which resulted in an additional EUR 3 million fine. In some cases, customers even reported incorrect data in the contracts and forged signatures.
The Garante has ordered that, in addition to paying the fine, EGL is to introduce specific alerts in order to detect certain procedural anomalies. The company is also prohibited from using the data made available by the list providers if those providers had not obtained specific consent from consumers, for the communication of such data to EGL. EGL is also expected to verify the consent of the persons included in the contact lists prior to the start of any promotional campaigns.They are to do so by examining a large sample of customers, and all of the aforementioned measures have to be implemented and communicated to the Italian DPA within a set timeframe, while fines must be paid within a 30 day period.
Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and UK Data Protection Act? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.
- Facial recognition technology use by US federal agencies - September 21, 2021
- Proposal for an EU AI Regulation - September 16, 2021
- Cookie consent pop-ups among the ICO’s intended topics of discussion at the recent G7 meeting - September 14, 2021