With decisions no. 231 and 232 of 2019, the Italian Data Protection Authority imposed two substantial fines on the well-known company Eni Gas e Luce (hereinafter “EGL”) amounting to € 3,000,000 and € 8,500,000 at the end of two different proceedings relating to the infringement of data protection laws in the context of the conclusion of unsolicited supply contracts and illicit telemarketing and teleselling activities, respectively.

As for the first proceedings, the DPA’s investigation – which followed several users’ reports – evidenced that, for the purpose of acquiring new customers in the free market of energy and gas, EGL had made use of various agents who were required to follow a specific procedure to conclude the contracts in question. In particular, those agents were supposed to acquire, through paper forms or tablet apps, the personal data of potential customers, which were subsequently stored in EGL’s database following formal checks (e.g. the filling of all the fields on the form, the signature of the contract). Then, these prospects were validated by means of automated calls to the telephone number indicated on the form or an e-mail/SMS containing a link and a contact number. Only in the event of a manifestly negative outcome of the assessment (but not in the event of the unavailability of the customer) was an operator supposed to make a further verification call, after which the acceptance letters were sent to the customers and the contract was finally entered into.

Having ascertained that a substantial number of contracts had been concluded by the agents using incorrect personal data or, more generally, that the customers had not requested the supply contract itself, EGL had spontaneously adopted corrective and precautionary measures aimed at preventing such situations. However, beyond the evident unsuitability of the aforementioned procedures to conclude the contracts, the Authority underlined that the numerous deficiencies in EGL’s privacy policies – with regard to the accuracy of the data processed, the security of processing as well as the supervision of the people entrusted with the processing – had made it possible for the agents to operate for a considerable period of time in breach of the instructions given (in particular, in breach of the principles of fairness, accuracy and the updating of the data). The Authority therefore considered that EGL, in its capacity as data controller, was responsible for the processing carried out through its data processors (the agents) even if they had operated in breach of the instructions given, given that the data controller is generally required to adopt technical and organisational measures to prevent such violations.

The second proceeding instead concerned the promotional calls made on behalf of EGL to numbers taken from EGL’s database, or from the lists purchased from list providers (in turn, acquired from third parties) or self-generated by the filling of forms by the customers. In this context, the Authority’s investigations evidenced different infringements of data protection laws. First of all, EGL had not carried out any assessment (not even by means of random checks) on the processing’s compliance with the provisions relating to the privacy policy, the acquisition of the consent and its subsequent refusal, or to the registration in the Public Opt-Out Register. Basically, the Authority found that EGL had in no way taken into account the customers’ refusal to consent to the processing for promotional-advertising purposes and had therefore carried out telemarketing and teleselling activities in breach of the principle of lawful processing. Moreover, with reference to the lists provided by third parties, the Authority clarified that the consent originally given by the customers for the transfer of their data to third parties for marketing purposes could also not be considered tacitly given for subsequent transfers, due to the lack of specificity and appropriate information in this regard. Lastly, the Authority found that EGL had not adopted the technical and organisational measures suitable to guarantee the respect of the data subject’s consent (or denial), and had stored the personal data concerned for longer than required for the pursuit of the purposes for which they had been collected.

Therefore, at the end of the two proceedings, the Authority found the two processing activities to be unlawful and prohibited the further use of the data concerned. In both cases, the substantial amount of the fines was determined on the basis of factors such as the wide scope of the processing and the number of subjects involved, the duration and seriousness of the infringement, the significantly negligent behaviour of EGL, the damages suffered by the data subjects and, for telemarketing and teleselling activities, the economic advantages obtained by EGL and the existence of a previous similar decision against the same company. On the other hand, EGL’s cooperation in the proceedings and the implementation of corrective measures during the proceedings were taken into account as positive factors. Finally, together with the fines, the Authority ordered EGL to implement procedures and measures aimed at preventing the same infringements from occurring in the future.