The Italian Guarantor for the protection of personal data has fined the energy company Enel Energia €26.5 million after an investigation into its marketing practices showed it violated GDPR. The investigation was prompted by hundreds of complaints from users about continuous unwanted telephone calls and emails from the company. The calls and emails were attempting to promote the services offered by Enel Energia.
Upon investigation it was found that the company continuously sent marketing communications to users. This was despite the data subjects refusing the communications both when signing the energy supply contract and by opposing the emails via the dedicated email box.
GDPR states that processing of personal data is prohibited unless consent is given by the data subject. Enel Energia failed to get the necessary consent for the processing they and their associates carried out. They also failed to control the activities of their business partners through appropriate technical and organizational measures.
Another key part of GDPR is consumer rights. When users exercised their right of access and right to object, the company did not act appropriately: it failed to provide the necessary and timely feedback on their requests. A contradictory response was provided to a further request in response to promotional calls via a pre-recorded message. The company also failed to provide accurate information to data subjects regarding third parties it shared data with. When data subjects tried to find information about the data controller on the company website, there were two statements. The investigation concluded this could generate confusion and does not reflect the essential principle of transparency.
Article 31 of the GDPR talks about how a company must cooperate with requests from any supervisory authority. However, when the Guarantor contacted Enel Energia, the company failed to provide a response and only responded after the third request. It did not provide analytical or detailed answers to the cases reported, which prevented any reasonable assessment. Enel Energia offered insufficient cooperation to the investigation, having failed to provide any information on how to issue consents for marketing and profiling purposes. This was despite two requests already and specific indications from the data subjects on the matter.
The final decision was that Enel Energia must pay a fine of €26,513,977 (USD 29,302,054.25). The deciding factors when calculating this fine were:
- Seriousness of the violations
- Duration of the violations (i.e. more than 6 months)
- Number of data subjects involved
- Significantly negligent nature of the conduct
- Repeated nature of the conduct
- Enel Energia has been sanctioned for one of these offences before
Value Privacy’s team of experts are here to make privacy simple. We can conduct a comprehensive evaluation of your data and privacy practices and let you know where you may be at risk. We can create, implement and maintain a program that works for you and your organization. Contact us today.