The Garante has issued two penalties against Eni Gas e Luce, totaling EUR 11.5 million, for violations of the EU General Data Protection Regulation.
In a statement, The Italian Data Protection Authority, Garante, explained that the fines concerns the illicit processing of personal data within the context of promotional activities and the activation of unsolicited contracts.
The first fine (EUR 8.5 million) relates to unlawful processing in connection with telemarketing and teleselling activities, which was discovered during inspections conducted by the Authority after receiving numerous complaints.
“The violations brought to light include advertising calls made without the consent of the contacted person or despite that person’s refusal to receive promotional calls, or without triggering the specific procedures for verifying the public opt-out register; the absence of technical and organisational measures to take account of the indications provided by users; longer than permitted data retention periods; and the acquisition of the data on prospective customers from entities (list providers) that had not obtained any consent for the disclosure of such data.”
The Garante has ordered Eni Gas and Luce (Egl) to implement and enforce new procedures whereby it can verify the consent of those included in the contact lists.
In addition, Egl would have to ensure full automation of data flows from its database to the company’s own black list.
The second fine (EUR 3 million) relates to breaches as a result of unsolicited contracts for the supply of gas and electricity under “free market” conditions.
“Many individuals complained to the Authority that they learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first Egl bills,” said the Garante.
With some cases, consumers had reported having incorrect data in their contracts and even forged signatures.
Altogether, nearly 7,200 consumers were impacted by the irregularities, subsequently Egl has been ordered to take several corrective measures and introduce alerts to detect various procedural anomalies, in addition to paying the EUR 11.5 million fine.
Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.
Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.