
Italian data protection fine of 11.5 million euros

Date: 17.01.2020

Responsible body: Eni Gas e Luce

Nature of the data protection violation:

The Italian data protection supervisory authority imposed two fines totalling EUR 11.5 million on the energy supplier Eni Gas e Luce for the unlawful processing of personal data in the context of advertising activities and the activation of unlawful contracts, respectively.

The fines have been determined taking into account the parameters established by the EU Regulation, including the number of persons involved, the frequency and duration of the infringement and the economic conditions of Eni Gas e Luce.

Italian data protection fine for advertising activities

The first Italian data protection fine of €8.5 million relates to unlawful processing in connection with telemarketing and telesales activities identified during inspections and investigations. The authority in Italy launched its investigation after receiving several dozen warnings and complaints immediately after the entry into force of the GDPR.

The investigations revealed a limited number of cases, but they indicated "systematic" behaviour by Eni Gas e Luce and revealed serious points of criticism regarding general data processing.

Infringements identified include:

  • Promotional calls made without the consent of the person contacted or despite that person's refusal.
  • The lack of technical and organisational measures to take account of the information provided by users.
  • Longer than permitted data storage periods.
  • The collection of data on potential customers from institutions (list providers) that had not obtained consent to the disclosure of such data.

Measures which had to be carried out on the instructions of the supervisory authority:

  • Procedures and systems to verify the consent of the persons included in the contact lists before the start of the promotional campaigns.
  • The implementation of a complete automation of the data flow, from the database to a black list, i.e. the list of people who do not wish to receive advertising.

Data protection fine for unlawful contracts

The second fine of EUR 3 million concerns infringements relating to the conclusion of unsolicited contracts for the supply of electricity and gas under 'market economy' conditions.

Many people complained to the Authority that they only learned of the conclusion of a new contract after receiving the letter of termination of the contract with the previous supplier or after receiving the first invoices from Eni Gas e Luce. In some cases the complaints reported false information in the contracts and forged signatures.

Some 7,200 consumers were affected by the serious irregularities mentioned above.

Categories of data: Names, addresses, telephone numbers, signatures

Country: Italy

Fines: 11.5 million euros

Source: European Data Protection Supervisor


Caroline Schwabe
