Telemarketing and aggressive practices against consumers are once again in the spotlight of the Italian Data Protection Authority (Garante), which has imposed its highest fine ever on the Italian electricity provider Enel Energia. Italian consumers are, unfortunately, routinely harassed by unwanted telephone calls from marketing agencies proposing contracts for all kinds of services, and it is not always easy to identify the controller of the data or to understand how personal data are exchanged between the various actors in the telemarketing chain.

Even though the Garante has issued many fines for such marketing practices in the past (for example, TIM S.p.A. was fined about 7 million euros in April 2023, and Vodafone Italia S.p.A. more than 11 million euros in November 2020), these fines have so far not proven an effective deterrent against the companies' marketing practices.

The investigations into Enel Energia revealed multiple violations

The proceedings against Enel Energia, which resulted in a fine in February 2024, originated from findings of the Garante following an investigation by the authorities responsible for, among other things, taxes, privacy and online fraud (the Guardia di Finanza and the Nucleo Speciale Tutela Privacy) into the telemarketing activities of some local marketing agencies. The investigation revealed that two agencies were promoting the services of energy companies, including Enel Energia and one other provider, using forged identification cards and forms. These agencies contacted potential customers by phone using illegally acquired contact lists and did not comply with telemarketing regulations.

In addition, as a regular practice, they offered customers already signed up with the other provider a switch to Enel Energia. Another relevant factor was that none of these marketing agencies had any appropriate contractual arrangement with Enel Energia: the contracts they concluded with customers were passed to a third party, which in turn, through yet another separate company, fed them into the Enel Energia database.

In summary, the four companies involved organised and coordinated their activities to obtain orders from the Enel Energia sales network, contact potential customers using illegally acquired data, and upload contracts without authorisation.

At the end of the investigation, it emerged that Enel Energia had acquired over 950 contracts from agencies and companies that did not, in fact, belong to the Enel Group. The investigation also covered the management of Enel Energia's customer databases, and it was found that the agencies had many "ways of access" to those databases with no clear security measures in place, which cast doubt on the lawfulness of the whole procedure.

Severe consequences for violating data protection laws

For the breaches identified in Enel Energia's telemarketing practices and database management, the Garante imposed the following:

  1. Enel Energia must notify the 595 individuals whose personal data were unlawfully acquired by the marketing agencies and entered into the company's systems;
  2. Enel Energia must provide adequate documentation certifying the implementation of security measures that prevent simultaneous access to the relevant system with the same authentication credentials. At the same time, the company must introduce additional measures to ensure the traceability and effective monitoring of operations and critical events on the system, and to block access from IP addresses other than those assigned to each agency;
  3. Enel Energia must ensure that the agencies enter into contracts with any sub-agents that fully comply with the standard contract between the controller and the agencies themselves, clearly specifying the allocation of responsibilities in data processing as required by Article 28 GDPR (data processing agreements);
  4. An administrative fine under Article 83 GDPR.
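Two of the technical measures ordered in point 2 (no simultaneous sessions on one set of credentials, and access only from the IP addresses assigned to each agency) can be verified after the fact only if the system records, per operation, the account, the agency it belongs to and the source IP. The following is an added example, not code from the decision or from Enel Energia, showing what such an audit over an access log looks like: it flags an account used from two IP addresses at the same time and any access from an IP outside the owning agency's allow-list. The log format, the account names, the idle timeout and the per-agency IP allow-list are all assumptions; the log lines are constructed.

```python
"""Audit of an access log for the two controls ordered in the decision:
(1) one credential must not have two live sessions, (2) each agency may
only connect from its assigned IPs. Hypothetical log format and data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; RFC 5737 documentation IPs).
SAMPLE_LOG = """\
2024-02-01T09:00:00 account=agA.op1 agency=agencyA ip=203.0.113.10 event=login
2024-02-01T09:05:00 account=agA.op1 agency=agencyA ip=203.0.113.10 event=contract_upload
2024-02-01T09:10:00 account=agA.op1 agency=agencyA ip=192.0.2.44 event=login
2024-02-01T09:12:00 account=agA.op1 agency=agencyA ip=192.0.2.44 event=contract_upload
2024-02-01T09:20:00 account=agA.op1 agency=agencyA ip=203.0.113.10 event=logout
2024-02-01T09:40:00 account=agB.op7 agency=agencyB ip=198.51.100.5 event=login
2024-02-01T09:41:00 account=agB.op7 agency=agencyB ip=198.51.100.5 event=contract_upload
2024-02-01T09:50:00 account=agB.op7 agency=agencyB ip=198.51.100.5 event=logout
2024-02-01T10:30:00 account=agB.op7 agency=agencyB ip=198.51.100.9 event=login
"""

# Assumed per-agency allow-list: the IPs the controller attributed to each agency.
AGENCY_IPS = {
    "agencyA": {"203.0.113.10", "203.0.113.11"},
    "agencyB": {"198.51.100.5"},
}

# A session with no activity for this long counts as closed even without a logout.
IDLE_TIMEOUT = timedelta(minutes=30)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) agency=(?P<agency>\S+) "
    r"ip=(?P<ip>\S+) event=(?P<event>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_concurrent_sessions(events, idle_timeout=IDLE_TIMEOUT):
    """Return one (account, existing_ip, new_ip, first_seen) per pair of IPs
    that held live sessions on the same account at the same time."""
    live = defaultdict(dict)        # account -> {ip: last activity timestamp}
    reported = set()                # (account, frozenset({ip_a, ip_b})) already flagged
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        acct, ip, now = e["account"], e["ip"], e["ts"]
        # Expire sessions that have gone idle past the timeout.
        for other_ip, seen in list(live[acct].items()):
            if now - seen > idle_timeout:
                del live[acct][other_ip]
        # Any still-live session from a different IP means shared credentials.
        for other_ip in live[acct]:
            key = (acct, frozenset({other_ip, ip}))
            if other_ip != ip and key not in reported:
                reported.add(key)
                findings.append((acct, other_ip, ip, now))
        if e["event"] == "logout":
            live[acct].pop(ip, None)
        else:
            live[acct][ip] = now
    return findings


def find_foreign_ips(events, allowlist=AGENCY_IPS):
    """Return (account, agency, ip, ts) for every operation whose source IP
    is not in the allow-list of the agency the account belongs to."""
    return [
        (e["account"], e["agency"], e["ip"], e["ts"])
        for e in events
        if e["ip"] not in allowlist.get(e["agency"], set())
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_concurrent_sessions(evs):
        print("concurrent session:", f)
    for f in find_foreign_ips(evs):
        print("IP outside agency allow-list:", f)
```

On the constructed log, `agA.op1` is caught both ways: a second login from 192.0.2.44 while the 203.0.113.10 session is still live, and that address is not on agencyA's list. `agB.op7` logging in from 198.51.100.9 after logging out is not a concurrent session, but it still trips the allow-list check. Two caveats for anyone implementing the ordered measures: the log-based audit is the monitoring half only, and the prevention half (rejecting a second login, or rejecting a connection from an unassigned IP) has to be enforced in the application or at the network edge; and an IP allow-list binds access to a network location rather than to a person, so it does not replace individual credentials for the people working at each agency.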

For the calculation of the fine, the Authority took into account the controller's annual worldwide turnover as of December 2022. Weighing the many elements that emerged from the investigation against the principles of effectiveness, proportionality and dissuasiveness laid down in Article 83(1) GDPR, and taking into account the necessary balance between the rights of data subjects and the freedom to conduct business, the Garante set the fine at 79,107,101 euros, equal to 8% of the maximum fine and 0.32% of the annual turnover.