Alpha Exploration, operator of the social media app Clubhouse, received a penalty from the Italian data protection authority (DPA) for the unlawful processing of European Union citizens’ data in violation of the General Data Protection Regulation (GDPR).

The company was ordered to pay a fine of 2 million euros (then-U.S. $2 million) on Oct. 6. The Italian DPA, Garante, announced its findings in a press release Monday.

On Clubhouse, users communicate in audio chat rooms. The U.S.-based app launched to the public in 2020 and quickly grew to reach 16 million active users per month.

During that rapid growth, Alpha Exploration failed to implement controls to safeguard EU user data—specifically, that of Italian citizens—according to Garante. The company did not have established representation in the European Union and told the regulator it did not intend to offer services to citizens of the bloc.

It wasn’t until August 2021 that Alpha Exploration updated its privacy policy to meet the GDPR’s requirements regarding requests for access and deletion of data, the DPA noted, adding that the company’s not having such controls in place earlier was an “incorrect assessment.”

“[T]he company could have correctly configured the structure of the obligations and fulfilments related to the application of the provisions on the protection of personal data in Europe … if it had made use of legal and consultants more integrated into the processes that were being developed and if it had monitored more punctually the change in the legal scenario that the sudden growth in membership of the Clubhouse platform had brought about,” Garante said in its translated findings.

Other issues the DPA explored in its investigation included improper marketing, recording and sharing audio with third parties, profiling and sharing information on accounts, unsuitable data retention practices, and lack of transparency by Alpha Exploration.

The company defended itself against the regulator’s findings in a June hearing. As part of its conversations with Garante, Alpha Exploration has further fine-tuned its privacy policy and terms and conditions to make data protection-related information “more understandable,” though the regulator said issues regarding audio retention “do not seem to have been overcome.”

“In particular, it has not been clarified which data may be subject to prolonged retention in the event of litigation (even potential) and whether for the eventual cancellation of such data reference is made to the statute of limitations (and of which country) or to other circumstances,” the DPA said.

Alpha Exploration has satisfied requirements to have an EU representative by designating VeraSafe Ireland for the role. The company was ordered to make further user privacy enhancements and conduct a data protection impact assessment.

The Clubhouse app was also the subject of investigations by DPAs in France and Germany launched in 2021.

Alpha Exploration did not respond to a request for comment.