Italian DPA fines Enel Energia $30.1M under GDPR over telemarketing practices

The penalty, while announced Wednesday, was ordered by the Italian data protection authority (Garante) on Dec. 16.

It is the sixth-largest fine to be imposed by an EU data regulator under the GDPR, according to the GDPR Enforcement Tracker, and the second-largest penalty issued by the Italian data protection authority, following a €27.8 million (then-U.S. $31 million) fine against telecommunications operator TIM in 2020.

Enel Energia was cited by Garante for hundreds of complaints regarding unsolicited sales calls made on the company’s behalf without customer consent. The regulator also found the company had persistently targeted users who were not even listed in the phone directory or had opted out of sales promotions altogether.

The company allegedly delayed responding to customers’ requests to access their personal data and/or to object to their data being processed for marketing purposes. In some instances, company feedback went missing altogether.

For its part, Enel Energia represented to Garante in response to requests for information that the unwanted calls customers attributed to the company were from outside the company and its network of commercial partners, according to a translation of the fine order.

“In general, in the face of all the complaints about unwanted promotional telephone calls, the company has always declared itself completely unrelated to the calls reported,” the translated order stated. Garante found this contention lacking, noting Enel Energia did not have “specific technical and organizational measures suitable” to combat such a phenomenon.

In an emailed statement, Enel Energia said it had originally stopped direct sales calls to customers in May 2017 but restarted its telemarketing operations during the pandemic so it could contact customers directly.

The company added it will “evaluate any subsequent action.”

In addition to the fine, Enel Energia will have to implement several measures imposed by the regulator to bring its processing activities into compliance with EU and domestic data protection law.

This includes bringing all processing of data by its sales network into compliance with “suitable arrangements and measures” to demonstrate promotional schemes and services or contracts are only activated following promotional calls addressed to listed numbers.

The company will also have to implement “further technical and organizational measures to handle data subjects’ requests to exercise their rights,” including the right to object to processing for promotional purposes, as well as respond to user requests within 30 days.

Enel Energia will need to inform Garante what steps it has taken to comply with the measures in question.

Garante has had telemarketing practices in its sights for some time, particularly in increasingly competitive industry sectors, such as energy and telecoms.

Last year, Sky Italia and Fastweb were hit with fines worth €3.3 million (then-U.S. $3.8 million) and €4.5 million (then-U.S. $5.3 million), respectively, for aggressive telemarketing tactics, while Vodafone’s Italian operation was fined €12.25 million (then-U.S. $14.5 million) for the same offenses in 2020.

Other European data protection authorities, such as the AEPD in Spain and the U.K. Information Commissioner’s Office, have recently imposed record fines under the GDPR and/or national legislation for misusing personal data for telemarketing purposes.

Editor’s note: This story was updated Jan. 24 to include Enel Energia’s response statement.