A record fine of over €79m ($85.4m) has been imposed on Enel Energia over alleged mishandling of numerous electricity and gas supply customers’ personal data for telemarketing purposes. The company, which is a unit of Enel – Italy’s national entity for electricity – allegedly used customers’ personal data in connection with at least 9,300 contracts to illicit promote its energy and gas services.
The company was also believed to have acquired the personal data of 978 users from four companies outside its sales network.
According to Garante per la protezione dei dati personali, the Italian Data Protection Authority, the company’s customer management and service activation information systems also showed “serious security shortcomings” for not protecting its databases from access by unauthorized agents.
The Italian watchdog said that the company failed to implement all the required measures to prevent “the unlawful activities of unauthorized agents who fuelled for years an illicit business carried out through nuisance calls, service promotions, and the signing of contracts with no real economic benefits for customers by identifying easy ‘front doors’ in the company’s information systems”.
The large fine follows an inquiry by the Italian financial police into the four companies, which the Garante earlier fined €1.8m ($1.95m) and seized some of their databases.
The fine of €79,107,101 ($85,432,724) is the largest sanction set to date by Garante.
According to Reuters, Enel Energia has stated that it always acted correctly and has taken “all suitable measures” to ensure that its systems are secure, and to respect data protection rules. The company also considered itself the injured party, and will appeal against the decision.
Other fine dismissed
In January 2022, Garante also fined Enel Energia over €26.5m ($28.7m) over aggressive marketing, where the company was using consumers’ data without consent. The authority received hundreds of complaints from customers who had both received unsolicited calls on behalf of Enel Energia, some with pre-recorded messages, and also found it difficult to exercise their data protection rights on the company website and app.
That case was, however, dismissed when the Court of Rome granted the appeal lodged by Enel Energia SpA to have the fine annulled. This was the first time that a fine from Garante under the GDPR has been annulled by a Court, and was due to Garante not complying with its own time limits.