In the first decision, the Garante found that Eni had repeatedly contacted Italian consumers via phone for promotional purposes without their consent or when such consent was expressly revoked by the data subjects. Specifically, the contact details were provided via third-party list providers, which did not obtain the personal data directly from the data subjects. Rather, data was collected from other data controllers who obtained the data subjects’ consent to communicate their personal data to third parties for promotional purposes. However, the Garante found that such consent could not be a valid legal basis for onward communications for commercial purposes. Furthermore, the inspections conducted by the Garante showed a general lack of adequate organizational measures intended to appropriately consider the preferences expressed by data subjects, and that the personal data relating to the contracts with the data subjects were retained for longer than needed.
In the second decision, the Garante found that Eni unlawfully processed the personal data of 7,200 consumers in relation to the performance of unsolicited contracts for the supply of electricity and gas. The Garante in fact found that some of the vendors/agencies (which Eni relied on to enter into supply contracts with consumers) regularly collected incorrect personal data from consumers demanding the supply of electricity/gas by Eni. Such inaccuracies were due to inadequate procedures aimed at verifying the accuracy of the personal data collected and, ultimately, resulted in the performance of a significant number of supply contracts with consumers that had never asked for such services.
The Garante issued fines for EUR 8.5 million and EUR 3 million, respectively, for the conduct described above. The amounts were calculated considering several factors, such as: the considerable amount of processing activities conducted as well as the number of data subjects involved, the seriousness of the infringement, the significant economic gains deriving from these activities, etc. Noteworthy, the Garante calculated the fine considering Eni Gas e Luce’s annual turnover only (and not just its global turnover).
In addition to the fines, the Garante prohibited Eni from processing the personal data communicated by list providers that had not obtained the data subjects’ consent to communicate such data to Eni as well as those of the 7,200 consumers whose data was processed to perform the contracts. The Garante also ordered Eni to implement appropriate organizational procedures to ensure that the vendors acting on its behalf comply with the GDPR, and that the personal data and the preferences expressed by data subjects are always accurate and up to date.