With Injunction Order No. 443 of December 16, 2021, the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali – “Garante”) sanctioned Enel Energia S.p.A. (“Enel”) for teleselling activities in breach of the GDPR (Regulation EU 2016/679) and the Italian Data Protection Code (Legislative Decree No. 196/2003).
The proceedings were initiated in response to hundreds of user reports complaining about the receipt of unwanted promotional telephone calls, including robocalls, in the name of and on behalf of Enel; users also complained of difficulty in exercising their rights as data subjects (especially the right to revoke consent and the right to object to processing).
The investigation carried out by the Garante showed systematic unwanted promotional phone calls to confidential users and users listed in the Public Do Not Call Registry (Registro Pubblico delle Opposizioni) without the necessary consent, in addition to late responses or no response to requests to exercise rights regarding access to personal data, revocation of consent, and objection to calls for marketing purposes. The Garante also found that the consent wording adopted by Enel was not compliant with the GDPR, because it was too generic when it came to the entities to which data could be communicated for marketing purposes, and the information notice it provided to users had significant gaps. Finally, the Garante pointed to several significant delays in Enel’s response to requests sent by the Garante during the course of the investigation.
To defend itself against the Garante’s allegations, Enel, among other things, argued that many of the telephone calls were made by unauthorized operators who passed themselves off as Enel agents to catch the attention of the people they called, at which point they would offer contracts with competing third parties during the call. Additionally, for calls that could be traced to Enel’s partners, Enel argued that it could not be responsible for the actions of its partners, because these activities were carried out in breach of its own contractual agreements with them. However, the Garante dismissed these arguments as groundless, since it determined that in many cases the calls led to contracts being signed with Enel. Additionally, according to the Garante, it was Enel’s specific duty as data controller to monitor the activities carried out on its behalf and ensure that they followed data protection legislation.
Based on the above, the Garante found Enel noncompliant with the principles of accountability and privacy by design, as well as with the rules governing direct marketing activities, and ordered Enel to:
- pay an administrative fine of EUR 26,513,977.00;
- implement adequate measures to provide that offers, services, and contracts are activated only following promotional contact made by Enel (or entities operating on its behalf) using telephone numbers registered in the Registry of Communications Operators (ROC) and in compliance with Article 130 of the Italian Data Protection Code;
- implement technical and organizational measures to manage requests to exercise the rights of data subjects, in particular the right to object to promotional activities, so as to provide feedback to data subjects no later than 30 days after a request;
- inform the Garante of the steps taken to comply with the provisions of the measure within 40 days of the injunction order.
Additionally, the Garante formally warned Enel that filing incomplete or inaccurate documentation in response to requests from the authority or failing to reply to such requests is in breach of the duty to cooperate under Article 31 GDPR.