Highest Sanction Ever Imposed for Deficiencies in Data Processing

The Italian Data Protection Authority imposed a sanction against Enel Energia amounting to 79 million euros for serious deficiencies in personal data processing, making it the highest sanction ever imposed.

The Italian Data Protection Authority has sanctioned Enel Energia S.p.A. for serious deficiencies in personal data processing with an administrative fine of 79,107,101 euros, or 8 percent of the maximum fine, which is significantly higher than the average.

The measure follows an inquiry that the Authority opened after an investigation into telephone marketing activities carried out by four Italian companies which, without any cooperation contract or authorization from Enel, promoted electricity and gas services using forged forms and identification cards. These companies contacted potential customers using illicitly purchased telephone directories, in violation of data protection and telemarketing regulations, and uploaded contracts concluded on behalf of Enel into its information systems without having any authorization or autonomous access credentials of their own.

As a result of this investigation, the Authority had already sanctioned the four companies with fines totalling 1.8 million euros and the confiscation of the databases used for the illicit marketing activities that were established.

This illicit telemarketing activity resulted in the conclusion of 978 electricity and gas supply contracts in favor of Enel by the four companies and, further, “according to the examination of the material confiscated in execution of Order No. 184/2023, they would have introduced about 9300 contracts into the systems of Enel, from 2015 to 2022”, despite the fact that the companies themselves did not belong to the sales network of the energy company in question (in this sense one speaks of a “telemarketing undergrowth”).

As a result, the Authority’s investigative activity led to a finding that Enel was responsible for the following violations:

i) Violation of the principles of accountability and privacy by design, because Enel did not adequately control the agencies that illicitly procured contracts for the company;

ii) Lack of a proper risk assessment relating to the use of the “N.Eve” platform, made available to agencies authorized to carry out telemarketing activities so that they could enter the contracts concluded into the company’s information system. Specifically, Enel had no controls in place to prevent the credentials used to access the information systems from being used on several devices at the same time;

iii) Violation of Article 28 GDPR, because Enel, as data controller, did not carry out the necessary controls on the agencies that carry out telemarketing activities (data processors/sub-processors).

For these reasons, in addition to the fine, the Authority ordered Enel to communicate the outcome of the proceedings to the individuals whose data was unlawfully acquired and entered into Enel’s computer systems, and to prove, with adequate documentation, the implementation of security measures relating to the access credentials of the N.Eve platform, together with measures to ensure the traceability and monitoring of the operations carried out on the platform itself. In addition, the Data Protection Authority enjoined the company to ensure that telemarketing agencies authorized for this activity enter into appropriate contracts with any sub-agencies, clearly setting out the distribution of responsibilities for the processing of personal data under Article 28 GDPR.
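The two technical shortcomings the Authority points to (credentials usable from several devices at once, and no traceability of what each credential did on the platform) are both detectable from an ordinary access log. The following is an added illustration, not code from the page, from Enel or from the N.Eve platform: it assumes a hypothetical log format of `timestamp credential device action` and flags any credential that is active from more than one device within a short window, while also building a per-credential, per-device activity summary that a controller could hand to an auditor.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for a hypothetical contract-upload platform.
# Each line: ISO timestamp, credential (agency account), device fingerprint, action.
SAMPLE_LOG = """\
2022-03-01T09:00:05 agency_alpha dev-1a2b upload_contract
2022-03-01T09:00:40 agency_alpha dev-9f8e upload_contract
2022-03-01T09:01:10 agency_alpha dev-1a2b upload_contract
2022-03-01T09:30:00 agency_beta dev-7c7c login
2022-03-01T11:30:00 agency_beta dev-3d3d upload_contract
2022-03-01T11:31:00 agency_gamma dev-5e5e upload_contract
"""

# Two devices using the same credential less than this far apart count as concurrent.
WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, credential, device, action)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, cred, device, action = line.split()
        events.append((datetime.fromisoformat(ts), cred, device, action))
    events.sort()  # process in time order regardless of how the log was written
    return events


def find_concurrent_use(events, window=WINDOW):
    """Return {credential: set of devices} for credentials seen on more than
    one device within `window`; such sharing is what the page says went unchecked."""
    recent = defaultdict(list)   # credential -> [(timestamp, device), ...] inside the window
    flagged = defaultdict(set)
    for ts, cred, device, _ in events:
        # Forget sightings older than the window before comparing.
        recent[cred] = [(t, d) for t, d in recent[cred] if ts - t <= window]
        other_devices = {d for _, d in recent[cred] if d != device}
        if other_devices:
            flagged[cred].update(other_devices | {device})
        recent[cred].append((ts, device))
    return dict(flagged)


def activity_by_credential(events):
    """Traceability view: {credential: {device: {action: count}}}, so every
    operation on the platform can be attributed to an account and a device."""
    summary = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for _, cred, device, action in events:
        summary[cred][device][action] += 1
    return {c: {d: dict(a) for d, a in devs.items()} for c, devs in summary.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for cred, devices in find_concurrent_use(evts).items():
        print(f"ALERT: {cred} used concurrently from {sorted(devices)}")
    for cred, devs in activity_by_credential(evts).items():
        print(cred, devs)
```

In the constructed sample only `agency_alpha` is flagged: its two devices act within a minute of each other, whereas `agency_beta` changes device two hours later, which a policy would more likely treat as a legitimate new session than as credential sharing. The window is the tunable that separates the two cases and should be set from the platform's real session behaviour.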

With reference to the amount of the penalty, as already stated, the Authority issued the highest penalty ever, taking into consideration: (i) the severity of the violations, considering the object and purpose of the processing in the context of a telemarketing activity, as well as the number of subjects involved and the duration of the unlawful conduct (from 2015 to 2022); (ii) the negligent nature of the violations, as an aggravating factor; and (iii) the additional aggravating factor of the high degree of responsibility of the data controller who adopted ineffective technical and organizational measures that were not suitable to protect its customers’ data.

This is certainly a harsh measure, perhaps the result of the soured relationship with Enel, but it is a reminder to all data controllers that proper control of their supply chain is absolutely necessary.

f.montanari@macchi-gangemi.com
l.caprio@macchi-gangemi.com
