Iren Mercato S.p.A. – €2,856,169 Fine (Italy, 2021)

€2,856,169Garante per la protezione dei dati personali13 May 2021Italy
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Iren Mercato S.p.A. was fined over EUR 2.8 million for sending promotional messages without checking if they had proper consent. This is important because it stresses the need for companies to verify consent before using personal data for marketing. The ruling warns businesses about the risks of using third-party data without ensuring all consents are valid.

What happened

Iren Mercato S.p.A. sent unsolicited advertising messages without verifying consent for data transfers.

Who was affected

Individuals who received promotional messages from Iren Mercato S.p.A. without having given consent.

What the authority found

The Italian DPA ruled that Iren Mercato S.p.A. violated GDPR by failing to ensure valid consent for data used in telemarketing.

Why this matters

This case highlights the critical importance of verifying consent when acquiring data from third parties. Companies should implement robust consent management processes to avoid hefty fines.

GDPR Articles Cited

AI-verified

Art. 5(1) GDPR
Art. 6(1) GDPR
Art. 7(1) GDPR
View original scraped data
Art. 5(1) GDPR
(2) GDPR
Art. 6(1) GDPR
Art. 7(1) GDPR

Original data from scraper before AI verification against source document.

Source verified 5 March 2026
national law identified
Italy enforcementGarante per la protezione dei dati personali actionsAll Iren Mercato S.p.A. actions
Full Legal Summary
Detailed

The Italian DPA (Garante) fined Iren Mercato S.p.A. EUR 2,856,169 for failing to verify that all transfers of data of recipients of promotional activities were covered by consent. Several data subjects filed complaints with the DPA against the controller because they had received unsolicited advertising to which they had never consented. In its investigation against the cotroller, the DPA found that the cotroller had in fact processed personal data for telemarketing activities that it had not collected directly but had acquired from other sources. It had not checked whether valid consents had been obtained from the advertising addressees for all transfers of the data. The controller had received lists of personal data from one company, which in turn had acquired them from two other companies. The latter companies had obtained the consent of potential customers for the telemarketing carried out by them and by third parties, but this consent did not include the transfer of customer data to the controller. In this context, the DPA emphasized that consent given by a customer to a company for third-party promotional activities cannot extend its effectiveness to subsequent transfers to other operators.

Related Enforcement Actions (0)

No other enforcement actions found for Iren Mercato S.p.A. in IT

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

13 May 2021

Authority

Garante per la protezione dei dati personali

Fine Amount

€2,856,169

Enforcement Tracker ID

ETid-737

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Iren Mercato S.p.A. - Italy (2021). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: