Enel Energia Spa – €26,513,877 Fine (Italy, 2021)

Enel Energia is one of Italy's most important energy providers. Following hundreds of reports and complaints from users who complained about receiving unwanted promotional phone calls by Enel Energia including, including pre-recorded calls, the Italian DPA (GPDP) opened an investigation. The GPDP received complaints from citizens regarding a persistent and disturbing sense of interference in their sphere of privacy due to these practices, which are often accompanied by behavior that complainants perceived as not only invasive, but also particularly aggressive. The GPDP ascertained the following violations by Enel Energia: Violation of Article 31 GDPR, for failing to provide any response to the request sent by the GPDP to the Company on 17 December 2019. The company only replied to the GPDP until it was requested to do so a third time. It did not provide, in a collaborative and proactive manner, analytical and detailed answers on the different cases reported, so as to facilitate any appropriate assessment by the Authority. Violation of Article 5(2) GDPR and Article 25(1) GDPR, for not having taken effective action against undue promotional contacts made in its name by exercising its duties of accountability and privacy by design (through elements of prevention, functionality, security, transparency of treatment and centrality of the person concerned). Violation of Article 5(2) GDPR, for failing to provide evidence of compliance with data protection legislation in the case of unsolicited promotional communications by a business partner. Violation of Article 5(2) and Article 24 GDPR, for failing to control the activities of its business partners, including through appropriate technical and organisational measures. Violation of Article 5(1)(d) GDPR, for having mistakenly associated the number from which a call had been made to the company's free phone number with the claimant's personal data (presumably a landline used once only once by the claimant). Violation of A