Mas s.r.l. – €1,800,000 Fine (Italy, 2023)

In February 2021, the Italian Financial Police (Guardia di Finanza) informed the Italian DPA that two related companies, MAS S.R.L. and MAS S.R.L.S., were engaging in door-to-door marketing and ilegally using personal data to promote and offer contracts with electric companies. Initially, the DPA opened an investigation only against the two companies. However, the investigations revealed a complex system of direct and indirect contractual relationships, with two companies in the energy sector as final recipients of said marketing services: HERA COMM and ENEL ENERGIA. Operating as part of that system, MAS S.R.L.S. first bought personal data bases from an Italian and a Spanish company and also from an unidentified vendor on Facebook. Then, together with MAS S.R.L., it processed these data for door-to-door marketing on behalf of the electric companies, without telling consumers that they were mere intermediaries. Additionally, the companies did not tell them how they collected their personal data. Moreover, MAS S.R.L. and MAS S.R.L.S. shared the collected personal data with telemarketing companies SESTA IMPRESA and ARNIA, that further processed the data for telephone advertising. During the investigation, no proof of consumer consent was provided. The DPA also found that SESTA IMPRESA got the credentials to access ENEL's infromation systems and shared them with ARNIA. In turn, ARNIA used these credentials to upload the signed contracts into the system without authorization from ENEL. None of the telemarketing companies had a written contract with ENEL appointing them as processors. Although ARNIA had been appointed as a processor by SESTA in 2019, none of the other companies had signed data processing or joint controllership agreements. They were also not appointed as processors or sub-processors by other intermediaries nor by the final customers HERA COMM and ENEL. The DPA also verified that the marketing activities involved a large number of consumers as ARNIA up