Facile.Energy SRL – €100,000 Fine (Italy, 2024)

Between January 2022 and March 2023, the DPA received several complaints against an electricity company (Facile.Energy SRL). The data subjects complained that they had received unwanted telemarketing phone calls. According to them, the controller did not collect their consent before performing the phone call. Moreover, some of them further argued that they had previously signed up for the Italian Public Opt-out Registry (Registro Pubblico delle Opposizioni - RPO). The RPO is an Italian registry extended to all national phone numbers, which allows citizens to opt-out of unwanted telemarketing calls. Furthermore, they stressed the fact that the controller had, without their request, activated for them an energy supply contract at unfair prices. Therefore, they believe they suffered material and non-material damage as a consequence of the illegal processing of their data. The controller argued that its processing was lawful. More specifically, it pointed out that the data subjects had not been contacted by the controller itself, but by a “teleseller”, which had the role of finding the phone numbers of potential customers and contacting them on behalf of the controller. The controller explained that it had entered in a “teleselling contract” with the processor. This contract laid down an obligation for the processor to collect data subjects’ consent before contacting them. Moreover, it contained an indemnification clause, so that the controller would not have any liability as for the processor’s compliance with data protection law. The DPA criticised the conduct of the controller, arguing that the evidence collected showed a “worrying outline of non-compliance with the GDPR”. The DPA rejected the controller’s argument leaning on the “teleselling” contract. It was of the view that such an agreement cannot exempt a controller from respecting GDPR and prevent it from being liable if a violation occurs. The DPA’s reasoning is based on several articles of the GDPR. Fir