Illumia – €678,897 Fine (Italy, 2024)

Two complaints were advanced by two data subjects against the energy supply company Illumia, the controller. The first data subject claimed to have been contacted for telemarketing purposes on their telephone number, without a relevant legal basis and although he was listed in the “Opposition Register” (in Italian “Registro delle Opposizioni”), a register where consumers can express their preference not to be contacted for telemarketing purposes. The second data subject, who was already a client of the controller, claimed that she was called on her son´s contact number (the contact number put down for energy supplies exchanges) from an operator from the commercial office of the controller. During the conversation, this operator claimed that the controller was aware of the intention of the data subject to switch to another operator for energy and gas supplies. They also considered that the contract switch that the data subject requested would not be feasible and then the data subject would need to conclude a new contract with the controller. The DPA decided to start investigating on this matter and advanced two information requests, asking the controller to prove that its telemarketing activities complied with data protection rules. The controller replied that, before contacting data subjects, all agencies belonging to their commercial sphere were required to check the numbers that they are going to contact. The controller considered that neither the number of the operator from the commercial office nor the data subjects´ numbers were present in the controller´s registers. The controller also submitted that they already advanced a complaint against an unknown party to the Postal Police due to these circumstances. The DPA concluded its investigation and found the following violations. Violation of Articles 5, 6 and 7 of the GDPR The DPA started its analysis by stating that, in relation to the second complaint, it is clear that the operator was aware of some per