Energia Pulita S.r.l. – €300,000 Fine (Italy, 2025)

The Italian data protection authority received many complaints of aggressive telemarketing practices carried out on behalf of energy company Energia Pulita S.r.l. (the data controller). Some of the complainants reported deceitful marketing practices. Others were called despite their number’s inclusion in Italy’s Do Not Call registry. In November 2023 the authority started a broad investigation on the controller. Additionally, the authority required information about all of the purchase offers from February 5 to February 12 2024. Privacy compliance and quality controls The authority inquired about the measures taken by the data controller to ensure privacy compliance both in its own marketing activities, and in the marketing activities of its subcontractors (acting as data processors or sub-processors). The controller implemented some technical and organizational measures to implement data protection principles, including quality check calls and checks for the recipient’s consent to marketing. Starting March 2024, the controller implemented a more robust privacy compliance program: for instance, the controller provided its employees with privacy training and adopted more robust privacy standards for its contractors. The authority found these measures to be insufficient. The authority held that the data controller failed to vigilate over the privacy practices of its subcontractors. Additionally, the controller failed to choose subcontractors with robust privacy practices. In this regard, the authority pointed out that it still received complaints about aggressive marketing on behalf of the controller after March 2024. The authority also observed that controllers must adopt appropriate technical and organisational measures to ensure the implementation of data protection principles from the very beginning of the data processing (data protection by default). Consent and the Do Not Call registry The data controller pointed out that some of the recipients (the data subject