Enel Energia S.p.a. – €563,052 Fine (Italy, 2026)

The controller for the case is Enel Energia S.p.a., Italy’s largest energy provider. Several customers (the data subjects) filed complaints over the controller’s marketing practices. Some of the data subjects complained about unwanted marketing calls from third parties (the processors) on behalf of the data controller. Other data subjects received “customer care” calls from the controller, during which the controller also put forward marketing proposals for different contracts. All data subjects had denied their consent to the use of their data for marketing purposes. The DPA addressed all the complaints with a single investigation. The investigation revolved around three distinct issues: * the marketing propositions during “customer care”-type of calls; * the unwanted calls from the processors; * the controller’s reliance on processors for its marketing activities. Overall, the DPA concluded that the controller violated Articles 5, 6, 7, 24 and 28 GDPR as well as [https://www.garanteprivacy.it/documents/10160/0/Codice+in+materia+di+protezione+dei+dati+personali+%2528Testo+coordinato%2529.pdf/b1787d6b-6bce-07da-a38f-3742e3888c1d?version=14.0 Article 130 of the national GDPR implementation law]. On these grounds, the DPA issued a €563,052 fine. = The DPA first clarified that customer care calls are not considered a form of direct marketing. Generally, such calls are lawful under Article 6(1)(b) GDPR and can therefore take place without the data subject’s consent. However, the DPA also noted that such calls should not become an excuse to carry out non-consensual marketing. In the DPA's view, a controller may only provide marketing information during a customer care call if the recipient had previously consented to direct marketing, or if the recipient themselves requested the information. On these grounds, the DPA held that the controller processed personal data unlawfully for the purpose of marketing its services. = The investigation found that the controller us