Enel Energia S.p.A – Fine (Italy, 2021)

Originial fine summary: The Italian DPA has fined Enel Energia S.p.A EUR 26.5 million for numerous breaches of the GDPR. Following a complex preliminary investigation launched after hundreds of reports and complaints from users, the DPA finds that the controller illegally processed the personal data of millions of users for telemarketing purposes. The DPA found, among other things, that data subjects received unsolicited promotional calls in the name of and on behalf of Enel Energia, in some cases even recorded calls. Some of the data subjects still received advertising calls, even though they had already requested Enel Energia to delete their personal data several times or had objected to their processing for advertising purposes. In particular, the DPA found that Enel Energia had not provided data subjects with the required and timely feedback on their requests to exercise their rights of access and opposition. In addition, the DPA found that the company had not sufficiently cooperated with the DPA during the investigation. For example, Enel Energia failed to respond to various inquiries from the DPA. In assessing the fine, the DPA considered the following factors aggravating: the seriousness of the violations, the duration and repetition of the violations, as well as the large number of persons affected and the negligence of the conduct. Update: The Court of Rome overturned the fine of EUR 26.5 million.