- Authority: Guarantor for the protection of personal data
- Company: Eni Gas y Luce SpA (EGL)
- Penalty amount: 8,500,000
- Subject: Telemarketing and teleselling
- Infringement: Article 5(1)(a)(c)(e), Article 6(1)(a), Article 7(1), Article 25 and Article 31 RGPD
Eni Gas y Luce SpA processed the personal data of hundreds of people, for a very long period of time, without any legitimizing basis. In particular, it processed the personal data of the interested parties for the purpose of offering its products through advertising calls without the consent of the interested parties. Dozens of people complained to the “Garante per la protezione del dati personali”. In the course of the investigation the authority concluded that:
With its advertising activity, it has been importunate to people who had expressly declared their opposition to receiving any type of message or call with advertising content.
I do not take the technical organizational measures to guarantee the rights of the interested parties (nor do I record their requests) and therefore I violate the substantial principles of the regulation by depriving individuals of their rights.
The company also negligently made advertising calls to persons who were registered in the Italian ‘public opposition register’. This demonstrated the absence of any control or security measures.
It was demonstrated that the periods of data storage were not subject to any limit, being stored for much longer periods than they should be.
The purchase of personal data from suppliers was illegitimate as there was no consent from the data subjects to carry out such a transfer. EGL did not carry out any control over the legality of the data it incorporated into its files. It did not demonstrate the minimum diligence required.
No cooperation with the authority during the investigation, responding in a contradictory manner to requests for information and the presentation of documents.
It was demonstrated that the processing of personal data did not comply with the principles set out in Article 5 of the RGPD.
The data obtained to make the advertising phone calls were obtained from various sources. 1) Data that appeared in the company’s database. 2) Purchase from suppliers. 3) Generated automatically by the completion of forms by the interested parties themselves. None of the sources had a legitimate basis for processing personal data for telemarketing purposes.
They were taken into account as aggravating measures:
- Wide scope of the treatments and high number of people involved.
- Violation of, in addition to the right to protection of personal data, the right to individual peace of mind and the right to confidentiality.
- Great difficulty faced by the data subjects to oppose the processing of their personal data.
- The multiplicity of infringed behaviours.
- The lack of technical and organisational measures to protect the security of personal data.
- The duration of the infringement (it lasted for months)
- Lack of deployment of minimum diligence by the company.
- The existence of economic advantages derived from telemarketing activities.
- The company was a repeat offender.
The resolution imposes formal obligations on the company regarding the implementation of procedures and systems to ensure that the anti-legalisation cannot take place again. It is noted that after the investigation the company took the relevant technical and organisational measures.