GDPR · Mar 30, 2026

Garante per la protezione dei dati personali (Italy) - 10233396

Italian DPA fines Enel Energia €563K for unlawful direct marketing via inadequate SMS consent system.

Summary

Italy's Garante per la protezione dei dati personali (DPA) sanctioned Enel Energia S.p.a. with a €563,052 fine for processing personal data unlawfully in direct marketing campaigns. The DPA found that the company's SMS-based opt-out notification system was insufficient to document valid consent, with unreasonably short opt-out windows (as brief as 90 seconds) and inadequate processor vetting. The decision reinforces the DPA's preference for double opt-in systems and stricter accountability over single opt-out mechanisms.

Full text

Revision history: difference between the revisions of 13:38 and 14:12, 30 March 2026 (2 intermediate revisions by the same user not shown). The changed passages, as they read in the later revision:

On the unwanted calls

During the investigation, the controller failed to prove that the data subjects had consented to direct marketing. In particular, the controller implemented an SMS notification system as a way to both ensure the validity of consent and document said consent; however, the DPA considered that the system was not sufficient for such purposes. On these grounds, the DPA held that the controller processed personal data unlawfully.

On the controller's reliance on processors

In particular, the DPA observed that it had sanctioned one of the processors in the past. While engaging with this processor was in and of itself lawful, the controller had done so without auditing it and without ensuring that it had remedied its past violations. On these grounds, the DPA held that the controller violated Articles 5, 4 and 28 GDPR.

Comment

In the controller's view, this system was sufficient to properly document consent. The DPA, however, noted that the time limit for opting out was very short (sometimes as short as 90 seconds). The DPA also noted that many data subjects would likely dismiss an SMS containing a link as spam or as a fraud attempt, as it is generally inadvisable to open links found in SMS messages. In the DPA's view, this opt-out system could be abused for data laundering, whereas a double opt-in system could prevent such a risk.

Notably, the controller and the DPA also disagreed on the legal "weight" of the Code of conduct for telemarketing (https://www.garanteprivacy.it/documents/10160/0/Codice+di+condotta+per+le+attivit%C3%A0+di+telemarketing+e+teleselling+-+marzo+2024.pdf/7c3e438f-b9fd-7f7e-2f78-e03aa61104be?version=4.0), a best practices code approved by the DPA itself in 2024. The controller noted that the Code listed opt-out systems as a possible way to document consent in the context of direct marketing. On these grounds, the controller argued that the system had to be fit for such a purpose. The DPA, however, took the view that the Code merely served as an example of best practices and did not introduce derogations to the GDPR or presumptions of GDPR conformity. As explained above, the DPA ultimately held that the opt-out system implemented by the controller could not document data subjects' consent. This is one of several recent decisions in which the DPA required, or at least strongly suggested, a double opt-in system as a way to document consent to direct marketing (see for instance: Garante per la protezione dei dati personali (Italy) - 10143278).

Revision as of 14:12, 30 March 2026

Garante per la protezione dei dati personali - 10233396

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR; Article 6 GDPR; Article 7 GDPR; Article 24 GDPR; Article 28 GDPR; d. lgs. 196/2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 12.03.2026
Published:
Fine: 563,052 EUR
Parties: Enel Energia S.p.a.
National Case Number/Name: 10233396
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: carloc

The DPA fined an energy company €563,052 over its marketing activities. The company advanced marketing proposals during customer care calls, failed to oversee the operations of its processors, and failed to prevent unlawful marketing calls on its behalf.

English Summary

Facts

The controller for the case is Enel Energia S.p.a., Italy's largest energy provider. Several customers (the data subjects) filed complaints over the controller's marketing practices. Some of the data subjects complained about unwanted marketing calls from third parties (the processors) on behalf of the data controller. Other data subjects received "customer care" calls from the controller, during which the controller also put forward marketing proposals for different contracts. All data subjects had denied their consent to the use of their data for marketing purposes.

The DPA addressed all the complaints with a single investigation. The investigation revolved around three distinct issues: the marketing propositions during "customer care"-type calls; the unwanted calls from the processors; and the controller's reliance on processors for its marketing activities.

Holding

Overall, the DPA concluded that the controller violated Articles 5, 6, 7, 24 and 28 GDPR as well as Art. 130 of Italy's "Privacy code". On these grounds, the DPA issued a €563,052 fine.

On the "customer care" calls

The DPA first clarified that customer care calls are not considered a form of direct marketing. Generally, such calls are lawful under Article 6(1)(b) GDPR and can therefore take place without the data subject's consent. However, the DPA also noted that such calls should not become an excuse to carry out non-consen