GDPR - Apr 1, 2026

Garante per la protezione dei dati personali (Italy) - 10233396

Italian DPA fines Enel Energia €563,052 for unlawful marketing calls and processor oversight failures.

Summary

Italy's data protection authority (Garante) fined the energy company Enel Energia €563,052 for violating GDPR Articles 5, 6, 7, 24 and 28. The violations included pushing marketing proposals during customer care calls without consent, relying on a flawed SMS-based opt-out system that could not document consent and was open to data laundering, and failing to adequately oversee the third-party processors making marketing calls on its behalf.

Full text

Garante per la protezione dei dati personali - 10233396

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR, Article 6 GDPR, Article 7 GDPR, Article 24 GDPR, Article 28 GDPR, d. lgs. 196/2003
Type: Complaint
Outcome: Upheld
Started:
Decided: 12.03.2026
Published:
Fine: 563,052 EUR
Parties: Enel Energia S.p.a.
National Case Number/Name: 10233396
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: carloc

The DPA fined an energy company €563,052 over its marketing activities. The company advanced marketing proposals during customer care calls, failed to oversee the operations of its processors, and failed to prevent unlawful marketing calls made on its behalf.
English Summary

Facts

The controller in this case is Enel Energia S.p.a., Italy's largest energy provider. Several customers (the data subjects) filed complaints over the controller's marketing practices. Some of the data subjects complained about unwanted marketing calls made by third parties (the processors) on behalf of the controller. Other data subjects received "customer care" calls from the controller, during which the controller also put forward marketing proposals for different contracts. All data subjects had refused consent to the use of their data for marketing purposes.

The DPA addressed all the complaints in a single investigation, which revolved around three distinct issues: the marketing proposals made during "customer care" calls; the unwanted calls from the processors; and the controller's reliance on processors for its marketing activities.

Holding

Overall, the DPA concluded that the controller violated Articles 5, 6, 7, 24 and 28 GDPR as well as Article 130 of the national GDPR implementation law. On these grounds, the DPA issued a €563,052 fine.

On the "customer care" calls

The DPA first clarified that customer care calls are not considered a form of direct marketing. Generally, such calls are lawful under Article 6(1)(b) GDPR and can therefore take place without the data subject's consent. However, the DPA also noted that such calls must not become a pretext for non-consensual marketing. In the DPA's view, a controller may only provide marketing information during a customer care call if the recipient had previously consented to direct marketing, or if the recipient themselves requested the information.
On these grounds, the DPA held that the controller processed personal data unlawfully for the purpose of marketing its services.

On the unwanted calls

The investigation found that the controller used an SMS-based opt-out system to document consent to its so-called "call-back process". Data subjects (customers and prospective customers alike) could enter their contact details in a form on the controller's website and request a call from an operator. The controller would then automatically send an SMS to the data subject. The SMS informed the data subject that their number had been provided to the controller and prompted them to opt out of the call-back (via a link) if they had not provided the number themselves. If the data subject did not use the link, the controller treated the data subject's consent as valid and flagged their number as usable for marketing purposes.

In the controller's view, this system was sufficient to properly document consent. The DPA, however, noted that the time limit for opting out was very short (sometimes as short as 90 seconds). The DPA also noted that it is generally inadvisable to open links found in SMSs and that many data subjects would likely dismiss the controller's message as spam or as a fraud attempt. In the DPA's view, this opt-out system could be abused for data laundering, whereas a double opt-in system could prevent such a risk. On these grounds, the DPA held that the opt-out system implemented by the controller could not document the consent of data subjects, and concluded that the controller processed the data subjects' numbers without a legal basis.

On the controller's reliance on processors

Finally, the DPA investigated the relationships between the controller and the third-party callers and found that the third parties were acting as processors.
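To make the difference concrete, the following is an added model (not code from the decision or from the controller's systems) of the two consent flows discussed above: the controller's SMS opt-out, where silence inside a short window is treated as consent, beside a double opt-in, where a number stays unusable until the recipient actively confirms. Flow names, states and the phone number are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Consent(Enum):
    NONE = "none"          # no marketing allowed
    PENDING = "pending"    # form submitted, confirmation still outstanding
    GRANTED = "granted"    # number may be flagged for marketing

@dataclass
class ConsentRecord:
    number: str
    submitted_by: str          # who typed the number into the web form
    status: Consent = Consent.NONE
    log: list = field(default_factory=list)

def sms_opt_out_flow(number, submitted_by, recipient_action, window_s=90):
    """Controller's scheme as the decision describes it: an SMS goes out and
    the number counts as consented unless the recipient opens the link and
    opts out before the window closes. Any other outcome (SMS ignored as spam,
    opt-out too late) ends in GRANTED: the data-laundering gap the DPA flagged."""
    rec = ConsentRecord(number, submitted_by)
    rec.log.append(f"sms sent, opt-out window {window_s}s")
    rec.status = Consent.NONE if recipient_action == "opted_out" else Consent.GRANTED
    rec.log.append(f"recipient {recipient_action} -> {rec.status.value}")
    return rec

def double_opt_in_flow(number, submitted_by, recipient_action):
    """Double opt-in as the DPA pointed to: the number stays PENDING until the
    recipient actively confirms, regardless of who submitted it."""
    rec = ConsentRecord(number, submitted_by)
    rec.log.append("confirmation request sent")
    rec.status = Consent.GRANTED if recipient_action == "confirmed" else Consent.PENDING
    rec.log.append(f"recipient {recipient_action} -> {rec.status.value}")
    return rec

def usable_for_marketing(rec):
    """The marketing flag the controller set on its lists: only GRANTED qualifies."""
    return rec.status is Consent.GRANTED

if __name__ == "__main__":
    # Constructed scenario: a third party enters someone else's number and the
    # real holder dismisses the SMS as spam (placeholder number, constructed).
    victim = "+39 000 0000000"
    for flow in (sms_opt_out_flow, double_opt_in_flow):
        rec = flow(victim, "third_party", "ignored")
        print(f"{flow.__name__}: usable={usable_for_marketing(rec)} {rec.log}")
```

Under the opt-out flow the ignored SMS leaves the number flagged for marketing; under double opt-in the same inaction leaves it pending and unusable.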
The DPA also found that the controller had failed to monitor the processors' operations and that it had been careless in choosing some of its processors. In particular, the DPA observed that it had sanctioned one of the processors in the past. While engaging this processor was in itself lawful, the controller had done so without auditing it and without ensuring that it had remedied its past violations. On these grounds, the DPA held that the controller violated Articles 5, 24 and 28 GDPR.

Comment

This is one of several recent decisions in which the DPA required, or at least strongly suggested, a double opt-in system as a way to document consent to direct marketing (see for instance Garante per la protezione dei dati personali (Italy) - 10143278).

The DPA and the controller engaged in some interesting back-and-forth about the value of Italy's Code of conduct for telemarketing and teleselling. In defending its SMS-based opt-out system, the controller pointed out that such systems are explicitly listed in the Code of conduct as one of several possible ways to document consent, and that the DPA itself had officially approved the Code's content. On these grounds, the controller argued that such systems must be deemed effective for the purpose of documenting consent. The DPA, however, held that the Code merely serves as an example of best practices and does not introduce GDPR derogations or presumptions of compliance.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Newsletter of March 26, 2026

[web doc. no. 10233396]

Measure of March 12, 2026

Register of Measures No. 170 of March 12, 2026

THE ITALIAN DATA PROTECTION AUTHORITY

IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Claudio Filippi, Deputy Secretary General;

CONSIDERING Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of s