Garante per la protezione dei dati personali (Italy) - 312/2026
Italian DPA fines Nuova Corrente S.r.l. €15,000 for GDPR violations.
Summary
Italy's Garante per la protezione dei dati personali (DPA) has fined Nuova Corrente S.r.l., a utilities company, €15,000 for multiple GDPR violations. The violations stemmed from a complaint about unsolicited direct marketing calls and inadequate response to a data subject's access request. The DPA found that Nuova Corrente provided contradictory information about data acquisition and failed to demonstrate lawful processing, delegating significant decisions to its processor, Joseph Agency S.r.l.s.
Full text
Help Garante per la protezione dei dati personali (Italy) - 312/2026: Difference between revisions From GDPRhub Jump to:navigation, search VisualWikitext Revision as of 10:30, 9 June 2026 view sourceAp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators674 edits Tag: submission [1.0] Latest revision as of 10:33, 9 June 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators674 editsmTag: Visual edit Line 82: Line 82: === Facts ====== Facts === Nuova Corrente S.r.l. (the controller) is a utilities company. A data subject filed a complaint with the DPA, on the grounds that they had received several direct marketing calls on behalf of the controller. According to the data subject, their data was processed for fraudulent purposes, as they were not aware that they were entering into a contract until the second call. The controller had also not responded adequately to the data subject’s access request under [[Article 15 GDPR|Article 15 GDPR]].Nuova Corrente S.r.l. (the controller) is a utilities company. A data subject filed a complaint with the DPA, on the grounds that they had received several direct marketing calls on behalf of the controller. According to the data subject, their data was processed for fraudulent purposes, as they were not aware that they were entering into a contract until the second call. The controller had also not responded adequately to the data subject’s access request under [[Article 15 GDPR]]. The controller responded to the access request during the DPA’s investigations. The controller explained that the data subject’s data had been processed by a separate company (Joseph Agency S.r.l.s, the processor) hired by the controller to carry out promotional activities.The controller responded to the access request during the DPA’s investigations. The controller explained that the data subject’s data had been processed by a separate company (Joseph Agency S.r.l.s, the processor) hired by the controller to carry out promotional activities. Line 89: Line 89: === Holding ====== Holding === The DPA found a violation of Articles 5, 6, and 7 GDPR, as well as Article 130 of the Code. According to the DPA, the controller provided contradictory statements on how it obtained the data subject’s personal data. The controller named several companies as its source of the data subject’s data at different points of the investigation. The DPA also found issues with the way the one of the companies obtained consent, as it allowed for the data to be transferred indiscriminately regardless of the data subject’s choices. The DPA found a violation of [[Article 5 GDPR|Articles 5]], [[Article 6 GDPR|6]], and [[Article 7 GDPR|7 GDPR]], as well as [https://www.garanteprivacy.it/documents/10160/0/Codice+in+materia+di+protezione+dei+dati+personali+%28Testo+coordinato%29 Article 130 of the Code]. According to the DPA, the controller provided contradictory statements on how it obtained the data subject’s personal data. The controller named several companies as its source of the data subject’s data at different points of the investigation. The DPA also found issues with the way the one of the companies obtained consent, as it allowed for the data to be transferred indiscriminately regardless of the data subject’s choices. The DPA also found a violation of Articles 24 and 28. The DPA noted that the controller had not fulfilled its obligations arising from the principle of accountability, especially in explaining where the data subject’s data was obtained from or demonstrating that the data was processed lawfully. The DPA noted that the controller seemed to have completely delegated decisions on how to obtain personal data for direct marketing to its processor. The DPA also found a violation of [[Article 24 GDPR|Articles 24]] and [[Article 28 GDPR|28 GDPR]]. The DPA noted that the controller had not fulfilled its obligations arising from the principle of accountability, especially in explaining where the data subject’s data was obtained from or demonstrating that the data was processed lawfully. The DPA noted that the controller seemed to have completely delegated decisions on how to obtain personal data for direct marketing to its processor. Finally, the DPA found a violation of Articles 12 and 15 GDPR, as the controller had not adequately responded to the data subject’s access request. The DPA found that the controller lacked appropriate measures to handle data subjects’ requests to exercise their rights in general. Finally, the DPA found a violation of [[Article 12 GDPR|Articles 12]] and [[Article 15 GDPR|15 GDPR]], as the controller had not adequately responded to the data subject’s access request. The DPA found that the controller lacked appropriate measures to handle data subjects’ requests to exercise their rights in general. The DPA fined the controller €15,000. The DPA considered it a serious violation, as it affected at least nine other data subjects.The DPA fined the controller €15,000. The DPA considered it a serious violation, as it affected at least nine other data subjects. Latest revision as of 10:33, 9 June 2026 Garante per la protezione dei dati personali - 312/2026 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5 GDPR Article 6 GDPR Article 7 GDPR Article 12 GDPR Article 15 GDPR Article 24 GDPR Article 28 GDPR Art. 130 of the Code Type: Complaint Outcome: Upheld Started: 10.03.2026 Decided: 29.04.2026 Published: 02.06.2026 Fine: 15,000 EUR Parties: Nuova Corrente S.r.l. Joseph Agency S.r.l.s National Case Number/Name: 312/2026 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined a utilities company €15,000 for delegating the decisions on how to obtain data subjects’ data for marketing purposes to its processor. In addition, the controller failed to adequately respond to the data subjec’s access request. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Nuova Corrente S.r.l. (the controller) is a utilities company. A data subject filed a complaint with the DPA, on the grounds that they had received several direct marketing calls on behalf of the controller. According to the data subject, their data was processed for fraudulent purposes, as they were not aware that they were entering into a contract until the second call. The controller had also not responded adequately to the data subject’s access request under Article 15 GDPR. The controller responded to the access request during the DPA’s investigations. The controller explained that the data subject’s data had been processed by a separate company (Joseph Agency S.r.l.s, the processor) hired by the controller to carry out promotional activities. The controller claimed that the data was processed based on the data subject’s consent. The controller also argued it was not involved in any potential fraudulent conduct carried out on its behalf. The controller stated it assessed and terminated its contract with the processor in order to prevent similar situations in the future. Finally, the controller argued that it did not obtain most of its contact data from its processor. Holding The DPA found a violation of Articles 5, 6, and 7 GDPR, as well as Article 130 of the Code. According to the DPA, the controller provided contradictory statements on how it obtained the data subject’s personal data. The controller named several companies as its source of the data subject’s data at different points of the investigation. The DPA also found issues with the way the one of the companies obtained consent, as it allowed for the data to be transferred indiscriminately regardless of the data subject’s choices. The DPA also found a violation of Articles 24 and 28 GDPR. The D