Garante per la protezione dei dati personali (Italy) - 312/2026

Summary

Italy's Data Protection Authority (Garante per la protezione dei dati personali) issued a €15,000 fine to Nuova Corrente S.r.l., a utilities company, for violations of GDPR Articles 5, 6, 7, 12, 15, 24, and 28. The controller delegated decisions on obtaining personal data for direct marketing to a processor without proper accountability, provided contradictory statements about data sources, failed to adequately respond to a data subject's access request, and allowed the processor to transfer data indiscriminately without respecting subject choices. The violation affected at least nine additional data subjects beyond the initial complainant.

Full text

Help Garante per la protezione dei dati personali (Italy) - 312/2026: Difference between revisions From GDPRhub Jump to:navigation, search Newer edit →VisualWikitext Revision as of 10:30, 9 June 2026 view source Ap (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators674 edits Tag: submission [1.0]Newer edit → (No difference) Revision as of 10:30, 9 June 2026 Garante per la protezione dei dati personali - 312/2026 Authority: Garante per la protezione dei dati personali (Italy) Jurisdiction: Italy Relevant Law: Article 5 GDPR Article 6 GDPR Article 7 GDPR Article 12 GDPR Article 15 GDPR Article 24 GDPR Article 28 GDPR Art. 130 of the Code Type: Complaint Outcome: Upheld Started: 10.03.2026 Decided: 29.04.2026 Published: 02.06.2026 Fine: 15,000 EUR Parties: Nuova Corrente S.r.l. Joseph Agency S.r.l.s National Case Number/Name: 312/2026 European Case Law Identifier: n/a Appeal: Unknown Original Language(s): Italian Original Source: GPDP (in IT) Initial Contributor: ap The DPA fined a utilities company €15,000 for delegating the decisions on how to obtain data subjects’ data for marketing purposes to its processor. In addition, the controller failed to adequately respond to the data subjec’s access request. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Nuova Corrente S.r.l. (the controller) is a utilities company. A data subject filed a complaint with the DPA, on the grounds that they had received several direct marketing calls on behalf of the controller. According to the data subject, their data was processed for fraudulent purposes, as they were not aware that they were entering into a contract until the second call. The controller had also not responded adequately to the data subject’s access request under Article 15 GDPR. The controller responded to the access request during the DPA’s investigations. The controller explained that the data subject’s data had been processed by a separate company (Joseph Agency S.r.l.s, the processor) hired by the controller to carry out promotional activities. The controller claimed that the data was processed based on the data subject’s consent. The controller also argued it was not involved in any potential fraudulent conduct carried out on its behalf. The controller stated it assessed and terminated its contract with the processor in order to prevent similar situations in the future. Finally, the controller argued that it did not obtain most of its contact data from its processor. Holding The DPA found a violation of Articles 5, 6, and 7 GDPR, as well as Article 130 of the Code. According to the DPA, the controller provided contradictory statements on how it obtained the data subject’s personal data. The controller named several companies as its source of the data subject’s data at different points of the investigation. The DPA also found issues with the way the one of the companies obtained consent, as it allowed for the data to be transferred indiscriminately regardless of the data subject’s choices. The DPA also found a violation of Articles 24 and 28. The DPA noted that the controller had not fulfilled its obligations arising from the principle of accountability, especially in explaining where the data subject’s data was obtained from or demonstrating that the data was processed lawfully. The DPA noted that the controller seemed to have completely delegated decisions on how to obtain personal data for direct marketing to its processor. Finally, the DPA found a violation of Articles 12 and 15 GDPR, as the controller had not adequately responded to the data subject’s access request. The DPA found that the controller lacked appropriate measures to handle data subjects’ requests to exercise their rights in general. The DPA fined the controller €15,000. The DPA considered it a serious violation, as it affected at least nine other data subjects. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details. [web doc. no. 10255198] Provision of April 29, 2026 Register of Provisions No. 312 of April 29, 2026 THE ITALIAN DATA PROTECTION AUTHORITY IN today's meeting, attended by Professor Pasquale Stanzione, President, Professor Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia, Member, and Dr. Luigi Montuori, Secretary General; CONSIDERING Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation"); HAVING SEEN the Personal Data Protection Code (Legislative Decree No. 196 of June 30, 2003), as amended by Legislative Decree No. 101 of August 10, 2018, containing provisions for the adaptation of national legislation to the aforementioned Regulation (hereinafter the "Code"); HAVING SEEN the documentation in the file; HAVING SEEN the observations formulated by the Secretary General pursuant to Article 15 of the Guarantor's Regulation No. 1/2000, adopted by resolution of June 28, 2000; RAPPORTEUR: Professor Pasquale Stanzione; 1. INVESTIGATIVE ACTIVITY 1.1. Introduction With deed no. 36361 of March 10, 2026, notified on the same date by certified email, which is reproduced here in its entirety, the Office initiated, pursuant to Article 166, paragraph 5, of the Code, a proceeding for the adoption of the measures referred to in Article 58, paragraph 2, of the Regulation against Nuova Corrente S.r.l. (hereinafter "Nuova Corrente" or the "Company"), represented by its legal representative pro tempore, with registered office in Vibo Valentia (VV), Via Spogliatore, s.n.c., VAT no. 12126890966. The proceeding stems from an investigation initiated by the Authority following the receipt of a complaint in which the interested party complained of having received two promotional and fraudulent calls made in the interest of Nuova Corrente and of the inadequate response to the request submitted pursuant to Article 166, paragraph 5, of the Code. 15 of the Regulation. In this case, the interested party stated that the first contact had been made by an external company claiming to be the local distributor and feared a double billing error, warning that the interested party would be contacted again by a company called "Nuova Corrente." The second contact had been made by a Nuova Corrente operator and was aimed at concluding a new supply contract. Therefore, the interested party contacted the Authority to obtain the protections recognized by the applicable legislation on the protection of personal data. 1.2. Requests for information made by the Authority Having examined the complaint and all the attached documentation, with a note dated October 13, 2025 (see Prot. No. 135446/25), the Office invited Nuova Corrente, pursuant to art. 157 of the Code, to provide its observations regarding the content of the complaint. Subsequently, with a note dated November 3, 2025 (see Prot. No. 145522/25), the Company first responded to the interested party's original request for access, clarifying in particular that the complainant's personal data had "been acquired under an agency contract stipulated with the company JOSEPH AGENCY S.R.L.S. (…), duly registered in the Register of Communications Operators (…). This company had been entrusted (…) with carrying out promotional and customer acquisition activities, with specific contractual obligations regarding the protection of personal data. In turn, Joseph Agency S.r.l.s. acquired Ms. Ferrario's contact information from the company Clean Energy Consulting, which collected the data via the web portal https://offertegratis.com/infor

Entities