23 Jan A 11,5 million euros fine was imposed on the energy supplier EGL by the italian Data Protection Authority
On the one hand, EUR 8.5 million will have to be paid by EGL for unlawfully processing personal data in the context of promotional activities, and more specifically for:
-performing advertising calls without the consent of individuals, or without triggering the specific opt-out verification procedures.
-failing to put in place technical and organisational measures to take account of indications provided by users ;
-have kept the data for a longer period of time than authorised;
-acquiring data on potential customers from entities that have not obtained consent from individuals for the disclosure of their data.
The Italian DPA therefore ordered EGL to put in place measures to verify the consent of individuals on contact lists before the start of promotional campaigns, and furthermore prohibited the use of data made available by list providers if the latter had not obtained specific consent for the disclosure of such data to EGL.
Another 3 million euros were imposed for the activation of unsolicited contracts.
Approximately 7200 consumers were surprised to learn that they had entered into a new contract with EGL, following receipt of invoices from them or following receipt of cancellation letters from their former supplier. Many of them therefore reached out to the italian DPA, with complaints in some cases referring to false signatures or incorrect data in the contracts.
By acquiring new customers through external agencies operating on its behalf, the italian DPA therefore concluded that EGL had carried out processing activities in violation of the GDPR, in violation of the principles of data fairness, accuracy and up-to-dateness. It therefore ordered EGL to take several corrective measures in order to introduce specific alerts to detect procedural anomalies.