Garante per la protezione dei dati personali (Italy) - 10029424: Difference between revisions

Garante per la protezione dei dati personali - 10029424
Authority:	Garante per la protezione dei dati personali (Italy)
Jurisdiction:	Italy
Relevant Law:	Article 5(1)(f) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 24 GDPR Article 25 GDPR Article 28 GDPR Article 1(5) Legge 5/2018 Article 130 d.lgs. 196/2003
Type:	Complaint
Outcome:	Upheld
Started:	28.12.2023
Decided:	06.06.2024
Published:
Fine:	6,419,631 EUR
Parties:	Eni Plenitude S.p.A. Società Benefit
National Case Number/Name:	10029424
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Italian
Original Source:	Garante per la protezione dei dati personali (in IT)
Initial Contributor:	fb

The DPA fined €6,419,631 an energy company. The controller performed marketing phone calls even if the data subjects had signed up for the Opt-Out Registry, where consumers can withdraw consent to telemarketing with general effect.

English Summary

Facts

The DPA received 108 informal reports and 7 complaints about unsolicited phone calls by Eni Plenitude S.p.A. The data subjects complained that they had received phone calls by the controller, promoting its energy services. They argued that they either had never given their specific consent for telemarketing purposes or that they had signed up for the Italian Opt-Out Registry (Registro Pubblico delle Opposizioni – RPO). According to Article 1(5) of Law 5/2018, when a data subject signs up for the RPO, this has the effect of revoking the previous consent given for marketing purposes. However, consent is deemed valid if it was given in the context of a contract which is still in place and only if a simplified way to revoke the consent is provided.

First of all, the controller pointed out that some calls had been made by employees of partner companies in violation of the internal instructions given by the controller.

Additionally, the controller stated that certain phone numbers were acquired during a “co-marketing campaign”. The phone number was first collected by a third party, who contacted the data subject to promote other companies’ products. Then, if the data subject showed interest towards the controller’s products, this third party would have made another phone call to them. In the latter case, this entity would have acted as a processor.

Other phone calls were made for “win back” purposes, contacting former clients to propose them a new energy supply contract. The controller relied on the fact that Article 1(5) of Law 5/2018 allows to contact former customers – without checking if their phone number is in the RPO – if their contract was ceased no earlier than 30 days.

Moreover, the controller argued that some of the data subjects’ phone numbers were not in its list of contacted users. The controller classified these phone calls as “third party suspicious phone calls”. It argued that these phone calls had been made by third parties which were not authorised by the controller and that illegally used the controller’s name to promote other companies’ products.

Furthermore, the controller stated that it had been using two processors, which had the task of acquiring new phone numbers and making sure that their processing was relying on a legitimate legal basis (consent).

Finally, as for the RPO, it argued that most of the data subjects were called as they had specifically consented to that processing as per Article 1(5) of Law 5/2018.

Holding

Firstly, the DPA pointed out that the controller contacted 746 data subjects who had signed up for the RPO. The DPA rejected the argument of the controller about the applicability of the exception contained in Article 1(5) of Law 5/2018. It noted that the exception applies only if a simplified way of revocation was provided and found that this was not the case. Therefore, the DPA stated that the controller should have consulted the RPO before making the calls in order to make sure that the phone numbers were not in that register. As a consequence, the DPA held that the processing lacked of a lawful legal basis and found a violation of Article 5(1)(a) and 6 GDPR and Article 130 of the Italian Data Protection Code.

Secondly, as for the “co-marketing” campaigns, the DPA believed that this processing was not compliant with the GDPR. The DPA noted that, also in this case, the controller did not consult the RPO before performing the call. It held that the original consent cannot be used for further purposes and therefore found a violation of Article 5(1)(a) and 6 GDPR and Article 130 of the Italian Data Protection Code.

Thirdly, as for the “win back” campaign, the DPA noted that, generally speaking, this processing activity could be legitimate. However, it needs to be performed in a limited period of time after the data subject quits the contract. On the contrary, in some cases the data subject was contacted even 4 years after the termination of the contract.

Moreover, the DPA noted that the controller implemented insufficient technical and organisational measures to ensure that the whole processing activities were compliant with GDPR. According to the DPA, the controller should have implemented a structure to effectively monitor how processors were operating. On the contrary, the DPA found “major shortcomings” regarding the processors oversight, as the controller performed only formal checks and conducted audits only after an incident occurred. Therefore, the DPA found a violation of Article 5(1)(f), 5(2), 24, 25 and 28 GDPR.

On these grounds, the DPA issued a fine of €6,419,631.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[doc. web no. 10029424]

Provision of 6 June 2024

Register of measures
n. 342 of 6 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER Prof. Pasquale Stanzione;

1. THE INVESTIGATORY ACTIVITY CARRIED OUT

1.1. Premise

With communication dated 28 December 2023, n. 170450/23 (notified on the same date by certified email), which must be considered reproduced in full here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation towards Eni Plenitude S.p.A. Benefit Company (hereinafter “Eni Plenitude” or the “Company”), in the person of the legal representative pro tempore, with registered office in San Donato Milanese (MI), Piazza Vanoni n. 1, VAT number 12300020158.

The proceeding originates from an investigation started by the Authority, following the transmission of 108 reports and 7 complaints against the Company, regarding the receipt of unwanted promotional calls made without the prior acquisition of the interested party's consent or using registered numbers to the Public Register of Oppositions (hereinafter, “RPO”).

For the purposes of adopting this provision, the Authority duly took into consideration the appreciable measures to adapt to the legislation on the protection of personal data implemented in compliance with the corrective and sanctioning measures imposed with measures nos. 231 and 232 of 11 December 2019, adopted against the Company for having carried out illicit processing of personal data in the context of promotional activities and unsolicited activations of energy supplies (both available for consultation on the website www.gpdp.it, doc -web nos. 9244358 and 9244365).

1.2. The conduct of the investigation and the requests for information formulated by the Authority

1.2.1. The request for information pursuant to art. 157 of the Code

With a note dated 6 April 2023, the Office sent Eni Plenitude a cumulative request for information formulated pursuant to art. 157 of the Code (see protocol no. 58836/23), useful for the evaluation of 108 reports and 7 complaints received by the Authority in the period between September 2021 and March 2023, relating, for the most part, to the matter of telemarketing. With the same note, the Company was asked to «provide a list of purchase proposals coming from its sales network which led to the activation of energy services in the period from 6 March 2023 to 13 March 2023 inclusive, divided between "residential ” and “business””, as well as any evidence that emerged in relation to report no. 162187, with which the Company had brought to the attention of the Authority the phenomenon of the so-called. “suspicious calls”.

With a subsequent note dated 11 May 2023 (see Prot. no. 75644/23) the aforementioned request was again sent to the owner, since following internal checks and in light of the feedback provided by the DPO of the Eni Group, the Office has was able to ascertain that, due to a mere error, the communication had not been sent to the Company.

With a first response dated 26 May 2023 (see Prot. no. 84539/23 of 29 May 2023) Eni Plenitude sent the list of purchase proposals coming from its sales network and solicited by a telephone contact with the customer, collected through the following channels:

• “Outbound teleselling”: the call centers contact customers and potential customers (so-called prospects) based on lists of details provided or authorized by Eni Plenitude;

• "Comparator": partners who, through their own comparison site and/or structured web activities, gather the interest of prospective customers, with whom they subsequently carry out telephone recontact activities in order to illustrate the commercial offers of the various suppliers subject to comparison;

• “Web-assisted”: the call centers recontact by telephone the customers/prospects who have previously expressed the desire to receive an illustration of a commercial proposal from Eni Plenitude by filling in specific forms on the Company's website.

With specific reference to the request to provide the IP address of the workstation that uploaded the contractual proposals, the Company declared that at the time of notification of the request for information pursuant to art. 157 of the Code, this type of data was not tracked and that, following the approval of the Code of Conduct for telemarketing and teleselling activities, the Company «started a working group aimed at evaluating the most effective measures to guarantee the compliance with the provisions of the Code, among other things, with reference to the traceability of the operations carried out on the platform for the registration of contract proposals".

With a subsequent note filed on 9 June 2023 (see protocol 91502/23 of 12 June 2023), the Company transmitted the first deductions relating to the majority of the reports and complaints covered by this investigation, classifying the findings into 5 macro categories:

• “Legitimate contact” - the telephone contact was legitimately made by Plenitude network partners. To this end, a check of the name of the reporter was first conducted on the CRM and campaign operation (CoEVO) systems, the latter used to track telephone contacts made by the partners of the Plenitude network; subsequently, the privacy consents issued by the reporter were examined and tracked on the CRM for customers and former customers within 2 years and on CoEVO for prospects.

• “Suspicious calls from third parties” - the calling number is not present in the Register of Communications Operators (ROC), nor is it associated with partners of the Plenitude network on the Company's internal systems (see CoEVO). The company checks whether the calling number is present in the internal list prepared by the anti-fraud team as part of monitoring the phenomenon of suspicious calls (see Internal List of Suspicious Calls) and whether there are any reports relating to the calling number on the web pages dedicated to evaluation of the numbers used for telemarketing and/or teleselling activities (see "Online Reports"). Telephone contacts not solicited by users, made by some subjects with the aim of proposing to consumers to change provider, making incorrect and/or even misleading assumptions, are classified as suspicious.

• “FUB process being activated” – contacts made to prospect lists during the period of compliance with the RPO legislation fall into this category. The Company declared that "the process has been progressively started to be fully activated starting from 29 August 2022 for prospect lists" (see response dated 9 June 2023).

• “Lack of sufficient information to carry out checks” - the report does not contain sufficient information to allow checks to be carried out regarding the traceability of the contact to the Eni Plenitude network.

• “Analysis to be completed”.

In the same note, the Company highlighted that compared to the majority of files falling within the macro-category "suspicious calls from third parties", the calling numbers are repeated in multiple reports/complaints and are not registered with the ROC, nor are they present on the CoEVO system. Furthermore, these calls were often made in conjunction with promotional campaigns launched by Eni Plenitude itself, or in the period immediately following. With regard to these reports and complaints, the owner has expressed his desire to blacklist all the numbers indicated therein.

With regard to the phenomenon of suspicious calls, the Company also highlighted that starting from February 2020, an internal working group was launched, manned by the Anti-Fraud Team, which aims to continuously monitor reports concerning cases of suspicious calls and to compose an internal list of calling numbers. From the analysis of the data taken from this monitoring activity, it emerged that from 2021 to 2023 the cases falling within the phenomenon of suspicious calls were significantly reduced. In addition, starting from 2021 Eni Plenitude has created special channels to easily convey reports relating to the contacts in question (see toll-free number 800.689.829; chat; dedicated forms).

In the same note, the company provided further updates regarding report no. 162187, through which Eni Plenitude brought to the attention of the Guarantor the phenomenon of suspicious calls following undue telephone contacts received from internal parties and the judicial initiatives undertaken.

Subsequently, with note Prot. 98297 of 23 June 2023, the Office once again sent file no. to the company. 186509. This document transmission was requested several times by the company in the aforementioned findings, despite the fact that the files had already been transmitted together with the request for information pursuant to art. 157 of the Code. In the same note, the Office took note of the owner's desire "to send two separate replies, the second of which well beyond the deadline originally indicated", highlighting that "any extensions are permitted only upon presentation of a specific reasoned request to be presented to the Authority, which then evaluates the extent and reasons" and therefore inviting the company to transmit what was requested without further delay.

Subsequently, with feedback dated 29 June 2023 (see Prot. 101486 of 30 June 2023), the owner transmitted the results of the overall examination conducted on the cases subject to the complaint, classifying the reports and complaints as follows:

- 71% of complaints classified as “suspicious third-party calls”;

- 13% of complaints classified as “legitimate contact”;

- 7% of complaints classified as contacts which occurred while awaiting compliance with the RPO legislation;

- 2% of complaints classified as cases of lack of information to provide adequate feedback;

and adding the following further categories:

- 3% of complaints classified as "contacts not made on behalf of Eni Plenitude" (see «the telephone contact complained of by the reporting party was made by numbers belonging to a Plenitude partner but on behalf of other clients or within of contact activities carried out independently by the partner himself");

- 3% of complaints classified as contacts made through the use of the so-called technique. spoofing (see «despite the fact that the calling number indicated in the report/complaint is registered with the ROC and is present on CoEVO as a number associated with a Plenitude partner, the telephone contact indicated was not made by the Plenitude partner to whom this numbering refers reports. It is therefore reasonable to hypothesize that these are cases of so-called spoofing and that the calling number has been falsified to make it correspond to calling numbers regularly used by Plenitude's partners");

- 3% of complaints classified as "illegitimate contacts" (see «the contact was made by employees of Plenitude partners in violation of the instructions received from the partner and the Company itself. In all these cases, those responsible were removed from the partner as soon as the irregular conduct was detected, even before Plenitude received the request for information from the Authority. In addition, Plenitude activated the process for applying a penalty to the partners involved, as provided for in the agency contract with the latter, for. the conduct carried out by their employees in violation of Plenitude's instructions");

- 1% of the complaints as "feedback already provided to the interested party" (see «Plenitude has already provided its feedback to the interested party, directing the request to XX for further additions (since these are contacts carried out as part of a campaign co -XX/Plenitude marketing aimed at the XX customer base").

In the same acknowledgment note, the Company illustrated the procedure implemented in compliance with the corrective measures prescribed by the Authority through the Provision. n. 232/2019 in relation to the purchase of contactability lists of prospect users coming from list providers.

Eni Plenitude has therefore declared that it uses two list providers, who act as data controllers pursuant to art. 28 of the Regulation and who manage the acquisition of lists from publishers. These suppliers also take care of the subsequent "normalization" activity of the data in order to verify compliance with the privacy compliance requirements identified by Eni Plenitude, before the lists are uploaded to the Company's CoEVO system for processing. The publishers' privacy policy contains the express reference to Eni Plenitude and any consent given, "is considered valid only if collected on the basis of a privacy policy that has these characteristics".

All records contain the consent form used by the publisher, the code of the relevant privacy information, the IP address of the interested party who gave the consent, as well as the date on which the consent was given. The CoEVO system verifies that all the records are complete and in the event of a negative outcome, they are blocked and subsequently deleted from the system.

Before the lists are acquired and uploaded to CoEVO, Eni Plenitude verifies the compliance of the privacy information and the consent forms associated with them and, in case of a positive outcome, approves the list.

The Company, with the help of the CoEVO application, carries out random checks on the details (privacy information and consent collected) contained in the publishers' contact lists. In the event of a negative outcome, the use of the relevant records is inhibited and a specific audit is initiated on the publisher.

Furthermore, the lists of prospect users are subject to verification at the RPO before the start of the campaign and every 14 days, to ensure that only interested parties who have not requested registration in the Public Register of Oppositions are contacted.

1.2.2. Verification at the Public Registry of Oppositions

In order to carry out the necessary checks regarding the correctness of the aforementioned telemarketing activities, on 3 August 2023 (see Prot. no. 117145/23) the Office sent the Ugo Bordoni Foundation, which manages the Public Register of Oppositions , the aforementioned list of telephone numbers contacted by Eni Plenitude as part of the telemarketing activities carried out in the period February-March 2023. With this in mind, information was requested, pursuant to art. 157 of the Code, for each numbering, regarding the possible registration in the Public Register of Oppositions (RPO) no later than 31 January 2023.

With note Prot. n. 122099 of 29 August 2023, the aforementioned Foundation sent its feedback, from the analysis of which they were registered in the Public Register of Oppositions, at the time of the promotional calls made by the Company, no. 746 telephone users, equal to just over 7% of the total number of telephone contacts that led to the activation of the service in the reference period February-March 2023 (no. 10625).

1.2.3. Supplement to the investigation

Pending the investigation, further complaints of the same tenor and content were received by the Office (see files nos. 286608 - 314553 – 322104 – 315372 - 328844).

More specifically, with complaint no. 286608, the applicant complained about the receipt of approximately 248 promotional phone calls since January 2023 on users registered with the RPO, highlighting that "the situation is intolerable, also because being a work user I often have to interrupt myself to answer, even though I have activated filters" and to have filed a complaint with the competent authorities. In this case, the applicant states that he has been subjected to unsolicited activations for months and that in addition to his personal data and identity documents, the personal data of his partner have also been stolen or otherwise transferred by Eni Plenitude to call centres.

With report no. 314553 the interested party complained about receiving numerous calls made for promotional purposes, despite registration with the RPO.

With reference to file no. 322104, the complainant stated that he was first contacted by an Eni Plenitude operator - already illegitimately in possession of his personal data - and that he was induced to accept a non-binding proposal relating to an energy supply. In the immediately following days, the interested party was the recipient of further telephone contacts for the marketing of an insurance policy by operators illegitimately aware of his personal data and vicissitudes.

With report no. 315372 the interested party complained about receiving numerous unwanted calls made on behalf of Eni Plenitude. The Company responded to the complaint by noting that the interested party had given consent to receive calls for promotional purposes and for carrying out market research by Eni Plenitude, furthermore the calling number indicated belonged to a partner in charge of carrying out promotional activities . The owner has acknowledged and recorded the revocation of consent on its systems.

Finally, also with report no. 328844 the interested party complained of having been contacted by telephone on behalf of the Company, despite the change of manager.

Considering that the complaints referred to in the aforementioned files were addressed to the same owner and concern issues of the same tenor, in order to promote their organic examination and implement the principles of economy and speed referred to in the art. 9 of internal regulation no. 1/2019 (available for consultation on the website www.gpdp.it, doc-web n. 9107633), it was deemed appropriate to deal with such complaints and reports as part of the investigation already underway pursuant to and for the purposes of the following art. 10, paragraph 4, of the same regulation (joining of proceedings).

Furthermore, in this case, the joint treatment appeared more suitable for guaranteeing the right of defense and the need not to aggravate the proceedings, also in terms of the lower expenditure of time and resources that it objectively entails for the data controller. .

1.3.  Dispute of violations

Following the investigation, the Office adopted the aforementioned communication to initiate proceedings pursuant to art. 166, paragraph 5 of the Code (Prot. no. 170450/23 of 28 December 2023), in which it firstly noted that having contacted 746 telephone numbers as part of the telemarketing activities carried out in the period February-March 2023, equal to just over 7% of the total number of telephone contacts made for promotional purposes, given the registration of the same users in the RPO, and therefore the opt-out mechanism determined by the current legislation, could lead to the violation of the legislation in force regarding the protection of personal data.

This data, moreover, seemed to coincide with that - equally alarming - obtained from the feedback provided by the Company to the request for information pursuant to art. 157 of the Code. In fact, from the arguments provided by Eni Plenitude in relation to the numerous complaints received by the Authority, it emerged that only 13% of telephone contacts had been carried out in the presence of legitimacy requirements and that, on the other hand, the remaining 87% of cases were allegedly attributable to the responsibility of third parties.

In this last percentage, then, the Company included a series of contacts made during the implementation of the measures to adapt to the RPO legislation, although at the time of the contacts the Registry was already fully operational.

The Authority also noted that from the documentation in the documents and from the feedback provided by the Company, it emerged that suitable measures and controls were not put in place to ensure the traceability of the operations carried out on the company systems and to guarantee the legitimacy of the entire processing chain which , starting from the telephone contact, allows you to reach the conclusion of the contract. Nor did a mechanism appear to have been implemented to monitor and block contracts originating from illicit contact ab origine.

Equally critical issues emerged in relation to the fulfillment of the duties of monitoring and supervision of the work of data controllers and remediation initiatives in the event of obvious violations of the current legislation on the protection of personal data by such subjects.

With the same communication, the Office also contested the violation of the principles referred to in the art. 5 of the Regulation due to obvious delays in updating customer records.

Finally, the contradictory nature of the circumstances revealed through the evidence provided was highlighted, given that the Company had declared that it only used two list providers, but then in the body of the various documents sent it had referred to multiple sub-agencies.

In summary, the Office accused Eni Plenitude of the possible violation of the articles. 5, par. 1, letter. a), d) and letter. f), 5, par. 2, 6, par. 1, letter. a), 24 par. 1, 25 and 28 of the Regulation, as well as art. 130, paragraphs 3 and 3-bis, of the Code, for having carried out processing of personal data of users and contractors in the energy sector in conflict with the principles of lawfulness and responsibility, in the absence of an appropriate legal basis and by implementing technical measures and organizational issues that are not adequate to guarantee, right from the design stage, and be able to demonstrate, that the processing is carried out in accordance with the Regulation.

2. THE DEFENSE OF THE OWNER

With note Prot. n. 569/24 of 03 January 2024, the Company requested a 60-day extension of the deadline for the defense referred to in the art. 166, paragraph 6, of the Code and to be heard by the Authority on a date subsequent to the expiry of this deadline. More specifically, on this occasion Eni Plenitude noted that the granting of a longer deadline than that of 15 days. provided for by the art. 13 of internal regulation no. 1/2019 was justified by the circumstance that the Authority had attached to the communication pursuant to art. 166, paragraph 5 of the Code, new elements (see five complaints and the results of the checks at the FUB), as well as the complexity of the issues covered by the proceedings and the dimensional characteristics of the Company. On this point, Eni Plenitude also highlighted that art. 13, paragraph 3, of internal regulation no. 1/2019 had to «be interpreted in the sense that the extension can be even greater than 15 days in the presence of objective needs represented by the recipient of the provision, in order to guarantee the effectiveness of the right of defense».

With note Prot. n. 3844 of 11 January 2024, the Office partially accepted the request, granting an extension of the deadline referred to in the art. 166, paragraph 6, of the Code up to 15 days. and representing that the files attached to the aforementioned communication of 28 December 2023 and which arrived during the proceedings were objectively small in number and concerned the same issues as those attached to the request for information pursuant to art. 157 of the Code, and in most cases the owner was already aware of it, since it was copied in the reports or because he had already provided feedback to the interested party.

With the same note, the Office also represented that the art. 166, paragraph 6, of the Code and articles. 12 and 13 of regulation no. 1/2019 of the Office of the Guarantor (in www.gpdp.it, web doc. n. 9107633) establish in favor of the owner, as the ordinary deadline for the presentation of defense briefs and request for a hearing, that of 30 days starting from receipt of the dispute. Any "short" extension, normally not exceeding 15 days, can be granted "according to proportionality criteria also in relation to the operational/dimensional characteristics of the recipients themselves and the complexity of the matter examined". An extension of 60 days, with the effect of extending the overall deadline for sending the defense documents to 90 days (3 months), in the opinion of the Office, did not appear to comply with these proportionality criteria, both for the type of preliminary investigation (purely documentary) and in consideration of the operational-dimensional characteristics of the company which represents one of the main economic-corporate realities in the country, equipped with important resources also of a legal and organizational nature. Finally, the Office represented that the granting of such a broad extension did not even appear compatible with the practice consistently followed towards other data controllers, nor with the needs of cost-effectiveness and reasonable duration of the procedure.

With a subsequent request dated 19 January 2024 (see Prot. no. 7707 of 22 January 2024), Eni Plenitude requested access to the documents of the proceedings, with particular reference to the request for information pursuant to art. 157 of the Code sent to the FUB and to the documentation relating to complaints nos. 286606 and 322104.

Thus with note Prot. n. 9274 of 24 January 2024, the Office notified a counter-interested party, granting a deadline for the submission of any observations.

Finally, with subsequent communication Prot. n. 14721 of 6 February 2024, the Office communicated that «having examined the reasons illustrated and considering the lack of opposition and/or transmission of observations by the other interested party, the request for access to the documents contained in file no. is accepted. 322104 (…). With reference to the further documentation requested (...) All the documentation relating to the investigation is already fully available to this Company, as transmitted by the Office together with the request for information pursuant to art. 157 of the Code and the subsequent communication of initiation of the procedure pursuant to art. 166 of the same Code. The only document not sent so far - which is attached to this document, in acceptance of the aforementioned request (annex 2) - is the request for information pursuant to art. 157 of the Code sent by the Authority to the FUB in relation to the list of telephone numbers subject to verification by Eni Plenitude itself (see telephone contacts made in the "sample" week) and of which the results were in any case shared, in the form attached to the aforementioned notification of alleged violations. The documentation relating to file no. 286608 has already been completely sent together with the aforementioned communication pursuant to art. 166 of the Code. In fact, it should be noted that annex no. 3 is reported at the bottom of the file bearing the wording "denunce030723". In any case, the file in question will be sent again."

2.1 Preliminary and procedural objections raised by the data controller

With defense briefs filed on 12 February 2024 (see Prot. no. 17493 of 13 February 2024), the Company preliminarily highlighted the onerousness of the request for information pursuant to art. 157 of the Code due to the "short deadlines assigned for feedback", the extension of the time frame of the request and the further and contemporary requests for information received by the Company from another department of the same Authority.

The Company then noted that the correctness of the governance adopted for the management of telephone contact activities for promotional and sales purposes had already been addressed with the Authority's provision no. 232/2019 and that nevertheless «on the night of 28 December 2023, after six months of silence, the Authority notified Plenitude of the communication of initiation of the procedure», also contesting «totally new elements: (a) five new complaints, on which the Company had to carry out internal investigations, moreover without having had the opportunity to speak with the Guarantor in the preliminary investigation phase of the procedure designated for this purpose; and (b) a response received by the Authority on 29 August 2023 from the Ugo Bordoni Foundation (...) without the knowledge of Plenitude and not shared during the preliminary investigation, asking to verify for each of the telephone numbers provided by Plenitude with the First Feedback "the possible registration in the Public Register of Oppositions".

Eni Plenitude then highlighted that the Office had granted an extension of the deadline referred to in the art. 166, paragraph 5, "of only 15 days" and that the response to the access request presented by the Company had only been sent on 6 February 2024 "a few days after the deadline for submitting written deductions".

Furthermore, the company objected to the violation of the 120-day deadline for notification of the communication pursuant to art. 166, paragraph 5 of the Code, provided for in Table B of internal regulation no. 2/2019 (available for consultation on the website www.gpdp.it, doc-web n. 9107640), identifying the dies a quo with the date «29 June 2023, when Plenitude sent the last response to the request for information of 11 May 2023" and representing that the deadline for notification of the dispute was 27 November 2023.

On this point, Eni Plenitude also noted that the aforementioned deadline could not start from the date of the FUB's response to the request for information, given that the request pursuant to art. 157 of the Code and the confirmation had occurred during the period of suspension of the deadlines (see 1-31 August), that the Company had not been informed of this request and therefore had relied on the passage of the deadlines, which the Authority on the date of the request to the FUB had already benefited more than 30 days. for their own reflections and that therefore the claim to reset "the deadline by making it unilaterally start from the request to the FUB" was not admissible.

Eni Plenitude then objected to the violation of the principle of due process and that the objections raised are the result of misunderstandings of the facts due to the lack of effective cross-examination and collaboration, as the Authority:

the. «has kept the complaints and reports in storage (…) for over a year and a half»;

ii. «with the request for information dated 11 May 2023, it launched autonomous investigations that were largely independent of each other (i.e., the feedback relating to the so-called sample week and the feedback on the individual complaints together with the relevant update to reporting on the phenomenon of suspicious calls in March 2021)";

iii. «he formulated generic and aseptic questions (…) raising surprise and merely hypothetical objections»;

iv. «while Plenitude was committed to responding in a very short time to the request of 11 May 2023, it sent in parallel to Plenitude further requests for information relating to completely different issues and the subject of further new investigations on 9 and 14 June 2023»;

v. did not communicate the sending of the request to the FUB and with the objection deduced completely new facts and circumstances, without granting an extension of the defense deadline;

you. granted access to the documents with delay.

Finally, Eni Plenitude disputed the violation of the principle of ne bis in idem and legitimate expectations, noting that the facts covered by the investigation conducted in 2023 had already been examined by the Guarantor during the 2019 investigation, concluded with the adoption of provision no. 232/19 and that the corrective measures implemented in compliance with this provision had been agreed with the Authority itself.

2.2 The substantive objections raised by the data controller

On the merits, the Company requested the dismissal of the proceedings due to the absence of the subjective element of fault, provided for by the art. 3 of Law no. 389/1981, as a minimum requirement for the application of administrative sanctions, as «Plenitude has not only adapted to the measures prescribed by the Authority with provision no. 232/2019 but to date has also had the legitimate expectation that the measures represented at the time during the investigation had been deemed adequate".

With specific reference to the 747 numbers registered in the RPO and related to the purchase proposals that occurred during the so-called. sample week, Eni Plenitude stated that «these numbers, however, do not necessarily correspond to those used for contacts in the context of promotional campaigns, as during telephone contacts various customers ask to include in the contractual proposals telephone numbers other than those on who were contacted." On this point, the Company also noted that not all numbers must be previously verified with the RPO, but that this need depends on the reference target (customers, potential customers, former customers) and the sales channel used.

In the case of promotional campaigns aimed at customers, the Company deems verification with the RPO unnecessary, since for outbound teleselling the contact lists are created on the basis of the specific consent for telemarketing activities issued within the contractual relationship , in line with the provisions of the art. 1, paragraph 5, of Law no. 5/2018. For the assisted web channel, however, it is the customer who has expressed, via the appropriate contact form, the desire to be called for commercial purposes.

Differently in the case of promotional campaigns aimed at potential customers (so-called prospects) and carried out through the outbound teleselling channel, the Company explained that the contact lists are always verified in advance at the RPO, with the exception of co-marketing campaigns, which are carried out towards the customers of Eni Plenitude's commercial partners on the basis of a specific consent provided to the partners by their customers. In the comparator and assisted web channels, however, it is the potential customer who requests telephone contact, which takes place immediately after the request.

In the context of promotional campaigns aimed at former customers, carried out through the outbound teleselling channel and aimed at customers who ceased for less than 30 days, however, the contact is made on the basis of the consent given in the context of the contractual relationship pursuant to art. . 1, paragraph 5 of Law no. 5/2018. Otherwise, the lists of customers who have ceased working for more than thirty days are previously verified at the RPO.

Again, with reference to the 747 contacts made over the course of the so-called. sample week, Eni Plenitude found that:

• 89 numbers do not correspond to those used for telephone contacts;

• 381 numbers were contacted via the comparator channel on the basis of the express consents given on the portals;

• 179 numbers were contacted via the assisted web channel;

• 80 numbers were contacted as part of campaigns aimed at customers on the basis of consents given in the context of contractual relationships;

• 17 numbers were contacted as part of co-marketing campaigns;

• 1 number contacted the Company's partner number directly.

In relation to the complaints received by the Authority, the Company recalled the division into 5 macro-categories carried out during the responses to the request for information pursuant to art. 157 of the Code and with specific reference to the complaints attached to the communication pursuant to art. 166, paragraph 5, of the Code objected that they were not the subject of a specific investigation. On this point, the Company nevertheless noted that files nos. 314553, 315372 and 322104 can be classified as legitimate contacts, file no. 328844 is the result of a so-called. suspicious third party call and file no. 286608 cannot be traced back to any macro-category and therefore cannot be said to be homogeneous with the other complaints.

For the same reasons, Eni Plenitude then objected to the unfoundedness of the complaint relating to the absence of adequate control and monitoring measures for the uploading phase of the contractual proposals, also reiterating that the failure to track the IP address of the workstation which uploaded is not able to demonstrate the general absence of measures aimed at preventing the infiltration into the Company's systems of proposals generated by subjects outside the sales network, that there is no evidence of the presence of illicit proposals in the company systems, which none of the suspicious third-party calls resulted in a purchase offer.

The Company reiterated its commitment to combating the phenomenon of suspicious calls from third parties and that it does not derive any economic advantage from them, as they are made by competitors who illicitly use the name of Eni Plenitude with the intention of offering energy services provided by other operators .

Finally, Eni Plenitude contested the value of best practices attributed to the Code of Conduct for telemarketing and teleselling activities, noting that it constitutes a «consolidation proposal and an attempt to reorganize the guidelines expressed by the Guarantor in a single document. The Code absolutely does not represent the state of the art adopted by all market operators and in any case provides for certain measures, including IP address tracking, for simplifying purposes only".

In this regard, the Company also noted that based on the specifics of its sales chain, it assessed the IP address as "an unnecessarily and excessively invasive measure" compared to the benefit returned by the various safeguards adopted in terms of due diligence and monitoring towards partners (so-called privacy induction).

In relation to the complaints raised on the commercial chain, Eni Plenitude highlighted that in recent years the relationship between the number of agencies and the volume of business has become inversely proportional, that the partners involved in the cases classified as "illegitimate contacts" had been appointed responsible of the processing pursuant to art. 28 of the Regulation and who therefore acted in violation of the instructions given. Furthermore, the same partners had become aware of the illegitimate conduct carried out by their agents and had removed them even before the start of the preliminary investigation by the Guarantor. In any case, thanks to the timely intervention, the agents in question had not generated any contractual proposals.

Eni Plenitude then objected to the unfoundedness of the complaint relating to the lack of separation measures for the databases used by multi-firm agencies, deducing the absence of evidentiary elements and attributing these telephone contacts to human error.

Compared to the contacts made during the so-called sample week and classified as "FUB in the process of being activated", Eni Plenitude has clarified that these are «telephone contacts made to numbers registered in the RPO pending the completion of the internal Plenitude process for adaptation to the new rules on the RPO, which ended with a delay of just around 30 days", due to the delay in the publication of the price lists by the FUB and the timescales necessary for the complete updating of the internal processes.

Finally, with reference to the violation of the principle of accuracy of the data processed (see file 183604), Eni Plenitude contested the findings on the contact times and stated that in this case it was «an exceptional and completely isolated case deriving from the configuration initial CoEVO of 2019, consolidated for years now, which cannot therefore in itself constitute an element to be placed at the basis of the system challenge the Authority addresses to Plenitude, given that evidently no further circumstances emerged from the preliminary investigation capable of demonstrating the existence of critical issues at the process level".

2.3 The hearing pursuant to art. 166, paragraph 6 of the Code.

During the hearing held on 20 February 2024 at the Authority's offices, the Company provided the complete and updated mapping of its commercial supply chain, including the appointments as Data Controller pursuant to art. 28 of the Regulation.

The Company then clarified that in the event of an expression of interest by the customer (via web or telephone) who provides their contact details, they will usually be contacted within a couple of days. Any extensions of this time window are due to the coincidence of holidays, weekends, or in the event that the customer does not respond. The lead is considered "hot", i.e. usable for possible recontacts, for 15 days. expired which no further contacts are made.

As for co-marketing activities, the Company explained that these campaigns are carried out using the customer base of the respective companies, which have previously acquired the customer's consent. By way of example, in the context of campaigns carried out in co-marketing with XX, the list is passed from XX to its teleseller partner. The user is contacted preliminarily on behalf of XX and, if he expresses his interest in adhering to the Eni Plenitude offer, the teleseller at that point no longer acts as an external manager of XX, but in the guise of data controller on behalf of Eni Plenitude and submits the contractual proposal to the customer.

Finally, with reference to the activities of the so-called win back, it emerged that the Company makes contact attempts with former customers to understand the reasons for changing supplier and verify their interest in a new offer, after verifying the existence of marketing consent. These activities are carried out over 30 days. from the termination of the contract.

3. ASSESSMENTS BY THE AUTHORITY

From the elements that emerged during the investigation and from the examination of the defense deployed by the Company, as will be argued more fully and analytically below, all the hypotheses of violation formulated through the communication of initiation of the procedure pursuant to art. 166, paragraph 6, of the Code.

3.1 Preliminary and procedural questions

The preliminary and formal objections formulated by the Company cannot be accepted as they are specious and clearly unfounded.

In this case, Eni Plenitude preliminarily objected to the violation of the principle of due process and of ne bis in idem, to have the Authority open a new investigation, despite the adoption of the provisions. no. 231 and 232 of 11 December 2019, simultaneously notified multiple requests for information and rejected the request for an extension of the deadlines granted for the purposes of feedback.

The invoked ne bis in idem prohibition, of known criminal origin, can be deduced from the provisions of the art. 649 c.p.p., which establishes the prohibition on subjecting the accused who has been definitively acquitted or convicted for the same fact to a new trial, even if considered differently in terms of title, degree or circumstances.

This principle undoubtedly represents, as well as a canon of civilization, a fundamental right of the person. So much so that even at the level of supranational legislation it is possible to find similar provisions both in the letter of the art. 50 of the Charter of Fundamental Rights of the European Union, which provides that «No one may be prosecuted or convicted for a crime for which he has already been acquitted or convicted in the Union following a final criminal sentence in accordance with the law», which to Prot. n. 7, art. 4 of the ECHR which reads «1. No person may be criminally prosecuted or convicted by the jurisdiction of the same State for an offense for which he has already been acquitted or convicted following a final judgment in accordance with the law and criminal procedure of that State. 2. The provisions of the previous paragraph do not prevent the reopening of the trial, in accordance with the law and criminal procedure of the State concerned, if supervening facts or new revelations or a fundamental flaw in the previous procedure are capable of invalidating the sentence received. 3. No derogation from this Article shall be authorized under Article 15 of the Convention."

By constant orientation of jurisprudence, the identity of the fact exists when there is historical-naturalistic correspondence in the configuration of the crime, considered in all its constituent elements (conduct, event, causal link) and with regard to the circumstances of time, place and person .

With reference to proceedings before independent Administrative Authorities, the question of the applicability of the principle in question has historically arisen with particular reference to the so-called. double track of sanctions and was resolved with the well-known and consolidated jurisprudential orientation which considers the principle of ne bis in idem applicable to proceedings instituted before independent Administrative Authorities, when the sanctions actually imposed are essentially criminal in nature (see ECtHR ruling of 4 March 2014, Grande Stevens v/Italy). 

According to European jurisprudence, therefore, regardless of the nomen iuris, those sanctions which can be considered such in light of the so-called criminal nature are essentially criminal in nature. Engel criteria: internal legal qualification; nature of the offense and function of the consequent provision envisaged, which must be generally applicable and have a preventive and repressive purpose; severity of the sanction.

On this point it is also appropriate to remember that the provisions of the Guarantor, pursuant to articles. 78 of the Regulation and 152 of the Code, can be challenged before the judicial authority through an effective judicial appeal.

It follows that once the deadlines for appealing the Guarantor's decision have expired, or once all the means of appeal provided for by the law have been exhausted, the provisions contained in the provision or in the sentence become definitive and unassailable both for the supervisory Authority and for the recipient thereof.

The described procedural sequence constitutes the normative application of the principle of legal certainty, of which the principle of ne bis in idem is a logical corollary.

Even if in 2019 the Authority adopted two separate measures against Eni Plenitude (then Eni gas and Luce), concerning facts, complaints and the privacy governance implemented at the time by the Company, the alleged violation of the principle of ne bis in idem , in this case cannot be accepted given the evident absence of the requirement of the identity of the naturalistic fact underlying the proceeding.

Today's investigation, in fact, originates from numerous complaints received by the Authority subsequent to the resolution of measures nos. 231 and 232 of 2019 and from the verification carried out as part of a "sample week" (6-13 March 2023) on telephone contacts made during the reference period, which led to the activation of an energy supply.

The identity of the thema decidendum cannot even be artfully invoked on the basis of the fact that some of the provisions referred to in today's dispute were also invoked in the previous proceedings, given that what amounts to violating the principles of legal certainty and the prohibition of ne bis in idem, it is not so much and only the normative basis of the reproach, but - we reiterate - the identity of the naturalistic fact.

Also because if this were not the case, hypothetically, after having been the recipient of an initial provision, the data controller could violate the same provisions again and ad libitum, being exempt from any reprimand and/or sanction.

On the other hand, the observation on the measures to adapt to previous provisions "agreed" with the Authority, which the Company appears to invoke as certification of conformity of its privacy system with current legislation, cannot be accepted as the guidelines expressed by the Office they have limited effectiveness to the object and the historical context in which they were pronounced, also due to the considerable period of time that has passed and the regulatory and socio-economic developments that have occurred in the meantime.

So much so that the Regulation, in more than one rule, requires the data controller to periodically update the security measures and its privacy governance, precisely in order to adapt it to the so-called. "state of the art", "scope" and "context".

The exception regarding the alleged onerousness of the requests sent by the Authority appears equally specious, since Eni Plenitude never mentioned it in any of the previous discussions with the Department, but raised this exception for the first time only during the filing of defense briefs pursuant to art. 166, paragraph 6, of the Code, which took place on 12 February 2024 (see Prot. no. 0017493 of 13 February 2024) and referring to the requests for information sent in June 2023 (i.e. eight months earlier).

In the Company's opinion, the practice followed by the Office of cumulatively investigating complaints received even at different times would also violate the principles of due process and make the investigation onerous.

In this regard, it is worth noting that the joint investigation is not only provided for by the internal regulations, since it responds to the principles of economy and non-exacerbation of the administrative procedure, but also represents a safeguard for the prerogatives of the data controller.

In fact, with reference to the processing of personal data carried out in the context of telemarketing, the Authority receives thousands of reports. The individual treatment of each complaint would not only be practically impossible, but would have the effect of forcing the data controller to invest significant resources in the defense of his own reasons and of infinitely multiplying the proceedings and the consequent sanctions, which would also end to constitute a precedent - and therefore an aggravating circumstance - for the other.

Nor can the alleged onerousness of the procedure and the alleged violation of the procedural rules be traced back to the circumstance that the Office contested for the first time in the communication pursuant to art. 166, paragraph 5, of the Code, what emerged in relation to no. 5 complaints/reports, which arose while the investigation was pending against the same Company. In fact, the prior conversation with the party, e.g. through the request for information pursuant to art. 157 of the Code, constitutes only one of the possible investigation methods provided for by law.

It follows that, in the event that it is not necessary to acquire further investigative elements, the Authority can validly and directly proceed to contest the violation on the basis of the circumstances acquired through complaints and reports. In similar cases, however, the right of defense and the right to be heard are in any case guaranteed by the possibility granted to the party to present within the 30-day deadline. starting from the notification of the communication, documents and briefs, as well as the request to be heard by the Authority.

Finally, the alleged violation of the principle of due process and internal regulations, in relation to the failure to grant the extension of the deadline for defense pursuant to art. 166, paragraph 6, of the Code and the alleged delay in accepting the request for access, given that the Company was already in possession of all the preliminary documentation, as the direct recipient of the complaints or because it had already been sent to it by the Authority.

The art. 13 of internal regulation no. 1/2019 provides that normally the deadline for exercising the right of defense is equal to 30 days, but that upon justified request, this deadline can normally be extended up to 15 days, also according to proportionality criteria. in relation to the operational/dimensional characteristics of the recipients themselves and the complexity of the matter examined. It follows that only in exceptional cases can a longer deadline be granted.

In this case, having examined the reasons given by the Company, considering the purely documentary nature of the proceedings and the issues that arose, the dimensional characteristics of the company and that Eni Plenitude was already aware of almost all of the complaints, there is no doubt that no circumstances existed such as to justify the granting of a term longer than the aforementioned 15 days.

In addition, it is worth noting that in multiple completely similar investigations (including the previous one against Eni Gas e Luce - now Eni Plenitude), from which the adoption of provision no. 232 of 11 December 2019) the Office has consistently granted an extension of 15 days. and no exceptions have ever been raised in this regard.

Furthermore, the request appeared ictu oculi specious and intended to pre-establish a possible reason for complaint, not only due to the absence of exceptional reasons and/or circumstances in support, but also because it would have had the effect of tripling the ordinarily deadline granted, in disregard of the principles of equal treatment and reasonable duration of the proceedings.

The exception regarding the alleged delay in accepting the request for access to documents as complained about by the Company is equally specious and designed to pre-establish grounds for complaint.

As proof of this, it would be sufficient in itself to observe the timing of the request forwarded on 19 January 2024 and therefore one week before the expiry of the deadline pursuant to art. 166, paragraph 6 of the Code.

Based on the practice constantly followed by the Office, attached to the request for information pursuant to art. 157 of the Code and the communication of initiation of the procedure pursuant to art. 166, paragraph 5, of the Code, all documents and elements useful for the exercise of the right of defense and the organic examination of the issues covered by the investigation are transmitted, with the exception of documentation that is excessive, irrelevant or covered by secrecy. .

In this case, the only documents that had not been attached to the aforementioned communications were correspondence that were completely irrelevant for the purposes of the defense, considering that:

- all the results of the verification at the FUB had already been shared (i.e. excel files with the analytical indication of the numbers registered in the RPO);

- the documentation relating to file no. 286608 had already been duly sent together with the note pursuant to art. 166 of the Code;

- the further documentation requested relating to file no. 322104 consisted of a contract and a transfer revocation concerning different companies and which have nothing to do with Eni Plenitude.

Furthermore, since the Company requested the presentation of contractual and banking documentation, as represented in the note replying to the request for access, it was necessary to notify the other interested party which led to a physiological extension of response times, certainly not attributable to the 'Office.

Finally, the exception relating to the alleged violation of the 120-day deadline cannot be accepted either. provided for the notification of complaints pursuant to internal regulation no. 2/2019.

In the case in question, the communication pursuant to art. 166, paragraph 5 of the Code was notified on 28 December 2023 and therefore, taking into consideration the holiday suspension period pursuant to the law, within the deadline of 120 days starting from the verification of the violation. 

The moment of ascertainment of the violation dates back, at least (and without wanting to cite the constant jurisprudence of the Supreme Court of Cassation and the Council of State which identifies a date subsequent to that of the material acquisition of information and documents, corresponding to the one in which the investigating officer summarizes these elements to determine the existence and consistency of the violation), on the date of the response by the FUB to the request for information pursuant to art. 157 of the Code (see Prot. no. 122099 of 29 August 2023), when the Office has definitively come into possession of all the objective and subjective elements useful for the classification and qualification of the case.

On this point, the Company criticizes the actions of the Office, maintaining that the period of time that elapsed between the last feedback provided by the same to the Authority and the notification of the dispute would have been such as to generate a legitimate expectation in relation to the dismissal of the method. This thesis cannot be accepted, since the Authority has requested a series of detailed information on the so-called. sample week, it was very reasonable to expect that the Office would carry out a series of checks and investigations on these activities as well. In any case, the psychological element linked to the acquisition of an erroneous expectation regarding the future decisions of the Authority falls exclusively within the internal sphere of the offender which cannot be relevant for determining the illegitimacy of an administrative act, in the absence of specific violations of procedural rules.

3.2 Substantive issues

Also on the merits, the complaints raised against Eni Plenitude appear fully supported by the elements acquired through the numerous complaints received by the Authority, by the results of the sample investigations conducted and by the circumstances that emerged during the investigation.

First of all, in fact, the violation of the articles appears to be extremely proven. 5 par. 1, letter. a), 5 par. 2 and 6 of the Regulation and art. 130 of the Code for having the Company carried out telemarketing activities in the absence of a suitable legal basis and for having contacted multiple interested parties pending the process of adaptation by the Company to the RPO legislation.

As for the delay found in the operations to adapt to the regulations referred to in art. 130 of the Code, it should be noted that the violation is not only proven by the numerous complaints received by the Guarantor and by the checks carried out, but also by the declarations issued during the procedure by Eni Plenitude itself.

The Company, in fact, with reference to n. 8 complaints received by the Authority, admitted that it had not promptly adapted to the legislation in question, due to the failure to publish the price lists by the FUB. Although the matter is known to the Office, it should be noted that Eni Plenitude could have waited for the publication of the price lists or diversified its advertising activities - as other operators appear to have also done - rather than continuing its marketing campaigns without carrying out the appropriate checks at the RPO.

Likewise, the process of managing contact lists, as represented by the Company, does not appear to be entirely compliant with the letter and spirit of the aforementioned regulations.

With regards to promotional campaigns aimed at customers via the out-bound teleselling channel, the Company has declared that it does not deem it necessary to verify with the RPO and to carry out this processing on the basis of the specific consent given in the context of the contractual relationship pursuant to art. . 1, paragraph 5, of Law no. 5/2018.

But from the documents of the proceedings it does not appear that the Company has implemented the prescribed simplified methods to allow the easy revocation of such consents (see art. 1, paragraph 5, of Law no. 5/2018 «(...) Without prejudice to the consents given in the context of specific contractual relationships in existence, or terminated for no more than thirty days, concerning the supply of goods or services, for which the right of revocation is in any case ensured, with simplified procedures"), It follows that the contact lists could not be used without prior verification with the RPO and that as a result, such telephone contacts were made in violation of the legislation on the protection of personal data.

In relation to the co-marketing campaigns, Eni Plenitude has stated that they are aimed at customers of partner companies who have previously given consent and who show interest in Eni Plenitude offers. In such cases the lists are not subject to verification at the RPO and the telephone contact is made by a person who acts first as data controller of the partner company and then, in case of interest in the offer, as data controller. treatment for Eni Plenitude. The practice just described, which also raises doubts in terms of transparency and correctness of the processing and commercial practice - does not appear legitimate, nor respectful of the regulatory provisions, since it effectively amounts to an expedient invoked to evade the provisions of the art. . 130 of the Code and articles. 5 and 6 of the Regulation, as well as the obligation to consult the RPO before carrying out a marketing campaign.

The processing in question, therefore, appears to have been carried out in the absence of an appropriate legal basis and adequate technical and organizational measures, considering that on the one hand the original consent cannot be used to justify the carrying out of processing for diversified purposes and the transfer of data from one owner to another. On the other hand, it does not appear that suitable security measures have been implemented to ensure the separation of the records of customers belonging exclusively to Eni Ple-nitude, customers attributable to both Eni and partner companies and customers belonging exclusively to partners.

Likewise also the management of CD campaigns. win back presents multiple critical aspects. On this point, the Company declared that pursuant to art. 1, paragraph 5 of Law no. 5/2018 customers who ceased for less than 30 days. are contacted without prior verification with the RPO, while campaigns aimed at customers who have ceased for more than 30 days. provide for such verification.

But similarly to what has already been noted with respect to marketing campaigns carried out towards customers, the rule in question cannot be applied in the absence of the implementation of simplified methods for exercising the right of revocation. It follows that these treatments are also carried out in the absence of an appropriate legal basis and in violation of the legislation on the protection of personal data.

Furthermore, from the feedback provided regarding the individual complaints received by the Authority, further critical issues emerge in relation to the so-called campaigns. win back also in terms of the relative timing and recontact attempts.

In fact, if it is incontrovertible that there may be a basis of legitimacy underlying the contact campaigns aimed at former customers and a mutual interest of both parties, these activities must be contained within reasonable time limits (corresponding to the retention period of the data for processing with promotional purposes) and attempts to recontact, as this could otherwise reveal an undue intrusion into the personal sphere of the interested party which is potentially unlimited in time.

In relation to file no. 185620, for example, the telephone contact being reported occurred on 25 August 2022, even though by Eni Plenitude's own admission the customer had ceased four years earlier (see 2 January 2018).

And again in relation to file no. 185972 the telephone contact being reported occurred on 30 August 2022, even if the customer had ceased to work two years earlier (see 31 August 2020).

According to the Company's declarations, another case study of marketing activities not subject to prior verification by the RPO is that concerning the so-called. hot leads, meaning those individuals who express an interest in receiving a commercial offer from Eni Plenitude by telephone or via the web and who are therefore considered contactable for 15 days. following this expression of interest.

Even this long period of contactability does not appear to be entirely compliant with the regulatory provisions and seems to confuse the pre-contractual interest in the offer with the granting of actual consent to processing for marketing purposes.

Furthermore, if this practice were to be considered legitimate, the interested party would remain without protection because he could not revoke the marketing consent - never given - either with a request presented directly to the owner, or by registering with the RPO. The interested party could, if anything, only object at the moment of contact and therefore to an unwanted call already received, with a consequent and unacceptable lack of protection. This proposition appears all the more paradoxical if we consider that no provision of the Code, the Regulation or Law no. 5/2018 exempts the data controller from reporting to the RPO the data of interested parties intended for promotional contact in the 15 days following the collection of the data themselves, but rather, the aforementioned legislation requires such feedback before carrying out any promotional campaign.

In light of these findings, therefore, with reference to the 747 contacts made during the so-called. sample week, at least the following 657 must be considered illegitimately carried out:

• 381 numbers were contacted via the comparator channel on the basis of the express consents given on the portals;

• 179 numbers were contacted via the assisted web channel;

• 80 numbers were contacted as part of campaigns aimed at customers on the basis of consents given in the context of contractual relationships;

• 17 numbers were contacted as part of co-marketing campaigns.

The data is extremely alarming if we consider that by multiplying 657 contracts stipulated following an illicit contact ab origine which occurred during the so-called. sample week, for the working weeks present in a year, we would obtain that hypothetically the Company would have received the proceeds of approximately 32,850 supplies in a year that should never have been activated.

Equally well-founded were the complaints relating to the failure to implement security measures and an effective monitoring and control structure on the entire commercial chain of processing which "from contact leads to the contract", with consequent violation of the articles. 5, 24, 25 and 28 of the Regulation.

On this point, the exception raised in relation to the failure to implement a tracking system for contracts included in company systems turned out to be completely contradictory, considering that the Company declared that it had set up a work team for compliance with the Code of Conducted and then contested its value as best practices.

In any case, with the entry into force of the Regulation and the principle of accountability, it is no longer the legislation that defines the minimum and mandatory measures that the data controller is required to adopt; In fact, the data controller has the task of identifying the most appropriate technical and organizational security measures in relation to the state of the art, the specificities of his organization and the context and of proving compliance with them (art. 5, § 2 , of the Regulation).

It follows that the measures and precautions provided for by the Code of Conduct (approved by the Guarantor with provision no. 70 of 9 March 2023, in www.gpdp.it, web doc. no. 9868813), in particular those established by art. 5, paragraph 8, assume, regardless of the full effectiveness of the same and the adhesion of the owners, a corpus of best practices to be personalized, integrated and appropriately adapted to the specificities of the individual organization and to the concrete risks for the rights and freedoms of the interested parties .

Therefore, the failure to adopt one of the measures provided for therein cannot automatically constitute a violation of the legislation on the protection of personal data, but on the basis of careful assessments to be conducted on a case-by-case basis, it can be a symptomatic indicator, especially in the event of failure to implement suitable measures to mitigate the same type of risk for which the measure envisaged by the Code was preordained.

In this case, therefore, the Company not only failed to adopt a series of measures and precautions which notoriously amount to best practices, which were also included in a sector Code widely shared with the major exponents of the categories involved, but it did not even demonstrate that it had adopted measures equally suitable to avoid the risk that contracts stipulated on the basis of illicit contact may enter company systems.

From the elements that emerged through the complaints sent to the Authority and from the random checks carried out, however, a serious gap was ascertained precisely in relation to the control and monitoring activities carried out on the agencies and sub-agencies.

The carrying out of purely formal controls, limited only to the removal of the individual agent who has violated the instructions given or to the carrying out of audits only in the case of anomalies, if not accompanied by the implementation of measures aimed at preventing entry into the company systems of contracts stipulated on the basis of telephone contacts that should never have occurred, is not in itself sufficient to guarantee full compliance with the regulatory provisions.

More than one complaint has been attributed by the Company to the actions of agents who were subsequently removed, but this did not result, for example, in any further verification of the contracts entered by the same agent or the same agency, not even in cases of recurring violations.

Likewise, no remedial measure or repressive conduct was adopted against those agents who, by the company's own admission, made telephone contacts "not on behalf of Eni Plenitude", since it appears evident that an illegitimate mixing of databases occurred with consequent unlawful processing of personal data.

Finally, the violation of the art must also be confirmed. 5 of the Regulation in relation to report no. 183604, in the part in which it provides that personal data must be accurate and, if necessary, updated by adopting all reasonable measures to promptly erase or rectify data that are inaccurate in relation to the purposes for which they were processed, attributable to a delay in updating the relevant data on company systems, as admitted by the Company itself in its defense writings.

In relation to the alleged violations and contrary to what is claimed by the Company, the subjective requirement of violation must also be considered to exist, at least in terms of guilt. Considering that Eni Plenitude was the direct recipient of more than one complaint, implemented various reporting channels, was aware of the dismissal of certain agents and in any case gained a significant economic advantage from the conduct subject to censorship, was therefore also aware of the consequent events in the terms described above.

Eni Plenitude's responsibility for the disputed violations must therefore be definitively confirmed through the communication of initiation of proceedings pursuant to art. 166, paragraph 5 of the Code.

4. CONCLUSIONS

For the above, Eni Plenitude's responsibility for the following violations is deemed to be established:

a) articles. 5, par. 1, letter. a), d) and f) and par. 2 of the Regulation for having processed personal data in violation of the principles of lawfulness, correctness, transparency, accuracy and security;

b) articles. 5 par. 1, letter. a), d), 5 par. 2, and 6 of the Regulation and art. 130 of the Code for having carried out telemarketing activities in the absence of a suitable legal basis;

c) articles. 5 par. 1, letter. f), 5 par. 2, 24, 25 and 28 of the Regulation for the failure to implement suitable security measures, as well as monitoring and control over the entire commercial chain which, from contact, allows the contract to be concluded.

Furthermore, having ascertained the illegality of the Company's conduct with reference to the treatments examined, it is necessary to:

- impose on Eni Plenitude, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of the data of complainants and whistleblowers;

- order Eni Plenitude, pursuant to art. 58, par. 2, letter. d) and e) of the Regulation, to communicate to the 657 interested parties, whose personal data entered the Company's systems following illicit contacts, the outcomes of today's proceedings on the basis of a text to be agreed with the Authority during the application of this provision;

- order Eni Plenitude, pursuant to art. 58, par. 2, letter. d) to prepare adequate controls within its sales network and adequate system implementations, in order to exclude contracts generated by illicit contacts from entering the company assets;

- order Eni Plenitude, pursuant to art. 58, par. 2, letter. d) to prepare adequate measures to ensure that the processing of personal data is carried out in compliance with the principles set out in the art. 5 of the Regulation;

- adopt an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Eni Plenitude of the pecuniary administrative sanction provided for by the art. 83, par. 3 and 5 of the Regulation.

5. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Eni Plenitude of the pecuniary administrative sanction provided for by the art. 83, par. 3 and 5 of the Regulation (payment of a sum of up to €20,000,000.00 or, for businesses, up to 4% of the annual worldwide turnover of the previous financial year, if higher).

To determine the maximum statutory fine, reference must be made to Eni Plenitude's turnover, as obtained from the ordinary financial statements for the year 2022, in accordance with the previous provisions adopted by the Authority and with the indications contained in the " Guidelines no. 4/2022 on the calculation of administrative pecuniary sanctions pursuant to the GDPR", and therefore this statutory maximum is determined, in the case in question, at €320,981,542.00.

To determine the amount of the sanction it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation;

In the case in question, the following are relevant:

1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purpose of the data processed, attributable to the overall phenomenon of telemarketing, in relation to which the Authority has adopted, in particular in the last three years, numerous measures which have fully examined the many critical elements, providing data controllers with numerous indications to adapt the processing to current legislation and to mitigate the impact of nuisance calls on the interested parties;   

2) as a mitigating factor, the circumstance that Eni Plenitude promptly complied with the requirements imposed through the approval of the previous provisions (art. 83, par. 2, letter i) of the Regulation);

3) the circumstance that, in the previous sanctioning measures adopted by the Guarantor (n. 231 and 232 of 11 December 2019), Eni Plenitude defined the dispute with a reduced payment, which determines, pursuant to art. 8-bis, paragraph 5, of law no. 681/1989, the non-applicability of the aggravating circumstance referred to in the art. 83, par. 2, letter. And).

Based on all the elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by the art. 83, par. 1 of the Regulation, it is believed that the administrative sanction of payment of a sum of euro 6,419,631.00 (six million four hundred and nineteen thousand six hundred and thirty-one/00) should be applied to Eni Plenitude, equal to 2% of the maximum sanction imposed.

In the case in question, it is believed that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the nature of the Company's processing and conduct, as well as the elements of risk for the rights and freedoms of the interested parties.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

a) imposes on Eni Plenitude, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of the data of reporters and complainants;

b) orders Eni Plenitude, pursuant to art. 58, par. 2, letter. d) and e) of the Regulation, to communicate to the 657 interested parties, whose personal data entered the Company's systems following illicit contacts, the outcomes of today's proceedings on the basis of a text to be agreed with the Authority during the application of this provision;

c) orders Eni Plenitude, pursuant to art. 58, par. 2, letter. d) to prepare adequate controls within its sales network and adequate system implementations, in order to exclude contracts generated by illicit contacts from entering the company assets;

d) order Eni Plenitude, pursuant to art. 58, par. 2, letter. d) to prepare adequate measures to ensure that the processing of personal data is carried out in compliance with the principles set out in the art. 5 of the Regulation;

e) orders Eni Plenitude, pursuant to art. 157 of the Code, to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation;

ORDER

to Eni Plenitude S.p.A. Benefit company, with registered office in San Donato Milanese (MI), Piazza Vanoni n. 1, VAT no. 12300020158, to pay the sum of euro 6,419,631.00 (six million four hundred and nineteen thousand six hundred and thirty-one/00) as a pecuniary administrative sanction for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, by complying with the instructions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of euro 6,419,631.00 (six million four hundred and nineteen thousand six hundred and thirty-one/00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts norm from the art. 27 of law no. 689/1981.

HAS

The application of the accessory sanction of the publication of this provision on the Guarantor's website, provided for by the articles. 166, paragraph 7 of the Code and 16 of the Guarantor's Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by the art. 57, par. 1, letter. u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation itself.

Pursuant to the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself. .

Rome, 6 June 2024

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE GENERAL SECRETARY
Mattei

 

 

SEE ALSO NEWSLETTER OF 26 JUNE 2024

 

[doc. web no. 10029424]

Provision of 6 June 2024

Register of measures
n. 342 of 6 June 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation in the documents;

GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER Prof. Pasquale Stanzione;

1. THE INVESTIGATORY ACTIVITY CARRIED OUT

1.1. Premise

With communication dated 28 December 2023, n. 170450/23 (notified on the same date by certified email), which must be considered reproduced in full here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation towards Eni Plenitude S.p.A. Benefit Company (hereinafter “Eni Plenitude” or the “Company”), in the person of the legal representative pro tempore, with registered office in San Donato Milanese (MI), Piazza Vanoni n. 1, VAT number 12300020158.

The proceeding originates from an investigation started by the Authority, following the transmission of 108 reports and 7 complaints against the Company, regarding the receipt of unwanted promotional calls made without the prior acquisition of the interested party's consent or using registered numbers to the Public Register of Oppositions (hereinafter, “RPO”).

For the purposes of adopting this provision, the Authority duly took into consideration the appreciable measures to adapt to the legislation on the protection of personal data implemented in compliance with the corrective and sanctioning measures imposed with measures nos. 231 and 232 of 11 December 2019, adopted against the Company for having carried out illicit processing of personal data in the context of promotional activities and unsolicited activations of energy supplies (both available for consultation on the website www.gpdp.it, doc -web nos. 9244358 and 9244365).

1.2. The conduct of the investigation and the requests for information formulated by the Authority

1.2.1. The request for information pursuant to art. 157 of the Code

With a note dated 6 April 2023, the Office sent Eni Plenitude a cumulative request for information formulated pursuant to art. 157 of the Code (see protocol no. 58836/23), useful for the evaluation of 108 reports and 7 complaints received by the Authority in the period between September 2021 and March 2023, relating, for the most part, to the matter of telemarketing. With the same note, the Company was asked to «provide a list of purchase proposals coming from its sales network which led to the activation of energy services in the period from 6 March 2023 to 13 March 2023 inclusive, divided between "residential ” and “business””, as well as any evidence that emerged in relation to report no. 162187, with which the Company had brought to the attention of the Authority the phenomenon of the so-called. “suspicious calls”.

With a subsequent note dated 11 May 2023 (see Prot. no. 75644/23) the aforementioned request was again sent to the owner, since following internal checks and in light of the feedback provided by the DPO of the Eni Group, the Office has was able to ascertain that, due to a mere error, the communication had not been sent to the Company.

With a first response dated 26 May 2023 (see Prot. no. 84539/23 of 29 May 2023) Eni Plenitude sent the list of purchase proposals coming from its sales network and solicited by a telephone contact with the customer, collected through the following channels:

• “Outbound teleselling”: the call centers contact customers and potential customers (so-called prospects) based on lists of details provided or authorized by Eni Plenitude;

• "Comparator": partners who, through their own comparison site and/or structured web activities, gather the interest of prospective customers, with whom they subsequently carry out telephone recontact activities in order to illustrate the commercial offers of the various suppliers subject to comparison;

• “Web-assisted”: the call centers recontact by telephone the customers/prospects who have previously expressed the desire to receive an illustration of a commercial proposal from Eni Plenitude by filling in specific forms on the Company's website.

With specific reference to the request to provide the IP address of the workstation that uploaded the contractual proposals, the Company declared that at the time of notification of the request for information pursuant to art. 157 of the Code, this type of data was not tracked and that, following the approval of the Code of Conduct for telemarketing and teleselling activities, the Company «started a working group aimed at evaluating the most effective measures to guarantee the compliance with the provisions of the Code, among other things, with reference to the traceability of the operations carried out on the platform for the registration of contract proposals".

With a subsequent note filed on 9 June 2023 (see protocol 91502/23 of 12 June 2023), the Company transmitted the first deductions relating to the majority of the reports and complaints covered by this investigation, classifying the findings into 5 macro categories:

• “Legitimate contact” - the telephone contact was legitimately made by Plenitude network partners. To this end, a check of the name of the reporter was first conducted on the CRM and campaign operation (CoEVO) systems, the latter used to track telephone contacts made by the partners of the Plenitude network; subsequently, the privacy consents issued by the reporter were examined and tracked on the CRM for customers and former customers within 2 years and on CoEVO for prospects.

• “Suspicious calls from third parties” - the calling number is not present in the Register of Communications Operators (ROC), nor is it associated with partners of the Plenitude network on the Company's internal systems (see CoEVO). The company checks whether the calling number is present in the internal list prepared by the anti-fraud team as part of monitoring the phenomenon of suspicious calls (see Internal List of Suspicious Calls) and whether there are any reports relating to the calling number on the web pages dedicated to evaluation of the numbers used for telemarketing and/or teleselling activities (see "Online Reports"). Telephone contacts not solicited by users, made by some subjects with the aim of proposing to consumers to change provider, making incorrect and/or even misleading assumptions, are classified as suspicious.

• “FUB process being activated” – contacts made to prospect lists during the period of compliance with the RPO legislation fall into this category. The Company declared that "the process has been progressively started to be fully activated starting from 29 August 2022 for prospect lists" (see response dated 9 June 2023).

• “Lack of sufficient information to carry out checks” - the report does not contain sufficient information to allow checks to be carried out regarding the traceability of the contact to the Eni Plenitude network.

• “Analysis to be completed”.

In the same note, the Company highlighted that compared to the majority of files falling within the macro-category "suspicious calls from third parties", the calling numbers are repeated in multiple reports/complaints and are not registered with the ROC, nor are they present on the CoEVO system. Furthermore, these calls were often made in conjunction with promotional campaigns launched by Eni Plenitude itself, or in the period immediately following. With regard to these reports and complaints, the owner has expressed his desire to blacklist all the numbers indicated therein.

With regard to the phenomenon of suspicious calls, the Company also highlighted that starting from February 2020, an internal working group was launched, manned by the Anti-Fraud Team, which aims to continuously monitor reports concerning cases of suspicious calls and to compose an internal list of calling numbers. From the analysis of the data taken from this monitoring activity, it emerged that from 2021 to 2023 the cases falling within the phenomenon of suspicious calls were significantly reduced. In addition, starting from 2021 Eni Plenitude has created special channels to easily convey reports relating to the contacts in question (see toll-free number 800.689.829; chat; dedicated forms).

In the same note, the company provided further updates regarding report no. 162187, through which Eni Plenitude brought to the attention of the Guarantor the phenomenon of suspicious calls following undue telephone contacts received from internal subjects and the judicial initiatives undertaken.

Subsequently, with note Prot. 98297 of 23 June 2023, the Office once again sent file no. to the company. 186509. This document transmission was requested several times by the company in the aforementioned findings, despite the fact that the files had already been transmitted together with the request for information pursuant to art. 157 of the Code. In the same note, the Office took note of the owner's desire "to send two separate replies, the second of which well beyond the deadline originally indicated", highlighting that "any extensions are permitted only upon presentation of a specific reasoned request to be presented to the Authority, which then evaluates the extent and reasons" and therefore inviting the company to transmit what was requested without further delay.

Subsequently, with a response dated 29 June 2023 (see Prot. 101486 of 30 June 2023), the owner transmitted the results of the overall examination conducted on the cases subject to the complaint, classifying the reports and complaints as follows:

- 71% of complaints classified as “suspicious third-party calls”;

- 13% of complaints classified as “legitimate contact”;

- 7% of complaints classified as contacts which occurred while awaiting compliance with the RPO legislation;

- 2% of complaints classified as cases of lack of information to provide adequate feedback;

and adding the following further categories:

- 3% of complaints classified as "contacts not made on behalf of Eni Plenitude" (see «the telephone contact complained of by the reporting party was made by numbers belonging to a Plenitude partner but on behalf of other clients or within the of contact activities carried out independently by the partner himself");

- 3% of complaints classified as contacts made through the use of the so-called technique. spoofing (see «despite the fact that the calling number indicated in the report/complaint is registered with the ROC and is present on CoEVO as a number associated with a Plenitude partner, the telephone contact indicated was not made by the Plenitude partner to whom this numbering refers reports. It is therefore reasonable to hypothesize that these are cases of so-called spoofing and that the calling number has been falsified to make it correspond to calling numbers regularly used by Plenitude's partners");

- 3% of complaints classified as "illegitimate contacts" (see «the contact was made by employees of Plenitude partners in violation of the instructions received from the partner and the Company itself. In all these cases, those responsible were removed from the partner as soon as the irregular conduct was detected, even before Plenitude received the request for information from the Authority. In addition, Plenitude activated the process for applying a penalty to the partners involved, as provided for in the agency contract with the latter, for. the conduct carried out by their employees in violation of Plenitude's instructions");

- 1% of the complaints as "feedback already provided to the interested party" (see «Plenitude has already provided its feedback to the interested party, directing the request to XX for further additions (since these are contacts carried out as part of a campaign co -XX/Plenitude marketing aimed at the XX customer base").

In the same acknowledgment note, the Company illustrated the procedure implemented in compliance with the corrective measures prescribed by the Authority through the Provision. n. 232/2019 in relation to the purchase of contactability lists of prospect users coming from list providers.

Eni Plenitude has therefore declared that it uses two list providers, who act as data controllers pursuant to art. 28 of the Regulation and who manage the acquisition of lists from publishers. These suppliers also take care of the subsequent "normalization" activity of the data in order to verify compliance with the privacy compliance requirements identified by Eni Plenitude, before the lists are uploaded to the Company's CoEVO system for processing. The publishers' privacy policy contains the express reference to Eni Plenitude and any consent given, "is considered valid only if collected on the basis of a privacy policy that has these characteristics".

All records contain the consent form used by the publisher, the code of the relevant privacy information, the IP address of the interested party who gave the consent, as well as the date on which the consent was given. The CoEVO system verifies that all the records are complete and in the event of a negative outcome, they are blocked and subsequently deleted from the system.

Before the lists are acquired and uploaded to CoEVO, Eni Plenitude verifies the compliance of the privacy information and the consent forms associated with them and, in case of a positive outcome, approves the list.

The Company, with the help of the CoEVO application, carries out random checks on the details (privacy information and consent collected) contained in the publishers' contact lists. In the event of a negative outcome, the use of the relevant records is inhibited and a specific audit is initiated on the publisher.

Furthermore, the lists of prospect users are subject to verification at the RPO before the start of the campaign and every 14 days, to ensure that only interested parties who have not requested registration in the Public Register of Oppositions are contacted.

1.2.2. Verification at the Public Registry of Oppositions

In order to carry out the necessary checks regarding the correctness of the aforementioned telemarketing activities, on 3 August 2023 (see Prot. no. 117145/23) the Office sent the Ugo Bordoni Foundation, which manages the Public Register of Oppositions , the aforementioned list of telephone numbers contacted by Eni Plenitude as part of the telemarketing activities carried out in the period February-March 2023. With this in mind, information was requested, pursuant to art. 157 of the Code, for each numbering, regarding the possible registration in the Public Register of Oppositions (RPO) no later than 31 January 2023.

With note Prot. n. 122099 of 29 August 2023, the aforementioned Foundation sent its feedback, from the analysis of which they were registered in the Public Register of Oppositions, at the time of the promotional calls made by the Company, no. 746 telephone users, equal to just over 7% of the total number of telephone contacts that led to the activation of the service in the reference period February-March 2023 (no. 10625).

1.2.3. Supplement to the investigation

Pending the investigation, further complaints of the same tenor and content were received by the Office (see files nos. 286608 - 314553 – 322104 – 315372 - 328844).

More specifically, with complaint no. 286608, the applicant complained about the receipt of approximately 248 promotional phone calls since January 2023 on users registered with the RPO, highlighting that "the situation is intolerable, also because being a work user I often have to interrupt myself to answer, even though I have activated filters" and to have filed a complaint with the competent offices. In this case, the applicant states that he has been subjected to unsolicited activations for months and that in addition to his personal data and identity documents, the personal data of his partner have also been stolen or otherwise transferred by Eni Plenitude to call centres.

With report no. 314553 the interested party complained about receiving numerous calls made for promotional purposes, despite registration with the RPO.

With reference to file no. 322104, the complainant stated that he was first contacted by an Eni Plenitude operator - already illegitimately in possession of his personal data - and that he was induced to accept a non-binding proposal relating to an energy supply. In the immediately following days, the interested party was the recipient of further telephone contacts for the marketing of an insurance policy by operators illegitimately aware of his personal data and vicissitudes.

With report no. 315372 the interested party complained about receiving numerous unwanted calls made on behalf of Eni Plenitude. The Company responded to the complaint by noting that the interested party had given consent to receive calls for promotional purposes and for carrying out market research by Eni Plenitude, furthermore the calling number indicated belonged to a partner in charge of carrying out promotional activities . The owner has acknowledged and recorded the revocation of consent on its systems.

Finally, also with report no. 328844 the interested party complained of having been contacted by telephone on behalf of the Company, despite the change of manager.

Considering that the complaints referred to in the aforementioned files were addressed to the same owner and concern issues of the same tenor, in order to promote their organic examination and implement the principles of economy and speed referred to in the art. 9 of internal regulation no. 1/2019 (available for consultation on the website www.gpdp.it, doc-web n. 9107633), it was deemed appropriate to deal with such complaints and reports as part of the investigation already underway pursuant to and for the purposes of the following art. 10, paragraph 4, of the same regulation (joining of proceedings).

Furthermore, in this case, the joint treatment appeared more suitable to guarantee the right of defense and the need not to aggravate the proceedings, also in terms of the lower expenditure of time and resources that it objectively entails for the data controller. .

1.3.  Dispute of violations

At the end of the investigation, the Office adopted the aforementioned communication to initiate the procedure pursuant to art. 166, paragraph 5 of the Code (Prot. no. 170450/23 of 28 December 2023), in which it firstly noted that having contacted 746 telephone numbers as part of the telemarketing activities carried out in the period February-March 2023, equal to just over 7% of the total number of telephone contacts made for promotional purposes, given the registration of the same users in the RPO, and therefore the opt-out mechanism determined by the current legislation, could lead to the violation of the legislation in force regarding the protection of personal data.

This data, moreover, seemed to coincide with that - equally alarming - obtained from the feedback provided by the Company to the request for information pursuant to art. 157 of the Code. In fact, from the arguments provided by Eni Plenitude in relation to the numerous complaints received by the Authority, it emerged that only 13% of telephone contacts had been carried out in the presence of legitimacy requirements and that, on the other hand, the remaining 87% of cases were allegedly attributable to the responsibility of third parties.

In this last percentage, then, the Company included a series of contacts made during the implementation of the measures to adapt to the RPO legislation, although at the time of the contacts the Registry was already fully operational.

The Authority also noted that from the documentation in the documents and from the feedback provided by the Company, it emerged that suitable measures and controls were not put in place to ensure the traceability of the operations carried out on the company systems and to guarantee the legitimacy of the entire processing chain which , starting from the telephone contact, allows you to reach the conclusion of the contract. Nor did a mechanism appear to have been implemented to monitor and block contracts originating from illicit contact ab origine.

Equally critical issues emerged in relation to the fulfillment of the duties of monitoring and supervision of the work of data controllers and remediation initiatives in the event of obvious violations of the current legislation on the protection of personal data by such subjects.

With the same communication, the Office also contested the violation of the principles referred to in the art. 5 of the Regulation due to obvious delays in updating customer records.

Finally, the contradictory nature of the circumstances revealed through the evidence provided was highlighted, given that the Company had declared that it only used two list providers, but then in the body of the various briefs sent it had referred to multiple sub-agencies.

In summary, the Office accused Eni Plenitude of the possible violation of the articles. 5, par. 1, letter. a), d) and letter. f), 5, par. 2, 6, par. 1, letter. a), 24 par. 1, 25 and 28 of the Regulation, as well as art. 130, paragraphs 3 and 3-bis, of the Code, for having carried out processing of personal data of users and contractors in the energy sector in conflict with the principles of lawfulness and responsibility, in the absence of an appropriate legal basis and by implementing technical measures and organizational ones that are not adequate to guarantee, right from the design stage, and be able to demonstrate, that the processing is carried out in compliance with the Regulation.

2. THE DEFENSE OF THE OWNER

With note Prot. n. 569/24 of 03 January 2024, the Company requested a 60-day extension of the deadline for the defense referred to in the art. 166, paragraph 6, of the Code and to be heard by the Authority on a date subsequent to the expiry of this deadline. More specifically, on this occasion Eni Plenitude noted that the granting of a longer deadline than that of 15 days. provided for by the art. 13 of internal regulation no. 1/2019 was justified by the circumstance that the Authority had attached to the communication pursuant to art. 166, paragraph 5 of the Code, new elements (see five complaints and the results of the checks at the FUB), as well as the complexity of the issues covered by the proceedings and the dimensional characteristics of the Company. On this point, Eni Plenitude also highlighted that art. 13, paragraph 3, of internal regulation no. 1/2019 had to «be interpreted in the sense that the extension can be even greater than 15 days in the presence of objective needs represented by the recipient of the provision, in order to guarantee the effectiveness of the right of defense».

With note Prot. n. 3844 of 11 January 2024, the Office partially accepted the request, granting an extension of the deadline referred to in the art. 166, paragraph 6, of the Code up to 15 days. and representing that the files attached to the aforementioned communication of 28 December 2023 and which arrived during the proceedings were objectively small in number and concerned the same issues as those attached to the request for information pursuant to art. 157 of the Code, and in most cases the owner was already aware of it, since it was copied in the reports or because he had already provided feedback to the interested party.

With the same note, the Office also represented that the art. 166, paragraph 6, of the Code and articles. 12 and 13 of regulation no. 1/2019 of the Office of the Guarantor (in www.gpdp.it, web doc. n. 9107633) establish in favor of the owner, as the ordinary deadline for the presentation of defense briefs and request for a hearing, that of 30 days starting from receipt of the dispute. Any "short" extension, normally not exceeding 15 days, can be granted "according to criteria of proportionality also in relation to the operational/dimensional characteristics of the recipients themselves and the complexity of the matter examined". An extension of 60 days, with the effect of extending the overall deadline for sending the defense documents to 90 days (3 months), in the opinion of the Office, did not appear to comply with these proportionality criteria, both for the type of investigation (purely documentary) and in consideration of the operational-dimensional characteristics of the company which represents one of the main economic-corporate realities in the country, equipped with important resources also of a legal and organizational nature. Finally, the Office represented that the granting of such a broad extension did not even appear compatible with the practice consistently followed towards other data controllers, nor with the needs of cost-effectiveness and reasonable duration of the procedure.

With a subsequent request dated 19 January 2024 (see Prot. no. 7707 of 22 January 2024), Eni Plenitude requested access to the procedural documents, with particular reference to the request for information pursuant to art. 157 of the Code sent to the FUB and to the documentation relating to complaints nos. 286606 and 322104.

Thus with note Prot. n. 9274 of 24 January 2024, the Office notified a counter-interested party, granting a deadline for the submission of any observations.

Finally, with subsequent communication Prot. n. 14721 of 6 February 2024, the Office communicated that «having examined the reasons illustrated and considering the lack of opposition and/or transmission of observations by the other interested party, the request for access to the documents contained in file no. is accepted. 322104 (…). With reference to the further documentation requested (...) All the documentation relating to the investigation is already fully available to this Company, as transmitted by the Office together with the request for information pursuant to art. 157 of the Code and the subsequent communication of initiation of the procedure pursuant to art. 166 of the same Code. The only document not sent so far - which is attached to this document, in acceptance of the aforementioned request (annex 2) - is the request for information pursuant to art. 157 of the Code sent by the Authority to the FUB in relation to the list of telephone numbers subject to verification by Eni Plenitude itself (see telephone contacts made in the "sample" week) and of which the results were in any case shared, in the form attached to the aforementioned notification of alleged violations. The documentation relating to file no. 286608 has already been completely sent together with the aforementioned communication pursuant to art. 166 of the Code. In fact, it should be noted that annex no. 3 is reported at the bottom of the file bearing the wording "denunce030723". In any case, the file in question will be sent again."

2.1 Preliminary and procedural objections raised by the data controller

With defense briefs filed on 12 February 2024 (see Prot. no. 17493 of 13 February 2024), the Company preliminarily highlighted the onerousness of the request for information pursuant to art. 157 of the Code due to the "short deadlines assigned for feedback", the extension of the time frame of the request and the further and contemporary requests for information received by the Company from another department of the same Authority.

The Company then noted that the correctness of the governance adopted for the management of telephone contact activities for promotional and sales purposes had already been addressed with the Authority's provision no. 232/2019 and that nevertheless «on the night of 28 December 2023, after six months of silence, the Authority notified Plenitude of the communication of initiation of the procedure», also contesting «totally new elements: (a) five new complaints, on which the Company had to carry out internal investigations, moreover without having had the opportunity to speak with the Guarantor in the preliminary investigation phase of the procedure designated for this purpose; and (b) a response received by the Authority on 29 August 2023 from the Ugo Bordoni Foundation (...) without the knowledge of Plenitude and not shared during the preliminary investigation, asking to verify for each of the telephone numbers provided by Plenitude with the First Feedback "the possible registration in the Public Register of Oppositions".

Eni Plenitude then highlighted that the Office had granted an extension of the deadline referred to in the art. 166, paragraph 5, "of only 15 days" and that the response to the access request presented by the Company had only been sent on 6 February 2024 "a few days after the deadline for submitting written deductions".

Furthermore, the company objected to the violation of the 120-day deadline for notification of the communication pursuant to art. 166, paragraph 5 of the Code, provided for in Table B of internal regulation no. 2/2019 (available for consultation on the website www.gpdp.it, doc-web n. 9107640), identifying the dies a quo with the date «29 June 2023, when Plenitude sent the last response to the request for information of 11 May 2023" and representing that the deadline for notification of the dispute was 27 November 2023.

On this point, Eni Plenitude also noted that the aforementioned deadline could not start from the date of the FUB's response to the request for information, given that the request pursuant to art. 157 of the Code and the confirmation had occurred during the period of suspension of the deadlines (see 1-31 August), that the Company had not been informed of this request and therefore had relied on the passage of the deadlines, which the Authority on the date of the request to the FUB had already benefited more than 30 days. for their own reflections and that therefore the claim to reset "the deadline by making it unilaterally start from the request to the FUB" was not admissible.

Eni Plenitude then objected to the violation of the principle of due process and that the objections raised are the result of misunderstandings of the facts due to the lack of effective cross-examination and collaboration, as the Authority:

the. «he kept the complaints and reports in storage (…) for over a year and a half»;

ii. «with the request for information dated 11 May 2023, it launched autonomous investigations that were largely independent of each other (i.e., the feedback relating to the so-called sample week and the feedback on the individual complaints together with the relevant update to the reporting on the phenomenon of suspicious calls in March 2021)";

iii. «he formulated generic and aseptic questions (…) raising surprise and merely hypothetical objections»;

iv. «while Plenitude was committed to responding in a very short time to the request of 11 May 2023, it simultaneously sent to Plenitude further requests for information relating to completely different issues and the subject of further new investigations on 9 and 14 June 2023»;

v. did not communicate the sending of the request to the FUB and with the objection deduced completely new facts and circumstances, without granting an extension of the defense deadline;

you. granted access to the documents with delay.

Finally, Eni Plenitude disputed the violation of the principle of ne bis in idem and legitimate expectations, noting that the facts covered by the investigation conducted in 2023 had already been examined by the Guarantor during the 2019 investigation, concluded with the adoption of provision no. 232/19 and that the corrective measures implemented in compliance with this provision had been agreed with the Authority itself.

2.2 The substantive objections raised by the data controller

On the merits, the Company requested the dismissal of the proceeding due to the absence of the subjective element of fault, provided for by the art. 3 of Law no. 389/1981, as a minimum requirement for the application of administrative sanctions, as «Plenitude has not only adapted to the measures prescribed by the Authority with provision no. 232/2019 but to date has also had the legitimate expectation that the measures represented at the time during the investigation had been deemed adequate".

With specific reference to the 747 numbers registered in the RPO and related to the purchase proposals that occurred during the so-called. sample week, Eni Plenitude stated that «these numbers, however, do not necessarily correspond to those used for contacts in the context of promotional campaigns, as during telephone contacts various customers ask to include in the contractual proposals telephone numbers other than those on who were contacted." On this point, the Company also noted that not all numbers must be previously verified with the RPO, but that this need depends on the reference target (customers, potential customers, former customers) and the sales channel used.

In the case of promotional campaigns aimed at customers, the Company deems verification with the RPO unnecessary, since for outbound teleselling the contact lists are created on the basis of the specific consent for telemarketing activities issued within the contractual relationship , in line with the provisions of the art. 1, paragraph 5, of Law no. 5/2018. For the assisted web channel, however, it is the customer who has expressed, via the appropriate contact form, the desire to be called for commercial purposes.

Differently in the case of promotional campaigns aimed at potential customers (so-called prospects) and carried out through the outbound teleselling channel, the Company explained that the contact lists are always verified in advance at the RPO, with the exception of co-marketing campaigns, which are carried out towards the customers of Eni Plenitude's commercial partners on the basis of a specific consent provided to the partners by their customers. In the comparator and assisted web channels, however, it is the potential customer who requests telephone contact, which takes place immediately after the request.

In the context of promotional campaigns aimed at former customers, carried out through the outbound teleselling channel and aimed at customers who ceased for less than 30 days, however, the contact is made on the basis of the consent given in the context of the contractual relationship pursuant to art. . 1, paragraph 5 of Law no. 5/2018. Otherwise, the lists of customers who have ceased working for more than thirty days are previously verified at the RPO.

Again, with reference to the 747 contacts made over the course of the so-called. sample week, Eni Plenitude found that:

• 89 numbers do not correspond to those used for telephone contacts;

• 381 numbers were contacted via the comparator channel on the basis of the express consents given on the portals;

• 179 numbers were contacted via the assisted web channel;

• 80 numbers were contacted as part of campaigns aimed at customers on the basis of consents given in the context of contractual relationships;

• 17 numbers were contacted as part of co-marketing campaigns;

• 1 number contacted the Company's partner number directly.

In relation to the complaints received by the Authority, the Company recalled the subdivision into 5 macro-categories carried out during the responses to the request for information pursuant to art. 157 of the Code and with specific reference to the complaints attached to the communication pursuant to art. 166, paragraph 5, of the Code objected that they were not the subject of a specific investigation. On this point, the Company nevertheless noted that files nos. 314553, 315372 and 322104 can be classified as legitimate contacts, file no. 328844 is the result of a so-called. suspicious third party call and file no. 286608 cannot be traced back to any macro-category and therefore cannot be said to be homogeneous with the other complaints.

For the same reasons, Eni Plenitude then objected to the unfoundedness of the complaint relating to the absence of adequate control and monitoring measures for the uploading phase of the contractual proposals, also reiterating that the failure to track the IP address of the workstation which uploaded is not able to demonstrate the general absence of measures aimed at preventing the infiltration into the Company's systems of proposals generated by subjects outside the sales network, that there is no evidence of the presence of illicit proposals in the company systems, which none of the suspicious third-party calls resulted in a purchase offer.

The Company reiterated its commitment to combating the phenomenon of suspicious calls from third parties and that it does not derive any economic advantage from them, as they are made by competitors who illicitly use the name of Eni Plenitude with the intention of offering energy services provided by other operators .

Finally, Eni Plenitude contested the value of best practices attributed to the Code of Conduct for telemarketing and teleselling activities, noting that it constitutes a «consolidation proposal and an attempt to reorganize the guidelines expressed by the Guarantor in a single document. The Code absolutely does not represent the state of the art adopted by all market operators and in any case provides for certain measures, including IP address tracking, for simplifying purposes only".

In this regard, the Company also noted that based on the specifics of its sales chain, it assessed the IP address as "an unnecessarily and excessively invasive measure" compared to the benefit returned by the various safeguards adopted in terms of due diligence and monitoring towards partners (so-called privacy induction).

In relation to the complaints raised on the commercial chain, Eni Plenitude highlighted that in recent years the relationship between the number of agencies and the volume of business has become inversely proportional, that the partners involved in the cases classified as "illegitimate contacts" had been appointed responsible of the processing pursuant to art. 28 of the Regulation and who therefore acted in violation of the instructions given. Furthermore, the same partners had become aware of the illegitimate conduct carried out by their agents and had removed them even before the start of the preliminary investigation by the Guarantor. In any case, thanks to the timely intervention, the agents in question had not generated any contractual proposals.

Eni Plenitude then objected to the unfoundedness of the complaint relating to the lack of separation measures for the databases used by multi-firm agencies, deducing the absence of evidentiary elements and attributing these telephone contacts to human error.

Compared to the contacts made during the so-called sample week and classified as "FUB in the process of being activated", Eni Plenitude has clarified that these are «telephone contacts made to numbers registered in the RPO pending the completion of the internal Plenitude process for adaptation to the new rules on the RPO, which ended with a delay of just around 30 days", due to the delay in the publication of the price lists by the FUB and the timescales necessary for the complete updating of the internal processes.

Finally, with reference to the violation of the principle of accuracy of the data processed (see file 183604), Eni Plenitude contested the findings on the contact times and stated that in this case it was «an exceptional and completely isolated case deriving from the configuration initial CoEVO of 2019, consolidated for years now, which cannot therefore in itself constitute an element to be placed at the basis of the system challenge the Authority addresses to Plenitude, given that evidently no further circumstances emerged from the preliminary investigation capable of demonstrating the existence of critical issues at the process level".

2.3 The hearing pursuant to art. 166, paragraph 6 of the Code.

During the hearing held on 20 February 2024 at the Authority's offices, the Company provided the complete and updated mapping of its commercial supply chain, including the appointments as Data Controller pursuant to art. 28 of the Regulation.

The Company then clarified that in the event of an expression of interest by the customer (via web or telephone) who provides their contact details, they will usually be contacted within a couple of days. Any extensions of this time window are due to the coincidence of holidays, weekends, or in the event that the customer does not respond. The lead is considered "hot", i.e. usable for possible recontacts, for 15 days. expired which no further contacts are made.

As for co-marketing activities, the Company explained that these campaigns are carried out using the customer base of the respective companies, which have previously acquired the customer's consent. By way of example, in the context of campaigns carried out in co-marketing with XX, the list is passed from XX to its teleseller partner. The user is contacted preliminarily on behalf of XX and, if he expresses his interest in adhering to the Eni Plenitude offer, the teleseller at that point no longer acts as an external manager of XX, but in the guise of data controller on behalf of Eni Plenitude and submits the contractual proposal to the customer.

Finally, with reference to the activities of the so-called. win back, it emerged that the Company makes contact attempts with former customers to understand the reasons for changing supplier and verify their interest in a new offer, after verifying the existence of marketing consent. These activities are carried out over 30 days. from the termination of the contract.

3. ASSESSMENTS BY THE AUTHORITY

From the elements that emerged during the investigation and from the examination of the defense deployed by the Company, as will be argued more fully and analytically below, all the hypotheses of violation formulated through the communication of initiation of the procedure pursuant to art. 166, paragraph 6, of the Code.

3.1 Preliminary and procedural questions

The preliminary and formal objections formulated by the Company cannot be accepted as they are specious and clearly unfounded.

In this case, Eni Plenitude preliminarily objected to the violation of the principle of due process and of ne bis in idem, to have the Authority open a new investigation, despite the adoption of the provisions. no. 231 and 232 of 11 December 2019, simultaneously notified multiple requests for information and rejected the request for an extension of the deadlines granted for the purposes of feedback.

The invoked ne bis in idem prohibition, of known criminal origin, can be deduced from the provisions of the art. 649 c.p.p., which establishes the prohibition on subjecting the accused who has been definitively acquitted or convicted for the same fact to a new trial, even if considered differently in terms of title, degree or circumstances.

This principle undoubtedly represents, as well as a canon of civilization, a fundamental right of the person. So much so that even at the level of supranational legislation it is possible to find similar provisions both in the letter of the art. 50 of the Charter of Fundamental Rights of the European Union, which provides that «No one may be prosecuted or convicted for a crime for which he has already been acquitted or convicted in the Union following a final criminal sentence in accordance with the law», which to Prot. n. 7, art. 4 of the ECHR which reads «1. No person may be criminally prosecuted or convicted by the jurisdiction of the same State for an offense for which he has already been acquitted or convicted following a final judgment in accordance with the law and criminal procedure of that State. 2. The provisions of the previous paragraph do not prevent the reopening of the trial, in accordance with the law and criminal procedure of the State concerned, if supervening facts or new revelations or a fundamental flaw in the previous procedure are capable of invalidating the sentence received. 3. No derogation from this Article shall be authorized under Article 15 of the Convention."

By constant orientation of jurisprudence, the identity of the fact exists when there is historical-naturalistic correspondence in the configuration of the crime, considered in all its constituent elements (conduct, event, causal link) and with regard to the circumstances of time, place and person .

With reference to proceedings before independent Administrative Authorities, the question of the applicability of the principle in question has historically arisen with particular reference to the so-called. double track of sanctions and was resolved with the well-known and consolidated jurisprudential orientation which considers the principle of ne bis in idem applicable to proceedings instituted before independent Administrative Authorities, when the sanctions actually imposed are essentially criminal in nature (see ECtHR ruling of 4 March 2014, Grande Stevens v/Italy). 

According to European jurisprudence, therefore, regardless of the nomen iuris, those sanctions which can be considered such in light of the so-called criminal nature are essentially criminal in nature. Engel criteria: internal legal qualification; nature of the offense and function of the consequent provision envisaged, which must be generally applicable and have a preventive and repressive purpose; severity of the sanction.

On this point it is also appropriate to remember that the provisions of the Guarantor, pursuant to articles. 78 of the Regulation and 152 of the Code, can be challenged before the judicial authority through an effective judicial appeal.

It follows that once the deadlines for appealing the Guarantor's decision have expired, or once all the means of appeal provided for by the law have been exhausted, the provisions contained in the provision or in the sentence become definitive and unassailable both for the supervisory Authority and for the recipient thereof.

The described procedural sequence constitutes the normative application of the principle of legal certainty, of which the principle of ne bis in idem is a logical corollary.

Even if in 2019 the Authority adopted two separate measures against Eni Plenitude (then Eni gas and Luce), concerning facts, complaints and the privacy governance implemented at the time by the Company, the alleged violation of the principle of ne bis in idem , in this case cannot be accepted given the evident absence of the requirement of the identity of the naturalistic fact underlying the proceeding.

Today's investigation, in fact, originates from numerous complaints received by the Authority subsequent to the resolution of measures nos. 231 and 232 of 2019 and from the verification carried out as part of a "sample week" (6-13 March 2023) on telephone contacts made during the reference period, which led to the activation of an energy supply.

The identity of the thema decidendum cannot even be artfully invoked on the basis of the fact that some of the provisions referred to in today's dispute were also invoked in the previous proceedings, given that what amounts to violating the principles of legal certainty and the prohibition of ne bis in idem, it is not so much and only the normative basis of the reproach, but - we reiterate - the identity of the naturalistic fact.

Also because if this were not the case, hypothetically, after having been the recipient of an initial provision, the data controller could violate the same provisions again and ad libitum, being exempt from any reprimand and/or sanction.

On the other hand, the observation on the measures to adapt to previous provisions "agreed" with the Authority, which the Company appears to invoke as certification of conformity of its privacy system with current legislation, cannot be accepted as the guidelines expressed by the Office they have limited effectiveness to the object and the historical context in which they were pronounced, also due to the considerable period of time that has passed and the regulatory and socio-economic developments that have occurred in the meantime.

So much so that the Regulation, in more than one rule, requires the data controller to periodically update the security measures and its privacy governance, precisely in order to adapt it to the so-called. "state of the art", "scope" and "context".

The exception regarding the alleged onerousness of the requests sent by the Authority appears equally specious, since Eni Plenitude never mentioned it in any of the previous discussions with the Department, but raised this exception for the first time only during the filing of defense briefs pursuant to art. 166, paragraph 6, of the Code, which took place on 12 February 2024 (see Prot. no. 0017493 of 13 February 2024) and referring to the requests for information sent in June 2023 (i.e. eight months earlier).

In the Company's opinion, the practice followed by the Office of cumulatively investigating complaints received even at different times would also violate the principles of due process and make the investigation onerous.

In this regard, it is worth noting that the joint investigation is not only provided for by the internal regulations, since it responds to the principles of economy and non-exacerbation of the administrative procedure, but also represents a safeguard for the prerogatives of the data controller.

In fact, with reference to the processing of personal data carried out in the context of telemarketing, the Authority receives thousands of reports. The individual treatment of each complaint would not only be practically impossible, but would have the effect of forcing the data controller to invest significant resources in the defense of his own reasons and of infinitely multiplying the proceedings and the consequent sanctions, which would also end to constitute a precedent - and therefore an aggravating circumstance - for the other.

Nor can the alleged onerousness of the procedure and the alleged violation of the procedural rules be traced back to the circumstance that the Office contested for the first time in the communication pursuant to art. 166, paragraph 5, of the Code, what emerged in relation to no. 5 complaints/reports, which arose while the investigation was pending against the same Company. In fact, the prior conversation with the party, e.g. through the request for information pursuant to art. 157 of the Code, constitutes only one of the possible investigation methods provided for by law.

It follows that, in the event that it is not necessary to acquire further investigative elements, the Authority can validly and directly proceed to contest the violation on the basis of the circumstances acquired through complaints and reports. In similar cases, however, the right of defense and the right to be heard are in any case guaranteed by the possibility given to the party to present within the 30-day deadline. starting from the notification of the communication, documents and briefs, as well as the request to be heard by the Authority.

Finally, the alleged violation of the principle of due process and internal regulations, in relation to the failure to grant the extension of the deadline for defense pursuant to art. 166, paragraph 6, of the Code and the alleged delay in accepting the request for access, given that the Company was already in possession of all the preliminary documentation, as the direct recipient of the complaints or because it had already been sent to it by the Authority.

The art. 13 of internal regulation no. 1/2019 provides that normally the deadline for exercising the right of defense is equal to 30 days, but that upon justified request, this deadline can normally be extended up to 15 days, also according to proportionality criteria. in relation to the operational/dimensional characteristics of the recipients themselves and the complexity of the matter examined. It follows that only in exceptional cases can a longer deadline be granted.

In this case, having examined the reasons given by the Company, considering the purely documentary nature of the proceedings and the issues that arose, the dimensional characteristics of the company and that Eni Plenitude was already aware of almost all of the complaints, there is no doubt that no circumstances existed such as to justify the granting of a term longer than the aforementioned 15 days.

In addition, it is worth noting that in multiple completely similar investigations (including the previous one against Eni Gas e Luce - now Eni Plenitude), from which the adoption of provision no. 232 of 11 December 2019) the Office has consistently granted an extension of 15 days. and no exceptions have ever been raised in this regard.

Furthermore, the request appeared ictu oculi specious and intended to pre-establish a possible reason for complaint, not only due to the absence of exceptional reasons and/or circumstances in support, but also because it would have had the effect of tripling the ordinarily deadline granted, in disregard of the principles of equal treatment and reasonable duration of the proceedings.

The exception regarding the alleged delay in accepting the request for access to documents as complained about by the Company is equally specious and designed to pre-establish grounds for complaint.

As proof of this, it would be sufficient in itself to observe the timing of the request forwarded on 19 January 2024 and therefore one week before the expiry of the deadline pursuant to art. 166, paragraph 6 of the Code.

Based on the practice constantly followed by the Office, attached to the request for information pursuant to art. 157 of the Code and the communication of initiation of the procedure pursuant to art. 166, paragraph 5, of the Code, all documents and elements useful for the exercise of the right of defense and the organic examination of the issues covered by the investigation are transmitted, with the exception of documentation that is excessive, irrelevant or covered by secrecy. .

In this case, the only documents that had not been attached to the aforementioned communications were correspondence that were completely irrelevant for the purposes of the defense, considering that:

- all the results of the verification at the FUB had already been shared (i.e. excel files with the analytical indication of the numbers registered in the RPO);

- the documentation relating to file no. 286608 had already been duly sent together with the note pursuant to art. 166 of the Code;

- the further documentation requested relating to file no. 322104 consisted of a contract and a transfer revocation concerning different companies and which have nothing to do with Eni Plenitude.

Furthermore, since the Company requested the presentation of contractual and banking documentation, as represented in the note replying to the request for access, it was necessary to notify the other interested party which led to a physiological extension of response times, certainly not attributable to the 'Office.

Finally, the exception relating to the alleged violation of the 120-day deadline cannot be accepted either. provided for the notification of complaints pursuant to internal regulation no. 2/2019.

In the case in question, the communication pursuant to art. 166, paragraph 5 of the Code was notified on 28 December 2023 and therefore, taking into consideration the holiday suspension period pursuant to the law, within the deadline of 120 days starting from the verification of the violation. 

The moment of ascertainment of the violation dates back, at least (and without wanting to cite the constant jurisprudence of the Supreme Court of Cassation and the Council of State which identifies a date subsequent to that of the material acquisition of information and documents, corresponding to the one in which the investigating officer summarizes these elements to determine the existence and consistency of the violation), on the date of the response by the FUB to the request for information pursuant to art. 157 of the Code (see Prot. no. 122099 of 29 August 2023), when the Office has definitively come into possession of all the objective and subjective elements useful for the classification and qualification of the case.

On this point, the Company criticizes the Office's actions, maintaining that the period of time that elapsed between the last feedback it provided to the Authority and the notification of the dispute would have been such as to generate a legitimate expectation in relation to the filing of the method. This thesis cannot be accepted, since the Authority has requested a series of detailed information on the so-called. sample week, it was very reasonable to expect that the Office would carry out a series of checks and investigations on these activities as well. In any case, the psychological element linked to the acquisition of an erroneous expectation regarding the future decisions of the Authority falls exclusively within the internal sphere of the offender which cannot be relevant for determining the illegitimacy of an administrative act, in the absence of specific violations of procedural rules.

3.2 Substantive issues

Also on the merits, the complaints raised against Eni Plenitude appear fully supported by the elements acquired through the numerous complaints received by the Authority, by the results of the sample investigations conducted and by the circumstances that emerged during the investigation.

First of all, in fact, the violation of the articles appears to be extremely proven. 5 par. 1, letter. a), 5 par. 2 and 6 of the Regulation and art. 130 of the Code for having the Company carried out telemarketing activities in the absence of a suitable legal basis and for having contacted multiple interested parties pending the process of adaptation by the Company to the RPO legislation.

As for the delay found in the operations to adapt to the regulations referred to in art. 130 of the Code, it should be noted that the violation is not only proven by the numerous complaints received by the Guarantor and by the checks carried out, but also by the declarations issued during the procedure by Eni Plenitude itself.

The Company, in fact, with reference to n. 8 complaints received by the Authority, admitted that it had not promptly adapted to the legislation in question, due to the failure to publish the price lists by the FUB. Although the matter is known to the Office, it should be noted that Eni Plenitude could have waited for the publication of the price lists or diversified its advertising activities - as other operators appear to have also done - rather than continuing its marketing campaigns without carrying out the appropriate checks at the RPO.

Likewise, the process of managing contact lists, as represented by the Company, does not appear to be entirely compliant with the letter and spirit of the aforementioned regulations.

With regards to promotional campaigns aimed at customers via the out-bound teleselling channel, the Company has declared that it does not deem it necessary to verify with the RPO and to carry out this processing on the basis of the specific consent given in the context of the contractual relationship pursuant to art. . 1, paragraph 5, of Law no. 5/2018.

But from the documents of the proceedings it does not appear that the Company has implemented the prescribed simplified methods to allow the easy revocation of such consents (see art. 1, paragraph 5, of Law no. 5/2018 «(...) Without prejudice to the consents given in the context of specific contractual relationships in existence, or terminated for no more than thirty days, concerning the supply of goods or services, for which the right of revocation is in any case ensured, with simplified procedures"), It follows that the contact lists could not be used without prior verification with the RPO and that as a result, such telephone contacts were made in violation of the legislation on the protection of personal data.

In relation to the co-marketing campaigns, Eni Plenitude has stated that they are aimed at customers of partner companies who have previously given consent and who show interest in Eni Plenitude offers. In such cases the lists are not subject to verification at the RPO and the telephone contact is made by a person who acts first as data controller of the partner company and then, in case of interest in the offer, as data controller. treatment for Eni Plenitude. The practice just described, which also raises doubts in terms of transparency and correctness of the processing and commercial practice - does not appear legitimate, nor respectful of the regulatory provisions, since it effectively amounts to an expedient invoked to evade the provisions of the art. . 130 of the Code and articles. 5 and 6 of the Regulation, as well as the obligation to consult the RPO before carrying out a marketing campaign.

The processing in question, therefore, appears to have been carried out in the absence of an appropriate legal basis and adequate technical and organizational measures, considering that on the one hand the original consent cannot be used to justify the carrying out of processing for diversified purposes and the transfer of data from one owner to another. On the other hand, it does not appear that suitable security measures have been implemented to ensure the separation of the records of customers belonging exclusively to Eni Ple-nitude, customers attributable to both Eni and partner companies and customers belonging exclusively to partners.

Likewise also the management of CD campaigns. win back presents multiple critical aspects. On this point, the Company declared that pursuant to art. 1, paragraph 5 of Law no. 5/2018 customers who ceased for less than 30 days. are contacted without prior verification with the RPO, while campaigns aimed at customers who have ceased for more than 30 days. provide for such verification.

But similarly to what has already been noted with respect to marketing campaigns carried out towards customers, the rule in question cannot be applied in the absence of the implementation of simplified methods for exercising the right of revocation. It follows that these treatments are also carried out in the absence of an appropriate legal basis and in violation of the legislation on the protection of personal data.

Furthermore, from the feedback provided regarding the individual complaints received by the Authority, further critical issues emerge in relation to the so-called campaigns. win back also in terms of the relative timing and recontact attempts.

In fact, if it is incontrovertible that there may be a basis of legitimacy underlying the contact campaigns aimed at former customers and a mutual interest of both parties, these activities must be contained within reasonable time limits (corresponding to the retention period of the data for processing with promotional purposes) and attempts to recontact, as this could otherwise reveal an undue intrusion into the personal sphere of the interested party which is potentially unlimited in time.

In relation to file no. 185620, for example, the telephone contact being reported occurred on 25 August 2022, even though by Eni Plenitude's own admission the customer had ceased four years earlier (see 2 January 2018).

And again in relation to file no. 185972 the telephone contact being reported occurred on 30 August 2022, even if the customer had ceased to work two years earlier (see 31 August 2020).

According to the Company's declarations, another case study of marketing activities not subject to prior verification by the RPO is that concerning the so-called. hot leads, meaning those individuals who express an interest in receiving a commercial offer from Eni Plenitude by telephone or via the web and who are therefore considered contactable for 15 days. following this expression of interest.

Even this long period of contactability does not appear to be entirely compliant with the regulatory provisions and seems to confuse the pre-contractual interest in the offer with the granting of actual consent to processing for marketing purposes.

Furthermore, if this practice were to be considered legitimate, the interested party would remain without protection because he could not revoke the marketing consent - never given - either with a request presented directly to the owner, or by registering with the RPO. The interested party could, if anything, only object at the moment of contact and therefore to an unwanted call already received, with a consequent and unacceptable lack of protection. This proposition appears all the more paradoxical if we consider that no provision of the Code, the Regulation or Law no. 5/2018 exempts the data controller from reporting to the RPO the data of interested parties intended for promotional contact in the 15 days following the collection of the data themselves, but rather, the aforementioned legislation requires such feedback before carrying out any promotional campaign.

In light of these findings, therefore, with reference to the 747 contacts made during the so-called. sample week, at least the following 657 must be considered illegitimately carried out:

• 381 numbers were contacted via the comparator channel on the basis of the express consents given on the portals;

• 179 numbers were contacted via the assisted web channel;

• 80 numbers were contacted as part of campaigns aimed at customers on the basis of consents given in the context of contractual relationships;

• 17 numbers were contacted as part of co-marketing campaigns.

The data is extremely alarming if we consider that by multiplying 657 contracts stipulated following an illicit contact ab origine which occurred during the so-called. sample week, for the working weeks present in a year, we would obtain that hypothetically the Company would have received the proceeds of approximately 32,850 supplies in a year that should never have been activated.

Equally well-founded were the complaints relating to the failure to implement security measures and an effective monitoring and control structure on the entire commercial chain of processing which "from contact leads to the contract", with consequent violation of the articles. 5, 24, 25 and 28 of the Regulation.

On this point, the exception raised in relation to the failure to implement a tracking system for contracts included in company systems turned out to be completely contradictory, considering that the Company declared that it had set up a work team for compliance with the Code of Conducted and then contested its value as best practices.

In any case, with the entry into force of the Regulation and the principle of accountability, it is no longer the legislation that defines the minimum and mandatory measures that the data controller is required to adopt; In fact, the data controller has the task of identifying the most appropriate technical and organizational security measures in relation to the state of the art, the specificities of his organization and the context and of proving compliance with them (art. 5, § 2 , of the Regulation).

It follows that the measures and precautions provided for by the Code of Conduct (approved by the Guarantor with provision no. 70 of 9 March 2023, in www.gpdp.it, web doc. no. 9868813), in particular those established by art. 5, paragraph 8, assume, regardless of the full effectiveness of the same and the adhesion of the owners, a corpus of best practices to be personalized, integrated and appropriately adapted to the specificities of the individual organization and to the concrete risks for the rights and freedoms of the interested parties .

Therefore, the failure to adopt one of the measures provided for therein cannot automatically constitute a violation of the legislation on the protection of personal data, but on the basis of careful assessments to be conducted on a case-by-case basis, it can be a symptomatic indicator, especially in the event of failure to implement suitable measures to mitigate the same type of risk for which the measure envisaged by the Code was preordained.

In this case, therefore, the Company not only failed to adopt a series of measures and precautions which notoriously amount to best practices, which were also included in a sector Code widely shared with the major exponents of the categories involved, but it did not even demonstrate that it had adopted measures equally suitable to avoid the risk that contracts stipulated on the basis of illicit contact may enter company systems.

From the elements that emerged through the complaints sent to the Authority and from the random checks carried out, however, a serious gap was ascertained precisely in relation to the control and monitoring activities carried out on the agencies and sub-agencies.

The carrying out of purely formal controls, limited only to the removal of the individual agent who has violated the instructions given or to the carrying out of audits only in the case of anomalies, if not accompanied by the implementation of measures aimed at preventing entry into the company systems of contracts stipulated on the basis of telephone contacts that should never have occurred, is not in itself sufficient to guarantee full compliance with the regulatory provisions.

More than one complaint has been attributed by the Company to the actions of agents who were subsequently removed, but this did not result, for example, in any further verification of the contracts entered by the same agent or the same agency, not even in cases of recurring violations.

Likewise, no remedial measure or repressive conduct was adopted against those agents who, by the company's own admission, made telephone contacts "not on behalf of Eni Plenitude", since it appears evident that an illegitimate mixing of databases occurred with consequent unlawful processing of personal data.

Finally, the violation of the art must also be confirmed. 5 of the Regulation in relation to report no. 183604, in the part in which it provides that personal data must be accurate and, if necessary, updated by adopting all reasonable measures to promptly erase or rectify data that are inaccurate in relation to the purposes for which they were processed, attributable to a delay in updating the relevant data on company systems, as admitted by the Company itself in its defense writings.

In relation to the alleged violations and contrary to what is claimed by the Company, the subjective requirement of violation must also be considered to exist, at least in terms of guilt. Considering that Eni Plenitude was the direct recipient of more than one complaint, implemented various reporting channels, was aware of the dismissal of certain agents and in any case gained a significant economic advantage from the conduct subject to censorship, was therefore also aware of the consequent events in the terms described above.

Eni Plenitude's responsibility for the disputed violations must therefore be definitively confirmed through the communication of initiation of proceedings pursuant to art. 166, paragraph 5 of the Code.

4. CONCLUSIONS

For the above, Eni Plenitude's responsibility for the following violations is deemed to be established:

a) articles. 5, par. 1, letter. a), d) and f) and par. 2 of the Regulation for having processed personal data in violation of the principles of lawfulness, correctness, transparency, accuracy and security;

b) articles. 5 par. 1, letter. a), d), 5 par. 2, and 6 of the Regulation and art. 130 of the Code for having carried out telemarketing activities in the absence of a suitable legal basis;

c) articles. 5 par. 1, letter. f), 5 par. 2, 24, 25 and 28 of the Regulation for the failure to implement suitable security measures, as well as monitoring and control over the entire commercial chain which, from contact, allows the contract to be concluded.

Furthermore, having ascertained the illegality of the Company's conduct with reference to the treatments examined, it is necessary to:

- impose on Eni Plenitude, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of the data of complainants and whistleblowers;

- order Eni Plenitude, pursuant to art. 58, par. 2, letter. d) and e) of the Regulation, to communicate to the 657 interested parties, whose personal data entered the Company's systems following illicit contacts, the outcomes of today's proceedings on the basis of a text to be agreed with the Authority during the application of this provision;

- order Eni Plenitude, pursuant to art. 58, par. 2, letter. d) to prepare adequate controls within its sales network and adequate system implementations, in order to exclude contracts generated by illicit contacts from entering the company assets;

- order Eni Plenitude, pursuant to art. 58, par. 2, letter. d) to prepare adequate measures to ensure that the processing of personal data is carried out in compliance with the principles set out in the art. 5 of the Regulation;

- adopt an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Eni Plenitude of the pecuniary administrative sanction provided for by the art. 83, par. 3 and 5 of the Regulation.

5. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Eni Plenitude of the pecuniary administrative sanction provided for by the art. 83, par. 3 and 5 of the Regulation (payment of a sum of up to €20,000,000.00 or, for businesses, up to 4% of the annual worldwide turnover of the previous financial year, if higher).

To determine the maximum statutory fine, reference must be made to Eni Plenitude's turnover, as obtained from the ordinary financial statements for the year 2022, in accordance with the previous provisions adopted by the Authority and with the indications contained in the " Guidelines no. 4/2022 on the calculation of administrative pecuniary sanctions pursuant to the GDPR", and therefore this statutory maximum is determined, in the case in question, at €320,981,542.00.

To determine the amount of the sanction it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation;

In the case in question, the following are relevant:

1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purpose of the data processed, attributable to the overall phenomenon of telemarketing, in relation to which the Authority has adopted, in particular in the last three years, numerous measures which have fully examined the many critical elements, providing data controllers with numerous indications to adapt the processing to current legislation and to mitigate the impact of nuisance calls on the interested parties;   

2) as a mitigating factor, the circumstance that Eni Plenitude promptly complied with the requirements imposed through the approval of the previous provisions (art. 83, par. 2, letter i) of the Regulation);

3) the circumstance that, in the previous sanctioning measures adopted by the Guarantor (n. 231 and 232 of 11 December 2019), Eni Plenitude defined the dispute with a reduced payment, which determines, pursuant to art. 8-bis, paragraph 5, of law no. 681/1989, the non-applicability of the aggravating circumstance referred to in the art. 83, par. 2, letter. And).

Based on all the elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by the art. 83, par. 1 of the Regulation, it is believed that the administrative sanction of payment of a sum of euro 6,419,631.00 (six million four hundred and nineteen thousand six hundred and thirty-one/00) should be applied to Eni Plenitude, equal to 2% of the maximum sanction imposed.

In the case in question, it is believed that the additional sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the nature of the Company's processing and conduct, as well as the elements of risk for the rights and freedoms of the interested parties.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

ALL THIS CONSIDERING THE GUARANTOR

a) imposes on Eni Plenitude, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of the data of whistleblowers and complainants;

b) orders Eni Plenitude, pursuant to art. 58, par. 2, letter. d) and e) of the Regulation, to communicate to the 657 interested parties, whose personal data entered the Company's systems following illicit contacts, the outcomes of today's proceedings on the basis of a text to be agreed with the Authority during the application of this provision;

c) orders Eni Plenitude, pursuant to art. 58, par. 2, letter. d) to prepare adequate controls within its sales network and adequate system implementations, in order to exclude contracts generated by illicit contacts from entering the company assets;

d) order Eni Plenitude, pursuant to art. 58, par. 2, letter. d) to prepare adequate measures to ensure that the processing of personal data is carried out in compliance with the principles established in the art. 5 of the Regulation;

e) orders Eni Plenitude, pursuant to art. 157 of the Code, to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation;

ORDER

to Eni Plenitude S.p.A. Benefit company, with registered office in San Donato Milanese (MI), Piazza Vanoni n. 1, VAT no. 12300020158, to pay the sum of euro 6,419,631.00 (six million four hundred and nineteen thousand six hundred and thirty-one/00) as a pecuniary administrative sanction for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, by complying with the instructions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of euro 6,419,631.00 (six million four hundred and nineteen thousand six hundred and thirty-one/00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts to norm from the art. 27 of law no. 689/1981.

HAS

The application of the accessory sanction of the publication of this provision on the Guarantor's website, provided for by the articles. 166, paragraph 7 of the Code and 16 of the Guarantor's Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by the art. 57, par. 1, letter. u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation itself.

Pursuant to the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself. .

Rome, 6 June 2024

PRESIDENT
Stanzione

THE SPEAKER
Stanzione

THE GENERAL SECRETARY
Mattei