Garante per la protezione dei dati personali (Italy) - 10008076
Garante per la protezione dei dati personali - 10008076 | |
---|---|
Authority: | Garante per la protezione dei dati personali (Italy) |
Jurisdiction: | Italy |
Relevant Law: | Article 5(1)(f) GDPR Article 5(2) GDPR Article 24(1) GDPR Article 25(1) GDPR Article 28(1) GDPR Article 32(1) GDPR Article 83(2)(a) GDPR Article 83(2)(k) GDPR Article 130(3-bis) d.lgs. 196/2003 Article 130(3) d.lgs. 196/2003 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 31.05.2023 |
Decided: | 11.04.2024 |
Published: | |
Fine: | 100000 EUR |
Parties: | Facile.Energy SRL |
National Case Number/Name: | 10008076 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Italian |
Original Source: | Garante per la protezione dei dati personali (in IT) |
Initial Contributor: | fb |
The DPA fined a company €100,000 for the unlawful processing of phone numbers for telemarketing purposes. The DPA hold that a controller cannot transfer its liability and obligations under GDPR to the processor by means of a contractual clause.
English Summary
Facts
Between January 2022 and March 2023, the DPA received several complaints against an electricity company (Facile.Energy SRL). The data subjects complained that they had received unwanted telemarketing phone calls. According to them, the controller did not collect their consent before performing the phone call.
Moreover, some of them further argued that they had previously signed up for the Italian Public Opt-out Registry (Registro Pubblico delle Opposizioni - RPO). The RPO is an Italian registry extended to all national phone numbers, which allows citizens to opt-out of unwanted telemarketing calls.
Furthermore, they stressed the fact that the controller had, without their request, activated for them an energy supply contract at unfair prices. Therefore, they believe they suffered material and non-material damage as a consequence of the illegal processing of their data.
The controller argued that its processing was lawful. More specifically, it pointed out that the data subjects had not been contacted by the controller itself, but by a “teleseller”, which had the role of finding the phone numbers of potential customers and contacting them on behalf of the controller. The controller explained that it had entered in a “teleselling contract” with the processor. This contract laid down an obligation for the processor to collect data subjects’ consent before contacting them. Moreover, it contained an indemnification clause, so that the controller would not have any liability as for the processor’s compliance with data protection law.
Holding
The DPA criticised the conduct of the controller, arguing that the evidence collected showed a “worrying outline of non-compliance with the GDPR”.
The DPA rejected the controller’s argument leaning on the “teleselling” contract. It was of the view that such an agreement cannot exempt a controller from respecting GDPR and prevent it from being liable if a violation occurs. The DPA’s reasoning is based on several articles of the GDPR. Firstly, as provided for by Article 24(1) GDPR, the controller must implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with GDPR.
Secondly, as for Article 28(1) GDPR, the controller must only choose processors that provides sufficient guarantees to comply with the GDPR and must then constantly supervise the processing activities of the processor. The DPA found this supervision to be purely formal, as it was only based on a contractual clause and no further checks were performed. Therefore, the DPA hold that the controller had violated Article 5(1)(f), 5(2), 24(1), 25(1), 28(1) and 32 GDPR.
As a consequence, this lack of supervision resulted in the absence of any legal basis for the processing of these personal data. The DPA stressed the fact that more than 5000 contracts were concluded through this unlawful processing. Therefore, the DPA found a violation of Article 6(1)(a) in combination with Article 5(1)(a) GDPR.
As for the RPO, the DPA observed that Article 130(3-bis) of the Italian Data Protection Code provides for an “opt-out” mechanism: when a data subject signs up for this registry, data controllers are not allowed anymore to contact them at their phone numbers for marketing purposes. In other words, this registration results in a revocation of the data subject’s consent towards all controllers which would wish to process their data for marketing purposes. Since 106 data subjects who had signed up for the RPO were however contacted, the DPA further hold the controller had violated Article 130(3) and 130(3-bis) of the Italian Data Protection Code and, more generally, Article 5(1)(a) and 6(1)(a) GDPR.
As for the fine calculation, the DPA criticised the behaviour of the controller during the proceedings. It deemed the latter “heedless” of the procedural rules of the authority, as it asked for several deadlines extensions without then providing the DPA with meaningful pleadings. Moreover, the DPA considered the violation particularly serious under Article 83(2)(a) GDPR. On these grounds , the DPA issued a fine of €100,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.
Decision of 11 April 2024 Register of measures n. 205 of 11 April 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”); HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code"); HAVING SEEN the documentation in the documents; GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted with resolution of 28 June 2000; SPEAKER Dr. Agostino Ghiglia; 1. THE INVESTIGATORY ACTIVITY CARRIED OUT 1.1. Premise With protected communication. n. 167943 of 19 December 2023 (notified on the same date by certified email), which must be considered reproduced in full here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation towards Facile.Energy S.r.l. (hereinafter “Facile.Energy” or “the Company”), in the person of the legal representative pro tempore, with registered office in Milan (MI), Via Uberto Visconti di Modrone n. 34, VAT number 05175670289. The proceeding originates from an investigation started by the Authority, following 56 reports and 2 complaints against the Company, regarding the receipt of unwanted promotional calls made without the prior acquisition of the interested party's consent or using numbers registered in the Register Opposition Public (hereinafter, “RPO”), which gave rise to the unsolicited activation of energy supplies. 1.2. The conduct of the investigation and the requests for information formulated by the Authority 1.2.1. The request for information pursuant to art. 157 of the Code With a note dated 31 March 2023, the Authority sent Facile.Energy a cumulative request for information, formulated pursuant to art. 157 of the Code (registered in the protocol with no. 55173/23), useful for the evaluation of the 56 reports and 2 complaints received by the Authority in the period between January 2022 and March 2023, relating, for the most part, to the matter of telemarketing. With the same note, the Company was asked to «provide a list of purchase proposals from its sales network which led to the activation of energy services in the period from 6 March 2023 to 13 March 2023 inclusive, divided between "residential" and “business”». With prot. request 63947/23 of 18 April 2023, the Company first requested an extension of the deadline granted for the purposes of feedback and then with a note prot. 66331 of 21 April 2023, provided the list of purchase proposals requested, reporting that "customers' telephone numbers are obtained by telesellers by consulting lists obtained by them under their own personal responsibility". With a request dated 26 April 2023 (prot. 68168), then requested on 9 May 2023 (prot. 74272), Facile.Energy also requested the extension of the deadline granted in order to provide the observations and documentation useful for examining the complaints and reports received by the Authority. Following the aforementioned request and taking note of the reasons given, the Office granted the requested extension (see note prot. n. 75630/23 of 11 May 2023). Thus, with a note sent on 18 May 2023 (prot. no. 79936/23) the Company preliminarily reiterated that «the names and data of potential customers are found by the teleselling service providers who, therefore, have the burden and obligation to contact only subjects not registered in the opposition register and only via telephone numbers registered with the ROC" and highlighted the letter of the art. 2, paragraph 4, of the standard procurement contract stipulated with the telesellers in the part which states that «2.4 The Contractor will find, at his own expense, responsibility and expense, the lists of potential customers to call, taking action, where necessary, in accordance with the legislation in force, directly or through authorized third parties, to register in the public register of contractors who object to the use of their personal data and telephone number for sales or commercial promotions, pursuant to article 1, paragraph 15, of law 11 January 2018, n. 5. (hereinafter "Register") pursuant to Presidential Decree 27 January 2022, n. 26 to communicate to the same Registry the lists of names/telephone numbers that it intends to contact for the teleselling activity covered by this Contract and to recover from the aforementioned Registry the "clean" lists of the names registered in the Objections Registry. Likewise, the Contractor and/or authorized third parties will be responsible for the constant conservation, modification, updating or integration of the lists, guaranteeing and in any case indemnifying the Client with regard to compliance with the provisions of the current provisions on privacy". On the same occasion, with reference to the complaints referred to in files nos. 224989 - 182209 - 182891 - 183776 – 183137, Facile.Energy clarified that «where requested by the applicant, the Vocal Order was provided and where the deletion of the data was requested or opposition to the processing was expressed, the undersigned followed up on the requests for cancellation or opposition to processing in accordance with what was requested and in compliance with the law". In relation to the circumstances represented through reports nos. 177320 – 184725 – 182272 -182775- 183715, the Company observed that they "do not contain any trace of requests or complaints relating to the processing of data". Finally, with reference to the file. n. 217004, Facile.Energy found that «although this protocol and the related request for clarification have no bearing on the processing of personal data, it is specified that the requested invoices were once again sent to the applicant's law firm and the complaint was defined» . 1.2.2. Verification at the Public Registry of Oppositions In order to carry out the necessary checks regarding the correctness of the aforementioned telemarketing activities, on 14 July 2023 (protocol no. 108700) the Office sent the aforementioned list of numbers to the Ugo Bordoni Foundation, which manages the Public Registry of Oppositions telephone calls subject to the aforementioned feedback from Facile.Energy. With this in mind, information was requested, pursuant to art. 157 of the Code, for each numbering, regarding the possible registration in the Public Register of Oppositions (RPO) no later than 31 January 2023. On 21 July 2023, the Foundation sent its response (protocol no. 111770/23), from the analysis of which they were registered in the Public Register of Oppositions, at the time of the promotional calls made by the Company, no. 106 telephone users, equal to 6% of the total number of telephone contacts from which contracts were stipulated, carried out in the reference period (n. 1768). 1.2.3. Supplement to the investigation Pending the investigation, the undersigned Authority has received further reports against the Company of a similar nature and relating to the same case (unsolicited calls and unsolicited activations: file nos. 322107 - 324778 - 322765). Despite the complaints referred to in files nos. 322107 and 324778 were also addressed to Facile.Energy, it does not appear in the documents that the Company provided any feedback. Otherwise, as part of the clarifications provided directly to the interested party in relation to report no. 322765, Facile.Energy found that customer data is transmitted by the contractor, who is required to guarantee its quality and transparency and that «The provision of such data is the guarantee issued by the procurer/agent/contractor regarding the correct origin of the data, constitute the legal basis of the processing carried out by Facile.Energy". 1.3. Dispute of violations Following the investigation, the Office adopted the aforementioned communication to initiate proceedings pursuant to art. 166, paragraph 5 of the Code (prot. no. 167943 of 19 December 2023), in which it preliminarily noted the violation of the principle of accountability and of the rules on processing security, also in relation to the failure to adopt suitable safeguards to prevent and counter the phenomenon of wild telemarketing. From the documentation produced by the Company, a substantial lack of interest on the part of the data controller regarding the origin of the data and contact lists emerged. The complaint also concerned the incorrect identification of subjective roles and the consequent failure to fulfill the supervisory and control obligations incumbent on the data controller, as well as the lack of security measures in relation to the entire commercial and management chain which, originating from the "contact", allows reach the "contract", even though the company was already aware of the phenomenon. In this case, the seriousness of the disputed conduct was made even more clear by the circumstances represented by the complaints received by the Office. In numerous cases, in fact, the interested parties have complained of having suffered patrimonial and non-pecuniary prejudices precisely because of the illegitimate processing of their personal data, which resulted in the unsolicited activation of energy supplies. In addition, having contacted 106 telephone numbers as part of the telemarketing activities carried out in the period February-March 2023, equal to just over 6% of the total number of telephone contacts from which activations of supplies resulted, consistently of the registration of the same users in the RPO - and therefore of the opt-out mechanism determined by the current legislation, seemed to confirm the validity of the circumstances revealed in the numerous reports and complaints received by the Authority. Finally, the Authority noted that from the documentation in the documents and the reasons given by the Company, significant doubts emerged regarding the assimilation of the new regulatory framework by the data controller. The Office, therefore, accused Facile.Energy of the possible violation of the articles. articles 5, par. 1, letter. a) and letter f), 5, par. 2, 6, par. 1, letter. a), 24 par. 1, 25, 28 and 32 of the Regulation, as well as art. 130, paragraphs 3 and 3 bis, of the Code, for having carried out processing of personal data of users and contractors in the energy sector in conflict with the principles of lawfulness and responsibility, in the absence of an appropriate legal basis and by implementing technical and organizational structures that are unsuitable for guaranteeing, right from the design stage, and being able to demonstrate, that the processing is carried out in compliance with the Regulation. 2. THE DEFENSE OF THE OWNER With a request dated 2 January 2024 (prot. no. 556), the Company requested access to all the deeds and documents contained in the file. With a note sent on 11 January 2024 (protocol no. 3817), the Office accepted this request, highlighting that all the documentation relating to the investigation was already fully available to the Company, with the exception of the request for information pursuant to art. 157 of the Code sent to the FUB in relation to the list of telephone numbers subject to verification by Facile Energy itself and for which in any case the results had already been shared, in the form of an attachment to the communication initiating the procedure. Subsequently, with notes sent on 18 January 2024 (see protocol nos. 6831 and 6952) Facile.Energy requested the extension of the deadline referred to in the art. 166, paragraph 6, of the Code as well as to be heard by the Authority, both requests were accepted with consequent extension of the deadline for the transmission of the defense briefs and convocation for the hearing set for the following 13 February 2024. With a defense statement sent on 2 February 2024 (protocol no. 13893) the Company preliminarily represented that «the professional has implemented and is further implementing a series of technical management measures also in light of the guidelines extrapolated from the provision of this Guarantor of the 11 December 2019, doc. web no. 9244358". The Company then objected to the unfoundedness of the charge regarding the contested financial and non-economic prejudices suffered by the interested parties, highlighting that based on the provisions of ARERA resolution no. 302/2016, it is possible to make a switch even if unpaid invoices are pending, without the previous supplier having the opportunity to object and pursuant to art. 66 sexies of the Consumer Code in the event of unfair commercial practices, the supplier is required to renounce any economic claims against the consumer. In relation to the 106 telephone users contacted during the so-called. "sample week" while registering for the RPO, the Company found that «This charge is incorrect and misleading. Merely by way of example, a search carried out at the U. Bordoni foundation, the following users that this Guarantor reports having been contacted when they registered their opposition, were freely contactable between February and March 2023 as the owners registered after the month of March 2023 to the opposition register>>. With specific reference to the choice of commercial partners, Facile.Energy declared that the telesellers are appointed data controllers and are "contractually required to collect the consent of the potential customer contacted in order to obtain a legal basis for the processing" and that "in of stipulation, it is verified that the service providers have an adequate organizational structure also in relation to GDPR by completing questionnaires (Annex B) and interviews with the legal representatives and operational staff of the telesellers themselves. Furthermore, the Facile.Energy company carries out randomized inspections to verify compliance with contractual, legal and GDPR provisions. We reserve the right to produce copies of the reports of these ongoing inspections. As of 2023, only joint-stock companies with a solid capital structure, subject to monitoring, will be contracted as suppliers of the teleselling service". The Company then provided more information in relation to the prodromal procedures for the activation of individual supplies, highlighting that «The stipulation operations are conducted only via OTP so as to be able to uniquely identify the customer, after having obtained their consent to the processing of data. To protect the customer, the same is identified via mobile phone number and internet IP then reported on the contract (Annex B) together with the data of the person who actually made the contact, appointed as data processing manager by Facile.Energy. Company procedures provide for the automatic rejection of contracts that report IP or mobile phone number repeated more than twice, to protect the consumer. (Annex C) All correspondence to end customers is channeled through XX and tracked." Finally, Facile.Energy represented that from October 2023, before proceeding with the activation of the supply, the Company will check the residence of every single potential customer via an XX - Registry/Residence application and that in case of anomalies the activation procedure is not continued. Subsequently, in acceptance of the request sent by the Company, the hearing referred to in art. 166, paragraph 6 of the Code, has been postponed to 27 February 2024. On the occasion of the aforementioned hearing, Facile.Energy preliminarily highlighted the commitment made by the Company to adapt to the Telemarketing Code of Conduct and that to this end it decided to invest in the implementation of a new CRM for the management of company data and documentation . The Company also represented that telesellers are selected exclusively from joint-stock companies and through a standardized procedure, following the administration of a self-assessment questionnaire. In relation to the checks carried out on the work of the telesellers, the Company declared that it carries out random checks (10%-15%) on the contracts concluded with customers, in order to ascertain the lawfulness of the processing: in the event that the telesellers do not provide evidence of a correct legal basis, they can be removed from the Facile.Energy sales network and the contract will still be discarded. The Company then declared that it had changed its corporate practices approximately two months ago with the provision of a double confirmation at the Registry of Oppositions. More specifically, the first check is in turn divided into two phases and is carried out directly by the teleseller, in the two days before the contact. Subsequently, in the period of time between the contact and the activation of the service, the numbers are verified again at the FUB, therefore if in the meantime the interested party has registered with the RPO, the contract is discarded. With reference to these measures, Facile.Energy clarified that they were adopted to reduce complaints and that they are necessary by virtue of the provisions contained in the consumer code, in the part which provide that in the event of unsolicited activation, the final consumer is not required to pay for the supply (see page 2 minutes of the hearing «In practice, Facile.Energy gives the revocation of consent expressed at the Registry of Oppositions close to the signing of an energy contract a value not dissimilar to the right of reconsideration, with a view to maximum protection of the will of the interested party"). The Company then highlighted that even at the time of registration of the contract in the Integrated Information System, a further check is carried out at the FUB and that in the event of registration of the numbering in the RPO, the procedure is blocked, given that «This check allows test the permanence of the interested party's consent, however it must be taken into consideration that the agency accrues its commission regardless of whether the activation procedure continues or not" (see page 2 of the hearing minutes). Facile.Energy then noted that in order to stem the critical issues relating to data collection and contract signing, it decided to proceed with the signing of contracts exclusively through digital subscription, after sending a one time password (OTP). At present, therefore, the stipulation via vocal order has been completely discontinued and, after obtaining consent, the user's indication of the mobile number to which to send the OTP is recorded. The Company also declared that it will send the contractual documentation both directly to the customer's mobile phone via a specific link, and to the residence by tracking the shipment until delivery. With reference to subjective roles, Facile.Energy has represented appointing telesellers as data controllers and using only individuals who have appointed the DPO. With regard to data retention, the Company has highlighted that in case of exercise of the right of cancellation, the request is processed, except in the case in which it is necessary to retain the data for accounting and administrative purposes. The only case in which, after segregation of the data, it is possible to re-access it is when the customer contacts the company again. The company does not carry out profiling, nor does it transfer data to third parties. In addition, the Company has identified that agencies access company systems using a personal username and password, which are updated periodically. In this case, each agency has a single access (so-called room) and indicates the operators who access it. The latter take care of uploading the customer's data and recording the first contact call relating to the communication of the contact telephone number to send the OTP. The system then automatically filters the contracts and, in the event of anomalies (e.g. double contract, suspicious VPN, etc.), the agent receives the rejection notice and can contact the customer again to resolve the problem. Finally, Facile.Energy has reserved the right to produce a summary report by 13 March, as well as the appointment as data controller, the pre-qualification check list of the managers and the audit reports referred to in the defense documents. Lastly, with authorized notes sent on 13 March 2024, the Company declared that it had adopted a configuration of its systems such as to "discard" contracts stipulated using systems that do not allow the identity of the stipulating party to be ascertained (e.g. VPN which conceal the exact IP of the subscriber for example), multiple stipulations with the same address (today a maximum of two contracts can be stipulated with a single telephone number) and subscriptions made through virtual telephone operators or untraceable SIM cards ( e.g. XX etc). With the same note, the Company highlighted that it «carries out periodic random checks on the telesellers regarding the nature of the consent given by the contracted subjects and in some cases not contracted subjects as they are discarded objects as they do not comply with the guidelines (Annex 10) Furthermore, the company carries out periodic audits at individual facilities, without notice, recording the findings of the inspection (Annex 11). Particular attention is paid to verifying the origin of the lists with the data of consumers to be contacted, used by telesellers. Facile.Energy does not limit itself to verifying that the lists are purchased from Italian suppliers responsible for the creation, management and filtering of the same but also requests the delivery of a copy of the purchase contract with the attachments in order to allow the necessary checks regarding the origin of the data and their correct collection and management (Annex 12)". Finally, the Company expressed its desire to organize training meetings in collaboration with the XX association also on the subject of privacy aimed at both its employees and the staff of the sales structures. 3. ASSESSMENTS BY THE AUTHORITY The overall elements and documents acquired during the investigation provide a worrying picture of non-compliance with reference to the legislation on the protection of personal data dating back to the time of the disputed facts and to date not entirely resolved, made even more serious and manifest if considered in light of the constant orientation expressed by the Authority in the context of the numerous measures adopted regarding telemarketing. The Company's defense focused almost exclusively on the allegation and analytical description of a series of measures and processes which - albeit in part, worthy of appreciation - were in fact implemented only during the proceedings and which therefore do not lead to minus the violations being contested. Indeed, today's investigation has its origins in the numerous complaints received by the Authority, also through certain consumer associations, which in an analytical and concordant manner documented a precise modus operandi attributable to Facile.Energy, aimed at the albeit legitimate maximization of profit, but in contempt of any lawfulness safeguard regarding the protection of personal data. From the numerous reports and complaints, an operational practice emerges in customer acquisition activities that appears constant and repeated: the user usually receives a phone call from an operator who does not qualify and who appears to be in possession of all the personal data of the interlocutor and information relating to the supply. Once the activation of the supply has been carried out, often without the customer's knowledge, the latter becomes aware of the existing contract only following the delivery of alarmingly large invoices, when it is now too late to exercise the right to reconsider. In numerous cases, interested parties also complain about the manipulation of vocal orders, required to prove the correct activation of the contract. In relation to the origin of the data, the Company noted that «the undersigned Facile.Energy receives the data of potential customers from teleselling operators and, more generally, from the commercial network (agents, canvassers, etc.). This data, collected and used by the teleseller, is therefore not found by Facile.Energy but is received by the same pursuant to a teleselling contract (in this case) or agency or procurement contract without the possibility of verifying, upstream, the validity of the data itself used by the sales network which is made up of subjects legally distinct from Facile.Energy". But the fact that the contact lists come from third parties does not prevent the Company - as in fact it should do - from verifying, for example, through suitable and complete documentation, the origin of the data and the legal basis of the processing. On the point Facile.Energy limited itself to recalling the obligations incumbent on telesellers by virtue of the procurement contract which in art. 2.4 provides that «The Contractor will find, at his own expense, responsibility and expense, the lists of potential customers to call, arranging, where necessary according to current legislation, directly or through authorized third parties, for registration in the public register of contractors who object to the use of their personal data and telephone number for sales or commercial promotions, pursuant to article 1, paragraph 15, of law 11 January 2018, n. 5. (hereinafter "Register") pursuant to Presidential Decree 27 January 2022, n. 26 to communicate to the same Registry the lists of names/telephone numbers that it intends to contact for the teleselling activity covered by this Contract and to recover from the aforementioned Registry the "clean" lists of the names registered in the Objections Registry. Likewise, the Contractor and/or authorized third parties will be responsible for the constant conservation, modification, updating or integration of the lists, guaranteeing and in any case indemnifying the Client with regard to compliance with the provisions of the current provisions on privacy". This clause in itself reveals a fundamental confusion between the regulation on the Public Register of Oppositions and that on the right to object pursuant to art. 21 of the Regulation. Pursuant to art. 1, second paragraph, of Law no. 5/2018 «They can register, following their specific request, even simultaneously for all telephone numbers, fixed and mobile, registered in their name, also electronically or by telephone, in the public register of oppositions established pursuant to paragraph 1 of the article 3 of the regulation referred to in the decree of the President of the Republic n. 178 of 2010, all interested parties who wish to object to the processing of their telephone numbers carried out by an operator using the telephone". And then pursuant to the following paragraph 5 «With the registration in the register referred to in paragraph 2, all consents previously expressed, by any form or means and to any subject, which authorize the processing of one's fixed or mobile telephone numbers carried out ((...)) for advertising or sales purposes or for carrying out market research or commercial communication and is also precluded, for the same purposes, from using telephone numbers transferred to third parties by the data controller on the based on previously issued consents". Differently, the art. 21, par. 2 of the Regulation recognizes the interested party's right to object to the processing of their personal data for direct marketing purposes. First of all, it follows that while registration with the RPO has the effect of revoking consent erga omnes, the exercise of the right of opposition has instead limited effectiveness to the individual data controller or, at most, also extends to the any other recipients to whom the data may have been transferred. Secondly, the institutions in question give rise to obligations of a different nature on the owner. In fact, pursuant to art. 1, paragraph 12 of Law no. 5/2018 «Operators who use telephone advertising and telephone sales systems or who carry out market research or telephone commercial communications ((with or without the intervention of a human operator)) have the obligation to consult on a monthly basis, and in any case, prior to the start of each promotional campaign, the public register of oppositions and to update their lists". Otherwise, following receipt of an opposition request, the owner is required pursuant to art. 12 of the Regulation to facilitate its exercise, to follow up on the request without unjustified delay and in any case within one month of receipt. In no case, therefore, does the owner or manager have the obligation to provide for the training and updating of the users registered in the RPO, as this is a prerogative reserved only for the interested party. Furthermore, the aforementioned contractual clause cannot be used to release the data controller from the obligations and responsibilities established by current legislation on the protection of personal data. Taking into account the nature, scope, context and purposes of the processing, as well as risks having different probabilities and severity for the rights and freedoms of natural persons, Facile.Energy, as data controller and by virtue of the principle of accountability, pursuant to art. 24 of the Regulation is required to implement adequate technical and organizational measures to guarantee, and be able to demonstrate, that the processing is carried out in compliance with current legislation on the protection of personal data. Furthermore, as a logical consequence of the aforementioned principle of accountability, art. 28 of the Regulation requires on the one hand that if processing must be carried out on behalf of the data controller, the latter must only use data controllers who present sufficient guarantees to implement adequate technical and organizational measures so that the processing satisfies the requirements of this regulation and guarantees the protection of the rights of the interested party (so-called culpa in eligendo). On the other hand, the law in question also places on the owner a series of supervisory and control obligations over the work of the data controller (so-called culpa in vigilando). In this case, the failure to fulfill the aforementioned obligations by Facile.Energy clearly emerges not only from the circumstances analytically reported in the numerous complaints received by the Guarantor, but is also confirmed by the Company's own defense, which claims to be exempted from the obligations regarding data protection only by virtue of an indemnity clause and the fact that the retrieval of contact lists was allegedly left to the telesellers. The thesis illustrated cannot be accepted, since it seems to repudiate the key principles of the current regulatory framework, based on a system of exact definition of roles and responsibilities, as well as essential values with which processing activities must necessarily comply. The reference is certainly to the provisions of the articles. 24, 25 and 28 of the Regulation, as well as the principles of lawfulness, correctness, safety and transparency enshrined in the art. 5 of the Regulation. Furthermore, the Company was perfectly aware and therefore in a position to stem the phenomenon, given that in December 2022 it had already been the recipient of a sanction by the AGCM precisely in relation to unsolicited activations and that almost all of the reports and the complaints received by the Guarantor were also transmitted to Facile.Energy directly by the interested parties themselves. The conduct implemented by the Company must then certainly also be evaluated in light of the circumstances put forward by the whistleblowers and complainants, which serve not only to confirm the validity of the reproaches raised, but also to denote their significant gravity. In almost all of the complaints, in fact, the interested parties represent having suffered a series of both economic and non-pecuniary prejudices strictly related to the illicit processing of their personal data carried out in the context of telemarketing activities and the consequent unsolicited activations . From the first point of view, the plaintiffs complain about the loss of more advantageous rates applied by the previous manager and the receipt of invoices of disproportionate amounts. In some cases (file nos. 177320 – 184725 – 182272 -182775) the interested parties – despite having reneged on the contract with the Company and having promptly exercised the right of reconsideration – would have partially or entirely paid the invoices issued to them and, in one case, the interested party would have received others which were followed by warnings for payment from Facile Energy. In yet another case (file no. 183715), the reporting party declared that she had even suffered a suspension of electricity supply due to non-payment of the invoices debited to her by Facile.Energy. Finally, with regard to file no. 217004, the interested party complained about the demand for payment of invoices that remained unpaid without having ever previously received them. In relation to the second profile, in numerous cases the whistleblowers and complainants represent the anxiety and concern of not knowing who and how came into possession of their data and what they intend to do with it, as well as the frustration of paying undue sums or facing the threat of the possible detachment of a notoriously essential supply. On the point Facile.Energy observes «This charge is denied by ARERA resolution 302/2016 which provides that an operator can provide a point simply by operating a switch in without the previous supplier having the opportunity to object. No existential damage and - much less - no financial damage can be caused to the consumer who, correctly, is protected by current legislation and the consumer code, in particular where he suffers a commercially incorrect practice: in this case, in fact, the code cited in Article 66 sexies provides that the supplier is obliged to renounce any economic claim against the consumer who, therefore, will in any case be amply compensated for any damage suffered". This observation cannot be shared, given that the aforementioned difficulties regarding the change of manager can arise in the case, for example, of invoices that remain unpaid because they were never delivered or are the subject of a dispute between the parties due to unsolicited activation (circumstances noted in the complaints included in the present investigation). Furthermore. the protection referred to in art. 66 sexies of the consumer code is not at all automatic and cannot ignore either the proof of the activation of an unsolicited supply or the declaration by the competent authority. Likewise, the findings that emerged from the verification conducted at the FUB in relation to the list of telephone contacts made during the so-called. sample week, which generated the stipulation of as many contracts in favor of the company, serve to prove the attribution to the company of the persistent carrying out of telemarketing and teleselling activities in open conflict with the obligations established by current legislation. Having contacted 106 telephone numbers as part of telemarketing activities (data limited, it is reiterated, only to the calls from which the activation of a service originated, therefore not extended to the much larger number of unsuccessful contacts) carried out in the February-March period, in accordance with the registration of the same users with the RPO - and therefore with the opt-out mechanism determined by current legislation - entails the violation of the art. 130, paragraphs 3 and 3-bis, of the Code, concerning electronic communications, as well as, more generally, articles. 5, par. 1, letter. a) and 6, par. 1, letter. a) of the Regulation, with regard to the principle of lawfulness and the need for the legal basis of consent to legitimize the processing of the data in question for promotional purposes. On this point, the Company limited itself laconically to observing that «This charge is incorrect and misleading. Merely by way of example, a search carried out at the U. Bordoni foundation, the following users that this Guarantor reports having been contacted when they registered their opposition, were freely contactable between February and March 2023 as the owners registered after the of March 2023 to the register of oppositions" and to report a list of only 16 numbers that would have been registered at the RPO after the month of March 2023. Facile.Energy then reiterates that "Individual telesellers are appointed data controllers (Annex A), are contractually required to collect the consent of the potential customer contacted in order to obtain a legal basis for the processing". The exception is completely groundless and therefore cannot be accepted. In this regard, it is worth first remembering that the findings emerging from the verification at the FUB come from the institution responsible for regularly keeping the Register and that therefore if the Company had wanted to refute its contents, it would have had to proceed with the analytical reporting of any errors found, highlighting the alleged correctness of the telesellers' actions both in terms of the acquisition of consent for processing with promotional-advertising purposes, and in terms of the timely use of contact lists duly verified at the aforementioned Foundation. The observation, then, cannot be shared even on the merits. The Office asked the FUB to indicate «for each numbering, regarding the possible registration in the Public Register of Oppositions no later than 31 January 2023, or the indication of the automatic registrations, which as of 31 January concern the numbers transferred from old to the new RPO on July 27 and which users have not renewed, for which consents have not been cancelled". This circumstance, moreover, is well known to the Company which requested and obtained access to all the preliminary documents of the proceeding. The aforementioned list of (16 out of 106) numbers appears to be a list of RPO registration renewals carried out after March 2023 and therefore does not at all serve to disavow the validity of the charges against the Company, but rather to highlight that the contractors referred to in the aforementioned list have confirmed their intention to oppose any processing of their personal data for marketing purposes. But even hypothetically if one wanted to accept the exception in question, it would appear that the Company in fact during the so-called sample week made at least 90 telephone contacts (limited to the portion of them which then led to the activation of a supply) in the absence of a suitable legal basis. Furthermore, even the reference to the necessary acquisition of consent leads us to believe that the Company's telemarketing and teleselling activities are carried out with the incorrect interpretation and application of the regulatory provisions, also in relation to the provisions of the articles. 129 and 130 of the code on data present in public registers. The findings that have emerged thus far, therefore, provide a picture of the incomplete effectiveness of the controls and safety measures on the entire supply chain which from "contact" leads to the "contract". The preparation of controls, as shown in the documents, of a purely formal and ex ante nature on the partner agencies denotes, in fact, only a formalistic transposition of the regulatory principles and exposes the company to the concrete risk of ineffectiveness of the envisaged measures, as in fact happened. The result is a judgment of overall deficiency with reference to compliance with the principles established to protect the responsibility and accountability of the data controller, as well as the specific rules regarding the security of processing (see articles 5, paragraph 1 letter f) , 5 par. 2, 24, par. 1, 25, par. 1 and 32 of the Regulation). These types of control are also provided for by art. 16 of the Code of Conduct for telemarketing and teleselling activities (available on the website www.garanteprivacy.it doc-web n. 9868813 - GPDP Provision n. 70 of 9 March 2023 - in Official Gazette n.73 of 27-3-2024 ), which regardless of membership, has an undoubted value in terms of best practices, in the part in which it provides that «1. The data controllers adopt organizational and/or technical procedures aimed at proving that the data of the interested party/contractor/user have been acquired in compliance with the principles set out in the art. 5, par. 1, of the Regulation; in particular, taking into account the principle of proportionality, through by default measures, they implement specific procedures in the systems that identify the promotional campaigns, contact lists and operators involved in each contract concluded remotely and are able to prove the correctness of the above information. These procedures prevent the registration of contracts for which the aforementioned information cannot be found (...). 2. The adherents of this Code of Conduct ensure that the entire supply chain processes the data exclusively on the basis of suitable consent to processing for telemarketing and teleselling purposes which is clearly distinct from the manifestation of the will to negotiate. (..) 6. The client develops its own processes so that the contracts stipulated following teleselling activities take place in the presence of unequivocal consent to the original contact, except in cases falling within the scope of application of the art. 130, paragraph 3-bis of the Code. During the first application of this Code of Conduct and for the exclusive protection of the interested party, if following the checks contracts emerge for which the first contact is flawed, these contracts may continue to be executed provided that the client informs the interested party of the the faulty origin of the contract and that the interested party himself confirms his desire to maintain it, without prejudice to residual cases in which the customer does not follow up on proven attempts to contact the customer (..)". Even from this point of view, the assessments of the conduct implemented by the Company cannot ignore the necessary considerations regarding the dimensions of the phenomenon and its consequent economic repercussions. If we tried to multiply the 106 illicit telephone contacts made over the course of the so-called. sample week for the overall weeks of annual operation of the telesellers, one could come to the conclusion that in all likelihood the Company stipulated over 5,000 contracts per year following telephone contacts made in the absence of a suitable legal basis and consequently received income the benefits deriving from as many contracts that should never have been stipulated. It is reiterated once again, however, that the aforementioned 106 telephone contacts made in the CD. sample week are only those that were successful (i.e. that led to the activation of the supply), so that the illicit contacts actually made during the sample week were probably much more numerous. For the purposes of determining the proceedings, the degree of cooperation with the Authority and the remedial actions implemented by the Company during the preliminary investigation must certainly also be taken into due consideration. From the examination of the defense writings and the documentation in the documents, it emerges that Facile.Energy, while the proceedings are pending, has started a radical reorganization of its telemarketing and teleselling activities aimed at greater compliance with the legislation on the protection of personal data (e.g. new CRM configuration, random checks of contracts, audits and questionnaires for data controllers, checks at the FUB, exclusion of partnerships from commercial partners, stipulation of contracts via OTP and tracking of the delivery of the contractual package in paper form, courses training on privacy for employees and telesellers). Although worthy of merit, the initiatives listed are not entirely suitable for guaranteeing a sufficient level of adaptation to current legislation and seem to confirm, also from this point of view, the incomplete assimilation or in any case the erroneous interpretation of the same. In relation to the contact lists, it does not appear that the Company has implemented a procedure aimed at testing the existence of a suitable legal basis for the processing, having limited itself to structuring a verification system limited exclusively to the origin of the data (see «i telesellers act on lists of certain origin, preferably made up of them.Energy verifies that the list is not purchased from a foreign supplier or a third party, thus excluding the possibility of a double transfer of ownership". With specific reference to the checks carried out at the FUB, the recently implemented practices described during the investigation reveal on the one hand the erroneous interpretation of the articles. 129 and 130 of the Code, on the other hand that the Company does not make a correct distinction between the granting of consent to the processing of data for marketing purposes and the prodromal consent to the signing of the contract. Facile.Energy clarified on this point that «The Company also carries out a double check with the Opposition Register. The first is carried out directly by the teleseller, in the two days before the contact. Before activating the service, the numbers are verified again at the FUB, so if the person has registered with the FUB in the meantime, the contract is discarded (...). A second check at the FUB occurs automatically when the teleseller uploads the contract. Subsequently, a third check is carried out at the FUB at the time of registration of the contract at the SII". The verification methods just described appear irrelevant and, obviously, excessive, given that current legislation requires that all numbers must be subjected to a prior verification at the FUB, in order to prevent the occurrence of illicit contacts, and that the registration of one's number in the RPO occurring at a later time than a lawful contact, but before the activation of the supply, cannot be used to invalidate either the validity of the upstream contact, or the lawfulness of the downstream contract. In fact, once the customer relationship has been established with the stipulation of the contract and limited to that contractual relationship, the processing of the personal data of the interested party falls outside the scope of application of the articles. 129 and 130 - with the exception of the hypothesis of the so-called. soft spam - to fall within the scope of articles. 6, 7 and 21 of the Regulation (i.e. legal bases and right of opposition). With reference to the scripts sent in attachment to the authorized notes of 13 March 2024 (see annex 3 ter), it should be noted that although they contain a brief information on the processing of personal data, they do not appear to contemplate the prior acquisition of consent to registration, nor indicate to the interested in how to consult the complete information. Pursuant to and for the purposes of art. 83 of the Regulation, an observation must also be made in relation to the attitude and degree of cooperation with the Authority maintained by the Company during the procedure. In fact, Facile.Energy has shown itself to be particularly careless of the rules on the Guarantor's proceedings having external relevance, on the one hand asking for multiple extensions, which in fact did not result in particular follow-up investigations, and on the other failing to exercise the right of defense in methods and times established by law. The reference is certainly to the art. 166, paragraph 6 of the Code in the part which provides that within 30 days. from receipt of the communication of initiation of the proceedings, the offender can send defensive writings and documents to the Guarantor and can request to be heard. In defiance of the rule in question, however, the Company first produced the defense briefs and some documents, then during the hearing it asked again for the granting of yet another deadline for authorized notes and documents. But the Company ended up artfully exploiting the Office's guarantee spirit, trying to evade the legal deadlines in order to introduce into the proceedings documentation produced ad hoc and on a date subsequent to the hearing itself (see annex 11 authorized notes of 13 March 2024 - inspection report dated 11 March 2024). Finally, in order to correctly modulate the corrective measures to be adopted, the indications contained in the chapter must certainly also be taken into consideration. 7 of the Guidelines 04/2022 on the calculation of administrative fines under the GDPR (available for consultation on the website www.edpb.europa.eu). For the reasons fully illustrated, the responsibility of Facile.Energy must therefore be confirmed in relation to the violations contested through the communication of initiation of the procedure pursuant to art. 166, paragraph 5, of the Code of 19 December 2023. 4. CONCLUSIONS For the above, considering that 2 complaints and 56 reports relating to unwanted contacts and consequent unsolicited activations have been received by the Authority against Facile.Energy; also considered that even following a random check, illicit contacts emerged which involved, in the space of a week, 106 subjects who then concluded a contract with the Company, having taken note of the defense considerations, the responsibility of Facile.Energy regarding the following violations: a) of the articles. 5, par. 1, letter. a) and letter f), 5, par. 2, 6, par. 1, letter. a), 24 par. 1, 25, 28 and 32 of the Regulation for the failure to prepare suitable technical and organizational security measures and controls for the commercial chain and partners; b) of the art. 130, paragraphs 3 and 3-bis, of the Code for articles. 5, par. 1, letter. a) and 6, par. 1, letter. a) of the Regulation for having contacted 106 telephone numbers in the context of telemarketing activities, despite the registration of the same users in the RPO - and therefore the opt-out mechanism - determined by current legislation. Furthermore, having ascertained the illegality of the Company's conduct with reference to the treatments examined, it is necessary to: - impose on Facile.Energy, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of the data of reporters and complainants; - order Facile.Energy, pursuant to art. 58, par. 2, letter. d) and e) of the Regulation, to communicate to the 106 interested parties, whose personal data entered the Company's systems following illicit contacts, the outcomes of today's proceedings on the basis of a text to be agreed with the Authority during the application of this provision; - order Facile.Energy, pursuant to art. 58, par. 2, letter. d) to prepare adequate controls within its sales network and adequate implementations of the systems, in order to exclude that illicit contacts carried out by parties external to it can lead to the activation of energy services; - adopt an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Facile.Energy of the pecuniary administrative sanction provided for by the art. 83, par. 3 and 5 of the Regulation. 5. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION The violations indicated above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Facile.Energy of the pecuniary administrative sanction provided for by the art. 83, par. 3 and 5 of the Regulation (payment of a sum of up to €20,000,000.00 or, for companies with over €500,000,000 in turnover, up to 4% of the annual global turnover of the previous financial year). To determine the amount of the sanction it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation. In the case in question, the following are relevant: 1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purpose of the data processed, attributable to the overall phenomenon of telemarketing, in relation to which the Authority has adopted, in particular in the last three years, numerous measures which have fully examined the many critical elements, providing data controllers with numerous indications to adapt the processing to current legislation and to mitigate the impact of nuisance calls on the interested parties; 2) as a mitigating factor (art. 83, par. 2, letter e) of the Regulation) the circumstance that Facile.Energy does not appear to have been the recipient of corrective and/or sanctioning measures by the Guarantor; 3) as a partially mitigating factor (art. 83, par. 2, letter f) of the Regulation) the remedial actions adopted during the procedure, taking into account the circumstance that although the effort made by the owner during the procedure proves worthy of appreciation procedure regarding the adaptation of the corporate structure to the data protection regulations, for the reasons illustrated in the motivating part the actions undertaken are not yet sufficient to guarantee an adequate level of protection and appear partly contrary to the principles and spirit informant of current legislation; 4) as an aggravating factor (art. 83, par. 2, letter k) of the Regulation) the lack of full collaboration provided by the owner during the procedure. Based on all the elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by the art. 83, par. 1 of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction should be applied to Facile.Energy of the payment of a sum of €100,000.00 equal to 0.5% of the maximum fine imposed, in accordance with the relevant precedents. In the case in question, it is believed that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the nature of the processing, as well as the elements of risk for the rights and freedoms of the interested parties. Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. ALL THIS CONSIDERING THE GUARANTOR a) imposes on Facile.Energy, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of the data of whistleblowers and complainants; b) orders Facile.Energy, pursuant to art. 58, par. 2, letter. d) and e) of the Regulation, to communicate to the 106 interested parties, whose personal data entered the Company's systems following illicit contacts, the outcomes of today's proceedings on the basis of a text to be agreed with the Authority during the application of this provision; c) orders Facile.Energy, pursuant to art. 58, par. 2, letter. d) to prepare adequate controls within its sales network and adequate implementations of the systems, in order to exclude that illicit contacts carried out by parties external to it could lead to the activation of energy services; d) orders Facile.Energy, pursuant to art. 157 of the Code, to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation; ORDER to Facile.Energy S.r.l., in the person of the legal representative pro tempore, with registered office in Milan (MI), Via Uberto Visconti di Modrone n. 34, VAT number 05175670289, to pay the sum of 100,000.00 (one hundred thousand/00) euros as a pecuniary administrative sanction for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, by complying with the instructions given and paying, within thirty days, an amount equal to half of the sanction imposed. ORDERS to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 100,000.00 (one hundred thousand/00) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the 'art. 27 of law no. 689/1981. HAS The application of the accessory sanction of the publication of this provision on the Guarantor's website, provided for by the articles. 166, paragraph 7 of the Code and 16 of the Guarantor's Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by the art. 57, par. 1, letter. u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation itself. Pursuant to the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself. . Messina, 11 April 2024 PRESIDENT Stanzione THE SPEAKER Ghiglia THE GENERAL SECRETARY Mattei SEE ALSO Newsletter of May 21, 2024 [doc. web no. 10008076] Provision of 11 April 2024 Register of measures n. 205 of 11 April 2024 THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA IN today's meeting, which was attended by prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer. Guido Scorza, members and the councilor. Fabio Mattei, general secretary; HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”); HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code"); HAVING SEEN the documentation in the documents; GIVEN the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted with resolution of 28 June 2000; SPEAKER Dr. Agostino Ghiglia; 1. THE INVESTIGATORY ACTIVITY CARRIED OUT 1.1. Premise With protected communication. n. 167943 of 19 December 2023 (notified on the same date by certified email), which must be considered reproduced in full here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in the art. 58, par. 2, of the Regulation towards Facile.Energy S.r.l. (hereinafter “Facile.Energy” or “the Company”), in the person of the legal representative pro tempore, with registered office in Milan (MI), Via Uberto Visconti di Modrone n. 34, VAT number 05175670289. The proceeding originates from an investigation started by the Authority, following 56 reports and 2 complaints against the Company, regarding the receipt of unwanted promotional calls made without the prior acquisition of the interested party's consent or using numbers registered in the Register Opposition Public (hereinafter, “RPO”), which gave rise to the unsolicited activation of energy supplies. 1.2. The conduct of the investigation and the requests for information formulated by the Authority 1.2.1. The request for information pursuant to art. 157 of the Code With a note dated 31 March 2023, the Authority sent Facile.Energy a cumulative request for information, formulated pursuant to art. 157 of the Code (registered in the protocol with no. 55173/23), useful for the evaluation of the 56 reports and 2 complaints received by the Authority in the period between January 2022 and March 2023, relating, for the most part, to the matter of telemarketing. With the same note, the Company was asked to «provide a list of purchase proposals from its sales network which led to the activation of energy services in the period from 6 March 2023 to 13 March 2023 inclusive, divided between "residential" and “business”». With prot. request 63947/23 of 18 April 2023, the Company first requested an extension of the deadline granted for the purposes of feedback and then with a note prot. 66331 of 21 April 2023, provided the list of purchase proposals requested, reporting that "customers' telephone numbers are obtained by telesellers by consulting lists obtained by them under their own personal responsibility". With a request dated 26 April 2023 (prot. 68168), then requested on 9 May 2023 (prot. 74272), Facile.Energy also requested the extension of the deadline granted in order to provide the observations and documentation useful for examining the complaints and reports received by the Authority. Following the aforementioned request and taking note of the reasons given, the Office granted the requested extension (see note prot. n. 75630/23 of 11 May 2023). Thus, with a note sent on 18 May 2023 (prot. no. 79936/23) the Company preliminarily reiterated that «the names and data of potential customers are found by the teleselling service providers who, therefore, have the burden and obligation to contact only subjects not registered in the opposition register and only via telephone numbers registered with the ROC" and highlighted the letter of the art. 2, paragraph 4, of the standard procurement contract stipulated with the telesellers in the part which states that «2.4 The Contractor will find, at his own expense, responsibility and expense, the lists of potential customers to call, taking action, where necessary, in accordance with the legislation in force, directly or through authorized third parties, to register in the public register of contractors who object to the use of their personal data and telephone number for sales or commercial promotions, pursuant to article 1, paragraph 15, of law 11 January 2018, n. 5. (hereinafter "Register") pursuant to Presidential Decree 27 January 2022, n. 26 to communicate to the same Registry the lists of names/telephone numbers that it intends to contact for the teleselling activity covered by this Contract and to recover from the aforementioned Registry the "clean" lists of the names registered in the Objections Registry. Likewise, the Contractor and/or authorized third parties will be responsible for the constant conservation, modification, updating or integration of the lists, guaranteeing and in any case indemnifying the Client with regard to compliance with the provisions of the current provisions on privacy". On the same occasion, with reference to the complaints referred to in files nos. 224989 - 182209 - 182891 - 183776 – 183137, Facile.Energy clarified that «where requested by the applicant, the Vocal Order was provided and where the deletion of the data was requested or opposition to the processing was expressed, the undersigned followed up on the requests for cancellation or opposition to processing in accordance with what was requested and in compliance with the law". In relation to the circumstances represented through reports nos. 177320 – 184725 – 182272 -182775- 183715, the Company observed that they "do not contain any trace of requests or complaints relating to the processing of data". Finally, with reference to the file. n. 217004, Facile.Energy found that «although this protocol and the related request for clarification have no relevance to the processing of personal data, it is specified that the requested invoices were once again sent to the applicant's law firm and the complaint was defined» . 1.2.2. Verification at the Public Registry of Oppositions In order to carry out the necessary checks regarding the correctness of the aforementioned telemarketing activities, on 14 July 2023 (protocol no. 108700) the Office sent the aforementioned list of numbers to the Ugo Bordoni Foundation, which manages the Public Register of Oppositions telephone calls subject to the aforementioned feedback from Facile.Energy. With this in mind, information was requested, pursuant to art. 157 of the Code, for each numbering, regarding the possible registration in the Public Register of Oppositions (RPO) no later than 31 January 2023. On 21 July 2023, the Foundation sent its response (protocol no. 111770/23), from the analysis of which they were registered in the Public Register of Oppositions, at the time of the promotional calls made by the Company, no. 106 telephone users, equal to 6% of the total number of telephone contacts from which contracts were stipulated, carried out in the reference period (n. 1768). 1.2.3. Supplement to the investigation Pending the investigation, the undersigned Authority has received further reports against the Company of a similar nature and relating to the same case (unsolicited calls and unsolicited activations: file nos. 322107 - 324778 - 322765). Despite the complaints referred to in files nos. 322107 and 324778 were also addressed to Facile.Energy, it does not appear in the documents that the Company provided any feedback. Otherwise, as part of the clarifications provided directly to the interested party in relation to report no. 322765, Facile.Energy found that customer data is transmitted by the contractor, who is required to guarantee its quality and transparency and that «The provision of such data is the guarantee issued by the procurer/agent/contractor regarding the correct origin of the data, constitute the legal basis of the processing carried out by Facile.Energy". 1.3. Dispute of violations At the end of the investigation, the Office adopted the aforementioned communication to initiate the procedure pursuant to art. 166, paragraph 5 of the Code (prot. no. 167943 of 19 December 2023), in which it preliminarily noted the violation of the principle of accountability and of the rules on processing security, also in relation to the failure to adopt suitable safeguards to prevent and counter the phenomenon of wild telemarketing. From the documentation produced by the Company, a substantial lack of interest on the part of the data controller regarding the origin of the data and contact lists emerged. The complaint also concerned the erroneous identification of subjective roles and the consequent failure to fulfill the supervisory and control obligations incumbent on the data controller, as well as the lack of security measures in relation to the entire commercial and management chain which, originating from the "contact", allows reach the "contract", even though the company was already aware of the phenomenon. In this case, the seriousness of the disputed conduct was made even more clear by the circumstances represented by the complaints received by the Office. In numerous cases, in fact, the interested parties have complained of having suffered patrimonial and non-pecuniary prejudices precisely because of the illegitimate processing of their personal data, which resulted in the unsolicited activation of energy supplies. In addition, having contacted 106 telephone numbers as part of the telemarketing activities carried out in the period February-March 2023, equal to just over 6% of the total number of telephone contacts from which activations of supplies resulted, consistently of the registration of the same users in the RPO - and therefore of the opt-out mechanism determined by the current legislation, seemed to confirm the validity of the circumstances revealed in the numerous reports and complaints received by the Authority. Finally, the Authority noted that from the documentation in the documents and from the reasons given by the Company, significant doubts emerged regarding the assimilation of the new regulatory framework by the data controller. The Office, therefore, accused Facile.Energy of the possible violation of the articles. articles 5, par. 1, letter. a) and letter f), 5, par. 2, 6, par. 1, letter. a), 24 par. 1, 25, 28 and 32 of the Regulation, as well as art. 130, paragraphs 3 and 3 bis, of the Code, for having carried out processing of personal data of users and contractors in the energy sector in conflict with the principles of lawfulness and responsibility, in the absence of an appropriate legal basis and by implementing technical and organizational structures that are unsuitable for guaranteeing, right from the design stage, and being able to demonstrate, that the processing is carried out in compliance with the Regulation. 2. THE DEFENSE OF THE OWNER With a request dated 2 January 2024 (prot. no. 556), the Company requested access to all the deeds and documents contained in the file. With a note sent on 11 January 2024 (protocol no. 3817), the Office accepted this request, highlighting that all the documentation relating to the investigation was already fully available to the Company, with the exception of the request for information pursuant to art. 157 of the Code sent to the FUB in relation to the list of telephone numbers subject to verification by Facile Energy itself and for which in any case the results had already been shared, in the form of an attachment to the communication initiating the procedure. Subsequently, with notes sent on 18 January 2024 (see protocol nos. 6831 and 6952) Facile.Energy requested the extension of the deadline referred to in the art. 166, paragraph 6, of the Code as well as to be heard by the Authority, both requests were accepted with consequent extension of the deadline for the transmission of the defense briefs and convocation for the hearing set for the following 13 February 2024. With a defense statement sent on 2 February 2024 (protocol no. 13893) the Company preliminarily represented that «the professional has implemented and is further implementing a series of technical management measures also in light of the guidelines extrapolated from the provision of this Guarantor of the 11 December 2019, doc. web no. 9244358". The Company then objected to the unfoundedness of the charge regarding the contested financial and non-economic prejudices suffered by the interested parties, highlighting that based on the provisions of ARERA resolution no. 302/2016, it is possible to make a switch even if unpaid invoices are pending, without the previous supplier having the opportunity to object and pursuant to art. 66 sexies of the Consumer Code in the event of unfair commercial practices, the supplier is required to renounce any economic claims against the consumer. In relation to the 106 telephone users contacted during the so-called. "sample week" while registering for the RPO, the Company found that «This charge is incorrect and misleading. Merely by way of example, a search carried out at the U. Bordoni foundation, the following users that this Guarantor reports having been contacted when they registered their opposition, were freely contactable between February and March 2023 as the owners registered after the month of March 2023 to the opposition register>>. With specific reference to the choice of commercial partners, Facile.Energy declared that the telesellers are appointed as data controllers and are «contractually required to collect the consent of the potential customer contacted in order to obtain a legal basis for the processing» and that «in of stipulation, it is verified that the service providers have an adequate organizational structure also in relation to GDPR by completing questionnaires (Annex B) and interviews with the legal representatives and operational staff of the telesellers themselves. Furthermore, the Facile.Energy company carries out randomized inspections to verify compliance with contractual, legal and GDPR provisions. We reserve the right to produce copies of the reports of these ongoing inspections. As of 2023, only joint-stock companies with a solid capital structure, subject to monitoring, will be contracted as suppliers of the teleselling service". The Company then provided more information in relation to the prodromal procedures for the activation of individual supplies, highlighting that «The stipulation operations are conducted only via OTP so as to be able to uniquely identify the customer, after having obtained their consent to the processing of data. To protect the customer, the same is identified via mobile phone number and internet IP then reported on the contract (Annex B) together with the data of the person who actually made the contact, appointed as data processing manager by Facile.Energy. Company procedures provide for the automatic rejection of contracts that report IP or mobile phone number repeated more than twice, to protect the consumer. (Annex C) All correspondence to end customers is channeled through XX and tracked". Finally, Facile.Energy represented that from October 2023, before proceeding with the activation of the supply, the Company will check the residence of every single potential customer via an XX - Registry/Residence application and that in case of anomalies the activation procedure is not continued. Subsequently, in acceptance of the request sent by the Company, the hearing referred to in art. 166, paragraph 6 of the Code, has been postponed to 27 February 2024. On the occasion of the aforementioned hearing, Facile.Energy preliminarily highlighted the commitment made by the Company to adapt to the Telemarketing Code of Conduct and that to this end it decided to invest in the implementation of a new CRM for the management of company data and documentation . The Company also represented that telesellers are selected exclusively from joint-stock companies and through a standardized procedure, following the administration of a self-assessment questionnaire. In relation to the checks carried out on the work of the telesellers, the Company declared that it carries out random checks (10%-15%) on the contracts concluded with customers, in order to ascertain the lawfulness of the processing: in the event that the telesellers do not provide evidence of a correct legal basis, they can be removed from the Facile.Energy sales network and the contract will still be discarded. The Company then declared that it had changed its corporate practices approximately two months ago with the provision of a double confirmation at the Registry of Oppositions. More specifically, the first check is in turn divided into two phases and is carried out directly by the teleseller, in the two days before the contact. Subsequently, in the period of time between the contact and the activation of the service, the numbers are verified again at the FUB, therefore if in the meantime the interested party has registered with the RPO, the contract is discarded. With reference to these measures, Facile.Energy clarified that they were adopted to reduce complaints and that they are necessary by virtue of the provisions contained in the consumer code, in the part which provide that in the event of unsolicited activation, the final consumer is not required to pay for the supply (see page 2 minutes of the hearing «In practice, Facile.Energy gives the revocation of consent expressed at the Registry of Oppositions close to the signing of an energy contract a value not dissimilar to the right of reconsideration, with a view to maximum protection of the will of the interested party"). The Company then highlighted that even at the time of registration of the contract in the Integrated Information System, a further check is carried out at the FUB and that in the event of registration of the numbering in the RPO, the procedure is blocked, given that «This check allows test the permanence of the interested party's consent, however it must be taken into consideration that the agency accrues its commission regardless of whether the activation procedure continues or not" (see page 2 of the hearing minutes). Facile.Energy then noted that in order to limit the critical issues relating to data collection and contract signing, it decided to proceed with the signing of contracts exclusively through digital subscription, after sending a one time password (OTP). At present, therefore, the stipulation via vocal order has been completely discontinued and, after obtaining consent, the user's indication of the mobile number to which to send the OTP is recorded. The Company also declared that it will send the contractual documentation both directly to the customer's mobile phone via a specific link, and to the residence by tracking the shipment until delivery. With reference to subjective roles, Facile.Energy has represented appointing telesellers as data controllers and using only individuals who have appointed the DPO. With regard to data retention, the Company has highlighted that in case of exercise of the right of cancellation, the request is processed, except in the case in which it is necessary to retain the data for accounting and administrative purposes. The only case in which, after segregation of the data, it is possible to re-access it is when the customer contacts the company again. The company does not carry out profiling, nor does it transfer data to third parties. In addition, the Company has identified that agencies access company systems using a personal username and password, which are updated periodically. In this case, each agency has a single access (so-called room) and indicates the operators who access it. The latter take care of uploading the customer's data and recording the first contact call relating to the communication of the contact telephone number to send the OTP. The system then automatically filters the contracts and, in the event of anomalies (e.g. double contract, suspicious VPN, etc.), the agent receives the rejection notice and can contact the customer again to resolve the problem. Finally, Facile.Energy has reserved the right to produce a summary report by 13 March, as well as the appointment as data controller, the pre-qualification check list of the managers and the audit reports referred to in the defense documents. Lastly, with authorized notes sent on 13 March 2024, the Company declared that it had adopted a configuration of its systems such as to "discard" contracts stipulated using systems that do not allow the identity of the stipulating party to be ascertained (e.g. VPN which conceal the exact IP of the subscriber for example), multiple stipulations with the same address (today a maximum of two contracts can be stipulated with a single telephone number) and subscriptions made through virtual telephone operators or untraceable SIM cards ( e.g. XX etc). With the same note, the Company highlighted that it «carries out periodic random checks on the telesellers regarding the nature of the consent given by the contracted subjects and in some cases not contracted subjects as they are discarded objects as they do not comply with the guidelines (Annex 10) Furthermore, the company carries out periodic audits at individual facilities, without notice, recording the findings of the inspection (Annex 11). Particular attention is paid to verifying the origin of the lists with the data of consumers to be contacted, used by telesellers. Facile.Energy does not limit itself to verifying that the lists are purchased from Italian suppliers responsible for the creation, management and filtering of the same but also requests the delivery of a copy of the purchase contract with the attachments in order to allow the necessary checks regarding the origin of the data and their correct collection and management (Annex 12)". Finally, the Company expressed its desire to organize training meetings in collaboration with the XX association also on the subject of privacy aimed at both its employees and the staff of the sales structures. 3. ASSESSMENTS BY THE AUTHORITY The overall elements and documents acquired during the investigation provide a worrying picture of non-compliance with reference to the legislation on the protection of personal data dating back to the time of the disputed facts and to date not entirely resolved, made even more serious and manifest if considered in light of the constant orientation expressed by the Authority in the context of the numerous measures adopted regarding telemarketing. The Company's defense focused almost exclusively on the allegation and analytical description of a series of measures and processes which - albeit in part, worthy of appreciation - were in fact implemented only during the proceedings and which therefore do not lead to minus the violations being contested. Indeed, today's investigation has its origins in the numerous complaints received by the Authority, also through certain consumer associations, which in an analytical and concordant manner documented a precise modus operandi attributable to Facile.Energy, aimed at the albeit legitimate maximization of profit, but in contempt of any lawfulness safeguard regarding the protection of personal data. From the numerous reports and complaints, an operational practice emerges in customer acquisition activities that appears constant and repeated: the user usually receives a phone call from an operator who does not qualify and who appears to be in possession of all the personal data of the interlocutor and information relating to the supply. Once the activation of the supply has been carried out, often without the customer's knowledge, the latter becomes aware of the existing contract only following the delivery of alarmingly large invoices, when it is now too late to exercise the right to reconsider. In numerous cases, interested parties also complain about the manipulation of vocal orders, required to prove the correct activation of the contract. In relation to the origin of the data, the Company noted that «the undersigned Facile.Energy receives the data of potential customers from teleselling operators and, more generally, from the commercial network (agents, canvassers, etc.). This data, collected and used by the teleseller, is therefore not found by Facile.Energy but is received by the same pursuant to a teleselling contract (in this case) or agency or procurement contract without the possibility of verifying, upstream, the validity of the data itself used by the sales network which is made up of subjects legally distinct from Facile.Energy". But the fact that the contact lists come from third parties does not prevent the Company - as in fact it should do - from verifying, for example, through suitable and complete documentation, the origin of the data and the legal basis of the processing. On the point Facile.Energy limited itself to recalling the obligations incumbent on telesellers by virtue of the procurement contract which in art. 2.4 provides that «The Contractor will find, at his own expense, responsibility and expense, the lists of potential customers to call, arranging, where necessary according to current legislation, directly or through authorized third parties, for registration in the public register of contractors who are object to the use of their personal data and telephone number for sales or commercial promotions, pursuant to article 1, paragraph 15, of law 11 January 2018, n. 5. (hereinafter "Register") pursuant to Presidential Decree 27 January 2022, n. 26 to communicate to the same Registry the lists of names/telephone numbers that it intends to contact for the teleselling activity covered by this Contract and to recover from the aforementioned Registry the "clean" lists of the names registered in the Objections Registry. Likewise, the Contractor and/or authorized third parties will be responsible for the constant conservation, modification, updating or integration of the lists, guaranteeing and in any case indemnifying the Client with regard to compliance with the provisions of the current provisions on privacy". This clause in itself reveals a fundamental confusion between the regulation on the Public Register of Oppositions and that on the right to object pursuant to art. 21 of the Regulation. Pursuant to art. 1, second paragraph, of Law no. 5/2018 «They can register, following their specific request, even simultaneously for all telephone numbers, fixed and mobile, registered in their name, also electronically or by telephone, in the public register of oppositions established pursuant to paragraph 1 of the article 3 of the regulation referred to in the decree of the President of the Republic n. 178 of 2010, all interested parties who wish to object to the processing of their telephone numbers carried out by an operator using the telephone". And then pursuant to the following paragraph 5 «With registration in the register referred to in paragraph 2, all consents previously expressed, by any form or means and to any person, which authorize the processing of one's fixed or mobile telephone numbers are deemed to be revoked ((...)) for advertising or sales purposes or for carrying out market research or commercial communication and is also precluded, for the same purposes, from using telephone numbers transferred to third parties by the data controller on the based on previously issued consents". Differently, the art. 21, par. 2 of the Regulation recognizes the interested party's right to object to the processing of their personal data for direct marketing purposes. First of all, it follows that while registration with the RPO has the effect of revoking consent erga omnes, the exercise of the right of opposition has instead limited effectiveness to the individual data controller or, at most, also extends to the any other recipients to whom the data may have been transferred. Secondly, the institutions in question give rise to obligations of a different nature on the owner. In fact, pursuant to art. 1, paragraph 12 of Law no. 5/2018 «Operators who use telephone advertising and telephone sales systems or who carry out market research or telephone commercial communications ((with or without the intervention of a human operator)) have the obligation to consult on a monthly basis, and in any case, prior to the start of each promotional campaign, the public register of oppositions and to update their lists". Otherwise, following receipt of an opposition request, the owner is required pursuant to art. 12 of the Regulation to facilitate its exercise, to follow up on the request without unjustified delay and in any case within one month of receipt. In no case, therefore, does the owner or manager have the obligation to provide for the training and updating of the users registered in the RPO, as this is a prerogative reserved only for the interested party. Furthermore, the aforementioned contractual clause cannot be used to release the data controller from the obligations and responsibilities established by current legislation on the protection of personal data. Taking into account the nature, scope, context and purposes of the processing, as well as risks having different probabilities and severity for the rights and freedoms of natural persons, Facile.Energy, as data controller and by virtue of the principle of accountability, pursuant to art. 24 of the Regulation is required to implement adequate technical and organizational measures to guarantee, and be able to demonstrate, that the processing is carried out in compliance with current legislation on the protection of personal data. Furthermore, as a logical consequence of the aforementioned principle of accountability, art. 28 of the Regulation requires on the one hand that if processing must be carried out on behalf of the data controller, the latter must only use data controllers who present sufficient guarantees to implement adequate technical and organizational measures so that the processing satisfies the requirements of this regulation and guarantees the protection of the rights of the interested party (so-called culpa in eligendo). On the other hand, the law in question also places on the owner a series of supervisory and control obligations over the work of the data controller (so-called culpa in vigilando). In this case, the failure to fulfill the aforementioned obligations by Facile.Energy clearly emerges not only from the circumstances analytically reported in the numerous complaints received by the Guarantor, but is also confirmed by the Company's own defense, which claims to be exempted from the obligations regarding data protection only by virtue of an indemnity clause and the fact that the retrieval of contact lists was allegedly left to the telesellers. The thesis illustrated cannot be accepted, since it seems to repudiate the key principles of the current regulatory framework, based on a system of exact definition of roles and responsibilities, as well as essential values with which processing activities must necessarily comply. The reference is certainly to the provisions of the articles. 24, 25 and 28 of the Regulation, as well as the principles of lawfulness, correctness, safety and transparency enshrined in the art. 5 of the Regulation. Furthermore, the Company was perfectly aware and therefore in a position to stem the phenomenon, given that in December 2022 it had already been the recipient of a sanction by the AGCM precisely in relation to unsolicited activations and that almost all of the reports and the complaints received by the Guarantor were also transmitted to Facile.Energy directly by the interested parties themselves. The conduct implemented by the Company must then certainly also be evaluated in light of the circumstances put forward by the whistleblowers and complainants, which serve not only to confirm the validity of the reproaches raised, but also to denote their significant gravity. In almost all of the complaints, in fact, the interested parties represent having suffered a series of both economic and non-pecuniary prejudices strictly related to the illicit processing of their personal data carried out in the context of telemarketing activities and the consequent unsolicited activations . From the first point of view, the plaintiffs complain about the loss of more advantageous rates applied by the previous manager and the receipt of invoices for disproportionate amounts. In some cases (file nos. 177320 - 184725 - 182272 -182775) the interested parties - despite not recognizing the contract with the Company and having promptly exercised the right of reconsideration - would have partially or entirely paid the invoices issued to them and, in one case, the interested party would have received others which were followed by warnings for payment from Facile Energy. In yet another case (file no. 183715), the reporting party declared that she had even suffered a suspension of electricity supply due to non-payment of the invoices debited to her by Facile.Energy. Finally, with regard to file no. 217004, the interested party complained about the demand for payment of invoices that remained unpaid without having ever previously received them. In relation to the second profile, in numerous cases the whistleblowers and complainants represent the anxiety and concern of not knowing who and how came into possession of their data and what they intend to do with it, as well as the frustration of paying undue sums or facing the threat of the possible detachment of a notoriously essential supply. On the point Facile.Energy observes «This charge is denied by ARERA resolution 302/2016 which provides that an operator can provide a point simply by operating a switch in without the previous supplier having the opportunity to object. No existential damage and - much less - no financial damage can be caused to the consumer who, correctly, is protected by current legislation and the consumer code, in particular where he suffers a commercially incorrect practice: in this case, in fact, the code cited in Article 66 sexies provides that the supplier is obliged to renounce any economic claim against the consumer who, therefore, will in any case be amply compensated for any damage suffered". This observation cannot be shared, given that the aforementioned difficulties regarding the change of manager can arise in the case, for example, of invoices that remain unpaid because they were never delivered or are the subject of a dispute between the parties due to unsolicited activation (circumstances noted in the complaints included in the present investigation). Furthermore. the protection referred to in art. 66 sexies of the consumer code is not at all automatic and cannot ignore either the proof of the activation of an unsolicited supply or the declaration by the competent authority. Likewise, the findings that emerged from the verification conducted at the FUB in relation to the list of telephone contacts made during the so-called. sample week, which generated the stipulation of as many contracts in favor of the company, serve to prove the attribution to the company of the persistent carrying out of telemarketing and teleselling activities in open conflict with the obligations established by current legislation. Having contacted 106 telephone numbers as part of telemarketing activities (data limited, it is reiterated, only to the calls from which the activation of a service originated, therefore not extended to the much larger number of unsuccessful contacts) carried out in the February-March period, in accordance with the registration of the same users with the RPO - and therefore with the opt-out mechanism determined by current legislation - entails the violation of the art. 130, paragraphs 3 and 3-bis, of the Code, concerning electronic communications, as well as, more generally, of the articles. 5, par. 1, letter. a) and 6, par. 1, letter. a) of the Regulation, with regard to the principle of lawfulness and the need for the legal basis of consent to legitimize the processing of the data in question for promotional purposes. On this point, the Company limited itself laconically to observing that «This charge is incorrect and misleading. Merely by way of example, a search carried out at the U. Bordoni foundation, the following users that this Guarantor reports having been contacted when they registered their opposition, were freely contactable between February and March 2023 as the owners registered after the of March 2023 to the register of oppositions" and to report a list of only 16 numbers that would have been registered at the RPO after the month of March 2023. Facile.Energy then reiterates that "Individual telesellers are appointed data controllers (Annex A), are contractually required to collect the consent of the potential customer contacted in order to obtain a legal basis for the processing". The exception is completely groundless and therefore cannot be accepted. In this regard, it is worth first remembering that the findings emerging from the verification at the FUB come from the institution responsible for regularly keeping the Register and that therefore if the Company had wanted to refute its contents, it would have had to proceed with the analytical reporting of any errors found, highlighting the alleged correctness of the telesellers' actions both in terms of the acquisition of consent for processing with promotional-advertising purposes, and in terms of the timely use of contact lists duly verified at the aforementioned Foundation. The observation, then, cannot be shared even on the merits. The Office asked the FUB to indicate «for each numbering, regarding the possible registration in the Public Register of Oppositions no later than 31 January 2023, or the indication of the automatic registrations, which as of 31 January concern the numbers transferred from old to the new RPO on July 27 and which users have not renewed, for which consents have not been cancelled". This circumstance, moreover, is well known to the Company which requested and obtained access to all the preliminary documents of the proceeding. The aforementioned list of (16 out of 106) numbers appears to be a list of RPO registration renewals carried out after March 2023 and therefore in no way serves to disavow the validity of the charges against the Company, but rather to highlight that the contractors included in the aforementioned list have confirmed their intention to oppose any processing of their personal data for marketing purposes. But even hypothetically if one wanted to accept the exception in question, it would appear that the Company in fact during the so-called sample week made at least 90 telephone contacts (limited to the portion of them which then led to the activation of a supply) in the absence of a suitable legal basis. Furthermore, even the reference to the necessary acquisition of consent leads us to believe that the Company's telemarketing and teleselling activities are carried out with the incorrect interpretation and application of the regulatory provisions, also in relation to the provisions of the articles. 129 and 130 of the code on data present in public registers. The findings that have emerged thus far, therefore, provide a picture of the incomplete effectiveness of the controls and safety measures on the entire supply chain which from the "contact" leads to the "contract". The preparation of controls, as appears in the documents, of a merely formal and ex ante nature on the partner agencies denotes, in fact, only a formalistic transposition of the regulatory principles and exposes the company to the concrete risk of ineffectiveness of the envisaged measures, as in fact happened. The result is a judgment of overall deficiency with reference to compliance with the principles established to protect the responsibility and accountability of the data controller, as well as the specific rules regarding the security of processing (see articles 5, paragraph 1 letter f) , 5 par. 2, 24, par. 1, 25, par. 1 and 32 of the Regulation). These types of control are also provided for by art. 16 of the Code of Conduct for telemarketing and teleselling activities (available on the website www.garanteprivacy.it doc-web n. 9868813 - GPDP Provision n. 70 of 9 March 2023 - in Official Gazette n.73 of 27-3-2024 ), which regardless of membership, has an undoubted value in terms of best practices, in the part in which it provides that «1. The data controllers adopt organizational and/or technical procedures aimed at proving that the data of the interested party/contractor/user have been acquired in compliance with the principles set out in the art. 5, par. 1, of the Regulation; in particular, taking into account the principle of proportionality, through by default measures, they implement specific procedures in the systems that identify the promotional campaigns, contact lists and operators involved in each contract concluded remotely and are able to prove the correctness of the above information. These procedures prevent the registration of contracts for which the aforementioned information cannot be found (...). 2. The adherents of this Code of Conduct ensure that the entire supply chain processes the data exclusively on the basis of suitable consent to processing for telemarketing and teleselling purposes which is clearly distinct from the manifestation of the will to negotiate. (..) 6. The client develops its own processes so that the contracts stipulated following teleselling activities take place in the presence of unequivocal consent to the original contact, except in cases falling within the scope of application of the art. 130, paragraph 3-bis of the Code. During the first application of this Code of Conduct and for the exclusive protection of the interested party, if following the checks contracts emerge for which the first contact is flawed, these contracts may continue to be executed provided that the client informs the interested party of the the faulty origin of the contract and that the interested party himself confirms his desire to maintain it, without prejudice to residual cases in which the customer does not follow up on proven attempts to contact the customer (..)". Even from this point of view, the assessments of the conduct implemented by the Company cannot ignore the necessary considerations regarding the dimensions of the phenomenon and its consequent economic repercussions. If we tried to multiply the 106 illicit telephone contacts made over the course of the so-called. sample week for the overall weeks of annual operation of the telesellers, one could come to the conclusion that in all likelihood the Company stipulated over 5,000 contracts per year following telephone contacts made in the absence of a suitable legal basis and consequently received income the benefits deriving from as many contracts that should never have been stipulated. It is reiterated once again, however, that the aforementioned 106 telephone contacts made in the CD. sample week are only those that were successful (i.e. that led to the activation of the supply), so that the illicit contacts actually made during the sample week were probably much more numerous. For the purposes of determining the proceedings, the degree of cooperation with the Authority and the remedial actions implemented by the Company during the preliminary investigation must certainly also be taken into due consideration. From the examination of the defense writings and the documentation in the documents, it emerges that Facile.Energy, while the proceedings are pending, has started a radical reorganization of its telemarketing and teleselling activities aimed at greater compliance with the legislation on the protection of personal data (e.g. new CRM configuration, random checks of contracts, audits and questionnaires for data controllers, checks at the FUB, exclusion of partnerships from commercial partners, stipulation of contracts via OTP and tracking of the delivery of the contractual package in paper form, courses training on privacy for employees and telesellers). Although worthy of merit, the initiatives listed are not entirely suitable for guaranteeing a sufficient level of adaptation to current legislation and seem to confirm, also from this point of view, the incomplete assimilation or in any case the erroneous interpretation of the same. In relation to the contact lists, it does not appear that the Company has implemented a procedure aimed at testing the existence of a suitable legal basis for the processing, having limited itself to structuring a verification system limited exclusively to the origin of the data (see «i telesellers act on lists of certain origin, preferably made up of them.Energy verifies that the list is not purchased from a foreign supplier or a third party, thus excluding the possibility of a double transfer of ownership". With specific reference to the checks carried out at the FUB, the recently implemented practices described during the investigation reveal on the one hand the erroneous interpretation of the articles. 129 and 130 of the Code, on the other hand that the Company does not make a correct distinction between the granting of consent to the processing of data for marketing purposes and the prodromal consent to the signing of the contract. Facile.Energy clarified on this point that «The Company also carries out a double check with the Opposition Register. The first is carried out directly by the teleseller, in the two days before the contact. Before activating the service, the numbers are verified again at the FUB, so if the person has registered with the FUB in the meantime, the contract is discarded (...). A second check at the FUB occurs automatically when the teleseller uploads the contract. Subsequently, a third check is carried out at the FUB at the time of registration of the contract at the SII". The verification methods just described appear irrelevant and, obviously, excessive, given that current legislation requires that all numbers must be subjected to a prior verification at the FUB, in order to prevent the occurrence of illicit contacts, and that the registration of one's number in the RPO occurring at a later time than a lawful contact, but before the activation of the supply, cannot be used to invalidate either the validity of the upstream contact, or the lawfulness of the downstream contract. In fact, once the customer relationship has been established with the stipulation of the contract and limited to that contractual relationship, the processing of the personal data of the interested party falls outside the scope of application of the articles. 129 and 130 - with the exception of the hypothesis of the so-called. soft spam - to fall within the scope of articles. 6, 7 and 21 of the Regulation (i.e. legal bases and right of opposition). With reference to the scripts sent in attachment to the authorized notes of 13 March 2024 (see annex 3 ter), it should be noted that although they contain a brief information on the processing of personal data, they do not appear to contemplate the prior acquisition of consent to registration, nor indicate to the interested in how to consult the complete information. Pursuant to and for the purposes of art. 83 of the Regulation, an observation must also be made in relation to the attitude and degree of cooperation with the Authority maintained by the Company during the procedure. In fact, Facile.Energy has shown itself to be particularly careless of the rules on the Guarantor's proceedings having external relevance, on the one hand asking for multiple extensions, which in fact did not result in particular follow-up investigations, and on the other failing to exercise the right of defense in methods and times established by law. The reference is certainly to the art. 166, paragraph 6 of the Code in the part which provides that within 30 days. from receipt of the communication of initiation of the proceedings, the offender can send defensive writings and documents to the Guarantor and can request to be heard. In defiance of the rule in question, however, the Company first produced the defense briefs and some documents, then during the hearing it asked again for the granting of yet another deadline for authorized notes and documents. But the Company ended up artfully exploiting the Office's guarantee spirit, trying to evade the legal deadlines in order to introduce into the proceedings documentation produced ad hoc and on a date subsequent to the hearing itself (see annex 11 authorized notes of 13 March 2024 - inspection report dated 11 March 2024). Finally, in order to correctly modulate the corrective measures to be adopted, the indications contained in the chapter must certainly also be taken into consideration. 7 of the Guidelines 04/2022 on the calculation of administrative fines under the GDPR (available for consultation on the website www.edpb.europa.eu). For the reasons fully illustrated, the responsibility of Facile.Energy must therefore be confirmed in relation to the violations contested through the communication of initiation of the procedure pursuant to art. 166, paragraph 5, of the Code of 19 December 2023. 4. CONCLUSIONS For the above, considering that 2 complaints and 56 reports relating to unwanted contacts and consequent unsolicited activations have been received by the Authority against Facile.Energy; also considered that even following a random check, illicit contacts emerged which involved, in the space of a week, 106 subjects who then concluded a contract with the Company, having taken note of the defense considerations, the responsibility of Facile.Energy regarding the following violations: a) of the articles. 5, par. 1, letter. a) and letter f), 5, par. 2, 6, par. 1, letter. a), 24 par. 1, 25, 28 and 32 of the Regulation for the failure to prepare suitable technical and organizational security measures and controls for the commercial chain and partners; b) of the art. 130, paragraphs 3 and 3-bis, of the Code for articles. 5, par. 1, letter. a) and 6, par. 1, letter. a) of the Regulation for having contacted 106 telephone numbers in the context of telemarketing activities, despite the registration of the same users in the RPO - and therefore the opt-out mechanism - determined by current legislation. Furthermore, having ascertained the illegality of the Company's conduct with reference to the treatments examined, it is necessary to: - impose on Facile.Energy, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of the data of reporters and complainants; - order Facile.Energy, pursuant to art. 58, par. 2, letter. d) and e) of the Regulation, to communicate to the 106 interested parties, whose personal data entered the Company's systems following illicit contacts, the outcomes of today's proceedings on the basis of a text to be agreed with the Authority during the application of this provision; - order Facile.Energy, pursuant to art. 58, par. 2, letter. d) to prepare adequate controls within its sales network and adequate implementations of the systems, in order to exclude that illicit contacts carried out by parties external to it could lead to the activation of energy services; - adopt an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Facile.Energy of the pecuniary administrative sanction provided for by the art. 83, par. 3 and 5 of the Regulation. 5. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION The violations indicated above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Facile.Energy of the pecuniary administrative sanction provided for by the art. 83, par. 3 and 5 of the Regulation (payment of a sum of up to €20,000,000.00 or, for companies with over €500,000,000 in turnover, up to 4% of the annual global turnover of the previous financial year). To determine the amount of the sanction it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation. In the case in question, the following are relevant: 1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purpose of the data processed, attributable to the overall phenomenon of telemarketing, in relation to which the Authority has adopted, in particular in the last three years, numerous measures which have fully examined the many critical elements, providing data controllers with numerous indications to adapt the processing to current legislation and to mitigate the impact of nuisance calls on the interested parties; 2) as a mitigating factor (art. 83, par. 2, letter e) of the Regulation) the circumstance that Facile.Energy does not appear to have been the recipient of corrective and/or sanctioning measures by the Guarantor; 3) as a partially mitigating factor (art. 83, par. 2, letter f) of the Regulation) the remedial actions adopted during the procedure, taking into account the circumstance that although the effort made by the owner during the procedure proves worthy of appreciation procedure regarding the adaptation of the corporate structure to the data protection regulations, for the reasons illustrated in the motivating part the actions undertaken are not yet sufficient to guarantee an adequate level of protection and appear partly contrary to the principles and spirit informant of current legislation; 4) as an aggravating factor (art. 83, par. 2, letter k) of the Regulation) the lack of full collaboration provided by the owner during the procedure. Based on all the elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by the art. 83, par. 1 of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction should be applied to Facile.Energy of the payment of a sum of €100,000.00 equal to 0.5% of the maximum fine imposed, in accordance with the relevant precedents. In the case in question, it is believed that the accessory sanction of publication of this provision on the Guarantor's website, provided for by art., should be applied. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the nature of the processing, as well as the elements of risk for the rights and freedoms of the interested parties. Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor. ALL THIS CONSIDERING THE GUARANTOR a) imposes on Facile.Energy, pursuant to art. 58, par. 2, letter. f) of the Regulation, the prohibition of any further processing of the data of reporters and complainants; b) orders Facile.Energy, pursuant to art. 58, par. 2, letter. d) and e) of the Regulation, to communicate to the 106 interested parties, whose personal data entered the Company's systems following illicit contacts, the outcomes of today's proceedings on the basis of a text to be agreed with the Authority during the application of this provision; c) orders Facile.Energy, pursuant to art. 58, par. 2, letter. d) to prepare adequate controls within its sales network and adequate implementations of the systems, in order to exclude that illicit contacts carried out by parties external to it can lead to the activation of energy services; d) orders Facile.Energy, pursuant to art. 157 of the Code, to communicate to the Authority, within 30 days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation; ORDER to Facile.Energy S.r.l., in the person of the legal representative pro tempore, with registered office in Milan (MI), Via Uberto Visconti di Modrone n. 34, VAT number 05175670289, to pay the sum of 100,000.00 (one hundred thousand/00) euros as a pecuniary administrative sanction for the violations indicated in the justification, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, by complying with the instructions given and paying, within thirty days, an amount equal to half of the sanction imposed. ORDERS to the aforementioned Company, in the event of failure to resolve the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 100,000.00 (one hundred thousand/00) euros, according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts in accordance with the 'art. 27 of law no. 689/1981. HAS The application of the accessory sanction of the publication of this provision on the Guarantor's website, provided for by the articles. 166, paragraph 7 of the Code and 16 of the Guarantor's Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by the art. 57, par. 1, letter. u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with the art. 58, par. 2, of the Regulation itself. Pursuant to the articles. 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself. . Messina, 11 April 2024 PRESIDENT Stanzione THE SPEAKER Ghiglia THE GENERAL SECRETARY Mattei