
Garante per la protezione dei dati personali (Italy) - 10097012

From GDPRhub

The DPA fined E.ON Energia €892.738,00 for unlawfully processing personal data for marketing calls: the controller had not verified the data it collected through an online form, and it also failed to respond to requests from data subjects.

English Summary

Facts

After two different data subjects filed separate complaints against the energy provider E.ON Energia (the controller), the DPA decided to handle the two complaints jointly.

The first complaint concerned a marketing call to the data subject, during which she found out that the controller held her date of birth as well as contact details, including her work email address. During the call, the operator said that this contact information had been provided by the data subject herself through an advertising campaign on Facebook. However, the data subject does not even have a Facebook account. The data subject then submitted an access request to the controller.

The DPA then asked the controller for information on the processing of the first data subject’s data. The controller merely replied that the data had likely been collected from a “third party”. As for the failure to reply to the data subject, the controller stated that this had been a simple human mistake.

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 12 GDPR
Article 15 GDPR
Article 22 GDPR
Article 24 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 27.11.2024
Published:
Fine: 892.738,00 EUR
Parties: E.ON Energia
National Case Number/Name: 10097012
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: elu

The second complaint concerned a data subject who was already a customer of the controller. At some point she began receiving unwanted marketing calls from multiple companies. After she submitted an access request, the controller stated that, once again due to a mere human mistake, the consents on her contract forms had been mixed up and recorded incorrectly.

However, even after this reply, the data subject kept receiving advertising calls from the controller and asked the controller again to stop them. The controller never replied to these messages.

The data subject then complained about this situation to the DPA.

After the DPA contacted the controller, it replied that, once again purely because of human error, an employee had accidentally inverted the consents when transcribing the data subject’s data.

With regard to its marketing policy, the controller declared that the company to which marketing is outsourced uses a regularly filtered database.

Holding

The DPA found that the information and explanation given by the controller were insufficient.

Violation of Articles 5, 6, 7 and 24 GDPR

The DPA found a violation of Articles 5, 6, 7 and 24 GDPR because the controller carried out telemarketing in breach of the principles of lawfulness and accountability: there was no legal basis for the processing, and the controller lacked technical and organisational measures capable of ensuring that personal data is processed in compliance with the GDPR.

In telemarketing campaigns, the processing of personal data collected through an online form cannot be considered lawful without measures that verify the origin of the data and the identity of the data subject. Collecting data through an online form without such verification is therefore not enough to ensure that the data actually comes from the data subject.

The fact that so many “human mistakes” occurred in the controller’s telemarketing activities indicates that the processing chain is not operated effectively. More specifically, the controller probably failed to assign roles and responsibilities, particularly for the ordinary handling of customer services.

The controller also omitted measures suitable to ensure that its selected partners offer sufficient guarantees to implement technical and organisational measures in compliance with the GDPR.

Violation of Articles 12, 15-22 GDPR

The DPA further found a violation of Articles 12 and 15-22 GDPR, as the controller cannot rely on a mere human mistake to justify its failure to reply to the access requests submitted by the data subjects.

Fine

Therefore, the DPA deemed it appropriate to fine the controller €89.273.777,20 for the violation of Articles 5, 6, 7, 12, 15 and 22 GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

[web doc. no. 10097012]

Measure of November 27, 2024

Register of measures
no. 736 of November 27, 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today’s meeting, attended by Prof. Pasquale Stanzione, President, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Councillor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018, no. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the “Code”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted with resolution of 28 June 2000;

REPORTER: Attorney Guido Scorza;

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

1.1. Introduction

With deed of 13 August 2024, no. 98907 (notified on the same date by certified email), which must be considered fully referenced and reproduced here, the Office initiated, pursuant to art. 166, paragraph 5, of the Code, a proceeding for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation against E.ON Energia S.p.A. (hereinafter “E.ON”, the “Company” or the “Controller”), in the person of its legal representative pro tempore, with registered office in Milan (MI), Via dell’Unione n. 1, VAT number 03429130234.

The proceeding originates from an investigation initiated by the Authority, following the receipt of two separate complaints filed against E.ON. More specifically, with complaint no. 352614 the interested party complained about receiving unwanted calls made in the interest of the Company and the failure to respond to the request to exercise the rights pursuant to Articles 15 et seq. of the Regulation. With complaint no. 367993 the interested party reported receiving numerous promotional calls from E.ON made in conjunction with the activation of two energy supplies and that by the Company's own admission, when uploading the agreement to the company systems, the consents granted pursuant to the legislation on the protection of personal data had been valued in a manner different from that reported in the contract.

1.2. Requests for information formulated by the Authority

1.2.1. The request for information relating to complaint no. 352614

With a complaint dated 13 March 2024 (see prot. no. 31258), the applicant complained about E.ON's failure to respond to a request to exercise the rights pursuant to articles 15 et seq. of EU Regulation no. 2016/679 made on 22 January 2024. The request followed the receipt of a promotional call made in the name and on behalf of the aforementioned Company, during which the interested party became aware that E.ON was in possession of her personal and contact details, including her institutional email address. During the telephone conversation, the operator reported that the contact had been requested by the interested party herself by joining an advertising campaign carried out via Facebook, however, she highlighted that she had never activated any account on the aforementioned social platform.

Having examined the complaint and all the documentation attached thereto, with a note dated 29 March 2024 (see Prot. no. 39774), the Office notified the Company of a request for information pursuant to art. 157 of the Code, inviting E.ON to provide its observations in relation to what was represented therein and to communicate whether it intended to adhere to the complainant's requests.

Subsequently, having acknowledged that due to a mere material error the communication had not reached the Company's address, with a note dated 27 May 2024 (see Prot. no. 64326) the Office reiterated the request.

Thus, with a reply dated 14 June 2024 (see Prot. no. 73277 of 17 June 2024), E.ON preliminarily stated that «The Complainant's request to exercise the rights regarding the protection of personal data followed a telephone contact by the same with E.ON staff who, already on 18 January 2024, offered the same some information regarding the personal data processing activities carried out by E.ON: more specifically, during this telephone conversation the Complainant was informed by telephone of the fact that her personal data had been collected following a Facebook campaign which concluded with the possibility of filling out an online form to express interest in the products and services of the Company and to request a telephone contact with E.ON staff for more information on the same».

On this point, the Company also highlighted that «on the basis of agreements relating to the conditions on advertisements to acquire new customers on the Facebook platform, E.ON launched the “ClimaSmart Climatizzatore” advertising campaign to promote its products and services. The campaign included the optional completion of an online form on the Facebook platform in which to enter personal data (name, surname, email and telephone number) and express or deny consent. The Complainant’s personal data were transmitted to the company CRM via API and then processed by E.ON staff, with the purpose of contacting the interested party again».

In light of the aforementioned findings, in the Company’s opinion, the complainant’s data had likely been entered into the form in question by a third party and without the interested party’s authorization.

As for the failure to respond to the request to exercise the rights referred to in Articles 15 et seq. of the Regulation submitted by the complainant, E.ON noted that this omission had been caused by a human error committed by the supplier XX, which the Company uses for "the digitalization of some processes, and, in general, for the scanning of registered letters which are subsequently indexed and transmitted to the competent company functions. In this case, the paper mail management flow did not operate correctly and this resulted in the failure to upload the digitalized document with the Complainant's request".

With reference to the more general management of requests to exercise rights, the Company highlighted that it had made available to interested parties «a series of dedicated channels to allow easy exercise of privacy rights, as also indicated in the privacy policy published on the site, in section 11 How to exercise rights (https://www.eon-energia.com/informazioni-utili/informativa-privacy.html)», that it had implemented specific internal procedures for managing requests, as well as providing for the organization of «periodic training sessions, in person and with digital platforms, both for employees and for the sales network, customizing the contents and always giving great importance to the correct management of personal data».

Finally, with the same note of 14 June 2024, the controller responded to the complainant’s requests to exercise her rights. The complainant did not avail herself of the right to submit further observations and/or requests.

1.2.2. The request for information relating to complaint no. 367993

With a complaint dated 2 May 2024 (see Prot. No. 53146), the interested party represented that she had signed two contracts for the supply of electricity and gas with E.ON Energia in November 2023. The complainant complained that starting from 22 November 2023, she had been the recipient of a multitude of unwanted promotional telephone calls from "the most diverse companies intending to offer her various services and products". Taking into account that the telephone calls had started precisely in conjunction with the activation of supplies by E.ON, the interested party attributed these contacts to an illicit transfer of her personal data to third parties carried out by the Company.

Thus, on 29 February 2024, the complainant had contacted the controller in order to obtain documentary evidence of the consents given in relation to the processing of her personal data.

From the documentation submitted by the complainant, it emerged that E.ON had responded to the applicant on March 27, 2024, stating that "during the implementation of the contracts in question on our systems, the privacy consents were reported, due to a mere material error, in a manner different from the authorizations you issued during the stipulation phase". On the same occasion, the Company reassured the complainant by stating that it had recorded the denial on its systems.

Nonetheless, the interested party had continued to receive multiple promotional contacts, therefore on April 7, 2024, she contacted the controller again, asking it to "promptly take action so that those to whom you have provided my personal data no longer allow themselves to call me", but the Company did not provide any feedback.

In the complaint, the interested party also stated that the receipt of numerous unwanted phone calls was creating a series of inconveniences in her personal and professional life, also by virtue of the public office she held in the past (see «(…) she confesses to feeling very uncomfortable and ethically conflicted in deciding whether or not to answer these cell phone numbers: in fact, they could be from normal citizens who actually want to talk to her. For these reasons, she often calls the same numbers to make sure they do not really belong to them» and again «Please take into account that the facts in the narrative have significantly lowered the representative's quality of life, creating considerable physical and psychological stress. Furthermore, the phone calls also arrive during moments of rest, such as in the early afternoon»).

Thus, having examined all the circumstances deduced and attached to the complaint, with a note dated 27 May 2024 (see Prot. no. 64362), the Office notified the Company of a request for information pursuant to art. 157 of the Code, inviting E.ON to provide its observations in relation to what was represented therein and to communicate whether it intended to adhere to the complainant's requests.

Subsequently, with a reply dated 14 June 2024 (see Prot. no. 73269 of 17 June 2024), the Company represented that following the receipt of the requests sent by the complainant between the end of February 2024 and the beginning of April 2024, «E.ON Customer Service accessed the Company's IT systems and verified that, due to a mere material error, during the transcription of the Complainant's data on E.ON's CRM Salesforce management system, the consents given by the Complainant had been inverted with respect to those given during the activation phase of the services, with the result that the systems recorded a consent for the transfer of data to E.ON's commercial partners rather than the consent for the customization of offers that had been given during the activation phase of the services. The Customer Service then immediately corrected and updated the Complainant's privacy preferences and communicated this to the Complainant», reiterating that the personal data in question had not «been shared with partners or third parties for their own marketing or co-marketing purposes».

The Company also specified that it had contacted the Complainant on 8 November 2023 in order to formalize the service supply contracts and that it had attempted a further contact (so-called "caring call") after the invoices for the services provided had been issued, when the consent for «sending communications of initiatives, commercial offers, questionnaires, surveys, polls and market research through ordinary letters and/or telephone calls, e-mails, SMS, MMS, notifications and newsletters» was still recorded as given in E.ON's systems.

As for the contacts useful for exercising rights, E.ON highlighted that «(…) the privacy policy can be found in the “Privacy and Governance” section in the footer of the Site (https://www.eon-energia.com/). The policy has a section specifically dedicated to the “Methods of exercising rights”, in which the various channels established to facilitate the exercise of rights by interested parties are reported (…)».

Finally, with reference to the measures adopted in relation to the performance of telemarketing activities towards the so-called prospects, E.ON declared that «the supplier database on which the Company relies is filtered by eliminating customers already present in the E.ON customer base. Every 15 days a “prospect” list is created for each teleseller. Before sending, all the lists are cross-referenced with the public register of objections to eliminate from the lists the customers who are registered there. Following the outcome of the verification, the list of contactable subjects (therefore not present in the Company's customer base and not registered in the opposition register) is sent via the system called SafeFileTransferProtocol (sftp), one dedicated to each partner. Contact attempts take place in the following 15 days. After 15 days, the lists are again deposited in sftp to return them to the supplier».

By contrast, with respect to customers already present in the customer base, E.ON noted that «periodically (usually once a month) a list of contacts chosen from customers who had provided consent to marketing activities is sent to telesellers. Contact attempts are made within the following month. After the month, customers are classified as not contactable for a subsequent specific period of time».
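The prospect-list filtering described above, and the inverted consent transcription behind complaint no. 367993, can both be expressed as automated checks. The Python below is an added illustration, not E.ON's code or part of the decision: it normalises telephone numbers, drops prospects already in the customer base or enrolled in the opposition register, enforces the 15-day contact window as a check (which the text only describes), and reconciles CRM consent flags against the signed contract so that a customer is only put on a marketing list when the record matches what was signed. All field names, numbers and dates are constructed.

```python
"""Added illustration for the checks described in this decision.

Constructed example, not E.ON's code: list suppression against the customer
base and the public opposition register (RPO) with a 15-day contact window,
plus reconciliation of CRM consent flags against the signed contract.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

CONTACT_WINDOW_DAYS = 15  # the 15-day prospect cycle the Company describes
# Consent purposes modelled here (assumed names, not E.ON's field names).
CONSENT_PURPOSES = ("marketing", "profiling", "partner_transfer")


def normalize_msisdn(raw: str) -> str:
    """Return a canonical '+<country><number>' string so that lists from
    different sources can be cross-referenced reliably.

    Assumption: a number without an international prefix is Italian (+39).
    """
    compact = "".join(ch for ch in raw if ch not in " -.()")
    if compact.startswith("+"):
        digits = compact[1:]
    elif compact.startswith("00"):
        digits = compact[2:]
    else:
        digits = "39" + compact
    if not digits.isdigit():
        raise ValueError(f"not a telephone number: {raw!r}")
    return "+" + digits


@dataclass
class ProspectList:
    contactable: list[str]      # normalised numbers a teleseller may call
    excluded: dict[str, str]    # normalised number -> reason for exclusion
    contact_deadline: date      # last day on which contact attempts are allowed


def build_prospect_list(supplier_numbers, customer_base, rpo_register,
                        list_date: date) -> ProspectList:
    """Filter the supplier database as the Company describes: remove existing
    customers, remove numbers enrolled in the opposition register, and record
    why each number was dropped so the filtering can be demonstrated later."""
    customers = {normalize_msisdn(n) for n in customer_base}
    opposed = {normalize_msisdn(n) for n in rpo_register}
    contactable: list[str] = []
    excluded: dict[str, str] = {}
    for raw in supplier_numbers:
        number = normalize_msisdn(raw)
        if number in customers:
            excluded[number] = "already in the customer base"
        elif number in opposed:
            excluded[number] = "enrolled in the opposition register"
        elif number not in contactable:      # silently collapse duplicates
            contactable.append(number)
    deadline = list_date + timedelta(days=CONTACT_WINDOW_DAYS)
    return ProspectList(contactable, excluded, deadline)


def contact_allowed(plist: ProspectList, raw_number: str, today: date) -> bool:
    """A call is allowed only for a number on the list and within the window."""
    return (normalize_msisdn(raw_number) in plist.contactable
            and today <= plist.contact_deadline)


def consent_mismatches(signed: dict, recorded: dict) -> list[str]:
    """Purposes where the CRM record differs from what the customer signed.
    Complaint no. 367993 arose from exactly this kind of inverted entry."""
    return [p for p in CONSENT_PURPOSES
            if bool(recorded.get(p)) != bool(signed.get(p))]


def customer_marketing_eligible(signed: dict, recorded: dict) -> bool:
    """A customer goes on the monthly teleseller list only if marketing consent
    was signed AND the CRM record agrees with the contract; a mismatch blocks
    the contact until the record has been corrected."""
    return bool(signed.get("marketing")) and not consent_mismatches(signed, recorded)


# --- constructed sample data ------------------------------------------------
SUPPLIER_DB = ["+39 333 111 2222", "0039 333 333 4444",
               "333 555 6666", "333-555-6666", "02 1234567"]
CUSTOMER_BASE = ["3331112222"]          # first supplier entry is a customer
RPO_REGISTER = ["+393333334444"]        # second entry is enrolled in the RPO
LIST_DATE = date(2024, 11, 27)

SIGNED_CONSENTS = {"marketing": True, "profiling": False, "partner_transfer": False}
INVERTED_CRM = {"marketing": False, "profiling": False, "partner_transfer": True}


def demo_prospects() -> ProspectList:
    """Build the prospect list from the constructed sample data."""
    return build_prospect_list(SUPPLIER_DB, CUSTOMER_BASE, RPO_REGISTER, LIST_DATE)


if __name__ == "__main__":
    plist = demo_prospects()
    print("contactable:", plist.contactable, "until", plist.contact_deadline)
    print("excluded:", plist.excluded)
    print("mismatches:", consent_mismatches(SIGNED_CONSENTS, INVERTED_CRM))
    print("eligible:", customer_marketing_eligible(SIGNED_CONSENTS, INVERTED_CRM))
```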

Finally, the complainant, availing herself of the powers recognized by the legal system, with a note dated June 26, 2024 (see 78686 of June 27, 2024) reiterated the receipt of numerous promotional calls and highlighted that although she had had the same telephone number for more than twenty years, before then she had never received so many promotional calls.

1.3. The consolidation of the proceedings

Considering that the complaints in files nos. 352614 and 367993 are addressed to the same controller and concern issues of the same nature, in order to promote their organic examination and implement the principles of economy and speed referred to in art. 9 of the internal regulation no. 1/2019 (in www.gpdp.it, web doc. no. 9107633), it was deemed appropriate to handle the complaints jointly pursuant to and for the purposes of the subsequent art. 10 of the same regulation.

In this case, moreover, joint handling appeared more suitable to guarantee the right of defense and the need not to aggravate the proceedings, also in terms of the lower expenditure of time and resources that it entails for the data controller.

1.4. Contestation of violations

The Office, following the investigation, adopted the aforementioned contestation act no. 98907/24 in which, first of all, it was observed that from the findings and the documentation acquired overall, a lack of awareness on the part of the Company seemed to emerge with regard to the obligations incumbent on the data controller as established by the legislation in force on the protection of personal data and, more specifically, by the principle of so-called accountability pursuant to Articles 5, paragraph 2 and 24 of the Regulation.

In fact, in the context of the feedback provided to the Authority's requests, the Company had limited itself to attributing the conduct at issue to third parties or to errors committed by its collaborators and commercial partners, as if they could constitute an exemption from any liability, without fulfilling the burden of alleging and demonstrating that it had adopted all the measures prescribed by law to avoid incurring such violations.

Furthermore, from the elements that emerged during the investigation, E.ON appeared to have carried out telemarketing and teleselling activities in the absence of an appropriate legal basis, and therefore in violation of Articles 5, 6 and 7 of the Regulation and Article 130 of the Code.

With specific reference to the promotional activities carried out through social channels, in fact, it emerged that the Company had used the complainant's personal data without adopting adequate measures to verify their legitimate origin or the identity of the subjects who provided them.

Further critical profiles had also emerged in relation to the processing of customers' personal data carried out for marketing purposes with particular reference to the procedures for acquiring and managing the consents given by the interested parties.

With reference to complaint no. 367993, E.ON had attributed the conduct at issue to a mere human error in the recording of the consents. But this statement revealed two orders of critical issues. On the one hand, these statements showed the failure to implement suitable measures to verify and ensure the correspondence between the consents given by the interested parties and the information recorded on the company systems, thus resulting in telemarketing activities carried out in the absence of an appropriate legal basis.

On the other hand, what happened seemed to presuppose the failure to fulfill the obligations under art. 2-quaterdecies of the Code on the identification, training, direction and monitoring of the persons within the controller's organization who process personal data in the name and on behalf of the Company.

Furthermore, the statements provided on the failure to respond to the request to exercise rights in file no. 352614, attributed to an error committed by a commercial partner, suggested a violation of the obligations incumbent on the controller pursuant to art. 28 of the Regulation (so-called culpa in eligendo and culpa in vigilando).

The Office, therefore, contested E.ON with the following hypotheses of violation:

a) arts. 5, 6, 7 and 24 of the Regulation, as well as art. 130 of the Code, for having processed personal data in breach of the principles of lawfulness and accountability, in the absence of an appropriate legal basis and by implementing technical and organizational measures that are not adequate to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation;

b) articles 24 and 28 of the Regulation, also in relation to article 2–quaterdecies of the Code, for having processed personal data using internal and external parties to the company organization, in violation of the obligations incumbent on the data controller in order to identify, train, direct and monitor the work of the designated parties;

c) articles 12 and 15-22 of the Regulation for failure to implement company procedures and measures suitable for ensuring adequate and timely response to requests to exercise rights by interested parties.

2. THE CONTROLLER'S DEFENSE

The party did not avail itself of the right to be heard by the Authority, but presented its briefs and defensive documentation pursuant to art. 166, paragraph 6 of the Code and art. 13 of internal regulation no. 1/2019 (see Prot. no. 107276 of 12 September 2024).

In the defense brief just mentioned, first of all with reference to complaint no. 352614, E.ON indicated the measures implemented in order to improve the level of corporate compliance in the management of digital campaigns. More specifically, based on the new system, «those who fill out the online form with the request to be contacted to receive information on the E.ON product/service will be sent an email with which they can confirm their data and the will expressed online». Furthermore, the numbers will be checked against the public opposition register (RPO) before contact and in any case «before data collection, via the online form, an ad hoc information notice will be issued with respect to this processing activity and the flow described above (completion of the online form, sending of recap and confirmation emails of data and desire to contact, telephone contact with E.ON); the right of the interested parties to revoke the interest expressed and confirmed, according to the procedure above, before actual contact with E.ON, being able to use the channels for exercising the rights made available by the Company, will always remain valid».

With regard to complaint no. 367993, E.ON disavowed the telephone contacts that were the subject of the complaint, reiterating that it had not communicated the complainant's data to third parties and specifying, however, that it had contacted the complainant «for two purposes: a first call (successful) was made to formalize the contracts, while the other attempts at telephone contact occurred between the beginning of January and the beginning of February to make the so-called "first bill caring call". In fact, not having reached the Customer on the first attempt, as required by procedure, three further attempts were made, all recorded with a negative outcome (“no answer” or “failed”, attachment 1) when, moreover, Mrs. XX had not revoked her consent to E.ON marketing activities validly expressed (both in the electricity contract and in the gas supply contract - see attachments 2 of the reply notes of 14 June 2024 to note Prot. no. 64362) and correctly recorded in the E.ON systems».

On the same occasion, the Company also specified that «this type of so-called “caring” call is aimed exclusively at obtaining confirmation that the requested services are in line with the Customer's expectations, both from the economic point of view and in terms of clarity of the information provided during the activation and subscription phase of the same. In the event of a negative outcome of the “caring” call, the contact is recorded as “unavailable” (…) and excluded from subsequent telephone contacts».

The Company then observed that the circumstance declared by the interested party, regarding the fact that the calls at issue were aimed at the marketing of water purifiers, not marketed by the Company, was sufficient to demonstrate that the contacts in question were not attributable to E.ON (see the email of 29 April 2024 attached to the complaint).

With regard to the communications sent by E.ON, the Company observed that during the activation of the services, the complainant had given valid consent for the processing of personal data for marketing purposes to be carried out through ordinary letters and/or telephone calls, e-mails, SMS, MMS, notifications and newsletters.

E.ON also highlighted that «according to E.ON's technical and organizational measures, the personal data of E.ON customers are not accessible to unauthorized third parties; there are no integrations and automatisms that allow "open" access to the database (CRM) towards systems external to the Company and for sharing personal data with third parties for marketing purposes; there are no unauthorized or illicit accesses to E.ON IT systems containing personal data of its customers, including those of the complainant».

On this point, the Company observed that the phenomenon of suspicious calls is to be attributed to third parties with respect to the company organization and who act illegally, highlighting the commitment made to combat the phenomenon and raise awareness among users.

With reference, however, to the methods of uploading contracts to the company systems, E.ON highlighted that although the services in favor of the complainant were activated with the traditional management flow and therefore with the involvement of personnel appointed by the Company, currently "an activity of digitalization of the user acquisition processes is underway through the use of tablets and dedicated apps, which allow the user to directly record their wishes on E.ON IT systems".

Furthermore, in order to «guarantee and increase the quality of the acquisition phase of the commercial activities of the various sales channels, the Acquisition Quality Committee has also been established, which, among its main activities, also deals with: (i) monitoring and controlling the implementation of the resolutions and provisions of the competent authorities regarding unsolicited contracts/services/activations; (ii) controlling and verifying the effectiveness of the operating procedures implemented to satisfy the aforementioned resolutions and measures adopted by the Company; (iii) making communications (such as reports, formal notices, etc.) to channels, sellers, trade associations, regulatory bodies and other interested parties with reference to issues relating to acquisition processes, (iv) cooperating with the various company departments so that the company procedures for the correct processing of personal data are implemented».

In addition, always in relation to the complaints referred to in complaint no. 367993, E.ON reiterated that the unwanted contacts are attributable to the conduct of third parties outside the company structure and that it cannot be excluded that the complainant's data are in the possession of other data controllers, since the public role held in the past by the complainant «may have led her to provide various parties with her personal data in the more than twenty years since she has owned the number».

Finally, the Company has represented the efforts made to prevent the occurrence of human errors also «through the provision of training courses, the assignment of specific privacy authorization tasks for company personnel, the issuing of specific instructions, the use of tablets and apps». 

As for the measures adopted to implement the principle of so-called accountability, the Company declared that it had adopted the following measures:

«- a data protection management system (“DPMS”), subject to constant updating, which includes, among others, guidelines and procedures for managing requests from interested parties and the management of data breaches, information pursuant to art. 13 and 14 of the Regulation, tools (such as the Assessment of Data Protection Risks for risk assessment activities pursuant to the Regulation);
- the appointment of a DPO for the Italian E.ON companies, who supports and also works in coordination with the other identified supervisory bodies (including the Cyber Security Manager);
- the identification of internal figures with specific duties and delegations in terms of privacy, including data privacy coordinators (some company managers who deal mostly with privacy issues), and data protection experts who work in close coordination with the competent IT figures and the Information Security Officer;
- procedures, processes and checklists for the accreditation of third parties (e.g. cyber security checklist, procurement process, Annex 5);
- template contracts for the processing of personal data, governing privacy relationships with the subjects who qualify as data processors and containing the elements pursuant to art. 28 of the Regulation and indications on the technical and organizational measures guaranteed by the processor (Annex 6);
- authorizations with instructions on personal data protection for E.ON personnel during the hiring phase (Annex 7);
- the adoption of a package of guidelines (so-called People Guidelines) that specifically indicate how to act on various occasions, including Data Protection guidelines (Annex 8) and Information security guidelines (Annex 8bis), which are in fact instructions for company personnel;
- authorizations for those who fall into the role of system administrators (Annex 9);
- privacy training procedures for company personnel;
- registers of personal data processing activities;
- internal checks on the correct application of the procedures and the GDPR in internal processes».

E.ON then contested the groundlessness, generality and lack of evidence of the contested violation of art. 2-quaterdecies of the Code, reiterating that the Company organizes periodic training sessions, both in person and remotely, aimed at employees and the sales network. More specifically, the Company stated that company policies require that staff take privacy training courses «at the time of hiring (delivered via an e-learning platform) and during the relationship (the second training generally takes place after the first quarter), ad hoc training sessions are organised by the Legal & Compliance Department of E.ON Italia S.p.a. (during which privacy roles, the legal bases of processing, the requirements for the validity of consent, the principles applicable to processing activities, etc. are discussed). Other dedicated training sessions are organised with recurring meetings on a monthly basis, with staff from offices and departments that more than others carry out personal data processing activities, such as those dealing with sales and customer care, with whom further information and instructions are thus shared (for example, regarding the privacy information to be used, the consents to be enhanced in company systems, the management of requests from interested parties). The training material is always accessible on the company intranet where you can consult the policies, procedures, information, guidelines and other elements that are part of the so-called corporate Data Protection Management System».

Furthermore, the staff receives a specific designation, which also contains instructions on the processing of personal data and the company policies are always accessible from the intranet. Each employee, moreover, receives a personalized authorization profile based on the tasks performed.

In relation to the contested violation of art. 28 of the Regulation, E.ON observed that it has adopted the following measures: «supplier accreditation procedure; - use of cybersecurity checklists also for the checks pursuant to art. 24, 25, 28 and 32 GDPR submitted to suppliers during the engagement phase and during the relationship; - verification of service contracts with its suppliers also with a focus on privacy, having to ascertain the need or otherwise to conclude a data processing agreement, as well as correctly defining the privacy roles between the parties and adequate audit clauses; - the use of a model contract for the processing of personal data, which contains specific instructions also with respect to the technical-organizational measures that the data controller must guarantee; - training of personnel also on the contractualization process which includes the acceptance of the DPA, with the attached security measures, before the contractualization of the partner».

The Company also stated that it monitors the work of external processors during the relationship, for example by updating the agreements concluded pursuant to art. 28 of the Regulation and submitting new and/or additional checklists.

With specific reference to supplier XX, the controller clarified that that supplier was evaluated positively by virtue of the certifications and accreditations held. E.ON did not deem it appropriate to adopt disciplinary actions against this processor since «following further internal checks after sending the reply notes of 14 June, it was ascertained that the failure to respond to Mrs. XX's request must be attributed to a material error by E.ON staff and not by the external supplier. More specifically, it was found that the registered letter to exercise the rights was not delivered to the Customer Care office, responsible for managing complaints from interested parties, but to a different department that was unable to index and promptly address the request as the registered letter had a generic addressee». In this regard, the Company highlighted that this was an isolated case due to an error which could not be avoided despite the application of technical and organizational measures by the Company.

Likewise, the failure to respond to the request to exercise the rights pursuant to Articles 15 et seq. of the Regulation (see complaint no. 352614) - with respect to which the Company reiterated that the data subject had also received information and clarifications during the telephone conversation with Customer Care - according to the controller's thesis must be attributed «to a human error in the process followed for the management of paper mail. However, unlike what was already reported in the reply notes of 14 June 2024, it is specified that the mistake was made by E.ON staff and not by supplier XX». The Company has clarified on this point that the case must be assessed as an exceptional event, which may occur despite the diligence employed and the adoption of the following compliance measures: «the implementation of different channels to allow interested parties to easily exercise their rights, 2) the designation of a data protection officer and the assignment of specific privacy duties/roles to E.ON staff (the so-called data privacy coordinators); 3) the identification of the persons responsible for managing requests from interested parties (all privacy complaints are managed by a dedicated team); 3) by providing periodic and specific instructions to its staff, through privacy authorizations, training courses, meetings, guidelines, etc., 4) the implementation of a procedure dedicated to the management of requests from interested parties, which is part of the E.ON Data Protection Management System available to company staff, 5) the implementation of a company procedure for the management of paper mail».

In conclusion, the Company also expressed its intention to «integrate the company procedure for managing paper mail; - carry out further training sessions with company staff to further remind the importance of correctly valorizing the privacy wishes of interested parties and the need to follow company procedures; - continue with the digitalization process through the use of tablets, apps and dedicated portals and overcome analog procedures during which material errors by company staff may occur».

3. AUTHORITY'S ASSESSMENTS

First of all, it should be noted that the submissions and documentation provided by the Company as a whole during the proceedings before the Authority have not allowed the objections raised by the Office to be overcome, nor do they discharge the burden of demonstrating the implementation of adequate measures of compliance with the provisions on the protection of personal data, which falls on the data controller pursuant to the combined provisions of Articles 5, par. 2 and 24 of the Regulation (on this point see Recital 74 of the Regulation, according to which «It is appropriate to establish the general responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf. In particular, the controller should be required to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of processing as well as the risk to the rights and freedoms of natural persons»).

While it is true that, in line with its European origins, the legislation on the protection of personal data, with some exceptions, does not impose particular formalities, it is equally clear that the controller must take on the burden of being constantly able to demonstrate compliance with the legislation in force.

On this point, the Authority is aware of the difficulty inherent in the absence of formal indices - for example, similar to what is imposed by national civil law when it regulates the essential elements of a legal transaction or the written form ad substantiam - which in fact gives rise to a particularly rigorous obligation on the part of the data controller in choosing the methods and times of fulfillment.

However, the absence of particular formalisms, if on the one hand generates greater responsibility on the part of the data controller, on the other hand guarantees a wide freedom of action and power of choice.

A logical corollary of this complex reconstruction is that no universal formula can be considered to exist for correctly fulfilling such obligations and that, consequently, a case-by-case assessment must be conducted, which also takes into account the socio-economic context, the corporate structure, as well as the risks for the rights and freedoms of data subjects.

In this case, this premise appears necessary in consideration of the circumstance that the examination of the defence briefs and the documentation provided by E.ON shows an incomplete assimilation of the rationale and scope of these obligations.

The circumstances of the proceedings, in fact, while on the one hand giving the picture of a corporate organization sensitive to the matter, which, as will be discussed in more detail below, has implemented a series of measures and is still called upon to implement others, on the other hand have highlighted that the controller provided declarations that were later retracted, and produced incomplete and unfilled forms, most of which lacked temporal references.

This conduct in fact does not meet the burden of demonstrating that the measures and actions for implementing the legislation, even if partly theoretically foreseen, were then actually implemented and subjected to periodic monitoring and updating.

On the merits, then, with reference to both complaints, the violation of arts. 5, 6, 7 and 24 of the Regulation, as well as art. 130 of the Code, appears fully confirmed, for having carried out telemarketing activities in conflict with the principles of lawfulness and accountability, in the absence of an appropriate legal basis and by implementing technical and organizational measures that are not adequate to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation.

In fact, with respect to the so-called digital promotional campaigns, the processing of personal data collected through online forms cannot be considered legitimate, in the absence of the implementation of suitable measures to verify the source and identity of the person providing the information. This defect, inherent in the original collection of the data, inevitably also has repercussions on subsequent processing operations carried out on the same personal data.

It should be noted, however, that in the absence of the aforementioned measures, these types of online forms could be surreptitiously exploited to make outbound contacts under the guise of requests for recontact from the interested party.

In other words, the entry of personal data obtained unlawfully or without consent into online forms would end up conferring an appearance of lawfulness on the processing of personal data and contact lists of illicit origin, effectively creating an inadmissible laundering of personal data and fuelling the murky undergrowth of telemarketing.

Moreover, given the pervasive use of this type of form and social platforms, the interested parties reached by unwanted promotional contacts made in the interest of E.ON, similarly to what happened in the case of today's complainant, could have been very numerous.

In this regard, while appreciating the economic and time costs that the implementation of such measures entails - which the Company has also mentioned - it should be noted that such measures not only constitute the result of the due balance between freedom of enterprise and the right to privacy, but at the same time prove useful for the controller, since they allow the lawfulness and accuracy of the data to be preserved and recontact campaigns to be carried out only towards users who are actually interested in the services offered.

Likewise, the circumstances that emerged in relation to the recontact methods that are the subject of complaint no. 367993 also confirm the existence of the violations contested in relation to arts. 5, 6, 7 and 24 of the Regulation, as well as art. 130 of the Code, since on the one hand they have revealed the disorderly management of the processes for collecting consent to processing for marketing purposes and for uploading contracts to company systems, and on the other hand the findings provided have highlighted an incomplete assimilation of the legislation in relation to so-called customer caring contacts.

In this regard, E.ON has specified that the so-called customer caring campaigns are aimed exclusively at obtaining confirmation that the requested services are in line with the customer's expectations. However, leaving aside the observation that the insistence and frequency of the contacts suggest a secondary commercial purpose, even these types of contact, regardless of the means used (telephone, email, text message), must be carried out preserving the data subject's right to object and above all be contained within reasonable limits of time and number of attempts. In the absence of such precautions, the carrying out of these recontact campaigns results in an unacceptable invasion of the customer's personal sphere.

In the case of complaint no. 367993, however, by the Company's own admission, four attempts to contact the interested party were made in the space of two weeks and just under twenty communications (emails and text messages) in the space of four months following activation.

The findings provided by the Company also confirm the violation of the obligations incumbent on the data controller with reference to the actions of the subjects who process personal data on behalf of E.ON, as interpreted also in light of the more general principle of accountability.

In this regard, first of all, it is noted that the retraction carried out during the proceedings - with respect to the subject to whom the alleged human error that would have caused the occurrence of the contested violations is attributed - denotes, in itself, an incomplete mastery of the company flows and the processing carried out.

Correct management of the processing chain, in fact, presupposes that the data controller can effectively and easily reconstruct roles and responsibilities, especially where the investigation concerns the routine and ordinary management of customers and so-called prospects.

Furthermore, with respect to the fulfillment of the obligations incumbent on the data controller pursuant to art. 28 of the Regulation (so-called culpa in eligendo and culpa in vigilando), both with reference to XX and to the more general practice of selecting and monitoring suppliers, the investigation carried out shows, on the one hand, the omission of measures to ensure the selection of partners who present sufficient guarantees to implement adequate technical and organizational measures so that the processing satisfies the requirements of the Regulation and guarantees the protection of the rights of the interested party, and on the other hand, the omission of control and supervision over the personal data processing activities carried out by these entities on behalf of the Company.

In fact, with respect to the process of selecting and contracting suppliers, E.ON limited itself to providing a brief management scheme, without date or company references, and a template of appointment as data processor, the last update of which dates back two years. Likewise, with respect to monitoring the work of suppliers, the Company merely mentioned the use of checklists.

However, such submissions and documents in fact denote a tendency to fulfil such obligations merely formally, without a sufficiently efficient and structured process that allows suppliers with adequate skills in privacy matters to be selected ex ante and their work to be supervised and monitored ex post.

The events that are the subject of the complaints and the findings provided by the Company confirm, instead, the failure to fulfil the obligations relating to the appointment, management and training of the subjects operating within the controller's organization who carry out personal data processing.

According to the thesis put forward by the Company, such episodes should be attributed to alleged human errors, which occurred despite the implementation of technical and organizational measures such as internal training on privacy matters and the provision of documented instructions.

However, the absence of any documentary evidence capable of proving that such training was actually delivered, together with the provision of generic and dated instructions, assessed in the context of the admitted incorrect management of both episodes that are the subject of the complaints, suffice to demonstrate the violation of the provisions of art. 2-quaterdecies of the Code, as interpreted also in relation to art. 5 of the Regulation.

On this point, in fact, it is observed that, regardless of the circumstance that the controller has provided only an instruction form without elements capable of proving its actual use, the document in question contains dated references (i.e. references to sensitive data and to the figure of the data controller) and is above all devoid of any customization and/or distinction with respect to the tasks actually performed, the categories of data processed and the specific risks for the rights and freedoms of data subjects.

For the reasons just stated, the violation of arts. 12 and 15-22 of the Regulation is also confirmed, since the human error invoked by the Company cannot have any exculpatory effect.

On this point, the exception advanced by E.ON in relation to the circumstance that the interested party had in any case obtained a telephone clarification in relation to the methods of collection of her personal data cannot be accepted. The complainant's request advanced pursuant to articles 15 et seq. of the Regulation, in fact, had been forwarded at a time subsequent to the telephone clarification provided by Customer Care and was aimed at obtaining more specific and detailed information.

It follows that the controller was required to provide the requested response in the manner and within the terms set out in art. 12 of the Regulation, since the exception for manifestly unfounded or excessive requests cannot be applied for the reasons just illustrated.

Moreover, pursuant to art. 15 of internal Regulation no. 1/2019, complaints regarding rights must be accompanied by the requests previously addressed to the controller and any response obtained, so that this obligation in this case constituted a requirement for the receivability and admissibility of the complaint.

In conclusion, E.ON's liability must be definitively confirmed for all the violations contested.

4. CONCLUSIONS

For the above reasons, E.ON's liability is deemed to be established for the following violations:

- arts. 5, 6, 7 and 24 of the Regulation, as well as art. 130 of the Code, for having processed personal data in conflict with the principles of lawfulness and accountability, in the absence of an appropriate legal basis and by implementing technical and organizational measures that are not adequate to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation;

- arts. 24 and 28 of the Regulation, also in relation to art. 2–quaterdecies of the Code, for having processed personal data using internal and external parties to the company organization, in violation of the obligations incumbent on the data controller in order to identify, train, direct and monitor the work of the designated parties;

- articles 12 and 15 to 22 of the Regulation for the failure to implement company procedures and measures suitable for ensuring adequate and timely response to requests to exercise rights by interested parties.

Having also ascertained the unlawfulness of the Company's conduct with reference to the processing under examination, it is necessary to:

- impose on E.ON, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of any further processing of the complainants' personal data;

- order E.ON, pursuant to art. 58, par. 2, letter d) of the Regulation, to update the forms needed to authorize the processing of personal data by persons operating under its direct authority, pursuant to art. 2-quaterdecies of the Code;

- adopt an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application to E.ON of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5, of the Regulation.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application to E.ON of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5 of the Regulation (payment of a sum of up to € 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous financial year, if higher).

To determine the maximum statutory fine of the pecuniary sanction, it is therefore necessary to refer to the turnover of E.ON, as obtained from the latest available financial statements (December 2023) in accordance with the previous provisions adopted by the Authority, and therefore this maximum statutory fine is determined, in the case in question, at € 89,273,777.20.

To determine the amount of the sanction, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the case in question, the following are relevant:

1) as an aggravating factor, pursuant to art. 83, par. 2, letter a) of the Regulation, the seriousness of the violations, taking into account the object and purposes of the data processed, attributable to the overall phenomenon of telemarketing, in relation to which the Authority has adopted, in particular in the last five years, numerous measures that have fully examined the multiple critical elements, providing controllers with numerous indications to adapt the processing to the legislation in force and to mitigate the impact of nuisance calls on data subjects;

2) as a mitigating factor, pursuant to art. 83, par. 2, letter a) of the Regulation, the degree of cooperation with the Supervisory Authority, also by virtue of the commitment made to improve, already during the procedure, the company's compliance with the legislation on the protection of personal data.

Based on the set of elements indicated above and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and the freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction of the payment of a sum of €892,738.00 should be applied to E.ON, equal to 0.04% of the turnover and 1% of the maximum sanction established by law.

In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, taking into account the nature of the processing and conduct of the Company, as well as the elements of risk for the rights and freedoms of the interested parties.

In implementation of the principles set out in art. 83 of the Regulation, the imposition of this accessory sanction appears reasonable and proportionate in relation to the seriousness and the particular disvalue of the conduct subject to censure, especially with regard to the critical issues found in relation to the implementation of the so-called digital campaigns.

On this point, the peculiar seriousness inherent in the use of recontact forms in order to confer an appearance of legality to the personal data acquired illegally is highlighted and at the same time also attributable to the vast audience of interested parties involved, by virtue of the widespread and pervasive use of social platforms.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) imposes on E.ON, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of any further processing of the personal data of the complainants;

b) orders E.ON, pursuant to art. 58, par. 2, letter d) of the Regulation, to update the forms used to authorize the processing of personal data by persons operating under its direct authority, pursuant to art. 2-quaterdecies of the Code;

c) orders E.ON, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation.

ORDER

to E.ON Energia S.p.A., in the person of its legal representative pro-tempore, with registered office in Milan (MI), Via dell’Unione n. 1, VAT number 03429130234, to pay the sum of Euro 892,738.00 (eight hundred and ninety-two thousand seven hundred and thirty-eight/00) as an administrative pecuniary sanction for the violations indicated in the grounds, noting that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by complying with the provisions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €892,738.00 (eight hundred and ninety-two thousand seven hundred and thirty-eight/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.

ORDERS

a) the publication of this provision, pursuant to art. 154-bis of the Code and 37 of Regulation no. 1/2019, as well as the application of the accessory sanction of the publication on the website of the Guarantor of this injunction order, as provided for by art. 166, paragraph 7 of the Code and 16 of the Guarantor Regulation no. 1/2019;

b) the annotation of this provision in the internal register of the Authority - provided for by art. 57, par. 1, letter u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor - relating to violations and measures adopted in accordance with art. 58, par. 2, of the Regulation itself.

Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 27 November 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE GENERAL SECRETARY
Mattei

SEE ALSO Newsletter of 31 January 2025


[web doc. n. 10097012]

Measure of 27 November 2024

Register of measures
n. 736 of 27 November 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councillor Fabio Mattei, general secretary;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter “Code”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000, adopted with resolution of 28 June 2000;

REPORTER the lawyer Guido Scorza;

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

1.1. Introduction

With deed dated 13 August 2024, no. 98907 (notified on the same date by certified email), which must be considered fully referenced and reproduced here, the Office initiated, pursuant to art. 166, paragraph 5, of the Code, a proceeding for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation against E.ON Energia S.p.A. (hereinafter “E.ON” or “Company” or “Controller”), in the person of its legal representative pro-tempore, with registered office in Milan (MI), Via dell’Unione n. 1, VAT number 03429130234.

The proceeding originates from an investigation initiated by the Authority following the receipt of two separate complaints filed against E.ON. More specifically, with complaint no. 352614 the data subject complained about the receipt of unwanted calls made in the interest of the Company and the failure to respond to the request to exercise the rights pursuant to Articles 15 et seq. of the Regulation. With complaint no. 367993 the data subject reported the receipt of numerous promotional calls from E.ON made in conjunction with the activation of two energy supplies and that, by the Company's own admission, when uploading the contract to the company systems, the consents granted pursuant to the legislation on the protection of personal data had been recorded in a manner different from that stated in the contract.

1.2. Requests for information formulated by the Authority

1.2.1. The request for information relating to complaint no. 352614

With a complaint dated 13 March 2024 (see prot. no. 31258), the complainant complained about E.ON's failure to respond to a request to exercise the rights pursuant to arts. 15 et seq. of EU Regulation 2016/679 made on 22 January 2024. The request followed the receipt of a promotional call made in the name and on behalf of the aforementioned Company, during which the data subject became aware that E.ON was in possession of her personal and contact details, including her institutional email address. During the telephone conversation, the operator reported that the contact had been requested by the data subject herself by joining an advertising campaign carried out via Facebook, whereas she pointed out that she had never activated any account on that social platform.

Having examined the complaint and all the documentation attached thereto, with a note dated 29 March 2024 (see Prot. no. 39774), the Office notified the Company of a request for information pursuant to art. 157 of the Code, inviting E.ON to provide its observations in relation to what was represented therein and to communicate whether it intended to adhere to the complainant's requests.

Subsequently, having acknowledged that due to a mere material error the communication had not reached the Company's address, with a note dated 27 May 2024 (see Prot. no. 64326) the Office reiterated the request.

Thus, with a reply dated 14 June 2024 (see Prot. no. 73277 of 17 June 2024), E.ON preliminarily stated that «The Complainant's request to exercise the rights regarding the protection of personal data followed a telephone contact by the same with E.ON staff who, already on 18 January 2024, offered the same some information regarding the personal data processing activities carried out by E.ON: more specifically, during this telephone conversation the Complainant was informed by telephone of the fact that her personal data had been collected following a Facebook campaign which concluded with the possibility of filling out an online form to express interest in the products and services of the Company and to request a telephone contact with E.ON staff for more information on the same».

On this point, the Company also highlighted that «on the basis of agreements relating to the conditions on advertisements to acquire new customers on the Facebook platform, E.ON launched the “ClimaSmart Climatizzatore” advertising campaign to promote its products and services. The campaign included the optional completion of an online form on the Facebook platform in which to enter personal data (name, surname, email and telephone number) and express or deny consent. The Complainant’s personal data were transmitted to the company CRM via API and then processed by E.ON staff, with the purpose of contacting the interested party again».

In light of the aforementioned findings, in the Company’s opinion, the complainant’s data had likely been entered into the form in question by a third party and without the interested party’s authorization.

As for the failure to respond to the request to exercise the rights referred to in Articles 15 et seq. of the Regulation submitted by the complainant, E.ON noted that this omission had been caused by a human error committed by the supplier XX, which the Company uses for "the digitalization of some processes, and, in general, for the scanning of registered letters which are subsequently indexed and transmitted to the competent company functions. In this case, the paper mail management flow did not operate correctly and this resulted in the failure to upload the digitalized document with the Complainant's request".

With reference to the more general management of requests to exercise rights, the Company highlighted that it had made available to interested parties «a series of dedicated channels to allow easy exercise of privacy rights, as also indicated in the privacy policy published on the site, in section 11 How to exercise rights (https://www.eon-energia.com/informazioni-utili/informativa-privacy.html)», that it had implemented specific internal procedures for managing requests, as well as providing for the organization of «periodic training sessions, in person and with digital platforms, both for employees and for the sales network, customizing the contents and always giving great importance to the correct management of personal data».

Finally, with the same note of 14 June 2024, the owner provided feedback to the complainant's requests to exercise her rights. The complainant did not avail herself of the right to submit further observations and/or requests.

1.2.2. The request for information relating to complaint no. 367993

With a complaint dated 2 May 2024 (see Prot. No. 53146), the interested party represented that she had signed two contracts for the supply of electricity and gas with E.ON Energia in November 2023. The complainant complained that starting from 22 November 2023, she had been the recipient of a multitude of unwanted promotional telephone calls from "the most diverse companies intending to offer her various services and products". Taking into account that the telephone calls had started precisely in conjunction with the activation of supplies by E.ON, the interested party attributed these contacts to an illicit transfer of her personal data to third parties carried out by the Company.

Thus, on 29 February 2024, the complainant had contacted the owner in order to obtain documentary evidence of the consents given in relation to the processing of her personal data.

From the documentation submitted by the complainant, it emerged that E.ON had responded to the applicant on 27 March 2024, stating that "during the implementation of the contracts in question on our systems, the privacy consents were reported, due to a mere material error, in a manner different from the authorizations you issued during the stipulation phase". On the same occasion, the Company reassured the complainant by stating that it had recorded the denial on its systems.

Nonetheless, the interested party had continued to receive multiple promotional contacts; therefore, on 7 April 2024, she contacted the owner again, asking it to "promptly take action so that those to whom you have provided my personal data no longer allow themselves to call me", but the Company did not provide any feedback.

In the complaint, the interested party also stated that the receipt of numerous unwanted phone calls was creating a series of inconveniences in her personal and professional life, also by virtue of the public office she held in the past (see «(…) she confesses to feeling very uncomfortable and ethically conflicted in deciding whether or not to answer these mobile numbers: in fact, they could be from normal citizens who actually want to talk to her. For these reasons, she often calls the same numbers to make sure they do not really belong to them» and again «Please take into account that the facts in the narrative have significantly lowered the representative's quality of life, creating considerable physical and psychological stress. Among other things, the phone calls also arrive during moments of rest, such as in the early afternoon»).

Thus, having examined all the circumstances deduced and attached to the complaint, with a note dated 27 May 2024 (see Prot. no. 64362), the Office notified the Company of a request for information pursuant to art. 157 of the Code, inviting E.ON to provide its observations in relation to what was represented therein and to communicate whether it intended to adhere to the complainant's requests.

Subsequently, with a reply dated 14 June 2024 (see Prot. no. 73269 of 17 June 2024), the Company represented that following the receipt of the requests transmitted by the complainant between the end of February 2024 and the beginning of April 2024, "E.ON's Customer Service accessed the Company's IT systems and verified that, due to a mere material error, during the transcription of the Complainant's data on E.ON's CRM Salesforce management system, the consents released by the Complainant had been inverted with respect to those released during the activation phase of the services, resulting, therefore, in the systems recording a consent released for the transfer of data to E.ON's commercial partners and not the one for the customization of the offers provided during the activation phase of the services. The Customer Service then immediately corrected and updated the Complainant's privacy preferences and communicated this to the Complainant", reiterating that the personal data in question had not "been shared with partners or third parties for their own marketing or co-marketing purposes".

The Company also specified that it had contacted the Complainant on 8 November 2023 in order to formalize the service supply contracts and that it had attempted a further contact (so-called "caring call") after the invoices for the services provided had been issued, when the consent for "sending communications of initiatives, commercial offers, questionnaires, surveys, polls and market research through ordinary letters and/or telephone calls, e-mails, SMS, MMS, notifications and newsletters" was still recorded in E.ON's systems.

As for the contacts useful for exercising rights, E.ON highlighted that «(…) the privacy policy can be found in the “Privacy and Governance” section in the footer of the Site (https://www.eon-energia.com/). The policy has a section specifically dedicated to the “Methods of exercising rights”, in which the various channels established to facilitate the exercise of rights by interested parties are reported (…)».

Finally, with reference to the measures adopted in relation to the performance of telemarketing activities towards the so-called prospects, E.ON declared that «the supplier database on which the Company relies is filtered by eliminating customers already present in the E.ON customer base. Every 15 days a “prospect” list is created for each teleseller. Before sending, all the lists are cross-referenced with the public register of objections to eliminate from the lists the customers who are registered there. Following the outcome of the verification, the list of contactable subjects (therefore not present in the Company's customer base and not registered in the opposition register) is sent via the system called SafeFileTransferProtocol (sftp), one dedicated to each partner. Contact attempts take place in the following 15 days. After 15 days, the lists are again deposited in sftp to return them to the supplier».

By contrast, with respect to customers already present in the customer base, E.ON noted that "periodically (usually once a month) a list of contacts chosen from customers who had provided consent to marketing activities is sent to telesellers. Contact attempts are made within the following month. After the month, customers are classified as not contactable for a subsequent specific period of time".

Finally, the complainant, availing herself of the powers recognized by the legal system, with a note dated 26 June 2024 (see Prot. no. 78686 of 27 June 2024) reiterated the receipt of numerous promotional calls and highlighted that, although she had had the same telephone number for more than twenty years, before then she had never received so many promotional calls.

1.3. The consolidation of the proceedings

Considering that the complaints in files nos. 352614 and 367993 are addressed to the same owner and concern issues of the same nature, in order to promote their organic examination and implement the principles of economy and speed referred to in art. 9 of the internal regulation no. 1/2019 (in www.gpdp.it, web doc. n. 9107633), it was deemed appropriate to handle the complaints jointly pursuant to and for the purposes of the subsequent art. 10 of the same regulation.

In this case, moreover, joint handling appeared more suitable to guarantee the right of defense and the need not to aggravate the procedure, also in terms of the lower expenditure of time and resources that it entails for the data controller.

1.4. Contestation of violations

The Office, following the investigation, adopted the above-mentioned contestation act no. 98907/24 in which, first of all, it was observed that from the findings and the documentation acquired as a whole, a lack of awareness on the part of the Company seemed to emerge with regard to the obligations incumbent on the data controller as established by the legislation in force on the protection of personal data and, more specifically, by the principle of so-called accountability pursuant to Articles 5, paragraph 2 and 24 of the Regulation.

In fact, in the context of the feedback provided to the Authority's requests, the Company had limited itself to attributing the conduct that was the subject of the complaint to third parties or to errors committed by its collaborators and commercial partners, as if they could constitute an exemption from any liability, without fulfilling the burden of attaching and demonstrating that it had adopted all the measures prescribed by law to avoid incurring such violations.

Furthermore, from the elements that emerged during the investigation, it seemed that E.ON could be attributed with carrying out telemarketing and teleselling activities in the absence of an appropriate legal basis and therefore in violation of Articles 5, 6 and 7 of the Regulation and Article 130 of the Code.

With specific reference to the promotional activities carried out through social channels, in fact, it emerged that the Company had used the complainant's personal data without adopting adequate measures to verify their legitimate origin, nor the identity of the subjects who provided them.

Further critical profiles had also emerged in relation to the processing of customers' personal data for marketing purposes, with particular reference to the procedures for acquiring and managing consents given by the interested parties.

With reference to complaint no. 367993, E.ON had attributed the conduct at issue to a mere human error in the recording of consents. But this statement revealed a twofold order of critical issues. On the one hand, in fact, these statements denoted the failure to implement suitable measures to verify and ensure the correspondence between the consents given by the interested parties and the information recorded on the company systems, thus resulting in telemarketing activities being carried out in the absence of an appropriate legal basis.
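The list-filtering flow E.ON described in section 1.2.2 and the consent-correspondence check whose absence is contested here, modelled as an added Python example (not E.ON's code; the purpose identifiers, phone numbers and records are constructed): it filters a supplier list against the customer base and the opposition register, enforces the 15-day contact window, and refuses to call a customer while the consents recorded in the CRM disagree with those in the signed contract.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Consent purposes named in the decision; the identifiers are constructed.
MARKETING = "marketing_communications"        # letters, calls, e-mail, SMS, newsletters
CUSTOMIZATION = "offer_customization"
TRANSFER = "transfer_to_commercial_partners"


def normalize_number(raw: str) -> str:
    """Canonical digit string, so a cross-check against the opposition register
    does not miss a number only because it is written with +39, spaces or dots.
    Assumes Italian numbers: a leading +39 / 0039 country code is dropped."""
    s = raw.strip()
    if s.startswith("+39"):
        s = s[3:]
    elif s.startswith("0039"):
        s = s[4:]
    return re.sub(r"\D", "", s)


def build_prospect_list(supplier_db, customer_base, opposition_register):
    """Prospect list as the decision describes it: supplier numbers minus existing
    customers minus numbers registered in the public opposition register (RPO).
    Returns canonical numbers, deduplicated, in supplier order."""
    customers = {normalize_number(n) for n in customer_base}
    opposed = {normalize_number(n) for n in opposition_register}
    out, seen = [], set()
    for raw in supplier_db:
        n = normalize_number(raw)
        if n in seen or n in customers or n in opposed:
            continue
        seen.add(n)
        out.append(n)
    return out


def prospect_contact_allowed(sent_on: date, today: date, window_days: int = 15) -> bool:
    """Contact attempts are allowed only in the 15 days after the list was sent;
    afterwards the list is returned to the supplier and must not be used."""
    return sent_on <= today < sent_on + timedelta(days=window_days)


@dataclass(frozen=True)
class ConsentRecord:
    source: str      # "contract" (signed by the data subject) or "crm"
    consents: dict   # purpose -> True/False


def reconcile_consents(contract: ConsentRecord, crm: ConsentRecord) -> dict:
    """Purposes on which the CRM disagrees with the signed contract. A non-empty
    result is exactly the condition contested by the Office: consents recorded
    in the systems differently from what the data subject actually granted."""
    purposes = set(contract.consents) | set(crm.consents)
    return {
        p: {"contract": contract.consents.get(p, False), "crm": crm.consents.get(p, False)}
        for p in purposes
        if contract.consents.get(p, False) != crm.consents.get(p, False)
    }


def customer_contact_allowed(contract: ConsentRecord, crm: ConsentRecord,
                             purpose: str = MARKETING):
    """A customer may be called for a purpose only when the contract and the CRM
    both record consent. A mismatch blocks the call and is returned for
    correction, instead of trusting the CRM value alone as happened in the case."""
    mismatch = reconcile_consents(contract, crm)
    if mismatch:
        return False, "consent mismatch, correct CRM before contact: " + ", ".join(sorted(mismatch))
    if not crm.consents.get(purpose, False):
        return False, "no consent for " + purpose
    return True, "ok"


# Constructed sample data (not real numbers or records).
SUPPLIER_DB = ["+39 340 1111111", "340 2222222", "0039 340.3333333", "3401111111"]
CUSTOMER_BASE = ["3402222222"]
OPPOSITION_REGISTER = ["+39 3403333333"]
CONTRACT = ConsentRecord("contract", {MARKETING: True, CUSTOMIZATION: True, TRANSFER: False})
CRM_INVERTED = ConsentRecord("crm", {MARKETING: True, CUSTOMIZATION: False, TRANSFER: True})

if __name__ == "__main__":
    print(build_prospect_list(SUPPLIER_DB, CUSTOMER_BASE, OPPOSITION_REGISTER))
    print(reconcile_consents(CONTRACT, CRM_INVERTED))
    print(customer_contact_allowed(CONTRACT, CRM_INVERTED))
```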

On the other hand, what happened seemed to presuppose the failure to fulfill the obligations under art. 2-quaterdecies of the Code on the identification, training, direction and monitoring of the subjects within the organization of the owner who carry out personal data processing in the name and on behalf of the Company.

Furthermore, the statements provided on the failure to respond to the request to exercise the rights referred to in file no. 352614, attributed to an error committed by a commercial partner, also suggested a violation of the obligations incumbent on the owner pursuant to art. 28 of the Regulation (so-called culpa in eligendo and culpa in vigilando).

The Office therefore contested E.ON with the following hypotheses of violation:

a) arts. 5, 6, 7 and 24 of the Regulation, as well as art. 130 of the Code, for having processed personal data in conflict with the principles of lawfulness and accountability, in the absence of an appropriate legal basis and by implementing technical and organizational measures that are not adequate to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation;

b) arts. 24 and 28 of the Regulation, also in relation to art. 2-quaterdecies of the Code, for having processed personal data using subjects internal and external to the company organization, in violation of the obligations incumbent on the data controller to identify, train, direct and monitor the work of the designated subjects;

c) arts. 12 and 15-22 of the Regulation for the failure to implement company procedures and measures suitable for ensuring adequate and timely response to requests to exercise rights by interested parties.

2. THE DEFENSE OF THE OWNER

The party did not avail itself of the right to be heard by the Authority, but presented its briefs and defense documentation pursuant to art. 166, paragraph 6 of the Code and art. 13 of internal regulation no. 1/2019 (see Prot. no. 107276 of 12 September 2024).

In the defense brief just mentioned, first of all with reference to complaint no. 352614, E.ON indicated the measures implemented in order to improve the level of corporate compliance in the management of digital campaigns. More specifically, based on the new system, "those who fill out the online form with the request to be contacted to receive information on the E.ON product/service will be sent an email with which they can confirm their data and the will expressed online". The numbers will also be subjected to verification at the RPO (the public opposition register) before contact and in any case "before data collection, via the online form, an ad hoc information notice will be issued with respect to this processing activity and the flow described above (completion of the online form, sending of a recap email and confirmation of data and desire to contact, telephone contact by E.ON), while the right of the interested parties to revoke the interest expressed and confirmed, according to the above procedure, before the actual contact by E.ON will always remain valid, being able to use the channels for exercising the rights made available by the Company".

With regard to complaint no. 367993, E.ON disavowed the telephone contacts that were the subject of the complaint, reiterating that it had not communicated the complainant's data to third parties and specifying, however, that it had contacted her «for two purposes: a first call (successful) was made to formalize the contracts, while the other attempts at telephone contact occurred between the beginning of January and the beginning of February to make the so-called "first bill caring call". In fact, having not reached the Customer on the first attempt, as required by procedure, three further attempts were made, all recorded with a negative outcome ("no answer" or "failed", attachment 1) when, moreover, Mrs. XX had not revoked her consent to E.ON's marketing activities validly expressed (both in the electricity contract and in the gas supply contract - see attachments 2 of the reply notes of 14 June 2024 to note Prot. no. 64362) and correctly recorded in the E.ON systems».

On the same occasion, the Company also specified that «this type of so-called “caring” call is aimed exclusively at obtaining confirmation that the requested services are in line with the Customer's expectations, both from an economic point of view and in terms of clarity of the information provided during the activation and subscription phase of the same. In the event of a negative outcome of the “caring” call, the contact is recorded as “unavailable” (…) and excluded from subsequent telephone contacts».

The Company then observed that the circumstance declared by the interested party, regarding the fact that the calls at issue were aimed at the marketing of water purifiers, not marketed by the Company, was sufficient to demonstrate that the contacts in question were not attributable to E.ON (see the email of 29 April 2024 attached to the complaint).

With regard, instead, to the communications sent by E.ON, the Company noted that during the activation of the services, the complainant had given valid consent for the processing of personal data for marketing purposes to be carried out through ordinary letters and/or telephone calls, e-mails, SMS, MMS, notifications and newsletters.

E.ON also highlighted that «according to E.ON's technical and organizational measures, the personal data of E.ON customers are not accessible to unauthorized third parties; there are no integrations and automatisms that allow "open" access to the database (CRM) towards systems external to the Company and for sharing personal data with third parties for marketing purposes; there are no unauthorized or illicit accesses to E.ON's IT systems containing personal data of its customers, including those of the complainant».

On this point, the Company noted that the phenomenon of suspicious calls is attributable to third parties with respect to the company organization and who act illegally, highlighting the commitment made to combat the phenomenon and raise awareness among users.

With reference, instead, to the methods of uploading contracts to the company systems, E.ON highlighted that although the services in favor of the complainant were activated with the traditional management flow and therefore with the involvement of personnel appointed by the Company, currently «an activity of digitalization of the user acquisition processes is underway through the use of tablets and dedicated apps, which allow the user to directly register their wishes on E.ON's IT systems».

Furthermore, in order to «guarantee and increase the quality of the acquisition phase of the commercial activities of the various sales channels, the Acquisition Quality Committee has also been established, which, among its main activities, also deals with: (i) monitoring and controlling the implementation of the resolutions and provisions of the competent authorities regarding unsolicited contracts/services/activations; (ii) controlling and verifying the effectiveness of the operating procedures implemented to satisfy the aforementioned resolutions and measures adopted by the Company; (iii) making communications (such as reports, formal notices, etc.) to channels, sellers, trade associations, regulatory bodies and other interested parties with reference to issues relating to acquisition processes, (iv) cooperating with the various company departments so that the company procedures for the correct processing of personal data are implemented».

In addition, still in relation to the complaints in complaint no. 367993, E.ON reiterated that the unwanted contacts are attributable to the conduct of third parties outside the company structure and that it cannot be excluded that the complainant's data are in the possession of other data controllers, since the public role held in the past by the same «may have led her to provide various parties with her personal data in the more than twenty years since she has owned the number».

Finally, the Company represented the efforts made in order to prevent the occurrence of human errors also «through the provision of training courses, the assignment of specific privacy authorization tasks for company personnel, the issuing of specific instructions, the use of tablets and apps». 

As for the measures adopted in implementation of the principle of so-called accountability, the Company has declared that it has adopted the following measures: «- a data protection management system (“DPMS”), subject to constant updating, which includes, among others, guidelines and procedures for managing requests from interested parties and managing data breaches, information pursuant to Articles 13 and 14 of the Regulation, tools (such as the Assessment of Data Protection Risks for risk assessment activities pursuant to the Regulation); - the appointment of a DPO for the Italian E.ON companies, who supports and also works in coordination with the other supervisory bodies identified (including the Cyber Security Manager); - the identification of internal figures with specific duties and delegations in terms of privacy, including data privacy coordinators (some company managers who deal mainly with privacy issues), and data protection experts who work in close coordination with the competent IT figures and the Information Security Officer; - procedures, processes and checklists for the accreditation of third parties (e.g.: cyber security checklist, procurement process, Annex 5); - template of contracts for the processing of personal data for the management of privacy relationships with the subjects who qualify as data controllers containing the elements pursuant to art. 28 of the Regulation and indications on the technical and organizational measures guaranteed by the controller (Annex 6); - authorizations with instructions on the protection of personal data for E.ON personnel during the hiring phase (Annex 7); - the adoption of a package of guidelines (so-called People Guidelines) that indicate in concrete terms how to act on various occasions, among which there are also Data Protection guidelines (Annex 8) and Information security (Annex 8bis) which are in fact instructions for company personnel; - authorizations for those who fall into the role of system administrators (Annex 9); - privacy training procedures for company personnel; - registers of personal data processing activities; - internal checks on the correct application of the procedures and the GDPR in internal processes».

E.ON then contested the groundlessness, the generic nature and the lack of evidence in relation to the contested violation of art. 2-quaterdecies of the Code, reiterating that the Company organizes periodic training sessions, both in person and remotely, aimed at employees and the sales network. More specifically, the Company has declared that company policies require that personnel take training courses on privacy "during the hiring phase (delivered through an e-learning platform) and during the relationship, (the second training generally takes place after the first quarter) ad hoc training sessions are organized by the Legal & Compliance Department of E.ON Italia S.p.a. (during which privacy roles, the legal bases of processing, the validity requirements of consent, the principles applicable to processing activities, etc. are discussed). Other dedicated training sessions are organized with recurring monthly meetings, with the staff of the offices and departments that more than others carry out personal data processing activities, such as those dealing with sales and customer care, with whom further information and instructions are shared (for example, regarding the privacy policies to be used, the consents to be enhanced in company systems, the management of requests from interested parties). The training material is then always accessible on the company intranet where the policies, procedures, policies, guidelines and other elements that are part of the so-called corporate Data Protection Management System can be consulted».

Furthermore, the staff receives a specific designation, also containing instructions on the processing of personal data and the company policies are always accessible from the intranet. Each employee, moreover, receives a personalized authorization profile based on the tasks performed.

In relation to the contested violation of art. 28 of the Regulation, E.ON noted that it has adopted the following measures: «supplier accreditation procedure; - use of cybersecurity checklists also for checks pursuant to art. 24, 25, 28 and 32 GDPR submitted to suppliers during the engagement phase and during the relationship; - the verification of service contracts with its suppliers also with a focus on privacy, having to ascertain the need or otherwise to conclude a data processing agreement, as well as to correctly define the privacy roles between the parties and adequate audit clauses; - the use of a contract model for the processing of personal data, which contains specific instructions also with respect to the technical organizational measures that the data controller must guarantee; - training of personnel also on the contractualization process that provides for the acceptance of the DPA, with the attached security measures, before the contractualization of the partner».

The Company has also declared that it monitors the work of external managers also during the relationship, for example by updating the agreements concluded pursuant to art. 28 of the Regulation and submitting new and/or additional checklists.

With specific reference to supplier XX, the owner clarified that the same was positively evaluated by virtue of the certifications and accreditations held. E.ON did not deem it appropriate to adopt disciplinary actions against this Manager since «following further internal checks after sending the reply notes of 14 June, it was ascertained that the failure to respond to Mrs. XX's request must be attributed to a material error by E.ON staff and not by the external supplier. More specifically, it was ascertained that the registered letter to exercise the rights was not delivered to the Customer Care office, responsible for managing complaints from interested parties, but to a different department that was unable to index and promptly address the request as the registered letter had a generic recipient». In this regard, the Company highlighted that this was an isolated case due to an error, which could not be avoided, despite the application of technical and organizational measures by the Company.

Likewise, the failure to respond to the request to exercise the rights pursuant to articles 15 et seq. of the Regulation (see complaint no. 352614) - with respect to which the Company reiterated that the interested party had also received information and clarifications during the telephone conversation with Customer Care - according to the owner's thesis must be attributed «to a human error in the process followed for the management of paper mail. However, differently from what has already been reported in the reply notes of 14 June 2024, it is specified that the mistake was made by E.ON staff and not by supplier XX». The Company has specified on this point that the case must be assessed as an exceptional event, which may occur despite the diligence employed and the adoption of the following compliance measures: «1) the implementation of different channels to allow interested parties to easily exercise their rights, 2) the designation of a data protection officer and the assignment of specific privacy duties/roles to E.ON staff (the so-called data privacy coordinators); 3) identifying the subjects responsible for managing requests from data subjects (all privacy complaints are managed by a dedicated team); 4) providing periodic and specific instructions to its staff, through privacy authorizations, training courses, meetings, guidelines, etc., 5) creating a procedure dedicated to managing requests from data subjects, which is part of the E.ON Data Protection Management System available to company staff, 6) creating a company procedure for managing paper mail».

In conclusion, the Company also expressed its intention to «integrate the company procedure for managing paper mail; - conduct further training sessions with company staff to further remind them of the importance of correctly recording the privacy wishes of data subjects and the need to follow company procedures; - continue with the digitalization process through the use of tablets, apps and dedicated portals and overcome analog procedures during which material errors by company staff may occur».

3. AUTHORITY'S ASSESSMENTS

First of all, it should be noted that the allegations and documentation provided by the Company as a whole during the proceedings before the Authority have not allowed the objections raised by the Office to be overcome, nor do they discharge the burden of demonstrating the implementation of adequate measures of compliance with the provisions on the protection of personal data, which falls on the data controller pursuant to the combined provisions of Articles 5, par. 2 and 24 of the Regulation (on this point see Recital 74 of the Regulation, according to which «It is appropriate to establish the general responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf. In particular, the controller should be required to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing as well as the risk to the rights and freedoms of natural persons»).

While it is true that, in line with its European origins, the regulation on the protection of personal data, with some exceptions, does not impose particular formalities, it is equally clear that the data controller must take on the burden of being constantly able to demonstrate compliance with the current legislation.

On this point, the Authority is aware of the difficulty inherent in the absence of formal indicators - for example, of the kind that national civil law imposes when it regulates the essential elements of a legal transaction or the written form ad substantiam - an absence which in fact places a particularly demanding burden on the data controller in choosing the methods and timing of compliance.

However, the absence of particular formalities, while on the one hand it generates greater responsibility for the data controller, on the other guarantees it a wide freedom of action and power of choice.

A logical corollary of this complex reconstruction is that no universal formula can be considered to exist for the correct fulfillment of such obligations and burdens and that, as a result, a case-by-case assessment must be conducted, which also takes into account the socio-economic context, the corporate structure, and the risks for the rights and freedoms of the data subjects.

In this case, this premise appears necessary in light of the circumstance that the examination of the defence submissions and the documentation provided by E.ON reveals an incomplete assimilation of the rationale and scope of such obligations.

In fact, the circumstances in the proceedings, while on the one hand they provide a picture of a corporate organization sensitive to the matter, which, as will be discussed in greater detail below, has implemented a series of measures and is still called upon to implement others, on the other hand have highlighted that the controller provided statements that it later retracted, and produced incomplete and unfilled forms, most of them lacking any date.

This conduct does not discharge the burden of demonstrating that the measures and actions for implementing the legislation, even if partly envisaged in theory, have actually been implemented and subjected to periodic monitoring and updating.

On the merits, then, with reference to both complaints, the violation of Articles 5, 6, 7 and 24 of the Regulation, as well as Article 130 of the Code, appears fully confirmed, for having carried out telemarketing activities in conflict with the principles of lawfulness and accountability, in the absence of an appropriate legal basis and by implementing technical and organizational measures that are not adequate to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation.

In fact, with respect to the so-called digital promotional campaigns, the processing of personal data collected through online forms cannot be considered legitimate, in the absence of the implementation of suitable measures to verify the source and identity of the person providing the information. This flaw, inherent in the original collection of the data, inevitably has repercussions also on subsequent processing operations carried out on the same personal data.

It should be noted, moreover, that in the absence of the aforementioned measures, these types of online forms could be surreptitiously exploited to make outbound contacts under the guise of recontact requests from the data subject.

In other words, the provision of personal data obtained illegally or "not consented" within online forms would end up conferring an appearance of lawfulness with respect to the processing of personal data and contact lists of illicit origin, effectively creating an unacceptable recycling of personal data and fueling the telemarketing undergrowth.

Moreover, given the pervasive use of this type of form and social platforms, the interested parties reached by unwanted promotional contacts made in the interest of E.ON, as happened in the case of today's complainant, could have been very numerous.

In this regard, while understanding the costs in economic and temporal terms that the implementation of such measures entails - which the Company also mentioned - it is noted that such measures not only constitute the result of the due balance between freedom of enterprise and the right to privacy, but at the same time prove useful for the controller, since they make it possible to preserve the lawfulness and accuracy of the data, and to carry out recontact campaigns only towards users actually interested in the services offered.

Likewise, the circumstances that emerged in relation to the recontact methods that are the subject of complaint no. 367993 also confirm the existence of the violations contested in relation to articles 5, 6, 7 and 24 of the Regulation, as well as art. 130 of the Code, since on the one hand they revealed the disorderly management of the processes for collecting consent to processing for marketing purposes and for uploading contracts to company systems, and on the other hand the findings provided highlighted an incomplete assimilation of the legislation in relation to the so-called customer caring contacts.

In this regard, E.ON specified that the so-called customer caring campaigns are aimed exclusively at obtaining confirmation that the requested services are in line with the customer's expectations. But leaving aside the finding that the insistence and frequency of the contacts suggest a secondary commercial purpose, even these types of contact, regardless of the means used (telephone, email, text message), must be carried out preserving the data subject's right to object and above all be contained within reasonable limits of time and number of attempts. In the absence of such measures, the carrying out of these recontact campaigns results in an inadmissible intrusion into the customer's personal sphere.

In the case of complaint no. 367993, however, by the Company's own admission, four attempts to contact the interested party were made in the space of two weeks and just under twenty communications (emails and text messages) in the space of four months following activation.

The findings provided by the Company also confirm the violation of the obligations incumbent on the data controller with reference to the actions of the subjects who process personal data on behalf of E.ON, as interpreted also in light of the more general principle of accountability.

In this regard, first of all, it is noted that the retraction made during the proceedings - with respect to the subject to whom the alleged human error that would have caused the violations is attributed - denotes, in itself, an incomplete mastery of the company workflows and of the processing carried out.

Correct management of the processing chain, in fact, presupposes that the data controller can effectively and easily reconstruct roles and responsibilities, especially in cases where the investigation relates to the ordinary, routine management of customers and so-called prospects.

Furthermore, with respect to the fulfillment of the obligations incumbent on the data controller pursuant to art. 28 of the Regulation (so-called culpa in eligendo and culpa in vigilando), both with reference to XX and to the more general practice of selecting and monitoring suppliers, the investigation carried out shows, on the one hand, the omission of measures to ensure the selection of partners who present sufficient guarantees to implement adequate technical and organizational measures so that the processing satisfies the requirements of the Regulation and guarantees the protection of the rights of the data subject, and, on the other, the omission of control and supervision over the personal data processing activities carried out by such entities on behalf of the Company.

In fact, with respect to the process of selecting and contracting suppliers, E.ON limited itself to providing a brief management scheme, undated and without company references, and a data processor appointment template last updated two years ago. Likewise, with respect to monitoring the work of suppliers, the Company merely mentioned the use of checklists.

However, these allegations and documents in fact denote a tendency to fulfill such obligations merely formally, without a sufficiently effective and structured process that allows, ex ante, the selection of suppliers with adequate skills in privacy matters and, ex post, the supervision and monitoring of their work.

The events that are the subject of the complaint and the findings provided by the Company confirm, instead, the failure to fulfill the obligations relating to the appointment, management and training of the persons who carry out personal data processing within the controller's organization.

According to the thesis put forward by the Company, these episodes should be attributed to alleged human errors, which occurred despite the implementation of technical and organizational measures such as internal training on privacy and the provision of documented instructions.

However, the absence of any documentary evidence proving that such training actually took place, together with the provision of generic and outdated instructions, assessed in the context of the admitted incorrect management of both episodes that are the subject of the complaint, is sufficient to demonstrate the violation of the provisions of art. 2-quaterdecies of the Code, as interpreted also in relation to art. 5 of the Regulation.

On this point, in fact, it is noted that, regardless of the circumstance that the controller provided only an instruction form without elements capable of proving its actual use, the document in question contains outdated references (i.e. to "sensitive data" and to the figure of the "person in charge of processing") and, above all, is devoid of any customization or distinction with respect to the tasks actually performed, the categories of data processed and the specific risks for the rights and freedoms of the data subjects.

For the reasons just stated, the violation of arts. 12 and 15-22 of the Regulation must also be deemed established, as the human error invoked by the Company cannot have any exonerating effect.

On this point, the exception advanced by E.ON in relation to the circumstance that the interested party had in any case obtained a telephone clarification in relation to the methods of collecting her personal data cannot be accepted either. The complainant's request advanced pursuant to art. 15 et seq. of the Regulation, in fact, had been forwarded at a later time than the telephone clarification provided by Customer Care and was aimed at obtaining more specific and detailed information.

It follows that the controller was required to provide the requested response in the manner and within the terms set out in art. 12 of the Regulation, and the exception relating to manifestly unfounded or excessive requests could not be applied either, for the reasons just illustrated.

Moreover, pursuant to art. 15 of internal regulation no. 1/2019, complaints regarding rights must be accompanied by the requests previously addressed to the controller and any response obtained, so that in this case this obligation constituted a precondition for the complaint to be admissible and to proceed.

In conclusion, E.ON's liability for all the contested violations must be definitively confirmed.

4. CONCLUSIONS

In light of the above, E.ON is deemed to be liable for the following violations:

- Articles 5, 6, 7 and 24 of the Regulation, as well as Article 130 of the Code, for having processed personal data in breach of the principles of lawfulness and accountability, in the absence of an appropriate legal basis and by implementing technical and organizational measures that are not adequate to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation;

- Articles 24 and 28 of the Regulation, also in relation to Article 2-quaterdecies of the Code, for having processed personal data using parties internal and external to the company organization, in violation of the obligations incumbent on the data controller to identify, train, direct and monitor the work of the designated parties;

- Articles 12 and 15 to 22 of the Regulation for the failure to implement company procedures and measures suitable for ensuring adequate and timely response to requests to exercise rights by interested parties.

Having also ascertained the unlawfulness of the Company's conduct with reference to the processing under examination, it is necessary to:

- impose on E.ON, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of any further processing of the complainants' personal data;

- order E.ON, pursuant to art. 58, par. 2, letter d) of the Regulation to update the forms useful for authorizing the processing of personal data by persons operating under its direct authority, pursuant to art. 2-quaterdecies;

- adopt an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application to E.ON of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5, of the Regulation.

5. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTIONS

The violations indicated above require the adoption of an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application to E.ON of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5, of the Regulation (payment of a sum of up to € 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous financial year, if higher).

To determine the maximum fine of the pecuniary sanction, it is therefore necessary to refer to the turnover of E.ON, as obtained from the latest available financial statements (December 2023) in accordance with the previous provisions adopted by the Authority, and therefore this maximum fine is determined, in the case in question, at €89,273,777.20.

To determine the amount of the fine, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the case in question, the following are relevant:

1) as an aggravating factor, pursuant to art. 83, par. 2, letter a) of the Regulation, the seriousness of the violations, taking into account the object and purposes of the data processed, attributable to the overall phenomenon of telemarketing, in relation to which the Authority has adopted, in particular in the last five years, numerous provisions that have fully examined its multiple critical aspects, providing controllers with numerous indications on how to adapt the processing to the legislation in force and mitigate the impact of nuisance calls on the data subjects;

2) as a mitigating factor, pursuant to art. 83, par. 2, letter a) of the Regulation, the degree of cooperation with the Supervisory Authority also by virtue of the commitment made in order to improve, already during the procedure, the company's compliance in relation to the legislation on the protection of personal data. 

Based on the set of elements indicated above and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and the freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction of the payment of a sum of €892,738.00 should be applied to E.ON, equal to 0.04% of the turnover and 1% of the maximum sanction.

In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, taking into account the nature of the processing and conduct of the Company, as well as the elements of risk for the rights and freedoms of the interested parties.

In implementation of the principles set out in art. 83 of the Regulation, the imposition of this accessory sanction appears reasonable and proportionate in relation to the seriousness and the particular disvalue of the conduct subject to censure, especially with regard to the critical issues found in relation to the implementation of the so-called digital campaigns.

On this point, the particular seriousness inherent in the use of recontact forms to confer an appearance of lawfulness on personal data acquired unlawfully is highlighted, a seriousness which is at the same time also attributable to the vast audience of data subjects involved, by virtue of the widespread and pervasive use of social platforms.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) imposes on E.ON, pursuant to art. 58, par. 2, lett. f) of the Regulation, the prohibition of any further processing of the personal data of the complainants;

b) orders E.ON, pursuant to art. 58, par. 2, letter d) of the Regulation, to update the forms used to authorize the processing of personal data by persons operating under its direct authority, pursuant to art. 2-quaterdecies;

c) orders E.ON, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation.

ORDERS

to E.ON Energia S.p.A., in the person of its legal representative pro tempore, with registered office in Milan (MI), Via dell'Unione n. 1, VAT number 03429130234, to pay the sum of €892,738.00 (eight hundred and ninety-two thousand seven hundred and thirty-eight/00) as an administrative fine for the violations indicated in the reasons, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by complying with the instructions given and paying, within thirty days, an amount equal to half of the fine imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €892,738.00 (eight hundred and ninety-two thousand seven hundred and thirty-eight/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.

ORDERS

a) the publication of this provision, pursuant to art. 154-bis of the Code and 37 of Regulation no. 1/2019, as well as the application of the accessory sanction of the publication on the website of the Guarantor of this injunction order, as provided for by art. 166, paragraph 7 of the Code and 16 of the Guarantor Regulation no. 1/2019;

b) the annotation of this provision in the internal register of the Authority - provided for by art. 57, par. 1, letter u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor - relating to violations and measures adopted in accordance with art. 58, par. 2, of the Regulation itself.

Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 27 November 2024

THE PRESIDENT
Stanzione

THE REPORTER
Scorza

THE SECRETARY GENERAL
Mattei