Garante per la protezione dei dati personali (Italy) - 9771142: Difference between revisions

From GDPRhub
}}
}}


The Italian DPA sanctions Uber for a total of € 4.240.000 for lack of transparency in the processing of data of over 1.5 million Italian users.
The Italian DPA fined Uber a total of €4,240,000 for violations relating to 1,500,000 data subjects in Italy, including lack of transparency and consent and failure to notify the DPA of a personal data breach.


== English Summary ==


=== Facts ===
The Italian DPA has sanctioned Uber B.V. (UBV), with registered office in Amsterdam, and Uber Technologies Inc (UTI), with registered office in San Francisco, both of which were found responsible for violations committed against over 1.5 million Italian users, including drivers and passengers. Inadequate privacy notice, personal data processed without consent, and failure to notify the Authority were the violations found by the Italian DPA during inspections carried out at Uber Italy srl following a data breach made public by the US parent company in 2017.
The Italian DPA launched an investigation into Uber B.V., with registered office in Amsterdam, and Uber Technologies Inc., with registered office in San Francisco, after the US parent company made public a data breach in 2017. The DPA found that the Dutch company Uber BV and the US company Uber Technologies were joint controllers, each responsible for violating the Italian Privacy Code (the Italian implementation of EU Directive 95/46/EC) against data subjects in Italy.
The security incident, which occurred before the full application of the GDPR, had involved the data of around 57 million users worldwide, and had been sanctioned by the Dutch and British DPA on the basis of their respective national regulations. The personal information processed by Uber concerned personal and contact data (name, surname, telephone number, and e-mail), access credentials to the app, location data (those that appeared at the time of registration), and relations with other users (sharing trips, introducing friends, profiling information).
 
The Authority sanctions the Dutch company Uber BV and the US company Uber Technologies, as joint data controllers, each responsible for violations of the "Privacy Code" committed against Italian users. The sanctions relate in particular to the inadequate privacy notice provided to users (insofar as it lacks an indication of joint ownership of the processing) and 'formulated in a generic and approximate manner' with 'unclear and incomplete information' and 'not easy to understand'. In the notice, in fact, the purposes of the processing were not well specified, the references to the rights of the data subjects were vague and incomplete, and it was not even clear whether users were obliged or not to provide their data, nor what the consequences of a possible refusal would be. Uber, moreover, without having obtained valid consent, processed the data of approximately 1.379.000 passengers by profiling them on the basis of the so-called 'fraud risk', assigning them a qualitative rating (e.g. low) and a numerical parameter (from 1 to 100). Finally, the Corporation had not complied with the obligation to notify the Authority of the processing of data for geolocation purposes, as required by the legislation in force before the new EU Regulation.
During their inspections carried out at Uber Italy srl, the DPA found several violations, including inadequate privacy notice, personal data processed without consent and failure to notify the DPA about the data breach.
In defining the amount of the sanctions, applicable in the same measure of € 2.120.000 to both UBV and UTI, the Authority, in addition to the seriousness of the violations ascertained, also took into account the significant number of people involved and the economic conditions of the company.
 
The security incident, which occurred before the GDPR came into effect, involved the data of around 57 million data subjects worldwide, and had been sanctioned by the Dutch and British DPA on the basis of their respective national regulations. The personal data processed by Uber concerned personal and contact data (name, surname, telephone number, and e-mail), access credentials to the app, location data (those that appeared at the time of registration), and relations with other data subjects (sharing trips, introducing friends, profiling information).
 
The controllers had also, without having obtained valid consent, processed the data of approximately 1,379,000 data subjects by profiling them on the basis of the so-called 'fraud risk', assigning them a qualitative rating (e.g., 'low') and a numerical parameter (from 1 to 100). Finally, the controllers had not complied with the obligation to notify the DPA of the processing of personal data for geolocation purposes, as required by the legislation in force before the GDPR came into effect.  


=== Holding ===
The Garante ascertained the violation of:
The DPA found violations related in particular to the inadequate privacy notice provided to data subjects, which lacked an indication of joint ownership of the processing and was 'formulated in a generic and approximate manner', with 'unclear and incomplete information', and 'not easy to understand'. The purposes of the processing were not well specified, the references to the rights of the data subjects were vague and incomplete, and it was not clear whether data subjects were obliged to provide their data, or what the consequences of a possible refusal would be.
 
The DPA found the following violations:


1. Violation of article 13 Privacy Code, for failure to acquire the consent of the data subjects.


2. Violation of articles 37 and 163 Privacy Code, for failure to notify the Garante of the processing.
2. Violation of articles 37 and 163 Privacy Code, for failure to notify the DPA of the breach.


3. Violation of Article 164-bis (2) Privacy Code, because the violations committed relate to databases of particular relevance or size.


Consequently, the DPA fined Uber B.V. (Holland) and Uber Technologies Inc. (USA) €2,120,000 each (a total of €4,240,000) for violations relating to 1.5 million data subjects in Italy, including drivers and passengers.


In defining the amount of the sanctions, the DPA, in addition to the seriousness of the violations ascertained, also took into account the significant number of data subjects involved and the economic conditions of the company.

== Comment ==
Although it does not involve current European legislation (GDPR), this decision is relevant with regard to the general principles of data protection already contained in Directive 95/46/EC, which each EU Member State implemented through national legislation: in Italy, this legislation is the 'Privacy Code'.


<pre>
<pre>
Order injunction against Enel Energia S.p.a. - December 16, 2021
Injunction Order against Uber B.V. and Uber Technologies Inc. - 24 March 2022


Record of measures
Register of Measures
n. 443 of December 16, 2021
No. 101 of 24 March 2022


THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA


IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and dr. Claudio Filippi, Deputy Secretary General;
AT TODAY'S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;
 
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation");
 
GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");
 
HAVING REGARD to the documentation on file;
 
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
 
RAPPORTEUR Dr. Agostino Ghiglia;
 
WHEREAS
 
1. THE INVESTIGATION ACTIVITY CARRIED OUT
 
1.1 Introduction
 
With act no. 26890/21 of May 14, 2021 (notified on the same date by certified e-mail), which here must be understood as fully reproduced, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation vis-à-vis Enel Energia S.p.a (hereinafter "EE" or "the Company") in the person of the pro-tempore legal representative at the company's registered office in Rome, Viale Regina Margherita no. 125, Tax Code 06655971007.
 
The proceeding originates from a complex investigation activity initiated by the Authority following the receipt of numerous complaints and reports from interested parties, who complained, primarily but not exclusively (as will be seen in more detail below, par. 1.2), of the receipt, in the name and on behalf of Enel, of one or more unwanted promotional phone calls, including via pre-recorded disc, to reserved users or users registered in the public opposition register, together, in some cases, with related complaints regarding the exercise of rights and, more generally, the management of user data in the context of energy supply services.
 
The phenomenon of telemarketing in the energy sector - of which the investigation against Enel is part, despite having already been the subject of the attention of the Guarantor in the past - has undergone a sharp and worrying increase as the deadline set by the legislator (moreover following multiple extensions) for the definitive transition from the protected market of electricity and natural gas to the free market approaches (see, lastly, Article 12, paragraph 9-bis, letter b) of Law Decree 31 December 2020, n. 183, converted, with modifications, by law February 26, 2021, n. 21). In fact, the Authority was the recipient, in this context, of the complaints of citizens regarding a persistent and disturbing sense of interference in their own sphere of confidentiality due to these practices, often accompanied by behaviors that are not only invasive but also, as complained, particularly aggressive.
 
The Authority's approach, in accordance with the previous investigations relating to other data controllers, was therefore based on an overall observation and evaluation - rather than in a logic, albeit fundamental and necessary, of individual response to the single complaint - of behaviors that reveal a phenomenon already known, to which, the approach of the aforementioned legislative term, has brought elements of chronicity, particular intensity and, consequently, invasiveness in the private sphere of the interested parties.
 
In the context of the regulations on the protection of personal data, the aforementioned systemic and global analytical approach to the problem, which the Guarantor intended to apply, assumes particular relevance for understanding the nature and purpose of the processing, the technical and organizational measures adopted by the owner to ensure compliance with the EU General Regulation 679/2016 (hereinafter "RGPD" or "Regulation") as a whole, as well as, in light of the principle of accountability (Article 5, par. 2, RGPD), the methods by which compliance with this regulatory framework is proven.
 
Therefore, the activity of the Guarantor was carried out mainly through unitary investigations and requests for cumulative information. With the entry into force of regulation no. 1/2019, concerning the performance of the tasks and the exercise of the powers delegated to the Authority (in www.gpdp.it, web doc. No. 9107633), the Office was in fact able to avail itself of the option provided for in art. 10, paragraph 4, to carry out the preliminary investigation precisely in relation to multiple complaints and reports having the same object or relating to the same data controller or processor, or to data processing related to each other. This is in order to examine, with greater effectiveness and, at the same time, necessary economy of the means of investigation, the complaints that have concerned a plurality of conducts referable not only directly to Enel but also to some commercial partners which it uses.
 
In this context, Enel S.p.A. and Enel Energia S.p.a. initially received, from December 2018 to July 2020, four separate requests for cumulative information (infra par.1.2) which concerned a total of 135 files and were divided as follows:
 
13 December 2018, relating to 25 reports (file 133144; hereinafter "I cum."), followed by the company's reply sent to the Guarantor on 21 December 2018;

19 August 2019, relating to 32 reports (file 133144; hereinafter "II cum."), with the company's reply sent to the Guarantor on 6 September 2019;

December 17, 2019, relating to 25 reports (file 133144; hereinafter "III cum."), with the company's reply sent to the Guarantor on August 21, 2020;

10 July 2020, relating to 8 complaints and 45 notifications (file 152287; hereinafter “IV cum.”), followed by the company's response sent to the Guarantor on 21 August 2020; as well as, on 24 December 2020, a further request for integration of the information provided with regard to the cases already identified in the aforementioned note of 10 July 2020 (file 152287; hereinafter “IV-bis cum.”). The response to this last request was received on January 14, 2021. The feedback to the aforementioned requests for information was received only from Enel Energia as a company active in the free market for the sale of electricity and natural gas.
 
The complaints conducted against EE also included the assessments that emerged in the context of investigations carried out with respect to individual cases. The reference is, in particular, to 5 further complaints submitted, pursuant to art. 77 RGPD, before the date of 20 July 2020 (infra par.1.3).
 
1.2. Requests for information and presentation of documents, pursuant to art. 157 of the Code and the feedback provided by Enel
 
The detailed examination of the complaints received by the Authority led, in accordance with the aforementioned logic, to formulate various requests for information, in subsequent times, in relation to the companies concerned, pursuant to the combined provisions of Articles 58, par. 1, lett. a) GDPR and art. 157 of the Code. The respective issue numbers are specified in brackets. The same and the feedback provided by the Company are summarized below, without prejudice, however, to the full and complete reference to what has already been reported in the contestation deed.
 
Request of 13 December 2018 (I cum.): The complaints received by the Guarantor, at the basis of the aforementioned requests for information, concerned, in particular, the processing of personal data of the interested parties in the context of unwanted promotional telephone calls as they were made with respect to users reserved in the absence of the necessary consent of the interested parties (132890, 133076, 132810, 132578, 131243, 131039, 130428, 129707, 122612, 106175), or, with respect to fixed users, despite the registration of the number in the public register of oppositions (132985, 132792, 131811, 131762, 131444, 131337, 131237, 130644, 130529, 130349, 130197, 130077, 129198), as well as the late reply to requests to exercise the rights of access to personal data or to oppose the related processing for the purpose of marketing (132334, 129416).
 
With regard to the undue promotional contacts made both towards interested parties, whose numbers were confidential and towards interested parties whose users were registered in the ROP at the basis of the request for information of 13 December 2018, the overall response provided in particular by EE highlighted that in all the reported cases the calling numbers did not belong to those in use by the company or its commercial partners and that said numbers, from an online search, were related to "self-styled operators who illegitimately spend the name of Enel Energia itself - or that of other companies also operating in sectors other than the energy one "(see the company's response of 21 December 2018).
 
On the other hand, with reference to the exercise of the rights whose non-response was complained of (files 132334 and 129426), the answers provided by EE, again following the aforementioned request from the Office, effectively accounted for the delay recorded by the company in following up on the requests of the interested parties.
 
Request of 19 August 2019 (II cum.): With regard to the feedback provided in particular by EE following the second request for information made by the Office on 19 August 2019 (files 116720, 116698, 136284, 137069, 137220, 137655, 137710, 137730, 137772, 137777, 138579, 139334, 140475, 136877, 136921, 136932, 137159, 137360, 138000, 139071, 139222, 139228, 139838, 139930, 140166, 140273, 140301, 138749, 138775, 139131, 139219, 138716), EE again represented that, even in the new complaints presented to the Guarantor, the unwanted promotional telephone calls that the interested parties reported as attributable to EE instead originated from numbers extraneous to the company and its network of commercial partners.
 
More specifically, the company highlighted that from the computer checks carried out in its company systems, most of the interested parties had never had a contractual relationship with it. Only in five cases the personal data of the reporting persons were found to be present in the EE systems due to existing contractual relationships, while in six cases the contractual relationships were terminated. With respect to two specific cases, however, the company found that the promotional contacts were attributable, in one case, to one of its partners by virtue of an agency contract still in place (136877) and, in the other, they came from a former partner, with which the contractual relations had been concluded prior to the making of the unwanted promotional phone call (137360, 138000).
 
Request dated 17 December 2019 (III cum.): A new request for information was sent to the Company regarding a further 25 reports, relating to users who own both reserved numbers in the absence of the necessary consent (142718, 142745, 142834, 143230, 142718, 143221, 143721, 144373, 144437, 144518) and registered in the public register of oppositions (142833, 143025, 143222, 143688, 143749, 143766, 144316, 144446, 145020).
 
The complaints received also represented the receipt of promotional calls declared in the interest of EE via a pre-recorded disc (143863, 144081, 144296, 144240, 144385). In one case, the whistleblower, in the face of undue receipt of promotional phone calls, exercised his rights towards EE, in particular that of opposition to processing for direct marketing purposes (144760).
 
In the face of what is represented by the interested parties, the company has not provided, within the deadline, any kind of feedback, so as to induce the Guarantor to reiterate, pursuant to art. 157 of the Code, the request for information regarding the aforementioned files, together with a subsequent request, which became necessary in the face of further reports and complaints subsequently received by the Authority (IV cum.).
 
However, the late overall response provided by the company showed that in all cases the calling numbers did not belong to those used by EE and its partners.
 
In relation to cases in which the whistleblowers have shown that they have been contacted through automated methods, in particular an answering machine, EE has provided its feedback, highlighting that it is not "in the availability of the personal data of the interested parties" (143863; 144240; 144296), also representing not to make "promotional calls via automated answering machine" (144240). In two other cases, the company did not provide any feedback, apart from the aforementioned generic reference to the extraneousness of the calling numbers (144081; 144385).
 
Similar statements were made by the company in relation to further reports (139123 and 143511), initially subject to independent investigation and, subsequently, merged into the aforementioned main proceeding. In these reports, various unwanted promotional contacts were complained of via pre-recorded disc which, in view of the imminent termination of the protected market, invited the transition to the free market with EE. The company, in the context of subsequent discussions with the whistleblowers, denied any traceability to itself of these contacts.
 
The extraneousness of EE to the complained phenomenon was also reiterated in response to another report (file 139206) in which the interested party, after having complained for the umpteenth time about the continuous phone calls from the "Enel Energia answering machine", acknowledged having selected, at the end of the pre-recorded message, key “3” with the option of being contacted again. Following this action, the reporting party declared that he had actually been contacted by a physical operator in the name of EE and, even, that he had scheduled a subsequent visit and met a self-styled agent of the latter as an Enel appointee, but then verify the involvement of a commercial partner of EE, XX., and receive from the latter company, following the legitimate exercise of its rights, only the indication that it does not manage call center activities or promotional activities.
 
As part of the cumulative requests and the related feedback provided, also with regard to the reports regarding users registered in the public opposition register, the company then reiterated that in some cases the interested parties were holders of contracts that have now ceased (143688, 143766, 144446); or, in others, still outstanding (142833, 143749, 143766, 145020).
 
Request of 10 July 2020 (IV cum): the grievances underlying the fourth request concerned, once again:
 
receiving unwanted promotional calls to numbers registered in the opposition register (136820, 140498, 140527, 140842, 141460, 142199, 143304, 143549, 143610, 146926, 147410, 148139, 151382) and to reserved numbers without prior acquisition the necessary consent (109024, 136529, 139443, 140347, 140821, 141283, 141602, 142057, 145842, 146806, 146898, 147277, 147347, 147737);
 
the use of pre-recorded discs always in the context of promo-commercial calls (138477, 140347, 144213, 147139, 147196, 147750);
 
the failure of Enel Energia to respond to the exercise of the relative rights, as well as the receipt of further promotional telephone calls, including pre-recorded ones, despite the acknowledged opposition to the processing (138729, 140347, 146556, 140058, 143143, 142953, 150137).
 
The Authority's requests also pointed to the opportunity to provide clarifications on:
 
the relations between EE and other companies that would have contacted the interested party on its behalf, as well as the use of the telephone number (136020);
 
the alleged mandatory consent to be issued for marketing and profiling purposes by other companies of the Enel group and commercial partners, in the context of the use of apps for consulting consumption and for paying bills (142396, 142400, 143619, 144726);
 
sending promotional text messages in the absence of the interested party's consent (150613);
 
the acquisition and automatic association of contact telephone numbers (146166, 138115)
 
sending invoices and other personal data to other users (147284);
 
the improper use by third parties of information available to EE (143728) as well as the related forms (151477).
 
further and distinct complaints (140103; 140911).
 
In view of the aforementioned framework, EE recalled the sales processes used by it as a company active in the free market for electricity and natural gas, also through its own commercial network, and declared that it had also adopted, with regard to its sales partners, adequate technical-organizational measures with respect to the processing of personal data involved in these processes.
 
The Company also acknowledged "that it has to manage an important number of complaints which, however, in most cases are not attributable to the commercial conduct adopted by the same", as well as the frequency of abusive use of its name by third parties that, through fraudulent conduct, try to gain an economic advantage and undermine its consolidated reputation. In this sense, EE intervened "warning these subjects to cease the illegal activities inherent in the abusive use of their distinctive signs and the unfair commercial practices put in place, also by filing a complaint with the Judicial Authority". Reference was made in these terms, in particular with respect to the phenomenon of pre-recorded telephone calls, to two complaints filed with the Public Prosecutor of Rome on 12.11.2019 and 2.3.2020 respectively.
 
In relation to the complaints about the receipt of promotional phone calls via pre-recorded disc, the company highlighted, once again, its extraneousness to these methods of contact, justifying in any case the availability of the data of the whistleblowers on the basis of the reasons already mentioned previously (140347: some automated calls were made by an EE partner; 144213: for complaint management purposes; 147139: perceived quality detection process; 1457750: for reporting purposes).
 
With regard to the complained-of obligation to give consent for marketing and profiling purposes in order to access and use the online services and the app for consulting and paying invoices (142396, 144726, 142400, 143619), EE then represented that, to simplify these functions, the so-called Single Profile was implemented, consisting of an account for accessing the web portals and apps of the Enel Group companies. The company also stated that "for the purposes of registering the account, only the confirmation of having read the information by the user is required and not the release of consent to the processing of personal data for marketing and profiling purposes [omissis], as instead erroneously reported by some complainants". This circumstance, with respect to individual complaints, was communicated directly to the interested party only in one case (142396).
 
With respect, however, to the additional individual cases highlighted, here we are limited to making full and complete reference to what is reconstructed in the contestation deed, referred to here in its entirety.
 
Request dated 24 December 2020 (IV-bis cum.) and assessment carried out by the Office: with reference to the latest reply received from EE (21 August 2020, reply to III cum. and IV cum.), the latter was the recipient of a further request for information and clarifications with respect to some circumstances that emerged therein, in particular with respect to the role of some commercial partners and the related activity, as well as the actions undertaken and the measures adopted against these subjects. In particular, with regard to the significant phenomenon of pre-recorded telephone calls for promotional purposes, with respect to which the company had previously declared that it was not involved in any way, a more precise response was requested with respect to the initiatives allegedly undertaken and the measures adopted to counter this phenomenon.
 
In providing further feedback to the Guarantor, on 14 January 2021, EE sent the contractual addendum models governing the relations between the latter and some of its commercial partners and also specified, with reference to each case subject to the request for information, to have contested, following the request for information from the Guarantor of 10 July 2020, the illegitimate use of the personal data of the reporting parties and to have notified the contractually envisaged penalty (136820, 140911, 141460) to some partners.
 
In relation to the phenomenon of calls made via automated answering machine, EE communicated, attaching documentary proof, that it had filed two complaints with the Public Prosecutor's Office of Rome, on 12 November 2019 and 2 March 2020, in order to protect its good name, illegally used by third parties as well as "to distance themselves" from this promotional contact method.
 
With regard, then, to online services and in particular to the preparation of an app for consulting energy consumption and for the payment of bills by users, as part of the so-called Unique profile the company was requested to provide clarification elements regarding the operating methods of the aforementioned app, as well as indications on the quantitative dimension of the service.
 
The company responded to this request, highlighting that “In order to access digital services, the Unique ID must be activated. [omissis] Through a single pair of credentials (username and password) it is possible to access all the digital services that the individual companies of the Enel Group make available, without the need to make a new registration in order to access one of the companies of the Enel Group other than the one for which the first registration was made.” Currently, this access method applies only to Enel Energia and Enel X, while the companies of the Enel Group subject to the unbundling legislation are excluded from the Single Profile (as regards Italy, SEN and E-distribution).
 
EE also stated that "Through the Single Profile, companies only share the credentials necessary for access to their respective digital services", specifying that "the personal data that have been given by the digital user to the various companies (for example, for the purposes of management of the existing contractual relationship with them) are not transferred from one company to another". Since September 2019, the use of the Single Profile is mandatory for all digital users, i.e. users who had previously activated an online account and who have been guided, through a migration process, to the new profile, i.e. for users who did not previously use digital services.
 
Finally, the company provided information on the quantitative dimension of the use of the Single Profile (3,113,254 users) and the App (1,665,969 users).
 
Given the persistent lack of information about the methods of granting consents for marketing purposes in the context of the creation of the Unique Profile and use of the App, despite the complaints of the whistleblowers, fully transmitted to the company, on this specific aspect (142396, 144726, 142400, 143619), the Office deemed it appropriate to carry out an investigation directly (see report of investigations carried out, May 7, 2021 and annexes).
 
In this sense, it was possible to see that, following the insertion of the required data (name, surname, contact information, tax code), the user views a first screen for information purposes, in which both Enel Energia and Enel Italia S.p.a. they are indicated as independent data controllers. Subsequently, it is possible to view a second screen relating to the Terms and conditions of the service and the Privacy Policy, accompanied by two boxes that must necessarily be marked in order to proceed with the registration (as described by EE in the reply of 14 January 2021 ). The consent to having read the aforementioned conditions and the information in which the purposes for which the consent, albeit optional, of the interested party is requested, is not, however, followed by an immediate and easy viewing of a specific section dedicated to the collection of any consents referred to in the information itself. Only after completing the registration procedure and accessing the reserved area, in fact, can the user begin a path, which is not easy to understand, which will lead him to express his will or his refusal regarding the processing of own data for the marketing and profiling purposes of EE, Group companies and third parties.
 
1.3. Complaints instructed individually
 
Autonomous investigations merged into this unitary discussion with the main procedure, based on the provisions of Articles 10, paragraph 4, of the regulation of the Guarantor n. 1/2019 and 8, paragraph 2, of the regulation of the Guarantor n. 2/2019, were conducted in relation to various complaints received by the Authority in the period taken into consideration.
 
The issues raised concerned, once again, the phenomenon of unwanted promotional calls, in particular through pre-recorded discs, for the transition to the free market with EE, addressed to both former customers and non-customers of EE, some complaints about the exercise of rights and sending unsolicited promotional communications via e-mail or text message.
 
In particular, three complaints (files 142298, 144397 and 136321) reported the receipt of various unwanted telephone contacts, despite the interested parties having already represented this situation on several occasions to EE, requesting the cancellation of their personal data, or communicating their opposition to processing for promotional purposes. In two of these cases the calls were made via a pre-recorded disk (files 142298 and 144397) and in particular in one (file 142298) the complainant was even able to accurately report having received, after typing the so-called "Option 3" to be contacted again (option present in the recording), a subsequent telephone call from a call center operator who, presenting himself as EE, proposed the switch to the latter in the free market, confirming, furthermore, upon repeated requests by the interested party, that he was acting on behalf of Enel and not of third-party companies.
 
Other specific issues raised, again in the context of unwanted promotional communications by EE, concerned the correct management of requests to exercise the rights guaranteed by articles 15-22 of the Regulation, in particular of the request for opposition to the processing of data, exercised during the signing of the contract (file 133249) and/or subsequently through specific communication to the owner (files 133249, 136529 and 136321).
 
Finally, in two cases, the complainants also complained of receiving unsolicited promotional communications via e-mail and / or text message (files 133249 and 136321).
 
In general, in the face of all the complaints about unwanted promotional telephone calls, the Company has always declared itself completely unrelated to the calls reported, specifying that the caller numbers from which the complained contacts were received do not belong to the range of numbers used by EE or to those that can be connected to their partners.
 
Only in one case (file 136321), following the request for information from the Guarantor, did the Company highlight that the complained telephone contact had been made as part of customer satisfaction activities by company XX with which EE had entered into a contract for the performance of this service, appointing it as the data processor.
 
More specifically, with regard to the alleged use of the pre-recorded disk, EE represented, in relation to the two aforementioned complaints (files 142298 and 144397), that it did not have any automated answering machine system to make outbound calls for promotional purposes, or to propose new contracts or acquire new customers.
 
As for the requests relating to the exercise of rights, in one case (file 133249), EE admitted the delay in the management of the request, first attributing it to a technical problem linked to the management of its certified mail, then, in acknowledging that it had registered the objection of the complainant in its company systems, attributed the incorrect registration of the latter's will to the operator of the Enel point during the loading phase of the contractual information, with the consequence that "due to this error the email address provided by the customer when signing the aforementioned contract was used as the recipient of email marketing campaigns carried out with the logic of soft spam". With respect to the communications sent by the complainant, the company then stated that the e-mail address to which they would have been addressed is non-existent and in any case that it subsequently proceeded to correctly register the opposition of the interested party in its company systems. In the face of this representation, the interested party replied, highlighting, in particular, that the contact data was that expressly indicated at the bottom of the promotional e-mails received.
 
With regard to the complaint that also reported receiving unsolicited promotional communications via e-mail and text message (file 136321), EE highlighted how: a) the e-mail communication concerning the possibility of subscribing to a loyalty program, promoted by the company, "was sent as "soft spam", since it is a communication relating to services that the customer can benefit from as part of the supply service"; b) the communication received via text message and sent from an energy sales point was found to be attributable to a former partner of EE, warned by the company of the illegitimate use of the Enel trademark.
 
1.4 Closure of the investigation and initiation of the procedure for the adoption of corrective measures
 
Having examined the feedback provided by the Company, the Office, pursuant to art. 166, paragraph 5, of the Code, has adopted the act of initiating the procedure referred to in the introduction, with which it has challenged the Company for violations of the following provisions:
 
1. Art. 31 of the Regulation (Cooperation with the Supervisory Authority), for not having provided any response to the request sent by the Guarantor to the company on 17 December 2019 (III cum.), as a result of which, in order to obtain all the elements useful for an evaluation of the merits, the Office deemed it necessary to repeat the aforementioned communication (IV cum.); equally not in compliance with art. 31 of the Regulation was the attitude adopted on the occasion of the checks in I, II, III cum. (received, in the latter case, as mentioned, only following a repeated request) and IV cum. (limited to some issues). The company, in fact, limited itself to highlighting how the calling numbers did not belong to the group of those in use by itself or its partners, not providing precise elements of evaluation in support of what was stated, nor offering specific evidence about a necessary activity of verification of these numbers with respect to its own sales network, mostly packaging a series of standardized responses for each of the reports. More specifically, in response to requests III and IV cum. (communication of the Company of 21 August 2020), a specific and analytical response to some of the reports received by the Authority was lacking, as the company limited itself to a generic exclusion of the calling number from those used by EE and its partners (III cum. 144373, 143221, 143025, 143222, 144316, 144081, 144385; IV cum. 140821, 145842, 146898, 142199, 143304, 146926, 138477, 147196; single inquiries: 136529) without providing, in fact, any element even of general classification of the single cases highlighted.
 
2. Art. 5, par. 2, and 25, par. 1 of the Regulation (Principle of accountability and privacy by design), for not having undertaken an effective counteraction with respect to the phenomenon of undue promotional contacts carried out in its name, exercising (and being able to prove) in a full and conscious way, its attributions, to which the duties of accountability and privacy by design correspond (through elements of prevention, functionality, safety, transparency of treatment and centrality of the interested party).
 
The mere non-traceability of the calling numbers to the shortlist of those in use by the company and its commercial partners, repeated several times by EE as an element of response to the requests sent by the Guarantor, is, in fact, to be read critically in light of that proactive perspective that defines the principle of accountability of the data controller and that permeates the entire new regulatory framework of data protection.
 
Precisely the significance of the phenomenon and the circumstance that the telephone contacts were made in the name of Enel Energia as well as the primary role it plays as an operator in the energy market and the considerable organizational and management possibilities that characterize it, would have required feedback more in line with the necessary and essential work of constant vigilance and monitoring of the phenomena that emerged as a result of complaints also received directly by the company, especially in the area of telemarketing.
 
Furthermore, there has been no evidence, apart from a generic reference to the contractual clauses through which the company binds its partners to comply with the legislation on the protection of personal data, regarding the adoption of specific technical and organizational measures suitable for contrasting in an effective and resolutive way the complained phenomenon.
 
EE could have exercised towards its commercial partners (and shown that it exercised) in a full and conscious way, its powers, which correspond to the duties of accountability and privacy by design (through elements of prevention, functionality, safety, transparency of the treatment and centrality of the interested party) identified by articles 5, par. 2, and 25, par. 1 and 2 of the Regulation. In particular, by giving an account of the introduction of automatic and stable forms of control within the corporate organization both internally (also with regard to personnel) and with respect to the sales network constituted by its commercial partners, as well as on the systems appointed to activate offers and services to its customers. The programming of the latter, for example, could have been designed in a predefined way in order to signal and block in real time the attempts to load supply contracts obtained in an opaque manner or in any case the outcome of treatments performed in violation of the legislation on the protection of personal data.
 
The company should also have taken into account the identification of specific selection criteria and specific audit activities with regard to its partners, as well as timely verification actions, also through automated methods, of its internal processes for managing personal data also under the profile of the correctness and security of access to user data as well as, on the other hand, in relation to the signing and consequent uploading of new contracts.
 
These measures would have contributed to a more appropriate representation of the awareness and corporate choices made, even more so to protect a position that is described as strongly compromised, in terms of image and reputation, by allegedly incorrect third party conduct.
 
3. Art. 5, par. 2 (Principle of accountability), for not having proven compliance with the legislation on data protection in the case of unwanted promotional communication made by a partner. Even in the cases in which the company gave account of the undue telephone contact by one of its partners following information requested by the interested party at an EE point of sale (II cum: 136877), the representation provided to the Office was limited to the generic reserve for the adoption of appropriate measures towards the partner himself, without however providing evidence of the actions taken, especially in a more articulated framework of measures and interventions that, at company level, should be envisaged for the management of these problems. This behavior is not in line with the aforementioned principle of accountability of the data controller (Article 5, paragraph 2 of the RGPD) which requires the latter to prove compliance with the legislation on data protection.
 
4. Art. 5, par. 2 and 24 of the Regulation (Principle of accountability and responsibility of the data controller) for not having controlled the activity of its business partners, including through appropriate technical and organizational measures. With regard to reports that complained of unwanted contacts through automated methods, in particular an answering machine, EE then limited itself to generally declaring that it did not make "promotional calls via automated answering machine." (III cum: 143863, 144296, 144240; 144296; IV cum: 140347, 144213, 147139, 147750; single inquiries: 139206, 143511, 139123, 142298, 144397).
 
Given the above, the company has therefore not provided detailed elements aimed at excluding its own involvement with respect to the formulation of pre-recorded messages which in all the reports have been described as coming from Enel Energia and aimed at facilitating the passage of users to the same company in the free market. This proves that the promotional activity was carried out for the benefit of EE, albeit in ways allegedly not authorized by the company itself. Moreover, in two specific circumstances (III cum. 139206; individual inquiries 142298) it clearly emerged that the interested parties, having opted for re-contact after the recording (so-called "option 3"), have actually been re-contacted by physical operators qualified as persons in charge of Enel Energia and even subsequently met personally with persons who qualified as agents of the company or in any case connected to its partners (XX).
 
These circumstances denote a lack of control by EE over the activity of its partners who carry out promotional activities to its advantage, including through appropriate technical-organizational measures, thus constituting the violations of Articles 5, par. 2, and 24 of the GDPR.
 
5. Art. 5, par. 1, lett. d) of the Regulation (Principle of accuracy), for having erroneously automatically associated the number from which a call was made to the company's toll-free number (presumably a fixed user used on a one-off basis by the reporting party) (IV cum: 146166).
 
6. Art. 5, par. 1, lett. d) (Principle of accuracy) and 6 of the Regulation (Lawfulness of processing), for having sent personal data via invoices to a user other than the holder of the contract following the association of the tax code of the reporting party to another Enel user, by reason of the alleged similarity between the two codes (IV cum: 147284). From this event it is possible to detect both the profile of the violation of the principle of accuracy, having been associated with the reporting person incorrect personal data, and an undue communication of personal data (in particular name, surname and tax code of a different user to the first, through sending invoices) in the absence of any assumption of legitimacy of the treatment;
 
7. Art. 12 of the Regulation (Transparency and methods of feedback to the exercise of rights), for not having provided the necessary and timely feedback to the interested parties about the legitimate requests for exercising the rights (in this case, the right of access and the right to object) formulated by the interested parties (I cum: 132334, 129416; III cum: 144726; IV cum: 138729). The company admitted the delay in following up the requests of the interested parties, justifying, at least in the two cases covered by the first request, this delay with the need to conduct more in-depth and additional investigations following the communication of the Guarantor (I cum: 132334) or still to suspend this activity pending the full applicability of the RGPD (I cum: 129416). In one case (III cum. 144726) the company attributed the failure to respond to a "mere technical problem".
 
8. Art. 5, par. 1, lett. a) (Principle of correctness) and 12, par. 2 of the Regulations, for providing contradictory feedback regarding a further request to exercise the rights advanced by the interested party in relation to the receipt of promotional calls via pre-recorded disk (IV cum: 136020). This is because in an initial response provided to the interested party (as per annex 19 to Enel's communication of 21 August 2020), EE admitted a "typing error" as the cause of the undue promotional contact, while in the representation provided directly to the Authority (page 15 of the response of 21 August 2020) it charged another customer with the responsibility of having provided the data of the reporting party as contact data connected to a supply user;
 
9. Art. 21 of the Regulations and art. 130, paragraphs 1 and 2 of the Code (Unsolicited communications and right of opposition), for having unduly sent promotional communications by e-mail, despite the refusal expressed by the interested party both when signing the energy supply contract, with respect to the processing of data for marketing purposes, and through the subsequent opposition to the processing expressly addressed to the dedicated e-mail box (single inquiries: 133249);
 
10. Art. 130, paragraph 4, of the Code (Soft spam), for having sent a communication regarding the registration to the EE loyalty program, without having provided any evidence regarding the necessary presence of that objective element of an informative nature which is the basis of a correct dialogue with the interested parties and legitimizes the exemption from the acquisition of the relative consent, together with the presence of the other elements referred to in art. 130, paragraph 4, of the Code as well as by the Provision of the Guarantor of 4 July 2013 (web doc. No. 2542348; single investigations, fasc. 1346321);
 
The Guarantor also charged Enel with the following violations in relation to the Single Profile and the Consumption Management and Consultation App, also following an investigation carried out by the Office on May 7, 2021:
 
11. Art. 31 of the Regulation (Cooperation with the supervisory authority), for having offered insufficient collaboration to the supervisory authority, not having provided - even in the face of two requests to that effect together with the specific reports of the interested parties on the matter - any information about the methods of issuing consents for marketing and profiling purposes in the context of the use of digital services;
 
12. Art. 5, par. 1, lett. a), 12 and 13 of the Regulation (Principle of transparency and disclosure obligations), for having presented website users with two conflicting pieces of information as to the identification of the data controller. The user, in fact, who intends to create a Unique Profile, is first redirected to a page where he is informed, through a brief communication, of the fact that Enel Energia and Enel Italia S.p.a. will manage his data as "independent data controllers". Subsequently, from a second more extensive information, whose acknowledgment declaration is mandatory, together with the terms of service, for registration, no reference to Enel Italia S.p.a. emerges, since only Enel Energia is mentioned as independent data controller. Such discordant texts generate confusion in the user and do not reflect the essential principle of information transparency, logically aimed at allowing the interested party also a conscious expression of consent;
 
13. Art. 5, par. 1, lett. c), of the Regulation (Principle of minimization), for having structured a procedure that allows the passage of extraneous and irrelevant data between the companies of the Group. The single Profile, in fact, allows access to the digital services of the various Group companies included in its perimeter and the credentials that the user acquires with a first registration also allow subsequent accesses to the digital services of said companies. However, in the face of the data strictly necessary to create the user profile and access credentials, the mobile telephone number, address and tax code enrich the profile with unnecessary or, at least, superfluous information with regard to any future interactions with other Group companies. Furthermore, considering the mandatory use of the Unique Profile to access digital services, the user must provide, upon joining this service, a set of data not strictly relevant to the mere creation of the profile which are then shared, as part of the management of the single profile, between the various member companies of the Group;
 
Again in relation to the Single Profile, the joint reading of the text of the information and the form for the collection of consents (which can be found, however, in a difficult and unintuitive way, within the reserved area) led the Office to contest the following further violations:
 
14. Articles 12 and 13 of the Regulation (Information to interested parties), for having issued to the interested parties, in relation to the Single Profile and within the reserved area of the site, a lack of information regarding a necessary identification of the recipients of the data both within the companies belonging to the Enel Group and with reference to a generic range of commercial partners; the generic reference to "Enel Group companies, parent companies, subsidiaries or associates, or commercial partners of Enel Energia" is unclear;
 
15. Art. 6, par. 1, of the Regulation and 130, paragraphs 1 and 2, of the Code (Lawfulness of processing and unsolicited communications), for not having acquired a specific and suitable consent from the interested parties with regard to processing carried out by different subjects as independent data controllers. The characteristics of the information described in point 14 together with the three generic purposes indicated in association with the boxes for the expression of consent (1. Marketing Enel Energia; 2. Marketing third parties; 3. Profiling) contribute to defining a consent that does not satisfy the granularity and clarity requirements provided for by current legislation (Article 4, No. 11, of the GDPR). In fact, a single consent to the communication of data for promotional purposes also by group companies, parent companies, subsidiaries and associates and commercial partners of EE, cannot be considered either specific or free and does not constitute a suitable legal basis for the aforementioned treatments, pursuant to art. 6 GDPR. Likewise, it cannot be considered clear whether the consent required for the marketing activities of the "parent companies, subsidiaries, associates or commercial partners of EE" by the same subjects refers to marketing activities that these companies carry out on behalf of Enel Energia or to a communication of data by Enel to third parties for their marketing purposes, also taking into account that, in the absence of a clear identification of the recipients, a consent linked to processing referable to an indefinite number of subjects cannot be considered suitable. Similar findings have been extended to the request for a single consent for profiling purposes both of Enel Energia and of the subjects already mentioned, as independent data controllers.
 
The aforementioned disputes were formulated by the Office on the basis of the more detailed observations contained in the act of initiating proceedings no. 26890/21 of 14 May 2021, which here must be understood as fully reproduced and to which full and complete reference is made. Likewise referred to here, the report relating to the assessment carried out by the Office on the company's website on 7 May 2021 must be understood.
 
Finally, it should be noted that in the aforementioned act of initiation of the procedure, the Authority also recalled, for the sole purpose of giving further evidence of the pervasiveness of the telemarketing phenomenon, the over 250 requests, including complaints and reports, received by the Guarantor after the last request for information of 20 July 2020 and up to the date of formulation and notification of the deed itself. These further complaints, although not the subject of the aforementioned contestation, highlighted, in fact, a dynamic picture of persistent unease and an even more evident exasperation of the interested parties with respect to the correct processing of their personal data despite the recourse to the registration of telephone numbers in the RPO, or rather with respect to contact methods, such as calls via pre-recorded disk, which are particularly invasive and unwelcome. The same, therefore, while not merging into the investigation and the related phase of today's procedure, represent an undeniable historical fact that testifies, if still needed, that the phenomenon of nuisance calls is far from being resolved.
 
2. DEFENSIVE OBSERVATIONS AND AUTHORITY ASSESSMENTS
 
2.1. Defense brief and hearing of Enel Energia S.p.A.
 
2.1.1. Premise
 
On June 28, 2021, Enel Energia sent a broad and articulated defense brief to the Authority, accompanied by copious documentation, pursuant to art. 166, paragraph 6, of the Code. Under the same provision, on 7 July 2021 the hearing requested by the party for which a specific report was drawn up was held via videoconference. Both documents are to be understood here, for the protection of the party, fully referred to and reproduced, together with the attachments to the defense brief.
 
Pending the presentation of the defense brief, EE sent the Guarantor, on 26 May 2021, a request for an extension of the deadline for the presentation of the aforementioned briefs, together with a request for access to administrative documents referring to the assessment report of the activity carried out by the Authority on May 7, 2021 and to the approximately 250 instances mentioned in the contestation deed as proof of the persistence and diffusion of the phenomenon.
 
On 18 June 2021 the Authority, after having granted the requested extension, communicated the acceptance of the request relating to the report and the files in question, within the limits of a quantitative and sample verification of the latter, noting that no objection was formulated to the Company with respect to the individual and specific circumstances referred to in these requests, but precisely to their entirety and their value as an indicator of the persistence and diffusivity of the phenomenon.
 
The Company contested this method of granting access without, however, proceeding with a formal appeal against the related provision, but asking that the files in question not be taken into consideration in the context of this proceeding.
 
In the defense brief, the holder also requested the cancellation or in any case the filing of the proceedings by virtue of the "failure to comply with the regulatory terms for the Dispute" (page 13 et seq. of the brief). In particular, the sanctioning power of the Authority would have expired after the 120-day deadline for notification of the violation pursuant to art. 166 paragraph 5 of Legislative Decree 196/2003, the dies a quo having to be identified, according to EE, in the specific dates referable to each response (including those relating to complaints investigated individually) that the same would have sent to the requests for information sent from time to time by the Guarantor.
 
Consolidated jurisprudence on the matter of ascertaining administrative offenses contradicts the reconstruction of the Company, which is based on a logic of mere formal counting of the days following receipt of the feedback to the various requests for information, with EE identifying precisely the acquisition of such evidence as the constitutive element of the investigation activity and, therefore, as the dies a quo.
 
In general as regards the activity of the independent administrative authorities, the Cassation (Cassation Civ. Section 2, n. 31635/2018), taking up the arguments already expressed above, reiterated that "the activity of ascertaining the offense, in relation to which to place the starting date of the deadline for the notification of the details of the violation, cannot coincide with the moment in which the "fact" is acquired in its materiality, but must be understood as including the time necessary to evaluate the data acquired and relating to the (objective and subjective) elements of the infringement and, therefore, of the final phase of deliberation related to the complexity, in this case, of the investigations aimed at ascertaining the existence of the infringement itself and at acquiring full knowledge of the unlawful conduct, in order to assess its consistency for the purposes of the correct formulation of the dispute (see Cass. n. 13050/2014; Cass. n. 1043/2015 and Cass. n. 770/2017, cit.)".


In confirmation of the consolidated approach of the Supreme Court, recent rulings by the Council of State should also be highlighted (e.g., Section VI, no. 4020, of 24 May 2021) where it is noted that "in terms of administrative sanctions, what is relevant for the purposes of compliance with the principle of the immediacy of the dispute [...] is not the news of the sanctionable fact in its materiality, but the acquisition of full knowledge of the unlawful conduct, implying the verification of the existence and consistency of the infringement and its effects; so that, on the one hand, the term for the contestation of the infringement does not start from its consummation, but from the completion of the verification activity of all the elements of the offense, having to consider also the time necessary for the administration to evaluate and weigh adequately the elements acquired and the preliminary acts for the identification of the extremes of administrative responsibility, and on the other hand, the term for the conclusion of the sanctioning procedure begins to run only from the moment in which it is carried out - or should reasonably have been carried out, also in relation to the complexity of the case in point - the administrative activity aimed at verifying the existence of the infringement, including investigations aimed at verifying the existence of all the subjective and objective elements of the infringement itself".
HAVING REGARD TO Article 1, paragraph 2, of Law No. 689 of 24 November 1981, pursuant to which the laws providing for administrative sanctions apply only in the cases and for the time periods considered therein


Similarly, but with specific reference to the administrative offenses referred to in the privacy code, the Supreme Court has recently reiterated (Cass. Civ., Section 2, n. 18288/2020): "Being consolidated the position of this Court according to which, in the matter of administrative offenses referred to in the privacy code, the dies a quo for the calculation of the ninety-day deadline for the notification of the complaint report starts from the ascertainment of the violation, which does not coincide with the generic and approximate perception of the fact and with the acquisition of the documentation relating to it, but requires the processing of the data thus obtained in order to identify the constitutive elements of any violations (thus, ex multis, Cass. 14678/2018)." While this jurisprudence refers to the term of 90 days provided for by Article 14 of Law 689/1981, the principles identified therein can well find similar application in relation to art. 166, paragraph 5 of the Privacy Code, since this last provision, following the changes made by Legislative Decree 101/2018, contains the new discipline relating to the procedures for the adoption of corrective and sanctioning measures, previously defined exclusively through the reference made by the Code itself to the aforementioned law 689/1981.
NOTING that the Office of the Guarantor, by deed No. 6254/96792/124735 of 21 February 2019 (notified by registered mail), which is to be deemed herein fully referred to, challenged Uber B.V., in the person of its pro-tempore legal representative, with registered office at Meester Treublan No. 7, Amsterdam (The Netherlands), and Uber Technologies Inc, in the person of its pro-tempore legal representative, with its registered office at 1455 Market Street No. 1455, San Francisco, California, the violations provided for in Articles 161, 162, paragraph 2-bis, 163 and 164-bis, paragraph 2, of the Personal Data Protection Code (Legislative Decree 196/2003, hereinafter referred to as the "Code", in the wording prior to the amendments made following the entry into force of Legislative Decree 101/2018), in relation to Articles 13, 23 and 37 of the same Code;


It follows that the time for data processing and evaluation, when not arbitrarily and unreasonably prolonged, will be directly proportional to the level of complexity of the cases in question, the number of reports and complaints presented and, last but not least, the method of analysis applied by the Authority.
NOTING that, upon examination of the records of the sanctioning proceedings, initiated with the above-mentioned notice of objection, it emerged that:


This method, as already anticipated, was based on an overall assessment of numerous complaints, even once recurring profiles and cases were identified, capable of delineating traits of responsibility that would have been more difficult to emerge in a logic of investigation and dispute case by case. Therefore, a modus procedendi de facto imposed by the same characteristics of the principle of accountability was applied, the implementation of which the Authority has precisely investigated, in the face of a consistent and constant number of complaints from the interested parties over time.
- following a data breach, which occurred in the autumn of 2016 and involved the data of approximately 57 million users worldwide, including Italian users, the Garante initiated a complex preliminary investigation against Uber B.V. (hereinafter UBV) and Uber Technologies Inc. (hereinafter UTI) aimed at acquiring elements of assessment regarding the domestic scope of the security incident that had occurred, sending, in this regard, a request for information to Uber Italy s.r.l. (note of 23 November 2017) and subsequently carrying out an inspection at the premises of Uber Italy s.r.l, in Milan, on 9 and 10 April 2018. From the examination of the overall documentation acquired, it emerged that the data breach concerned: personal and contact data (first name, surname, telephone number and e-mail), access credentials to the app, location data (as they appeared at the time of registration), relations with other users (i.e. sharing trips, introducing friends and some profiling information). On the Italian territory, the violation concerned data of 295,000 interested parties (52,000 drivers and 243,000 passengers);


In other words, full knowledge of the unlawful conduct connected, in particular, but not exclusively, to the profiles of responsibility and accountability, as per articles 5, par. 2, 24 and 25 par. 1 of the RGPD, related, moreover, to the activities of a holder of the organizational dimension of EE could only go through a document acquisition and subsequent composite and articulated evaluation, also at a temporal level.
- as a result of the preliminary investigation carried out by the Office, on 13 December 2018, the Garante adopted Order No. 498 (available at www.gpdp.it, web doc. no. 9069046, hereinafter 'Order'), to which reference is made in full;


It is also noted that an investigation, already complex in itself, was certainly not facilitated by the emergence of a sudden and unpredictable event, such as the pandemic and a consequent emergency situation still underway - in consideration of which, moreover, the legislator has provided for the suspension of the terms of administrative proceedings, most recently extended until 30 November 2020 (art. 41 of legislative decree 34/2020). Nor, in a different respect, did the lack of cooperation shown by the data controller help (amplius infra par. 2.2., N. 1).
- in the aforementioned provision, the Garante declared that the roles played by UBV and UTI, framed in the owner-manager relationship, were not correctly qualified, since the elements acquired during the preliminary investigation and during the inspections carried out at the premises of Uber Italy s.r.l., made it possible to classify the companies UBV and UTI as joint controllers of the processing, each responsible for the processing operations of the personal data of the Italian users (drivers and passengers) which took place in breach of the provisions of the Code;


More generally, it should be finally considered that the elements required by art. 83 of the Regulation for a complete assessment of the conducts, which are assumed to be in violation of the provisions on the protection of personal data, are so broad and complex (also from a guarantee point of view) that, in the case in question, it cannot seriously be objected that the Authority has failed in a timely manner in contesting the offenses.
- in particular, on the basis of what was established in the measure, it was ascertained that the information notice provided to the users, pursuant to Article 13 of the Code, was unsuitable, in that it was 'formulated in a generic and approximate manner, containing unclear and incomplete information, not easy to understand for the interested parties and liable to generate confusion on the various aspects of the processing';


2.1.2. The individual disputes
- it was also ascertained that, with reference to the specific purpose qualified as 'fraud risk indicator', no information had been provided nor valid consent acquired from the data subjects, pursuant to Articles 13 and 23 of the Code;


With reference to the individual complaints raised by the Authority, the defensive arguments developed by the Company in its brief and during the hearing are reported below.
- finally, it was found that the processing of data disclosing the geographical location of users was carried out without prior notification to the Garante, as required by Articles 37 and 38 of the Code;


1) With reference to the dispute referred to in number 1 of par. 1.4, the Company did not hide its surprise at these disputes, since "EE has always followed up the requests of the Guarantor without receiving in response any request for clarification or further information". Furthermore, the Company, according to what was declared in the memorandum, "formulated its replies with the intention of not exceeding the requests in order not to incur a violation of the principle of cost-effectiveness of the procedure also sanctioned by art. 7 of Regulation 1/2019 [...] in order to avoid hindering the smooth continuation of the investigation" (point 14). In other passages of the brief, as well as during the hearing, EE recalled the constant and costly attention, also in terms of financial commitment, that the Company has always paid to compliance with the regulations on the protection of personal data (point 24 of the defensive brief).
NOTING that, by the aforementioned act of 21 February 2019, the two companies were charged, in their capacity as joint controllers of the processing pursuant to Articles 4(1)(f) and 28 of the Code:


With regard to the failure to reply to the III cum., EE attributed the incident to a "human error" that would have occurred in the "sorting of a certified e-mail" (Point 25).
- the administrative violation provided for by Article 161 of the Code, in relation to Article 13, with reference to the issuance of an unsuitable information notice;


Finally, EE announced that it will implement the possibility for the interested party to check directly from the EE website "the traceability to EE and its partners of the numbers from which he has received commercial calls."; in this regard, the Company has also sent the Guarantor a list containing the calling numbers referable to EE. During the hearing, the owner then communicated that the aforementioned system has already been implemented on the site.
- the administrative violation provided for by Article 162, paragraph 2-bis, of the Code, in relation to Article 23, with reference to the failure to obtain consent;


2-4) The Company has dedicated a large part of its defense brief (points 27-138) to countering the objections formulated by the Guarantor regarding the responsibility and accountability of the owner and compliance with the principle of privacy by design, as referred to in numbers 2, 3 and 4 of the previous paragraph.
- the administrative violation provided for in Article 163 of the Code, in relation to Article 37, for failure to notify the Garante;


The Company paused to illustrate how its choices regarding promotional contacts can be divided between an approach followed until the onset of the pandemic and one following it.
- lastly, the breach provided for by Article 164-bis, paragraph 2, of the Code, with reference to the circumstance that the breaches committed relate to databases of particular relevance or size;


Before the epidemiological emergency and the consequent containment measures, EE did not use or commission any telemarketing or teleselling channel to third parties, and more generally any outbound telephone channel for commercial purposes. The commercial promotion of EE took place exclusively through physical points (shops managed by EE partners with commercial collaboration contracts) and “door to door” contacts, carried out by authorized agencies. Even with regard to the activities carried out by these agencies (all selected through a precise scouting procedure), the use of teleselling and telemarketing was expressly prohibited within the contracts stipulated by the Company. The procedure for the acquisition of new contracts following an availability recovered by the agencies during the "door to door" was structured according to an ex post control system (in two phases, by telephone and by mail; Quality call, following precise scripts, and Quality letter) to obtain confirmation of the identity of the subject, of the personal data referable to him / her and of the effective will to contract. The Company stated that this system has enabled it to keep under control and limit the phenomenon of the revocation of utilities activated on the basis of the proposals of the agencies. What is stated and described in the brief regarding the management method of the pre-pandemic commercial channel is, therefore, to be considered applicable, according to the representation provided by EE, to all cases subject to investigation and dispute by the Guarantor, since the latter are all prior to January 2021 (date of reintroduction, as will be seen shortly, of outbound calls).
HAVING NOTED from the report prepared by the Office pursuant to Article 17 of Law No. 689/1981 that no reduced payment has been made in respect of the breaches referred to in Articles 161, 162, paragraph 2-bis, and 163 of the Code;


The epidemiological emergency made it necessary to reintroduce the telephone contact methods so that: a) starting from May 2020 there was the possibility for the agencies authorized by EE to arrange meetings by means of a prior telephone appointment (this activity is aimed at stipulating supply contracts with "remote" mode and the digitalization of processes); b) starting from January 2021, the teleselling channel was introduced. This last activity is carried out, according to EE, through "numbering limitations for telesellers, ex ante checks on contact lists and ex post on the goodness of the expression of will of customers and on the initial contact methods, in order to exclude the use of aggressive marketing practices and unwanted calls." (Point 70 of the memorandum).
HAVING CONSIDERED the defence briefs, sent pursuant to Article 18 of Law No. 689/1981 on 3 April 2019, which refer in full to the pleadings submitted to the Civil Court of Rome, in opposition to the Garante's order, in which the party has, in summary:


The Company has made it clear that the procedures and activities for agencies and for telesellers are completely different: only telesellers acquire contact lists and conclude contracts on behalf of EE (sale by telephone of products and services through vocal order); the agencies do not carry out teleselling activities but limit themselves to phoning potential customers to arrange subsequent appointments.
- contested the applicability of Italian law to the present case. This is because, according to Article 5 of Legislative Decree No. 196/2003, in the wording prior to the amendments introduced by Legislative Decree No. 101/2018, and taking into account Opinion No. 8/2010 rendered by the Art. 29 Group, the Italian law would be applicable "only if Uber Italy's processing activities in Italy were deemed to be carried out by an establishment of UBV and in the context of Uber Italy's activities (and not UBV)". Instead, it is undisputed that Uber Italy acts only as a data processor on behalf of UBV, providing mere customer support and marketing services, as was documented in the course of the investigation. The Garante, which had been aware since 2015 (on the occasion of an initial invitation to provide information addressed to the company) of Uber Italy's role as data controller, considered, in any case, the Italian legislation (and not the Dutch one) to be applicable "without any justification resulting in the Decision being vitiated by an absolute lack of motivation";


In the context, therefore, prior to the pandemic and the choices made by EE, in the presence of the aforementioned absolute ban on making commercial calls by the Company and its agencies, the only obligation to be recognized by the same, according to the relative representation sentiment, would have been to verify that one's partners did not make promotional calls tout court and therefore, in cases of unauthorized calls, to exclude that the calling numbers could be attributable to any of them. No other burden deriving from the principle of accountability or from that of privacy by design would have been attributable to EE, since the possibility of carrying out telemarketing and teleselling activities was not at all contemplated. It was therefore not the task of EE, according to what was stated in the defense brief, to hypothesize and introduce measures and procedures aimed at controlling the formation of lists of telephone users whose use was completely prohibited. Therefore, all the obligations and measures identified by the Guarantor in the case of owners who actually carried out teleselling and telemarketing activities would not be applicable to Enel Energia. The reference is to the measures / orders of injunction against Fastweb S.p.A. (provision of 25 March 2021, web doc. 9570997) or also of ENI S.p.A. (provision of 1 December 2019, web doc. 9244358) or Vodafone S.p.A. (provision 12 November 2020, web doc. 9485681).
- in the notice of appeal in opposition to the decision, it is amply argued that UBV acts as data controller with regard to the processing of the personal data of the users of the Uber app outside the United States, including those of the users of the Uber app in Italy; in this regard, it is stated that 'UTI acts as UBV's data controller with regard to the data of the users of the Uber app outside the United States', as regulated in the Data Processing Agreement. Consequently, the conclusions reached by the Garante, in the contested measure, as to the co-ownership of the processing of the personal data of UBV and UTI are not correct and constitute a premise for upholding the unfounded nature of the complaint relating to the inadequate information;


The Company therefore reiterated its complete extraneousness to the unwanted calls that were the subject of the complaints presented to the Guarantor and stressed that, as it was completely unrelated to the phenomenon, EE did not have any power to verify this phenomenon or subjects outside its control.
- in particular, with regard to the infringement of Article 13 of the Code, the party, in its notice of appeal, argued at length that the objections raised in the Provvedimento concerning the unsuitability of the information provided were unfounded. In fact, not only the privacy policy (which is constantly updated by the company), but all the documents and forms made available to the user, provide detailed information on the purposes of the processing, the mandatory nature of the provision of certain information, and the exercise of the rights of the data subjects. Among other things, the information notice that the Garante deemed 'generic and approximate' was available online and, therefore, knowable to the Authority at least since 2015. Nonetheless, the Authority, on the occasion of its previous contacts with the company, has never questioned Uber's practices concerning the information provided, which, among other things, does not appear to have been challenged by the interested parties through reports or complaints;


More specifically, the Company then returned to the subject, reiterating that, in its view, there had been no violation of art. 25, since EE's privacy by-design before the measures adopted following the pandemic was based "on the set of preliminary checks of the seriousness of the agencies and subsequent checks aimed at verifying the execution of commercial calls tout court by its own agencies following complaints or reports from users (as happened with all complaints covered by the Requests) also by reporting the illegal conduct to the judicial authority and to the Guarantor. On the other hand, it would not have been reasonable and consistent with a correct privacy by-design to implement procedures for regulating and verifying the formation of telephone contact lists, given that telephone contacts were excluded and prohibited upstream from the contracts concluded with the agencies." (paragraph 122).
- as regards the failure to obtain the consent of the data subjects in relation to the processing carried out for the so-called 'fraud risk' purpose, the company pointed out that Uber had not used the 'fraud risk indicator' for more than two years. In any case, under Dutch law (applicable to the processing activities carried out by Uber) consent is not required for such processing operations, as the company showed that it had a legitimate interest in protecting its platform;


The main defensive thesis presented by the Company fits into this context, namely the fraudulent and incorrect use of the name of Enel Energia by unidentified subjects who aim to ensnare customers to conclude contracts "without the contractors being truly aware of what is happening" (point 64 and, in general, the thesis set out in points 55 to 64).
- the failure to notify the Garante in relation to the processing of geolocation data cannot be contested, as this is conduct of which the Authority was aware as early as 2015. Therefore, 'if the Garante really had considered that Uber's conduct was in breach of some rule, the Garante could and should have informed Uber of this in 2015', which never happened;


EE believes it is the victim of "braggarts" and "scammers", who would work for competing companies by illegally using the name of the country's first energy operator as an element of reassurance and in order to arouse the user's attention. Only subsequently, as reconstructed by the Company, in the event of a continuation of the phone call and manifestation of interest, would these subjects suggest that they are an agency and that the offer of a competitor of EE is more convenient. The Company therefore argued that it does not derive any advantage from this practice but, on the contrary, that it suffers significant damage, including to its image.
- finally, there are no grounds for the application of the sanction referred to in Article 164-bis, paragraph 2, of the Code, given that the company has always acted in good faith and cooperated proactively with the Italian Authority since 2015, providing all the information requested also during inspections, as well as with the Dutch Authority in order to ensure compliance with the applicable law, regarding the processing of personal data;


EE argued this thesis by presenting in support: a) a provision of the AGCM of 24 October 2018 with which the incorrect commercial practice of the company Switch Power Srl was sanctioned, which tried to ensnare customers by telephone by pretending to be a company of the Enel group (annex 21 to the memorandum). At the hearing, the Company expanded this argument by also referring to a complaint presented in April 2021 against another company for the same unfair commercial practice; b) some cases, including those reported by some Enel executives and others subject to press articles (annex 23 to the brief); c) the statements in favor of Enel made by Federconsumatori, provincial section of Taranto, which specified how EE personnel visit customers at domestic users only following calls for "making an appointment"; d) the complaints (12 from 2017 to May 2021) relating to a plurality of conduct carried out by subjects identified as competitors of EE or completely unrelated to the activities of the Enel group or completely unknown (see point 132 of the brief and . 24 to the memory).
READ the minutes of the hearing of 8 October 2019, pursuant to Article 18 of Law No. 689/1981, in which the party referred to what it had already argued in its defence briefs and in the appeal filed to challenge the Measure. In particular, it pointed out that it had notified the processing of geolocation data to the Dutch Authority and not to the Italian Authority as well, considering, in good faith, that the Italian legislation was not applicable. The party therefore requested that, where it was considered that the conditions for proceeding with the dismissal of the sanctioning proceedings did not exist, the sanctions be applied to the extent of the minimum edict, taking into account the criteria laid down in Article 11 of Law No 689/1981;


5) With reference to the dispute referred to in number 5 (Article 5, paragraph 1, letter d), of the Regulations), the Company has highlighted that there has been no automatic association of the personal data of the reporting party with the number from which a call had been made to the company's toll-free number (IV cum: fasc. 146166). The error would have been attributable to the manual intervention of an operator. The Company pointed out that "following the report, EE immediately canceled the data and challenged its partner for the incorrect practice" (point 172).
CONSIDERED that the arguments put forward are not suitable to exclude the liability of the party in respect of the contested charges.


6) Again in relation to the data accuracy issues that emerged in relation to the sending of invoices to an incorrect person (IV cum: 147284), as referred to in number 6 (Article 5, paragraph 1, letter d)), EE highlighted a "clerical error" due to the similarity of the tax codes of the two customers and reported that, once it became aware of the error, it promptly remedied it (paragraph 173).
Preliminary to any other observation on the merits of the case, is the question relating to the rules applicable to the case in question. On this point, the Authority considers that there are all the prerequisites to assert the competence of the Italian legislation to the processing of personal data carried out by Uber, on the basis of the provisions of art. 5, par. 1, of the Code, of art. 4, par. 1, lett. a), of the Directive 95/46/EC, (applicable at the time when the facts occurred), as well as of what was clarified by the Art. 29 Group in its Opinion no. 8/2010 of 16.12.2010 on the subject of applicable law. In particular, the application of the Italian national law to the case under consideration rests on the clear assumption that Uber Italy s.r.l. represents a stable organisation of Uber on the national territory and that the processing activities carried out by that entity are 'inextricably linked' to the processing carried out by UBV and UTI, i.e. carried out 'in the context of the activities of the establishment' of the data controller. In this regard, the circumstance that Uber Italy s.r.l. acts as data controller (rather than as data owner) is not relevant, since it is established that the activities carried out by the latter are aimed at enabling the data subjects, whose personal data are collected on the national territory, to take full advantage of the service offered by the group, by providing the support activities (to customers and drivers) necessary for the correct and regular performance of the service. The Art. 29 Working Party in its above-mentioned Opinion No. 8/2010 noted that 'in order to determine whether one or more laws apply to the different stages of processing, it is important to bear in mind the overall picture of processing activity: a set of operations carried out in a number of different Member States, but all intended to serve a single purpose (...)'. 
The Garante, therefore, making use of this contribution, already on previous occasions, has had the opportunity to clarify that the applicable law is not that of the Member State where the data controller resides, but that of the country where the processing activities are actually carried out, also taking into account the persons to whom they are actually addressed (see, in this regard, injunction order against Facebook Ireland Ltd and Facebook Italy s.r.l., provv. no. 134 of 14.06.2019, in www.garanteprivacy.it, web doc no. 9121486; injunction order against Yahoo Emea Limited, prov. no. 144 of 8.3.2018, web doc no. 9072702). It is also worth recalling the judgments of the Court of Justice of the EU on the cases "Google Spain and Google" (Case C-131/12 of 13 May 2014) and "Weltimmo" (Case C-230/14 of 1 October 2015), which affirm the principle that, when processing is carried out in the context of the activities of an establishment of the data controller in the territory of a Member State, the national law of that Member State is applicable pursuant to Art. 4(1)(a) of Directive 95/46/EC; therefore, the supervisory authority of that Member State may exercise, pursuant to Art. 28(1) and (3) of the Directive, all the powers which that right confers on it vis-à-vis that establishment in order to ensure compliance with the data protection rules in that territory, and this irrespective of the fact that the data controller also has establishments in other Member States (in this sense, see also the Article 29 Working Party, Opinion No. 179 - "Update of the Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain"-, of 16 December 2015).


7) As for the disputes referred to in number 7 (Article 12 of the Regulations, (I cum: 132334, 129416; III cum: 144726; IV cum: 138729). the delay in following up the requests of the interested parties, justifying, at least in the two cases subject to the first request for information (I cum: 132334, 129416), this delay with the need to conduct more in-depth and additional investigations following the communication of the Guarantor (I cum: 132334) or to suspend this activity pending the full applicability of the RGPD (I cum: 129416). The Company, however, stressed that in both cases referred to I cum. the interested parties had been informed of the need for this This information would have been provided in one case 33 days after the request (I cum. 132334) and in a second case, within the 30th day of receipt of the request.
That being said, it follows that the arguments put forward by the party with regard to the inapplicability of the Italian regulations to the various aspects of the processing of personal data, carried out by the company, are unfounded, including the observations made with reference to the fact that the processing is carried out solely by UBV. In this respect, it should be noted that the elements gathered during the preliminary investigation phase, also by means of inspections, provided a representation of the roles of UBV and UTI that did not correspond to what was described by the company. The Garante considered that the ownership of the processing should be attributed to both UTI and UBV on the basis of a series of elements that were adequately reported in the measure of 13 December 2018. These included, in particular, the decisions taken with respect to the purposes and means of the processing, which were not prepared solely by UBV; instead, it emerged that the policies relating to the operation and management of the service were prepared solely by UTI, in its capacity as parent company. On this point, the company pointed out, in the course of the preliminary investigation, that the choice of entrusting the management of the policies and the adoption of technical and organisational security measures to a single entity (in this case, the UTI) was aimed at guaranteeing the same level of protection of personal data within the group, similarly to what was done by other companies operating globally. 
In the case at hand, however, it appears that UTI exercises an autonomous decision-making power on such aspects that cannot be considered merely formal, as, inter alia, also confirmed by Uber, in its note of 30 April 2018, in which it states that 'UBV has instructed its data controller, UTI, to decide and implement the technical and organisational security measures necessary for the protection of personal data relating to Italian (and other non-US) passengers and drivers'. It is worth emphasising that the issue of the ownership of the processing of personal data was the subject of in-depth analysis and was at the centre of similar investigations carried out by the Authorities of the other EU countries that were involved in the examination of the data breach occurred to the company. The conclusions reached by the Authorities concerned were, in this respect, unequivocal, all agreeing on the co-ownership of the processing of personal data by UBV and UTI (in this regard, the Délibération n°SAN-2018-011 adopted by the CNIL on 19.12.2018, the Decision adopted by the Dutch PA on 8.11.2018 and the Decision of the ICO on 26.11.2018).


With regard to another case (III cum. 144726), the Company reiterated in defense what it had already argued in response to the requests of the Guarantor or recognized the occurrence of a "mere technical misunderstanding". Finally, with regard to file 138729 (IV cum.), EE did not provide any further information with respect to that contained in the acknowledgment communications during the investigation phase.
At the outcome of the investigation conducted by the Office, in the context of which all the documentation inherent to the processing operations carried out by the company was acquired, it was found that the information provided to approximately 1,513,431 users (including drivers and passengers) was not suitable, not only with regard to the lack of indication of the co-ownership of the processing operations carried out, but also in other aspects that are decisive in guaranteeing the transparency and correctness of the processing operations themselves to the interested parties. Given that the same information notice was prepared in respect of the drivers and passengers, providing an indistinct representation of the processing operations carried out, their purposes and methods. Moreover, it was ascertained that the information notice described, in a generic and approximate manner, the purposes of the processing in relation to the categories of personal data collected; it did not indicate the compulsory nature of the provision of the data, in relation to the various operations carried out and the consequences of any refusal to provide them; the information notice was also unsuitable in relation to the exercise of the rights of the data subjects (with reference, for example, to the right to update and to object on legitimate grounds). These critical issues, assessed overall by the Office at the outcome of the preliminary investigation, are relevant regardless of the fact that no reports and/or complaints were filed by the data subjects in relation to an infringement of their rights.


8) Likewise, with respect to a similar dispute, but referring to the different case in point, referred to in number 8 (Articles 5, par. 1, lett. a), and 12, par. 2 of the Regulations), EE denied the contradiction between the response provided to the interested party and that provided to the Authority (IV cum: 136020). According to the Company, in fact, even though the two findings were formulated differently (in the response to the customer a "typing error" was mentioned), in reality they are both true. This is because the contact details of the whistleblower were provided by another customer and, due to this overlap, the operator then "erroneously registered the data of the whistleblower in the client's master data".
With regard to the violations relating to the failure to obtain specific consent in relation to the processing carried out for the assessment of the so-called "fraud risk" and the failure to notify the Guarantor in relation to the processing of geolocation data, the additional arguments put forward by the company in its defence are not relevant, since, for both processing operations carried out, the applicable regulations (referring to Legislative Decree 196/2003 in force at the time when the violations occurred) provided for the fulfilment of certain obligations by the data controller that were not fulfilled. In particular, on the basis of the documents in the file, it appears that no consent "freely and specifically expressed in relation to a clearly identified processing operation" was acquired in relation to the pursuit of the purpose relating to the so-called "fraud risk" indicator, reported on the profiles of approximately 1,379,000 customers (passengers), and consisting in the assignment of a qualitative judgement (e.g. "low") and a numerical parameter (from 1 to 100).


9) Again with regard to the exercise of the rights of the interested parties, the Company, with regard to the dispute referred to in number 9 (Article 21 of the Regulation and Article 130, paragraphs 1 and 2 of the Code), acknowledged that it had committed a further error in having indicated a wrong email address at the bottom of the communication sent to the interested party (single inquiries fasc. 133249) but also highlighted the easy online availability of the correct address for sending requests to exercise rights (privacy.enelenergia@enel.com). As proof of this ease in communication, there would have been, according to EE, the circumstance for which the same complainant would then subsequently have addressed a second instance of opposition to the correct address, finding full and prompt satisfaction.
Similarly, with respect to the processing of geolocation data, the rules applicable at the time of the inspection provided (Article 37(1)(a) of the Code) for the prior notification of the processing to the Garante, in accordance with the procedures set out in Article 38 below. Although the notification is no longer provided for in EU Regulation 679/2016, under the former legislation it constituted a particularly important fulfilment that required the data controller to communicate to the Garante a series of information relating to the processing that it intended to initiate and relating to the data controller itself; this was done in order to provide every guarantee for the protection of data subjects.


10) With reference to the contestation of the violation of art. 130, paragraph 4, of the Code, referred to in number 10 (single investigations: 136321), EE reiterated, detailing its arguments, what had already been argued in the preliminary phase, recalling, in relation to the three cases complained of by the complainant: a) the sending of a communication similar to soft spam as a prerequisite capable of excluding the necessary acquisition of consent; b) the fact that the call received by the complainant was made to verify the quality of the service offered and not for commercial purposes; c) the sending of the promotional SMS was carried out not by EE but by a former partner, an XX, no longer contractually linked to the Company at the time the communication was sent to the person concerned.
Finally, as regards the application of the sanction referred to in Article 164-bis, paragraph 2, of the Code, it should be noted that this was ordered in view of the significant number of data subjects (approximately 1,514,000 drivers and passengers, and approximately 1,379,000 passengers in relation to the failure to obtain consent) whose personal data were subject to the processing operations carried out by both companies in breach of the provisions of the Code. On this point, it should be noted that in a recent jurisprudential ruling, the Court of Cassation reiterated that the case provided for by Article 164-bis, paragraph 2, of the Code is not an aggravated hypothesis with respect to the other contested violations, but rather an entirely autonomous figure of unlawful conduct (Civil cassation, section II Ord., 03/09/2020, no. 18288);


11) With regard to the contestation of the violation of art. 31, referred to in number 11, also in relation to the information provided regarding the functioning of the Single Profile or the failure to attach the documentation relating to consents (in response to IV cum. and IV-bis cum.), EE has deemed it exhaustive. According to the Company, in fact, the Guarantor would not have expressly requested to receive more details about the consents but would only have formulated requests for clarification on the operating methods of the app and indications on the quantitative dimension of the service.
TAKEN NOTE of judgement no. 11803/2019 R.G. issued by the Court of Rome on 29/11/2021 by which the opposition proposed by the two Companies against the Guarantor's Order no. 498 of 20/12/2018 was declared inadmissible. In particular, the judge held that "the substantive rules applicable ratione temporis are those in force prior to the entry into force of the RGPD, while those of a procedural and procedural nature, immediately applicable, are those subsequent to the entry into force of the Regulations and Legislative Decree no. 101/2018";


12) As regards the disputes connected to the Single Profile and the app for consultation and consumption management, reported in number 12 (articles 5, paragraph 1, letter a), 12 and 13 of the Regulation), EE denied that there was a discrepancy between the two information on the website with reference to the identification of the data controller. In the defense phase, the Company explained how the information of the two parties (Enel Energia S.p.A. and Enel Italia S.p.A.) exist on the same page and how "only part of the information and sections on the site concern both entities". The Company added that the information is "recalled from a single touchpoint (the footer of the homepage) but have a distinct and separate structure, form and content". The navigation data of visitors to the site is processed by Enel Italia S.p.A., which, however, is not the data controller as regards the management of the single profile (which appears to be Enel Energia); on the contrary, Enel Italia S.p.A. together with a third company, Enel Global Services s.r.l., acts as data controller for the data provided at the time of registration and to provide the authentication service.
NOTED, therefore, that UBV and UTI, in their capacity as co-processors pursuant to Articles 4(1)(f) and 28 of the Code appear to have committed the violations referred to in Articles 161, 162(2-bis) and 163 of the same Code, as indicated in the notice of objection No. 6254/96792/124735 of 21 February 2019, as well as the violation referred to in Article 164-bis(2) in relation to databases of particular relevance and size;


13) Again with regard to the Single Profile, with respect to the dispute referred to in number 13 (Article 5, par. 1, letter c), of the Regulation), EE highlighted that "the companies enabled for the Single Profile (for Italy EE and Enel X Italia Srl - "EX") do not have access to the data of users who have created the Unique Profile with the other authorized company." (Paragraph 185). Consequently, according to what was reported in the defensive phase, it is possible that two hypotheses may occur: 1) new user who has not yet created an account through the Unique Profile; 2) access to a reserved area with an existing profile.
NOTED, moreover, that in relation to their status as joint data controllers, responsibility for the contested violations must be attributed separately to each of the companies;


In the first case, the user registers, on the EE website or on the EX website as the case may be, providing his / her data (name, surname, social security number, telephone number, e-mail; the latter two are subject to validation) and creates a personal password.
CONSIDERED that, for the purposes of determining the amount of the pecuniary sanctions, it is necessary to take into account, pursuant to Article 11 of Law No. 689/1981, the work performed by the agent to eliminate or mitigate the consequences of the violation, the seriousness of the violation, and the personality and economic conditions of the offender


In the second case, the user, with the same credentials created at the company with which he first created the account, can access the reserved area of the other company ("For example, first the user created the Unique Profile account on the site and for the reserved area of EE and then wants to access the reserved area of EX"). EE maintained that there was a clear technical and content separation between the two reserved areas and that "no data relating to the reserved areas of the companies authorized to use the Single Profile is exchanged between them."
WHEREAS, in the case under consideration


After having illustrated the technical characteristics of the system, the Company went on to explain how both the mobile number (for the purpose of validating the temporary password mechanism) and the tax code must be considered as indispensable data for the purposes of correct identification to prevent the creation of multiple profiles (Points 194-198). EE then underlined that the measure of authentication via mobile phone number was implemented following some vulnerabilities (creation of multiple accounts) that emerged, with reference to another group company, as part of a previous and separate investigation conducted by the Office of the Guarantor. The indispensability, therefore, of such data for the purposes of the functionality of the service, according to EE, should lead to the conclusion that the dispute regarding the alleged violation of the principle of minimization can be overcome.
- with regard to the aspect of seriousness, the elements relating to the intensity of the psychological element and the extent of the danger and harm must be assessed in view of the fact that the infringements were committed in relation to a significant number of persons concerned


14) With respect to the disputes referred to in number 14 (articles 12 and 13 of the Regulations), the Company has represented that, without prejudice to the fact that no consent for marketing purposes is collected during the creation of the Unique Profile, "the different marketing purposes are instead described, as indicated by the Guarantor in the Contestation, in the specific section "Marketing and / or profiling purposes"." In any case, the Company has communicated that it has revised the information "by making it more clear" (Points 199-204).
- for the purposes of assessing the work performed by the agent, it must be pointed out that, in view of the new requirements laid down by the Regulation, changes have been made, especially with reference to the information


15) As to the granularity and specificity of the consents, with regard to processing carried out by different subjects as independent controllers referred to in number 15 (articles 6, paragraph 1, of the Regulation and 130, paragraphs 1 and 2, of the Code), EE recalled the three purposes identified, namely: 1) direct marketing carried out by EE for EE products; 2) third party marketing; 3) profiling, arguing that this distinction is in compliance with the Guidelines of the Guarantor on the fight against spam adopted in 2013. The Company has specified that it has never carried out profiling activities nor has it ever transferred data to third parties for marketing purposes. Furthermore, EE has never done direct marketing by advertising third party products, including group companies. The Company, finally, has proposed its intention in the future to seek the consent of interested parties for marketing and profiling purposes, reshaping the tripartite structure of consents and better specifying the different purposes with respect to the various owners (attachment 38 to the memorandum) and communicated that it had submitted the related information to a work of revision "with a view to ever more direct communication".
- with regard to the personality of the author of the violation, it must be considered that there are no previous sanctioning proceedings against UBV and UTI;


2.2 Considerations in fact and in law
- with regard to the economic conditions of the agent, the operating budget for the year 2019 was taken into consideration;


The defensive arguments presented by EE do not make it possible to exclude the liability of the Company in relation to the alleged violations for the following reasons, to be considered together with the observations already expressed in the aforementioned contestation deed:
CONSIDERED, therefore, that it is necessary to determine, pursuant to Article 11 of Law no. 689/1981, the amount of the pecuniary sanctions, on the basis of the aforementioned elements assessed as a whole, in the amount of:


1) As regards the dispute relating to art. 31 of the Regulation (Cooperation with the supervisory authority), referred to in number 1, it is an incontrovertible fact that the Company has not provided any response, except after having been requested to do so, to the third request for information from the Guarantor. The laconic, concise and undocumented reference to human error in sorting does not, in fact, negate the criticality profile.
- euro 30,000.00 (thirty thousand) for the breach referred to in Article 161 of the Code, in relation to Article 13;


Likewise in the context of the feedback, the attitude of EE did not give account, in a collaborative and proactive perspective, of analytical and detailed responses about the different cases subject to reporting, so as to facilitate any more appropriate assessment by the Authority. As is known, in fact, the feedback to requests for information from the Guarantor should be provided immediately in the most detailed and complete way possible and the elements useful for defining the investigation framework should therefore be presented already in the preliminary investigation rather than in a defensive phase as solicited. These behaviors, already sanctioned by the Guarantor (injunction order against Iren Mercato SpA of 13 May 2021, web doc. 9670025), risk causing the lengthening and burdening of the procedural process, which the Company has declared its intention to avoid. Nor can any relevance be attributed in this context to the reference to internal regulation no. 1/2019 (Article 7, paragraph 5), given that the provision clearly refers to the defensive phase and not to the preliminary phase.
- euro 100,000.00 (one hundred thousand) for the breach referred to in Article 162, paragraph 2-bis, of the Code, in relation to Article 23;


Moreover, the aforementioned circumstance according to which the Guarantor would not have provided any response or requested further clarifications once it had received the responses from EE is not valid as an exemption, given that it is clearly evident that the duty of collaboration, provided for by the cited art. 31 of the Regulations, falls on the owner, also in its own interest, and not on the supervisory authority.
- euro 100,000.00 (one hundred thousand) for the breach referred to in Article 163 of the Code, in relation to Article 37;


2-4) With reference to the complaints formulated by the Guarantor with regard to the responsibility profiles of the owner and the respect of the principle of privacy by design, as referred to in numbers from 2 to 4 (articles 5, par. 2, and 25, par. 1 of the Regulations; art. 5, par. 2 and art. 5, par. 2 and 24 of the Regulations) the arguments presented by the Company are not convincing and are not capable of overcoming the Authority's findings.
- Euro 300,000.00 (three hundred thousand) for the breach referred to in Article 164-bis, paragraph 2, of the Code;
for a total amount of Euro 530,000.00 (five hundred and thirty thousand);


The main argument raised by the Company in defense of its position, through the reference to an undue spending of its name, is not supported by elements capable of excluding the liability of the owner and remains, as such, a purely hypothetical reconstruction. This is because in none of the argumentative passages developed by the Company was the activity of competitors aimed at acquiring customers by presenting themselves as Enel Energia proven.
CONSIDERING, moreover, that in consideration of the economic conditions of the offender, having regard to the data relative to the overall turnover and the number of users, the above mentioned fine is ineffective and must therefore be increased by four times, as provided by Article 164-bis, paragraph 4, of the Code, for a total amount equal to Euro 2,120,000.00 (two million one hundred and twenty thousand)


In fact, the press articles reported mainly refer to episodes that have nothing to do with the disputed hypotheses, given that the spending of Enel's name is used to try to access, through fraud, the inside of users' homes in order to perpetrate illegal actions to the detriment of the unfortunate (mainly elderly and lonely people).
HAVING REGARD TO the documentation in the files


Similarly, the reference to the trade association Federconsumatori - moreover not relating to a public position taken by the national bodies of the association but rather to an interview given by a local representative (Taranto Section) - refers to the phenomenon of scams and attempts to break into homes. It is therefore irrelevant with respect to the case in question and does not represent a significant profile for the purposes of the Guarantor's assessment and in particular with respect to the issue of accountability.
HAVING REGARD TO law no. 689/1981 and subsequent amendments and supplements


In this regard, it is necessary to premise that the regulatory provisions (articles 5, paragraph 2, and 25, paragraph 1 of the Regulation; article 5, paragraph 2 and article 5, paragraphs 2 and 24 of the Regulation) outline a precise framework of general responsibility weighing on the data controller, not only in the sense of requiring the latter to adopt adequate and effective measures to ensure compliance with the regulations on the protection of personal data but also in the sense of requiring that the owner demonstrate, concretely and with evidence, the compliance of any processing activity that it has carried out directly or that others have carried out on its behalf (see also recital 74, RGPD). It is therefore necessary to provide evidence of overall assessments carried out on the characteristics of the treatments, on the risks connected to them and on the effectiveness and adequacy of the measures adopted on a case-by-case basis. Such effectiveness and adequacy can only be tested and demonstrated through structured and systematic verification mechanisms.
HAVING REGARD TO the observations of the Office formulated by the Secretary General pursuant to Article 15 of the Supervisor's Regulation No. 1/2000, adopted by resolution of 28 June 2000;


The rationale of the aforementioned provisions lies in the need to ensure that the complex of privacy obligations is not reduced to a purely paper-based assembly and that the "chain" of responsibilities in the context of the processing does not provide for undue "blameworthiness" but is always, ultimately, attributable to the owner. These, in fact, are the primary engine of the complex mechanisms that determine the compatibility of the various activities carried out with the provisions of the Regulation and the Code aimed at allowing the interested party to fully govern their data and to fully exercise their rights and freedoms.
BE IT RESOLVED by Mr Guido Scorza, lawyer;


The principle of accountability, therefore, outlined both in a legal perspective (Article 5, paragraph 2 and Article 24) and in a more modern technological dimension (Article 25) involves the overcoming of an exclusively formalistic logic of adaptation to the regulatory provisions, requiring the data controller to prepare systematic verification mechanisms, including ex ante and ex post, of compliance with the legislation on the protection of personal data by all the subjects involved in the processing chain concerning it, which may be attributable to it or which may also bring advantages of an economic nature to the holder.
ORDERED


In this regard, the Guarantor observes, as a preliminary, that the holder provided elements of a formal nature only during the defensive phase, mostly related to the dimension of the contractual lawfulness between EE and its partners - which, moreover, does not prove anything from the point of view of the correct processing of personal data - without producing the necessary evidence of concrete initiatives taken as data controller, in the face of the spread of such an invasive and worrying phenomenon over the years, which should have acted as a true "alarm bell".
Uber B.V., in the person of its pro-tempore legal representative, with registered office at Meester Treublaan No. 7, Amsterdam (The Netherlands), and Uber Technologies Inc., in the person of its pro-tempore legal representative, with registered office at Market Street No. 1455, San Francisco, California, to pay each the sum of EUR 2,120,000.00 (two million one hundred and twenty thousand) by way of administrative fine for the violations indicated in the grounds;


The history, structure and organizational dimension of Enel Energia would have allowed this company, leader in the Italian energy market and always a protagonist of the economic-productive life of the country, albeit with different forms and methods, to prepare, with due diligence, state-of-the-art organizational measures for the protection of data subjects, as well as appropriate and effective control tools on the entire supply chain involved in the processing of personal data. This, all the more so, in consideration, on the one hand, of the amount of personal data held by the company, precisely by virtue of its position and its history (currently 9 million customers - see defensive writings, paragraph 173), on the other hand, of the high number of reports received every month directly by EE (defensive writings, point 167: a monthly average, from April 2020 to April 2021, of approximately 740 requests for the exercise of rights, largely relating to right to object), as well as the numerous and repeated requests for information sent by the Guarantor.
INSTRUCTS


Having said all this, with reference to the specific profile that emerged in the defense on the methods of managing promotional activities in the phase prior to the pandemic, when the EE sales network was prohibited from using telephone lists, it should be noted that the Company should have verified, in the face of the growing number of reports relating to unwanted telephone contacts, that this pressing prohibition had been adequately observed, furthermore proving the existence of verification tools. This also by means of suitable checks to outline and document the origin of the data underlying any contractual proposal and / or the methods of "first contact" of the potential customer. This type of control is completely different from a verification of personal data lists (recalled in the defensive memory), which appears, in fact, irrelevant compared to what is contested by the Authority.
the aforesaid companies to pay, each one, the sum of EUR 2,120,000.00 (two million one hundred and twenty thousand), according to the modalities indicated in the annex, within 30 days from the notification of this measure, under penalty of the adoption of the consequent executive acts pursuant to Article 27 of law no. 689 of 24 November 1981.


These checks could, first of all, be easily carried out if the methods of first contact and / or the origin of the customer data had, for example, expressly formed the subject of analytical indication in the contract registration system, also using the channel information of the Quality call which, on the other hand, from what emerged from the documents, does not contain specific references with respect to the verification of the lawfulness of the original acquisition of the data and / or of the first contact, focusing only on the verification of the regularity of the contractual profiles.
Pursuant to Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, an objection to this measure may be lodged with the ordinary judicial authority, by lodging an appeal with the ordinary court of the place where the data controller resides, within thirty days from the date of notification of the measure itself, or sixty days if the applicant resides abroad.


Similarly, from the documentation provided by the Company and examined by the Guarantor, the characteristics of the methods of access to the systems used to activate the offers and services, through which the agencies can convey the result of their activities, do not emerge with unambiguous clarity. It is on this step, in fact, that the subsequent controls by the owner should focus, especially in a complex and stratified commercial system such as the one presented by EE. In fact, if in a passage of the memory reference is made to the receipt, by EE, of the "contract proposal from the agencies" (Point 37) and in the attached contractual schemes, we read how the agencies undertake to "use exclusively the information system authorized or made available by the Principal", however, no incontrovertible evidence was provided regarding the effective functioning of this system and the monitoring and control activity carried out by EE, in order to demonstrate to the Authority the suitability of the measures. This, all the more so, when we consider that, as emerged from the documentation in the documents, the Company is rather delegating the preventive control on the lawfulness of the first contact in full to the agencies: "Any pre-loading checks in the IT systems performed through the use of telephone contact also falls under the direct and exclusive responsibility of the Agency." (Agency Contract, Annex 13 to the memorandum, point 2.2).
Rome, 24 March 2022


Similarly, within the contract between EE and the partner stores (physical points) a sort of indemnity is identified in favor of EE when we read: "The Partner will be solely responsible for the work of the Enel Points and the Staff, whatever the legal relationships with the same, committing to hold Enel Energia harmless from any claim or request made, in relation to the performance of the activities covered by the Contract, by the Enel Point, by the Staff or by third parties, including those relating to compensation damages, salary obligations, indemnities and social security and / or insurance contributions, as well as those relating to any further obligation or fulfillment deriving from the current legislation on self-employed and subordinate work, from the legislation aimed at protecting the privacy, from the tax legislation." (PENP contract, Annex 12 to the pleading, point 5.3).
THE CHAIRMAN
 
Finally, it should be noted that EE has a series of information regarding the correct management, even by the single operator, of the promotional activities, during the validation of the contracts, being in the condition of being able to easily identify for each contract the sales channel and the appointee (the reference is to the contract code, appointee code, channel code, all present in the application form, freely downloadable on the Company's website). However, it is clear that the Company does not carry out this kind of checks or at least it has not provided evidence of it to the Guarantor, as can be seen both from the aforementioned absence in the Quality call of specific references to verifying the lawfulness of the origin of the data, and from the referral that is made to the activity of the partners and, finally, by the same statements of the company made explicit in the defense when we read: "If some agencies have in hypothesis endorsed commercial calls, extraneous in and of themselves (and not simply for the modalities) to the activities envisaged by EE, EE could not be expected to carry out ex ante controls on activities totally hidden and unrelated to its own commercial chain, activities that EE obviously could not even foresee. Investigations of that type concern the material conduct of the employees of the agencies, behind the agencies themselves and of EE, and do not fall within the powers of the data controller [omissis] When an illegal activity is completely unrelated and invisible to the owner of the treatment, the latter - if he has subsequent evidence of such violations - can only invoke the intervention of the judicial authority and close relations with those who have become protagonists. Nor does the Complaint indicate reasonable measures aimed at mitigating such a risk, given that the Complaint illustrates failed measures relating to the management of telemarketing and teleselling activities not envisaged by EE." (defensive writings, paragraphs 51 and 53).
 
Therefore, having the information necessary to link each contract proposal even with the single operator, the verification of the sales volumes of each operator in relation to other variables, such as, by way of example, the geographical area, the density of population relating to the commercial area of reference and other similar numerical indicators would have made it possible to identify incorrect practices and in violation of the legislation on data protection. Equally essential is the aforementioned verification, to be carried out directly at the customer, of the lawfulness of the origin of the personal data underlying the contractual proposal. Enel Energia had all the necessary tools to counteract "undergrowth" phenomena in the bud, which, moreover, it was aware of well before the intervention of the Guarantor.
 
Measures, such as those described here, if adopted and if represented to the Guarantor (which certainly cannot be attributed for the failure to indicate in the notice of dispute) would have given appropriate knowledge of a not merely formalistic and conservative approach based on the contract and its characteristics but, on the contrary, would have brought out an appreciable proactive approach to protect the complex of consumer and data subject rights.
 
In conclusion, there is no concrete link between the information relating to the promotional activities that are put in place, in any way and in any form, based on the different sales channels, by EE and the platform delegated to the validation and registration of contracts, so that the two different phases (the promotional and the contractual one) remain substantially separate; this makes it possible for agents who intend to convey contractual proposals without following the provisions of the owner to insert them even in the case of illegal or unwanted promotional contact. This makes it not only possible but also highly probable, given the weakness of the "defenses" put in place, that the large amount of unwanted contacts brought to the attention of the Authority were put in place in the context of the promotion of products and services of the Company.
 
In view of the requirements of art. 5, par. 2, of the Regulation, which requires the holder to prove the lawfulness of the treatments, it is precisely the absence of measures, in the official registration system, that verify full compliance with the rules and rights of the interested parties, users and consumers from the moment of first contact that constitutes a condition suited to serving as the gateway for any "unofficial procurers" of contracts capable of "capturing" the recipients of the promotional phone calls complained of, who constantly report a contact in the name of the Company (as already represented in the aforementioned provisions against Vodafone Italia SpA and Fastweb SpA).
 
Moreover, to tackle the problem at its root, it is not sufficient to act exclusively on the "official" sales network, precisely in the face of the reputational damage that the Company complains with so much conviction, but rather to foresee, as the Authority has already had the opportunity to highlight, effective mechanisms aimed at monitoring and countering, also in consideration of the organizational and business capacities of the main Italian energy company, a phenomenon that impacts in such a significant and pervasive way on the private dimension of interested parties who complain of unwanted promotional contacts by Enel Energia and to exclude at the root the possibility of contact by telephone in the Enel Energia sales network.
 
In this sense, the Authority has not failed, on other occasions, to recall, precisely in a preventive logic and with respect for privacy by design, the possibility of resorting to corporate and organizational choices aimed, for example, at inhibiting the contractual activation of offers or services when they are certainly not attributable to activities carried out in compliance with the rules and rights of the interested parties, users and consumers from the moment of first contact and the origin of the data (see the already mentioned measures against Vodafone Italia SpA, 12 November 2020, web doc. 9485681, and Fastweb SpA, 25 March 2021, web doc. 9570997).
 
These same conditions should also be applied to the telemarketing campaigns that EE has admittedly resumed following the pandemic emergency. These activities, in order not to violate the provisions of the Regulation, must be conducted in full compliance with the principles of accountability and privacy by design, the owner having to prove at any time that the activation of offers and services and the registration of contracts take place only following promotional contacts carried out by the Company's sales network through telephone numbers registered in the ROC - Register of Communication Operators and without prejudice to the necessary verification of the contact lists, as repeatedly reiterated by the Guarantor (most recently see Order of injunction against Iren Mercato SpA, May 13, 2021, web doc. no. 9670025).
 
5-6) With reference to the disputes referred to in numbers 5 and 6 (art. 5, par. 1, letter d); articles 5, par. 1, lett. d), and 6 of the Regulation, Lawfulness of processing), the references to a "manual error of the operator", in the first case, and to a material error, in the second, are not valid to relieve the Company of responsibility resulting from the violation of the aforementioned provisions nor do they allow to apply the exemption pursuant to art. 3 of the law n. 689/1981 on the subject of good faith, all the more so because they are not analytically documented and in relation to which EE has not been able to demonstrate the inevitability. However, the Authority takes note of Enel's declaration that it has promptly remedied the error in one of the two cases (cum IV: 147284).
 
As for the disputes referred to in numbers 7 to 9 in relation to the requests for the exercise of rights, it is necessary to put forward some considerations. While taking note of what was stated by the Company in the defense brief (Point VI.G of the brief and annexed table) regarding the substantial volume of requests for the exercise of rights that it manages, both on a monthly and on an annual basis, it must in any case be reiterated that, although the misalignments represented with respect to the ordinary operating methods for the exercise of rights are not statistically significant in relation to the activities of Enel Energia, this element cannot eliminate the need to ensure to the interested parties the individual protection that the Regulation provides, through the adoption of corrective and sanctioning measures.
 
7) with regard to the disputes referred to in number 7 (Article 12 of the Regulation), the arguments provided regarding the delay in the responses in the cases referred to in files 132334 and 129416 (I cum.) do not overcome the observation regarding the violation of the rules governing the necessary timeliness of the feedback that must be provided to the interested parties following requests for the exercise of rights.
 
This, in the present case (132334), also taking into account the circumstance that the previous discipline dictated by the Code already provided for the institution of the so-called "Preventive ruling" and, therefore, the fact that, at the time, full and complete applicability to the new European legislation could not have been relevant. In the same way, the circumstance that the request made by the interested party was at the same time the subject of a request for information from the Guarantor should, if anything, have induced the owner to behave virtuously and not, as happened, with reticence about the reply (129416). In both cases, it is believed that the delay, as communicated to the interested parties, was neither justified nor justifiable, since the owner was undoubtedly able to provide a complete and exhaustive response to their requests right away.
 
In relation, then, to the case reported in file 144726 (III cum.), the reference to a "mere technical misunderstanding" is found in the brief. This circumstance does not relieve the Company of the liability deriving from the violation of Article 12 nor does it allow, in this as in the previous cases, the application of the exemption pursuant to art. 3 of the law n. 689/1981 on the subject of good faith, since no proof was provided that the error did not derive from fault. This, all the more so, because the technical drawback has not been documented in any way, nor has its inevitability been demonstrated.
 
Finally, with reference to file 138729 (IV cum.), since the owner has not provided any further elements aimed at justifying the failure to respond to a request for the exercise of rights, the violation of art. 12 of the Regulation;
 
8) likewise, with reference to the similar dispute, but referring to a different case (IV cum. Fasc. 136020), referred to in number 8 (art. 5. par. 1, lett. of a typing error, does not exceed the observations of the Authority, since the interested party did not receive a clear and unequivocal response in the first instance with respect to the case in point of the complaint. It should be noted that the circumstance of the typing error, if clarified from the beginning and not only in defense and at the request of the Guarantor, would have allowed the Authority to verify, by having more specific elements, the possible existence of a more relevant violation of non-compliance with the principle of accuracy; moreover, in this context it should be pointed out that, in order for the typing error to be considered excusable, the Company, for example, would have had to provide proof of its intention to contact a number differing by a few digits from the one actually called in the context of the same advertising campaign;
 
9) with regard to the dispute referred to in number 9 (Article 21 of the Regulation and Article 130, paragraphs 1 and 2 of the Code), the error committed and recognized by the Company in having indicated an incorrect email address in a communication to the interested party has, in fact, hindered the exercise of the right of opposition (single inquiries: 133249); likewise, the arguments offered by the Company regarding the failure to register the denial during the signing of the contract confirm the existence of the Company's responsibility for sending promotional communications by e-mail without the prior consent of the interested party;
 
10) in relation to the complaint referred to in number 10 (Article 130, paragraph 4, of the Code), the holder has not produced any documentary evidence capable of demonstrating that the complainant had received the necessary, adequate information about the possibility of receiving communications on similar services and products, through their e-mail coordinates and, therefore, about the presence of that objective element of an informative nature which is fundamental for a correct dialogue with the interested parties and which legitimizes the exemption from the acquisition of the relative consent, in addition to the additional elements referred to in art. 130, paragraph 4, of the Code as well as by the Provision of the Guarantor of 4 July 2013 (web doc. No. 2542348) (single investigations: 136321); in the absence of these fundamental elements of an informative nature, the violation of art. 130, paragraph 4, is integrated;
 
11) with reference to the dispute profile relating to the failure to attach documentation on the structuring of consents within the Single Profile (requests IV cum. and IV-bis cum.), the aforementioned defense by the party has no basis. The requests of the Guarantor aimed at understanding the functioning of the Single Profile involved, as a natural corollary, the illustrative documentation of the method of acquiring consents for marketing and profiling purposes;
 
12) with regard to the disputes reported in number 12 (articles 5, paragraph 1, letter a), 12 and 13 of the Regulation) in relation to the information provided to the interested parties, although the Company has clarified the existing interaction between Enel Energia srl and Enel Italia and despite having changed the information on the site to take account of the findings of the Guarantor, the information notice previously provided by the Company to the users of the website was not able to meet the requirements of correctness and transparency for the benefit of the interested parties;
 
13) again in relation to the Single Profile, with respect to the dispute referred to in number 13 (Article 5, par. 1, letter c), of the Regulation), the Guarantor takes note of the explanations provided by EE in the defense phase and believes that the collected elements are relevant and suitable to relieve the Company of responsibility for a failure to comply with the principle of minimization, without prejudice to the necessary re-evaluation, by the data controller, of compliance with the principle of minimization in the event of changes to the current structure represented to the Guarantor, for example through an increase in the number of companies that use the Single Profile and a consequent change in the purposes of the processing;
 
14) with respect to the disputes referred to in number 14 (Articles 12 and 13 of the Regulations), although the Company has represented that it revised the information "by making clearer legal choices." (Points 199-204), the information provided so far cannot be considered complete and exhaustive with respect to the identification of the third parties recipients of the data, given the generic reference to "Enel Group companies, parent companies, subsidiaries or associates, or partners like -market of Enel Energia". With reference to the period prior to June 2021, the information issued to interested parties by EE in the context of its portal was lacking precisely with regard to a necessary identification of the recipients of the data, at least with reference to the product categories, both within the companies belonging to the Enel Group and with reference to a generic range of commercial partners. For these aspects, the information was therefore deficient and inadequate with reference to the requirements set out in Articles 12 and 13 of the GDPR;
 
15) as to the granularity and specificity of the consents, with regard to processing carried out by different subjects as independent controllers referred to in number 15 (articles 6, paragraph 1, of the Regulation and 130, paragraphs 1 and 2, of the Code), given that during the hearing EE communicated that it had already adopted some measures to accept the observations made by the Guarantor (including a revision of the wording of the consents for a better reformulation of the same), the Authority's findings are confirmed. The provision of a consent within the terms ascertained by the Guarantor in the act of initiating the procedure does not meet the requirements of granularity and clarity, obtainable from the regulatory legislation. In fact, a single consent to the communication of data for promotional purposes also by group companies, parent companies, subsidiaries and associates and commercial partners of EE cannot be considered either specific or free and does not constitute a suitable legal basis for the aforementioned treatments, pursuant to art. 6 GDPR.
 
The information provided by the Company in the defensive phase would seem to have made it clear that the consent required for the marketing activities of the "parent companies, subsidiaries, associates or commercial partners of EE" by the same subjects does not refer to a communication of data from Enel to third parties for their marketing purposes. However, in the absence of a clear identification of the recipients, a consent linked to treatments referable to an indeterminate number of subjects cannot be considered suitable.
 
Similar observations can extend to the request for a single consent for profiling purposes both of Enel Energia and of the subjects already mentioned, as autonomous data controllers, since, even in this case, a lawfully acquired consent must be specific and distinct in order to constitute a suitable legal basis, pursuant to the aforementioned regulatory provision.
 
Therefore, with reference to the aspects, including factual, highlighted above and taking into account the statements of the Company, for which the declarant responds pursuant to art. 168 of the Code, as well as the additional documentation produced, the following assessments are formulated regarding the profiles concerning the regulations on the protection of personal data.
 
3. CONCLUSIONS
 
For the foregoing, while the dispute referred to in number 13 can be considered overcome for the reasons set out in the considerations in law in number 13 (par. 2.2), Enel is deemed to be responsible for the following violations:
 
1) Art. 31 of the Regulations, for the reasons described in number 1 of the previous paragraph 2.2;
 
2) Articles 5, par. 2, and 25, par. 1 of the Regulations, for the reasons described in numbers 2 to 4 of the previous paragraph 2.2;
 
3) Articles 5, par. 2, for the reasons described in numbers 2 to 4 of the previous paragraph 2.2;
 
4) Art. 5, par. 2 and 24 of the Regulations, for the reasons described in numbers 2 to 4 of the previous paragraph 2.2;
 
5) Art. 5, par. 1, lett. d), for the reasons described in number 5 of paragraph 2.2 above;
 
6) Articles 5, par. 1, lett. d), for the reasons described in number 6 of paragraph 2.2 above;
 
7) Art. 12 of the Regulations, for the reasons described in number 7 of paragraph 2.2 above;
 
8) Art. 5, par. 1, lett. a) and 12, par. 2 of the Regulations, for the reasons described in number 8 of paragraph 2.2 above;
 
9) Art. 21 of the Regulation and art. 130, paragraphs 1 and 2 of the Code, for the reasons described in number 9 of paragraph 2.2 above;
 
10) art. 130, paragraph 4, of the Code, for the reasons described in number 10 of paragraph 2.2 above;
 
11) Art. 31 of the Regulations, for the reasons described in number 11 of paragraph 2.2 above;
 
12) Articles 5, par. 1, lett. a), 12 and 13 of the Regulations, for the reasons described in number 12 of paragraph 2.2 above;
 
13) Articles 12 and 13 of the Regulations, for the reasons described in number 14 of the previous paragraph 2.2;
 
14) Articles 6, par. 1, of the Regulation and 130, paragraphs 1 and 2, of the Code, for the reasons described in number 15 of the previous paragraph 2.2;
 
From this ascertainment of the illegality of the Company's conduct with reference to the treatments taken into consideration, it is necessary, vis-à-vis Enel Energia S.p.A., to:
 
- issue a warning, pursuant to art. 58, par. 2, lett. a), of the Regulations, regarding promotional campaigns through telesellers which, according to the defensive statements, EE resumed following the pandemic emergency. These campaigns, in order not to violate the provisions of the Regulation, must be conducted in full compliance with the principles of accountability and privacy by design, the owner having to prove at any time that the activation of offers and services and the registration of contracts take place only following promotional contacts made by the Company's sales network through telephone numbers registered in the ROC - Register of Communication Operators and after the necessary verification of the contact lists;
 
- issue a warning, pursuant to art. 58, par. 2, lett. b), of the Regulation, regarding the fact that providing an incomplete and unsuitable representation and evidential documentation regarding elements of assessment by the Authority, as well as omitting the response to a request for information formulated by the latter during the preliminary phase of the procedure, constitutes a violation of the duties of collaboration with the supervisory authority to which the data controller is bound pursuant to art. 31 of the Regulation;
 
- order, pursuant to art. 58, par. 2, lett. d) of the Regulations, the adaptation of each treatment carried out by its sales network to methods and measures suitable for providing and proving that the activation of offers and services and the registration of contracts take place only following promotional contacts that, if made by telephone, have been carried out by the aforementioned sales network through telephone numbers registered in the ROC - Register of Communication Operators and in compliance with the provisions of art. 130 of the Code;
 
- order, pursuant to art. 58, par. 2, lett. d), the implementation of all the additional technical and organizational measures necessary for the management of the requests to exercise the rights of the interested parties - and in particular the right to object to promotional purposes - which make it possible to give feedback to the interested parties, as well as to identify and correctly acknowledge their effective will, without undue delay, and in any case, at the latest, within 30 days of receiving the requests, without prejudice to overriding legitimate reasons and without prejudice to the need, promptly communicated to the interested parties, of any extension for feedback;
 
- request to communicate what initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback, pursuant to art. 157 of the Code, within 40 days from the notification of this provision; any non-response may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation;
 
- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application to Enel Energia S.p.A. of the administrative pecuniary sanctions provided for by art. 83, par. 4 and 5, of the Regulation.
 
4. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
 
The violations indicated above require the adoption of an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application to Enel Energia S.p.a. of the pecuniary administrative sanction provided for by art. 83, para. 3, 4 and 5, of the Regulation (payment of a sum up to € 10,000,000 or, for companies, up to 2% of the annual worldwide turnover of the previous year, if higher and payment of a sum up to € 20,000,000 or, for companies, up to 4% of the annual worldwide turnover of the previous year, if higher);
 
To determine the maximum legal amount of the pecuniary sanction, it is therefore necessary to refer to the turnover of Enel Energia SpA, in accordance with the previous provisions adopted by the Authority, and therefore to set this maximum, in the case in question, at € 530,279,555.
 
For the purposes of determining the amount of the penalty, the elements indicated in art. 83, par. 2, of the Regulations;
 
In the case in question, the following are relevant:
 
1) the seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation) - with reference to the disputes referred to in numbers 2, 3 and 4, due to the particular pervasiveness of unlawful contacts made in the name of the owner (detrimental to various fundamental rights and, in particular, in addition to the right to the protection of personal data, the right to privacy and the right to individual tranquility), the level of damage actually suffered by the data subjects, who have been incessantly exposed to nuisance calls, the growing difficulties they encounter in stemming the phenomenon, and the multiplicity of conducts put in place by EE in violation of several provisions of the Regulations and the Code;
 
2) as an aggravating factor, the duration of the violations (Article 83, paragraph 2, letter a) of the Regulation), due to the repeated nature of the violations referred to in numbers 2 to 4, which lasted more than six months, considering that the first reports refer to unwanted calls in 2018; similarly, the Single Profile was active in the manner illustrated in numbers 12 to 15 until June 2021, when, according to the statements made by the Company, the information and consent box were modified;
 
3) as an aggravating factor, the high number of parties involved (Article 83, paragraph 2, letter a) of the Regulation) which, for the violation referred to in numbers 2 to 4, must take into account not only the numerous whistleblowers and claimants (140); similarly extensive is the audience of interested parties whose data are processed in the context of the Single Profile. According to what the Company reported during the re-confrontation, this would involve over 3 million Enel Digital users;
 
4) as an aggravating factor, the negligent nature of the conduct (Article 83, paragraph 2, letter b) of the Regulation) in consideration of the wide and constant dialogue with the Guarantor on all aspects of telemarketing, as well as the relevant provisional activities of the Authority, elements which, also in the light of recent Authority measures, should have constituted a valid support in the organizational choices of the Company but which, in particular with reference to the violations referred to in numbers 2 to 4, were largely disregarded.
 
5) as aggravating factors the specific recurrence of the conduct (Article 83, paragraph 2, letter e) of the Regulation) and the previous adoption by the Authority of similar corrective and sanctioning measures with reference to similar treatments (Article 83, par. 2, letter i) of the Regulation);
 
6) as a mitigating factor, the adoption of measures aimed at mitigating the consequences of violations (Article 83, paragraph 2, letter c) of the Regulation), with reference, in particular: a) to the implementation of the possibility for the interested party to check directly from the EE website "the traceability to EE and its partners of the numbers from which he has received commercial calls."; b) the modification of the information on the site, including that relating to the Single Profile; c) the reformulation of the illustrative captions in the vicinity of the boxes for the acquisition of consents, always within the scope of the Single Profile;
 
7) as additional factors to take into consideration to parameterize the sanction (Article 83, paragraph 2, letter k) of the Regulation), the large time margin granted to all data controllers in order to allow them a complete and consistent adaptation of systems and procedures to the new European legislation, in force since 25 May 2016 and fully applicable from 25 May 2018; the particular attention that the legislator has dedicated to the regulation of the telemarketing phenomenon, also with recently adopted regulatory interventions (e.g., law no. 5/2018); Enel Energia's primary market position in the telecommunications sector and the overall economic value of the Company; the need to promptly introduce adequate measures, in the face of a clear and perceptible increase in the phenomenon of promotional communications, of which the Company has shown to be fully aware, as the deadline set by the legislator for the definitive transition from the protected market for electricity and natural gas to the free market.
 
On the basis of all the elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, in the initial application of the administrative pecuniary sanctions provided for by the Regulation, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is believed that the administrative sanction of the payment of a sum of € 26,513,977 (twenty six million, 513,977), equal to 5% of the maximum legal sanction, should be applied to Enel Energia Spa, in line with other recent measures adopted by the Authority in the field of telemarketing.
 
In the case in question, it is believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the conduct of the Company as well as the high number of subjects potentially involved in the treatments examined;
 
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
 
IN VIEW OF ALL THE ABOVE, THE GUARANTOR
 
a) issues a warning to Enel Energia S.p.A., pursuant to art. 58, par. 2, lett. a), of the Regulations on promotional campaigns through telesellers which, according to the defensive declarations, the owner has resumed following the pandemic emergency; such campaigns, in order not to violate the provisions of the Regulation, must be conducted in full compliance with the principles of accountability and privacy by design, the owner having to prove at any time that the activation of offers and services and the registration of contracts take place only following promotional contacts made by the Company's sales network through telephone numbers registered in the ROC - Register of Communication Operators and after the necessary verification of the contact lists;
 
b) issues a warning to Enel Energia S.p.A., pursuant to art. 58, par. 2, lett. b), of the Regulation, regarding the fact that providing an incomplete and unsuitable representation and evidential documentation regarding elements of assessment by the Authority, as well as omitting the response to a request for information formulated by the latter during the preliminary phase of the procedure, constitutes a violation of the duties of collaboration towards the supervisory authority to which the holder of the treatment is bound pursuant to art. 31 of the Regulation;
 
c) orders Enel Energia S.p.A, pursuant to art. 58, par. 2, lett. d) of the Regulations, to adapt any processing carried out by its sales network to methods and measures suitable for providing and proving that the activation of offers and services and the registration of contracts take place only following promotional contacts which, if made by telephone, have been carried out by the aforementioned sales network through telephone numbers registered in the ROC - Register of Communication Operators and in compliance with the provisions of art. 130 of the Code;
 
d) orders Enel Energia S.p.a, pursuant to art. 58, par. 2, lett. d), to implement all the additional technical and organizational measures necessary for the management of the requests to exercise the rights of the interested parties - and in particular the right to object to the promotional purposes - which make it possible to give feedback to the interested parties, as well as to identify and correctly acknowledge their actual will, without undue delay, and in any case, at the latest, within 30 days of receipt of the requests, without prejudice to overriding legitimate reasons and without prejudice to the need, promptly communicated to the interested parties, for a possible extension for the reply;
 
e) orders Enel Energia S.p.a., pursuant to art. 157 of the Code, to communicate to the Authority, within 40 days of notification of this provision, the initiatives undertaken in order to implement the provisions and prohibitions adopted, as well as the requests of the complainants; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation
 
ORDER
 
to Enel Energia S.p.a., in the person of the pro-tempore legal representative, with registered office in Rome, Viale Regina Margherita n. 125, Tax Code 06655971007, to pay the sum of € 26,513,977 (twenty six million, 513,977) as a fine for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed.
 
ENJOINS
 
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 26,513,977 (twenty-six million, 513,977), according to the methods indicated in the annex, within 30 days from the notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.
 
ORDERS

the application of the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
 
Pursuant to art. 152 of the Code and 10 of Legislative Decree n. 150/2011, against this provision, opposition may be proposed to the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself.
 
Rome, December 16, 2021
 
PRESIDENT
Stanzione


THE RAPPORTEUR
THE REPORTER
Ghiglia
Scorza
 
THE DEPUTY SECRETARY GENERAL
Filippi

SEE ALSO
 
Press release dated January 19, 2022
 
 
 
[doc. web n. 9735672]
 
Order injunction against Enel Energia S.p.a. - December 16, 2021
 
Record of measures
n. 443 of December 16, 2021
 
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
 
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and dr. Claudio Filippi, Deputy Secretary General;
 
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46 / EC (General Data Protection Regulation, hereinafter the "Regulation");
 
GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");
 
HAVING REGARD to the documentation on file;
 
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
 
RAPPORTEUR Dr. Agostino Ghiglia;
 
WHEREAS
 
1. THE INVESTIGATION ACTIVITY CARRIED OUT
 
1.1 Introduction
 
With act no. 26890/21 of May 14, 2021 (notified on the same date by certified e-mail), which here must be understood as fully reproduced, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation vis-à-vis Enel Energia S.p.a (hereinafter "EE" or "the Company") in the person of the pro-tempore legal representative at the company's registered office in Rome, Viale Regina Margherita no. 125, Tax Code 06655971007.
 
The proceeding originates from a complex investigation initiated by the Authority following the receipt of numerous complaints and reports from interested parties, who complained, primarily but not exclusively (as discussed further in par. 1.2 below), of receiving, in the name and on behalf of Enel, one or more unwanted promotional phone calls, including via pre-recorded disc, on reserved numbers or numbers registered in the public register of oppositions, together, in some cases, with related complaints regarding the exercise of rights and, more generally, the management of user data in the context of energy supply services.
 
The phenomenon of telemarketing in the energy sector, of which the investigation against Enel is part, had already been the subject of the Guarantor's attention in the past, but has undergone a sharp and worrying increase as the deadline set by the legislator (moreover following multiple extensions) for the definitive transition from the protected market of electricity and natural gas to the free market approaches (see, most recently, Article 12, paragraph 9-bis, letter b) of Law Decree 31 December 2020, n. 183, converted, with modifications, by law February 26, 2021, n. 21). In this context, the Authority received complaints from citizens about a persistent and disturbing sense of interference in their own sphere of confidentiality due to these practices, often accompanied by behaviors that are not only invasive but also, as complained, particularly aggressive.
 
The Authority's approach, in line with previous investigations relating to other data controllers, was therefore based on an overall observation and evaluation, rather than on an individual response to each single complaint (albeit fundamental and necessary), of behaviors that reveal an already known phenomenon, to which the approach of the aforementioned legislative deadline has added elements of chronicity, particular intensity and, consequently, invasiveness in the private sphere of the interested parties.
 
In the context of the regulations on the protection of personal data, the systemic and global analytical approach to the problem that the Guarantor intended to apply is particularly relevant for understanding the nature and purpose of the processing and the technical and organizational measures adopted by the data controller to ensure compliance with the EU General Regulation 679/2016 (hereafter "RGPD" or "Regulation") as a whole, as well as, in light of the principle of accountability (Article 5, par. 2, RGPD), the methods by which compliance with this regulatory framework is proven.
 
Therefore, the activity of the Guarantor was carried out mainly through unitary investigations and requests for cumulative information. With the entry into force of regulation no. 1/2019, concerning the performance of the tasks and the exercise of the powers delegated to the Authority (in www.gpdp.it, web doc. No. 9107633), the Office was in fact able to avail itself of the option provided for in art. 10, paragraph 4, to carry out the preliminary investigation precisely in relation to multiple complaints and reports having the same object or relating to the same data controller or processor, or to data processing related to each other. This is in order to examine, with greater effectiveness and, at the same time, necessary economy of the means of investigation, the complaints that have concerned a plurality of conducts referable not only directly to Enel but also to some commercial partners which it uses.
 
In this context, Enel S.p.A. and Enel Energia S.p.a. initially received, from December 2018 to July 2020, four separate requests for cumulative information (infra par.1.2) which concerned a total of 135 files and were divided as follows:
 
13 December 2018, relating to 25 reports (file 133144; hereinafter "I cum."), followed by the company's reply sent to the Guarantor on 21 December 2018;

19 August 2019, relating to 32 reports (file 133144; hereinafter "II cum."), with the company's reply sent to the Guarantor on 6 September 2019;

December 17, 2019, relating to 25 reports (file 133144; hereinafter "III cum."), with the company's reply sent to the Guarantor on August 21, 2020;

10 July 2020, relating to 8 complaints and 45 notifications (file 152287; hereinafter “IV cum.”), followed by the company's response sent to the Guarantor on 21 August 2020; as well as, on 24 December 2020, a further request to supplement the information provided with regard to the cases already identified in the aforementioned note of 10 July 2020 (file 152287; hereinafter “IV-bis cum.”). The response to this last request was received on January 14, 2021. The replies to the aforementioned requests for information were received only from Enel Energia, as the company active in the free market for the sale of electricity and natural gas.
 
The objections raised against EE also took into account the findings that emerged from investigations carried out on individual cases. The reference is, in particular, to 5 further complaints submitted, pursuant to art. 77 RGPD, before 20 July 2020 (par. 1.3 below).
 
1.2. Requests for information and presentation of documents, pursuant to art. 157 of the Code and the feedback provided by Enel
 
The detailed examination of the complaints received by the Authority led, in accordance with the aforementioned logic, to the formulation of various requests for information, at successive times, to the companies concerned, pursuant to the combined provisions of Articles 58, par. 1, lett. a) GDPR and art. 157 of the Code. The respective file numbers are specified in brackets. These requests and the feedback provided by the Company are summarized below, without prejudice, however, to the full and complete reference to what has already been reported in the contestation deed.
 
Request of 13 December 2018 (I cum.): The complaints received by the Guarantor, underlying the aforementioned requests for information, concerned, in particular, the processing of personal data of the interested parties in the context of unwanted promotional telephone calls made to reserved numbers in the absence of the necessary consent of the interested parties (132890, 133076, 132810, 132578, 131243, 131039, 130428, 129707, 122612, 106175) or to fixed-line numbers despite the registration of the number in the public register of oppositions (132985, 132792, 131811, 131762, 131444, 131337, 131237, 130644, 130529, 130349, 130197, 130077, 129198), as well as late replies to requests to exercise the rights of access to personal data or to object to the related processing for marketing purposes (132334, 129416).
 
With regard to the undue promotional contacts made both to interested parties whose numbers were reserved and to interested parties whose numbers were registered in the ROP, which were the basis of the request for information of 13 December 2018, the overall response provided in particular by EE highlighted that in all the reported cases the calling numbers did not belong to those in use by the company or its commercial partners and that said numbers, from an online search, were related to "self-styled operators who illegitimately spend the name of Enel Energia itself - or that of other companies also operating in sectors other than the energy one" (see the company's response of 21 December 2018).
 
On the other hand, with reference to the exercise of the rights whose non-response was complained of (files 132334 and 129426), the answers provided by EE, again following the aforementioned request from the Office, effectively accounted for the delay recorded by the company in following up on the requests of the interested parties.
 
Request of 19 August 2019 (II cum.): With regard to the feedback provided in particular by EE following the second request for information made by the Office on 19 August 2019 (files 116720, 116698, 136284, 137069, 137220, 137655, 137710, 137730, 137772, 137777, 138579, 139334, 140475, 136877, 136921, 136932, 137159, 137360, 138000, 139071, 139222, 139228, 139838, 139930, 140166, 140273, 140301, 138749, 138775, 139131, 139219, 138716), EE again represented that, also in the new complaints presented to the Guarantor, the unwanted promotional telephone calls that the interested parties reported as attributable to EE instead came from numbers unrelated to the company and its network of commercial partners.
 
More specifically, the company highlighted that from the computer checks carried out in its company systems, most of the interested parties had never had a contractual relationship with it. Only in five cases the personal data of the reporting persons were found to be present in the EE systems due to existing contractual relationships, while in six cases the contractual relationships were terminated. With respect to two specific cases, however, the company found that the promotional contacts were attributable, in one case, to one of its partners by virtue of an agency contract still in place (136877) and, in the other, they came from a former partner, with which the contractual relations had been concluded prior to the making of the unwanted promotional phone call (137360, 138000).
 
Request dated 17 December 2019 (III cum.): A new request for information was sent to the Company regarding a further 25 reports, relating to holders of numbers that were either reserved, in the absence of the necessary consent (142718, 142745, 142834, 143230, 142718, 143221, 143721, 144373, 144437, 144518), or registered in the public register of oppositions (142833, 143025, 143222, 143688, 143749, 143766, 144316, 144446, 145020).
 
The complaints received also concerned the receipt of promotional calls declared to be in the interest of EE via a pre-recorded disc (143863, 144081, 144296, 144240, 144385). In one case, the reporting party, in the face of undue receipt of promotional phone calls, exercised his rights towards EE, in particular that of opposition to processing for direct marketing purposes (144760).
 
In response to what the interested parties represented, the company did not provide any kind of feedback within the deadline, which led the Guarantor to reiterate, pursuant to art. 157 of the Code, the request for information regarding the aforementioned files, together with a subsequent request, which became necessary in the face of further reports and complaints subsequently received by the Authority (IV cum.).
 
However, the late overall response provided by the company showed that in all cases the calling numbers did not belong to those used by EE and its partners.
 
In relation to cases in which the reporting parties stated that they had been contacted through automated methods, in particular an answering machine, EE provided its feedback, highlighting that it is not "in the availability of the personal data of the interested parties" (143863; 144240; 144296), and also stating that it does not make "promotional calls via automated answering machine." (144240). In two other cases, the company did not provide any feedback, apart from the aforementioned generic reference to the extraneousness of the calling numbers (144081; 144385).
 
Similar statements were made by the company in relation to further reports (139123 and 143511), initially subject to independent investigation and subsequently merged into the aforementioned main proceeding. In these reports, the reporting parties complained of various unwanted promotional contacts via pre-recorded disc which, in view of the imminent termination of the protected market, invited the transition to the free market with EE. The company, in the context of subsequent discussions with the reporting parties, denied that these contacts could be traced back to it.
 
EE's extraneousness to the complained-of phenomenon was also reiterated in response to another report (file 139206) in which the interested party, after having complained for the umpteenth time about the continuous phone calls from the "Enel Energia answering machine", acknowledged having selected, at the end of the pre-recorded message, key “3” with the option of being contacted again. Following this action, the reporting party declared that he had actually been contacted by a human operator in the name of EE and, indeed, that he had scheduled a subsequent visit and met a self-styled agent presenting himself as an Enel appointee, only to then ascertain the involvement of a commercial partner of EE, XX., and to receive from the latter company, following the legitimate exercise of his rights, only the indication that it does not manage call center activities or promotional activities.
 
As part of the cumulative requests and the relative feedback provided, also with regard to the reports regarding users registered in the public register of oppositions, the company then reiterated that in some cases the interested parties were holders of contracts that have now ceased (143688, 143766, 144446); or, in others, still outstanding (142833, 143749, 143766, 145020).
 
Request of 10 July 2020 (IV cum): the grievances underlying the fourth request concerned, once again:
 
receiving unwanted promotional calls to numbers registered in the opposition register (136820, 140498, 140527, 140842, 141460, 142199, 143304, 143549, 143610, 146926, 147410, 148139, 151382) and to reserved numbers without prior acquisition of the necessary consent (109024, 136529, 139443, 140347, 140821, 141283, 141602, 142057, 145842, 146806, 146898, 147277, 147347, 147737);

the use of pre-recorded discs, again in the context of promotional and commercial calls (138477, 140347, 144213, 147139, 147196, 147750);

the failure of Enel Energia to respond to the exercise of the relative rights, as well as the receipt of further promotional telephone calls, including pre-recorded ones, despite the acknowledged opposition to the processing (138729, 140347, 146556, 140058, 143143, 142953, 150137).
 
The Authority's requests also pointed to the opportunity to provide clarifications on:

the relations between EE and other companies that allegedly contacted the interested party on its behalf, as well as the use of the telephone number (136020);

the alleged mandatory consent to be given for marketing and profiling purposes by other companies of the Enel group and commercial partners, in the context of the use of apps for consulting consumption and for paying bills (142396, 142400, 143619, 144726);

the sending of promotional text messages in the absence of the interested party's consent (150613);

the acquisition and automatic association of contact telephone numbers (146166, 138115);

the sending of invoices and other personal data to other users (147284);

the improper use by third parties of information available to EE (143728) as well as the related forms (151477);

further and distinct complaints (140103; 140911).
 
In view of the aforementioned framework, EE recalled the sales processes it uses as a company active in the free market for electricity and natural gas, also through its own commercial network, and declared that it had also adopted, with regard to its sales partners, adequate technical and organizational measures with respect to the processing of personal data involved in these processes.
 
The Company also acknowledged "that it has to manage an important number of complaints which, however, in most cases are not attributable to the commercial conduct adopted by the same", as well as the frequency of abusive use of its name by third parties, who through fraudulent conduct try to gain an economic advantage and undermine its consolidated reputation. In this sense, EE intervened "warning these subjects to cease the illegal activities inherent in the abusive use of their distinctive signs and the unfair commercial practices put in place, also by filing a complaint with the Judicial Authority". The reference here was, in particular with respect to the phenomenon of pre-recorded telephone calls, to two complaints filed with the Public Prosecutor of Rome on 12.11.2019 and 2.3.2020 respectively.
 
In relation to the complaints about the receipt of promotional phone calls via pre-recorded disc, the company highlighted, once again, its extraneousness to these methods of contact, justifying in any case the availability of the data of the reporting parties on the basis of the reasons already mentioned previously (140347: some automated calls were made by an EE partner; 144213: for complaint management purposes; 147139: perceived quality detection process; 1457750: for reporting purposes).
 
With regard to the complained-of obligation to give consent for marketing and profiling purposes in order to access and use the online services and the app for consulting and paying invoices (142396, 144726, 142400, 143619), EE then represented that, to simplify these functions, the so-called Single Profile was implemented, consisting of an account for accessing the web portals and apps of the Enel Group companies. The company also stated that "for the purposes of registering the account, only the confirmation of having read the information by the user is required and not the release of consent to the processing of personal data for marketing and profiling purposes [omissis], as instead erroneously reported by some complainants". This circumstance, with respect to individual complaints, was communicated directly to the interested party only in one case (142396).
 
With respect, however, to the additional individual cases highlighted, here we are limited to making full and complete reference to what is reconstructed in the contestation deed, referred to here in its entirety.
 
Request dated 24 December 2020 (IV-bis cum.) and assessment carried out by the Office: with reference to the latest reply received from EE (21 August 2020, reply to III cum. and IV cum.), the company received a further request for information and clarifications regarding some circumstances that emerged therein, in particular the role of some commercial partners and the related activity, as well as the actions undertaken and the measures adopted against these subjects. In particular, with regard to the significant phenomenon of pre-recorded telephone calls for promotional purposes, with respect to which the company had previously declared that it was not involved in any way, a more precise response was requested with respect to the initiatives allegedly undertaken and the measures adopted to counter this phenomenon.
 
In providing further feedback to the Guarantor, on 14 January 2021, EE sent the contractual addendum models governing the relations between it and some of its commercial partners and also specified, with reference to each case subject to the request for information, that, following the request for information from the Guarantor of 10 July 2020, it had contested the illegitimate use of the personal data of the reporting parties and notified some partners of the contractually envisaged penalty (136820, 140911, 141460).
 
In relation to the phenomenon of calls made via automated answering machine, EE communicated, attaching documentary proof, that it had filed two complaints with the Public Prosecutor's Office of Rome, on 12 November 2019 and 2 March 2020, in order to protect its good name, illegally used by third parties as well as "to distance themselves" from this promotional contact method.
 
With regard, then, to online services and in particular to the preparation of an app for consulting energy consumption and for the payment of bills by users, as part of the so-called Unique profile, the company was requested to provide clarifications regarding the operating methods of the aforementioned app, as well as indications on the quantitative dimension of the service.
 
The company responded to this request, highlighting that “In order to access digital services, the Unique ID must be activated. [omissis] Through a single pair of credentials (username and password) it is possible to access all the digital services that the individual companies of the Enel Group make available, without the need to make a new registration in order to access one of the companies of the Enel Group other than the one for which the first registration was made.” Currently, this access method applies only to Enel Energia and Enel X, while the companies of the Enel Group subject to the unbundling legislation are excluded from the Single Profile (as regards Italy, SEN and E-distribution).
 
EE also stated that "Through the Single Profile, companies only share the credentials necessary for access to their respective digital services", specifying that "the personal data that have been given by the digital user to the various companies (for example, for the purposes of management of the existing contractual relationship with them) are not transferred from one company to another". Since September 2019, the use of the Single Profile is mandatory for all digital users, i.e. users who had previously activated an online account and who have been guided, through a migration process, to the new profile, i.e. for users who did not previously use digital services.
 
Finally, the company provided information on the quantitative dimension of the use of the Single Profile (3,113,254 users) and the App (1,665,969 users).
 
Given the persistent lack of information about the methods of granting consents for marketing purposes in the context of the creation of the Unique Profile and use of the App, despite the reporting parties' complaints on this specific aspect having been fully transmitted to the company (142396, 144726, 142400, 143619), the Office deemed it appropriate to carry out an investigation directly (see report of investigations carried out, May 7, 2021 and annexes).
 
In this sense, it was possible to see that, after entering the required data (name, surname, contact information, tax code), the user views a first information screen, in which both Enel Energia and Enel Italia S.p.a. are indicated as independent data controllers. Subsequently, it is possible to view a second screen relating to the Terms and conditions of the service and the Privacy Policy, accompanied by two boxes that must necessarily be ticked in order to proceed with the registration (as described by EE in the reply of 14 January 2021). The confirmation of having read the aforementioned conditions and the information notice, which sets out the purposes for which the consent, albeit optional, of the interested party is requested, is not, however, followed by an immediate and easy view of a specific section dedicated to the collection of any consents referred to in the information notice itself. Only after completing the registration procedure and accessing the reserved area, in fact, can the user begin a path, which is not easy to understand, that leads them to express their consent or refusal regarding the processing of their own data for the marketing and profiling purposes of EE, Group companies and third parties.
 
1.3. Complaints instructed individually
 
Autonomous investigations merged into this unitary discussion with the main procedure, based on the provisions of Articles 10, paragraph 4, of the regulation of the Guarantor n. 1/2019 and 8, paragraph 2, of the regulation of the Guarantor n. 2/2019, were conducted in relation to various complaints received by the Authority in the period taken into consideration.
 
The issues raised concerned, once again, the phenomenon of unwanted promotional calls, in particular through pre-recorded discs, for the transition to the free market with EE, addressed to both former customers and non-customers of EE, some complaints about the exercise of rights and sending unsolicited promotional communications via e-mail or text message.
 
In particular, in three complaints (files 142298, 144397 and 136321) the receipt of various unwanted telephone contacts was complained of, even though the interested parties had already represented this situation on several occasions to EE, requesting the cancellation of their personal data or communicating their opposition to processing for promotional purposes. In two of these cases the calls were made via a pre-recorded disc (files 142298 and 144397), and in one in particular (file 142298) the complainant was even able to report in detail having received, after selecting the so-called "Option 3" to be contacted again (an option present in the recording), a subsequent telephone call from a call center operator who, presenting himself as EE, proposed the switch to the latter in the free market and confirmed, moreover, upon repeated requests by the interested party, that he was acting on behalf of Enel and not of third-party companies.
 
Other specific issues concerned, again in the context of unwanted promotional communications by EE, the correct management of requests to exercise the rights guaranteed by articles 15-22 of the Regulation, in particular requests to object to the processing of data, made when signing the contract (file 133249) and/or subsequently through a specific communication to the data controller (files 133249, 136529 and 136321).
 
Finally, in two cases, the complainants also complained of receiving unsolicited promotional communications via e-mail and / or text message (files 133249 and 136321).
 
In general, in the face of all the complaints about unwanted promotional telephone calls, the Company has always declared itself completely unrelated to the calls reported, specifying that the caller numbers from which the complained contacts were received do not belong to the range of numbers used by EE or to those that can be connected to their partners.
 
Only in one case (file 136321), following the request for information from the Guarantor, did the Company highlight that the complained-of telephone contact had been made as part of customer satisfaction activities by company XX, with which EE had entered into a contract for the performance of this service, appointing it as the data processor.
 
More specifically, with regard to the alleged use of the pre-recorded disk, EE represented, in relation to the two aforementioned complaints (files 142298 and 144397) that it did not have any automated answering machine system to make outbound calls for promotional purposes, or to propose new contracts or acquire new customers.
 
As for the requests relating to the exercise of rights, in one case (file 133249), EE admitted the delay in the management of the request, first attributing it to a technical problem linked to the management of its certified mail; then, while acknowledging that it had registered the complainant's objection in its company systems, it attributed the incorrect registration of the latter's wishes to the operator of the Enel point during the loading of the contractual information, with the consequence that "due to this error the email address provided by the customer when signing the aforementioned contract was used as the recipient of email marketing campaigns carried out with the logic of soft spam". With respect to the communications sent by the complainant, the company then stated that the e-mail address to which they were allegedly addressed is non-existent and in any case that it subsequently proceeded to correctly register the opposition of the interested party in its company systems. In response to this representation, the interested party replied, highlighting, in particular, that the contact address was the one expressly indicated at the bottom of the promotional e-mails received.
 
With regard to the complaint that also concerned the receipt of unsolicited promotional communications via e-mail and text message (file 136321), EE highlighted that: a) the e-mail communication concerning the possibility of subscribing to a loyalty program, promoted by the company, "was sent as "soft spam", since it is a communication relating to services that the customer can benefit from as part of the supply service"; b) the communication received via text message and sent from an energy sales point was found to be attributable to a former partner of EE, warned by the company of the illegitimate use of the Enel trademark.
 
1.4 Closure of the investigation and initiation of the procedure for the adoption of corrective measures
 
Having examined the feedback provided by the Company, the Office, pursuant to art. 166, paragraph 5, of the Code, has adopted the act of initiating the procedure referred to in the introduction, with which it has challenged the Company for violations of the following provisions:
 
1. Art. 31 of the Regulation (Cooperation with the Supervisory Authority), for not having provided any response to the request sent by the Guarantor to the company on 17 December 2019 (III cum.), as a result of which, in order to obtain all the elements useful for an evaluation of the merits, the Office deemed it necessary to repeat the aforementioned communication (IV cum.); equally inconsistent with art. 31 of the Regulation was the attitude adopted in the replies to I, II, III cum. (received, in the latter case, as mentioned, only following a repeated request) and IV cum. (limited to some issues). The company, in fact, limited itself to highlighting that the calling numbers did not belong to the group of those in use by itself or its partners, without providing precise elements of evaluation in support of what was stated or offering specific evidence of the necessary verification of these numbers against its own sales network, mostly putting together a series of standardized responses for each of the reports. More specifically, in response to requests III and IV cum. (communication of the Company of 21 August 2020), a specific and analytical response to some of the reports received by the Authority was lacking, as the company limited itself to a generic exclusion of the calling number from those used by EE and its partners (III cum. 144373, 143221, 143025, 143222, 144316, 144081, 144385; IV cum. 140821, 145842, 146898, 142199, 143304, 146926, 138477, 147196; single inquiries: 136529) without providing, in fact, any element even of general classification of the individual cases highlighted.
 
2. Art. 5, par. 2, and 25, par. 1 of the Regulation (Principle of accountability and privacy by design), for not having undertaken an effective counteraction with respect to the phenomenon of undue promotional contacts carried out in its name, exercising (and being able to prove) in a full and conscious way, its attributions, to which the duties of accountability and privacy by design correspond (through elements of prevention, functionality, security, transparency of treatment and centrality of the interested party).
 
The mere non-traceability of the calling numbers to the shortlist of those in use by the company and its commercial partners, repeated several times by EE as an element of response to the requests sent by the Guarantor, must, in fact, be read critically in light of the proactive perspective that defines the principle of accountability of the data controller and that permeates the entire new regulatory framework of data protection.
 
Precisely the significance of the phenomenon and the circumstance that the telephone contacts were made in the name of Enel Energia as well as the primary role it plays as an operator in the energy market and the considerable organizational and management possibilities that characterize it, would have required feedback more in line with the necessary and essential work of constant vigilance and monitoring of the phenomena that emerged as a result of complaints also received directly by the company, especially in the area of telemarketing.
 
Furthermore, there has been no evidence, apart from a generic reference to the contractual clauses through which the company binds its partners to comply with the legislation on the protection of personal data, regarding the adoption of specific technical and organizational measures suitable to contrast in an effective and resolutive way the complained phenomenon.
 
EE could have exercised its duties towards its commercial partners (and showing that it has fully and consciously exercised it), which correspond to the duties of accountability and privacy by design (through elements of prevention, functionality, safety, transparency of the treatment and centrality of the interested party) identified by articles 5, par. 2, and 25, par. 1 and 2 of the Regulation. In particular, giving awareness of the introduction of automatic and stable forms of control within the corporate organization both internally (also with regard to personnel) and with respect to the sales network constituted by its commercial partners, as well as on the systems appointed to activate offers and services to its customers. The programming of the latter, for example, could have been designed in a predefined way in order to signal and block in real time the attempts to load supply contracts obtained in a non-transparent manner or in any case the outcome of treatments performed in violation of the legislation on the protection of personal data.
 
The company should also have taken into account the identification of specific selection criteria and specific audit activities with regard to its partners, as well as timely verification actions, also through automated methods, of its internal processes for managing personal data also under the profile of the correctness and security of access to user data as well as, on the other hand, in relation to the signing and consequent uploading of new contracts.
 
These measures would have contributed to a more appropriate representation of the awareness and corporate choices made, even more so to protect a position that is described as strongly compromised, in terms of image and reputation, by allegedly incorrect third party conduct.
 
3. Art. 5, par. 2 (Principle of accountability), for not having proven compliance with the legislation on data protection in the case of unwanted promotional communication made by a partner. Even in the cases in which the company gave account of the undue telephone contact by one of its partners following information requested by the interested party at an EE point of sale (II cum: 136877), the representation provided to the Office was limited to the generic reserve for the adoption of appropriate measures towards the partner himself, without however providing evidence of the actions taken, especially in a more articulated framework of measures and interventions that, at company level, should be envisaged for the management of these problems. This behavior is not in line with the aforementioned principle of accountability of the data controller (Article 5, paragraph 2 of the RGPD) which requires the latter to prove compliance with the legislation on data protection.
 
4. Art. 5, par. 2 and 24 of the Regulation (Principle of accountability and responsibility of the data controller), for not having controlled the activity of its business partners, including through appropriate technical and organizational measures. With regard to reports that complained of unwanted contacts through automated methods, in particular an answering machine, EE then limited itself to generally declaring that it did not make "promotional calls via automated answering machine" (III cum: 143863, 144296, 144240; 144296; IV cum: 140347, 144213, 147139, 147750; single inquiries: 139206, 143511, 139123, 142298, 144397).
 
Given the above, the company has therefore not provided detailed elements aimed at excluding its own involvement with respect to the formulation of pre-recorded messages which in all the reports have been described as coming from Enel Energia and aimed at facilitating the passage of users to the same company in the free market. This proves that the promotional activity was carried out for the benefit of EE, albeit in ways allegedly not authorized by the company itself. Moreover, in two specific circumstances (III cum. 139206; single inquiries 142298) it clearly emerged that the interested parties, having opted for re-contact after registration (so-called "option 3"), were actually re-contacted by physical operators who presented themselves as persons in charge of Enel Energia and even subsequently met personally with persons who presented themselves as agents of the company or in any case connected to its partners (XX).
 
These circumstances denote a lack of control by EE over the activity of its partners who carry out promotional activities to its advantage, including through appropriate technical-organizational measures, thus integrating the violations of Articles 5, par. 2, and 24 of the GDPR.
 
5. Art. 5, par. 1, lett. d), of the Regulation (Principle of accuracy), for having erroneously and automatically associated with the reporting party the number from which a call was made to the company's toll-free number (presumably a fixed-line number used one-off by the reporting party; IV cum: 146166).
 
6. Art. 5, par. 1, lett. d) (Principle of accuracy) and 6 of the Regulation (Lawfulness of processing), for having sent personal data via invoices to a user other than the holder of the contract following the association of the reporting party's tax code to another Enel user, by reason of the alleged similarity between the two codes (IV cum: 147284). This event reveals both a violation of the principle of accuracy, incorrect personal data having been associated with the reporting person, and an undue communication of personal data (in particular name, surname and tax code of a different user to the first, through sending invoices) in the absence of any assumption of legitimacy of the treatment;
 
7. Art. 12 of the Regulation (Transparency and methods of feedback to the exercise of rights), for not having provided the necessary and timely feedback to the interested parties about the legitimate requests for exercising the rights (in this case, the right of access and the right to object) formulated by the interested parties (I cum: 132334, 129416; III cum: 144726; IV cum: 138729). The company admitted the delay in following up the requests of the interested parties, justifying this delay, at least in the two cases covered by the first request, with the need to conduct more in-depth and additional investigations following the communication of the Guarantor (I cum: 132334) or to suspend this activity pending the full applicability of the RGPD (I cum: 129416). In one case (III cum. 144726) the company attributed the failure to respond to a "mere technical problem".
 
8. Art. 5, par. 1, lett. a) (Principle of correctness) and 12, par. 2 of the Regulation, for providing contradictory feedback regarding a further request to exercise the rights advanced by the interested party in relation to the receipt of promotional calls via pre-recorded disk (IV cum: 136020). This is because in an initial response provided to the interested party (as per annex 19 to Enel's communication of 21 August 2020), EE admitted a "typing error" as the cause of the undue promotional contact, while in the representation provided directly to the Authority (page 15 of the response of 21 August 2020) it charged another customer with the responsibility of having provided the data of the reporting party as contact data connected to a supply user;
 
9. Art. 21 of the Regulation and art. 130, paragraphs 1 and 2 of the Code (Unwanted communications and right of opposition), for having unduly sent promotional communications by e-mail, despite the refusal of the processing of data for marketing purposes expressed by the interested party both when signing the energy supply contract and through the subsequent opposition to the processing expressly addressed to the dedicated e-mail box (single inquiries: 133249);
 
10. Art. 130, paragraph 4, of the Code (Soft spam), for having sent a communication regarding the registration to the EE loyalty program, without having provided any evidence regarding the necessary presence of that objective element of an informative nature which is the basis of a correct dialogue with the interested parties and legitimizes the exemption from the acquisition of the relative consent, together with the presence of the other elements referred to in art. 130, paragraph 4, of the Code as well as by the Provision of the Guarantor of 4 July 2013 (web doc. No. 2542348; single investigations, fasc. 1346321);
 
The Guarantor also charged Enel with the following violations in relation to the Single Profile and the Consumption Management and Consultation App, also following an investigation carried out by the Office on May 7, 2021:
 
11. Art. 31 of the Regulation (Cooperation with the supervisory authority), for having offered insufficient collaboration to the supervisory authority, not having provided - even in the face of two requests to that effect together with the specific reports of the interested parties on the matter - any information about the methods of issuing consents for marketing and profiling purposes in the context of the use of digital services;
 
12. Art. 5, par. 1, lett. a), 12 and 13 of the Regulation (Principle of transparency and disclosure obligations), for having presented website users with two conflicting notices as to the identification of the data controller. The user who intends to create a Unique Profile is, in fact, first redirected to a page where he is informed, through a brief communication, that Enel Energia and Enel Italia S.p.a. will manage his data as "independent data controllers". Subsequently, in a second, more extensive notice, whose acknowledgment declaration is mandatory for registration together with the terms of service, no reference to Enel Italia S.p.a. emerges, since only Enel Energia is mentioned as independent data controller. Such discordant texts generate confusion in the user and do not reflect the essential principle of information transparency, logically aimed at allowing the interested party also a conscious expression of consent;
 
13. Art. 5, par. 1, lett. c), of the Regulation (Principle of minimization), for having structured a procedure that allows the passage of superfluous and irrelevant data between the companies of the Group. The single Profile, in fact, allows access to the digital services of the various Group companies included in its perimeter and the credentials that the user acquires with a first registration also allow subsequent accesses to the digital services of said companies. However, beyond the data strictly necessary to create the user profile and access credentials, the mobile telephone number, address and tax code enrich the profile with information that is unnecessary or, at least, not indispensable with regard to any future interactions with other Group companies. Furthermore, considering the mandatory use of the Unique Profile to access digital services, the user must provide, upon joining this service, a set of data not strictly relevant to the mere creation of the profile which are then shared, as part of the management of the single profile, between the various member companies of the Group;
 
Again in relation to the Single Profile, the joint reading of the text of the information and the form for the collection of consents (which can be found, however, in a difficult and unintuitive way, within the reserved area) led the Office to contest the following further violations:
 
14. Articles 12 and 13 of the Regulation (Information to interested parties), for having issued to the interested parties, in relation to the Single Profile and within the reserved area of the site, information lacking the necessary identification of the recipients of the data, both within the companies belonging to the Enel Group and with reference to a generic range of commercial partners; the generic reference to "Enel Group companies, parent companies, subsidiaries or associates, or commercial partners of Enel Energia" is unclear;
 
15. Art. 6, par. 1, of the Regulation and 130, paragraphs 1 and 2, of the Code (Lawfulness of processing and unsolicited communications), for not having acquired a specific and suitable consent from the interested parties with regard to processing carried out by different subjects as independent data controllers. The characteristics of the information described in point 14 together with the three generic purposes indicated in association with the boxes for the expression of consent (1. Marketing Enel Energia; 2. Marketing third parties; 3. Profiling) contribute to defining a consent that does not satisfy the granularity and clarity requirements provided for by current legislation (Article 4, No. 11 of the GDPR). In fact, a single consent to the communication of data for promotional purposes also by group companies, parent companies, subsidiaries and associates and commercial partners of EE, cannot be considered either specific or free and does not constitute a suitable legal basis for the aforementioned treatments, pursuant to art. 6 GDPR. Likewise, it cannot be considered clear whether the consent required for the marketing activities of the "parent companies, subsidiaries, associates or commercial partners of EE" by the same subjects refers to marketing activities that these companies carry out on behalf of Enel Energia or to a communication of data by Enel to third parties for their marketing purposes, also taking into account that, in the absence of a clear identification of the recipients, a consent linked to processing referable to an indefinite number of subjects cannot be considered suitable. Similar findings have been extended to the request for a single consent for profiling purposes both of Enel Energia and of the subjects already mentioned, as independent data controllers.
 
The aforementioned disputes were formulated by the Office on the basis of the more detailed observations contained in the act of initiating proceedings no. 26890/21 of 14 May 2021, which here must be understood as fully reproduced and to which full and complete reference is made. Likewise referred to here, the report relating to the assessment carried out by the Office on the company's website on 7 May 2021 must be understood.
 
Finally, it should be noted that in the aforementioned act of initiation of the procedure, the Authority also recalled, for the sole purpose of giving further evidence of the pervasiveness of the telemarketing phenomenon, the over 250 requests, including complaints and reports, received by the Guarantor after the last request for information of 20 July 2020 and up to the date of formulation and notification of the deed itself. These further complaints, although not the subject of the aforementioned act of dispute, in fact highlighted a dynamic picture of persistent unease and an even more evident exasperation of the interested parties with respect to the correct processing of their personal data despite the recourse to the registration of telephone numbers in the RPO, or rather with respect to contact methods, such as calls via pre-recorded disk, which are particularly invasive and unwelcome. These complaints, therefore, while not merging into the investigation and the related phase of today's procedure, represent an undeniable historical fact that testifies, if still needed, that the phenomenon of nuisance calls is far from being resolved.
 
2. DEFENSIVE OBSERVATIONS AND AUTHORITY ASSESSMENTS
 
2.1. Defense brief and hearing of Enel Energia S.p.A.
 
2.1.1. Premise
 
On June 28, 2021, Enel Energia sent a broad and articulated defense brief to the Authority, accompanied by copious documentation, pursuant to art. 166, paragraph 6, of the Code. Under the same provision, on 7 July 2021 the hearing requested by the party for which a specific report was drawn up was held via videoconference. Both documents are to be understood here, for the protection of the party, fully referred to and reproduced, together with the attachments to the defense brief.
 
Pending the presentation of the defense brief, EE sent the Guarantor, on 26 May 2021, a request for an extension of the deadline for the presentation of the aforementioned briefs, together with a request for access to administrative documents referring to the assessment report of the activity carried out by the Authority on May 7, 2021 and to the approximately 250 instances mentioned in the contestation deed as proof of the persistence and diffusion of the phenomenon.
 
On 18 June 2021 the Authority, after having granted the requested extension, communicated the acceptance of the request relating to the report and the files in question, within the limits of a quantitative and sample verification of the latter, noting that no objection was formulated to the Company with respect to the individual and specific circumstances referred to in these requests, but precisely to their entirety and their value as an indicator of the persistence and diffusivity of the phenomenon.
 
The Company contested this method of granting access without, however, proceeding with a formal appeal against the related provision, but asking that the files in question not be taken into consideration in the context of this proceeding.
 
In the defense brief, the holder also requested the cancellation or in any case the filing of the proceedings by virtue of the "failure to comply with the regulatory terms for the Dispute" (page 13 et seq. of the brief). In particular, the sanctioning power of the Authority would have expired after the 120-day deadline for notification of the violation pursuant to art. 166 paragraph 5 of Legislative Decree 196/2003, the dies a quo having to be identified, according to EE, in the specific dates referable to each response (including those relating to complaints investigated individually) that it sent to the requests for information sent from time to time by the Guarantor.
 
Consolidated jurisprudence on the matter of ascertaining administrative offenses contradicts the reconstruction of the Company, which is based on a logic of mere formal counting of the days following receipt of the feedback to the various requests for information, with EE identifying precisely the acquisition of such feedback as the constitutive element of the investigation activity and, therefore, as the dies a quo.
 
In general as regards the activity of the independent administrative authorities, the Cassation (Cassation Civ. Section 2, n. 31635/2018), taking up the arguments already expressed above, reiterated that " , in relation to which to place the starting date of the term for the notification of the details of the violation, cannot coincide with the moment in which the "fact" is acquired in its materiality, but must be understood as including the time necessary to evaluate the data acquired and relating to the (objective and subjective) elements of the infringement and, therefore, of the final phase of deliberation related to the complexity, in this case, of the investigations aimed at ascertaining the existence of the infringement itself and at acquiring full knowledge of the unlawful conduct, in order to assess its consistency for the purposes of the correct formulation of the dispute (see Cass. n. 13050/2014; Cass. n. 1043/2015 and Cass. n. 770/2017, cit.) ".
 
In confirmation of the consolidated approach of the Supreme Court, recent rulings by the Council of State should also be highlighted (for example, Section VI, no. 4020, of 24 May 2021) where it is noted that "in terms of administrative sanctions, what purposes of compliance with the principle of the immediacy of the dispute [...] it is not the news of the sanctionable fact in its materiality, but the acquisition of full knowledge of the unlawful conduct, implying the verification of the existence and consistency of the infringement and its effects; so that, on the one hand, the term for the contestation of the infringement does not start from its consummation, but from the completion of the verification of all the elements of the offense, having to consider also the time necessary for the administration to evaluate and weigh adequately the elements acquired and the preliminary acts for the identification of the extremes of administrative responsibility, and on the other hand, the term for the conclusion of the sanctioning procedure begins to run only from the moment in which it is carried out - or should reasonably have been carried out, also in relation to the complexity of the case in point - the administrative activity aimed at verifying the existence of the infringement, including investigations aimed at verifying the existence of all the subjective and objective elements of the infringement itself ".
 
Similarly, but with specific reference to the administrative offenses referred to in the privacy code, the Supreme Court has recently reiterated (Cass. Civ., Section 2, n. 18288/2020): "Being consolidated the position of this Court according to which, in the matter of administrative offenses referred to in the privacy code, the dies a quo for the calculation of the ninety-day deadline for the notification of the complaint report starts from the ascertainment of the violation, which does not coincide with the generic and approximate perception of the fact and with the acquisition of the documentation relating to it, but requires the processing of the data thus obtained in order to identify the constitutive elements of any violations (thus, ex multis, Cass. 14678/2018)." While this jurisprudence refers to the term of 90 days provided for by Article 14 of Law 689/1981, the principles identified therein can well find similar application in relation to art. 166, paragraph 5 of the Privacy Code, since this last provision, following the changes made by Legislative Decree 101/2018, contains the new discipline relating to the procedures for the adoption of corrective and sanctioning measures, previously defined exclusively through the reference made by the Code itself to the aforementioned law 689/1981.
 
It follows that the time for data processing and evaluation, when not arbitrarily and unreasonably prolonged, will be directly proportional to the level of complexity of the cases in question, the number of reports and complaints presented and, last but not least, the method of analysis applied by the Authority.
 
This method, as already mentioned, was based on an overall assessment of numerous complaints, even once recurring profiles and cases have been identified, capable of delineating traits of responsibility that would have been more difficult to emerge in a logic of investigation and dispute case by case. Therefore, a modus procedendi de facto imposed by the same characteristics of the principle of accountability was applied, the implementation of which the Authority has precisely investigated, in the face of a consistent and constant number of complaints from the interested parties over time.
 
In other words, full knowledge of the unlawful conduct connected, in particular, but not exclusively, to the profiles of responsibility and accountability, as per articles 5, par. 2, 24 and 25 par. 1 of the RGPD, related, moreover, to the activities of a holder of the organizational dimension of EE could only go through a document acquisition and subsequent composite and articulated evaluation, also at a temporal level.
 
It is also noted that an investigation, already complex in itself, was certainly not facilitated by the emergence of a sudden and unpredictable event, such as the pandemic and a consequent emergency situation still underway, in consideration of which, moreover, the legislator has provided for the suspension of the terms of administrative proceedings, most recently extended until 30 November 2020 (art. 41 of legislative decree 34/2020). Nor, much less, for different profiles, did the lack of cooperation shown by the data controller benefit (amplius infra par. 2.2, n. 1).
 
More generally, it should be finally considered that the elements required by art. 83 of the Regulation for a complete assessment of the conducts, which are assumed to be in violation of the provisions on the protection of personal data, are so broad and complex (also from a guarantee point of view) that, in the case in question, it cannot seriously be objected that the Authority has failed in a timely manner in contesting the offenses.
 
2.1.2. The individual disputes
 
With reference to the individual complaints raised by the Authority, the defensive arguments developed by the Company in its brief and during the hearing are reported below.
 
1) With reference to the dispute referred to in number 1 of par. 1.4, the Company did not hide its surprise at these disputes, since "EE has always followed up the requests of the Guarantor without receiving in response any request for clarification or further information". Furthermore, the Company, according to what was declared in the brief, "formulated its replies with the intention of not exceeding the requests in order not to incur a violation of the principle of cost-effectiveness of the procedure also sanctioned by art. 7 of Regulation 1/2019 [...] in order to avoid hindering the smooth continuation of the investigation" (point 14). In other passages of the brief, as well as during the hearing, EE recalled the constant and costly attention, also in terms of financial commitment, that the Company has always paid to compliance with the regulations on the protection of personal data (point 24 of the defense brief).
 
With regard to the failure to reply to the III cum., EE attributed the incident to a "human error" that would have occurred in the "sorting of a certified e-mail" (Point 25).
 
Finally, EE announced that it will implement the possibility for the interested party to check directly from the EE website "the traceability to EE and its partners of the numbers from which he has received commercial calls"; in this regard, the Company has also sent the Guarantor a list containing the calling numbers referable to EE. During the hearing, the owner then communicated that the aforementioned system has already been implemented on the site.
 
2-4) The Company has dedicated a large part of its defense brief (points 27-138) to counteract the objections formulated by the Guarantor regarding the responsibility and accountability of the owner and compliance with the principle of privacy by design, as referred to in numbers 2, 3 and 4 of the previous paragraph.
 
The Company paused to illustrate how its choices regarding promotional contacts can be divided between an approach followed until the onset of the pandemic and one subsequent to it.
 
Before the epidemiological emergency and the consequent containment measures, EE did not use or commission any telemarketing or teleselling channel to third parties, and more generally any outbound telephone channel for commercial purposes. The commercial promotion of EE took place exclusively through physical points (shops managed by EE partners with commercial collaboration contracts) and “door to door” contacts, carried out by authorized agencies. Even with regard to the activities carried out by these agencies (all selected through a precise scouting procedure), the use of teleselling and telemarketing was expressly prohibited within the contracts stipulated by the Company. The procedure for the acquisition of new contracts following an availability recovered by the agencies during the "door to door" was structured according to an ex post control system (in two phases, by telephone and by mail; Quality call, following precise scripts, and Quality letter) to obtain confirmation of the identity of the subject, of the personal data referable to him / her and of the effective will to contract. The Company affirmed that this system has enabled it to keep under control and limit the phenomenon of the revocation of users activated on the basis of the proposals of the agencies. What is stated and described in the brief regarding the management method of the pre-pandemic commercial channel is, therefore, to be considered applicable, according to the representation provided by EE, to all cases subject to investigation and dispute by the Guarantor, since the latter are all prior to January 2021 (date of reintroduction, as will be seen shortly, of outbound calls).
 
The epidemiological emergency made it necessary to reintroduce the methods of telephone contact so that: a) starting from May 2020 there was the possibility for the agencies authorized by EE to arrange meetings by means of a prior telephone appointment (this activity is aimed at stipulating supply contracts with "remote" mode and the digitalization of processes); b) starting from January 2021, the teleselling channel was introduced. This last activity is carried out, according to EE, through "numbering limitations for telesellers, ex ante checks on contact lists and ex post on the goodness of the expression of will of customers and on the initial contact methods, in order to exclude the use of aggressive marketing practices and unwanted calls." (Point 70 of the memorandum).
 
The Company has made it clear that the procedures and activities for agencies and for telesellers are completely different: only telesellers acquire contact lists and conclude contracts on behalf of EE (sale by telephone of products and services through vocal order); the agencies do not carry out teleselling activities but limit themselves to phoning potential customers to arrange subsequent appointments.
 
In the context, therefore, prior to the pandemic and the choices made by EE, in the presence of the aforementioned absolute ban on making commercial calls by the Company and its agencies, the only obligation to be recognized on its part, according to its representation, would have been to verify that its partners did not make promotional calls tout court and therefore, in cases of unauthorized calls, to exclude that the calling numbers could be attributable to any of them. No other burden deriving from the principle of accountability or from that of privacy by design would have been attributable to EE, since the possibility of carrying out telemarketing and teleselling activities was not at all contemplated. It was therefore not the task of EE, according to what was stated in the defense brief, to hypothesize and introduce measures and procedures aimed at controlling the formation of lists of telephone users whose use was completely prohibited. Therefore, all the obligations and measures identified by the Guarantor in the case of owners who actually carried out teleselling and telemarketing activities would not be applicable to Enel Energia. The reference is to the measures / orders of injunction against Fastweb S.p.A. (provision of 25 March 2021, web doc. 9570997) or also of ENI S.p.A. (provision of 1 December 2019, web doc. 9244358) or Vodafone S.p.A. (provision 12 November 2020, web doc. 9485681).
 
The Company therefore reiterated that it is entirely extraneous to the unwanted calls that are the subject of the complaints presented to the Guarantor and stressed that, being completely unrelated to the phenomenon, EE had no power to investigate it or to check on subjects outside its control.
 
More specifically, the Company then returned to the subject, reiterating what it considers the non-existence of the violation of art. 25, since EE's privacy by design before the measures adopted following the pandemic was based "on the set of preliminary checks of the seriousness of the agencies and subsequent checks aimed at verifying the execution of commercial calls tout court by its own agencies following complaints or reports from users (as happened with all complaints covered by the Requests) also by reporting the illegal conduct to the judicial authority and to the Guarantor. On the other hand, it would not have been reasonable and consistent with a correct privacy by-design to implement procedures for regulating and verifying the formation of telephone contact lists, given that telephone contacts were excluded and prohibited upstream from the contracts concluded with the agencies." (paragraph 122).
 
This context frames the main defensive thesis presented by the Company, namely the fraudulent and incorrect use of the name of Enel Energia by unidentified subjects who aim to ensnare customers into concluding contracts "without the contractors being truly aware of what is happening" (point 64 and, in general, the thesis set out in points 55 to 64).
 
EE believes it is the victim of "braggarts" and "scammers" who allegedly work for competing companies and illegally use the name of the country's leading energy operator to reassure users and capture their attention. Only subsequently, as reconstructed by the Company, if the phone call continues and the user shows interest, would these subjects suggest that they are an agency and that they consider the offer of one of EE's competitors more advantageous. The Company therefore argued that it does not derive any advantage from this practice but, on the contrary, suffers significant damage, including to its image.
 
EE argued this thesis by presenting as support: a) a provision of the AGCM of 24 October 2018 with which the incorrect commercial practice of the company Switch Power Srl was sanctioned, which tried to ensnare customers by telephone by pretending to be a company of the Enel group (annex 21 to the memorandum). At the hearing, the Company expanded this argument by also referring to a complaint presented in April 2021 against another company for the same unfair commercial practice; b) some cases, including those reported by some Enel executives and others subject to press articles (annex 23 to the brief); c) the statements in favor of Enel made by Federconsumatori, provincial section of Taranto, which specified how EE personnel visit customers at domestic users only following calls for "making an appointment"; d) the complaints (12 from 2017 to May 2021) relating to a plurality of conduct carried out by subjects identified as competitors of EE or completely unrelated to the activities of the Enel group or completely unknown (see point 132 of the brief and . 24 to the memory).
 
5) With reference to the dispute referred to in number 5 (Article 5, paragraph 1, letter d), of the Regulation), the Company highlighted that there was no automatic association of the personal data of the reporting party with the number from which a call had been made to the Company's toll-free number (IV cum: fasc. 146166). The error would have been attributable to the manual intervention of an operator. The Company pointed out that "following the report, EE immediately canceled the data and challenged its partner for the incorrect practice" (point 172).
 
6) Again in relation to the data accuracy issues that emerged from the sending of invoices to the wrong person (IV cum: 147284), as referred to in number 6 (articles 5, paragraph 1, letter d)), EE pointed to a "clerical error" due to the similarity of the tax codes of the two customers and reported that, once it became aware of the error, it promptly remedied it (paragraph 173).
 
7) As for the disputes referred to in number 7 (Article 12 of the Regulations, (I cum: 132334, 129416; III cum: 144726; IV cum: 138729). the delay in following up the requests of the interested parties, justifying, at least in the two cases subject to the first request for information (I cum: 132334, 129416), this delay with the need to conduct more in-depth and additional investigations following the communication of the Guarantor (I cum: 132334) or to suspend this activity pending the full applicability of the RGPD (I cum: 129416). The Company, however, stressed that in both cases referred to I cum. the interested parties had been informed of the need for this This information would have been provided in one case 33 days after the request (I cum. 132334) and in a second case, within the 30th day of receipt of the request.
 
With regard to another case (III cum. 144726), the Company reiterated in defense what it had already argued in response to the requests of the Guarantor or recognized the occurrence of a "mere technical misunderstanding". Finally, with regard to file 138729 (IV cum.), EE did not provide any further information with respect to that contained in the acknowledgment communications during the investigation phase.
 
8) Likewise, with respect to a similar dispute concerning a different case, referred to in number 8 (articles 5, par. 1, lett. a), and 12, par. 2, of the Regulation), EE denied the contradiction between the response provided to the interested party and that provided to the Authority (IV cum: 136020). According to the Company, in fact, even though the two responses were formulated differently (the response to the customer mentioned a "typing error"), in reality they are both true. This is because the contact details of the whistleblower were provided by another customer and, due to this overlap, the operator then "erroneously registered the data of the whistleblower in the client's master data".
 
9) Again with regard to the exercise of the rights of the interested parties, the Company, with regard to the dispute referred to in number 9 (Article 21 of the Regulation and Article 130, paragraphs 1 and 2 of the Code), acknowledged that it had committed a further error by indicating a wrong email address at the bottom of the communication sent to the interested party (single inquiries fasc. 133249), but also highlighted that the correct address for sending requests to exercise rights (privacy.enelenergia@enel.com) is easily found online. As proof of this ease of communication, EE pointed to the fact that the same complainant subsequently sent a second objection request to the correct address, which was fully and promptly satisfied.
 
10) With reference to the contestation of the violation of art. 130, paragraph 4, of the Code, referred to in number 10 (single investigations: 136321), EE reiterated, detailing its arguments, what had already been argued in the preliminary phase, recalling, in relation to the three cases raised by the complainant: a) the sending of a communication akin to soft spam, as a circumstance that removes the need to acquire consent; b) the fact that the call received by the complainant was made to verify the quality of the service offered and not for commercial purposes; c) that the promotional SMS was sent not by EE but by a former partner, XX, no longer contractually linked to the Company at the time the communication was sent to the person concerned.
 
11) With regard to the contestation of the violation of art. 31, referred to in number 11, also in relation to the information provided regarding the functioning of the Single Profile and the failure to attach the documentation relating to consents (in response to IV cum. and IV-bis cum.), EE deemed the information it had provided to be exhaustive. According to the Company, in fact, the Guarantor had not expressly requested more details about the consents but had only formulated requests for clarification on the operating methods of the app and indications on the quantitative dimension of the service.
 
12) As regards the disputes connected to the Single Profile and the app for consultation and consumption management, reported in number 12 (articles 5, paragraph 1, letter a), 12 and 13 of the Regulation), EE denied that there was a discrepancy between the two privacy notices on the website with reference to the identification of the data controller. In the defense phase, the Company explained that the notices of the two entities (Enel Energia S.p.A. and Enel Italia S.p.A.) coexist on the same page and that "only part of the information and sections on the site concern both entities". The Company added that the notices are "recalled from a single touchpoint (the footer of the homepage) but have a distinct and separate structure, form and content". The navigation data of visitors to the site is processed by Enel Italia S.p.A., which, however, is not the data controller as regards the management of the Single Profile (which appears to be Enel Energia); on the contrary, Enel Italia S.p.A., together with a third company, Enel Global Services s.r.l., acts as data controller for the data provided at the time of registration and for providing the authentication service.
 
13) Again with regard to the Single Profile, with respect to the dispute referred to in number 13 (Article 5, par. 1, letter c), of the Regulation), EE highlighted that "the companies enabled for the Single Profile (for Italy EE and Enel X Italia Srl - "EX") do not have access to the data of users who have created the Unique Profile with the other authorized company." (Paragraph 185). Consequently, according to what was reported in the defensive phase, two scenarios may occur: 1) a new user who has not yet created an account through the Unique Profile; 2) access to a reserved area with an existing profile.
 
In the first case, the user registers, on the EE website or on the EX website as the case may be, providing his / her data (name, surname, social security number, telephone number, e-mail; the latter two are subject to validation) and creates a personal password.
 
In the second case, the user, with the same credentials created at the company with which he first created the account, can access the reserved area of the other company ("For example, first the user created the Unique Profile account on the site and for the reserved area of EE and then wants to access the reserved area of EX"). EE maintained that there was a clear technical and content separation between the two reserved areas and that "no data relating to the reserved areas of the companies authorized to use the Single Profile is exchanged between them."
 
After having illustrated the technical characteristics of the system, the Company went on to explain that both the mobile number (for the purpose of validating the temporary password mechanism) and the tax code must be considered indispensable data for correct identification, in order to prevent the creation of multiple profiles (Points 194-198). EE then underlined that authentication via mobile phone number was implemented following some vulnerabilities (creation of multiple accounts) that emerged, with reference to another group company, as part of a previous and separate investigation conducted by the Office of the Guarantor. The indispensability of such data for the functionality of the service, according to EE, should therefore lead to the conclusion that the dispute regarding the alleged violation of the principle of minimization can be overcome.
 
14) With respect to the disputes referred to in number 14 (articles 12 and 13 of the Regulation), the Company represented that, without prejudice to the fact that no consent for marketing purposes is collected during the creation of the Unique Profile, "the different marketing purposes are instead described, as indicated by the Guarantor in the Contestation, in the specific section "Marketing and / or profiling purposes"." In any case, the Company communicated that it has revised the notice to make it clearer (Points 199-204).
 
15) As to the granularity and specificity of the consents, with regard to processing carried out by different subjects as independent controllers, referred to in number 15 (articles 6, paragraph 1, of the Regulation and 130, paragraphs 1 and 2, of the Code), EE recalled the three purposes identified, namely: 1) direct marketing carried out by EE for EE products; 2) third party marketing; 3) profiling, arguing that this distinction complies with the Guidelines of the Guarantor on the fight against spam adopted in 2013. The Company specified that it has never carried out profiling activities nor has it ever transferred data to third parties for marketing purposes. Furthermore, EE has never done direct marketing by advertising third party products, including those of group companies. Finally, the Company stated its intention in the future to seek the consent of interested parties for marketing and profiling purposes, reshaping the tripartite structure of consents and better specifying the different purposes with respect to the various controllers (attachment 38 to the memorandum), and communicated that it had submitted the related notice to revision "with a view to ever more direct communication".
 
2.2 Considerations in fact and in law
 
The defensive arguments presented by EE do not make it possible to exclude the liability of the Company in relation to the alleged violations, for the following reasons, to be read together with the observations already expressed in the aforementioned contestation deed:
 
1) As regards the dispute relating to art. 31 of the Regulation (Cooperation with the supervisory authority), referred to in number 1, it is an incontrovertible fact that the Company did not provide any response to the third request for information from the Guarantor until it was reminded to do so. The laconic, concise and undocumented reference to human error in sorting does not, in fact, eliminate the problem.
 
Likewise, in its replies, EE did not provide, in a collaborative and proactive spirit, analytical and detailed responses about the different cases reported, so as to facilitate the most appropriate assessment by the Authority. As is known, in fact, replies to requests for information from the Guarantor should be provided immediately and in the most detailed and complete way possible, and the elements useful for defining the investigation framework should therefore be presented already in the preliminary investigation rather than in the defensive phase, as instead happened. These behaviors, already sanctioned by the Guarantor (injunction order against Iren Mercato SpA of 13 May 2021, web doc. 9670025), risk lengthening and burdening the procedure, which the Company has declared its intention to avoid. Nor can any relevance be attributed in this context to the reference to internal regulation no. 1/2019 (Article 7, paragraph 5), given that the provision clearly refers to the defensive phase and not to the preliminary phase.
 
Moreover, the aforementioned circumstance that the Guarantor did not provide any response or request further clarifications once it had received the replies from EE is not valid as an exemption, given that the duty of cooperation provided for by the cited art. 31 of the Regulation clearly falls on the data controller, also in its own interest, and not on the supervisory authority.
 
2-4) With reference to the complaints formulated by the Guarantor with regard to the responsibility profiles of the owner and the respect of the principle of privacy by design, as referred to in numbers from 2 to 4 (articles 5, par. 2, and 25, par. 1 of the Regulations; art. 5, par. 2 and art. 5, par. 2 and 24 of the Regulations) the arguments presented by the Company are not convincing and are not capable of overcoming the Authority's findings.
 
The main argument raised by the Company in defense of its position, namely the improper use of its name, is not supported by elements capable of excluding the liability of the data controller and remains, as such, a purely hypothetical reconstruction. This is because in none of the arguments developed by the Company was it proven that competitors sought to acquire customers by presenting themselves as Enel Energia.
 
In fact, the press articles cited mainly refer to episodes that have nothing to do with the disputed conduct, given that in them Enel's name is used to try to gain entry, through fraud, to users' homes in order to perpetrate illegal acts to the detriment of the victims (mainly elderly and lonely people).
 
Similarly, the reference to the trade association Federconsumatori - moreover not relating to a public position taken by the national bodies of the association but rather to an interview given by a local representative (Taranto Section) - refers to the phenomenon of scams and attempts to break into homes. It is therefore irrelevant with respect to the case in question and does not represent a significant profile for the purposes of the Guarantor's assessment and in particular with respect to the issue of accountability.
 
In this regard, it must first be noted that the regulatory provisions (articles 5, paragraph 2, and 25, paragraph 1 of the Regulation; article 5, paragraph 2 and article 5, paragraphs 2 and 24 of the Regulation) outline a precise framework of general responsibility weighing on the data controller, not only in the sense of requiring the latter to adopt adequate and effective measures to ensure compliance with the rules on the protection of personal data but also in the sense of requiring the controller to demonstrate, concretely and with evidence, the compliance of any processing activity that it has carried out directly or that others have carried out on its behalf (see also recital 74, GDPR). It is therefore necessary to provide evidence of overall assessments carried out on the characteristics of the processing, on the risks connected to it and on the effectiveness and adequacy of the measures adopted on a case-by-case basis. Such effectiveness and adequacy can only be tested and demonstrated through structured and systematic verification mechanisms.
 
The rationale of the aforementioned provisions lies in the need to ensure that the complex of privacy obligations is not reduced to a purely paper-based exercise and that the "chain" of responsibilities in the context of the processing does not provide for undue "blameworthiness" but is always, ultimately, attributable to the data controller. The controller, in fact, is the primary engine of the complex mechanisms that determine the compatibility of the various activities carried out with the provisions of the Regulation and the Code aimed at allowing the interested party to fully govern their data and to fully exercise their rights and freedoms.
 
The principle of accountability, therefore, outlined both in a legal perspective (Article 5, paragraph 2 and Article 24) and in a more modern technological dimension (Article 25), involves moving beyond an exclusively formalistic logic of adaptation to the regulatory text, requiring the data controller to prepare systematic verification mechanisms, both ex ante and ex post, of compliance with the legislation on the protection of personal data by all the subjects involved in the processing chain that concerns it, that may be attributable to it or that may also bring it advantages of an economic nature.
 
In this regard, the Guarantor observes, as a preliminary point, that the data controller provided elements of a formal nature only during the defensive phase, mostly related to the contractual lawfulness of the relationship between EE and its partners - which, moreover, does not prove anything from the point of view of the correct processing of personal data - without producing the necessary evidence of concrete initiatives taken as data controller in the face of the spread, over the years, of such an invasive and worrying phenomenon, which should have acted as a real "alarm bell".
 
The history, structure and organizational dimension of Enel Energia would have allowed this company, leader in the Italian energy market and always a protagonist of the economic and productive life of the country, albeit in different forms and ways, to prepare with due diligence state-of-the-art organizational measures for the protection of data subjects, as well as appropriate and effective control tools covering the entire supply chain involved in the processing of personal data. This is all the more so in consideration, on the one hand, of the amount of personal data held by the company, precisely by virtue of its position and its history (currently 9 million customers - see defensive writings, paragraph 173), and, on the other hand, of the high number of reports received every month directly by EE (defensive writings, point 167: a monthly average, from April 2020 to April 2021, of approximately 740 requests for the exercise of rights, largely relating to the right to object), as well as the numerous and repeated requests for information sent by the Guarantor.
 
Having said all this, with reference to the specific point raised in the defense about the management of promotional activities in the phase prior to the pandemic, when the EE sales network was prohibited from using telephone lists, it should be pointed out that the Company should have verified, in the face of the growing number of reports relating to unwanted telephone contacts, that this strict prohibition had been adequately observed, and should also have proven the existence of verification tools. This could also have been done by means of suitable checks to trace and document the origin of the data underlying any contractual proposal and / or the methods of "first contact" with the potential customer. This type of control is completely different from a verification of personal data lists (recalled in the defense brief), which appears, in fact, irrelevant to what is contested by the Authority.
 
These checks could, first of all, have been easily carried out if the methods of first contact and / or the origin of the customer data had, for example, been expressly and analytically recorded in the contract registration system, also using the information channel of the Quality call which, on the other hand, from what emerged from the documents, does not contain specific references to verifying the lawfulness of the original acquisition of the data and / or of the first contact, focusing rather on verifying the regularity of the contractual aspects.
 
Similarly, the documentation provided by the Company and examined by the Guarantor does not show with unambiguous clarity the characteristics of the methods of access to the systems used to activate offers and services, through which the agencies can convey the result of their activities. It is on this step, in fact, that the subsequent controls by the data controller should focus, especially in a complex and stratified commercial system such as the one presented by EE. In fact, although one passage of the brief refers to the receipt, by EE, of the "contract proposal from the agencies" (Point 37), and the attached contractual schemes state that the agencies undertake to "use exclusively the information system authorized or made available by the Principal", no incontrovertible evidence was provided regarding the effective functioning of this system and the monitoring and control activity carried out by EE, such as to demonstrate to the Authority the suitability of the measures. This is all the more so when we consider that, as emerged from the documentation on file, the Company rather delegates the preventive control on the lawfulness of the first contact in full to the agencies: "Any pre-loading checks in the IT systems performed through the use the telephone contact also falls under the direct and exclusive responsibility of the Agency." (Agency Contract, Annex 13 to the memorandum, point 2.2).
 
Similarly, within the contract between EE and the partner stores (physical points) a sort of indemnity is identified in favor of EE when we read: "The Partner will be solely responsible for the work of the Enel Points and the Staff, whatever the relationships with the same, committing to hold Enel Energia harmless from any claim or request made, in relation to the performance of the activities covered by the Contract, by the Enel Point, by the Staff or by third parties, including those relating to compensation damages, wage obligations, indemnities and social security and / or insurance contributions, as well as those relating to any further obligation or fulfillment deriving from the current legislation on self-employed and subordinate work, from the legislation aimed at protecting the privacy, from the tax legislation." (PENP contract, Annex 12 to the pleading, point 5.3).
 
Finally, it is worth noting that EE has a series of information regarding the correct management of promotional activities, even by the individual operator, during the validation of contracts, and is in a position to easily identify the sales channel and the appointee for each contract (the reference is to the contract code, appointee code and channel code, all present in the application form, freely downloadable from the Company's website). However, it is clear that the Company does not carry out checks of this kind, or at least it has not provided evidence of them to the Guarantor, as can be seen from the aforementioned absence in the Quality call of specific references to verifying the lawfulness of the origin of the data, from the reliance placed on the activity of the partners and, finally, from the Company's own statements in its defense, where we read: "If some agencies have in hypothesis endorsed commercial calls, extraneous in and of themselves (and not simply for the modalities) to the activities envisaged by EE, EE could not be expected to carry out ex ante controls on activities totally hidden and unrelated to its own commercial chain, activities that EE obviously could not even foresee. Investigations of that type concern the material conduct of the employees of the agencies, behind the agencies themselves and of EE, and do not fall within the powers of the data controller [omissis] When an illegal activity is completely unrelated and invisible to the owner of the treatment, the latter - if he has subsequent evidence of such violations - can only invoke the intervention of the judicial authority and close relations with those who have become protagonists. Nor does the Complaint indicate reasonable measures aimed at mitigating such a risk, given that the Complaint illustrates failed measures relating to the management of telemarketing and teleselling activities not envisaged by EE." (defensive writings, paragraphs 51 and 53).
 
Therefore, since EE has the information necessary to link each contract proposal even to the individual operator, checking the sales volumes of each operator against other variables, such as, by way of example, the geographical area, the population density of the commercial area of reference and other similar numerical indicators, would have made it possible to identify improper practices in violation of the legislation on data protection. Equally indispensable is the aforementioned verification, to be carried out directly with the customer, of the lawfulness of the origin of the personal data underlying the contractual proposal. Enel Energia had all the tools necessary to nip "undergrowth" phenomena in the bud, phenomena of which, moreover, it was aware well before the intervention of the Guarantor.
 
Measures such as those described here, if adopted and if represented to the Guarantor (which certainly cannot be blamed for not having indicated them in the notice of dispute), would have shown an approach that was not merely formalistic and conservative, based on the contract and its characteristics, but, on the contrary, an appreciably proactive one, protecting the full set of rights of consumers and data subjects.
 
In conclusion, there is no concrete link between the information relating to the promotional activities that are carried out by EE, in any way and in any form, through the different sales channels, and the platform used for the validation and registration of contracts. The two phases (the promotional and the contractual one) therefore remain substantially separate, and this makes it possible for agents who intend to convey contractual proposals without following the data controller's instructions to enter them even where the promotional contact was illegal or unwanted. This makes it not only possible but also highly probable, given the weakness of the "defenses" put in place, that the large number of unwanted contacts brought to the attention of the Authority were made in the context of the promotion of the Company's products and services.
 
In view of art. 5, par. 2, of the Regulation, which requires the data controller to prove the lawfulness of the processing, the very absence, in the official registration system, of measures that verify full compliance with the rules and with the rights of the interested parties, users and consumers from the moment of first contact is a condition apt to serve as the gateway for any "unofficial procurers" of contracts capable of "capturing" the recipients of the promotional phone calls complained of, who consistently report a contact in the name of the Company (as already noted in the aforementioned provisions against Vodafone Italia SpA and Fastweb SpA).
 
Moreover, to tackle the problem at its root, it is not sufficient to act exclusively on the "official" sales network, precisely in the face of the reputational damage that the Company complains with so much conviction, but rather to foresee, as the Authority has already had the opportunity to highlight, effective mechanisms aimed at monitoring and countering, also in consideration of the organizational and business capacities of the main Italian energy company, a phenomenon that impacts in such a significant and pervasive way on the private dimension of interested parties who complain of unwanted promotional contacts by Enel Energia and to exclude at the root the possibility of contact by telephone in the Enel Energia sales network.
 
In this sense, the Authority has not failed, on other occasions, to recall, precisely in a preventive logic and in keeping with privacy by design, the possibility of resorting to corporate and organizational choices aimed, for example, at blocking the contractual activation of offers or services when they cannot with certainty be attributed to activities carried out in compliance with the rules and with the rights of the interested parties, users and consumers from the moment of first contact and the origin of the data (see the already mentioned measures against Vodafone Italia SpA, 12 November 2020, web doc. 9485681, and Fastweb SpA, 25 March 2021, web doc. 9570997).
 
These same conditions should also be applied to the telemarketing campaigns that EE has admittedly resumed following the pandemic emergency. In order not to violate the provisions of the Regulation, these activities must be conducted in full compliance with the principles of accountability and privacy by design, with the controller having to prove at any time that the activation of offers and services and the registration of contracts take place only following promotional contacts carried out by the Company's sales network through telephone numbers registered in the ROC - Register of Communication Operators, and without prejudice to the necessary verification of the contact lists, as repeatedly reiterated by the Guarantor (most recently, see the Order of injunction against Iren Mercato SpA, May 13, 2021, web doc. no. 9670025).
 
5-6) With reference to the disputes referred to in numbers 5 and 6 (art. 5, par. 1, letter d); articles 5, par. 1, lett. d), and 6 of the Regulation, Lawfulness of processing), the references to a "manual error of the operator" in the first case, and to a material error in the second, do not relieve the Company of the liability resulting from the violation of the aforementioned provisions, nor do they allow the exemption pursuant to art. 3 of law no. 689/1981 on good faith to be applied, all the more so because the errors are not analytically documented and EE has not been able to demonstrate that they were inevitable. However, the Authority takes note of Enel's declaration that it has promptly remedied the error in one of the two cases (cum IV: 147284).
 
As for the disputes referred to in numbers 7 to 9 concerning requests for the exercise of rights, some considerations are necessary. While taking note of what the Company stated in the defense brief (Point VI.G of the brief and annexed table) regarding the substantial volume of requests for the exercise of rights that it manages, both on a monthly and on an annual basis, it must in any case be reiterated that, although the departures described from the ordinary operating methods for the exercise of rights are statistically not significant in relation to the activities of Enel Energia, this element cannot eliminate the need to ensure to the interested parties the individual protection that the Regulation provides, through the adoption of corrective and sanctioning measures.
 
7) with regard to the disputes referred to in number 7 (Article 12 of the Regulation), the arguments provided regarding the delay in the responses in the cases referred to in files 132334 and 129416 (I cum.) do not overcome the finding of a violation of the rules governing the necessary timeliness of the response that must be provided to the interested parties following requests for the exercise of rights.
 
This, in the present case (132334), also taking into account the circumstance for which the previous discipline dictated by the Code already provided for the institution of the so-called "Preventive ruling" and, therefore, the fact that, at the time, full and complete applicability to the new European legislation could not have been relevant. In the same way, the fact that the request made by the interested party was at the same time the subject of a request for information from the Guarantor should, if anything, have induced the controller to behave virtuously and not, as happened, to be reticent in replying (129416). In both cases, it is believed that the delay, as communicated to the interested parties, was neither justified nor justifiable, since the controller was undoubtedly able to provide a complete and exhaustive response to their requests right away.
 
In relation, then, to the case reported in file 144726 (III cum.), the defense brief refers to a "mere technical misunderstanding". This circumstance does not relieve the Company of the liability deriving from the violation of Article 12, nor does it allow, in this as in the previous cases, the exemption pursuant to art. 3 of law no. 689/1981 on good faith to be applied, since no proof was provided that the error did not derive from fault. This is all the more so because the technical problem has not been documented in any way, nor has its inevitability been demonstrated.
 
Finally, with reference to file 138729 (IV cum.), since the controller has not provided any further elements aimed at justifying the failure to respond to a request for the exercise of rights, the violation of art. 12 of the Regulation is confirmed;
 
8) likewise, with reference to the similar dispute, but referring to a different case (IV cum. Fasc. 136020), referred to in number 8 (art. 5. par. 1, lett. of a typing error, does not overcome the observations of the Authority, since the interested party did not receive a clear and unequivocal response in the first instance with respect to the case that was the subject of the complaint. It should be noted that the circumstance of the typing error, if clarified from the beginning and not only in the defense and at the request of the Guarantor, would have allowed the Authority to verify, with more specific elements, the possible existence of a more relevant violation of the principle of accuracy; moreover, in this context it should be pointed out that, in order for the typing error to be considered excusable, the Company would, for example, have had to provide proof of its intention to contact, in the same advertising campaign, a number differing by a few digits from the one actually called;
 
9) with regard to the dispute referred to in number 9 (Article 21 of the Regulation and Article 130, paragraphs 1 and 2 of the Code), the error committed and recognized by the Company in having indicated an incorrect email address in a communication to the interested party has, in fact, hindered the exercise of the right of opposition (single inquiries: 133249), and the arguments offered by the Company regarding the failure to register the denial during the signing of the contract confirm the existence of the Company's responsibility for sending promotional communications by e-mail without the prior consent of the interested party;
 
10) in relation to the complaint referred to in number 10 (Article 130, paragraph 4, of the Code), the controller has not produced any documentary evidence capable of demonstrating that the complainant had received the necessary, adequate information about the possibility of receiving communications on similar services and products at their e-mail address and, therefore, about the presence of that objective informative element which is fundamental for a correct dialogue with the interested parties and which legitimizes the exemption from acquiring the relevant consent, in addition to the further elements referred to in art. 130, paragraph 4, of the Code and in the Provision of the Guarantor of 4 July 2013 (web doc. No. 2542348) (single investigations: 136321); in the absence of these fundamental informative elements, the violation of art. 130, paragraph 4, is established;
 
11) with reference to the dispute relating to the failure to attach documentation on the structuring of consents within the Single Profile (requests IV cum. and IV-bis cum.), the aforementioned defense by the party has no basis. The requests of the Guarantor aimed at understanding the functioning of the Single Profile involved, as a natural corollary, the illustrative documentation of the method of acquiring consents for marketing and profiling purposes;
 
12) as regards the disputes reported in number 12 (art. 5, par. 1, lett. a), 12 and 13 of the Regulation) in relation to the information provided to the interested parties, although the Company has clarified the existing interaction between Enel Energia s.r.l. and Enel Italia and despite having changed the information on the site by taking on board the findings of the Guarantor, the information notice previously provided by the Company to the users of the website was not able to meet the requirements of correctness and transparency for the benefit of the interested parties;
 
13) again in relation to the Single Profile, with respect to the dispute referred to in number 13 (Article 5, par. 1, letter c), of the Regulation), the Guarantor takes note of the explanations provided by EE in the defense phase and believes that the elements collected are relevant and suitable to relieve the Company of responsibility for a failure to comply with the principle of minimization, without prejudice to the necessary re-evaluation, by the data controller, of compliance with the principle of minimization in the event that the current structure represented to the Guarantor changes, for example through an increase in the number of companies that use the Single Profile and a consequent change in the purposes of the processing;
 
14) with respect to the disputes referred to in number 14 (Articles 12 and 13 of the Regulation), although the Company stated that it has revised the information "by making clearer legal choices." (Points 199-204), the information provided so far cannot be considered complete and exhaustive with respect to the identification of the third-party recipients of the data, given the generic reference to "Enel Group companies, parent companies, subsidiaries or associates, or partners like -market of Enel Energia". With reference to the period prior to June 2021, the information issued to interested parties by EE in the context of its portal was lacking precisely with regard to the necessary identification of the recipients of the data, at least with reference to the product categories, both within the companies belonging to the Enel Group and with reference to a generic range of commercial partners. In these respects, the information was therefore deficient and inadequate with reference to the requirements set out in Articles 12 and 13 of the GDPR;
 
15) as to the granularity and specificity of the consents, with regard to processing carried out by different subjects as independent controllers referred to in number 15 (articles 6, paragraph 1, of the Regulation and 130, paragraphs 1 and 2, of the Code), given that during the hearing EE communicated that it had already adopted some measures to accept the observations made by the Guarantor (including a revision of the wording of the consents for a better reformulation of the same), the Authority's findings are confirmed. A consent provided in the terms ascertained by the Guarantor in the act initiating the procedure does not meet the requirements of granularity and clarity that derive from the legislation. In fact, a single consent to the communication of data for promotional purposes also by group companies, parent companies, subsidiaries and associates and commercial partners of EE cannot be considered either specific or free and does not constitute a suitable legal basis for the aforementioned processing, pursuant to art. 6 GDPR.
 
The information provided by the Company in the defensive phase would seem to have made it clear that the consent required for the marketing activities of the "parent companies, subsidiaries, associates or commercial partners of EE" by the same subjects does not refer to a communication of data from Enel to third parties for their marketing purposes. However, in the absence of a clear identification of the recipients, a consent linked to treatments referable to an indeterminate number of subjects cannot be considered suitable.
 
Similar observations can extend to the request for a single consent for profiling purposes both of Enel Energia and of the subjects already mentioned, as independent data controllers, since, even in this case, a lawfully acquired consent must be specific and distinct in order to constitute a suitable legal basis, pursuant to the aforementioned regulatory provision.
 
Therefore, with reference to the aspects, including factual, highlighted above and taking into account the statements of the Company, for which the declarant responds pursuant to art. 168 of the Code, as well as the additional documentation produced, the following assessments are formulated regarding the profiles concerning the regulations on the protection of personal data.
 
3. CONCLUSIONS
 
For the foregoing reasons, while the dispute referred to in number 13 can be considered overcome for the reasons set out in the considerations in law in number 13 (par. 2.2), Enel is deemed to be responsible for the following violations:
 
1) Art. 31 of the Regulation, for the reasons described in number 1 of the previous paragraph 2.2;

2) Articles 5, par. 2, and 25, par. 1 of the Regulation, for the reasons described in numbers 2 to 4 of the previous paragraph 2.2;

3) Articles 5, par. 2, for the reasons described in numbers 2 to 4 of the previous paragraph 2.2;

4) Art. 5, par. 2 and 24 of the Regulation, for the reasons described in numbers 2 to 4 of the previous paragraph 2.2;

5) Art. 5, par. 1, lett. d), for the reasons described in number 5 of paragraph 2.2 above;

6) Articles 5, par. 1, lett. d), for the reasons described in number 6 of paragraph 2.2 above;

7) Art. 12 of the Regulation, for the reasons described in number 7 of paragraph 2.2 above;

8) Art. 5, par. 1, lett. a) and 12, par. 2 of the Regulation, for the reasons described in number 8 of paragraph 2.2 above;

9) Art. 21 of the Regulation and art. 130, paragraphs 1 and 2 of the Code, for the reasons described in number 9 of paragraph 2.2 above;

10) Art. 130, paragraph 4, of the Code, for the reasons described in number 10 of paragraph 2.2 above;

11) Art. 31 of the Regulation, for the reasons described in number 11 of paragraph 2.2 above;

12) Articles 5, par. 1, lett. a), 12 and 13 of the Regulation, for the reasons described in number 12 of paragraph 2.2 above;

13) Articles 12 and 13 of the Regulation, for the reasons described in number 14 of the previous paragraph 2.2;

14) Articles 6, par. 1, of the Regulation and 130, paragraphs 1 and 2, of the Code, for the reasons described in number 15 of the previous paragraph 2.2.
 
Having ascertained the unlawfulness of the Company's conduct with reference to the processing taken into consideration, it is necessary, with regard to Enel Energia S.p.A., to:

- issue a warning, pursuant to art. 58, par. 2, lett. a), of the Regulation, regarding promotional campaigns through telesellers which, according to the defensive statements, EE resumed following the pandemic emergency. In order not to violate the provisions of the Regulation, these campaigns must be conducted in full compliance with the principles of accountability and privacy by design, with the controller having to prove at any time that the activation of offers and services and the registration of contracts take place only following promotional contacts made by the Company's sales network through telephone numbers registered in the ROC - Register of Communication Operators and after the necessary verification of the contact lists;

- issue a warning, pursuant to art. 58, par. 2, lett. b), of the Regulation, on the fact that providing an incomplete and unsuitable representation and evidentiary documentation regarding elements under assessment by the Authority, as well as failing to respond to a request for information formulated by the latter during the preliminary phase of the procedure, constitutes a violation of the duties of cooperation with the supervisory authority to which the data controller is bound pursuant to art. 31 of the Regulation;

- order, pursuant to art. 58, par. 2, lett. d) of the Regulation, that each processing operation carried out by its sales network be adapted to methods and measures suitable for ensuring and proving that the activation of offers and services and the registration of contracts take place only following promotional contacts that, if made by telephone, have been carried out by the aforementioned sales network through telephone numbers registered in the ROC - Register of Communication Operators and in compliance with the provisions of art. 130 of the Code;

- order, pursuant to art. 58, par. 2, lett. d), the implementation of all the additional technical and organizational measures necessary for the management of requests to exercise the rights of the interested parties - and in particular the right to object to promotional purposes - which make it possible to respond to the interested parties, as well as to identify and correctly acknowledge their actual will, without undue delay and in any case, at the latest, within 30 days of receiving the requests, without prejudice to overriding legitimate reasons and without prejudice to the need, promptly communicated to the interested parties, for any extension of the time to respond;

- request the Company to communicate what initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback, pursuant to art. 157 of the Code, within 40 days from the notification of this provision; any non-response may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation;

- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application to Enel Energia S.p.A. of the administrative pecuniary sanctions provided for by art. 83, par. 4 and 5, of the Regulation.
 
4. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
 
The violations indicated above require the adoption of an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application to Enel Energia S.p.a. of the pecuniary administrative sanction provided for by art. 83, para. 3, 4 and 5, of the Regulation (payment of a sum up to € 10,000,000 or, for companies, up to 2% of the annual worldwide turnover of the previous year, if higher and payment of a sum up to € 20,000,000 or, for companies, up to 4% of the annual worldwide turnover of the previous year, if higher);
 
To determine the statutory maximum of the pecuniary sanction, it is therefore necessary to refer to the turnover of Enel Energia SpA, in accordance with the previous provisions adopted by the Authority, and consequently to set this statutory maximum, in the case in question, at € 530,279,555.
 
For the purposes of determining the amount of the penalty, the elements indicated in art. 83, par. 2, of the Regulation must be taken into account;
 
In the case in question, the following are relevant:
 
1) the seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation) - with reference to the disputes referred to in numbers 2, 3 and 4 - due to the particular pervasiveness of the unlawful contacts made in the name of the controller (detrimental to various fundamental rights and, in particular, in addition to the right to the protection of personal data, the right to privacy and the right to individual tranquility), the level of damage actually suffered by the data subjects, who have been incessantly exposed to nuisance calls, the growing difficulties they encounter in stemming the phenomenon, and the multiplicity of conduct engaged in by EE in violation of several provisions of the Regulation and the Code;
 
2) as an aggravating factor, the duration of the violations (Article 83, paragraph 2, letter a) of the Regulation), due to the repeated nature of the violations referred to in numbers 2 to 4, which lasted more than six months, considering that the first reports refer to unwanted calls in 2018; similarly, the Single Profile was active in the manner illustrated in numbers 12 to 15 until June 2021, when, according to the statements made by the Company, the information and consent box were modified;
 
3) as an aggravating factor, the high number of parties involved (Article 83, paragraph 2, letter a) of the Regulation) which, for the violation referred to in numbers 2 to 4, must take into account not only the numerous whistleblowers and claimants (140); similarly extensive is the audience of interested parties whose data are processed in the context of the Single Profile. According to what the Company reported during the re-confrontation, this would involve over 3 million Enel Digital users;
 
4) as an aggravating factor, the negligent nature of the conduct (Article 83, paragraph 2, letter b) of the Regulation) in consideration of the wide and constant dialogue with the Guarantor on all aspects of telemarketing, as well as the relevant provisional activities of the Authority, elements which, also in the light of recent Authority measures, should have constituted a valid support in the organizational choices of the Company but which, in particular with reference to the violations referred to in numbers 2 to 4, were largely disregarded.
 
5) as aggravating factors the specific recurrence of the conduct (Article 83, paragraph 2, letter e) of the Regulation) and the previous adoption by the Authority of similar corrective and sanctioning measures with reference to similar treatments (Article 83, par. 2, letter i) of the Regulation);
 
6) as a mitigating factor, the adoption of measures aimed at mitigating the consequences of violations (Article 83, paragraph 2, letter c) of the Regulation), with reference, in particular: a) to the implementation of the possibility for the interested party to check directly from the EE website "the traceability to EE and its partners of the numbers from which he has received commercial calls."; b) the modification of the information on the site, including that relating to the Single Profile; c) the reformulation of the illustrative captions in the vicinity of the boxes for the acquisition of consents, always within the scope of the Single Profile;
 
7) as additional factors to take into consideration in calibrating the sanction (Article 83, paragraph 2, letter k) of the Regulation), the ample time granted to all data controllers to allow them a complete and consistent adaptation of systems and procedures to the new European legislation, in force since 25 May 2016 and fully applicable from 25 May 2018; the particular attention that the legislator has dedicated to the regulation of the telemarketing phenomenon, also with recently adopted regulatory interventions (e.g., law no. 5/2018); Enel Energia's primary market position in the telecommunications sector and the overall economic value of the Company; the need to promptly introduce adequate measures, in the face of a clear and perceptible increase in the phenomenon of promotional communications, of which the Company has shown itself to be fully aware, as the deadline set by the legislator for the definitive transition from the protected market for electricity and natural gas to the free market approaches.
 
On the basis of all the elements indicated above and of the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, in the initial application of the administrative pecuniary sanctions provided for by the Regulation, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is considered that the administrative sanction of the payment of a sum of € 26,513,977 (twenty six million, 513,977), equal to 5% of the maximum legal sanction, should be applied to Enel Energia Spa, in line with other recent measures adopted by the Authority in the field of telemarketing.
 
In the case in question, it is believed that the ancillary sanction of the publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, should also be applied, taking into account the conduct of the Company as well as the high number of subjects potentially involved in the processing examined;
 
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.
 
IN VIEW OF ALL THE ABOVE, THE GUARANTOR

a) issues a warning to Enel Energia S.p.A., pursuant to art. 58, par. 2, lett. a), of the Regulation, on promotional campaigns through telesellers which, according to the defensive declarations, the controller has resumed following the pandemic emergency; in order not to violate the provisions of the Regulation, such campaigns must be conducted in full compliance with the principles of accountability and privacy by design, with the controller having to prove at any time that the activation of offers and services and the registration of contracts take place only following promotional contacts made by the Company's sales network through telephone numbers registered in the ROC - Register of Communication Operators and after the necessary verification of the contact lists;

b) issues a warning to Enel Energia S.p.A., pursuant to art. 58, par. 2, lett. b), of the Regulation, on the fact that providing an incomplete and unsuitable representation and evidentiary documentation regarding elements under assessment by the Authority, as well as failing to respond to a request for information formulated by the latter during the preliminary phase of the procedure, constitutes a violation of the duties of cooperation with the supervisory authority to which the data controller is bound pursuant to art. 31 of the Regulation;

c) orders Enel Energia S.p.A., pursuant to art. 58, par. 2, lett. d) of the Regulation, to adapt any processing carried out by its sales network to methods and measures suitable for ensuring and proving that the activation of offers and services and the registration of contracts take place only following promotional contacts which, if made by telephone, have been carried out by the aforementioned sales network through telephone numbers registered in the ROC - Register of Communication Operators and in compliance with the provisions of art. 130 of the Code;

d) orders Enel Energia S.p.a., pursuant to art. 58, par. 2, lett. d), to implement all the additional technical and organizational measures necessary for the management of requests to exercise the rights of the interested parties - and in particular the right to object to promotional purposes - which make it possible to respond to the interested parties, as well as to identify and correctly acknowledge their actual will, without undue delay and in any case, at the latest, within 30 days of receipt of the requests, without prejudice to overriding legitimate reasons and without prejudice to the need, promptly communicated to the interested parties, for a possible extension of the time to reply;

e) orders Enel Energia S.p.a., pursuant to art. 157 of the Code, to communicate to the Authority, within 40 days of notification of this provision, the initiatives undertaken in order to implement the provisions and prohibitions adopted, as well as the requests of the complainants; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation.
 
ORDER
 
to Enel Energia S.p.a., in the person of the pro-tempore legal representative, with registered office in Rome, Viale Regina Margherita n. 125, Tax Code 06655971007, to pay the sum of € 26,513,977 (twenty six million, 513,977) as a fine for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed.
 
ENJOINS
 
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 26,513,977 (twenty-six million, 513,977), according to the methods indicated in the annex, within 30 days from the notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.
 
PROVIDES FOR

the application of the ancillary sanction of the publication of this provision on the website of the Guarantor, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.
 
Pursuant to art. 152 of the Code and 10 of Legislative Decree n. 150/2011, against this provision, opposition may be proposed to the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself.
 
Rome, December 16, 2021
 
PRESIDENT
Stanzione
 
THE RAPPORTEUR
Ghiglia
 
THE DEPUTY SECRETARY GENERAL
Filippi
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
SEE ALSO
 
Press release dated January 19, 2022
 
 
 
[doc. web n. 9735672]
 
Order injunction against Enel Energia S.p.a. - December 16, 2021
 
Record of measures
n. 443 of December 16, 2021
 
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
 
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, professor Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and dr. Claudio Filippi, Deputy Secretary General;
 
GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95/46/EC (General Data Protection Regulation, hereinafter the "Regulation");
 
GIVEN the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n.196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter the "Code");
 
HAVING REGARD to the documentation on file;
 
HAVING REGARD to the observations made by the Secretary General pursuant to art. 15 of the regulation of the Guarantor n. 1/2000;
 
RAPPORTEUR Dr. Agostino Ghiglia;
 
WHEREAS
 
1. THE INVESTIGATION ACTIVITY CARRIED OUT
 
1.1 Introduction
 
With act no. 26890/21 of May 14, 2021 (notified on the same date by certified e-mail), which here must be understood as fully reproduced, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation vis-à-vis Enel Energia S.p.a (hereinafter "EE" or "the Company") in the person of the pro-tempore legal representative at the company's registered office in Rome, Viale Regina Margherita no. 125, Tax Code 06655971007.
 
The proceeding originates from a complex investigation activity initiated by the Authority following the receipt of numerous complaints and reports from interested parties, who complained, primarily but not exclusively (as will be seen in more detail in par. 1.2 below), of receiving, in the name and on behalf of Enel, one or more unwanted promotional phone calls, including via pre-recorded disc, to reserved users or users registered in the public opposition register, together, in some cases, with related complaints regarding the exercise of rights and, more generally, the management of user data in the context of energy supply services.

The phenomenon of telemarketing in the energy sector, of which the investigation against Enel is part, despite having already been the subject of the attention of the Guarantor in the past, has undergone a sharp and worrying increase as the deadline set by the legislator (moreover following multiple extensions) approaches for the definitive transition from the protected market of electricity and natural gas to the free market (see, lastly, Article 12, paragraph 9-bis, letter b) of Law Decree 31 December 2020, n. 183, converted, with modifications, by law February 26, 2021, n. 21). In fact, the Authority was the recipient, in this context, of the complaints of citizens regarding a persistent and disturbing sense of interference in their own sphere of confidentiality due to these practices, often accompanied by behaviors that are not only invasive but also, as complained, particularly aggressive.

The Authority's approach, in accordance with the previous investigations relating to other data controllers, was therefore based on an overall observation and evaluation, rather than on the logic (albeit fundamental and necessary) of an individual response to each single complaint, of behaviors that reveal a phenomenon already known, to which the approach of the aforementioned legislative deadline has brought elements of chronicity, particular intensity and, consequently, invasiveness in the private sphere of the interested parties.

In the context of the regulations on the protection of personal data, the aforementioned systemic and global analytical approach to the problem, which the Guarantor intended to apply, assumes particular relevance for understanding the nature and purpose of the processing and the technical and organizational measures adopted by the data controller to ensure compliance with the EU General Regulation 679/2016 (hereinafter "RGPD" or "Regulation") as a whole, as well as, in light of the principle of accountability (Article 5, par. 2, RGPD), the methods by which compliance with this regulatory framework is proven.
 
Therefore, the activity of the Guarantor was carried out mainly through unitary investigations and requests for cumulative information. With the entry into force of regulation no. 1/2019, concerning the performance of the tasks and the exercise of the powers delegated to the Authority (in www.gpdp.it, web doc. No. 9107633), the Office was in fact able to avail itself of the option provided for in art. 10, paragraph 4, to carry out the preliminary investigation precisely in relation to multiple complaints and reports having the same object or relating to the same data controller or processor, or to data processing related to each other. This is in order to examine, with greater effectiveness and, at the same time, necessary economy of the means of investigation, the complaints that have concerned a plurality of conducts referable not only directly to Enel but also to some commercial partners which it uses.
 
In this context, Enel S.p.A. and Enel Energia S.p.a. initially received, from December 2018 to July 2020, four separate requests for cumulative information (infra par.1.2) which concerned a total of 135 files and were divided as follows:
 
13 December 2018, relating to 25 reports (file 133144; hereinafter "I cum."), followed by the company's reply sent to the Guarantor on 21 December 2018;

19 August 2019, relating to 32 reports (file 133144; hereinafter "II cum."), with the company's reply sent to the Guarantor on 6 September 2019;

December 17, 2019, relating to 25 reports (file 133144; hereinafter "III cum."), with the company's reply sent to the Guarantor on August 21, 2020;

10 July 2020, relating to 8 complaints and 45 notifications (file 152287; hereinafter “IV cum.”), followed by the company's response sent to the Guarantor on 21 August 2020; as well as, on 24 December 2020, a further request to supplement the information provided with regard to the cases already identified in the aforementioned note of 10 July 2020 (file 152287; hereinafter “IV-bis cum.”). The response to this last request was received on January 14, 2021. The replies to the aforementioned requests for information came only from Enel Energia, as the company active in the free market for the sale of electricity and natural gas.
 
The complaints conducted against EE also included the assessments that emerged in the context of investigations carried out with respect to individual cases. The reference is, in particular, to 5 further complaints submitted, pursuant to art. 77 RGPD, before the date of 20 July 2020 (infra par.1.3).
 
1.2. Requests for information and presentation of documents, pursuant to art. 157 of the Code and the feedback provided by Enel
 
The detailed examination of the complaints received by the Authority led, in accordance with the aforementioned logic, to formulate various requests for information, in subsequent times, in relation to the companies concerned, pursuant to the combined provisions of Articles 58, par. 1, lett. a) GDPR and art. 157 of the Code. The respective issue numbers are specified in brackets. The same and the feedback provided by the Company are summarized below, without prejudice, however, to the full and complete reference to what has already been reported in the contestation deed.
 
Request of 13 December 2018 (I cum.): The complaints received by the Guarantor, at the basis of the aforementioned requests for information, concerned, in particular, the processing of personal data of the interested parties in the context of unwanted promotional telephone calls, as they were made to reserved users in the absence of the necessary consent of the interested parties (132890, 133076, 132810, 132578, 131243, 131039, 130428, 129707, 122612, 106175), or to fixed users despite the registration of the number in the public register of oppositions (132985, 132792, 131811, 131762, 131444, 131337, 131237, 130644, 130529, 130349, 130197, 130077, 129198), as well as the late reply to requests to exercise the rights of access to personal data or to oppose the related processing for the purpose of marketing (132334, 129416).

With regard to the undue promotional contacts made both towards interested parties whose numbers were confidential and towards interested parties whose users were registered in the ROP, which formed the basis of the request for information of 13 December 2018, the overall response provided in particular by EE highlighted that in all the reported cases the calling numbers did not belong to those in use by the company or its commercial partners and that said numbers, from an online search, were related to "self-styled operators who illegitimately spend the name of Enel Energia itself - or that of other companies also operating in sectors other than the energy one" (see the company's response of 21 December 2018).

On the other hand, with reference to the exercise of the rights whose non-response was complained of (files 132334 and 129426), the answers provided by EE, again following the aforementioned request from the Office, effectively accounted for the delay recorded by the company in following up on the requests of the interested parties.

Request of 19 August 2019 (II cum.): With regard to the feedback provided in particular by EE following the second request for information made by the Office on 19 August 2019 (files 116720, 116698, 136284, 137069, 137220, 137655, 137710, 137730, 137772, 137777, 138579, 139334, 140475, 136877, 136921, 136932, 137159, 137360, 138000, 139071, 139222, 139228, 139838, 139930, 140166, 140273, 140301, 138749, 138775, 139131, 139219, 138716), EE again represented that, even in the new complaints presented to the Guarantor, the unwanted promotional telephone calls that the interested parties reported as attributable to EE instead came from numbers extraneous to the company and its network of commercial partners.
 
More specifically, the company highlighted that from the computer checks carried out in its company systems, most of the interested parties had never had a contractual relationship with it. Only in five cases the personal data of the reporting persons were found to be present in the EE systems due to existing contractual relationships, while in six cases the contractual relationships were terminated. With respect to two specific cases, however, the company found that the promotional contacts were attributable, in one case, to one of its partners by virtue of an agency contract still in place (136877) and, in the other, they came from a former partner, with which the contractual relations had been concluded prior to the making of the unwanted promotional phone call (137360, 138000).
 
Request dated 17 December 2019 (III cum.): A new request for information was sent to the Company regarding a further 25 reports, relating to users who own both reserved numbers in the absence of the necessary consent (142718, 142745, 142834, 143230, 142718, 143221, 143721, 144373, 144437, 144518) and registered in the public register of oppositions (142833, 143025, 143222, 143688, 143749, 143766, 144316, 144446, 145020).
 
The complaints received also reported the receipt of promotional calls declared to be in the interest of EE via a pre-recorded disc (143863, 144081, 144296, 144240, 144385). In one case, the whistleblower, in the face of undue receipt of promotional phone calls, exercised his rights towards EE, in particular that of opposition to processing for direct marketing purposes (144760).
 
In the face of what is represented by the interested parties, the company has not provided, within the deadline, any kind of feedback, so as to induce the Guarantor to reiterate, pursuant to art. 157 of the Code, the request for information regarding the aforementioned files, together with a subsequent request, which became necessary in the face of further reports and complaints subsequently received by the Authority (IV cum.).
 
However, the late overall response provided by the company showed that in all cases the calling numbers did not belong to those used by EE and its partners.
 
In relation to cases in which the whistleblowers have shown that they have been contacted through automated methods, in particular an answering machine, EE has provided its feedback, highlighting that it is not "in the availability of the personal data of the interested parties" (143863; 144240; 144296), and also stating that it does not make "promotional calls via automated answering machine." (144240). In two other cases, the company did not provide any feedback, apart from the aforementioned generic reference to the extraneousness of the calling numbers (144081; 144385).
 
Similar statements were made by the company in relation to further reports (139123 and 143511), initially subject to independent investigation and, subsequently, merged into the aforementioned main proceeding. In these reports, various unwanted promotional contacts were complained of via pre-recorded disc which, in view of the imminent termination of the protected market, invited the transition to the free market with EE. The company, in the context of subsequent discussions with the whistleblowers, denied any traceability to itself of these contacts.
 
The extraneousness of EE to the complained phenomenon was also reiterated in response to another report (file 139206) in which the interested party, after having complained for the umpteenth time about the continuous phone calls from the "Enel Energia answering machine", acknowledged having selected, at the end of the pre-recorded message, key “3” with the option of being contacted again. Following this action, the reporting party declared that he had actually been contacted by a physical operator in the name of EE and, even, that he had scheduled a subsequent visit and met a self-styled agent presenting himself as an Enel appointee, only to then ascertain the involvement of a commercial partner of EE, XX., and to receive from the latter company, following the legitimate exercise of his rights, only the indication that it does not manage call center activities or promotional activities.
 
As part of the cumulative requests and the related feedback provided, also with regard to the reports regarding users registered in the public opposition register, the company then reiterated that in some cases the interested parties were holders of contracts that have now ceased (143688, 143766, 144446); or, in others, still outstanding (142833, 143749, 143766, 145020).
 
Request of 10 July 2020 (IV cum): the grievances underlying the fourth request concerned, once again:
 
receiving unwanted promotional calls to numbers registered in the opposition register (136820, 140498, 140527, 140842, 141460, 142199, 143304, 143549, 143610, 146926, 147410, 148139, 151382) and to reserved numbers without prior acquisition of the necessary consent (109024, 136529, 139443, 140347, 140821, 141283, 141602, 142057, 145842, 146806, 146898, 147277, 147347, 147737);

the use of pre-recorded discs, again in the context of promotional and commercial calls (138477, 140347, 144213, 147139, 147196, 147750);

the failure of Enel Energia to respond to the exercise of the relative rights, as well as the receipt of further promotional telephone calls, including pre-recorded ones, despite the acknowledged opposition to the processing (138729, 140347, 146556, 140058, 143143, 142953, 150137).
 
The Authority's requests also pointed to the opportunity to provide clarifications on:

the relations between EE and other companies that would have contacted the interested party on its behalf, as well as the use of the telephone number (136020);

the alleged mandatory consent to be issued for marketing and profiling purposes by other companies of the Enel group and commercial partners, in the context of the use of apps for consulting consumption and for paying bills (142396, 142400, 143619, 144726);

sending promotional text messages in the absence of the interested party's consent (150613);

the acquisition and automatic association of contact telephone numbers (146166, 138115);

sending invoices and other personal data to other users (147284);

the improper use by third parties of information available to EE (143728) as well as the related forms (151477);

further and distinct complaints (140103; 140911).
 
In view of the aforementioned framework, EE recalled the sales processes used by it as a company active in the free market for electricity and natural gas, also through its own commercial network, and declared that it had also adopted, with regard to its sales partners, adequate technical-organizational measures with respect to the processing of personal data involved in these processes.

The Company also acknowledged "that it has to manage an important number of complaints which, however, in most cases are not attributable to the commercial conduct adopted by the same", as well as the frequency of abusive use of its name by third parties that, through fraudulent conduct, try to gain an economic advantage and undermine its consolidated reputation. In this sense, EE intervened "warning these subjects to cease the illegal activities inherent in the abusive use of their distinctive signs and the unfair commercial practices put in place, also by filing a complaint with the Judicial Authority". In particular, with respect to the phenomenon of pre-recorded telephone calls, the reference was to two complaints filed with the Public Prosecutor of Rome on 12.11.2019 and 2.3.2020 respectively.

In relation to the complaints about the receipt of promotional phone calls via pre-recorded disc, the company highlighted, once again, its extraneousness to these methods of contact, justifying in any case the availability of the data of the whistleblowers on the basis of the reasons already mentioned previously (140347: some automated calls were made by an EE partner; 144213: for complaint management purposes; 147139: perceived quality detection process; 1457750: for reporting purposes).

With regard to the compulsory issue of consent for marketing and profiling purposes for accessing and using the online services and via the app for consulting and paying invoices (142396, 144726, 142400, 143619), EE then represented that, to simplify these functions, the so-called Single Profile was implemented, consisting of an account for accessing the web portals and apps of the Enel Group companies. The company also stated that "for the purposes of registering the account, only the confirmation of having read the information by the user is required and not the release of consent to the processing of personal data for marketing and profiling purposes [omissis], as instead erroneously reported by some complainants". This circumstance, with respect to individual complaints, was communicated directly to the interested party only in one case (142396).
 
With respect, however, to the additional individual cases highlighted, here we are limited to making full and complete reference to what is reconstructed in the contestation deed, referred to here in its entirety.
 
Request dated 24 December 2020 (IV-bis cum.) and assessment carried out by the Office: with reference to the latest reply received from EE (21 August 2020, reply to III cum. and IV cum.), the latter was the recipient of a further request for information and clarifications with respect to some circumstances that emerged therein, in particular with respect to the role of some commercial partners and the related activity, as well as the actions undertaken and the measures adopted against these subjects. In particular, with regard to the significant phenomenon of pre-recorded telephone calls for promotional purposes, with respect to which the company had previously declared that it was not involved in any way, a more precise response was requested with respect to the initiatives allegedly undertaken and the measures adopted to counter this phenomenon.

In providing further feedback to the Guarantor, on 14 January 2021, EE sent the contractual addendum models governing the relations between the latter and some of its commercial partners and also specified, with reference to each case subject to the request for information, that it had contested, following the request for information from the Guarantor of 10 July 2020, the illegitimate use of the personal data of the reporting parties and had notified the contractually envisaged penalty to some partners (136820, 140911, 141460).

In relation to the phenomenon of calls made via automated answering machine, EE communicated, attaching documentary proof, that it had filed two complaints with the Public Prosecutor's Office of Rome, on 12 November 2019 and 2 March 2020, in order to protect its good name, illegally used by third parties, as well as "to distance themselves" from this promotional contact method.

With regard, then, to online services and in particular to the preparation of an app for consulting energy consumption and for the payment of bills by users, as part of the so-called Single Profile, the company was requested to provide clarifications regarding the operating methods of the aforementioned app, as well as indications on the quantitative dimension of the service.
 
The company responded to this request, highlighting that “In order to access digital services, the Unique ID must be activated. [omissis] Through a single pair of credentials (username and password) it is possible to access all the digital services that the individual companies of the Enel Group make available, without the need to make a new registration in order to access one of the companies of the Enel Group other than the one for which the first registration was made. " Currently, this access method applies only to Enel Energia and Enel X, while the companies of the Enel Group subject to the unbundling legislation are excluded from the Single Profile (as regards Italy, SEN and E-distribution).
 
EE also stated that "Through the Single Profile, companies only share the credentials necessary for access to their respective digital services", specifying that "the personal data that have been given by the digital user to the various companies (for example, for the purposes of management of the existing contractual relationship with them) are not transferred from one company to another". Since September 2019, the use of the Single Profile is mandatory for all digital users, that is, users who had previously activated an online account and who have been guided, through a migration process, to the new profile, as well as users who did not previously use digital services.
 
Finally, the company provided information on the quantitative dimension of the use of the Single Profile (3,113,254 users) and the App (1,665,969 users).
 
Given the persistent lack of information about the methods of granting consents for marketing purposes in the context of the creation of the Single Profile and use of the App, despite the complaints of the whistleblowers on this specific aspect, fully transmitted to the company (142396, 144726, 142400, 143619), the Office deemed it appropriate to carry out an investigation directly (see report of investigations carried out, May 7, 2021 and annexes).

In this sense, it was possible to see that, following the insertion of the required data (name, surname, contact information, tax code), the user views a first screen for information purposes, in which both Enel Energia and Enel Italia S.p.a. are indicated as independent data controllers. Subsequently, it is possible to view a second screen relating to the Terms and conditions of the service and the Privacy Policy, accompanied by two boxes that must necessarily be marked in order to proceed with the registration (as described by EE in the reply of 14 January 2021). The confirmation of having read the aforementioned conditions and the information, in which the purposes for which the consent, albeit optional, of the interested party is requested are indicated, is not, however, followed by an immediate and easy viewing of a specific section dedicated to the collection of any consents referred to in the information itself. Only after completing the registration procedure and accessing the reserved area, in fact, can the user begin a path, which is not easy to understand, which will lead him to express his will or his refusal regarding the processing of his own data for the marketing and profiling purposes of EE, Group companies and third parties.
 
1.3. Complaints instructed individually
 
Autonomous investigations were conducted into various complaints received by the Authority in the period under consideration; these were merged with the main procedure for unitary discussion, on the basis of the provisions of Articles 10, paragraph 4, of the regulation of the Guarantor n. 1/2019 and 8, paragraph 2, of the regulation of the Guarantor n. 2/2019.

The issues raised concerned, once again, the phenomenon of unwanted promotional calls, in particular through pre-recorded discs, for the transition to the free market with EE, addressed to both former customers and non-customers of EE, some complaints about the exercise of rights, and the sending of unsolicited promotional communications via e-mail or text message.

In particular, three complaints (files 142298, 144397 and 136321) concerned the receipt of various unwanted telephone contacts, even though the interested parties had already represented this situation on several occasions to EE, requesting the cancellation of their personal data or communicating their opposition to processing for promotional purposes. In two of these cases the calls were made via a pre-recorded disc (files 142298 and 144397) and in particular in one (file 142298) the complainant was even able to accurately report having received, after selecting the so-called "Option 3" to be contacted again (an option present in the recording), a subsequent telephone call from a call center operator who, presenting himself as EE, proposed the switch to the latter in the free market, confirming, furthermore, following repeated requests by the interested party, that he was acting on behalf of Enel and not of third-party companies.

Other specific aspects concerned, again in the context of unwanted promotional communications by EE, the correct management of requests to exercise the rights guaranteed by articles 15-22 of the Regulation, in particular of the request for opposition to the processing of data, exercised during the signing of the contract (file 133249) and/or subsequently through specific communication to the data controller (files 133249, 136529 and 136321).

Finally, in two cases, the complainants also complained of receiving unsolicited promotional communications via e-mail and/or text message (files 133249 and 136321).
 
In general, in the face of all the complaints about unwanted promotional telephone calls, the Company has always declared itself completely unrelated to the calls reported, specifying that the caller numbers from which the complained contacts were received do not belong to the range of numbers used by EE or to those that can be connected to their partners.
 
Only in one case (file 136321), following the request for information from the Guarantor, did the Company highlight that the complained telephone contact had been made as part of customer satisfaction activities by company XX, with which EE had entered into a contract for the performance of this service, appointing it as the data processor.
 
More specifically, with regard to the alleged use of the pre-recorded disk, EE represented, in relation to the two aforementioned complaints (files 142298 and 144397), that it did not have any automated answering machine system to make outbound calls for promotional purposes, or to propose new contracts or acquire new customers.
 
As for the requests relating to the exercise of rights, in one case (file 133249), EE admitted the delay in the management of the request, first attributing it to a technical problem linked to the management of its certified mail; then, in acknowledging that it had registered the objection of the complainant in its company systems, it attributed the incorrect registration of the latter's will to the operator of the Enel point during the loading phase of the contractual information, with the consequence that "due to this error the email address provided by the customer when signing the aforementioned contract was used as the recipient of email marketing campaigns carried out with the logic of soft spam". With respect to the communications sent by the complainant, the company then stated that the e-mail address to which they would have been addressed is non-existent and in any case that it subsequently proceeded to correctly register the opposition of the interested party in its company systems. In the face of this representation, the interested party replied, highlighting, in particular, that the contact data was that expressly indicated at the bottom of the promotional e-mails received.

With regard to the complaint that also concerned the receipt of unsolicited promotional communications via e-mail and text message (file 136321), EE highlighted how: a) the e-mail communication concerning the possibility of subscribing to a loyalty program, promoted by the company, "it was sent as "soft spam", since it is a communication relating to services that the customer can benefit from as part of the supply service"; b) the communication received via text message and sent by an energy store was found to be attributable to a former partner of EE, warned by the company of the illegitimate use of the Enel trademark.
 
1.4 Closure of the investigation and initiation of the procedure for the adoption of corrective measures
 
Having examined the feedback provided by the Company, the Office, pursuant to art. 166, paragraph 5, of the Code, has adopted the act of initiating the procedure referred to in the introduction, with which it has challenged the Company for violations of the following provisions:
 
1. Art. 31 of the Regulation (Cooperation with the Supervisory Authority), for not having provided any response to the request sent by the Guarantor to the company on 17 December 2019 (III cum.), as a result of which, in order to obtain all the elements useful for an evaluation of the merits, the Office deemed it necessary to repeat the aforementioned communication (IV cum.); equally not respectful of art. 31 of the Regulation was the attitude adopted on the occasion of the replies to I, II, III cum. (received, in the latter case, as mentioned, only following a repeated request) and IV cum. (limited to some issues). The company, in fact, limited itself to highlighting how the calling numbers did not belong to the group of those in use by itself or its partners, without providing precise elements of evaluation in support of what was stated or offering specific evidence of the necessary verification of these numbers with respect to its own sales network, for the most part preparing a series of standardized responses for each of the reports. More specifically, in response to requests III and IV cum. (communication of the Company of 21 August 2020), a specific and analytical response to some of the reports received by the Authority was lacking, as the company limited itself to a generic exclusion of the calling number from those used by EE and its partners (III cum. 144373, 143221, 143025, 143222, 144316, 144081, 144385; IV cum. 140821, 145842, 146898, 142199, 143304, 146926, 138477, 147196; single inquiries: 136529), without providing, in fact, any element even of general classification of the individual cases highlighted.
 
2. Art. 5, par. 2, and 25, par. 1 of the Regulation (Principle of accountability and privacy by design), for not having undertaken an effective counteraction with respect to the phenomenon of undue promotional contacts carried out in its name, exercising (and being able to prove) in a full and conscious way, its attributions, to which the duties of accountability and privacy by design correspond (through elements of prevention, functionality, safety, transparency of treatment and centrality of the interested party).
 
The mere non-traceability of the calling numbers to the shortlist of those in use by the company and its commercial partners, repeated several times by EE as an element of response to the requests sent by the Guarantor, is, in fact, open to criticism in light of the proactive perspective that defines the principle of accountability of the data controller and that permeates the entire new regulatory framework of data protection.
 
Precisely the significance of the phenomenon and the circumstance that the telephone contacts were made in the name of Enel Energia as well as the primary role it plays as an operator in the energy market and the considerable organizational and management possibilities that characterize it, would have required feedback more in line with the necessary and essential work of constant vigilance and monitoring of the phenomena that emerged as a result of complaints also received directly by the company, especially in the area of telemarketing.
 
Furthermore, there has been no evidence, apart from a generic reference to the contractual clauses through which the company binds its partners to comply with the legislation on the protection of personal data, regarding the adoption of specific technical and organizational measures suitable for contrasting in an effective and resolutive way the complained phenomenon.
 
EE could have exercised towards its commercial partners (and shown that it exercised), in a full and conscious way, its powers, which correspond to the duties of accountability and privacy by design (through elements of prevention, functionality, safety, transparency of the treatment and centrality of the interested party) identified by articles 5, par. 2, and 25, par. 1 and 2 of the Regulation. In particular, it could have given evidence of the introduction of automatic and stable forms of control within the corporate organization both internally (also with regard to personnel) and with respect to the sales network constituted by its commercial partners, as well as on the systems appointed to activate offers and services to its customers. The programming of the latter, for example, could have been designed in a predefined way in order to signal and block in real time the attempts to load supply contracts obtained in an opaque manner or in any case the outcome of treatments performed in violation of the legislation on the protection of personal data.
 
The company should also have taken into account the identification of specific selection criteria and specific audit activities with regard to its partners, as well as timely verification actions, also through automated methods, of its internal processes for managing personal data also under the profile of the correctness and security of access to user data as well as, on the other hand, in relation to the signing and consequent uploading of new contracts.
 
These measures would have contributed to a more appropriate representation of the awareness and corporate choices made, even more so to protect a position that is described as strongly compromised, in terms of image and reputation, by allegedly incorrect third party conduct.
 
3. Art. 5, par. 2 (Principle of accountability), for not having proven compliance with the legislation on data protection in the case of unwanted promotional communication made by a partner. Even in the cases in which the company gave account of the undue telephone contact by one of its partners following information requested by the interested party at an EE point of sale (II cum: 136877), the representation provided to the Office was limited to the generic reserve for the adoption of appropriate measures towards the partner himself, without however providing evidence of the actions taken, especially in a more articulated framework of measures and interventions that, at company level, should be envisaged for the management of these problems. This behavior is not in line with the aforementioned principle of accountability of the data controller (Article 5, paragraph 2 of the RGPD) which requires the latter to prove compliance with the legislation on data protection.
 
4. Art. 5, par. 2 and 24 of the Regulation (Principle of accountability and responsibility of the data controller) for not having controlled the activity of its business partners, including through appropriate technical and organizational measures. With regard to reports that complained of unwanted contacts through automated methods, in particular an answering machine, EE then limited itself to generally declaring that it did not make "promotional calls via automated answering machine." (III cum: 143863, 144296, 144240; 144296; IV cum: 140347, 144213, 147139, 147750; single inquiries: 139206, 143511, 139123, 142298, 144397).
 
Given the above, the company has therefore not provided detailed elements aimed at excluding its own involvement with respect to the formulation of pre-recorded messages which in all the reports have been described as coming from Enel Energia and aimed at facilitating the passage of users to the same companies in the free market. This proves that the promotional activity was carried out for the benefit of EE, albeit in ways allegedly not authorized by the company itself. Moreover, in two specific circumstances (III cum. 139206; single inquiries 142298) it clearly emerged that the interested parties, having opted for re-contact after registration (so-called "option 3"), have actually been re-contacted by physical operators qualified as persons in charge of Enel Energia and even subsequently met personally with persons who qualified as agents of the company or in any case connected to partners of the same (XX).
 
These circumstances denote a lack of control by EE over the activity of its partners who carry out promotional activities to its advantage, including through appropriate technical-organizational measures, thus integrating the violations of Articles 5, par. 2, and 24 of the GDPR.
 
5. Art. 5, par. 1, lett. d) of the Regulation (Principle of accuracy), for having erroneously automatically associated the number from which a call was made to the company's toll-free number (presumably a fixed user used on a one-off basis by the reporting party; IV cum: 146166).
 
6. Art. 5, par. 1, lett. d) (Principle of accuracy) and 6 of the Regulation (Lawfulness of processing), for having sent personal data via invoices to a user other than the holder of the contract following the association of the tax code of the reporting party to another Enel user, by reason of the alleged similarity between the two codes (IV cum: 147284). From this event it is possible to detect both the profile of the violation of the principle of accuracy, having been associated with the reporting person incorrect personal data, and an undue communication of personal data (in particular name, surname and tax code of a different user to the first, through sending invoices) in the absence of any assumption of legitimacy of the treatment;
 
7. Art. 12 of the Regulation (Transparency and methods of feedback to the exercise of rights), for not having provided the necessary and timely feedback to the interested parties about the legitimate requests for exercising the rights (in this case, the right of access and the right to object) formulated by the interested parties (I cum: 132334, 129416; III cum: 144726; IV cum: 138729). The company admitted the delay in following up the requests of the interested parties, justifying, at least in the two cases covered by the first request, this delay with the need to conduct more in-depth and additional investigations following the communication of the Guarantor (I cum: 132334) or else to suspend this activity pending the full applicability of the RGPD (I cum: 129416). In one case (III cum. 144726) the company attributed the failure to respond to a "mere technical problem".
 
8. Art. 5, par. 1, lett. a) (Principle of correctness) and 12, par. 2 of the Regulation, for providing contradictory feedback regarding a further request to exercise the rights advanced by the interested party in relation to the receipt of promotional calls via pre-recorded disk (IV cum: 136020). This is because in an initial response provided to the interested party (as per annex 19 to Enel's communication of 21 August 2020), EE admitted a "typing error" as the cause of the undue promotional contact, while in the representation provided directly to the Authority (page 15 of the response of 21 August 2020) it charged another customer with the responsibility of having provided the data of the reporting party as contact data connected to a supply user;
 
9. Art. 21 of the Regulation and art. 130, paragraphs 1 and 2 of the Code (Unsolicited communications and right of opposition), for having unduly sent promotional communications by e-mail, despite the refusal expressed by the interested party both in the process of signing the energy supply contract, with respect to the processing of data for marketing purposes, and through the subsequent opposition to the processing expressly addressed to the dedicated e-mail box (single inquiries: 133249);
 
10. Art. 130, paragraph 4, of the Code (Soft spam), for having sent a communication regarding the registration to the EE loyalty program, without having provided any evidence regarding the necessary presence of that objective element of an informative nature which is the basis of a correct dialogue with the interested parties and legitimizes the exemption from the acquisition of the relative consent, together with the presence of the other elements referred to in art. 130, paragraph 4, of the Code as well as by the Provision of the Guarantor of 4 July 2013 (web doc. No. 2542348; single investigations, fasc. 1346321);
 
The Guarantor also charged Enel with the following violations in relation to the Single Profile and the Consumption Management and Consultation App, also following an investigation carried out by the Office on May 7, 2021:
 
11. Art. 31 of the Regulation (Cooperation with the supervisory authority), for having offered insufficient collaboration to the supervisory authority, not having provided - even in the face of two requests to that effect together with the specific reports of the interested parties on the matter - any information about the methods of issuing consents for marketing and profiling purposes in the context of the use of digital services;
 
12. Art. 5, par. 1, lett. a), 12 and 13 of the Regulation (Principle of transparency and disclosure obligations), for having presented website users with two conflicting information notices as to the identification of the data controller. The user who intends to create a Unique Profile is, in fact, first redirected to a page where he is informed, through a brief communication, of the fact that Enel Energia and Enel Italia S.p.a. will manage his data as "independent data controllers". Subsequently, from a second more extensive information notice, whose acknowledgment declaration is mandatory, together with the terms of service, for registration, no reference to Enel Italia S.p.a. emerges, since only Enel Energia is mentioned as independent data controller. Such discordant texts generate confusion in the user and do not reflect the essential principle of information transparency, logically aimed at allowing the interested party also a conscious expression of consent;
 
13. Art. 5, par. 1, lett. c), of the Regulation (Principle of minimization), for having structured a procedure that allows the passage of superfluous and irrelevant data between the companies of the Group. The single Profile, in fact, allows access to the digital services of the various Group companies included in its perimeter and the credentials that the user acquires with a first registration also allow subsequent accesses to the digital services of said companies. However, beyond the data strictly necessary to create the user profile and access credentials, the mobile telephone number, address and tax code enrich the profile with superfluous or, at least, unnecessary information with regard to any future interactions with other Group companies. Furthermore, considering the mandatory use of the Unique Profile to access digital services, the user must provide, upon joining this service, a set of data not strictly relevant to the mere creation of the profile which are then shared, as part of the management of the single profile, between the various member companies of the Group;
 
Again in relation to the Single Profile, the joint reading of the text of the information and the form for the collection of consents (which can be found, however, only in a difficult and unintuitive way, within the reserved area) led the Office to contest the following further violations:
 
14. Articles 12 and 13 of the Regulation (Information to interested parties), for having issued to the interested parties, in relation to the Single Profile and within the reserved area of the site, information lacking a necessary identification of the recipients of the data both within the companies belonging to the Enel Group and with reference to a generic range of commercial partners; the generic reference to "Enel Group companies, parent companies, subsidiaries or associates, or commercial partners of Enel Energia" is unclear;
 
15. Art. 6, par. 1, of the Regulation and 130, paragraphs 1 and 2, of the Code (Lawfulness of processing and unsolicited communications), for not having acquired a specific and suitable consent from the interested parties with regard to processing carried out by different subjects as independent data controllers. The characteristics of the information described in point 14 together with the three generic purposes indicated in association with the boxes for the expression of consent (1. Marketing Enel Energia; 2. Marketing third parties; 3. Profiling) contribute to defining a consent that does not satisfy the granularity and clarity requirements provided for by current legislation (Article 4, No. 11 of the GDPR). In fact, a single consent to the communication of data for promotional purposes also by group companies, parent companies, subsidiaries and associates and commercial partners of EE, cannot be considered either specific or free and does not constitute a suitable legal basis for the aforementioned treatments, pursuant to art. 6 GDPR. Likewise, it cannot be considered clear whether the consent required for the marketing activities of the "parent companies, subsidiaries, associates or commercial partners of EE" by the same subjects refers to marketing activities that these companies carry out on behalf of Enel Energia or to a communication of data by Enel to third parties for their marketing purposes, also taking into account that, in the absence of a clear identification of the recipients, a consent linked to processing referable to an indefinite number of subjects cannot be considered suitable. Similar findings have been extended to the request for a single consent for profiling purposes both of Enel Energia and of the subjects already mentioned, as independent data controllers.
 
The aforementioned disputes were formulated by the Office on the basis of the more detailed observations contained in the act of initiating proceedings no. 26890/21 of 14 May 2021, which here must be understood as fully reproduced and to which full and complete reference is made. The report relating to the assessment carried out by the Office on the company's website on 7 May 2021 must likewise be understood as referred to here.
 
Finally, it should be noted that in the aforementioned act of initiation of the procedure, the Authority also recalled, for the sole purpose of giving further evidence of the pervasiveness of the telemarketing phenomenon, the over 250 requests, including complaints and reports, received by the Guarantor after the last request for information of 20 July 2020 and up to the date of formulation and notification of the deed itself. These further complaints, although not the subject of the aforementioned act of dispute, in fact highlighted a dynamic picture of persistent unease and an even more evident exasperation of the interested parties with respect to the correct processing of their personal data despite the recourse to the registration of telephone numbers in the RPO, or rather with respect to contact methods, such as calls via pre-recorded disk, which are particularly invasive and unwelcome. The same, therefore, while not merging into the investigation and the related phase of today's procedure, represent an undeniable historical fact that testifies, were it still needed, that the phenomenon of nuisance calls is far from being resolved.
 
2. DEFENSIVE OBSERVATIONS AND AUTHORITY ASSESSMENTS
 
2.1. Defense brief and hearing of Enel Energia S.p.A.
 
2.1.1. Premise
 
On June 28, 2021, Enel Energia sent a broad and articulated defense brief to the Authority, accompanied by copious documentation, pursuant to art. 166, paragraph 6, of the Code. On the basis of the same provision, on 7 July 2021 the hearing requested by the party for which a specific report was drawn up was held via videoconference. Both documents are to be understood here, for the protection of the party, fully referred to and reproduced, together with the attachments to the defense brief.
 
Pending the presentation of the defense brief, EE sent the Guarantor, on 26 May 2021, a request for an extension of the deadline for the presentation of the aforementioned briefs, together with a request for access to administrative documents referring to the assessment report of the activity carried out by the Authority on May 7, 2021 and to the approximately 250 instances mentioned in the contestation deed as proof of the persistence and diffusion of the phenomenon.
 
On 18 June 2021 the Authority, after having granted the requested extension, communicated the acceptance of the request relating to the report and the files in question, within the limits of a quantitative and sample verification of the latter, noting that no objection was formulated to the Company with respect to the individual and specific circumstances referred to in these requests, but precisely to their entirety and their value as an indicator of the persistence and diffusivity of the phenomenon.
 
The Company contested this method of granting access without, however, proceeding with a formal appeal against the related provision, but asking that the files in question not be taken into consideration in the context of this proceeding.
 
In the defense brief, the holder also requested the cancellation or in any case the filing of the proceedings by virtue of the "failure to comply with the regulatory terms for the Dispute" (page 13 et seq. of the brief). In particular, the sanctioning power of the Authority would have expired after the term of 120 days for the notification of the violation pursuant to art. 166 paragraph 5 of Legislative Decree 196/2003, the dies a quo having to be identified, according to EE, in the specific dates referable to each response (including those relating to complaints investigated individually) that the same would have sent to the requests for information sent from time to time by the Guarantor.
 
Consolidated jurisprudence on the matter of ascertaining administrative offenses contradicts the reconstruction of the Company, which is based on a logic of mere formal counting of the days following receipt of the feedback to the various requests for information, with EE identifying precisely in the acquisition of such feedback the constitutive element of the investigation activity and, therefore, the dies a quo.
 
In general, as regards the activity of the independent administrative authorities, the Cassation (Cassation Civ. Section 2, n. 31635/2018), taking up the arguments already expressed above, reiterated that "the activity of ascertaining the offense, in relation to which to place the starting date of the deadline for the notification of the details of the violation, cannot coincide with the moment in which the "fact" is acquired in its materiality, but must be understood as including the time necessary to evaluate the data acquired and relating to the (objective and subjective) elements of the infringement and, therefore, of the final phase of deliberation related to the complexity, in this case, of the investigations aimed at ascertaining the existence of the infringement itself and at acquiring full knowledge of the unlawful conduct, in order to assess its consistency for the purposes of the correct formulation of the dispute (see Cass. n. 13050/2014; Cass. n. 1043/2015 and Cass. n. 770/2017, cit.)".
 
In confirmation of the consolidated approach of the Supreme Court, recent rulings by the Council of State should also be highlighted (e.g., Section VI, no. 4020, of 24 May 2021) where it is noted that "in terms of administrative sanctions, what is relevant for the purposes of compliance with the principle of the immediacy of the dispute [...] is not the news of the sanctionable fact in its materiality, but the acquisition of full knowledge of the unlawful conduct, implying the verification of the existence and consistency of the infringement and its effects; so that, on the one hand, the term for the contestation of the infringement does not start from its consummation, but from the completion of the verification activity of all the elements of the offense, having to consider also the time necessary for the administration to evaluate and weigh adequately the elements acquired and the preliminary acts for the identification of the extremes of administrative responsibility, and on the other hand, the term for the conclusion of the sanctioning procedure begins to run only from the moment in which it is carried out - or should reasonably have been carried out, also in relation to the complexity of the case in point - the administrative activity aimed at verifying the existence of the infringement, including investigations aimed at verifying the existence of all the subjective and objective elements of the infringement itself".
 
Similarly, but with specific reference to the administrative offenses referred to in the privacy code, the Supreme Court has recently reiterated (Cass. Civ., Section 2, n. 18288/2020): "Being consolidated the position of this Court according to which, in the matter of administrative offenses referred to in the privacy code, the dies a quo for the calculation of the ninety-day deadline for the notification of the complaint report starts from the ascertainment of the violation, which does not coincide with the generic and approximate perception of the fact and with the acquisition of the documentation relating to it, but requires the processing of the data thus obtained in order to identify the constitutive elements of any violations (thus, ex multis, Cass. 14678/2018)." While this jurisprudence refers to the term of 90 days provided for by Article 14 of Law 689/1981, the principles identified therein can well find similar application in relation to art. 166, paragraph 5 of the Privacy Code, since this last provision, following the changes made by Legislative Decree 101/2018, contains the new discipline relating to the procedures for the adoption of corrective and sanctioning measures, previously defined exclusively through the reference made by the Code itself to the aforementioned law 689/1981.
 
It follows that the time for data processing and evaluation, when not arbitrarily and unreasonably prolonged, will be directly proportional to the level of complexity of the cases in question, the number of reports and complaints presented and, last but not least, the method of analysis applied by the Authority.
 
This method, as already mentioned, was based on an overall assessment of numerous complaints, even once recurring profiles and cases have been identified, capable of delineating traits of responsibility that would have been more difficult to emerge in a logic of investigation and dispute case by case. Therefore, a modus procedendi de facto imposed by the same characteristics of the principle of accountability was applied, the implementation of which the Authority has precisely investigated, in the face of a consistent and constant number of complaints from the interested parties over time.
 
In other words, full knowledge of the unlawful conduct connected, in particular, but not exclusively, to the profiles of responsibility and accountability, as per articles 5, par. 2, 24 and 25 par. 1 of the RGPD, related, moreover, to the activities of a holder of the organizational dimension of EE could only go through a document acquisition and subsequent composite and articulated evaluation, also at a temporal level.
 
It is also noted that an investigation, already complex in itself, was certainly not facilitated by the emergence of a sudden and unpredictable event, such as the pandemic and a consequent emergency situation still underway - in consideration of which, moreover, the legislator has provided for the suspension of the terms of administrative proceedings, most recently extended until November 30, 2020 (Article 41 of Legislative Decree 34/2020). Nor, much less, for different profiles, did the lack of cooperation shown by the data controller benefit (amplius infra par. 2.2., N. 1).
 
More generally, it should be finally considered that the elements required by art. 83 of the Regulation for a complete assessment of the conducts, which are assumed to be in violation of the provisions on the protection of personal data, are so broad and complex (also from a guarantee point of view) that, in the case in question, one cannot seriously object that the Authority has failed in a timely manner in contesting the offenses.
 
2.1.2. The individual disputes
 
With reference to the individual complaints raised by the Authority, the defensive arguments developed by the Company in its brief and during the hearing are reported below.
 
1) With reference to the dispute referred to in number 1 of par. 1.4, the Company did not hide its surprise in front of these disputes, since "EE has always followed up the requests of the Guarantor without receiving in response any request for clarification or further information.". Furthermore, the Company, according to what was declared in the memorandum, "formulated its replies with the intention of not exceeding the requests in order not to incur a violation of the principle of cost-effectiveness of the procedure also sanctioned by art. 7 of Regulation 1/2019 [...] in order to avoid hindering the smooth continuation of the investigation" (point 14). In other passages of the brief, as well as during the hearing, EE recalled the constant and costly attention, also in terms of financial commitment, that the Company has always paid to compliance with the regulations on the protection of personal data (point 24 of the defense brief).
 
With regard to the failure to reply to the III cum., EE attributed the incident to a "human error" that would have occurred in the "sorting of a certified e-mail" (Point 25).
 
Finally, EE announced that it will implement the possibility for the interested party to check directly from the EE website "the traceability to EE and its partners of the numbers from which he has received commercial calls."; in this regard, the Company has also sent the Guarantor a list containing the calling numbers referable to EE. During the hearing, the owner then communicated that the aforementioned system has already been implemented on the site.
 
2-4) The Company has dedicated a large part of its defense brief (points 27-138) to counteract the objections formulated by the Guarantor regarding the responsibility and accountability of the owner and compliance with the principle of privacy by design, as referred to in numbers 2, 3 and 4 of the previous paragraph.
 
The Company paused to illustrate how its choices regarding promotional contacts can be divided between an approach followed until the onset of the pandemic and one subsequent to it.
 
Before the epidemiological emergency and the consequent containment measures, EE did not use or commission any telemarketing or teleselling channel to third parties, and more generally any outbound telephone channel for commercial purposes. The commercial promotion of EE took place exclusively through physical points (shops managed by EE partners with commercial collaboration contracts) and “door to door” contacts, carried out by authorized agencies. Even with regard to the activities carried out by these agencies (all selected through a precise scouting procedure), the use of teleselling and telemarketing was expressly prohibited within the contracts stipulated by the Company. The procedure for the acquisition of new contracts following an availability recovered by the agencies during the "door to door" was structured according to an ex post control system (in two phases, by telephone and by mail; Quality call, following precise scripts, and Quality letter) to obtain confirmation of the identity of the subject, of the personal data referable to him / her and of the effective will to contract. The Company affirmed that this system has enabled it to keep under control and limit the phenomenon of the revocation of users activated on the basis of the proposals of the agencies. What is stated and described in the brief regarding the management method of the pre-pandemic commercial channel is, therefore, to be considered applicable, according to the representation provided by EE, to all cases subject to investigation and dispute by the Guarantor, since the latter are all prior to January 2021 (date of reintroduction, as will be seen shortly, of outbound calls).
 
The epidemiological emergency made it necessary to reintroduce the methods of telephone contact so that: a) starting from May 2020 there was the possibility for the agencies authorized by EE to arrange meetings by means of a prior telephone appointment (this activity is aimed at stipulating supply contracts with "remote" mode and the digitalization of processes); b) starting from January 2021, the teleselling channel was introduced. This last activity is carried out, according to EE, through "numbering limitations for telesellers, ex ante checks on contact lists and ex post on the goodness of the expression of will of customers and on the initial contact methods, in order to exclude the use of aggressive marketing practices and unwanted calls." (point 70 of the memorandum).
 
The Company has made it clear that the procedures and activities for agencies and for telesellers are completely different: only telesellers acquire contact lists and conclude contracts on behalf of EE (sale by telephone of products and services through vocal order); the agencies do not carry out teleselling activities but limit themselves to phoning potential customers to arrange subsequent appointments.
 
In the context, therefore, prior to the pandemic and the choices made by EE, in the presence of the aforementioned absolute ban on making commercial calls by the Company and its agencies, the only obligation to be recognized by the same, according to its own representation, would have been to verify that its partners did not make promotional calls tout court and therefore, in cases of unauthorized calls, to exclude that the calling numbers could be attributable to any of them. No other burden deriving from the principle of accountability or from that of privacy by design would have been attributable to EE, since the possibility of carrying out telemarketing and teleselling activities was not at all contemplated. It was therefore not the task of EE, according to what was stated in the defense brief, to hypothesize and introduce measures and procedures aimed at controlling the formation of lists of telephone users whose use was completely prohibited. Therefore, all the obligations and measures identified by the Guarantor in the case of owners who actually carried out teleselling and telemarketing activities would not be applicable to Enel Energia. The reference is to the measures / orders of injunction against Fastweb S.p.A. (provision of 25 March 2021, web doc. 9570997) or also of ENI S.p.A. (provision of 1 December 2019, web doc. 9244358) or Vodafone S.p.A. (provision 12 November 2020, web doc. 9485681).
 
The Company therefore reiterated its complete extraneousness to the unwanted calls that are the subject of the complaints presented to the Guarantor and stressed that, as it was completely unrelated to the phenomenon, EE did not have any power of verification over this phenomenon or over subjects outside its control.
 
More specifically, the Company then returned to the subject, reiterating the non-existence, in its view, of the violation of art. 25, since EE's privacy by-design before the measures adopted following the pandemic was based "on the set of preliminary checks of the seriousness of the agencies and subsequent checks aimed at verifying the execution of commercial calls tout court by its own agencies following complaints or reports from users (as happened with all complaints covered by the Requests) also by reporting the illegal conduct to the judicial authority and to the Guarantor. On the other hand, it would not have been reasonable and consistent with a correct privacy by-design to implement procedures for regulating and verifying the formation of telephone contact lists, given that telephone contacts were excluded and prohibited upstream from the contracts concluded with the agencies." (paragraph 122).
 
This is the context for the main defensive thesis presented by the Company, namely the fraudulent and improper use of the name of Enel Energia by unidentified subjects who aim to ensnare customers into concluding contracts "without the contractors being truly aware of what is happening" (point 64 and, in general, the thesis set out in points 55 to 64).
 
EE believes it is the victim of "braggarts" and "scammers" who work for competing companies, illegally using the name of the country's leading energy operator as an element of reassurance and in order to attract the user's attention. Only subsequently, as reconstructed by the Company, if the phone call continues and the user shows interest, would these subjects suggest that they are an agency and that they consider the offer of a competitor of EE more advantageous. The Company therefore argued that it derives no advantage from this practice but, on the contrary, suffers significant damage, including to its image.
 
EE argued this thesis by presenting as support: a) a provision of the AGCM of 24 October 2018 with which the incorrect commercial practice of the company Switch Power Srl was sanctioned, which tried to ensnare customers by telephone by pretending to be a company of the Enel group (annex 21 to the memorandum). At the hearing, the Company expanded this argument by also referring to a complaint presented in April 2021 against another company for the same unfair commercial practice; b) some cases, including those reported by some Enel executives and others subject to press articles (annex 23 to the brief); c) the statements in favor of Enel made by Federconsumatori, provincial section of Taranto, which specified how EE personnel visit customers at domestic users only following calls for "making an appointment"; d) the complaints (12 from 2017 to May 2021) relating to a plurality of conduct carried out by subjects identified as competitors of EE or completely unrelated to the Enel group's business or completely unknown (see point 132 of the brief and . 24 to the memory).
 
5) With reference to the dispute referred to in number 5 (Article 5, paragraph 1, letter d), of the Regulations), the Company has highlighted that the personal data of the reporting party were not automatically associated with the number from which a call had been made to the company's toll-free number (IV cum: fasc. 146166). According to the Company, the error was attributable to the manual intervention of an operator. The Company pointed out that "following the report, EE immediately canceled the data and challenged its partner for the incorrect practice" (point 172).
 
6) Again in relation to data accuracy, concerning the sending of invoices to the wrong person (IV cum: 147284), as referred to in number 6 (articles 5, paragraph 1, letter d)), EE pointed to a "clerical error" due to the similarity of the tax codes of the two customers and reported that, once it became aware of the error, it promptly remedied it (paragraph 173).
 
7) As for the disputes referred to in number 7 (Article 12 of the Regulations, (I cum: 132334, 129416; III cum: 144726; IV cum: 138729). the delay in following up the requests of the interested parties, justifying, at least in the two cases subject to the first request for information (I cum: 132334, 129416), this delay with the need to conduct more in-depth and additional investigations following the communication of the Guarantor (I cum: 132334) or to suspend this activity pending the full applicability of the RGPD (I cum: 129416). The Company, however, stressed that in both cases referred to I cum. the interested parties had been informed of the need for this This information would have been provided in one case 33 days after the request (I cum. 132334) and in a second case, within the 30th day of receipt of the request.
 
With regard to another case (III cum. 144726), the Company reiterated in defense what it had already argued in response to the requests of the Guarantor or recognized the occurrence of a "mere technical misunderstanding". Finally, with regard to file 138729 (IV cum.), EE did not provide any further information with respect to that contained in the acknowledgment communications during the investigation phase.
 
8) Likewise, with respect to a similar dispute concerning a different case, referred to in number 8 (articles 5, par. 1, lett. a), and 12, par. 2 of the Regulations), EE denied any contradiction between the response provided to the interested party and that provided to the Authority (IV cum: 136020). According to the Company, even though the two responses were worded differently (the response to the customer mentioned a "typing error"), in reality they are both true. This is because the contact details of the whistleblower were provided by another customer and, due to this overlap, the operator then "erroneously registered the data of the whistleblower in the client's master data".
 
9) Again with regard to the exercise of the rights of the interested parties, the Company, with regard to the dispute referred to in number 9 (Article 21 of the Regulation and Article 130, paragraphs 1 and 2 of the Code), acknowledged that it had committed a further error by indicating a wrong email address at the bottom of the communication sent to the interested party (single inquiries fasc. 133249), but also highlighted that the correct address for sending requests to exercise rights (privacy.enelenergia@enel.com) is easily available online. As proof of this ease of communication, EE pointed to the fact that the same complainant subsequently sent a second objection request to the correct address, which was fully and promptly satisfied.
 
10) With reference to the contestation of the violation of art. 130, paragraph 4, of the Code, referred to in number 10 (single investigations: 136321), EE reiterated, in greater detail, what it had already argued in the preliminary phase, pointing out, in relation to the three cases raised by the complainant: a) that a communication akin to soft spam had been sent, a circumstance capable of excluding the need to obtain consent; b) that the call received by the complainant was made to verify the quality of the service offered and not for commercial purposes; c) that the promotional SMS was sent not by EE but by a former partner, XX, which was no longer contractually linked to the Company at the time the communication was sent to the person concerned.
 
11) With regard to the contestation of the violation of art. 31, referred to in number 11, also in relation to the information provided regarding the functioning of the Single Profile and the failure to attach the documentation relating to consents (in response to IV cum. and IV-bis cum.), EE deemed the information it had provided exhaustive. According to the Company, the Guarantor had not expressly requested more details about the consents but had only formulated requests for clarification on the operating methods of the app and for indications of the quantitative dimension of the service.
 
12) As regards the disputes connected to the Single Profile and the app for consultation and consumption management, reported in number 12 (articles 5, paragraph 1, letter a), 12 and 13 of the Regulation), EE denied that there was a discrepancy between the two privacy notices on the website with reference to the identification of the data controller. In the defense phase, the Company explained that the notices of the two parties (Enel Energia S.p.A. and Enel Italia S.p.A.) are on the same page and that "only part of the information and sections on the site concern both entities". The Company added that the notices are "recalled from a single touchpoint (the footer of the homepage) but have a distinct and separate structure, form and content". The navigation data of visitors to the site is processed by Enel Italia S.p.A., which, however, is not the data controller as regards the management of the single profile (which appears to be Enel Energia); on the contrary, Enel Italia S.p.A. together with a third company, Enel Global Services s.r.l., acts as data controller for the data provided at the time of registration and to provide the authentication service.
 
13) Again with regard to the Single Profile, with respect to the dispute referred to in number 13 (Article 5, par. 1, letter c), of the Regulation), EE highlighted that "the companies enabled for the Single Profile (for Italy EE and Enel X Italia Srl - "EX") do not have access to the data of users who have created the Unique Profile with the other authorized company." (Paragraph 185). Consequently, according to what was reported in the defensive phase, two scenarios may occur: 1) a new user who has not yet created an account through the Unique Profile; 2) access to a reserved area with an existing profile.
 
In the first case, the user registers, on the EE website or on the EX website as the case may be, providing his / her data (name, surname, social security number, telephone number, e-mail; the latter two are subject to validation) and creates a personal password.
 
In the second case, the user, with the same credentials created at the company with which he first created the account, can access the reserved area of the other company ("For example, first the user created the Unique Profile account on the site and for the reserved area of EE and then wants to access the reserved area of EX"). EE maintained that there was a clear technical and content separation between the two reserved areas and that "no data relating to the reserved areas of the companies authorized to use the Single Profile is exchanged between them."
 
After having illustrated the technical characteristics of the system, the Company went on to explain that both the mobile number (for the purpose of validating the temporary password mechanism) and the tax code must be considered indispensable data for correct identification and for preventing the creation of multiple profiles (Points 194-198). EE then underlined that authentication via mobile phone number was implemented following some vulnerabilities (creation of multiple accounts) that emerged, with reference to another group company, as part of a previous and separate investigation conducted by the Office of the Guarantor. According to EE, the indispensability of such data for the functionality of the service should lead to the conclusion that the dispute regarding the alleged violation of the principle of minimization can be overcome.
 
14) With respect to the disputes referred to in number 14 (articles 12 and 13 of the Regulations), the Company has represented that, without prejudice to the fact that no consent for marketing purposes is collected during the creation of the Unique Profile, "the different marketing purposes are instead described, as indicated by the Guarantor in the Contestation, in the specific section "Marketing and / or profiling purposes"." In any case, the Company has communicated that it has revised the privacy notice "by making it more clear" (Points 199-204).
 
15) As to the granularity and specificity of the consents, with regard to processing carried out by different subjects as independent controllers, referred to in number 15 (articles 6, paragraph 1, of the Regulation and 130, paragraphs 1 and 2, of the Code), EE recalled the three purposes identified, namely: 1) direct marketing carried out by EE for EE products; 2) third party marketing; 3) profiling, arguing that this distinction complies with the Guidelines of the Guarantor on the fight against spam adopted in 2013. The Company has specified that it has never carried out profiling activities, nor has it ever transferred data to third parties for marketing purposes. Furthermore, EE has never done direct marketing advertising the products of third parties, including group companies. Finally, the Company has stated its intention in the future to seek the consent of interested parties for marketing and profiling purposes by reshaping the tripartite structure of consents and better specifying the different purposes with respect to the various controllers (attachment 38 to the memorandum), and communicated that it had revised the related privacy notice "with a view to ever more direct communication".
 
2.2 Considerations in fact and in law
 
The defensive arguments presented by EE do not exclude the liability of the Company in relation to the alleged violations, for the following reasons, which are to be read together with the observations already expressed in the aforementioned notice of dispute:
 
1) As regards the dispute relating to art. 31 of the Regulation (Cooperation with the supervisory authority), referred to in number 1, it is an incontrovertible fact that the Company provided no response to the Guarantor's third request for information until it was prompted to do so. The laconic, concise and undocumented reference to human error in sorting does not, in fact, remove the problem.
 
Likewise, in its responses EE did not provide, in a collaborative and proactive spirit, analytical and detailed answers about the different cases reported, such as would have facilitated a more appropriate assessment by the Authority. As is known, responses to requests for information from the Guarantor should be provided immediately and in the most detailed and complete way possible, and the elements useful for defining the investigation framework should therefore be presented already in the preliminary investigation rather than in the defensive phase, after being solicited. Such behaviors, already sanctioned by the Guarantor (injunction order against Iren Mercato SpA of 13 May 2021, web doc. 9670025), risk lengthening and burdening the procedure, which the Company has declared its intention to avoid. Nor can any relevance be attributed in this context to the reference to internal regulation no. 1/2019 (Article 7, paragraph 5), given that the provision clearly refers to the defensive phase and not to the preliminary phase.
 
Moreover, the aforementioned circumstance that the Guarantor did not provide any response or request further clarifications once it had received EE's replies does not serve as an exemption, given that the duty of cooperation provided for by the cited art. 31 of the Regulations clearly falls on the data controller, also in its own interest, and not on the supervisory authority.
 
2-4) With reference to the complaints formulated by the Guarantor with regard to the responsibility profiles of the owner and the respect of the principle of privacy by design, as referred to in numbers from 2 to 4 (articles 5, par. 2, and 25, par. 1 of the Regulations; art. 5, par. 2 and art. 5, par. 2 and 24 of the Regulations) the arguments presented by the Company are not convincing and are not capable of overcoming the Authority's findings.
 
The main argument raised by the Company in defense of its position, namely the improper use of its name by others, is not supported by elements capable of excluding the liability of the data controller and remains, as such, a purely hypothetical reconstruction. This is because none of the arguments developed by the Company proved that competitors were acquiring customers by presenting themselves as Enel Energia.
 
In fact, the press articles cited mainly refer to episodes that have nothing to do with the disputed conduct, given that in those cases Enel's name is used to try to gain entry, through fraud, to users' homes in order to commit unlawful acts to the detriment of the victims (mainly elderly and lonely people).
 
Similarly, the reference to the trade association Federconsumatori - moreover not relating to a public position taken by the national bodies of the association but rather to an interview given by a local representative (Taranto Section) - refers to the phenomenon of scams and attempts to break into homes. It is therefore irrelevant with respect to the case in question and does not represent a significant profile for the purposes of the Guarantor's assessment and in particular with respect to the issue of accountability.
 
In this regard, it should first be noted that the regulatory provisions (articles 5, paragraph 2, and 25, paragraph 1 of the Regulation; article 5, paragraph 2 and article 5, paragraphs 2 and 24 of the Regulation) outline a precise framework of general responsibility weighing on the data controller, not only in the sense of requiring the latter to adopt adequate and effective measures to ensure compliance with the rules on the protection of personal data but also in the sense of requiring the controller to demonstrate, concretely and with evidence, the compliance of any processing activity that it has carried out directly or that others have carried out on its behalf (see also recital 74, RGPD). It is therefore necessary to provide evidence of overall assessments carried out on the characteristics of the processing, on the risks connected to it and on the effectiveness and adequacy of the measures adopted on a case-by-case basis. That effectiveness and adequacy can be tested and demonstrated only through structured and systematic verification mechanisms.
 
The rationale of the aforementioned provisions lies in the need to ensure that the complex of privacy obligations is not reduced to a purely paper-based assembly and that the "chain" of responsibilities in the context of the processing does not provide for undue "blameworthiness" but is always, ultimately, attributable to the data controller. The controller is, in fact, the primary engine of the complex mechanisms that determine the compatibility of the various activities carried out with the provisions of the Regulation and the Code aimed at allowing the interested party to fully govern their data and to fully exercise their rights and freedoms.
 
The principle of accountability, therefore, outlined both in a legal perspective (Article 5, paragraph 2 and Article 24) and in a more modern technological dimension (Article 25), involves moving beyond an exclusively formalistic logic of adapting to the regulatory text, requiring the data controller to set up systematic verification mechanisms, including ex ante and ex post, of compliance with the legislation on the protection of personal data by all the subjects involved in the processing chain that concerns it, whether that processing is attributable to it or may also bring it advantages of an economic nature.
 
In this regard, the Guarantor observes, as a preliminary point, that the data controller provided elements of a formal nature only during the defensive phase, mostly related to the contractual lawfulness of the relationship between EE and its partners (which, moreover, proves nothing as to the correct processing of personal data), without producing the necessary evidence of concrete initiatives taken as data controller in the face of the spread, over the years, of such an invasive and worrying phenomenon, which should have acted as a real "alarm bell".
 
The history, structure and organizational dimension of Enel Energia would have allowed this company, leader in the Italian energy market and always a protagonist of the economic and productive life of the country, albeit in different forms and ways, to put in place, with due diligence, state-of-the-art organizational measures for the protection of data subjects, as well as appropriate and effective control tools over the entire supply chain involved in the processing of personal data. This is all the more so in consideration, on the one hand, of the amount of personal data held by the company, precisely by virtue of its position and its history (currently 9 million customers - see defensive writings, paragraph 173), and, on the other hand, of the high number of reports received every month directly by EE (defensive writings, point 167: a monthly average, from April 2020 to April 2021, of approximately 740 requests for the exercise of rights, largely relating to the right to object), as well as the numerous and repeated requests for information sent by the Guarantor.
 
Having said all this, with reference to the specific point raised in the defense about how promotional activities were managed in the phase prior to the pandemic, when the EE sales network was prohibited from using telephone lists, it should be noted that, in the face of the growing number of reports relating to unwanted telephone contacts, the Company should have verified that this strict prohibition had been adequately observed, and should also have proved the existence of verification tools. This includes suitable checks to establish and document the origin of the data underlying any contractual proposal and / or the methods of "first contact" with the potential customer. This type of control is completely different from a verification of personal data lists (referred to in the defense brief), which appears, in fact, irrelevant to what is contested by the Authority.
 
These checks could, first of all, be easily carried out if the methods of first contact and / or the origin of the customer data had, for example, expressly formed the subject of analytical indication in the contract registration system, also using the channel information of the Quality call which, on the other hand, from what emerged from the documents, does not contain specific references with respect to the verification of the lawfulness of the original acquisition of the data and / or of the first contact, focusing only on the verification of the regularity of the contractual profiles.
 
Similarly, the documentation provided by the Company and examined by the Guarantor does not show with unambiguous clarity the methods of access to the systems used to activate offers and services, through which the agencies can convey the results of their activities. It is on this step, in fact, that the subsequent controls by the data controller should focus, especially in a complex and stratified commercial system such as the one presented by EE. While one passage of the brief refers to the receipt, by EE, of the "contract proposal from the agencies" (Point 37), and the attached contractual templates state that the agencies undertake to "use exclusively the information system authorized or made available by the Principal", no incontrovertible evidence was provided regarding the effective functioning of this system or the monitoring and control activity carried out by EE, such as to demonstrate to the Authority the suitability of the measures. This is all the more so considering that, as emerged from the documentation on file, the Company instead delegates the preventive control of the lawfulness of the first contact entirely to the agencies: "Any pre-loading checks in the IT systems performed through the use of telephone contact also fall under the direct and exclusive responsibility of the Agency." (Agency Contract, Annex 13 to the memorandum, point 2.2).
 
Similarly, the contract between EE and the partner stores (physical points) provides for a sort of indemnity in favor of EE, where it states: "The Partner will be solely responsible for the work of the Enel Points and the Staff, whatever the relationships with the same, committing to hold Enel Energia harmless from any claim or request made, in relation to the performance of the activities covered by the Contract, by the Enel Point, by the Staff or by third parties, including those relating to compensation for damages, wage obligations, indemnities and social security and / or insurance contributions, as well as those relating to any further obligation or fulfillment deriving from the current legislation on self-employed and subordinate work, from the legislation aimed at protecting privacy, from the tax legislation." (PENP contract, Annex 12 to the pleading, point 5.3).
 
Finally, it is noted that EE holds a range of information bearing on the correct management of promotional activities, even by the individual operator, at the contract validation stage, and is in a position to easily identify the sales channel and the appointee for each contract (the reference is to the contract code, appointee code and channel code, all present in the application form, freely downloadable from the Company's website). However, it is clear that the Company does not carry out checks of this kind, or at least has not provided evidence of them to the Guarantor, as can be seen from the aforementioned absence in the Quality call of specific references to verifying the lawfulness of the origin of the data, from the reliance placed on the activity of the partners and, finally, from the Company's own statements in its defense: "If some agencies have in hypothesis endorsed commercial calls, extraneous in and of themselves (and not simply for the modalities) to the activities envisaged by EE, EE could not be expected to carry out ex ante controls on activities totally hidden and unrelated to its commercial chain, activities that EE obviously could not even foresee. Investigations of that type concern the material conduct of the employees of the agencies, behind the agencies themselves and of EE, and do not fall within the powers of the data controller [omissis] When an illegal activity is completely unrelated and invisible to the owner of the treatment, the latter - if he has subsequent evidence of such violations - can only invoke the intervention of the judicial authority and close relations with those who have become protagonists. Nor does the Complaint indicate reasonable measures aimed at mitigating such a risk, given that the Complaint illustrates failed measures relating to the management of telemarketing and teleselling activities not envisaged by EE." (defensive writings, paragraphs 51 and 53).
 
Therefore, since EE had the information necessary to link each contract proposal even to the individual operator, checking the sales volumes of each operator against other variables, such as, by way of example, the geographical area, the population density of the relevant commercial area and other similar numerical indicators, would have made it possible to identify improper practices in violation of the legislation on data protection. Equally essential is the aforementioned verification, to be carried out directly with the customer, of the lawfulness of the origin of the personal data underlying the contractual proposal. Enel Energia had all the necessary tools to nip "undergrowth" phenomena in the bud, phenomena of which, moreover, it was aware well before the intervention of the Guarantor.
 
Measures such as those described here, if adopted and if represented to the Guarantor (which certainly cannot be faulted for not having indicated them in the notice of dispute), would have shown an approach that was not merely formalistic and conservative, based on the contract and its characteristics, but, on the contrary, an appreciable proactive approach to protecting the full range of consumer and data subject rights.
 
In conclusion, there is no concrete link between the information relating to the promotional activities carried out, in any way and in any form, across the different sales channels by EE and the platform used for the validation and registration of contracts. The two phases (the promotional and the contractual one) therefore remain substantially separate, which makes it possible for agents who intend to convey contractual proposals without following the data controller's instructions to enter them even in cases of illegal or unwanted promotional contact. This makes it not only possible but also highly probable, given the weakness of the "defenses" put in place, that the large number of unwanted contacts brought to the attention of the Authority were made in the context of the promotion of the Company's products and services.
 
In view of the requirements of art. 5, par. 2, of the Regulation, which requires the data controller to prove the lawfulness of the processing, it is precisely the absence, in the official registration system, of measures that verify full compliance with the rules and with the rights of the interested parties, users and consumers from the moment of first contact that can act as the gateway for any "unofficial procurers" of contracts capable of "capturing" the recipients of the promotional phone calls complained of, who consistently report a contact in the name of the Company (as already set out in the aforementioned provisions against Vodafone Italia SpA and Fastweb SpA).
 
Moreover, to tackle the problem at its root, it is not sufficient to act exclusively on the "official" sales network, precisely in the face of the reputational damage that the Company complains of with so much conviction. Rather, as the Authority has already had the opportunity to highlight, it is necessary to provide for effective mechanisms aimed at monitoring and countering, also in consideration of the organizational and business capacities of the main Italian energy company, a phenomenon that impacts in such a significant and pervasive way on the private dimension of interested parties who complain of unwanted promotional contacts by Enel Energia, and to exclude at the root the possibility of contact by telephone in the Enel Energia sales network.
 
In this sense, the Authority has not failed, on other occasions, to recall, precisely in a preventive logic and with respect for privacy by design, the possibility of resorting to corporate and organizational choices aimed, for example, at inhibiting the contractual activation of offers or services when they cannot be attributed with certainty to activities carried out in compliance with the rules and with the rights of the interested parties, users and consumers from the moment of first contact and as to the origin of the data (see the already mentioned measures against Vodafone Italia SpA, 12 November 2020, web doc. 9485681, and Fastweb SpA, 25 March 2021, web doc. 9570997).
 
These same conditions should also be applied to the telemarketing campaigns that EE has admittedly resumed following the pandemic emergency. These activities, in order not to violate the provisions of the Regulation, must be conducted in full compliance with the principles of accountability and privacy by design, with the data controller having to prove at any time that the activation of offers and services and the registration of contracts take place only following promotional contacts carried out by the Company's sales network through telephone numbers registered in the ROC - Register of Communication Operators, and without prejudice to the necessary verification of the contact lists, as repeatedly reiterated by the Guarantor (most recently see Order of injunction against Iren Mercato SpA, May 13, 2021, web doc. no. 9670025).
 
5-6) With reference to the disputes referred to in numbers 5 and 6 (art. 5, par. 1, letter d); articles 5, par. 1, lett. d), and 6 of the Regulation, Lawfulness of processing), the references to a "manual error of the operator", in the first case, and to a material error, in the second, do not relieve the Company of the responsibility resulting from the violation of the aforementioned provisions, nor do they allow the exemption pursuant to art. 3 of law n. 689/1981 on good faith to be applied, all the more so because the errors are not analytically documented and EE has not been able to demonstrate that they were unavoidable. However, the Authority takes note of Enel's declaration that it promptly remedied the error in one of the two cases (cum IV: 147284).
 
As for the disputes referred to in numbers 7 to 9 in relation to the requests for the exercise of rights, it is necessary to put forward some considerations. While taking note of what was stated by the Company in the defense brief (Point VI.G of the brief and annexed table) regarding the substantial volume of requests for the exercise of rights that are managed by the same, both on a monthly basis and on an annual basis, it should in any case be reiterated that, although the misalignments represented with respect to the ordinary operating methods in terms of exercising the rights constitute a statistical expression that is not significantly relevant in relation to the activities of Enel Energia, this element cannot eliminate the need to ensure to the interested parties the individual protection that the Regulation provides, through the adoption of corrective and sanctioning measures.
 
7) with regard to the disputes referred to in number 7 (Article 12 of the Regulation), the arguments provided regarding the delay in the findings in the cases referred to in files 132334 and 129416 (I cum.) do not allow to overcome the observation regarding the violation of the rules governing the necessary timeliness of the feedback that must be provided to the interested parties following requests for the exercise of rights.
 
This, in the present case (132334), also taking into account the circumstance for which the previous discipline dictated by the Code already provided for the institution of the so-called "Preventive ruling" and, therefore, the fact that, at the time, full and complete applicability to the new European legislation could not have been relevant. In the same way, the circumstance for which the request made by the interested party was contextually the subject of a request for information from the Guarantor, should, if anything, have induced the owner to behave virtuously and not, as it happened, reticent about the reply (129416). In both cases, it is believed that the delay, as communicated to the interested parties, was neither justified nor justifiable, since the owner was undoubtedly able to provide a complete and exhaustive response to their requests right away.
 
In relation, then, to the case in point reported in file 144726 (III cum.), the reference to a "mere technical misunderstanding" is found in the brief. This circumstance does not relieve the Company of the liability deriving from the violation of Article 12 nor does it allow, in this as in the previous cases, to apply the exemption pursuant to art. 3 of the law n. 689/1981 on the subject of good faith, since no proof was provided that the error did not derive from fault. This, all the more so, because the technical drawback has not been documented in any way, nor has its inevitability been demonstrated.
 
Finally, with reference to file 138729 (IV cum.), Since the owner has not provided any further elements aimed at justifying the failure to respond to a request for the exercise of rights, the violation of art. 12 of the Regulation;
 
8) likewise, with reference to the similar dispute, but referring to a different case (IV cum. Fasc. 136020), referred to in number 8 (art. 5. par. 1, lett. of a typing error, does not exceed the observations of the Authority, since the interested party did not receive a clear and unequivocal response in the first instance with respect to the case in point of the complaint. It should be noted that the circumstance of the typing error, if clarified from the beginning and not only in defense and at the request of the Guarantor, would have allowed the Authority to verify, by having more specific elements, the possible existence of a more relevant violation of non-compliance with the principle of accuracy; moreover, in this context it should be pointed out that, in order for the typing error to be considered excusable, the Company, for example, would have had to provide proof of its willingness to contact a different numbering of a few numerical elements from the one actually called in the same context of the campaign advertising;
 
9) with regard to the dispute referred to in number 9 (Article 21 of the Regulation and Article 130, paragraphs 1 and 2 of the Code), the error committed and recognized by the Company in having indicated an incorrect email address in a communication the interested party has, in fact, hindered the exercise of the right of opposition (single inquiries: 133249) as well as the arguments offered by the Company regarding the failure to register the denial during the signing of the contract confirm the existence of the Company's responsibility for the sending promotional communications by e-mail without the prior consent of the interested party;
 
10) in relation to the complaint referred to in number 10 (Article 130, paragraph 4, of the Code), the holder has not produced any documentary evidence capable of demonstrating that the complainant had received the necessary, adequate information about the possibility of receiving communications on similar services and products, through their e-mail coordinates and, therefore, about the presence of that objective element of an informative nature which is fundamental for a correct dialogue with the interested parties and which legitimizes the exemption from the acquisition of the relative consent, in addition to the additional elements referred to in art. 130, paragraph 4, of the Code as well as by the Provision of the Guarantor of 4 July 2013 (web doc. No. 2542348) (single investigations: 136321); in the absence of these fundamental elements of an informative nature, the violation of art. 130, paragraph 4, is integrated;
 
11) with reference to the dispute profile relating to the failure to attach documentation on the structuring of consents within the Single Profile (requests IV cum. and IV-bis cum.), the aforementioned defense by the party has no basis. The requests of the Guarantor aimed at understanding the functioning of the Single Profile involved, as a natural corollary, the illustrative documentation of the method of acquiring consents for marketing and profiling purposes;
 
12) with regard to the disputes reported in number 12 (articles 5, paragraph 1, letter a), 12 and 13 of the Regulation) in relation to the information provided to the interested parties, although the Company has clarified the existing interaction between Enel Energia srl and Enel Italia and despite having changed the information on the site by absorbing the findings of the Guarantor, the information communication previously provided by the Company to the users of the website was not able to meet the requirements of correctness and transparency for the benefit of the interested parties;
 
13) again in relation to the Single Profile, with respect to the dispute referred to in number 13 (Article 5, par. 1, letter c), of the Regulation), the Guarantor takes note of the explanations provided by EE in the defense phase and believes that the collected elements are relevant and suitable to relieve the Company of responsibility for a failure to comply with the principle of minimization, without prejudice to the necessary re-evaluation, by the data controller, of compliance with the principle of minimization in the event that the current structure changes represented to the Guarantor, for example through an increase in the number of companies that use the single Profile and a consequent change in the purposes of the processing;
 
14) with respect to the disputes referred to in number 14 (Articles 12 and 13 of the Regulations), although the Company represented has revised the information "by making clearer legal choices." (Points 199-204), the information provided so far cannot be considered complete and exhaustive with respect to the identification of the third parties recipients of the data, given the generic reference to "Enel Group companies, parent companies, subsidiaries or associates, or partners like -market of Enel Energia ". With reference to the period prior to June 2021, the information issued to interested parties by EE in the context of its portal was lacking precisely with regard to a necessary identification of the recipients of the data, at least with reference to the product categories, both within the companies belonging to the Enel Group and with reference to a generic range of commercial partners. For these aspects, the information was therefore deficient and inadequate with reference to the requirements set out in Articles 12 and 13 of the GDPR;
 
15) as to the granularity and specificity of the consents, with regard to processing carried out by different subjects as independent controllers referred to in number 15 (articles 6, paragraph 1, of the Regulation and 130, paragraphs 1 and 2, of the Code), given that during the hearing EE communicated that it had already adopted some measures to accept the observations made by the Guarantor (including a revision of the wording of the consents for a better reformulation of the same), the Authority's findings are confirmed. The provision of a consent within the terms ascertained by the Guarantor in the act of initiating the procedure does not meet the requirements of granularity and clarity, obtainable from the regulatory legislation. In fact, a single consent to the communication of data for promotional purposes also by group companies, parent companies, subsidiaries and associates and commercial partners of EE, cannot be considered either specific or free and does not constitute a suitable legal basis for the aforementioned treatments, pursuant to art. 6 GDPR.
 
The information provided by the Company in the defensive phase would seem to have made it clear that the consent required for the marketing activities of the "parent companies, subsidiaries, associates or commercial partners of EE" by the same subjects does not refer to a communication of data from Enel to third parties for their marketing purposes. However, in the absence of a clear identification of the recipients, a consent linked to treatments referable to an indeterminate number of subjects cannot be considered suitable.
 
Similar observations can extend to the request for a single consent for profiling purposes both of Enel Energia and of the subjects already mentioned, as autonomous data controllers, since, even in this case, a lawfully acquired consent must be specific and distinct in order to constitute a suitable legal basis, pursuant to the aforementioned regulatory provision.
 
Therefore, with reference to the aspects, including factual, highlighted above and taking into account the statements of the Company, for which the declarant responds pursuant to art. 168 of the Code, as well as the additional documentation produced, the following assessments are formulated regarding the profiles concerning the regulations on the protection of personal data.
 
3. CONCLUSIONS
 
For the foregoing reasons, while the dispute referred to in number 13 can be considered overcome for the reasons set out in the considerations in law in number 13 (par. 2.2), Enel is deemed to be responsible for the following violations:
 
1) Art. 31 of the Regulations, for the reasons described in number 1 of the previous paragraph 2.2;
 
2) Articles 5, par. 2, and 25, par. 1 of the Regulations, for the reasons described in numbers 2 to 4 of the previous paragraph 2.2;
 
3) Articles 5, par. 2, for the reasons described in numbers 2 to 4 of the previous paragraph 2.2;
 
4) Art. 5, par. 2 and 24 of the Regulations, for the reasons described in numbers 2 to 4 of the previous paragraph 2.2;
 
5) Art. 5, par. 1, lett. d), for the reasons described in number 5 of paragraph 2.2 above;
 
6) Articles 5, par. 1, lett. d), for the reasons described in number 6 of paragraph 2.2 above;
 
7) Art. 12 of the Regulations, for the reasons described in number 7 of paragraph 2.2 above;
 
8) Art. 5. par. 1, lett. a) and 12, par. 2 of the Regulations, for the reasons described in number 8 of paragraph 2.2 above;
 
9) Art. 21 of the Regulations and art. 130, paragraphs 1 and 2 of the Code, for the reasons described in number 9 of paragraph 2.2 above;
 
10) art. 130, paragraph 4, of the Code, for the reasons described in number 10 of paragraph 2.2 above;
 
11) Art. 31 of the Regulations, for the reasons described in number 11 of paragraph 2.2 above;
 
12) Articles 5, par. 1, lett. a), 12 and 13 of the Regulations, for the reasons described in number 12 of paragraph 2.2 above;
 
13) Articles 12 and 13 of the Regulations, for the reasons described in number 14 of the previous paragraph 2.2;
 
14) Articles 6, par. 1, of the Regulation and 130, paragraphs 1 and 2, of the Code, for the reasons described in number 15 of the previous paragraph 2.2;
 
From this ascertainment of the illegality of the Company's conduct with reference to the treatments taken into consideration, it is necessary, vis-à-vis Enel Energia S.p.A:
 
- issue a warning, pursuant to art. 58, par. 2, lett. a), of the Regulations, regarding promotional campaigns through telesellers which, according to the defensive statements, EE resumed following the pandemic emergency. These campaigns, in order not to violate the provisions of the Regulation, must be conducted in full compliance with the principles of accountability and privacy by design, having to prove at any time that the activation of offers and services and the registration of contracts take place only following promotional contacts made by the Company's sales network through telephone numbers registered in the ROC - Register of Communication Operators and after the necessary verification of the contact lists;
 
- issue a warning, pursuant to art. 58, par. 2, lett. b), of the Regulation, regarding the circumstance for which to provide an incomplete and unsuitable representation and evidential documentation regarding elements of assessment by the Authority as well as to omit the response to a request for information formulated by the latter, during the preliminary phase of the procedure integrates the violation of those duties of collaboration with the supervisory authority to which the data controller is required pursuant to art. 31 of the Regulation;
 
- to order, pursuant to art. 58, par. 2, lett. d) of the Regulations, to adapt each treatment carried out by its sales network to methods and measures suitable for providing and proving that the activation of offers and services and the registration of contracts takes place only following promotional contacts that, if operated by telephone, have been carried out by the aforementioned sales network through telephone numbers registered in the ROC - Register of Communication Operators and in compliance with the provisions of art. 130 of the Code;
 
- to order, pursuant to art. 58, par. 2, lett. d), to implement all the further technical and organizational measures necessary for the management of the requests to exercise the rights of the interested parties - and in particular the right to object to promotional purposes - which allow to give feedback to the interested parties, as well as identify and correctly acknowledge their effective will, without undue delay, and in any case, at the latest, within 30 days of receipt of the requests, without prejudice to overriding legitimate reasons and without prejudice to the need, promptly communicated to the interested parties, of any extension for feedback;
 
- request to communicate what initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback, pursuant to art. 157 of the Code, within 40 days from the notification of this provision; any non-response may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation;
 
- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application to Enel Energia S.p.A. of the administrative pecuniary sanctions provided for by art. 83, par. 4 and 5, of the Regulation.
 
4. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
 
The violations indicated above require the adoption of an injunction order, pursuant to Articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for application to Enel Energia S.p.a. of the pecuniary administrative sanction provided for by art. 83, para. 3, 4 and 5, of the Regulation (payment of a sum up to € 10,000,000 or, for companies, up to 2% of the annual worldwide turnover of the previous year, if higher and payment of a sum up to € 20,000,000 or, for companies, up to 4% of the annual worldwide turnover of the previous year, if higher);
 
For the determination of the maximum legal sanction of the pecuniary sanction, it is therefore necessary to refer to the turnover of Enel Energia SpA, in accordance with the previous provisions adopted by the Authority, and therefore to have to determine this maximum edict, in the case in question, in euros 530.279.555.
 
For the purposes of determining the amount of the penalty, the elements indicated in art. 83, par. 2, of the Regulations;
 
In the case in question, the following are relevant:
 
1) the seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation) - with reference to the disputes referred to in numbers 2, 3 and 4 due to the particular pervasiveness of unlawful contacts made in the name of the owner (detrimental to various fundamental rights and, in particular, in addition to the right to the protection of personal data, the right to privacy and the right to individual tranquility), of the level of damage actually suffered by the data subjects, who have been incessantly exposed to nuisance calls, the growing difficulties they encounter to stem the phenomenon, the multiplicity of conducts put in place by EE in violation of several provisions of the Regulations and the Code;
 
2) as an aggravating factor, the duration of the violations (Article 83, paragraph 2, letter a) of the Regulation), due to the repeated nature of the violations referred to in numbers 2 to 4, which lasted more than six months, considering that the first reports refer to unwanted calls in 2018; similarly, the Single Profile was active in the manner illustrated in numbers 12 to 15 until June 2021, when, according to the statements made by the Company, the information and consent box were modified;
 
3) as an aggravating factor, the high number of parties involved (Article 83, paragraph 2, letter a) of the Regulation) which, for the violation referred to in numbers 2 to 4, must take into account not only the numerous whistleblowers and claimants (140); similarly extensive is the audience of interested parties whose data are processed in the context of the Single Profile. According to what the Company reported during the re-confrontation, this would involve over 3 million Enel Digital users;
 
4) as an aggravating factor, the negligent nature of the conduct (Article 83, paragraph 2, letter b) of the Regulation) in consideration of the wide and constant dialogue with the Guarantor on all aspects of telemarketing, as well as the relevant provisional activities of the Authority, elements which, also in the light of recent Authority measures, should have constituted a valid support in the organizational choices of the Company but which, in particular with reference to the violations referred to in numbers 2 to 4, were largely disregarded.
 
5) as aggravating factors the specific recurrence of the conduct (Article 83, paragraph 2, letter e) of the Regulation) and the previous adoption by the Authority of similar corrective and sanctioning measures with reference to similar treatments (Article 83, par. 2, letter i) of the Regulation);
 
6) as a mitigating factor, the adoption of measures aimed at mitigating the consequences of violations (Article 83, paragraph 2, letter c) of the Regulation), with reference, in particular: a) to the implementation of the possibility for the interested party to check directly from the EE website "the traceability to EE and its partners of the numbers from which he has received commercial calls."; b) the modification of the information on the site, including that relating to the Single Profile; c) the reformulation of the illustrative captions in the vicinity of the boxes for the acquisition of consents, always within the scope of the Single Profile;
 
7) as additional factors to take into consideration to parameterize the sanction (Article 83, paragraph 2, letter k) of the Regulation), the large time margin granted to all data controllers in order to allow them a completed and consistent adaptation of systems and procedures to the new European legislation, in force since 25 May 2016 and fully applicable from 25 May 2018; the particular attention that the legislator has dedicated to the regulation of the telemarketing phenomenon, also with recently adopted regulatory interventions (e.g., law no. 5/2018); Enel Energia's primary market position in the telecommunications sector and the overall economic value of the Company; the need to promptly introduce adequate measures, in the face of a clear and perceptible increase in the phenomenon of promotional communications, of which the Company has shown to be fully aware, as the deadline set by the legislator for the definitive transition from the protected market for electricity and natural gas to the free market.
 
On the basis of all the elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and freedom of enterprise, in the first application of the administrative pecuniary sanctions provided for by the Regulation, also in order to limit the economic impact of the sanction on the organizational, functional and employment needs of the Company, it is believed that the administrative sanction of the payment of a sum of € 26,513,977 (twenty six million, 513,977), equal to 5% of the maximum legal sanction, should be applied to Enel Energia Spa, in line with other recent measures adopted by the Authority in the field of telemarketing.
 
In the case in question, it is believed that the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, taking into account the conduct of the Company as well as the high number of subjects potentially involved in the treatments examined;
 
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
 
IN VIEW OF ALL THE ABOVE, THE GUARANTOR
 
a) issues a warning to Enel Energia S.p.A., pursuant to art. 58, par. 2, lett. a), of the Regulations on promotional campaigns through telesellers which, according to the defensive declarations, the owner has resumed following the pandemic emergency; such campaigns, in order not to violate the provisions of the Regulation, will be conducted in full compliance with the principles of accountability and privacy by design, the owner having to prove at any time that the activation of offers and services and the registration of contracts take place only following promotional contacts made by the Company's sales network through telephone numbers registered in the ROC - Register of Communication Operators and after the necessary verification of the contact lists;
 
b) issues a warning to Enel Energia S.p.A., pursuant to art. 58, par. 2, lett. b), of the Regulation, regarding the circumstance for which to provide an incomplete and unsuitable representation and evidential documentation regarding the elements of assessment by the Authority as well as omitting the response to a request for information formulated by the latter, during the preliminary phase of the procedure integrates the violation of those duties of collaboration towards the supervisory authority to which the holder of the treatment is required pursuant to art. 31 of the Regulation;
 
c) orders Enel Energia S.p.A., pursuant to art. 58, par. 2, lett. d) of the Regulations, to adapt any processing carried out by its sales network to methods and measures suitable for providing and proving that the activation of offers and services and the registration of contracts takes place only following promotional contacts which, if operated by telephone, have been carried out by the aforementioned sales network through telephone numbers registered in the ROC - Register of Communication Operators and in compliance with the provisions of art. 130 of the Code;
 
d) orders Enel Energia S.p.a., pursuant to art. 58, par. 2, lett. d), to implement all the additional technical and organizational measures necessary for the management of the requests to exercise the rights of the interested parties - and in particular the right to object to the promotional purposes - which allow to give feedback to the interested parties, as well as identify and correctly acknowledge their effective will, without undue delay, and in any case, at the latest, within 30 days of receipt of the requests, without prejudice to overriding legitimate reasons and without prejudice to the need, promptly communicated to the interested parties, for a possible extension for the reply;
 
e) orders Enel Energia S.p.a., pursuant to art. 157 of the Code, to communicate to the Authority, within 40 days of notification of this provision, the initiatives undertaken in order to implement the provisions and prohibitions adopted, as well as the requests of the complainants; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation
 
ORDER
 
to Enel Energia S.p.a., in the person of the pro-tempore legal representative, with registered office in Rome, Viale Regina Margherita n. 125, Tax Code 06655971007, to pay the sum of € 26,513,977 (twenty six million, 513,977) as a fine for the violations indicated in the motivation, representing that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute, with the fulfillment of the prescribed requirements and the payment, within thirty days, of an amount equal to half of the sanction imposed.
 
ENJOINS
 
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of € 26,513,977 (twenty-six million, 513,977), according to the methods indicated in the annex, within 30 days from the notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.
 
PROVIDES FOR
 
The application of the ancillary sanction of the publication on the website of the Guarantor of this provision, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation n. 1/2019, and believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
 
Pursuant to art. 152 of the Code and 10 of Legislative Decree n. 150/2011, against this provision, opposition may be proposed to the ordinary judicial authority, with an appeal lodged with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself.
 
Rome, December 16, 2021
 
PRESIDENT
Stanzione
 
THE RAPPORTEUR
Ghiglia
 
THE DEPUTY SECRETARY GENERAL
Philippi
 
 


THE SECRETARY GENERAL
Mattei
</pre>
</pre>

Latest revision as of 11:07, 1 June 2022

Garante per la protezione dei dati personali - 9771142
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law:
Art. 4 (1)(f), 13, 23, 28, 37, 38, 161, 162 (2bis), 163, 164bis (2) Codice Privacy
Type: Investigation
Outcome: Violation Found
Started: 21.02.2019
Decided: 24.03.2022
Published: 19.05.2022
Fine: 4.240.000 EUR
Parties: Uber B.V.
Uber Technologies Inc.
National Case Number/Name: 9771142
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante Privacy (in IT)
Initial Contributor: sabrina_salmeri

The Italian DPA fined Uber a total of €4,240,000 for violations relating to 1,500,000 data subjects in Italy, including lack of transparency and consent and failure to notify the DPA of a personal data breach.

English Summary

Facts

The Italian DPA launched an investigation into Uber B.V., with registered office in Amsterdam, and Uber Technologies Inc., with registered office in San Francisco, after the US parent company made public a data breach in 2017. The DPA found that the Dutch company Uber BV and the US company Uber Technologies were joint controllers, each responsible for violating the Italian Privacy Code (the Italian implementation of EU Directive 95/46/EC) against data subjects in Italy.

During their inspections carried out at Uber Italy srl, the DPA found several violations, including inadequate privacy notice, personal data processed without consent and failure to notify the DPA about the data breach.

The security incident, which occurred before the GDPR came into effect, involved the data of around 57 million data subjects worldwide, and had been sanctioned by the Dutch and British DPA on the basis of their respective national regulations. The personal data processed by Uber concerned personal and contact data (name, surname, telephone number, and e-mail), access credentials to the app, location data (those that appeared at the time of registration), and relations with other data subjects (sharing trips, introducing friends, profiling information).

The controllers had also, without having obtained valid consent, processed the data of approximately 1,379,000 data subjects by profiling them on the basis of the so-called 'fraud risk', assigning them a qualitative rating (e.g., 'low') and a numerical parameter (from 1 to 100). Finally, the controllers had not complied with the obligation to notify the DPA of the processing of personal data for geolocation purposes, as required by the legislation in force before the GDPR came into effect.

Holding

The DPA found violations related in particular to the privacy notice provided to data subjects, which was inadequate insofar as it lacked an indication of joint ownership of the processing and was 'formulated in a generic and approximate manner', with 'unclear and incomplete information', and 'not easy to understand'. The purposes of the processing were not well specified, the references to the rights of the data subjects were vague and incomplete, and it was not clear whether data subjects were obliged to provide their data, nor what the consequences of a possible refusal would be.

The DPA found the following violations:

1. Violation of article 13 Privacy Code, for failure to acquire the consent of the data subjects.

2. Violation of articles 37 and 163 Privacy Code, for failure to notify the DPA of the breach.

3. Violation of Article 164-bis (2) Privacy Code, because the violations committed relate to databases of particular relevance or size.

Consequently, the DPA fined Uber B.V. (Holland) and Uber Technologies Inc. (USA) €2,120,000 each (a total of €4,240,000), for violations relating to 1.5 million data subjects in Italy, including drivers and passengers.

In defining the amount of the sanctions, the DPA, in addition to the seriousness of the violations ascertained, also took into account the significant number of data subjects involved and the economic conditions of the company.

Comment

Although it does not involve current European legislation (GDPR), this decision is relevant with regard to the general principles of data protection already contained in Directive 95/46/EC, harmonised in each EU Member State through national legislation: in Italy, this legislation is the 'Privacy Code'.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

Injunction Order against Uber B.V. and Uber Technologies Inc. - 24 March 2022

Register of Measures
No. 101 of 24 March 2022

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT TODAY'S MEETING, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice-President, Dr. Agostino Ghiglia and Mr. Guido Scorza, members, and Cons. Fabio Mattei, Secretary General;

HAVING REGARD TO Article 1, paragraph 2, of Law No. 689 of 24 November 1981, pursuant to which the laws providing for administrative sanctions apply only in the cases and for the time periods considered therein

NOTING that the Office of the Guarantor, by deed No. 6254/96792/124735 of 21 February 2019 (notified by registered mail), which is to be deemed herein fully referred to, challenged Uber B.V., in the person of its pro-tempore legal representative, with registered office at Meester Treublan No. 7, Amsterdam (The Netherlands), and Uber Technologies Inc., in the person of its pro-tempore legal representative, with its registered office at Market Street No. 1455, San Francisco, California, the violations provided for in Articles 161, 162, paragraph 2-bis, 163 and 164-bis, paragraph 2, of the Personal Data Protection Code (Legislative Decree 196/2003, hereinafter referred to as the "Code", in the wording prior to the amendments made following the entry into force of Legislative Decree 101/2018), in relation to Articles 13, 23 and 37 of the same Code;

NOTING that, upon examination of the records of the sanctioning proceedings, initiated with the above-mentioned notice of objection, it emerged that:

- following a data breach, which occurred in the autumn of 2016 and involved the data of approximately 57 million users worldwide, including Italian users, the Garante initiated a complex preliminary investigation against Uber B.V. (hereinafter UBV) and Uber Technologies Inc. (hereinafter UTI) aimed at acquiring elements of assessment regarding the domestic scope of the security incident that had occurred, sending, in this regard, a request for information to Uber Italy s.r.l. (note of 23 November 2017) and subsequently carrying out an inspection at the premises of Uber Italy s.r.l, in Milan, on 9 and 10 April 2018. From the examination of the overall documentation acquired, it emerged that the data breach concerned: personal and contact data (first name, surname, telephone number and e-mail), access credentials to the app, location data (as they appeared at the time of registration), relations with other users (i.e. sharing trips, introducing friends and some profiling information). On the Italian territory, the violation concerned data of 295,000 interested parties (52,000 drivers and 243,000 passengers);

- as a result of the preliminary investigation carried out by the Office, on 13 December 2018, the Garante adopted Order No. 498 (available at www.gpdp.it, web doc. no. 9069046, hereinafter 'Order'), to which reference is made in full;

- in the aforementioned provision, the Garante declared that the roles played by UBV and UTI, framed in the owner-manager relationship, were not correctly qualified, since the elements acquired during the preliminary investigation and during the inspections carried out at the premises of Uber Italy s.r.l., made it possible to classify the companies UBV and UTI as joint controllers of the processing, each responsible for the processing operations of the personal data of the Italian users (drivers and passengers) which took place in breach of the provisions of the Code

- in particular, on the basis of what was established in the measure, it was ascertained that the information notice provided to the users, pursuant to Article 13 of the Code, was unsuitable, in that it was 'formulated in a generic and approximate manner, containing unclear and incomplete information, not easy to understand for the interested parties and liable to generate confusion on the various aspects of the processing';

- it was also ascertained that with reference to the specific purpose qualified as 'fraud risk indicator', no information had been provided nor valid consent acquired from the data subjects, pursuant to Articles 13 and 23 of the Code

- finally, it was found that the processing of data disclosing the geographical location of users was carried out without prior notification to the Garante, as required by Articles 37 and 38 of the Code;

NOTING that, by the aforementioned act of 21 February 2019, the two companies were charged, in their capacity as joint controllers of the processing pursuant to Articles 4(1)(f) and 28 of the Code:

- the administrative violation provided for by Article 161 of the Code, in relation to Article 13, with reference to the issuance of an unsuitable information notice;

- the administrative violation provided for by Article 162, paragraph 2-bis, of the Code, in relation to Article 23, with reference to the failure to obtain consent;

- the administrative violation provided for in Article 163 of the Code, in relation to Article 37, for failure to notify the Garante;

- lastly, the breach provided for by Article 164-bis, paragraph 2, of the Code, with reference to the circumstance that the breaches committed relate to databases of particular relevance or size;

HAVING NOTED from the report prepared by the Office pursuant to Article 17 of Law No. 689/1981 that no reduced payment has been made in respect of the breaches referred to in Articles 161, 162, paragraph 2-bis, and 163 of the Code

HAVING CONSIDERED the defence briefs, sent pursuant to Article 18 of Law No. 689/1981 on 3 April 2019, which refer in full to the pleadings submitted to the Civil Court of Rome, in opposition to the Garante's order, in which the party has, in summary:

- contested the applicability of Italian law to the present case. This is because, according to Article 5 of Legislative Decree No. 196/2003, in the wording prior to the amendments introduced by Legislative Decree No. 101/2018, and taking into account Opinion No. 8/2010 rendered by the Art. 29 Group, the Italian law would be applicable "only if Uber Italy's processing activities in Italy were deemed to be carried out by an establishment of UBV and in the context of Uber Italy's activities (and not UBV)". Instead, it is undisputed that Uber Italy acts only as a data processor on behalf of UBV, providing mere customer support and marketing services, as was documented in the course of the investigation. The Garante, which had been aware since 2015 (on the occasion of an initial invitation to provide information addressed to the company) of Uber Italy's role as data controller, considered, in any case, the Italian legislation (and not the Dutch one) to be applicable "without any justification resulting in the Decision being vitiated by an absolute lack of motivation";

- in the notice of appeal in opposition to the decision, it is amply argued that UBV acts as data controller with regard to the processing of the personal data of the users of the Uber app outside the United States, including those of the users of the Uber app in Italy; in this regard, it is stated that 'UTI acts as UBV's data controller with regard to the data of the users of the Uber app outside the United States', as regulated in the Data Processing Agreement. Consequently, the conclusions reached by the Garante, in the contested measure, as to the co-ownership of the processing of the personal data of UBV and UTI are not correct and constitute a premise for upholding the unfounded nature of the complaint relating to the inadequate information;

- in particular, with regard to the infringement of Article 13 of the Code, the party, in its notice of appeal, argued at length that the objections raised in the Provvedimento concerning the unsuitability of the information provided were unfounded. In fact, not only the privacy policy (which is constantly updated by the company), but all the documents and forms made available to the user, provide detailed information on the purposes of the processing, the mandatory nature of the provision of certain information, and the exercise of the rights of the data subjects. Among other things, the information notice that the Garante deemed 'generic and approximate' was available online and, therefore, knowable to the Authority at least since 2015. Nonetheless, the Authority, on the occasion of its previous contacts with the company, has never questioned Uber's practices concerning the information provided, which, among other things, does not appear to have been challenged by the interested parties through reports or complaints;

- as regards the failure to obtain the consent of the data subjects in relation to the processing carried out for the so-called 'fraud risk' purpose, the company pointed out that Uber had not used the 'fraud risk indicator' for more than two years. In any case, under Dutch law (applicable to the processing activities carried out by Uber) consent is not required for such processing operations, as the company showed that it had a legitimate interest in protecting its platform;

- the failure to notify the Garante in relation to the processing of geolocation data cannot be contested, as this is conduct of which the Authority was aware as early as 2015. Therefore, 'if the Garante really had considered that Uber's conduct was in breach of some rule, the Garante could and should have informed Uber of this in 2015', which never happened;

- finally, there are no grounds for the application of the sanction referred to in Article 164-bis, paragraph 2, of the Code, given that the company has always acted in good faith and cooperated proactively with the Italian Authority since 2015, providing all the information requested also during inspections, as well as with the Dutch Authority in order to ensure compliance with the applicable law, regarding the processing of personal data;

READ the minutes of the hearing of 8 October 2019, pursuant to Article 18 of Law No. 689/1981, in which the party referred to what it had already argued in its defence briefs and in the appeal filed to challenge the Measure. In particular, it pointed out that it had notified the processing of geolocation data to the Dutch Authority and not to the Italian Authority as well, considering, in good faith, that the Italian legislation was not applicable. The party therefore requested that, where it was considered that the conditions for proceeding with the dismissal of the sanctioning proceedings did not exist, the sanctions be applied to the extent of the minimum edict, taking into account the criteria laid down in Article 11 of Law No 689/1981;

CONSIDERED that the arguments put forward are not suitable to exclude the liability of the party in respect of the contested charges.

Preliminary to any other observation on the merits of the case, is the question relating to the rules applicable to the case in question. On this point, the Authority considers that there are all the prerequisites to assert the competence of the Italian legislation to the processing of personal data carried out by Uber, on the basis of the provisions of art. 5, par. 1, of the Code, of art. 4, par. 1, lett. a), of the Directive 95/46/EC, (applicable at the time when the facts occurred), as well as of what was clarified by the Art. 29 Group in its Opinion no. 8/2010 of 16.12.2010 on the subject of applicable law. In particular, the application of the Italian national law to the case under consideration rests on the clear assumption that Uber Italy s.r.l. represents a stable organisation of Uber on the national territory and that the processing activities carried out by that entity are 'inextricably linked' to the processing carried out by UBV and UTI, i.e. carried out 'in the context of the activities of the establishment' of the data controller. In this regard, the circumstance that Uber Italy s.r.l. acts as data controller (rather than as data owner) is not relevant, since it is established that the activities carried out by the latter are aimed at enabling the data subjects, whose personal data are collected on the national territory, to take full advantage of the service offered by the group, by providing the support activities (to customers and drivers) necessary for the correct and regular performance of the service. The Art. 29 Working Party in its above-mentioned Opinion No. 8/2010 noted that 'in order to determine whether one or more laws apply to the different stages of processing, it is important to bear in mind the overall picture of processing activity: a set of operations carried out in a number of different Member States, but all intended to serve a single purpose (...)'. 
The Garante, therefore, making use of this contribution, already on previous occasions, has had the opportunity to clarify that the applicable law is not that of the Member State where the data controller resides, but that of the country where the processing activities are actually carried out, also taking into account the persons to whom they are actually addressed (see, in this regard, injunction order against Facebook Ireland Ltd and Facebook Italy s.r.l., provv. no. 134 of 14.06.2019, in www.garanteprivacy.it, web doc no. 9121486; injunction order against Yahoo Emea Limited, prov. no. 144 of 8.3.2018, web doc no. 9072702). It is also worth recalling the judgments of the Court of Justice of the EU on the cases "Google Spain and Google" (Case C-131/12 of 13 May 2014) and "Weltimmo" (Case C-230/14 of 1 October 2015), which affirm the principle that, when processing is carried out in the context of the activities of an establishment of the data controller in the territory of a Member State, the national law of that Member State is applicable pursuant to Art. 4(1)(a) of Directive 95/46/EC; therefore, the supervisory authority of that Member State may exercise, pursuant to Art. 28(1) and (3) of the Directive, all the powers which that right confers on it vis-à-vis that establishment in order to ensure compliance with the data protection rules in that territory, and this irrespective of the fact that the data controller also has establishments in other Member States (in this sense, see also the Article 29 Working Party, Opinion No. 179 - "Update of the Opinion 8/2010 on applicable law in light of the CJEU judgement in Google Spain"-, of 16 December 2015).

That being said, it follows that the arguments put forward by the party with regard to the inapplicability of the Italian regulations to the various aspects of the processing of personal data, carried out by the company, are unfounded, including the observations made with reference to the fact that the processing is carried out solely by UBV. In this respect, it should be noted that the elements gathered during the preliminary investigation phase, also by means of inspections, provided a representation of the roles of UBV and UTI that did not correspond to what was described by the company. The Garante considered that the ownership of the processing should be attributed to both UTI and UBV on the basis of a series of elements that were adequately reported in the measure of 13 December 2018. These included, in particular, the decisions taken with respect to the purposes and means of the processing, which were not prepared solely by UBV; instead, it emerged that the policies relating to the operation and management of the service were prepared solely by UTI, in its capacity as parent company. On this point, the company pointed out, in the course of the preliminary investigation, that the choice of entrusting the management of the policies and the adoption of technical and organisational security measures to a single entity (in this case, the UTI) was aimed at guaranteeing the same level of protection of personal data within the group, similarly to what was done by other companies operating globally. 
In the case at hand, however, it appears that UTI exercises an autonomous decision-making power on such aspects that cannot be considered merely formal, as, inter alia, also confirmed by Uber, in its note of 30 April 2018, in which it states that 'UBV has instructed its data controller, UTI, to decide and implement the technical and organisational security measures necessary for the protection of personal data relating to Italian (and other non-US) passengers and drivers'. It is worth emphasising that the issue of the ownership of the processing of personal data was the subject of in-depth analysis and was at the centre of similar investigations carried out by the Authorities of the other EU countries that were involved in the examination of the data breach occurred to the company. The conclusions reached by the Authorities concerned were, in this respect, unequivocal, all agreeing on the co-ownership of the processing of personal data by UBV and UTI (in this regard, the Délibération n°SAN-2018-011 adopted by the CNIL on 19.12.2018, the Decision adopted by the Dutch PA on 8.11.2018 and the Decision of the ICO on 26.11.2018).

At the outcome of the investigation conducted by the Office, in the context of which all the documentation inherent to the processing operations carried out by the company was acquired, it was found that the information provided to approximately 1,513,431 users (including drivers and passengers) was not suitable, not only with regard to the lack of indication of the co-ownership of the processing operations carried out, but also in other aspects that are decisive in guaranteeing the transparency and correctness of the processing operations themselves to the interested parties. The same information notice was prepared in respect of the drivers and passengers, providing an indistinct representation of the processing operations carried out, their purposes and methods. Moreover, it was ascertained that the information notice described, in a generic and approximate manner, the purposes of the processing in relation to the categories of personal data collected; it did not indicate the compulsory nature of the provision of the data, in relation to the various operations carried out and the consequences of any refusal to provide them; the information notice was also unsuitable in relation to the exercise of the rights of the data subjects (with reference, for example, to the right to update and to object on legitimate grounds). These critical issues, assessed overall by the Office at the outcome of the preliminary investigation, are relevant regardless of the fact that no reports and/or complaints were filed by the data subjects in relation to an infringement of their rights.

With regard to the violations relating to the failure to obtain specific consent in relation to the processing carried out for the assessment of the so-called "fraud risk" and the failure to notify the Guarantor in relation to the processing of geolocation data, the additional arguments put forward by the company in its defence are not relevant, since, for both processing operations carried out, the applicable regulations (referring to Legislative Decree 196/2003 in force at the time when the violations occurred) provided for the fulfilment of certain obligations by the data controller that were not fulfilled. In particular, on the basis of the documents in the file, it appears that no consent "freely and specifically expressed in relation to a clearly identified processing operation" was acquired in relation to the pursuit of the purpose relating to the so-called "fraud risk" indicator, reported on the profiles of approximately 1,379,000 customers (passengers), and consisting in the assignment of a qualitative judgement (e.g. "low") and a numerical parameter (from 1 to 100).

Similarly, with respect to the processing of geolocation data, the rules applicable at the time of the inspection provided (Article 37(1)(a) of the Code) for the prior notification of the processing to the Garante, in accordance with the procedures set out in Article 38 below. Although the notification is no longer provided for in EU Regulation 679/2016, under the former legislation it constituted a particularly important fulfilment that required the data controller to communicate to the Garante a series of information relating to the processing that it intended to initiate and relating to the data controller itself; this was done in order to provide every guarantee for the protection of data subjects.

Finally, as regards the application of the sanction referred to in Article 164-bis, paragraph 2, of the Code, it should be noted that this was ordered in view of the significant number of data subjects (approximately 1,514,000 drivers and passengers, and approximately 1,379,000 passengers in relation to the failure to obtain consent) whose personal data were subject to the processing operations carried out by both companies in breach of the provisions of the Code. On this point, it should be noted that in a recent jurisprudential ruling, the Court of Cassation reiterated that the case provided for by Article 164-bis, paragraph 2, of the Code is not an aggravated hypothesis with respect to the other contested violations, but rather an entirely autonomous figure of unlawful conduct (Civil cassation, section II Ord., 03/09/2020, no. 18288);

HAVING TAKEN NOTE of judgement no. 11803/2019 R.G. issued by the Court of Rome on 29/11/2021 by which the opposition proposed by the two Companies against the Guarantor's Order no. 498 of 20/12/2018 was declared inadmissible. In particular, the judge held that "the substantive rules applicable ratione temporis are those in force prior to the entry into force of the GDPR, while those of a procedural and procedural nature, immediately applicable, are those subsequent to the entry into force of the Regulations and Legislative Decree no. 101/2018";

NOTED, therefore, that UBV and UTI, in their capacity as co-processors pursuant to Articles 4(1)(f) and 28 of the Code appear to have committed the violations referred to in Articles 161, 162(2-bis) and 163 of the same Code, as indicated in the notice of objection No. 6254/96792/124735 of 21 February 2019, as well as the violation referred to in Article 164-bis(2) in relation to databases of particular relevance and size;

NOTED, moreover, that in relation to their status as joint data controllers, responsibility for the contested violations must be attributed separately to each of the companies;

CONSIDERED that, for the purposes of determining the amount of the pecuniary sanctions, it is necessary to take into account, pursuant to Article 11 of Law No. 689/1981, the work performed by the agent to eliminate or mitigate the consequences of the violation, the seriousness of the violation, and the personality and economic conditions of the offender

WHEREAS, in the case under consideration

- with regard to the aspect of seriousness, the elements relating to the intensity of the psychological element and the extent of the danger and harm must be assessed in view of the fact that the infringements were committed in relation to a significant number of persons concerned

- for the purposes of assessing the work performed by the agent, it must be pointed out that, in view of the new requirements laid down by the Regulation, changes have been made, especially with reference to the information

- with regard to the personality of the author of the violation, it must be considered that there are no previous sanctioning proceedings against UBV and UTI;

- with regard to the economic conditions of the agent, the operating budget for the year 2019 was taken into consideration;

CONSIDERED, therefore, that it is necessary to determine, pursuant to Article 11 of Law no. 689/1981, the amount of the pecuniary sanctions, on the basis of the aforementioned elements assessed as a whole, in the amount of:

- euro 30,000.00 (thirty thousand) for the breach referred to in Article 161 of the Code, in relation to Article 13;

- euro 100,000.00 (one hundred thousand) for the breach referred to in Article 162, paragraph 2-bis, of the Code, in relation to Article 23;

- euro 100,000.00 (one hundred thousand) for the breach referred to in Article 163 of the Code, in relation to Article 37;

- Euro 300,000.00 (three hundred thousand) for the breach referred to in Article 164-bis, paragraph 2, of the Code;
for a total amount of Euro 530,000.00 (five hundred and thirty thousand);

CONSIDERING, moreover, that in consideration of the economic conditions of the offender, having regard to the data relative to the overall turnover and the number of users, the above mentioned fine is ineffective and must therefore be increased by four times, as provided by Article 164-bis, paragraph 4, of the Code, for a total amount equal to Euro 2,120,000.00 (two million one hundred and twenty thousand)

HAVING REGARD TO the documentation in the files

HAVING REGARD TO law no. 689/1981 and subsequent amendments and supplements

HAVING REGARD TO the observations of the Office formulated by the Secretary General pursuant to Article 15 of the Supervisor's Regulation No. 1/2000, adopted by resolution of 28 June 2000;

BE IT RESOLVED by Mr Guido Scorza, lawyer;

ORDERED

Uber B.V., in the person of its pro-tempore legal representative, with registered office at Meester Treublan No. 7, Amsterdam (The Netherlands), and Uber Technologies Inc., in the person of its pro-tempore legal representative, with registered office at Market Street No. 1455, San Francisco, California, to pay each the sum of EUR 2,120,000.00 (two million one hundred and twenty thousand) by way of administrative fine for the violations indicated in the grounds;

INSTRUCTS

the aforesaid companies to pay, each one, the sum of EUR 2,120,000.00 (two million one hundred and twenty thousand), according to the modalities indicated in the annex, within 30 days from the notification of this measure, under penalty of the adoption of the consequent executive acts pursuant to Article 27 of law no. 689 of 24 November 1981.

Pursuant to Article 152 of the Code and Article 10 of Legislative Decree no. 150/2011, an objection to this measure may be lodged with the ordinary judicial authority, by lodging an appeal with the ordinary court of the place where the data controller resides, within thirty days from the date of notification of the measure itself, or sixty days if the applicant resides abroad.

Rome, 24 March 2022

THE CHAIRMAN
Stanzione

THE REPORTER
Scorza

THE SECRETARY GENERAL
Mattei