Garante per la protezione dei dati personali (Italy) - 9893718

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(a) GDPR
Article 5(1) GDPR
Article 5(2) GDPR
Article 6 GDPR
Article 7 GDPR
Article 13 GDPR
Article 28 GDPR
Article 29 GDPR
Article 30 GDPR
Article 32 GDPR
Art. 130 c. 3 D. lgs. 196/2003
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.04.2023
Published:
Fine: 1.800.000 EUR
Parties: Mas s.r.l.
Mas s.r.l.s.
Sesta Impresa s.r.l.
Arnia SocCoop
National Case Number/Name: 9893718
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: carloc

The Italian DPA investigated companies that illegally acquired and shared personal data for advertising of electric utilities and ordered the confiscation of IT and paper files, in addition to imposing fines of €200,000, €300,000, €500,000 and €800,000.

English Summary

Facts

In February 2021, the Italian Financial Police (Guardia di Finanza) informed the Italian DPA that two related companies, MAS S.R.L. and MAS S.R.L.S., were engaging in door-to-door marketing and illegally using personal data to promote and offer contracts with electric companies.

Initially, the DPA opened an investigation only against the two companies. However, the investigations revealed a complex system of direct and indirect contractual relationships, with two companies in the energy sector as final recipients of said marketing services: HERA COMM and ENEL ENERGIA.

Operating as part of that system, MAS S.R.L.S. first bought databases of personal data from an Italian and a Spanish company and also from an unidentified vendor on Facebook. Then, together with MAS S.R.L., it processed these data for door-to-door marketing on behalf of the electric companies, without telling consumers that they were mere intermediaries. Additionally, the companies did not tell them how they collected their personal data.

Moreover, MAS S.R.L. and MAS S.R.L.S. shared the collected personal data with telemarketing companies SESTA IMPRESA and ARNIA, which further processed the data for telephone advertising. During the investigation, no proof of consumer consent was provided.

The DPA also found that SESTA IMPRESA got the credentials to access ENEL's information systems and shared them with ARNIA. In turn, ARNIA used these credentials to upload the signed contracts into the system without authorization from ENEL. None of the telemarketing companies had a written contract with ENEL appointing them as processors.

Although ARNIA had been appointed as a processor by SESTA in 2019, none of the other companies had signed data processing or joint controllership agreements. They were also not appointed as processors or sub-processors by other intermediaries nor by the final customers HERA COMM and ENEL.

The DPA also verified that the marketing activities involved a large number of consumers as ARNIA uploaded 260.000 contracts between 2018 and 2022. While ARNIA presented a purely procedural defense, the other investigated companies decided to not defend themselves at all.

Holding

In its decision, the DPA highlighted the absolute lack of collaboration of the companies with the investigations. It then emphasized that the investigations revealed the functioning of a marketing industry based on a series of illegal practices. According to the DPA, these companies were passing personal data from hand to hand without consumers being aware of it and without contractually defining their responsibilities in this data sharing network.

With regard to company MAS S.R.L., the DPA found that, in addition to processing personal data for advertising purposes without providing consumers with prior information and obtaining their specific consent, it got them to sign contracts on behalf of ENEL, without having signed a processor agreement. Besides, it shared the data contained in the contracts with SESTA, with whom it also had no written agreement. Therefore, it considered MAS S.R.L. as an independent controller since Article 6(1)(b) GDPR only allows the parties to the contract to process personal data necessary for the performance of that contract.

The same reasoning was applied in relation to company MAS S.R.L.S., which shared the data with the latter, operating in the exact same environment and having the exact same personnel working indifferently for both companies.

As for the company SESTA, the DPA pointed out that, although there was a contract signed with ENEL, such contract did not qualify it as a processor. Therefore, it carried out personal data processing to promote electricity services in the absence of a mandate that would legitimize it to do so, acting as a de facto processor. Likewise, the numerous collaborators, both natural and legal persons, with which SESTA has shared the data were not legitimized to process it either.

Finally, regarding ARNIA, the DPA deemed its appointment as a processor by SESTA as ineffective. According to the DPA, this appointment did not correspond to the reality of the facts since SESTA carried out promotional activities as a de facto processor. It held that the only activity that ARNIA carried out under the controllership of SESTA and the other companies was the phone calls with potential customers. However, to make promotional calls, it used the same illegally obtained database. The DPA then further emphasized that ARNIA illegally accessed ENEL's IT platforms to perform data entry operations without being entitled to use its authentication credentials. The DPA also held that ARNIA failed to adequately provide the requested documents during the investigations.

The DPA concluded that there was a violation of Articles 5(1)(a), 6, 7 and 13 of the GDPR as well as Art. 130 of the Italian Privacy Code. Moreover, it considered that the lack of a written agreement violated Articles 28 and 29 GDPR and that the lack of records of the processing activities violated Article 30 GDPR. For these reasons, it deemed the processing as 'radically illegal' and ordered the companies to stop it. Moreover, it ordered the confiscation of IT and paper files containing the personal data illegally acquired by them in order to protect the large number of affected data subjects.

As a sanction for the violations, it imposed the following fines:

  • MAS S.R.L. was fined €200,000 for violating Articles 5, 6, 7, 28, 29, and 30 GDPR as well as Art. 130(3) of the Italian Privacy Code;
  • MAS S.R.L.S. was fined €500,000 for violating Articles 5(1), Article 5(2), 6, 7, 13, 28, 29, and 30 GDPR;
  • SESTA IMPRESA was fined €300,000 for violating Articles 5(1)(a), 6, 7, 28, 29, and 32 GDPR as well as Art. 2-quaterdecies of the Italian Privacy Code;
  • ARNIA was fined €800,000 for violating Articles 5(1)(a), Article 6, 7, 13, 28, 29, and 32 GDPR as well as Art. 130(3) of the Italian Privacy Code.

Comment

On 6 June 2023 the Italian DPA published a press release on the decision.

The Italian DPA noted that personal data are often unlawfully processed in telemarketing. Around the same time, the DPA published three more decisions about the unlawful processing of personal data for telemarketing. These included a €7.631.175 fine against telecom company Tim S.p.A. for a lack of oversight over its telemarketing contractors.

The DPA also noted that the illegal processing of personal data can raise competition issues on the telemarketing market. For this reason, the DPA forwarded its decision to the Italian competition authority (AGCOM).

Mas s.r.l., Mas s.r.l.s., and Sesta Impresa did not file a defense in the procedure, and Arnia only filed a defense on procedural issues. The Italian DPA evaluated this lack of collaboration negatively.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Press release of 6 June 2023



[doc. web no. 9893718]

Provision of April 13, 2023

Register of measures
no. 184 of 13 April 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46/CE (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER Prof. Ginevra Cerrina Feroni;

1. THE INVESTIGATION ACTIVITY CARRIED OUT

1.1. Premise

With deed of 15 November 2022, n. 64099/22 (notified on the same date by certified e-mail), which here must be understood as reproduced in full, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the provisions pursuant to art. 58, par. 2 of the Regulation against: 1) Mas s.r.l., with registered office in Verona, Corso Milano 64, Tax Code 04600740239; 2) Mas s.r.l.s., with registered office in Verona, corso Milano 64, C.F. 04464070236; 3) Sesta Impresa s.r.l., with registered office in Florence, viale Belfiore 34, Tax Code 02108430501; 4) Arnia Società Cooperativa, with registered office in Florence, viale Belfiore 34, Tax Code 06488750487.

The proceeding originates from a report that the Special Unit for the Protection of Privacy and Technological Frauds of the Guardia di Finanza received from the Soave Company of the same Corps, a report then forwarded to the Authority. It stated that the Compagnia di Soave had started inspections against two Veronese companies, Mas s.r.l. and Mas s.r.l.s. which, as it is easy to deduce from the company name, operate within the same entrepreneurial initiative.

On 19 February 2021, the Guardia di Finanza noted, during the ordinary school activities during the pandemic period, that two people were wandering around the municipal area of Soave despite the health restrictions adopted at the time: the two people claimed to be procurers of business on behalf of the aforementioned companies, at which the Compagnia di Soave therefore carried out the investigations.

1.2. Inspection checks at Mas s.r.l. and Mas s.r.l.s

The inspection activities carried out by the Guardia di Finanza returned significant results in relation to the legislation on the protection of personal data, as well as further findings subject to separate discussion. For the aspects within the competence of this Authority, it emerged that Mas s.r.l. and Mas s.r.l.s. carried out activities aimed at promoting the services of companies in the electricity and gas sector, sharing offices and employees with each other. The promotional activities, as emerges from the service reports in the file, had also involved the commander of the Compagnia di Soave, recipient of unwanted phone calls from Mas s.r.l.

The inspections returned a picture of substantial non-compliance in the processing of personal data carried out by the two companies which made promotional calls aimed at selling the services of the energy companies Enel Energia and Hera Comm. The calls were made using lists of potential customers which appeared to have been purchased by the owner of Mas s.r.l.s., in one case through an unidentified seller present on Facebook, in other cases by an individual Italian company and by the Spanish company Telecontact List s.l., a company already subject to further reports.

The contact lists were used both for the contact activities of Mas s.r.l. and for those of Mas s.r.l.s. without the two companies having carried out checks on the correct acquisition of consent for the communication of data from one owner to another and for carrying out treatments for promotional purposes.

Although Mas s.r.l. was linked to Hera Comm by an agency contract for the creation of advertising campaigns, the same s.r.l. also contacted potential customers to promote Enel Energia's services and, during the meetings aimed at finalizing the membership proposals, the business brokers showed Enel Energia's contractual forms and identification cards, apparently counterfeit, relating to the same company.

As for the concrete methods of carrying out the promotional activities, some procurers or employees of the two companies were questioned by the Guardia di Finanza. From their declarations it emerged that the customer acquisition activities on behalf of Hera Comm and Enel Energia envisaged, for each business agent, the daily telephone contact of about fifty potential customers, which necessarily resulted in eight appointments for the following days, appointments aimed at conclusion of contracts with Hera Comm. Only in the event that the potential customer had an existing contract with Hera Comm, should a change of manager towards Enel Energia be proposed to him. Subsequently, the customer was contacted again to change manager again (from Hera Comm to Enel Energia and vice versa). This circumstance was also confirmed by the statements of some customers, obtained with summary information in the context of the Compagnia di Soave's investigations.

As for the undue contact of the commander of the Compagnia di Soave, an employee of Mas s.r.l., author of the promotional call, declared that the name had been provided by the owner of the company, who had then recommended to his employee to represent to the Finance Police that it was instead a contact suggested by another customer.

The numerous contracts made by Mas s.r.l. for Enel Energia appeared to have been sent, for the activation of the services, to the Florentine company Sesta Impresa s.r.l.

1.3. Inspections at Sesta Impresa s.r.l.

Based on the information acquired by the Guardia di Finanza, this Authority ordered the carrying out of an inspection at the headquarters of the company Sesta Impresa s.r.l. aimed at verifying the transit of Enel Energia contracts from Mas s.r.l. and, more generally, the methods of data processing in the context of promotional activities on behalf of companies in the energy sector.

The assessment was carried out by the Special Unit for the protection of privacy and technological fraud of the Guardia di Finanza on 10 February 2022 and returned numerous critical elements with reference to the correct fulfilments regarding the protection of personal data since it made it possible to detect that Sesta Impresa operated as a sub-agent of various energy companies, including Enel Energia, by virtue of contracts (for the performance of work or business procurement) stipulated with various agencies, in turn contractually linked with the energy companies. The aforementioned contracts, acquired in the course of the operations, did not bear any reference to the designation of Sesta Impresa as responsible for the processing carried out on behalf of the energy companies, nor on behalf of the two agencies from which the entire investigation originates.

Specifically, the contracts with XX (promotion of Enel Energia services), XX (XX), XX (XX), XX (Enel Energia services), XX (Enel Energia services), Mas s.r.l. (Hera Comm services), XX (XX), XX (Enel Energia services), XX (XX), XX (Enel Energia services).

Particular importance must be attributed to the fact that the legal representative and Chairman of the board of directors of Sesta Impresa declared that he had never dealt with issues related to data protection, since, according to him, the Company did not provide lists of subjects to contact nor did it deal with the forwarding of the contractual proposals, which were sent directly to a different subject, the Arnia cooperative company, which provided, at an office located in Montecatini, "back-office" services, i.e. the set of operations subsequent to the signing of the contractual proposals by the customers.

The owner of Sesta Impresa declared that he was not aware of the ways in which promotional contacts were made on behalf of the energy companies nor the technical steps for uploading the contractual proposals and the customers' personal data on the companies' platforms, since the activity promotion was entirely entrusted to the brokers who, once the contractual forms were signed by the customers, sent them to the Arnia cooperative which was responsible for entering the data into the management platforms of the energy companies.

Finally, the owner of Sesta Impresa represented that he was not aware of the operating procedures to ensure that the interested parties exercise the rights referred to in articles 15-22 of the Regulation.

In essence, the investigations revealed that Sesta Impresa had the task, on the one hand, of entering into sub-agency contracts with partners in the official sales network of energy companies and, on the other, of "recruiting" business brokers (natural persons and small companies - overall about 16-17 people) who were then distributed throughout the territory, on the basis of telephone contacts previously made by the Arnia cooperative company, to get potential customers to sign the contractual proposals with the energy companies themselves. These business brokers were not identified as managers, sub-managers or persons authorized to process personal data on behalf of the energy companies, agencies and Sesta Impresa.

After the date on which the investigations were carried out, Sesta Impresa sent a copy of the service contract entered into between the same Sesta Impresa and the Arnia cooperative company to the Finance Police Unit. In this contract, Arnia is expected to carry out, on behalf of Sesta Impresa, the activity of "advertising products and new offers as well as possibly scheduling appointments for its commercial agents, more briefly defined as a "call center" activity (useful contacts - appointments taken)" and "loading-processing of contracts, an activity more briefly defined as "data entry"".

1.4. Inspection checks at the cooperative company Arnia

The results of the inspection assessment against Sesta Impresa s.r.l. imposed further activity also against the Arnia cooperative society which appeared to be the real organizational engine of the entire entrepreneurial initiative.

The investigation at the Arnia cooperative company was carried out by the Special Unit for the protection of privacy and technological fraud of the Guardia di Finanza on 22 and 23 June 2022, with the participation of Authority personnel, and it emerged that the cooperative provided the services indicated by Sesta Impresa (call center, for making promotional telephone calls and data entry of contracts relating to the supply of electricity and gas) not only for the latter company but also for three other companies, Idra s.r.l., Argo s.r.l. and Miral Synergy s.r.l., later transformed into Aries s.r.l. Relations between Arnia and the four companies were governed by contracts signed between 15 October 2017 and 2 January 2018; however, the four companies designated Arnia as data processor only on 21 January 2019: this designation relates only to the treatments for which the four companies take on the legal role of data controller.

With reference to the call-center and data entry activity, it emerged that Arnia, at the time of the investigation, had 22 collaborators (worker-members and external collaborators), 13 of whom were included in the call-centre: this personnel carried out, based on the statistics presented by the cooperative, 76,618 so-called "useful phone calls" (understood as those in which the customer shows an interest in continuing the conversation without interrupting the call) in 2018, 114,142 in 2019, 99,603 in 2020, 107,699 in 2021 and 45,804 in the six months of 2022.

The remaining personnel carried out data entry activities, understood as processing operations for each contract for registration on the IT platforms of energy companies, entering 50,364 contracts in 2018, 64,470 in 2019, 60,035 in 2020, 62,220 in 2021 and 26,401 in the first half of 2022.

As regards the concrete methods of carrying out the call center activities, they can be summarized as follows:

phase 1 – preliminary operations. The Arnia call center operators assign each business agent of the 4 companies (Sesta Impresa, Argo, Idra and Aries, agents or sub-agents of energy companies) the geographical area in which they can operate, enter it in Arnia's telephone dispatching system, and the system returns the names of potential customers to contact based on their delivery address;

phase 2 – contact. The call center operators carry out the promotional calls on behalf of the four companies, promoting the services of the energy companies. The calls are made by Arnia using two databases of which it has declared to be the owner, one made up of the names of customers who, in the context of signing a contractual proposal, have given their consent to the processing of their personal data for promotional purposes. The other database consists of the names of individuals contacted by telephone by Arnia to set an appointment, who, during the same appointment, are asked to sign a form directly referable to the promotional activities of the same Arnia;

phase 3 – promotion. In the promotional contact, the operator presents himself as belonging to the Arnia cooperative in Montecatini, illustrating the purpose of the call, i.e. to provide customers on the free market with new opportunities for cheaper energy contracts than those in place. In the event that the customer requests to know the origin of their personal data held by Arnia, the operator replies that such data is available to the Company since "the person contacted is a customer of the free energy market". During the call, the energy companies with which it is possible to sign a new contract are indicated. Once the availability of an appointment at your home has been obtained, the operator enters the appointment in the seller's diary and, once around 5/6 appointments have been set, the diary can be considered completed for the reference day.

As far as data entry operations are concerned, these are carried out by the remaining 9 Arnia collaborators and concern the uploading of the information present in the contracts signed by customers following visits by business brokers from the four companies.

Also in this case the activities include several phases:

phase 1 – division of labor. The workload of the contracts stipulated by the various agents of the 4 partner companies, which they undertake to deliver to the Montecatini headquarters, is divided among the various employees who have the right to access the portals of the energy companies;

phase 2 – access to the computer networks of the energy companies. The connection to the portals of the energy companies takes place by entering the authentication credentials that the companies have provided to the agent companies. The credential for accessing each portal is unique for each company and allows simultaneous access to multiple workstations, even outside the corporate network;

phase 3 – uploading contractual information. After accessing the network of the companies, the operators enter the information necessary to allow the subsequent activation of the service. If, during insertion, anomalies emerge, the operator can contact a dedicated toll-free number that each company makes available for technical assistance. In the case of contacts with the toll-free number, the operator qualifies as an Arnia collaborator on behalf of one of the 4 partner companies.

During the inspection activity, elements also emerged relating to the activities carried out by the cooperative with reference to the promotions and sale of Enel Energia services, which took place through the companies Mas s.r.l. and Sesta Impresa. Both the owner of the cooperative and the coordinator of the data-entry activities confirmed that they had entered the contracts from Mas s.r.l., which then became available to Sesta Impresa, by accessing the Enel Energia system, of which they also provided the exact name.

1.5. Follow-up to the investigation

Upon conclusion of the inspections, Arnia reserved the right to send the Guardia di Finanza, within 15 days, the data relating to the overall numerical consistency (with specification of the number of consents attributable to the 4 agent companies and Arnia) of the master data present in the two databases of which he claimed ownership.

In this regard, it should be noted that, with a joint note from the Commander of the Special Unit for the protection of privacy and technological fraud of the Guardia di Finanza and the Commander of the Privacy Group, it was represented that "the company has not fulfilled the deadline set for the dissolution of reserves and that, following various reminders [...] requested an extension of the deadline for transmitting the additional data, which was not consistent with the provisions of this Authority and the related reasons given". An email dated 22 July 2022 from Arnia was attached to the note, in which it was noted that "in relation to the request made by you following the inspection of 22 and 23 June last, for the supply of data relating to privacy, we are forced to request an extension of the deadline for the supply of the same. The reason lies in the fact that, to complete the retrieval of the copious documentation requested by you, we realized that we need very substantial human resources for our Cooperative, as the retrieval of contracts and consents, present in our archives almost entirely in paper form, requires much longer times than we had estimated at the time of your inspection. To give an idea, the master database contains 138,000 names, to which the relative paper consent forms are associated, which must be extracted and matched. At the moment we have managed to complete about 12,000 names, of which 10,000 belong to our Cooperative, and the remainder to the agent companies".

1.6. Claiming Violations

At the end of the preliminary investigation, the Office adopted the aforementioned notice of dispute no. 64099/22 in which, in general, it was observed that from the inspections carried out by the Guardia di Finanza it was possible to outline an extremely serious and alarming picture in relation to the complex of activities carried out by the companies Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l. and Arnia cooperative society, aimed at promoting the services of energy companies in general and those of Hera Comm and Enel Energia in particular.

We then proceeded to identify the specific hypotheses of violation which are referred to in full here:

a) Mas s.r.l. – art. 5, par. 1, lit. a), 6, 7 and 13 of the Regulation, as well as 130, paragraph 3, of the Code, for having made promotional telephone contacts, using lists of personal data acquired in the absence of specific consent and in the absence of the release of prior information, lists that also appear to originate from foreign companies and in any case appear to lack indications regarding the methods of data collection and acquisition of consent for commercial and promotional purposes;

b) Mas s.r.l. - articles 5, par. 1, lit. a), 6, 7, 28 and 29 of the Regulation, for having proceeded to get customers to sign contract proposals on Enel Energia forms, without having received from the company or from any agent agencies, the designation as manager or sub-manager of the treatment, as well as for having transmitted the data contained in the contract proposals to Sesta Impresa s.r.l., without the latter having been designated, by Enel Energia or by others, as responsible for the treatment;

c) Mas s.r.l. – art. 28 of the Regulation, for having failed to communicate to the data controller and/or data processor the identification of Mas s.r.l.s. as sub-manager;

d) Mas s.r.l. – art. 30 of the Regulation, for not having prepared and made available to the operators the Register of treatments;

e) Mas s.r.l.s. – articles 5, par. 1 and 2, 6, 7 and 13 of the Regulation, for having purchased lists of personal data from several suppliers, including foreign ones, without having ascertained the correct collection of personal data contained therein and the acquisition from the interested parties of the necessary consent to the transfer of their data to third parties, as well as for having transferred such data to Mas s.r.l., without having previously provided the necessary information to the interested parties and acquired from them the prescribed consent to the communication of the data;

f) Mas s.r.l.s. – articles 5, par. 1, lit. a), 6, 7, 28 and 29 of the Regulation, for having carried out processing for the acquisition of customers for Enel Energia without having received, from the latter or from Sesta Impresa, formal designations as manager or sub-manager of the treatment, as well as for having transmitted the data contained in the contract proposals to Sesta Impresa s.r.l., without the latter having been designated, by Enel Energia or by others, as data processor: the data transfer therefore appears to have been carried out as independent data controller, in the absence of an appropriate legal basis;

g) Mas s.r.l.s. – art. 28 of the Regulation, for having failed to inform the data controller and/or data processor of the identification of Mas s.r.l. as sub-manager;

h) Mas s.r.l.s. – art. 30 of the Regulation, for not having prepared and made available to the operators the Register of treatments;

i) Sesta Impresa s.r.l. – articles 28 and 29 of the Regulation, for having carried out processing on behalf of XX (Enel Energia services), XX (XX), XX (XX), XX (Enel Energia services), XX (Enel Energia services), Mas s.r.l. (Hera Comm services), XX (XX), XX (Enel Energia services), XX (XX), XX (Enel Energia services), without having been designated as data processor or sub-processor;

j) Sesta Impresa s.r.l. – articles 5, par. 1, lit. a), 6, 7, 28 and 29 of the Regulation, also in relation to art. 2-quaterdecies of the Code, for having failed to designate its commercial partners (including Mas s.r.l.) as managers or sub-managers of the treatment and its collaborators as subjects authorized to carry out processing operations, thus carrying out communications of customer data, by partners to Sesta Impresa, by Sesta Impresa to its collaborators and by these to Sesta Impresa and Arnia, due to the absence of the legal basis that justifies the treatment;

k) Sesta Impresa s.r.l. – articles 5, par. 1, lit. f) and 32 of the Regulation, for having acquired individual authentication credentials from the agent companies for access to the IT platforms of the energy companies, credentials not uniquely attributed to Sesta Impresa and subsequently made available to Arnia cooperative society, thus creating unauthorized accesses to the IT systems of energy companies;

l) Sesta Impresa s.r.l. – art. 28 of the Regulation, for having failed to communicate to the data controller and/or data processor the identification of Arnia cooperative society as sub-manager;

m) Arnia cooperative society – articles 5, par. 1, lit. a), 6, 7, 28 and 29 of the Regulation, as well as 130, paragraph 3, of the Code, for having carried out processing aimed at promoting products and services of energy companies without having received from them a suitable designation as data processor or sub-processor, thus carrying out communications of customer data, from Arnia to Sesta Impresa, from Sesta Impresa to Arnia and from Arnia to the energy companies, in the absence of a legal basis justifying the processing;

n) Arnia cooperative society – articles 5, par. 1, lit. a), 6, 7, 28 and 29 of the Regulation for having achieved, in the year 2018, 70,000 useful contacts of potential customers and 50,000 entries of contracts stipulated by the same, in the absence of suitable designation as manager or data processor, thus carrying out processing of customer data aimed at promoting the services of energy companies, in the absence of an appropriate legal basis that justifies the processing;

o) Arnia cooperative society – articles 5, par. 1, lit. a), 6, 7 and 13 of the Regulation for having communicated the data present in the contact lists of which it is the owner to Sesta Impresa s.r.l., Aries s.r.l., Idra s.r.l. and Argo s.r.l. without having provided the interested parties with the necessary information and acquired the required consent;

p) Arnia cooperative society – articles 5, par. 1, lit. f) and 32 of the Regulation, for having acquired from Sesta Impresa authentication credentials for access to the IT platforms of the energy companies not uniquely attributed to Arnia, thus making unauthorized accesses to the IT systems of the energy companies;

q) Arnia cooperative society – articles 5, par. 1, lit. a), 6 and 7 of the Regulation, for having received from Sesta Impresa data from Mas s.r.l., collected on Enel Energia forms, and for having processed such data and communicated the same to another subject, manager of the so-called “EVA Portal”, in the absence of an appropriate legal basis;

r) Arnia cooperative society – art. 157 of the Code and art. 31 of the Regulation, for failure to respond to a request for information and presentation of documents formulated by the Authority through the Guardia di Finanza, thus demonstrating, moreover, an insufficient degree of cooperation with the Supervisory Authority.

2. THE DEFENSE OF THE OWNER

Although act no. 64099/22 initiating the proceeding was duly notified to the parties, as already stated in the introduction, it must be noted that Mas s.r.l., Mas s.r.l.s. and Sesta Impresa s.r.l. did not send defense briefs, nor did they request a hearing before the Authority, and therefore did not avail themselves of any defensive prerogative.

As regards the Arnia cooperative, however, it did not intend to submit written briefs but requested to be heard, on the basis of the provisions of art. 166, paragraph 6, of the Code and by art. 13 of the Guarantor's regulation n. 1/2019.

The hearing took place on 18 January 2023 at the headquarters of the Authority and did not concern the numerous disputes relating to the processing carried out by the cooperative as part of the entrepreneurial initiative which also involved Mas s.r.l., Mas s.r.l.s. and Sesta Impresa, but only the residual aspect of the failure to reply to the requests for information formulated by the Guarantor, as disputed, to Arnia, in point r) of the deed initiating the procedure.

On this point, the representatives of the company specified that “the Cooperative had requested a 60-day extension for the delivery of the documentation requested during the inspection and on which a reservation had been made. The Guardia di Finanza, according to the party, did not respond to this request for an extension either in the affirmative or in the negative. The party also specified that the circumstance reported by the Guardia di Finanza of "various reminders" addressed to it for the production of documents is not true. In reality it would have been a single telephone reminder, to which the Cooperative responded immediately (July 22, 2022), representing the difficulties encountered and requesting the aforementioned extension".

The cooperative therefore reserved the right to produce what was originally requested by the Guardia di Finanza and on which, during the inspection, a reservation had already been formulated. Subsequently, on 25 January 2023, a package was delivered to the Authority's headquarters, sent by Arnia, containing only a storage device (USB pen-drive) without any transmission note or supporting or in some way explanatory documentation. Following an analysis by the technological structure of the Authority, it emerged that the device contains 10270 files, for a total of over 5 GB of data in pdf and/or jpg format, which are named with the name and surname of the interested parties, followed by the indication of a company (merely by way of example “Arnia”, “Miral”, “Sesta”). They appear to represent the reproduction of paper forms generically referable to "information on data processing" and "consent" signed by thousands of different interested parties.

In this regard, it should be noted that the forms reproduced in the USB support and attributable to the ownership of the Arnia cooperative, report, for each interested party, only the name and surname and, in some cases, the number of the identification document, in addition to the date of subscription, the signature and the specific indication of the consent given. The forms referring to the ownership of the four partner companies of Arnia bear the indication of the date of birth of the interested party. In many cases, several forms have been found for the same interested party, with consents given on different dates (for example, for a single interested party - A.G. - there are consent forms signed on 10 June 2019, 23 August 2019, 20 January 2020, September 9, 2020 and July 20, 2021). In some cases it has been observed that for some interested parties there are several consent forms signed for the same owner and on the same date. In some cases the signatures of the same interested parties on the various forms appear evidently different.

3. ASSESSMENTS OF THE AUTHORITY

First of all, it is necessary to underline that the disinterest of Mas s.r.l., Mas s.r.l.s. and Sesta Impresa s.r.l. in today's proceeding, attested by the choice not to submit defense briefs or to request a hearing before the Guarantor, in itself confirms that the three companies attribute an insignificant value to compliance with the legislation on the protection of personal data within the scope of their own entrepreneurial strategies. Given the lack of attention to, and the inconsistent adoption of, the provisions of the Regulation and the Code, these strategies would appear aimed exclusively at maximizing profits through the illicit processing of personal data, which may also result in a failure to comply with the main rules of fair competition towards competitors in the energy services market and in a substantial circumvention, through illegal practices, of the rules aimed at protecting the rights of natural persons. This practice is indicative of an attitude and a modus operandi that favor the spread of the phenomenon of wild telemarketing, which involves a large part of the Italian population on a daily basis.

The same considerations must also be made for the cooperative company Arnia which, despite having requested a hearing before the Authority, nevertheless chose to articulate its defense without providing any explanation of the numerous and serious violations contested, focusing on an aspect that is important but still marginal to the complex of behaviors detected, namely that relating to the failure to respond to requests for information formulated by the Authority.

In the presence of such a blatant attitude, which at no time has shown a real desire for constructive dialogue with the Authority in order to remedy the critical issues identified and to reformulate the processing of personal data with a view to respecting the rules and people, an assessment of the extreme seriousness of the conduct carried out by the four subjects referred to in today's proceeding must be formulated. There also follows a prognostic judgment of significant danger in relation to future processing of personal data, from which derives the need to adopt, in addition to appropriately effective and dissuasive administrative pecuniary sanctions, also injunctive measures capable of preventing at the root the repetition of conduct of the same kind.

Therefore, what was observed in the dispute is confirmed, namely that Mas s.r.l., Mas s.r.l.s. and Sesta Impresa s.r.l. acted, under the direction of the Arnia cooperative society, in disregard of the provisions that make it possible to stem the phenomenon of wild telemarketing and to bring out the so-called "undergrowth" which operates on the margins of the official sales networks of the energy companies, given that the relationships between the various companies are indeterminate, opaque and without unequivocally correct references to the methods for distributing the responsibilities for the processing that the Regulation imposes pursuant to articles 28 and 29.

In practice, it emerged that all the companies subjected to the audit operated by carrying out massive promotional activities and the sale of energy services, both by telephone and door-to-door, without the activities being represented in detail and verified by the energy companies and their respective official sales networks. In fact, the four companies did not act as data processors or sub-processors on behalf of the energy companies and, nevertheless, they managed, by exploiting obvious weaknesses in the system and deficiencies in the controls, to introduce the numerous contractual proposals made to customers to sign (with promotional contacts, it is reiterated, made in violation of the rules on the protection of personal data) in the information assets of the same energy companies, collecting the relative commissions.

We are therefore dealing more with intermediate links in the (long) telemarketing chain in the energy sector, whose activity demonstrates that the measures put in place by the big companies to control only the official sales network, all the more so if they are merely contractual and civil in nature, are not always sufficient or able to intercept a varied and elusive phenomenon such as the one that the activity of the Guardia di Finanza and that of the Guarantor have tried to reconstruct in the present investigation.

One circumstance stands out among all, ascertained during the inspections: Mas s.r.l., after making promotional contacts using personal data lists illegally acquired by Mas s.r.l.s. (which in turn had illegally acquired them via Facebook from an Italian sole proprietorship and a Spanish company), transferred a large number of contracts for the activation of energy services with Enel Energia to Sesta Impresa s.r.l., which in turn "passed on" these contracts to the Arnia cooperative. Although the latter does not have any type of contractual relationship relating to the processing of personal data with Enel Energia, it handled the loading of the contracts by accessing the company's systems with credentials attributed to other parties.

All this occurred in the total unawareness of the interested parties/customers who have never been aware of the fact that their personal data have passed from hand to hand between subjects who did not offer any guarantee of the correctness of the operations carried out and of the security of the data processed, going therefore to further feed the supply sources of illegal telemarketing and generating a vicious circuit of nuisance telephone calls and illicit contacts, completely detached from the intention of offering the customer economically advantageous services and linked only to the need to increase the number of calls, the contracts signed and the profits made by the companies.

The context of overall serious illegality of the joint and organically planned entrepreneurial initiative of the four companies is attested, beyond any consideration of a legal nature, by the statements made to the Guardia di Finanza by the so-called "business brokers" of Mas s.r.l. and Mas s.r.l.s., which paint a disturbing picture: “I signed a letter of assignment for direct home sales with the company Mas s.r.l. and they handed me two cards, one on behalf of the company Hera Comm and the other of Enel Energia and both were made out to MAS. At the beginning of my career I hadn't noticed the difference between Mas s.r.l., for Hera Comm, and Mas s.r.l.s. for Enel because I have always believed that the two supplier companies used only Mas s.r.l.”; “I remember that the lists were drawn up in pen and included name, surname, address and telephone number and the time in which to meet the probable buyer. Furthermore, we also had to fix appointments for the following day with subjects who were identified from a further list called "customer package", [...] printed on the computer showing thousands of names associated with the addresses of the subjects, the mobile phone number and the supplier of the period”; “[The owners of Mas s.r.l. and Mas s.r.l.s.] pushed us agents to get Hera Comm to sign contracts for the supply of energy and gas as much as possible. We had to propose contracts on behalf of Enel only if the customer we met was already the holder of a Hera Comm contract”; “The eight appointments had to be made because [the owner of Mas s.r.l.s.] checked if we didn't go. In the event that the customer was not found at the agreed venue, we had to call him and if not, take a photo of the bell to be sent together with the GPS position [...]. In the event of our negligence, a fine of the order of a few hundred euros was envisaged. The [owner of Mas s.r.l.s.] himself also called the customer with whom the appointment had failed, to verify what was communicated by the agent. Therefore we were forced even up to a late hour to look for and meet all eight expected customers”; "the list of names that was delivered to me every day was a list of about fifty subjects per single sheet and for each subject to be contacted, name and surname, tax code, supply address, POD or PDR code, supplier of the service active at the moment, the date of activation and the mobile phone number. One of the electricity and gas suppliers most indicated in the aforementioned list was Enel Energia. I was forbidden to take a copy of these lists outside the offices”; “When we contacted a customer, Mas's name was not communicated and we tried not to allow the customer to investigate the question of how we were in possession of his data. Once we got to the appointment we had to immediately look at the last activation date of the supply contract and the conditions applied, we had to detect the average cost on the bill and offer an advantageous price specifying that it would be blocked for thirty months but this was absolutely not true, as the price was never blocked and varied every month. I am sure of this as several customers to whom I have stipulated Hera contracts have contacted me complaining of fluctuating and ever higher prices. As per teachings and indications received from [the owner of Mas s.r.l.], I proceeded to insist on signing the contract even using high tones if a customer objected. I would like to point out that once I went with [the owner of Mas s.r.l.] to a customer and she demonstrated how to proceed with impetuosity and determination to convince him to sign a Hera contract"; "all the agents had to order [the owner of Mas s.r.l.] to identify from the list of names those who had recently switched to Hera Comm, we had to contact them to offer the switch to Enel even a month after receiving the first Hera Comm bill. Once the transfer to Enel had taken place, it was necessary to proceed again within a very short time with the proposal to return to Hera Comm. [The owner of Mas s.r.l.] demanded all these changes of manager in order not to lose customers and to increase the number of commissions".

These testimonies are the most evident proof of the illicit induced activities that abusive telemarketing is capable of generating, making all the regulatory measures in the sector substantially ineffective, if identified only from a formalist and contractual point of view, and it must be considered that what has been ascertained in the case in question may assume the connotations of a system in relation to which the Guarantor reserves the right to take the initiatives within its competence, including a communication to the Guarantor Authority for competition and the market, also in the light of some recent resolutions of the latter on similar matters (ex multis Decision of 2 November 2022, published in Bulletin 42/22 of 21 November 2022 - https://agcm.it/dotcmsdoc/bollettini/2022/42-22.pdf).

As regards the specific objections raised against each of the addressees of this provision, these appear to be confirmed by the results of the inspections which, from time to time, have created an exhaustive framework of evidence and which in no case have been questioned by the companies themselves.

In particular, it emerged that Mas s.r.l. has carried out processing activities aimed at creating promotional telephone contacts, using lists of personal data acquired in the absence of specific consent and without prior information having been provided, lists which also appear to originate from foreign companies and in any case appear to lack indications regarding the methods of data collection and acquisition of consent for commercial and promotional purposes. The company also proceeded to get customers to sign contract proposals on Enel Energia forms, without having received from the company or from any agent agencies the designation as data processor or sub-processor. It then transmitted the data contained in the contract proposals to Sesta Impresa s.r.l., without the latter having been designated, by Enel Energia or by others, as data processor: the collection and transfer of data therefore appear to have been carried out by Mas s.r.l. as independent data controller, in the absence of an appropriate legal basis, given that art. 6, par. 1, lit. b) of the Regulation allows the processing necessary for the execution of the contract only to the parties to the contract itself and to the subjects duly designated as processors. Finally, due to the sharing with Mas s.r.l.s. of the same operating environments as well as the same personnel, who worked indifferently for both companies, the two companies have carried out constant sharing of personal data without having provided for reciprocal acts of designation suitable for distributing and dividing the responsibilities for the different processing operations. The company has not prepared the register of processing activities or made it available to operators.

Similarly, Mas s.r.l.s. appears to have purchased lists of personal data from several suppliers, including foreign ones, without having verified the correct collection of the personal data contained therein and the acquisition from the interested parties of the necessary consent to the transfer of their data to third parties. It has also transferred such data to Mas s.r.l., without having previously provided the necessary information to the interested parties and acquired from them the prescribed consent to the communication of the data. The company, due to a commercial relationship with Sesta Impresa s.r.l., has carried out processing for the acquisition of customers for Enel Energia without having received, from the latter or from Sesta Impresa, formal designation as data processor or sub-processor. It then transmitted, like Mas s.r.l., the data contained in the contract proposals to Sesta Impresa s.r.l., without the latter having been designated, by Enel Energia or by others, as data processor: also in this case the transfer of data appears to have been carried out as an independent data controller, in the absence of a specific legal basis on the point.

As regards Sesta Impresa s.r.l., the Company has been found to carry out promotional activities for products and services of numerous energy companies, on behalf of some agent agencies with which it has signed business procurement or work performance contracts. In this regard, it appears that the contracts with XX (Enel Energia services), XX (XX), XX (XX), XX (Enel Energia services), XX (Enel Energia services), Mas s.r.l. (Hera Comm services), XX (XX), XX (Enel Energia services), XX (XX), XX (Enel Energia services), do not bear the designation of Sesta Impresa as data controller; the contract with Diler Power Italia s.r.l. (Eon services) bears the designation of Sesta Impresa as sub-processor, with an express prohibition on designating further sub-processors. It therefore emerged per tabulas that Sesta Impresa carried out personal data processing aimed at the commercial promotion of the services of the energy companies mentioned above in the absence of designations and distributions of responsibilities suitable for placing that processing within the framework of legitimacy that only the direct relationship with the contracting company could have supplied.

Similarly, the numerous collaborators, both natural and legal persons, which Sesta Impresa has made use of, do not appear to have been included in a context consistent with the provisions of articles 28 and 29 of the Regulation and 2-quaterdecies of the Code.

As far as the relationship with Arnia cooperative society is concerned, the latter appears to have been designated by Sesta Impresa as data processor, a designation which however appears to be completely ineffective in restoring legitimacy to the processing carried out, as it was adopted by Sesta Impresa as independent data controller: this legal status appears inconsistent with the nature and purpose of the processing, aimed at promoting the services of energy companies which, as original clients, should have identified the overall chain of the sales network, adopted the relative designation deeds and been made aware of the presence of any subjects who operated as sub-processors, in order to include them too in the division of responsibilities.

The failure to correctly designate the subjects of the treatment, in addition to configuring the specific violations envisaged by the Regulation, determines the illegality of the communications of customer data, from Sesta Impresa to its collaborators and from these to Sesta Impresa and Arnia, due to the absence of the legal basis that justifies the processing, given that, as also observed in relation to the position of Mas s.r.l. and Mas s.r.l.s., the Regulation allows the processing necessary for the execution of a contract only between the parties to the contract itself and between the subjects included in the supply chain recognized by the owner.

Sesta Impresa also received from the company Mas s.r.l., during at least the years 2020 and 2021, constant flows of personal data of customers who had signed contracts on Enel Energia forms precisely through Mas s.r.l. These data were subsequently transmitted to Arnia cooperative society for data entry operations, thus carrying out data communications in the absence of an appropriate legal basis. Finally, Sesta Impresa would have obtained from the agent agencies the availability of authentication credentials to access the IT platforms of the energy companies, credentials that it could not in any case have used itself since they were individually registered to another entity. On the other hand, these credentials were communicated by Sesta Impresa to Arnia so that the latter could carry out, on behalf of Sesta Impresa itself and the other client agencies, the data entry operations of the contracts signed by the clients, in violation of the provisions of the Regulation on the security of processing.

Finally, with reference to Arnia cooperative society, the company was found to be the nerve center of the marketing activities carried out in the illegitimate and illegal manner described above. In fact, it was evident, already from the declarations of the owner of Sesta Impresa, that he completely relied on the organization of the cooperative company for the realization of the telephone contacts preparatory to the setting of appointments with potential customers, for the keeping of the databases containing lists of which Arnia was found to be the exclusive owner and for the data entry operations of the contracts stipulated by the procurers on behalf of the energy companies.

The relationship between Arnia cooperative society and Sesta Impresa, as well as that with Idra s.r.l., Argo s.r.l. and Aries s.r.l., is regulated by a service contract and by the designation of Arnia as data processor for the processing carried out by the four companies as controllers. However, this approach does not appear to correspond to the reality of the facts, since the promotional activities carried out by Sesta Impresa are carried out in the capacity of "de facto" sub-processor and in any case are unequivocally attributable to the ownership of the energy companies, the original clients. From this it follows that the designation of Arnia by Sesta Impresa is not suitable for bringing the processing operations that Arnia carried out with energy company customer data back into a framework of legitimacy, a legitimacy which, moreover, is originally extraneous also to the processing of Sesta Impresa. The only processing operations that Arnia carries out under the ownership of Sesta Impresa and the other three companies are those aimed at telephone contact with potential customers and scheduling appointments in the agenda of the latter's collaborators. However, to make promotional calls, Arnia uses the databases containing the contact lists it owns, which it therefore makes unduly available to Sesta Impresa and the other three companies in the context of the activities for which they are independent controllers, thus carrying out a communication of data not foreseen by the information provided to the interested parties and not supported by any legal basis, in particular that of consent. Similarly, Arnia, during the inspection, declared that it in turn obtained consent to the processing of data for marketing purposes which ends up feeding an already illegal database.

In addition to this, due consideration should be given to the fact that the designation of Arnia as data processor of the 4 companies was carried out in January 2019 while the service contracts were stipulated between the years 2017 and 2018 and that, in this regard, documentation was acquired regarding the execution of about 70,000 useful promotional contacts on behalf of the 4 companies and the insertion of about 50,000 contracts in the platforms of the energy companies. Arnia performs data entry operations of the contracts stipulated on the forms of the energy companies, accessing the IT platforms of the latter without being entitled to do so and using authentication credentials in the name of other subjects (the agent agencies that unduly communicate them to Sesta Impresa and to the other companies). Furthermore, with reference to the contractual proposals entered into by Mas s.r.l. on Enel Energia forms, Arnia would have received this documentation in the absence of an appropriate legal basis that legitimizes the processing of the related data and would have accessed Enel Energia's systems through the company's portal, loading all the contracts and determining the full realization of the unlawful conduct initiated by the other partner companies.

Finally, Arnia failed to respond to requests for information relating to the two databases that the Authority, through the Guardia di Finanza, addressed to it both during the inspection, during the operations, and subsequently. The latter circumstance occurred despite the fact that it had been granted a deadline of 15 days for replies. In this regard, it should be noted that the Company, after being repeatedly requested, requested, on 22 July 2022, a further extension of the response terms of two months. Although this extension was not granted, Arnia did not send any response, not even after two months, thus carrying out a conduct in violation of the provisions of art. 157 of the Code and demonstrating a marked non-cooperative attitude towards the Authority and the Guardia di Finanza, which significantly slowed down the preliminary investigation process.

Moreover, even in the phase of exercising the right of defence, Arnia proceeded to send the Guarantor not only the information and documentation requested, or rather "the data relating to the overall numerical consistency of the personal data present in the master database and the data relating to the number of archived consents divided according to the data controller (Agents or Arnia)" but a disorganized collection of scanned documents, containing the information and consent models prepared by Arnia and by the other 4 partner companies (Aries, Argo, Sesta Impresa and Idra), which cannot constitute a complete response to the requests of the Guarantor.

On the contrary, it must be observed that, on the one hand, the scanned forms present critical elements with reference to the identification of the subjects who have given the consent (in many cases the forms only show the name and surname of the data subject) and, on the other, that the response provided by Arnia, despite the long time elapsed since the deadline granted by the Guardia di Finanza for the production of documents, was limited to 10,270 scanned documents, i.e. a lower number of documents than those that the cooperative had declared to have finished processing since July 2022 (as emerges from the July 22 email referred to in point 1.5).

Therefore, in confirming the disputes referred to in the initiation of the proceeding, it must be considered that the radical illegality of the processing operations as described above makes it necessary to adopt a prohibition measure against Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l. and Arnia cooperative society, of any further processing aimed at the creation of promotional contacts, of any further processing involving the use of personal data lists acquired from Mas s.r.l.s. and Mas s.r.l. and of the databases owned by Arnia cooperative society as well as any further processing aimed at carrying out data-entry activities of contracts for the activation of energy services, given the unsuitability of any provision of a prescriptive nature to remedy the very serious illegalities committed.

Finally, it is deemed necessary to adopt the accessory sanction of confiscation of computer and paper supports containing the lists of personal data illegally acquired by Mas s.r.l.s. via Facebook, by an Italian sole proprietorship and by a Spanish company, as well as lists of personal data and paper forms that make up the databases available to the Arnia cooperative company.

This measure becomes necessary and is applicable to the present case for two reasons.

Firstly, due to the peculiar entrepreneurial initiative launched by the four companies, implemented from the beginning in total disregard of the legislation on personal data (think in particular of the complete sharing of data between the two companies called Mas or the databases that Arnia managed autonomously even if originating from data collections carried out by partner companies and which Arnia then fed with the illegal acquisition of consents falling under its ownership but acquired by the business brokers of the partners, also for communication to third parties), as well as the already represented prognostic judgment of significant danger in relation to future processing of personal data, it is considered necessary to subtract from the availability of these companies a substantial amount of information (it is reiterated, acquired and held illegally), also in order to prevent in any case illegal reuse also by other third parties.

Secondly, the confiscation appears functional to adequately protect the large number of interested parties, despite their having stumbled upon the complex of illegal activities described up to now. The measure of confiscation therefore assumes the meaning of restoring, at least ideally and figuratively, to the interested parties, the sense of adequate protection of their personal data through a public authority, given the fact that the object of the confiscation – in particular the Arnia databases – represents both the instrument and the product of the set of violations referred to up to now.

For these reasons, it must also be ordered, pursuant to the combined provisions of Articles 58, par. 6, of the Regulation, 166, paragraph 7, of the Code and 20, paragraph 3, of the law no. 689/1981, the confiscation of IT and paper supports containing the lists of personal data illegally acquired by Mas s.r.l.s. via Facebook, by an Italian sole proprietorship and by a Spanish company, as well as lists of personal data and paper forms that make up the databases available to the Arnia cooperative company.

4. CONCLUSIONS

For the above reasons, the responsibility of Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l. and Arnia Società Cooperativa with regard to all the disputed violations is considered established.

Having also ascertained the unlawfulness of the conduct of the four companies mentioned above with reference to the treatments examined, it is necessary:

- to impose on them, pursuant to art. 58, par. 2, lit. f) of the Regulation, the prohibition of any further processing aimed at creating promotional contacts, of any further processing that provides for the use of the lists of personal data acquired from Mas s.r.l.s. and Mas s.r.l. and of the databases owned by Arnia cooperative society, as well as any further processing aimed at carrying out data-entry activities of contracts for the activation of energy services;

- to adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against the four companies of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation.

5. ORDER-INJUNCTION FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l. and Arnia cooperative society of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5 of the Regulations (payment of a sum up to €20,000,000.00);

In order to determine the amount of the fine, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation;

In the present case, the following are relevant:

1) the exceptional seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation), taking into account the object, the purposes of the data processed, attributable to the overall phenomenon of telemarketing, the methods of treatment, in clear disregard of the regulations on the protection of personal data, of the significant number of subjects involved, deducible from the volume of promotional activities as reported in the justification and of the considerable duration of the treatments, at least from the entry into force of the Regulation;

2) as an aggravating factor, the intentional nature of the conduct (Article 83, paragraph 2, letter b) of the Regulation) put in place in order to circumvent the legislation on the protection of personal data and other regulatory disciplines in the sector;

3) as a further aggravating factor, the very low degree of cooperation with the supervisory authority in order to remedy the violation and mitigate its possible negative effects (Article 83, paragraph 2, letter f) of the Regulation) since, apart from the "necessary" interlocution during the inspection, the four companies have not undertaken any initiative to facilitate the preliminary investigation process and to mitigate the consequences of the violations;

4) as an element of evaluation to parameterize the sanction (Article 83, paragraph 2, letter k) of the Regulation), the economic capacity of the offenders as inferred from the information present in the financial statements for the year 2021.

Based on the set of elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1 of the Regulation, as well as the role played and the specific contribution of each company to the infringement project (according to which Arnia cooperative society appears to be the figure of connection and junction of the main illegal activities, Mas s.r.l. the company that has had functions of coordination of the Veronese companies and transmission of the huge amount of contracts acquired in violation of privacy regulations, Sesta Impresa s.r.l. the executor of the undue promotional activities planned by Arnia and Mas s.r.l.s. the company that illegally acquired contact lists also from foreign companies) it is believed that the following should apply:

- to Mas s.r.l.s. the administrative sanction of the payment of a sum of 200,000 euros;

- to Mas s.r.l. the administrative sanction of the payment of a sum of 500,000 euros;

- to Sesta Impresa s.r.l. the administrative sanction of the payment of a sum of 300,000 euros;

- to Arnia cooperative society the administrative sanction of the payment of a sum of 800,000 euros.

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the nature of the treatments and the conduct of the Companies, as well as the elements of risk for the rights and freedoms of the interested parties.

Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of this provision in the Authority's internal register.

ALL OF THE ABOVE CONSIDERED, THE GUARANTOR

a) imposes on Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l. and Arnia cooperative society, pursuant to art. 58, par. 2, lit. f) of the Regulation, the prohibition of any further processing aimed at creating promotional contacts, of any further processing that provides for the use of the lists of personal data acquired from Mas s.r.l.s. and Mas s.r.l. and of the databases owned by Arnia cooperative society, as well as any further processing aimed at carrying out data-entry activities of contracts for the activation of energy services;

b) enjoins the aforementioned companies, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the imposed measure; any failure to comply with the provisions of this point may result in the application of the administrative fine provided for by art. 83, paragraph 5, of the Regulation;

c) orders, pursuant to articles 58, par. 6, of the Regulation and 154, paragraph 4, of the Code, the transmission of this provision to the Authority for competition and the market, for the initiatives within its competence.

ORDERS

1) to Mas s.r.l., with registered office in Verona, Corso Milano 64, Tax Code 04600740239, to pay the sum of Euro 500,000.00 (five hundred thousand/00) as an administrative fine for the violations indicated in the justification;

2) to Mas s.r.l.s., with registered office in Verona, Corso Milano 64, Tax Code 04464070236, to pay the sum of Euro 200,000.00 (two hundred thousand/00) as an administrative fine for the violations indicated in the justification;

3) to Sesta Impresa s.r.l., with registered office in Florence, viale Belfiore 34, Tax Code 02108430501, to pay the sum of 300,000.00 (three hundred thousand/00) euros as a pecuniary administrative sanction for the violations indicated in the justification;

4) to Arnia Società Cooperativa, with registered office in Florence, viale Belfiore 34, Tax Code 06488750487, to pay the sum of 800,000.00 (eight hundred thousand/00) euros as an administrative fine for the violations indicated in the justification.

It is represented that offenders, pursuant to art. 166, paragraph 8, of the Code have the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed.

ENJOINS

the aforementioned companies, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay in full the sums respectively indicated (500,000 euros for Mas s.r.l.; 200,000 euros for Mas s.r.l.s.; 300,000 euros for Sesta Impresa s.r.l.; 800,000 euros for Arnia cooperative society), according to the procedures indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.

ORDERS

- the application of the ancillary sanction, pursuant to the combined provisions of articles 58, par. 6, of the Regulation, 166, paragraph 7, of the Code and 20, paragraph 3, of the law no. 689/1981, of the confiscation of IT and paper supports containing the lists of personal data illegally acquired by Mas s.r.l.s. through Facebook, by an Italian sole proprietorship and by a Spanish company, as well as lists of personal data and paper forms that make up the databases available to the cooperative company Arnia;

- the application of the ancillary sanction of publication of this provision on the website of the Guarantor, provided for by articles 166, paragraph 7 of the Code and 16 of the Regulation of the Guarantor n. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, par. 1, lit. u), of the Regulation, as well as by art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with art. 58, par. 2, of the Regulation itself.

Pursuant to articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its registered office, within the term of thirty days from the date of communication of the provision itself.

Rome, 13 April 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei



SEE ALSO Press release of 6 June 2023



[doc. web no. 9893718]

Provision of April 13, 2023

Register of measures
no. 184 of 13 April 2023

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and cons. Fabio Mattei, general secretary;

HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, as well as on the free circulation of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD TO the Code regarding the protection of personal data (legislative decree 30 June 2003, n. 196), as amended by legislative decree 10 August 2018, n. 101, containing provisions for the adaptation of the national legal system to the aforementioned Regulation (hereinafter the "Code");

HAVING REGARD to the documentation in the deeds;

HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000, adopted with resolution of 28 June 2000;

RAPPORTEUR Prof. Ginevra Cerrina Feroni;

1. THE INVESTIGATION ACTIVITY CARRIED OUT

1.1. Premise

With deed of 15 November 2022, n. 64099/22 (notified on the same date by certified e-mail), which here must be understood as reproduced in full, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the provisions pursuant to art. 58, par. 2 of the Regulation against: 1) Mas s.r.l., with registered office in Verona, Corso Milano 64, Tax Code 04600740239; 2) Mas s.r.l.s., with registered office in Verona, corso Milano 64, C.F. 04464070236; 3) Sesta Impresa s.r.l., with registered office in Florence, viale Belfiore 34, Tax Code 02108430501; 4) Arnia Società Cooperativa, with registered office in Florence, viale Belfiore 34, Tax Code 06488750487.

The proceeding originates from a report that the Special Unit for the Protection of Privacy and Technological Frauds of the Guardia di Finanza received from the Soave Company of the same Corps, a report then forwarded to the Authority. It stated that the Compagnia di Soave had started inspections against two Veronese companies, Mas s.r.l. and Mas s.r.l.s. which, as it is easy to deduce from the company name, operate within the same entrepreneurial initiative.

On 19 February 2021, the Guardia di Finanza noted, in the course of its ordinary institutional activities during the pandemic period, that two people were wandering around the municipal area of Soave despite the health restrictions adopted at the time: the two people claimed to be procurers of business on behalf of the aforementioned companies, where the Compagnia di Soave therefore carried out its investigations.

1.2. Inspection checks at Mas s.r.l. and Mas s.r.l.s

The inspection activities carried out by the Guardia di Finanza returned significant results in relation to the legislation on the protection of personal data, as well as further findings subject to separate discussion. For the aspects within the competence of this Authority, it emerged that Mas s.r.l. and Mas s.r.l.s. carried out activities aimed at promoting the services of companies in the electricity and gas sector, sharing offices and employees with each other. The promotional activities, as emerges from the service reports in the file, had also involved the commander of the Compagnia di Soave, recipient of unwanted phone calls from Mas s.r.l.

The inspections returned a picture of substantial non-compliance in the processing of personal data carried out by the two companies which made promotional calls aimed at selling the services of the energy companies Enel Energia and Hera Comm. The calls were made using lists of potential customers which appeared to have been purchased by the owner of Mas s.r.l.s., in one case through an unidentified seller present on Facebook, in other cases by an individual Italian company and by the Spanish company Telecontact List s.l., a company already subject to further reports.

The contact lists were used both for the contact activities of Mas s.r.l. and for those of Mas s.r.l.s., without the two companies having carried out checks on the correct acquisition of consent for the communication of data from one controller to another and for carrying out processing for promotional purposes.

Although Mas s.r.l. was linked to Hera Comm by an agency contract for the creation of advertising campaigns, the same s.r.l. also contacted potential customers to promote Enel Energia's services and, during the meetings aimed at finalizing the membership proposals, the business brokers showed Enel Energia's contractual forms and identification cards, apparently counterfeit, relating to the same company.

As for the concrete methods of carrying out the promotional activities, some procurers or employees of the two companies were questioned by the Guardia di Finanza. From their declarations it emerged that the customer acquisition activities on behalf of Hera Comm and Enel Energia envisaged, for each business agent, the daily telephone contact of about fifty potential customers, which necessarily resulted in eight appointments for the following days, appointments aimed at conclusion of contracts with Hera Comm. Only in the event that the potential customer had an existing contract with Hera Comm, should a change of manager towards Enel Energia be proposed to him. Subsequently, the customer was contacted again to change manager again (from Hera Comm to Enel Energia and vice versa). This circumstance was also confirmed by the statements of some customers, obtained with summary information in the context of the Compagnia di Soave's investigations.

As for the undue contact of the commander of the Compagnia di Soave, an employee of Mas s.r.l., the author of the promotional call, declared that the name had been provided by the owner of the company, who had then recommended to his employee to represent to the Finance Police that it was instead a contact suggested by another customer.

The numerous contracts made by Mas s.r.l. for Enel Energia appeared to have been sent, for the activation of the services, to the Florentine company Sesta Impresa s.r.l.

1.3. Inspections at Sesta Impresa s.r.l.

Based on the information acquired by the Guardia di Finanza, this Authority ordered the carrying out of an inspection at the headquarters of the company Sesta Impresa s.r.l. aimed at verifying the transit of Enel Energia contracts from Mas s.r.l. and, more generally, the methods of data processing in the context of promotional activities on behalf of companies in the energy sector.

The assessment was carried out by the Special Unit for the protection of privacy and technological fraud of the Guardia di Finanza on 10 February 2022 and returned numerous critical elements with reference to the correct fulfilments regarding the protection of personal data, since it made it possible to detect that Sesta Impresa operated as a sub-agent of various energy companies, including Enel Energia, by virtue of contracts (for the performance of work or business procurement) stipulated with various agencies, in turn contractually linked with the energy companies. The aforementioned contracts, acquired in the course of the operations, did not bear any reference to the designation of Sesta Impresa as data processor for the processing carried out on behalf of the energy companies, nor on behalf of the two agencies from which the entire investigation originates.

Specifically, the contracts with XX (promotion of Enel Energia services), XX (XX), XX (XX), XX (Enel Energia services), XX (Enel Energia services), Mas s.r.l. (Hera Comm services), XX (XX), XX (Enel Energia services), XX (XX), XX (Enel Energia services).

Particular importance must be attributed to the fact that the legal representative and Chairman of the board of directors of Sesta Impresa declared that he had never dealt with issues related to data protection, since, according to him, the Company did not provide lists of subjects to contact nor did it deal with the forwarding of the contractual proposals, which were sent directly to a different subject, the Arnia cooperative company, which provided, at an office located in Montecatini, "back-office" services, i.e. the set of operations subsequent to the signing of the contractual proposals by the customers.

The owner of Sesta Impresa declared that he was not aware of the ways in which promotional contacts were made on behalf of the energy companies nor the technical steps for uploading the contractual proposals and the customers' personal data on the companies' platforms, since the activity promotion was entirely entrusted to the brokers who, once the contractual forms were signed by the customers, sent them to the Arnia cooperative which was responsible for entering the data into the management platforms of the energy companies.

Finally, the owner of Sesta Impresa represented that he was not aware of the operating procedures to ensure that the interested parties exercise the rights referred to in articles 15-22 of the Regulation.

In essence, the investigations revealed that Sesta Impresa had the task, on the one hand, of entering into sub-agency contracts with partners in the official sales network of energy companies and, on the other, of "recruiting" business brokers (natural persons and small companies - overall about 16-17 people) who were then distributed throughout the territory, on the basis of telephone contacts previously made by the Arnia cooperative company, to get potential customers to sign the contractual proposals with the energy companies themselves. These business brokers were not identified as processors, sub-processors or persons authorized to process personal data on behalf of the energy companies, agencies and Sesta Impresa.

After the date on which the investigations were carried out, Sesta Impresa sent a copy of the service contract entered into between the same Sesta Impresa and the Arnia cooperative company to the Finance Police Unit. In this contract, Arnia is expected to carry out, on behalf of Sesta Impresa, the activity of "advertising products and new offers as well as possibly scheduling appointments for its commercial agents, more briefly defined as a "call center" activity (useful contacts - appointments taken)" and "loading-processing of contracts, an activity more briefly defined as "data entry"".

1.4. Inspection checks at the cooperative company Arnia

The results of the inspection assessment against Sesta Impresa s.r.l. imposed further activity also against the Arnia cooperative society which appeared to be the real organizational engine of the entire entrepreneurial initiative.

The investigation at the Arnia cooperative company was carried out by the Special Unit for the protection of privacy and technological fraud of the Guardia di Finanza on 22 and 23 June 2022, with the participation of Authority personnel, and it emerged that the cooperative provided the services indicated by Sesta Impresa (call center, for making promotional telephone calls and data entry of contracts relating to the supply of electricity and gas) not only for the latter company but also for three other companies, Idra s.r.l., Argo s.r.l. and Miral Synergy s.r.l., later transformed into Aries s.r.l. Relations between Arnia and the four companies were governed by contracts signed between 15 October 2017 and 2 January 2018; however, the four companies designated Arnia as data processor only on 21 January 2019: this designation relates only to the treatments for which the four companies take on the legal role of data controller.

With reference to the call-center and data entry activity, it emerged that Arnia, at the time of the investigation, had 22 collaborators (worker-members and external collaborators), 13 of whom were assigned to the call center: this personnel carried out, based on the statistics presented by the cooperative, 76,618 so-called "useful phone calls" (understood as those in which the customer shows an interest in continuing the conversation without interrupting the call) in 2018, 114,142 in 2019, 99,603 in 2020, 107,699 in 2021 and 45,804 in the six months of 2022.

The remaining personnel carried out data entry activities, understood as processing operations for each contract for registration on the IT platforms of energy companies, entering 50,364 contracts in 2018, 64,470 in 2019, 60,035 in 2020, 62,220 in 2021 and 26,401 in the first half of 2022.

As regards the concrete methods of carrying out the call center activities, they can be summarized as follows:

phase 1 – preliminary operations. The Arnia call center operators assign each business agent of the 4 companies (Sesta Impresa, Argo, Idra and Aries, agents or sub-agents of energy companies) the geographical area in which they can operate and enter it in Arnia's telephone dispatching system, and the system returns the names of potential customers to contact based on their delivery address;

phase 2 – contact. The call center operators carry out the promotional calls on behalf of the four companies, promoting the services of the energy companies. The calls are made by Arnia using two databases of which it has declared to be the owner. One is made up of the names of customers who, in the context of signing a contractual proposal, have given their consent to the processing of their personal data for promotional purposes. The other database consists of the names of individuals contacted by telephone by Arnia to set an appointment, who, during the same appointment, are asked to sign a form directly referable to the promotional activities of the same Arnia;

phase 3 – promotion. In the promotional contact, the operator presents himself as belonging to the Arnia cooperative in Montecatini, illustrating the purpose of the call, i.e. to provide customers on the free market with new opportunities for cheaper energy contracts than those in place. In the event that the customer requests to know the origin of their personal data held by Arnia, the operator replies that such data is available to the Company since "the person contacted is a customer of the free energy market". During the call, the energy companies with which it is possible to sign a new contract are indicated. Once availability for an appointment at the customer's home has been obtained, the operator enters the appointment in the seller's diary and, once around 5/6 appointments have been set, the diary can be considered completed for the reference day.

As far as data entry operations are concerned, these are carried out by the remaining 9 Arnia collaborators and concern the uploading of the information present in the contracts signed by customers following visits by business brokers from the four companies.

Also in this case the activities involve several phases:

phase 1 – division of labor. The workload of the contracts stipulated by the various agents of the 4 partner companies, which they undertake to deliver to the Montecatini headquarters, is divided among the various employees who have the right to access the portals of the energy companies;

phase 2 – access to the computer networks of the energy companies. The connection to the portals of the energy companies takes place by entering the authentication credentials that the companies have provided to the agent companies. The credential for accessing each portal is unique for each company and allows simultaneous access to multiple workstations, even outside the corporate network;

phase 3 – uploading contractual information. After accessing the network of the companies, the operators enter the information necessary to allow the subsequent activation of the service. If, during insertion, anomalies emerge, the operator can contact a dedicated toll-free number that each company makes available for technical assistance. In the case of contacts with the toll-free number, the operator qualifies as an Arnia collaborator on behalf of one of the 4 partner companies.

During the inspection activity, elements also emerged relating to the activities carried out by the cooperative with reference to the promotions and sale of Enel Energia services, which took place through the companies Mas s.r.l. and Sesta Impresa. Both the owner of the cooperative and the coordinator of the data-entry activities confirmed that they had entered the contracts from Mas s.r.l., which then became available to Sesta Impresa, by accessing the Enel Energia system, of which they also provided the exact name.

1.5. Investigative follow-up

Upon conclusion of the inspections, Arnia reserved the right to send the Guardia di Finanza, within 15 days, the data relating to the overall numerical consistency (with specification of the number of consents attributable to the 4 agent companies and Arnia) of the master data present in the two databases of which it claimed ownership.

In this regard, it should be noted that, with a joint note from the Commander of the Special Unit for the protection of privacy and technological fraud of the Guardia di Finanza and the Commander of the Privacy Group, it was represented that "the company has not fulfilled the deadline set for the dissolution of reserves and that, following various reminders [...] requested an extension of the deadline for transmitting the additional data, which was not consistent with the provisions of this Authority and the related reasons given". An email dated 22 July 2022 from Arnia was attached to the note, in which it was noted that "in relation to the request made by you following the inspection of 22 and 23 June last, for the supply of data relating to privacy, we are forced to request an extension of the deadline for the supply of the same. The reason lies in the fact that, to complete the retrieval of the copious documentation requested by you, we realized that we need very substantial human resources for our Cooperative, as the retrieval of contracts and consents, present in our archives almost entirely in paper form, requires much longer times than we had estimated at the time of your inspection. To give an idea, the master database contains 138,000 names, to which the relative paper consent forms are associated, which must be extracted and matched. At the moment we have managed to complete about 12,000 names, of which 10,000 belong to our Cooperative, and the remainder to the agent companies".

1.6. Statement of the alleged violations

At the end of the investigation, the Office adopted the above-mentioned statement of objection no. 64099/22 in which, in general, it was observed that from the inspections carried out by the Guardia di Finanza it was possible to outline an extremely serious and alarming picture in relation to the complex of activities carried out by the companies Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l. and Arnia cooperative society, aimed at promoting the services of energy companies in general and those of Hera Comm and Enel Energia in particular.

We then proceeded to identify the specific hypotheses of violation which are referred to in full here:

a) Mas s.r.l. – art. 5, par. 1, lit. a), 6, 7 and 13 of the Regulation, as well as 130, paragraph 3, of the Code, for having made promotional telephone contacts, using lists of personal data acquired in the absence of specific consent and in the absence of the release of prior information, lists that also appear to originate from foreign companies and in any case appear to lack indications regarding the methods of data collection and acquisition of consent for commercial and promotional purposes;

b) Mas s.r.l. – articles 5, par. 1, lit. a), 6, 7, 28 and 29 of the Regulation, for having proceeded to get customers to sign contract proposals on Enel Energia forms, without having received from the company or from any agent agencies, the designation as processor or sub-processor, as well as for having transmitted the data contained in the contract proposals to Sesta Impresa s.r.l., without the latter having been designated, by Enel Energia or by others, as data processor;

c) Mas s.r.l. – art. 28 of the Regulation, for having failed to communicate to the data controller and/or data processor the identification of Mas s.r.l.s. as sub-processor;

d) Mas s.r.l. – art. 30 of the Regulation, for not having prepared and made available to the operators the record of processing activities;

e) Mas s.r.l.s. – articles 5, par. 1 and 2, 6, 7 and 13 of the Regulation, for having purchased lists of personal data from several suppliers, including foreign ones, without having ascertained the correct collection of personal data contained therein and the acquisition from the interested parties of the necessary consent to the transfer of their data to third parties, as well as for having transferred such data to Mas s.r.l., without having previously provided the necessary information to the interested parties and acquired from them the prescribed consent to the communication of the data;

f) Mas s.r.l.s. – articles 5, par. 1, lit. a), 6, 7, 28 and 29 of the Regulation, for having carried out processing for the acquisition of customers for Enel Energia without having received, from the latter or from Sesta Impresa, formal designations as manager or sub-manager of the treatment, as well as for having transmitted the data contained in the contract proposals to Sesta Impresa s.r.l., without the latter having been designated, by Enel Energia or by others, as data processor: the data transfer therefore appears to have been carried out as independent data controller, in the absence of an appropriate legal basis;

g) Mas s.r.l.s. – art. 28 of the Regulation, for having failed to inform the data controller and/or data processor of the identification of Mas s.r.l. as sub-manager;

h) Mas s.r.l.s. – art. 30 of the Regulation, for not having prepared and made available to the operators the Register of treatments;

i) Sesta Impresa s.r.l. – articles 28 and 29 of the Regulation, for having carried out processing on behalf of XX (Enel Energia services), XX (XX), XX (XX), XX (Enel Energia services), XX (Enel Energia services), Mas s.r.l. (Hera Comm services), XX (XX), XX (Enel Energia services), XX (XX), XX (Enel Energia services), without having been designated as data processor or sub-processor;

j) Sesta Impresa s.r.l. – articles 5, par. 1, lit. a), 6, 7, 28 and 29 of the Regulation, also in relation to art. 2-quaterdecies of the Code, for having failed to designate its commercial partners (including Mas s.r.l.) as managers or sub-managers of the treatment and its collaborators as subjects authorized to carry out processing operations, thus carrying out communications of customer data, by partners to Sesta Impresa, by Sesta Impresa to its collaborators and by these to Sesta Impresa and Arnia, due to the absence of the legal basis that justifies the treatment;

k) Sesta Impresa s.r.l. – articles 5, par. 1, lit. f) and 32 of the Regulation, for having acquired individual authentication credentials from the agent companies for access to the IT platforms of the energy companies, credentials not uniquely attributed to Sesta Impresa and subsequently made available to Arnia cooperative society, thus creating unauthorized accesses to the IT systems of energy companies;

l) Sesta Impresa s.r.l. – art. 28 of the Regulation, for having failed to communicate to the data controller and/or data processor the identification of Arnia cooperative society as sub-manager;

m) Arnia cooperative society – articles 5, par. 1, lit. a), 6, 7, 28 and 29 of the Regulation, as well as 130, paragraph 3, of the Code, for having carried out treatments aimed at promoting products and services of energy companies without having received from them a suitable designation as manager or sub-manager of the processing thus carrying out communications of customer data, from Arnia to Sesta Impresa, from Sesta Impresa to Arnia and from Arnia to the energy companies, due to the absence of a legal basis justifying the processing;

n) Arnia cooperative society – articles 5, par. 1, lit. a), 6, 7, 28 and 29 of the Regulation for having achieved, in the year 2018, 70,000 useful contacts of potential customers and 50,000 entries of contracts stipulated by the same, in the absence of suitable designation as manager or data processor, thus carrying out processing of customer data aimed at promoting the services of energy companies, in the absence of an appropriate legal basis that justifies the processing;

o) Arnia cooperative society – articles 5, par. 1, lit. a), 6, 7 and 13 of the Regulation for having communicated the data present in the contact lists of which it is the owner to Sesta Impresa s.r.l., Aries s.r.l., Idra s.r.l. and Argo s.r.l. without having provided the interested parties with the necessary information and acquired the required consent;

p) Arnia cooperative society – articles 5, par. 1, lit. f) and 32 of the Regulation, for having acquired from Sesta Impresa authentication credentials for access to the IT platforms of the energy companies not uniquely attributed to Arnia, thus making unauthorized accesses to the IT systems of the energy companies;

q) Arnia cooperative society – articles 5, par. 1, lit. a), 6 and 7 of the Regulation, for having received from Sesta Impresa data from Mas s.r.l., collected on Enel Energia forms, and for having processed such data and communicated the same to another subject, manager of the so-called “EVA Portal”, in the absence of an appropriate legal basis;

r) Arnia cooperative society – art. 157 of the Code and art. 31 of the Regulation, for failure to respond to a request for information and presentation of documents formulated by the Authority through the Guardia di Finanza, thus demonstrating, moreover, an insufficient degree of cooperation with the Supervisory Authority.

2. THE DEFENSE OF THE OWNER

Although act n. 64099/22 initiating the proceeding was duly notified to the parties, as already represented in the introduction, it must be noted that Mas s.r.l., Mas s.r.l.s. and Sesta Impresa s.r.l. did not send defense briefs nor did they request a hearing before the Authority, and therefore did not avail themselves of any defensive prerogative.

As regards the Arnia cooperative, however, it did not intend to submit written briefs but requested to be heard, on the basis of the provisions of art. 166, paragraph 6, of the Code and of art. 13 of the Guarantor's regulation n. 1/2019.

The hearing took place on 18 January 2023 at the headquarters of the Authority and did not concern the numerous disputes relating to the processing carried out by the cooperative as part of the entrepreneurial initiative which also involved Mas s.r.l., Mas s.r.l.s. and Sesta Impresa, but only the residual aspect of the failure to reply to the requests for information formulated by the Guarantor, as disputed, to Arnia, in point r) of the deed initiating the procedure.

On this point, the representatives of the company specified that “the Cooperative had requested a 60-day extension for the delivery of the documentation requested during the inspection and on which a reservation had been made. The Guardia di Finanza, according to the party, did not respond to this request for an extension either in the affirmative or in the negative. The party also specified that the circumstance reported by the Guardia di Finanza of "various reminders" addressed to it for the production of documents is not true. In reality it would have been a single telephone reminder, to which the Cooperative responded immediately (July 22, 2022), representing the difficulties encountered and requesting the aforementioned extension".

The cooperative therefore reserved the right to produce what was originally requested by the Guardia di Finanza and on which, during the inspection, a reservation had already been formulated. Subsequently, on 25 January 2023, a package was delivered to the Authority's headquarters, sent by Arnia, containing only a storage device (USB pen-drive) without any transmission note or supporting or in some way explanatory documentation. Following an analysis by the technological structure of the Authority, it emerged that the support contains 10270 files, for a total of over 5 GB of data in pdf and/or jpg format which are named with the name and surname of the interested parties, followed by the indication of a company (merely by way of example “Arnia”, “Miral”, “Sesta”). They appear to represent the reproduction of paper forms generically referable to "information on data processing" and "consent" signed by thousands of different interested parties.

In this regard, it should be noted that the forms reproduced in the USB support and attributable to the ownership of the Arnia cooperative, report, for each interested party, only the name and surname and, in some cases, the number of the identification document, in addition to the date of subscription, the signature and the specific indication of the consent given. The forms referring to the ownership of the four partner companies of Arnia bear the indication of the date of birth of the interested party. In many cases, several forms have been found for the same interested party, with consents given on different dates (for example, for a single interested party - A.G. - there are consent forms signed on 10 June 2019, 23 August 2019, 20 January 2020, September 9, 2020 and July 20, 2021). In some cases it has been observed that for some interested parties there are several consent forms signed for the same owner and on the same date. In some cases the signatures of the same interested parties on the various forms appear evidently different.

3. ASSESSMENTS OF THE AUTHORITY

First of all, it is necessary to underline that the disinterest of Mas s.r.l., Mas s.r.l.s. and Sesta Impresa s.r.l. in today's proceeding, attested by the choice not to submit defense briefs or to request a hearing before the Guarantor, confirms in itself that the three companies attribute an insignificant value to compliance with the legislation on the protection of personal data within the scope of their own entrepreneurial strategies. Given the lack of attention to and the inconsistent adoption of the provisions of the Regulation and the Code, these strategies would appear aimed exclusively at maximizing profits through the illicit processing of personal data, from which may also derive a failure to comply with the main rules of fair competition towards competitors in the energy services market and a substantial circumvention, through illegal practices, of the rules aimed at protecting the rights of natural persons. This practice is indicative of an attitude and a modus operandi that favor the spread of the phenomenon of wild telemarketing which involves a large part of the Italian population on a daily basis.

The same considerations must also be made for the cooperative company Arnia which, despite having requested a hearing before the Authority, nevertheless chose to articulate its defense without providing any explanation of the numerous and serious violations contested, focusing on an aspect that is important but still marginal with respect to the behaviors detected as a whole, namely the failure to respond to requests for information formulated by the Authority.

In the presence of such a blatant attitude, which at no time has shown a real desire for constructive dialogue with the Authority in order to remedy the critical issues identified and to reformulate the processing of personal data with a view to respecting the rules and people, an assessment of the extreme seriousness of the conduct carried out by the four subjects referred to in today's proceeding must be formulated. There also follows a prognostic judgment of significant danger in relation to future processing of personal data, from which derives the need to adopt, in addition to appropriately effective and dissuasive administrative pecuniary sanctions, also injunctive measures capable of preventing at the root the repetition of conduct of the same kind.

Therefore, what was observed in the dispute is confirmed, namely that Mas s.r.l., Mas s.r.l.s. and Sesta Impresa s.r.l. have acted, under the direction of the Arnia cooperative society, in disregard of the provisions that allow to stem the phenomenon of wild telemarketing and to bring out the so-called "undergrowth" which operates on the margins of the official sales networks of the energy companies, given that the relationships between the various companies are indeterminate, hazy and without unambiguously correct references to the methods of distribution of the responsibilities of the treatment that the Regulation imposes pursuant to articles 28 and 29.

In practice, it emerged that all the companies subjected to the audit operated by carrying out massive promotional activities and the sale of energy services, both by telephone and door-to-door, without the activities being represented in detail and verified by the energy companies and their respective official sales networks. In fact, the four companies did not act as data processors or sub-processors on behalf of the energy companies and, nevertheless, they managed, by exploiting obvious weaknesses in the system and deficiencies in the controls, to introduce the numerous contractual proposals made to customers to sign (with promotional contacts, it is reiterated, made in violation of the rules on the protection of personal data) in the information assets of the same energy companies, collecting the relative commissions.

We are therefore dealing with further intermediate links in the (long) telemarketing chain in the energy sector, whose activity demonstrates that the measures put in place by the big companies to control only the official sales network, all the more so if they are solely of a contractual and civil nature, are not always sufficient or able to intercept a varied and elusive phenomenon such as the one that the activity of the Guardia di Finanza and that of the Guarantor have tried to reconstruct in the present investigation.

Most notable of all is the circumstance, ascertained during the inspections, that Mas s.r.l., after making promotional contacts using personal data lists illegally acquired by Mas s.r.l.s. (which in turn had illegally acquired them via Facebook from an Italian sole proprietorship and a Spanish company), transferred a large number of contracts for the activation of energy services with Enel Energia to Sesta Impresa s.r.l., and this in turn "passed over" these contracts to the Arnia cooperative. Although the latter does not have any type of contractual relationship relating to the processing of personal data with Enel Energia, it handled the loading of the contracts by accessing the company's systems with credentials attributed to other subjects.

All this occurred in the total unawareness of the interested parties/customers who have never been aware of the fact that their personal data have passed from hand to hand between subjects who did not offer any guarantee of the correctness of the operations carried out and of the security of the data processed, going therefore to further feed the supply sources of illegal telemarketing and generating a vicious circuit of nuisance telephone calls and illicit contacts, completely detached from the intention of offering the customer economically advantageous services and linked only to the need to increase the number of calls, the contracts signed and the profits made by the companies.

The context of overall serious illegality of the joint and organically planned entrepreneurial initiative of the four companies is testified, beyond any consideration of a legal nature, by the statements made, to the Guardia di Finanza, by the so-called "business brokers" of Mas s.r.l. and Mas s.r.l.s., which paint a disturbing picture: “I signed a letter of assignment for direct home sales with the company Mas s.r.l. and they handed me two cards, one on behalf of the company Hera Comm and the other of Enel Energia and both were made out to MAS. At the beginning of my career I hadn't noticed the difference between Mas s.r.l., for Hera Comm, and Mas s.r.l.s. for Enel because I have always believed that the two supplier companies used only Mas s.r.l.”; “I remember that the lists were drawn up in pen and included name, surname, address and telephone number and the time in which to meet the probable buyer. Furthermore, we also had to fix appointments for the following day with subjects who were identified from a further list called "customer package", [...] printed on the computer showing thousands of names associated with the addresses of the subjects, the mobile phone number and the supplier of the period”; “[The owners of Mas s.r.l. and Mas s.r.l.s.] pushed us agents to get Hera Comm to sign contracts for the supply of energy and gas as much as possible. We had to propose contracts on behalf of Enel only if the customer we met was already the holder of a Hera Comm contract”; “The eight appointments had to be made because [the owner of Mas s.r.l.s.] checked if we didn't go. In the event that the customer was not found at the agreed venue, we had to call him and if not, take a photo of the bell to be sent together with the GPS position [...]. In the event of our negligence, a fine of the order of a few hundred euros was envisaged. The [owner of Mas s.r.l.s.] also personally called the customer with whom the appointment had failed, to verify what was communicated by the agent. Therefore we were forced even up to a late hour to look for and meet all eight expected customers”; "the list of names that was delivered to me every day was a list of about fifty subjects per single sheet and for each subject to be contacted, name and surname, tax code, supply address, POD or PDR code, supplier of the service active at the moment, the date of activation and the mobile phone number. One of the electricity and gas suppliers most indicated in the aforementioned list was Enel Energia. I was forbidden to take a copy of these lists outside the offices”; “When we contacted a customer, Mas's name was not communicated and we tried not to allow the customer to investigate the question of how we were in possession of his data. Once we got to the appointment we had to immediately look at the last activation date of the supply contract and the conditions applied, we had to detect the average cost on the bill and offer an advantageous price specifying that it would be blocked for thirty months but this was absolutely not true, as the price was never blocked and varied every month. I am sure of this as several customers to whom I have stipulated Hera contracts have contacted me complaining of fluctuating and ever higher prices. As per teachings and indications received from [the owner of Mas s.r.l.], I proceeded to insist on signing the contract even using high tones if a customer objected. I would like to point out that once I went with [the owner of Mas s.r.l.] to a customer and she demonstrated how to proceed with impetuosity and determination to convince him to sign a Hera contract"; "all the agents had, on the orders of [the owner of Mas s.r.l.], to identify from the list of names those who had recently switched to Hera Comm, we had to contact them to offer the switch to Enel even a month after receiving the first Hera Comm bill. Once the transfer to Enel had taken place, it was necessary to proceed again within a very short time with the proposal to return to Hera Comm. [The owner of Mas s.r.l.] demanded all these changes of manager in order not to lose customers and to increase the number of commissions".

These testimonies are the most evident proof of the illicit induced activities that abusive telemarketing is capable of generating, making all the regulatory measures in the sector substantially ineffective, if identified only from a formalist and contractual point of view, and it must be considered that what has been ascertained in the case in question may assume the connotations of a system in relation to which the Guarantor reserves the right to take the initiatives of its competence, including a communication to the Guarantor Authority for competition and the market, also in the light of some recent resolutions of the latter on similar profiles (ex multis Decision of 2 November 2022, published in Bulletin 42/22 of 21 November 2022 - https://agcm.it/dotcmsdoc/bollettini/2022/42-22.pdf).

As regards the specific objections raised against each of the addressees of this provision, these appear to be confirmed by the results of the inspections which, from time to time, have created an exhaustive framework of evidence and which in no case have been questioned by the companies themselves.

In particular, it emerged that Mas s.r.l. has carried out processing activities aimed at creating promotional telephone contacts, using lists of personal data acquired in the absence of specific consent and in the absence of the release of prior information, lists which also appear to originate from foreign companies and in any case appear to lack indications regarding the methods of data collection and acquisition of consent for commercial and promotional purposes. The company also proceeded to get customers to sign contract proposals on Enel Energia forms, without having received from the company or from any agent agencies, the designation as manager or sub-manager of the treatment. It then transmitted the data contained in the contract proposals to Sesta Impresa s.r.l., without the latter having been designated, by Enel Energia or by others, as responsible for the treatment: the collection and transfer of data therefore appear to have been carried out by Mas s.r.l. as independent data controller, in the absence of an appropriate legal basis, given that art. 6, par. 1, lit. b) of the Regulation allows the processing necessary for the execution of the contract only to the parties to the contract itself and to the subjects duly designated as responsible. Finally, because Mas s.r.l. shared with Mas s.r.l.s. the same operating environments as well as the same personnel, who worked indifferently for both companies, the two companies have carried out constant sharing of personal data without having provided for reciprocal acts of designation suitable for distributing and dividing the responsibilities of the different treatments. The company has not prepared and made the treatment register available to operators.

Similarly Mas s.r.l.s. appears to have purchased lists of personal data from several suppliers, including foreign ones, without having verified the correct collection of the personal data contained therein and the acquisition from the interested parties of the necessary consent to the transfer of their data to third parties. It has also transferred such data to Mas s.r.l., without having previously provided the necessary information to the interested parties and acquired from them the prescribed consent to the communication of the data. The company, due to a commercial relationship with Sesta Impresa s.r.l., has carried out treatments for the acquisition of customers for Enel Energia without having received, from the latter or from Sesta Impresa, formal designations as manager or sub-manager of the treatment. It then transmitted, like Mas s.r.l., the data contained in the contract proposals to Sesta Impresa s.r.l., without the latter having been designated, by Enel Energia or by others, as responsible for the treatment: also in this case the transfer of data appears to have been carried out as an independent data controller, in the absence of a specific legal basis on the point.

As regards Sesta Impresa s.r.l., the Company has been found to carry out promotional activities of products and services of numerous energy companies, on behalf of some agent agencies with which it has signed business procurement or work performance contracts. In this regard, it appears that the contracts with XX (Enel Energia services), XX (XX), XX (XX), XX (Enel Energia services), XX (Enel Energia services), Mas s.r.l. (Hera Comm services), XX (XX), XX (Enel Energia services), XX (XX), XX (Enel Energia services), do not bear the designation of Sesta Impresa as data controller; the contract with Diler Power Italia s.r.l. (Eon services) bears the designation of Sesta Impresa as sub-manager of the treatment with express prohibition to designate further sub-managers. It therefore emerged per tabulas that Sesta Impresa carried out personal data processing aimed at the commercial promotion of the services of the energy companies referred to above in the absence of designations and distributions of responsibilities suitable for inserting the same treatments in the framework of legitimacy that only the direct relationship with the contracting company could have supplied.

Similarly, the numerous collaborators, both natural and legal persons, which Sesta Impresa has made use of, do not appear to have been included in a context consistent with the provisions of articles 28 and 29 of the Regulation and 2-quaterdecies of the Code.

As far as the relationship with Arnia cooperative society is concerned, the latter appears to have been designated by Sesta Impresa as data processor, a designation which however appears to be completely ineffective in restoring legitimacy to the processing carried out as it was adopted by Sesta Impresa as independent data controller of the treatment: this legal status appears inconsistent with the nature and purpose of the treatments, aimed at promoting the services of energy companies which, as original clients, should have identified the overall chain of the sales network, adopted the relative designation deeds and be made aware of the presence of any subjects who operated as sub-managers, in order to include them too in the division of responsibilities.

The failure to correctly designate the subjects of the treatment, in addition to configuring the specific violations envisaged by the Regulation, determines the illegality of the communications of customer data, from Sesta Impresa to its collaborators and from these to Sesta Impresa and Arnia, due to the absence of the legal basis that justifies the processing, given that, as also observed in relation to the position of Mas s.r.l. and Mas s.r.l.s., the Regulation allows the processing necessary for the execution of a contract only between the parties to the contract itself and between the subjects included in the supply chain recognized by the owner.

Sesta Impresa also received from the company Mas s.r.l., during at least the years 2020 and 2021, constant flows of personal data of customers who had signed contracts on Enel Energia forms precisely through Mas s.r.l. These data were subsequently transmitted to Arnia cooperative society for data entry operations, thus carrying out data communications in the absence of an appropriate legal basis. Finally, Sesta Impresa would have obtained from the agent agencies the availability of authentication credentials to access the IT platforms of the energy companies, credentials that it could not itself have used since they were individually registered to another entity. Moreover, these credentials were communicated by Sesta Impresa to Arnia so that the latter could carry out, on behalf of Sesta Impresa and the other client agencies, the data entry operations of the contracts signed by the clients, in violation of the provisions of the Regulation on the security of the treatment.

Finally, with reference to Arnia cooperative society, the company was found to be the nerve center of the marketing activities carried out in the illegitimate and illegal manner described above. In fact, it was evident, already from the declarations of the owner of Sesta Impresa, that he completely relied on the organization of the cooperative company for the realization of the telephone contacts preparatory to the setting of appointments with potential customers, for the keeping of the databases containing lists of which Arnia was found to be the exclusive owner and for the data entry operations of the contracts stipulated by the procurers on behalf of the energy companies.

The relationship between Arnia cooperative society and Sesta Impresa, as well as that with Idra s.r.l., Argo s.r.l. and Aries s.r.l., is regulated by a service contract and by the designation of Arnia as responsible for the treatments carried out by the four companies as controllers. However, this approach does not appear to correspond to the reality of the facts since the promotional activities carried out by Sesta Impresa are carried out in the capacity of "de facto" sub-manager and in any case are unequivocally attributable to the ownership of the energy companies, the original clients. From this it follows that the designation of Arnia by Sesta Impresa is not suitable for bringing the processing operations that Arnia carries out with energy company customer data back to a framework of legitimacy, a legitimacy which, moreover, is originally extraneous also to the processing of Sesta Impresa. The only processing operations that Arnia carries out under the ownership of Sesta Impresa and the other three companies are those aimed at telephone contact with potential customers and scheduling appointments in the agenda of the latter's collaborators. However, to make promotional calls, Arnia uses the databases containing the contact lists it owns, which it therefore makes unduly available to Sesta Impresa and the other three companies in the context of the activities for which they are independent controllers, realizing a communication of data not foreseen by the information provided to the interested parties and not supported by any legal basis, in particular that of consent. Similarly, Arnia, during the inspection, declared that it in turn obtained consent to the processing of data for marketing purposes which ends up feeding an already illegal database.

In addition to this, due consideration should be given to the fact that the designation of Arnia as data processor of the 4 companies was carried out in January 2019 while the service contracts were stipulated between the years 2017 and 2018 and, in this regard, documentation was acquired regarding the execution of about 70,000 useful promotional contacts on behalf of the 4 companies and the insertion of about 50,000 contracts in the platforms of the energy companies. Arnia performs data entry operations of the contracts stipulated on the forms of the energy companies, accessing the IT platforms of the latter without being entitled to them and using authentication credentials in the name of other subjects (the agent agencies that unduly communicate them to Sesta Impresa and to the other companies). Furthermore, with reference to the contractual proposals entered into by Mas s.r.l. on Enel Energia forms, Arnia would have received this documentation in the absence of an appropriate legal basis that legitimizes the processing of the related data and would have accessed Enel Energia's systems through the company's portal, loading all the contracts and determining the full realization of the unlawful conduct initiated by the other partner companies.

Finally, Arnia failed to respond to requests for information relating to the two databases that the Authority, through the Guardia di Finanza, addressed to it both during the inspection, during the operations, and subsequently. The latter circumstance occurred despite the fact that it had been granted a deadline of 15 days for replies. In this regard, it should be noted that the Company, after being repeatedly requested, requested, on 22 July 2022, a further extension of the response terms of two months. Although this extension was not granted, Arnia did not send any response, not even after two months, thus carrying out a conduct in violation of the provisions of art. 157 of the Code and demonstrating a marked non-cooperative attitude towards the Authority and the Guardia di Finanza, which significantly slowed down the preliminary investigation process.

Moreover, even in the phase of exercising the right of defence, Arnia proceeded to send the Guarantor not the information and documentation requested, namely "the data relating to the overall numerical consistency of the personal data present in the master database and the data relating to the number of archived consents divided according to the data controller (Agents or Arnia)", but a disorganized collection of scanned documents, containing the information and consent models prepared by Arnia and by the other 4 partner companies (Aries, Argo, Sesta Impresa and Idra), which cannot constitute a complete response to the requests of the Guarantor.

On the contrary, it must be observed that, on the one hand, the scanned forms present critical elements with reference to the identification of the subjects who have given the consent (in many cases the forms only show the name and surname of the data subject) and, on the other, that the response provided by Arnia, despite the long time elapsed since the deadline granted by the Guardia di Finanza for the production of documents, was limited to 10,270 scanned documents, i.e. a lower number of documents than those that the cooperative had declared it had completed processing since July 2022 (as emerges from the July 22 email referred to in point 1.5).

Therefore, in confirming the disputes referred to in the initiation of the proceeding, it must be considered that the radical illegality of the processing operations as described above makes it necessary to adopt a prohibition measure against Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l. and Arnia cooperative society, of any further processing aimed at the creation of promotional contacts, of any further processing involving the use of personal data lists acquired from Mas s.r.l.s. and Mas s.r.l. and of the databases owned by Arnia cooperative society as well as any further processing aimed at carrying out data-entry activities of contracts for the activation of energy services, given the unsuitability of any provision of a prescriptive nature to remedy the very serious illegalities committed.

Finally, it is deemed necessary to adopt the accessory sanction of confiscation of computer and paper supports containing the lists of personal data illegally acquired by Mas s.r.l.s. via Facebook, by an Italian sole proprietorship and by a Spanish company, as well as lists of personal data and paper forms that make up the databases available to the Arnia cooperative company.

This measure becomes necessary and is applicable to the present case for two reasons.

Firstly, due to the peculiar entrepreneurial initiative launched by the four companies, implemented from the beginning in total disregard of the legislation on personal data (think in particular of the complete sharing of data between the two companies called Mas or the databases that Arnia managed autonomously even if originating from data collections carried out by partner companies and which Arnia then fed with the illegal acquisition of consents falling under its ownership but acquired by the business brokers of the partners, also for communication to third parties), as well as the already stated prognostic judgment of significant danger in relation to future processing of personal data, it is considered necessary to remove from the control of these companies a substantial amount of information (acquired and held, it is reiterated, illegally), also in order to prevent any illegal reuse by other third parties.

Secondly, the confiscation appears functional to adequately protect the large number of interested parties who unwillingly found themselves caught up in the complex of illegal activities described so far. The measure of confiscation therefore assumes the meaning of restoring, at least ideally and figuratively, to the interested parties, the sense of adequate protection of their personal data through a public authority, given the fact that the object of the confiscation – in particular the Arnia databases – represents both the instrument and the product of the set of violations referred to so far.

For these reasons, it must also be ordered, pursuant to the combined provisions of Articles 58, par. 6, of the Regulation, 166, paragraph 7, of the Code and 20, paragraph 3, of the law no. 689/1981, the confiscation of IT and paper supports containing the lists of personal data illegally acquired by Mas s.r.l.s. via Facebook, by an Italian sole proprietorship and by a Spanish company, as well as lists of personal data and paper forms that make up the databases available to the Arnia cooperative company.

4. CONCLUSIONS

For the above reasons, the responsibility of Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l. and Arnia Società Cooperativa is established with regard to all the disputed violations.

Having also ascertained the unlawfulness of the conduct of the four companies mentioned above with reference to the processing operations examined, it is necessary to:

- impose on them, pursuant to art. 58, par. 2, lit. f) of the Regulation, the prohibition of any further processing aimed at creating promotional contacts, of any further processing that provides for the use of the lists of personal data acquired from Mas s.r.l.s. and Mas s.r.l. and of the databases owned by Arnia cooperative society as well as any further processing aimed at carrying out data-entry activities of contracts for the activation of energy services;

- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against the four companies of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5, of the Regulation.

5. ORDER-INJUNCTION FOR THE APPLICATION OF THE PECUNIARY ADMINISTRATIVE SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of the law n. 689/1981, for the application against Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l. and Arnia cooperative society of the pecuniary administrative sanction provided for by art. 83, para. 3 and 5 of the Regulation (payment of a sum up to €20,000,000.00);

In order to determine the amount of the fine, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation;

In the present case, the following are relevant:

1) the exceptional seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation), taking into account the object and the purposes of the data processed, attributable to the overall phenomenon of telemarketing, the methods of processing, in clear disregard of the regulations on the protection of personal data, the significant number of subjects involved, deducible from the volume of promotional activities as reported in the justification, and the considerable duration of the processing operations, at least from the entry into force of the Regulation;

2) as an aggravating factor, the intentional nature of the conduct (Article 83, paragraph 2, letter b) of the Regulation) put in place in order to circumvent the legislation on the protection of personal data and other regulatory disciplines in the sector;

3) as a further aggravating factor, the very low degree of cooperation with the supervisory authority in order to remedy the violation and mitigate its possible negative effects (Article 83, paragraph 2, letter f) of the Regulation) since, apart from the "necessary" dialogue during the inspection, the four companies have not undertaken any initiative to facilitate the preliminary investigation process and to mitigate the consequences of the violations;

4) as an element of evaluation to parameterize the sanction (Article 83, paragraph 2, letter k) of the Regulation), the economic capacity of the offenders as inferred from the information present in the financial statements for the year 2021.

Based on the set of elements indicated above, and the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1 of the Regulation, as well as the role played and the specific contribution of each company to the infringement project (according to which Arnia cooperative society appears to be the figure of connection and junction of the main illegal activities, Mas s.r.l. the company that has had functions of coordination of the Veronese companies and transmission of the huge amount of contracts acquired in violation of privacy regulations, Sesta Impresa s.r.l. the executor of the undue promotional activities planned by Arnia and Mas s.r.l.s. the company that illegally acquired contact lists also from foreign companies) it is believed that the following should apply:

- to Mas s.r.l.s. the administrative sanction of the payment of a sum of 200,000 euros;

- to Mas s.r.l. the administrative sanction of the payment of a sum of 500,000 euros;

- to Sesta Impresa s.r.l. the administrative sanction of the payment of a sum of 300,000 euros;

- to Arnia cooperative society the administrative sanction of the payment of a sum of 800,000 euros.

In the case in question, it is believed that the ancillary sanction of publication on the Guarantor's website of this provision should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Regulation of the Guarantor n. 1/2019, taking into account the nature of the processing operations and the conduct of the Companies, as well as the elements of risk for the rights and freedoms of the interested parties.

Finally, the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met for the annotation of this provision in the Authority's internal register.

IN VIEW OF ALL THE ABOVE, THE GUARANTOR

a) imposes on Mas s.r.l., Mas s.r.l.s., Sesta Impresa s.r.l. and Arnia cooperative society, pursuant to art. 58, par. 2, lit. f) of the Regulation, the prohibition of any further processing aimed at creating promotional contacts, of any further processing that provides for the use of the lists of personal data acquired from Mas s.r.l.s. and Mas s.r.l. and of the databases owned by Arnia cooperative society as well as any further processing aimed at carrying out data-entry activities of contracts for the activation of energy services;

b) enjoins the aforementioned companies, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the imposed measure; any failure to comply with the provisions of this point may result in the application of the administrative fine provided for by art. 83, paragraph 5, of the Regulation;

c) orders, pursuant to articles 58, par. 6, of the Regulation and 154, paragraph 4, of the Code, the transmission of this provision to the Authority for competition and the market, for the initiatives within its competence.

ORDERS

1) to Mas s.r.l., with registered office in Verona, Corso Milano 64, Tax Code 04600740239, to pay the sum of Euro 500,000.00 (five hundred thousand/00) as an administrative fine for the violations indicated in the justification;

2) to Mas s.r.l.s., with registered office in Verona, Corso Milano 64, Tax Code 04464070236, to pay the sum of Euro 200,000.00 (two hundred thousand/00) as an administrative fine for the violations indicated in the justification;

3) to Sesta Impresa s.r.l., with registered office in Florence, viale Belfiore 34, Tax Code 02108430501, to pay the sum of 300,000.00 (three hundred thousand/00) euros as a pecuniary administrative sanction for the violations indicated in the justification;

4) to Arnia Società Cooperativa, with registered office in Florence, viale Belfiore 34, Tax Code 06488750487, to pay the sum of 800,000.00 (eight hundred thousand/00) euros as an administrative fine for the violations indicated in the justification.

It is noted that the offenders, pursuant to art. 166, paragraph 8, of the Code, have the right to settle the dispute, with the fulfillment of the instructions given and the payment, within the term of thirty days, of an amount equal to half of the fine imposed.

ENJOINS

the aforementioned companies, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay in full the sums respectively indicated (500,000 euros for Mas s.r.l.; 200,000 euros for Mas s.r.l.s.; 300,000 euros for Sesta Impresa s.r.l.; 800,000 euros for Arnia cooperative society), according to the procedures indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of the law n. 689/1981.

ORDERS

- the application of the ancillary sanction, pursuant to the combined provisions of articles 58, par. 6, of the Regulation, 166, paragraph 7, of the Code and 20, paragraph 3, of the law no. 689/1981, of the confiscation of IT and paper supports containing the lists of personal data illegally acquired by Mas s.r.l.s. through Facebook, by an Italian sole proprietorship and by a Spanish company, as well as lists of personal data and paper forms that make up the databases available to the cooperative company Arnia;

- the application of the ancillary sanction of publication of this provision on the website of the Guarantor, provided for by articles 166, paragraph 7 of the Code and 16 of the Regulation of the Guarantor n. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, par. 1, lit. u), of the Regulation, as well as by art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with art. 58, par. 2, of the Regulation itself.

Pursuant to articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller has its registered office, within the term of thirty days from the date of communication of the provision itself.

Rome, 13 April 2023

THE PRESIDENT
Stanzione

THE RAPPORTEUR
Cerrina Feroni

THE SECRETARY GENERAL
Mattei