Garante per la protezione dei dati personali (Italy) - 9988710

From GDPRhub
Latest revision as of 11:40, 17 April 2024

Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR
Article 5(2) GDPR
Article 24(1) GDPR
Article 25 GDPR
Article 28 GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 14.07.2023
Decided: 08.02.2024
Published:
Fine: 79,107,101 EUR
Parties: n/a
National Case Number/Name: 9988710
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante (in IT)
Initial Contributor: im

The DPA imposed a fine of €79 million on Enel Energia S.p.A. for significant shortcomings in the security of its contract-management systems, which allowed unauthorised telemarketing companies to submit contracts concluded with consumers in violation of the law. It is the highest fine ever imposed by the DPA.

English Summary

Facts

The Guardia di Finanza (financial police) investigated four companies that had conducted unlawful telemarketing calls from 2015 to 2022; fines were imposed on them and their databases were confiscated. The calls promoted the services of companies in the electricity and gas sector. One of these energy companies was Enel Energia ('the controller').

Further analysis of the databases revealed that Enel Energia had acquired as many as 978 contracts from the four companies, even though they did not directly belong to Enel Energia's sales network. The agreements these companies reached with potential customers were uploaded into Enel Energia's customer relationship management ('CRM') system, which then concluded the contracts on behalf of Enel Energia.

An additional investigation launched by the Italian DPA ('Garante') revealed that these marketing activities used illicitly acquired customer lists containing addresses, telephone numbers, the municipality of residence and the customer's current energy supplier. The four companies had never been officially designated as data processors by Enel Energia or by any of its sales agencies, nor was Enel fully aware of these irregularities. Nevertheless, the processing was performed on Enel's behalf and to its economic benefit.

The DPA focused in particular on the lack of security measures governing access to the CRM system. The Garante noted how extremely easy it was for external companies, even without any direct contractual relationship with Enel, to obtain the credentials needed to use the system and "upload" contracts in violation of the law.

In response to the Garante's allegations, Enel Energia raised procedural objections. Among other things, it argued that the Garante had infringed the principle of ne bis in idem, as the objections overlapped with previous measures against Enel. In particular, the Tribunal of Rome, by ruling No. 443/2021, had already annulled the Garante's fine against Enel Energia.

Holding

The DPA found the following infringements.

Enel Energia violated Article 5(1)(f) GDPR and Article 32 GDPR because it failed to carry out an adequate assessment of the risks connected to its CRM system and failed to adopt appropriate measures to ensure the correct use of access credentials and to prevent credential sharing. The Garante stated that this allowed contract proposals acquired by employees of agencies not authorised to access the system or to process personal data to be entered into Enel Energia's contractual system.

The Garante also held that Enel Energia violated Articles 5(2), 24(1) and 25 GDPR. These provisions concern accountability and privacy by design, which were breached because Enel Energia did not effectively counteract the improper conduct of the agencies procuring contracts on its behalf. Enel Energia was thus unable to demonstrate that it had exercised its powers of control over the functionality and security of its systems.

Lastly, the Garante decided that Enel Energia violated Article 28 GDPR because the contracts it concluded with its sales agencies did not reflect how personal data were actually handled. These contracts did not include terms on the controller's control obligations, nor did Enel ensure that the agencies concluded the necessary legal agreements with the external parties they used. This led to the situation at hand, where unauthorised telemarketing companies illicitly accessed Enel's systems using shared credentials and unlawfully processed personal data for the company's benefit.

Regarding Enel Energia's argument on the breach of the ne bis in idem principle, the DPA highlighted the distinction between its previous measure (No. 443) and the current objections raised against Enel Energia.

The previous measure covered a wide range of activities conducted by Enel Energia, including telemarketing without consent, violations of opposition register rules, delays in responding to data subject rights requests, among others. It also addressed Enel Energia's efforts to prevent the misuse of its services by customers. On the other hand, security measures and monitoring of critical events in the CRM were not part of the previous examination. In this sense, the Garante adopted corrective measures addressing a different violation.

As a result, the DPA imposed a fine in the amount of €79,107,101 making it the highest sanction ever imposed by the Italian DPA.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Press release of February 29, 2024



[doc. web no. 9988710]

Provision of 8 February 2024

Register of measures
n. 81 of 8 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and Avv. Guido Scorza, members, and Dr. Claudio Filippi, deputy general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "Regulation");

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation on file;

GIVEN the observations made by the deputy general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted with resolution of 28 June 2000;

RAPPORTEUR: Avv. Guido Scorza;

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

1.1. Premise

With deed of 14 July 2023, n. 108535/173067 (notified on the same date by certified email), which must be understood as fully referenced and reproduced here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation towards Enel Energia S.p.A., (hereinafter “Enel Energia” or “the Company”), in the person of the legal representative pro tempore, with registered office in Rome, viale Regina Margherita n. 125, C.F. 06655971007.

The proceeding originates from an investigation launched by the Authority following receipt of the results of an activity carried out by the Soave Company (Compagnia di Soave) of the Guardia di Finanza and by the Special Privacy Protection Unit, concerning the telemarketing activities of some agencies located in Verona (Mas s.r.l. and Mas s.r.l.s.) and in Tuscany (Sesta Impresa s.r.l. and Arnia soc. cooperativa). Those results are fully reported in the Guarantor's Provision no. 184 of 13 April 2023 (in www.gpdp.it, web doc. no. 9893718), to which reference is made in full.

In a nutshell, for the part that is relevant here, the investigations carried out by the Financial Police made it possible to ascertain that two Verona companies carried out activities aimed at promoting the services of companies in the electricity and gas sector. Their activities were essentially focused on promoting the services of Enel Energia and XX, which their collaborators carried out using identification cards, later found to be counterfeit, and forms from both Enel Energia and XX.

The marketing activities of the two Veronese companies were carried out, in the first instance, through telephone contact with potential customers, using lists of names accompanied by addresses, telephone numbers, the municipality of residence within the province of Verona and the current energy supplier. The lists were found to have been acquired illicitly, and the contacts were made without observing the provisions of the Regulation, the Code, national law and the numerous provisions, including those of a general nature, adopted by the Authority on telemarketing. As for the promotional method following the telephone contact, if the potential customer had an existing contract with XX, a change of supplier to Enel Energia was proposed. After a certain period from the signing of a contract, the customer was contacted again to change supplier once more (from XX to Enel Energia and vice versa).

It is important to point out that the two Veronese companies did not have any collaboration contract or service contract in place with Enel Energia and therefore had no authorisation to stipulate contracts on its behalf; the contracts, once signed, were sent to the Florentine company Sesta Impresa s.r.l.

The Special Unit for the protection of privacy and technological fraud, at the Authority's request, carried out an inspection of the latter company on 10 February 2022, from which it emerged that it had agreements in place with some agencies in Enel Energia's sales network (XX, XX, XX, XX and XX) despite not having been designated as a data processor either by the energy company or by its agencies. The inspection also revealed that the forwarding of contractual proposals to Enel Energia was not carried out directly by Sesta Impresa but by another Florentine company, with the same registered office as Sesta Impresa and operational headquarters in Montecatini, the Arnia cooperative. This cooperative turned out to be the real organisational engine of the telemarketing activities: in addition to carrying out the data entry of the contracts acquired by Sesta Impresa and other companies, it coordinated autonomous promotional initiatives, contacting by telephone the potential customers held in its own database, for marketing activities then finalised by Sesta Impresa and other companies.

The Financial Police, upon further request from the Authority, therefore carried out an investigation of the Arnia cooperative on 22 and 23 June 2022, which confirmed, in addition to numerous matters not relating to Enel Energia, that Arnia had uploaded Enel Energia contracts, on behalf of Sesta Impresa, into the energy company's information systems even though it had no access authorisations of its own for those systems. The investigation also highlighted that the database of potential customers through which Arnia carried out telephone contacts to promote the energy companies' services had no suitable legal basis for the processing of the personal data of the people recorded in it.

From all the investigations it emerged, in a nutshell, that the four companies had, among other things, implemented uniquely organized and coordinated activities to: 1) acquire assignments from the Enel Energia sales network in order to promote the services of the same, even in the absence of formal designations or authorizations from the client; 2) contact potential customers using databases of unauthorized origin, bypassing the provisions of the Regulation, the Code and national laws on telephone marketing; 3) upload the contracts by accessing the Company portal in the absence of formal authorizations from the Company and independent access credentials.

1.2. The inspection at Enel Energia and further investigative activities

Following these findings regarding the four companies, it was necessary to carry out an inspection of Enel Energia, which the Authority delegated to the Financial Police, with a request for information and on-site presentation of documents pursuant to art. 157 of the Code. The inspection aimed to verify how contracts acquired by the agencies are uploaded onto the company platforms, the security measures implemented by Enel Energia on those platforms, and the presence of the contracts acquired by the Veronese companies and then passed through Sesta Impresa and the Arnia cooperative.

From the investigations, carried out on 24 and 25 November 2022 and from the subsequent sending of documentation (made available to the Office, lastly and in its entirety, on 21 February 2023, with sending by the Financial Police, protocol no. 31529/173067) the following emerged, among other things:

a) Identification of systems and databases

the operations of the Enel Energia sales network agencies are based on a platform for accessing the company's CRM (Customer Relationship Management) called N.Eve, an acronym for "New Eve", a dedicated interface which replaced the previous "Eva" system following a roll-out carried out by the Company from 6 to 27 July 2018. The Eva system remained in operation until 22 February 2019, after which it was definitively decommissioned. Through N.Eve, the contractual proposals coming from the agencies, which result from a supplier change operation and are drawn up on a pre-printed paper form that is part of a kit supplied to the sellers, are uploaded onto the system through a back-office activity. N.Eve, as part of the broader CRM, has been subjected to risk analysis and impact assessment procedures;

b) agencies of the Enel Energia sales network

the Company provided, with documentation sent after the inspection and received by the Office on 31 January 2023 (protocol no. 15928/173067), the list of 210 agencies which were assigned a total of 1,288 authentication credentials for access to the corporate systems. Between 2020 and 2022, these agencies uploaded a total of 2,653,388 contracts via the N.Eve platform;

c) method of attributing credentials to the Agencies for access to the systems

credentials are granted to the agencies in two steps, in compliance with a specific company policy. First, the agency's legal representative is accredited by Enel Energia's "territorial channel manager", who provides the credentials to access the Access Management Hub. From there, the legal representative can enter the names of the individual agents and back-office operators (the data-entry workers) so that, after a series of checks, access credentials are issued and activated by the IMAC (Identity Management Access Control) company system. The credentials of agents who operate via the Enel app are associated with two-factor authentication via Microsoft Authenticator; for paper contracts, the operator who then performs the data entry authenticates via MFA (multi-factor authentication);

d) security and monitoring measures related to the activities of the Agencies

starting from June 2021, the Company has adopted a system for verifying how company systems are accessed, which involves the acquisition of access logs and an alert system for anomalous events (night-time accesses, accesses from different geographical positions, multiple accesses). The system is called SEOL (Security eye on log), but it has not been fully applied to N.Eve: although system access logs are recorded (and kept for 18 months), no alerts are raised "on accesses from different geographical positions and on multiple accesses" because, in the company's opinion, N.Eve's risk level is low, IP addresses are difficult to geolocate precisely, and multiple-access alerts generated an excessive number of false positives due to "a high use of mobile devices". The Company specified that "currently there are no procedures in place that prevent possible simultaneous access with the same credential on N.Eve, since the access procedure involves a double authentication factor. Likewise, the system does not provide barriers connected to a selection of IP addresses from which access attempts are made."

To concretely illustrate how the SEOL system is used, Enel Energia, with the documentation received on 31 January 2023, provided evidence of access to the CRM via N.Eve (successful and failed logins) for 12 December 2022 by identifiers attributable to the agencies XX (1 user, 26 access attempts in total), XX (2 users, 320 access attempts), XX (2 users, 3 access attempts) and XX (2 users, 12 login attempts), extracted from the SEOL dashboard.

The Company also sent a sample report, extracted from N.Eve, of the upload activity carried out by the agencies, which lists, for some sample days, the paper contracts entered by the agencies XX, XX, XX and XX.

In the absence of specific explanatory elements from the Company, the results of the above extractions were analysed, together with the remaining preliminary documentation, by the Authority's technological division, which on 22 March 2023 drew up a report attached in full to the act initiating proceedings no. 108535/173067;

e) verification of the presence of contracts acquired by Veronese companies and passed through Florentine companies

during the inspection at Enel Energia, the company managers were given the lists of contracts resulting from the illicit marketing activity of the Veronese companies, which had then passed through the two Florentine companies for upload into Enel Energia's systems. The inspection staff asked, for each contract, whether it was present in the company systems and, if so, the name of the agency that had uploaded it, the activation status of the supply and the type of commodity (electricity or gas). The Company responded by sending a list, received by the Authority on 31 January 2023 as indicated above, containing 595 contract identifiers out of the 654 found at the Veronese and Florentine companies.

However, this figure merges contracts where the same identifier refers, for one customer, to both the gas and the electricity supply. In reality, the table provided by Enel Energia consists of 978 contracts, 573 for the supply of electricity and 405 for the supply of gas. Of these 978 contracts, 874 were regularly activated and 104 cancelled. The systems show that these contracts were uploaded by the agencies XX (433 contracts), XX (164), XX (150) and XX (231). With reference to the latter agency, Enel Energia stated that it "has repeatedly applied penalties for contractual breaches found during the inspection. The contractual relationship with XX ceased as of February 26, 2021".

Furthermore, during the inspection, the company's CRM was accessed to verify some paper contracts on Enel Energia forms acquired from the Veronese companies. 5 of the 8 requested contracts, stipulated by XX (3 contracts) and XX (2 contracts), were found and displayed. In all these cases the scanned copy held in the CRM was displayed, and it presented more than one discrepancy with the copy originally acquired by the Authority.

The original paper forms of the contracts stipulated by the agencies are sent to the XX company for digitization, archiving and subsequent matching with the customer's details.

For completeness, it should be noted that, in execution of the aforementioned provision no. 184 of 13 April 2023 against the Veronese and Florentine companies, the databases and contact lists used for the ascertained illicit marketing activities were confiscated on 6 and 7 June 2023;

f) further investigations on the contracts found at the Veronese companies

the list of contracts acquired by the Veronese companies, passed through the Tuscan companies and then entered into Enel Energia's CRM, was shown to the energy company XX during inspections carried out on 17-19 April 2023, precisely in order to complete the investigative framework relating to the original Guardia di Finanza activity from which today's proceedings derive. In that context it was ascertained (response to the minutes' requests received on 23 May 2023 - protocol no. 81559/173067) that 264 users in the lists were XX customers; of these, almost all (244) were customers that XX had acquired in the past through one of the Veronese companies, which was also affiliated with its official sales network. In addition, XX's findings show that the lists contain a further 231 subjects for whom the tax code and POD/PDR numbers are missing: based on names alone, these 231 subjects would have been XX customers, 225 of them acquired by one of the Veronese companies, specifically the one included in the energy company's official sales network. The overall total of former XX customers who moved to Enel Energia through the illicit promotional activities of the Veronese companies and the equally illicit data-entry activities of the Florentine companies would therefore amount to approximately 469 names, out of the 654 present in the lists acquired during the Financial Police inspections (equal to 71.7% of the total).

1.3. Dispute of violations

At the end of the investigation, the Office adopted the aforementioned notice of dispute no. 108535/173067 in which, in brief, it observed that:

with reference to the methods of access to the N.Eve platform by the agencies of the sales network, Enel Energia introduced a second authentication factor capable of reducing the risk associated with credential theft and with various types of cyber attack, including so-called brute force or credential stuffing attacks, but this does not reduce the risk of credentials being shared between multiple users who use them at the same time. The shared use of credentials, which appears to be confirmed by numerous elements in the reports sent by Enel Energia in response to the Authority's requests for information, is made possible precisely by an authentication system that does not exclude multiple, simultaneous accesses with the same credentials. It thus allows multiple subjects, including those external to Enel Energia's official sales network and therefore exempt from the constraints it contractually imposes, including compliance with data protection legislation, to upload contractual proposals onto N.Eve, creating the commercial outlet, or gateway, for the many illicit activities of the so-called "undergrowth of telemarketing", as shown by the objective and incontrovertible data of the numerous contract proposals procured by the illicit association referred to in the provision of 14 April 2023 and later found in Enel Energia's systems;

with reference to the adoption of measures aimed at preventing possible illicit processing from the moment of data collection, the Company, despite having various compliance verification systems and despite collecting the access logs of the agencies of its sales network, has never actually and effectively used the tools at its disposal to verify the correct use of the systems and to prevent incorrect practices by its own contracted agencies and by third parties. In other words, as the preliminary findings show, Enel Energia already has, in theory, all the data that would allow it to combat the so-called "undergrowth" phenomenon, but it does not use them effectively, having not prepared the organisational and technical measures needed to critically read such data either horizontally (the quantity of contractual proposals entered by each agency of the official sales network) or vertically (the quantity of contractual proposals entered by each agent and the way they are entered), in order to identify possible incorrect practices. The entire reporting and control system has in fact been structured with the pre-eminent (if not exclusive) purpose of verifying contractual validity with respect to users and "productivity" with respect to partner agencies. As proof of this, the company itself stated that the log monitoring activity, although also provided for the N.Eve interface, does not raise alerts on accesses from different geographical locations or on multiple accesses. In the first case the function was deactivated because of an alleged difficulty in accurately geolocating IP addresses; in the second case because it generated an excessive number of false positives, due to a high use of mobile devices.

The absence of effective security measures and the deliberate deactivation of the controls described so far is what made possible the conduct ascertained regarding the Veronese and Florentine companies, which did not limit themselves to entering into Enel Energia's systems the 978 contracts, relating to 595 users, for which there is certain documentary evidence, all verified by Enel Energia itself. According to the examination of the material confiscated in execution of provision no. 184/2023, they would have entered approximately 9,300 contracts into Enel Energia's systems from 2015 to 2022, 1,640 of them in just the ten months of 2022 preceding the inspection at the energy company. All this without any of the four companies being officially part of the Enel Energia sales network;

with reference to the way the agencies are designated as data processors and the possibility granted to them to make use of sub-agencies, it must be reiterated that a correct distribution of responsibilities cannot disregard the close control, required by law, that the controller must exercise over its processors, and possibly also over sub-processors, which, as the results of the investigation show, was never actually carried out over the agencies that allowed the entry of the contracts unduly acquired by the companies referred to in provision no. 184/2023. It is also noted that the obligations and constraints binding a processor to its controller also apply, by law, to the further relationships between the processor and any sub-processors. Therefore, the relationships between agencies and sub-agencies cannot be regulated without considering this "chain of responsibility", which runs back from the sub-agent to the controller and must be taken into account when formalising the relationships between these subjects.
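The two gaps the notice of dispute describes, simultaneous use of one credential that MFA alone does not stop, and upload counts that are never read per agency ("horizontally") or per agent ("vertically"), are both detectable from the access logs the Company says it already keeps. The following is an added example written for this page, not code from the decision or from Enel Energia's SEOL or N.Eve systems. The log format, field names, thresholds and every sample line are constructed assumptions. The concurrent-use check deliberately requires the two source IPs to alternate (A, then B, then A again) so that a single phone changing network, the false-positive case the Company cited for disabling its alert, does not fire.

```python
"""Detection over constructed CRM access/upload logs (added example, not from
the decision or from any Enel Energia system). Two checks the notice of
dispute says were missing on N.Eve:
  1. one credential in use from two source IPs at the same time, and
  2. per-agent ("vertical") and per-agency ("horizontal") upload volumes
     that are outliers against their peers.
All names, formats, thresholds and sample data are assumptions."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

SESSION_TTL = timedelta(hours=8)            # assumed idle timeout for a session
INTERLEAVE_WINDOW = timedelta(minutes=30)   # assumed: IP A, then B, then A within this

# Constructed sample log, one event per line: time agency user src_ip event.
# user01 is a credential shared between two workstations; user05 bulk-uploads.
SAMPLE_LOG = """\
2022-12-12T09:00:00 AG-A user01 203.0.113.10 login_success
2022-12-12T09:05:00 AG-A user01 203.0.113.10 upload
2022-12-12T09:07:00 AG-A user01 198.51.100.7 login_success
2022-12-12T09:08:00 AG-A user01 198.51.100.7 upload
2022-12-12T09:10:00 AG-A user01 203.0.113.10 upload
2022-12-12T09:15:00 AG-A user02 203.0.113.11 login_success
2022-12-12T09:20:00 AG-A user02 203.0.113.11 upload
2022-12-12T09:30:00 AG-A user02 203.0.113.11 logout
2022-12-12T10:00:00 AG-B user03 192.0.2.20 login_success
2022-12-12T10:05:00 AG-B user03 192.0.2.20 upload
2022-12-12T10:06:00 AG-B user03 192.0.2.20 upload
2022-12-12T10:40:00 AG-B user04 192.0.2.21 login_success
2022-12-12T10:45:00 AG-B user04 192.0.2.21 upload
2022-12-12T11:00:00 AG-C user05 192.0.2.30 login_success
""" + "".join(  # user05 enters 40 contracts in 40 minutes (constructed)
    f"2022-12-12T11:{m:02d}:00 AG-C user05 192.0.2.30 upload\n" for m in range(1, 41)
)


def parse(log_text):
    """Yield (timestamp, agency, user, src_ip, event) per non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, agency, user, ip, event = line.split()
            yield datetime.fromisoformat(ts), agency, user, ip, event


def detect_shared_credentials(log_text):
    """Flag a credential when IP A is active, IP B is then used, and A is used
    again within INTERLEAVE_WINDOW with no logout in between. A plain A -> B
    change (mobile handover) does not fire. Returns [(time, user, ip_a, ip_b)]."""
    active = {}      # user -> {ip: last_seen}
    flagged = set()  # (user, {ip_a, ip_b}) already reported
    alerts = []
    for ts, _agency, user, ip, event in parse(log_text):
        seen = active.setdefault(user, {})
        for stale in [i for i, t in seen.items() if ts - t > SESSION_TTL]:
            del seen[stale]                       # expire idle sessions
        if event == "logout":
            seen.pop(ip, None)
            continue
        if ip in seen:                            # this IP was used before...
            prev = seen[ip]
            for other, t_other in seen.items():   # ...and another IP since then
                key = (user, frozenset((ip, other)))
                if other != ip and prev < t_other and ts - prev <= INTERLEAVE_WINDOW \
                        and key not in flagged:
                    flagged.add(key)
                    alerts.append((ts.isoformat(), user, ip, other))
        seen[ip] = ts
    return alerts


def robust_outliers(counts, k=3.0):
    """Return {key: count} for counts above median + k * scaled MAD. When the
    MAD is 0 (peers nearly identical) require at least double the median."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    threshold = med + k * 1.4826 * mad if mad else 2 * med
    return {key: n for key, n in counts.items() if n > threshold}


def upload_outliers(log_text):
    """Vertical (per agent) and horizontal (per agency) upload-volume checks.
    Returns (agent_outliers, agency_outliers)."""
    per_agent, per_agency = Counter(), Counter()
    for _ts, agency, user, _ip, event in parse(log_text):
        if event == "upload":
            per_agent[(agency, user)] += 1
            per_agency[agency] += 1
    return robust_outliers(per_agent), robust_outliers(per_agency)


if __name__ == "__main__":
    for alert in detect_shared_credentials(SAMPLE_LOG):
        print("shared credential:", alert)
    agents, agencies = upload_outliers(SAMPLE_LOG)
    print("agent outliers:", agents)
    print("agency outliers:", agencies)
```

On the constructed log, only user01 is reported for concurrent use (at 09:10, when the first workstation resumes while the second is still active), and only user05 and its agency AG-C exceed the robust thresholds. The MAD-based threshold is a deliberate choice over a fixed daily cap: it adapts as the network grows, and it is hard for one agency to lower its own threshold by flooding the system, since the median and MAD are driven by the peers.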

Based on the considerations summarized here, the Office notified Enel Energia of the following alleged violations:

a) Articles 5, par. 1, letter f), and 32 of the Regulation, for having failed to carry out an adequate assessment of the risks connected to the N.Eve interface and, consequently, for having failed to adopt, towards the network of official agents, the appropriate measures to guarantee correct use of the access credentials to the company system and to avoid the sharing of those credentials between multiple subjects, thus allowing the introduction into Enel Energia's information and contractual system of contract proposals acquired by subjects not authorized to process personal data or to access the Company's systems;

b) Articles 5, par. 2, 24, par. 1, and 25 of the Regulation, for having violated the duties of accountability and privacy by design in that it did not implement effective action to combat the incorrect behavior of some agencies, thus allowing them to act in order to procure contracts for Enel Energia, and for not having exercised, in a full and conscious manner, its duties and its power of control through elements of prevention, functionality and security of the systems as well as through the transparency of the processing and the centrality of the data subject;

c) Article 28 of the Regulation for, on the one hand, having stipulated contracts with its agencies which formally provide for a division of responsibility that does not correspond to the concrete structure of the processing chain and is lacking in terms of the control obligations of the controller and, on the other hand, for not having stipulated, or ensured the stipulation of, the necessary legal documents with those subjects, allegedly unknown, but in reality, as demonstrated by the preliminary findings, known and actively and fully integrated in the sales chain of the Company's services.

2. THE CONTROLLER'S OBSERVATIONS

Enel Energia, with a note dated 24 July 2023, recalling the existence of needs linked to the "large number and complexity of the disputes handled", requested pursuant to Article 13, paragraph 3, of Regulation no. 1/2019 of the Office of the Guarantor that "the deadline for submitting defense deductions be extended by at least 15 days, and in any case until 28 September 2023". The Office granted this extension: the Company therefore exercised its right to be heard by submitting a brief on 28 September 2023 and participating in the hearing at the Authority on 4 October 2023.

In the brief, which is intended to be fully referenced here, Enel Energia observed what is summarized below:

a) violation of the time limits of the procedure - considering that the Authority carried out inspection activities against Enel Energia on 24 and 25 November 2022 and that the Company sent the further supplementary documentation on 16 December 2022, the deadline of 120 days from ascertainment of the violation for initiating proceedings, provided for by Regulation no. 2/2019 of the Office of the Guarantor, would have expired on 15 April 2023, while the act initiating proceedings no. 108535/173067 was notified on 14 July 2023. In this regard, Enel Energia recalls the peremptory nature of the deadline in question and the fact that the technical report of the Authority's technological department, filed in the documents on 22 March 2023, would be "an internal act of compilation of the results already collected which does not change anything";

b) infringement of the right of defence, of legitimate expectations and of the duty to concentrate administrative proceedings - Enel Energia recalls the previous provision adopted by the Guarantor against the same Company, no. 443 of 16 December 2021 (in www.gpdp.it, web doc. no. 9735672), then highlighting that "the facts underlying the current dispute are part of an investigation that began with the activity of the Compagnia di Soave of the Guardia di Finanza starting from March 2021", and were therefore known to the Authority before the notification of provision no. 443. This knowledge, acquired in September 2021 with the transmission of the documents, should have led the Guarantor to suspend the proceedings which gave rise to provision no. 443, or to archive it and proceed to formulate new complaints taking into account the investigations of the Financial Police. Furthermore, the Authority would have ordered the inspections (of Sesta Impresa, Arnia and Enel Energia) at a considerable distance from one another "instead of immediately notifying EE [Enel Energia] of what was emerging", and would have "conducted the investigation leaving EE to continue its activity trusting in the correctness of its actions", so that Enel Energia would have been "caught by surprise" by the new complaint of 14 July 2023. All this would be contrary to the principles of good performance and correctness of the Public Administration, leading to excess and misuse of power, "with consequent annulment of any sanctioning measure";

c) violation of the principle of ne bis in idem (lis pendens and res judicata) - the object of the dispute in this proceeding would coincide with that relating to provision no. 443 of 16 December 2021, differing only in the technical tool identified as the cause of the violations (in provision no. 443, the quality call system; in the dispute of 14 July 2023, the Multi Factor Authentication - MFA - system). Due to the identity of the disputes, the judicial proceedings that would be initiated following any challenge to today's provision would be barred by the rules on lis pendens or those on res judicata, in relation to the first provision. The two proceedings (the one relating to provision no. 443, and the entirely hypothetical one relating to today's provision) would share the parties involved, the petitum constituted by the request for a declaration regarding "the correctness of the management methods of the agency channel and teleselling currently in use by Enel Energia", and the causa petendi, given that the Authority would have accused the Company of the same conduct relating to the same time period. Enel Energia observes that "in any case, the Dispute concerns conduct that was already known in December 2021 (at least in its essential elements) to the Guarantor, who should therefore have raised it in the first proceeding or, if deemed necessary, investigated it further by reopening the investigation";

d) partial denial of the right of documentary access and prejudice to the cross-examination (request for deferral or exclusion of documents) - Enel Energia notes that, during the access to the administrative documents of 26 July 2023, the Authority would not have allowed the extraction of a copy of the documents relating to the database of the soc. coop. Arnia, subject to confiscation in the previous month of June; on this point, the Company observes that consulting the Arnia database is essential to understand the extent of the relationships between some agencies contracted by Enel Energia and the four Veronese and Florentine companies, since only in this way could it collect the information needed to evaluate the possible involvement of these agencies in the undergrowth system;

e) absence of the causal link between the alleged lack of security measures and the alleged inadequacy of the governance of Enel Energia's telephone contacts - unfoundedness of the complaints referred to in points a) and b) of paragraph 1.3 of this provision - the Guarantor would attribute the cause of the consolidation of the wild telemarketing phenomenon to the lack of a single and specific security measure linked to the management of the credentials of the N.Eve platform. This would be based on a mere supposition, i.e. the alleged uploading of contracts by subjects not specifically authorized by Enel Energia, and would contradict the assumptions of provision no. 443 of December 2021, which would identify the incompleteness of the so-called quality call as the sole cause. Furthermore, Enel Energia would detect elements of contradiction and "approximation" in the conduct of the investigation by the Guarantor, since not only would it have examined a single critical element to consider the entire privacy organization of the telemarketing processing chain unsuitable, but it would have limited its investigations to the period from 2015 to 2021, therefore excluding from its analysis the relevant security implementations adopted by the Company after 2020. The problems underlying the phenomenon of unwanted telemarketing can be traced back to much more complex issues which concern the unfair conduct of some agents in the official supply chain, the limited powers of Enel Energia in controls and the role of public authorities such as the Guarantor, police forces and judicial authorities. Regardless, in any case, of the complexity of the phenomenon, in order to consider Enel Energia fully involved in the effort to combat the undergrowth of telemarketing, primary consideration must be given to the Company's choice to activate, from 2020, an authentication system for access to its own systems with greater security and reliability than the previous ones;

f) EE cannot be blamed for the possible inadequacy of the N.Eve system and of the controls on the agency network - unfoundedness of the complaints relating to Articles 5, par. 1, letter f), and 32 of the Regulation, and 5, par. 2, 24 and 25 of the Regulation - given that the illicit telemarketing activities ascertained with provision no. 184 of 13 April 2023 were carried out by four companies not under contract with Enel Energia and that the agencies of the official sales network involved were made known to the Company only following access to the documents on 26 July 2023, it is clear that, on the one hand, the only subjects who have benefited from the overall affair are those who operated behind Enel Energia's back, who maximized the advantages of so-called "energy tourism" (repeated passage of customers from one company to another in order to gain maximum commissions in a limited time frame), a phenomenon that could only be fully reconstructed through the detailed analysis of the confiscated databases. In fact, a summary analysis revealed that the number of contracts acquired in its favor by the four agencies (9,344) is significantly lower than the number of contracts lost due to customers switching to another supplier (20,148). Also from the point of view of accountability, Enel Energia's choice to introduce a more secure authentication system, combined with the decision taken in July 2023 to eliminate the possibility of simultaneously accessing systems with the same account from multiple devices, constitutes full confirmation of the fact that the Company has acted by adopting all the security measures required by the state of the art at the time of setting up the platform and the management process of the final phase of remote contracting, according to the standard of diligence required by Articles 24, 25 and 32 of the Regulation.

It should also be considered that, alongside the MFA authentication system, Enel Energia has included the interactions of operators with the N.Eve platform in the monitoring procedures envisaged in SEOL. In particular, SEOL monitors the data uploaded to N.EVE and generates alerts in the event of access to the system outside working hours, massive downloading of data, searches that generate massive lists of customer data, and use of unauthorized robots. To this it must be added that the procedures adopted by the Company for the verification of contracts (analysis of monthly averages for each individual agent, monitoring of unproductive agents, feasibility analysis of individual offers, verification of the traceability of the sales kits to the agent to whom they were originally assigned, analysis of contract loading times, analysis of PODs to verify the existence of episodes of "energy tourism") are not reduced to a mere control of productivity but constitute an advanced monitoring system of the Agencies' activity aimed at measuring the quality of services by aligning the activities of all partners with standards of excellence and thus preventing possible malpractices. Enel Energia then adds that the introduction and subsequent strengthening, from May 2023, of the Quality Portal (with the analysis of the quantity of offers canceled by customers and the withdrawal rate immediately following the subscription of the offer) allows greater accuracy in identifying any anomalous behavior of the agencies. Enel Energia concludes that these checks "to date have not revealed any anomalies. However, Enel Energia is evaluating an increase in controls on the management of paper contracts, which is also carried out using external suppliers".

In addition to the above considerations, Enel Energia has added further considerations regarding the good faith and correctness of the Company, highlighting that since July 2023 the N.Eve platform has been set up in such a way that each agency account can be used from only one device at a time. An automatic mechanism was therefore introduced whereby, if during a work session a second device attempted to connect with the same credentials, the system would block access. At the same time, starting from April 2023, as part of SEOL, the Company has developed and installed a monitoring system to control multiple access attempts in order to detect suspicious behavior in contract uploading activities both by agencies and by the commercial outlets managed directly by Enel Energia. Furthermore, the Company represented that it had taken steps to request information from its agencies on the matter referred to in the November 2022 inspection, with letters dated February 2023, and that it had suspended contractual relationships with these agencies as a precaution between June and August 2023. Enel Energia underlined that during the aforementioned inspection activities it informed the Guarantor that it had established a sort of black-list of the agencies and that this circumstance was used in the act initiating the procedure not to take into account the good faith and collaboration of the Company but, on the contrary, to highlight the irrelevance of its initiatives;

g) unfoundedness of the complaint regarding the violation of Article 28 of the Regulation - the contractual clause of the standard agreement with the agencies according to which "any employees, subagents, auxiliaries and collaborators used by the Agency are under its exclusive responsibility and will therefore respond directly to the Agency itself, with total ignorance of the Principal" does not violate the provisions of Article 28 of the Regulation, since that article provides that the controller can give the processor the possibility (even a general one) to engage sub-processors and, in the chain of responsibilities, the processor is always responsible towards the controller for any illicit activity of the sub-processors: "Enel Energia, far from wanting to escape its responsibility, has required its processors to adopt specific clauses also in contracts with sub-processors and has also required processors to make available all useful information and to make themselves available for inspections".

Enel Energia finally drew attention to how it is contrary to the rules on the concurrence of norms, established in general terms by Article 9 of Law no. 689/1981 as well as Article 83 of the Regulation, to believe that the same fact can be sanctioned for the violation of rules actually established to protect the same legal asset, one of which is special compared to the other. This starts from the consideration that the rules alleged to have been violated in the act initiating proceedings no. 108535/173067 are an expression of the same general obligation of correctness of the processing as was foreseeable at the time of planning the processing.

During the hearing held at the Authority on 4 October 2023, Enel Energia recalled what was observed in the brief and further specified, with reference to the monitoring functions introduced in SEOL, that they return an alert when the operators of all physical channels, including agencies, make at least ten daily accesses to Enel Energia systems. Upon exceeding a further threshold, equal to 50 daily accesses, analytical checks are envisaged (analysis of the IP addresses and of the browser used for data transit) by the competent Enel Energia functions in relation to the activity of individual operators. These checks, carried out since April 2023 on all the agencies operating for Enel, including those that had uploaded the approximately 500 contracts provided by the Authority, did not reveal any anomalies, in the sense that the multiple accesses were attributable to the same IP address and therefore, probably, to the same person.

As for the post-inspection checks of November 2022, Enel Energia represented that the starting point of the approximately 500 contracts made it possible to send a request for clarification to the various agencies involved, which communicated the names of the agents who had acquired the contracts then delivered to back-office operators for subsequent data entry. All the contracts were uploaded by the agencies' back-office operators, equipped with independent credentials, and not by the agents using their own. The agents were all duly designated by their respective agencies at the time the contracts were uploaded. However, when the Company responded to the Guarantor's requests in November 2022, they had all already been revoked by the agencies themselves. Only following access to the documents on 26 July 2023 was the Company able to learn that some of these agents had held various roles in Sesta Impresa (specifically Messrs. XX, XX and XX). The facts that emerged from the documents acquired during access to the documents and the analyses carried out subsequently are condensed in a complaint to the judicial authority (AG) that is being prepared. The Company therefore sent the list of the above agents on 13 October 2023.

3. ASSESSMENTS BY THE AUTHORITY

Although the Company's arguments were mostly concentrated (70 points out of a total of 129) on aspects of the formal legitimacy of the investigation rather than on the substance of the charges, the Authority deems it necessary to reverse this order of presentation by focusing primarily not on the formal consequences of the Guarantor's investigation but on those, much more serious and substantial, which may derive from an unsuitable configuration of the security measures safeguarding the information assets of Enel Energia and its customers.

The examination of the considerations expressed by Enel Energia in the defense brief and during the hearing, in fact, leads us to believe that they are not suitable for excluding or mitigating the Company's responsibilities in relation to the disputed violations, for the reasons that are analytically set out here.

Starting therefore from the substantive aspects, it is worth underlining, before any consideration regarding what was stated by Enel Energia in the context of the exercise of the right to be heard, that the Company was unable to provide its own decisive account of the main fact, ascertained and documented, from which the entire proceeding originates, namely that a list of 595 users of the energy and gas market, to which 978 contracts can be traced back, found at two Veronese companies not contracted with Enel Energia, appears to have subsequently passed through two Tuscan companies who admitted having carried out data-entry operations on the aforementioned contracts by accessing the Enel Energia portal without having their own authentication credentials, and that those contracts were almost entirely found within the Enel Energia systems.

Likewise, no explanation was provided regarding the circumstance, which is also undisputed since it was verified by Enel Energia when accessing the documents on 26 July 2023, that from 2015 to 2022 the soc. coop. Arnia, never contracted by the Company and even the subject of a specific warning for illegitimate use of the Enel brand, was able to ensure the loading of approximately 9300 contracts in favor of the aforementioned energy company over approximately 8 years of activity.

In this regard, it is fair to point out that the Authority's investigation, starting from an episode that came to the attention of the Financial Police by chance (the investigations into some people who were going around the streets trying to enter homes despite the prohibitions connected to the pandemic emergency that was dramatically underway at the time), was complex and difficult to carry out because it had to reconstruct the path of the contracts illicitly acquired by the Veronese companies, from the single abusive agent up to the Enel Energia systems into which they were entered.

Therefore, what the Guarantor investigated was a web of relationships and incorrect practices that Enel Energia, from within and with more penetrating means, thanks to the contractual constraints on the sales network and the resources available to it for the control of its partners and its systems, could easily have brought to light, also in consideration of the experience now acquired by almost all the large energy and telephone companies (which, not surprisingly, have completed, together with their trade associations, the difficult work of a Code of Conduct on the matter) of what the phenomenon of wild telemarketing has produced, and which can be eradicated by raising the quality of procedures, controls and security measures to a level appropriate to the pressure that the so-called undergrowth exercises on the official supply chains, a pressure which in Italy appears to be extraordinarily significant.

In light of these considerations, the fact that, even today, Enel Energia has not been able to provide timely responses and solutions to an episode as serious as it is significant denotes an approach that is still not aware of, much less responsible for, the complexity of the problem, where the need expressed by Enel to also obtain in court a "declaration regarding the correctness of the management methods of the agency channel and teleselling currently in use by Enel Energia" appears to prevail for it over that of intercepting and combating incorrect activities that have been verified in all their objectivity by the presence, within the Company's systems, of contracts acquired illicitly (on this point see the provisions of the Guarantor regarding telemarketing which have become irrevocable, referred to below).

As for the observations expressed by Enel Energia in the brief of 28 September 2023, on the merits, the Company first of all highlights the absence of a causal link between the lack of security measures and the inadequacy of the governance of telephone contacts, from which would follow the unfoundedness of the complaints referred to in points a) and b) of paragraph 1.3 of this provision.

In this regard, it should be noted that the complaint referred to in point a) concerns Enel Energia's failure to evaluate the risks associated with the use of the N.Eve platform and, specifically, the failure to adopt security measures suitable to avoid undue use of the authentication credentials for the aforementioned platform. On this point it must be reiterated that the presence in one's CRM of contracts that should not have been there, and the loading of the same by unauthorized parties, does not represent, contrary to what the Company observes, a mere "theory", but a fact found in the declarations of the owner and employees of the soc. coop. Arnia ("Both the owner of the cooperative and the coordinator of the data-entry activities confirmed that they had inserted the contracts coming from Mas s.r.l., which then became available to Sesta Impresa, by accessing the Enel Energia system, of which they also provided the exact name" - provision no. 184 of 13 April 2023), as well as in the results of the inspection activity at Enel Energia, from which it emerged that 595 customers, to whom 978 contracts for the supply of electricity and gas can be traced, present in the lists of the Veronese companies, had flowed into the Company's CRM. To these elements must be added the circumstance, ascertained following the examination of what was confiscated from the Veronese and Florentine companies, that the soc. coop. Arnia would have carried out the uploads into the Enel Energia systems on a regular basis from the year 2015 until the end of 2022, inserting a total of 9380 contracts, of which 1640 in the year 2022, 1490 in 2021 and 1660 in 2020 (years of full operation of the new authentication system).

The three elements mentioned above (testimonies at Arnia, findings in Enel Energia's systems and further verification from the examination of the confiscated material) provide evidence of a practice considered by the undergrowth agencies as completely ordinary and easy to implement, especially considering that it was carried out by ordinary data-entry operators and certainly not by sophisticated cyber-criminals, from which one must derive, ictu oculi, a judgment of significant vulnerability of the security measures and of the monitoring and control systems placed to safeguard the information assets of the Company and its customers.

For the sake of completeness of the investigation, also for the benefit of the Data Controller, the Office, with the in-depth analyses conducted in the technical report of 22 March 2023, nevertheless analyzed the results of the extractions from the company systems provided by Enel Energia, from which it was found that "the use of MFA via Microsoft Authenticator does not, in itself, make it impossible for multiple subjects, even those not known to the Company, to share the same credentials given to an agent. In fact, Authenticator allows you to connect multiple verification devices to an account, without disconnecting the previous devices. As indicated by Microsoft itself in the FAQ on the use of Authenticator: 'Adding Authenticator to the new device does not automatically remove the app from the old device. Even deleting the app from your old device isn't enough. You must delete the app from your old device and tell Microsoft or your organization to forget and deregister your old device.'"

On this point, the technical report significantly concludes that the risk of unauthorized operations can be avoided or reduced "by preventing, ex ante, multiple accesses by the same user by terminating the user session if another is established with the same credentials or denying the establishment of the new session", a measure which appears to have been actually implemented by Enel Energia (in July 2023) and which must be taken into account.

On the contrary, the measure introduced in April 2023 which provides for alert thresholds with unspecified effects in the event of exceeding 10 or 50 daily accesses by the same user appears ineffective.

As for the possible ex-post controls, the technical report, in addition to observing that, from the data on accesses and uploads extracted from the company systems, "the operators of some agencies are able to insert contracts into the N.Eve system at an absolutely remarkable rate (up to 10 contracts per hour for 2021 and up to 6 contracts per hour for 2022, for every hour of every working day, without breaks)" and that "in some cases, a few tens of seconds are enough for an operator to enter all the data of a contractual proposal (see for example operator XX or operator XX of XX or operator XX of XX)", also found from the access logs that "in fact, numerous and close login operations are traced (for example for an XX operator at 11:59:33, at 12:00:53, at 12:29:10, at 12:31:30 on 12/12/2022) without any logout operation associated with them, although both operations are traced in the N.Eve logs". The circumstance appears significant since multiple log-in operations, without each of them being followed by a correlated log-out operation, are evidently attributable to simultaneous access from multiple stations. These "suspicious" operations could easily have been monitored by Enel Energia through selective checks on specific agencies, considering that some of them, compared to the average loading times of the Company's entire sales network, have averages 11, 12 and even 14 times higher.
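The two kinds of control discussed in the technical report, the ex-ante single-session rule and the ex-post reading of access logs for logins without a logout and for implausibly fast contract entry, as an added example that is not code from the decision or from Enel Energia's systems. The log format, the field names and the 60-second threshold are assumptions; the log lines are constructed to reproduce the pattern the report describes.

```python
"""Added example, not code from the Garante decision or from Enel Energia.
It shows the two kinds of control the technical report discusses, on
constructed data; log format, field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median


class SingleSessionStore:
    """Ex-ante control: one live session per credential. Policy
    "terminate_old" ends the earlier session when a new one is opened;
    "deny_new" refuses the second login. Either way a shared credential
    cannot be used from two places at the same time."""

    def __init__(self, policy="terminate_old"):
        if policy not in ("terminate_old", "deny_new"):
            raise ValueError(policy)
        self.policy = policy
        self.active = {}  # user -> live session id

    def login(self, user, session_id):
        """Return True if the session was established, False if refused."""
        if user in self.active and self.policy == "deny_new":
            return False
        self.active[user] = session_id  # replaces (terminates) any old one
        return True

    def logout(self, user, session_id):
        """Only the session that is actually live may end itself."""
        if self.active.get(user) != session_id:
            return False
        del self.active[user]
        return True


# Constructed access log; assumed format "<ISO timestamp> <user> <agency> <event>".
# op1 shows the pattern the report describes: repeated logins with no logout
# and contract uploads a few tens of seconds apart. op2 behaves normally.
SAMPLE_LOG = """\
2022-12-12T11:59:33 op1 agencyA login
2022-12-12T12:00:53 op1 agencyA login
2022-12-12T12:01:10 op1 agencyA upload
2022-12-12T12:01:40 op1 agencyA upload
2022-12-12T12:02:05 op1 agencyA upload
2022-12-12T12:29:10 op1 agencyA login
2022-12-12T12:31:30 op1 agencyA login
2022-12-12T12:32:00 op1 agencyA upload
2022-12-12T09:00:00 op2 agencyB login
2022-12-12T09:15:00 op2 agencyB upload
2022-12-12T10:40:00 op2 agencyB upload
2022-12-12T12:00:00 op2 agencyB logout
2022-12-12T13:00:00 op2 agencyB login
2022-12-12T13:20:00 op2 agencyB logout
"""


def parse_log(text):
    """Return (timestamp, user, agency, event) tuples in time order."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, agency, event = line.split()
            rows.append((datetime.fromisoformat(ts), user, agency, event))
    return sorted(rows)


def find_overlapping_logins(rows):
    """Ex-post check 1: a login by a user whose earlier session never logged
    out means the credential was live from two stations at once."""
    live, flagged = set(), []
    for ts, user, _agency, event in rows:
        if event == "login":
            if user in live:
                flagged.append((user, ts.isoformat()))
            live.add(user)
        elif event == "logout":
            live.discard(user)
    return flagged


def find_fast_uploaders(rows, min_gap_seconds=60):
    """Ex-post check 2: operators whose median gap between two uploads is
    shorter than a plausible time to key in a whole contract proposal."""
    uploads = defaultdict(list)
    for ts, user, _agency, event in rows:
        if event == "upload":
            uploads[user].append(ts)
    flagged = {}
    for user, times in uploads.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and median(gaps) < min_gap_seconds:
            flagged[user] = median(gaps)
    return flagged
```

On the sample log only op1 is flagged by both ex-post checks; the threshold-only alerting described at the hearing would not distinguish the two operators, since both make fewer than ten logins a day.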

If it is true that certain proof of the uploading of contracts into Enel Energia's systems by unauthorized parties could only be obtained by catching the operator concerned in the act of the illicit conduct (a purely scholastic hypothesis, however), the evidence collected by the Authority and mentioned above, together with the Company's choice, represented during the inspection activity, to weaken the monitoring functions of the N.Eve platform because its riskiness was considered modest, is suitable to constitute full demonstration of the hypothesis of violation formulated in point a) of the act initiating the procedure: in other words, Enel Energia's choices connected to the assessment of modest risk of the N.Eve system and of the procedures for loading the contracts acquired through outsourced marketing activities were made despite the phenomenon of wild marketing being operated by a vast and branched underground world of agents and business touts who also operate by carrying out intolerable illegal activities, as documented in provision no. 184 of 13 April 2023, and despite the Company's sales network being made up of 210 agencies and 1288 accounts eligible for access to company systems. The result of this choice is represented by the gross activity in violation of the provisions of the Regulation, the Code and national laws carried out by the 4 Veronese and Florentine companies, which was easily and for a long time conveyed within the Enel Energia systems without the Company perceiving the slightest sign of it.

For these reasons, the hypothesis of violation referred to in point a), referred to in paragraph 1.3 of this provision, must be considered fully confirmed, since Enel Energia omitted an adequate assessment of the risks connected to the N.Eve interface and, consequently, failed to adopt, towards the network of official agents, the appropriate measures to guarantee correct use of the access credentials to the company system and to avoid sharing the credentials between multiple subjects.

As for the second complaint, referred to in point b) of the heading, Enel Energia observed that the Company's liability cannot be recognized since, first of all, the illicit conduct would have been carried out by external parties, not included in the official sales network of the energy company and necessarily outside its control regime, and, secondly, because the Company would in any case have set up a system of checks, through MFA, SEOL procedures and contract analysis, which responds to the needs identified by Articles 24 and 25 of the Regulation regarding the responsibility of the controller and privacy by design.

In this regard, it is necessary to reiterate what was specifically highlighted in the document initiating proceedings no. 108535/173067, namely that the deficiencies found in Enel Energia's systems are reflected in the preparation of planning tools and knowledge of the processes aimed at carrying out processing of personal data within the company.

Enel Energia, a company of primary importance in the Italian economy, has the means and organization to be able to establish, in every production process, a virtuous circuit that becomes a paradigm of the best practices that can be adopted. As also observed in the past, the history, structure and organizational dimension of Enel Energia would have allowed this company, a leader in the Italian energy market and always at the center of the economic and productive life of the country, even as a historical protagonist of the process of unification of the national electricity system first, and of the privatization and liberalization process then (as effectively stated on the enel.com website, which speaks of "Enel's transition from state utility to multinational integrated operator, listed on the stock exchange", cf. https://www.enel.com/it/impresa/storie/articles/2022/09/nuova-dimensione-internazionale), to prepare with due diligence cutting-edge organizational measures for the protection of data subjects, as well as appropriate and effective tools of control over the entire supply chain involved in the processing of personal data. The Company, also due to its important history, holds a very large amount of personal data of the resident population and, on the other hand, know-how regarding the processing of such data also with regard to the promotional activities for its services, in the context of which it was able to make use of the dialogue with the Authority and also of a significant body of measures that the Guarantor has adopted in the last 4 years, suitable for tracing the path both for correct data processing and for establishing an effective fight against illegal marketing.

From this perspective, if the question that Articles 24 and 25 of the Regulation require each data controller to answer is "to what extent the controller has done what could be expected of it given the nature, purposes or extent of the processing, and how it has managed to prove what it did", the matter analysed in today's provision returns a judgment of serious insufficiency regarding the actions planned and then actually implemented by Enel Energia, if only through the observation that effective measures would certainly have prevented an infiltration of illicit contracts over such a long period (as far as is known, from 2015 to 2022).

The extremely large number of the Company's network of agencies and the users authorized to upload contracts should have led the company to create and structure a system of checks suitable to allow full control of the outsourced processes, to be carried out with timely feedback on the contracts acquired, on the correctness of the compilation, on the presence or absence of corrections, and with checks and audits aimed at ensuring that what was represented by the Agencies in the contractual commitments with the Company corresponded to their actual operations.

What emerged from the contracts inspected, however, was that all of them, even the minimum sample displayed in digitized copy, had been acquired illicitly by the Veronese and Florentine companies, were present where they should not have been, namely in Enel Energia's systems, and above all showed deletions and discrepancies, in particular with reference to the agencies of origin. Even this last element could not fail to induce the Company to carry out targeted controls regarding evident alteration of the official documentation, which would certainly have revealed illicit conduct.

Furthermore, it cannot fail to be highlighted, as admitted and documented by Enel Energia itself, that as many as 164 contracts from the list of 978 present in the energy company's systems, illicitly acquired by the Veronese and Florentine companies, were "procured" by XX, director of one of the two Florentine companies, who had appeared on the Enel Energia blacklist since the time of the November 2022 investigations. The related contracts were all acquired by the XX agency, and in this regard it is legitimate to observe that close control of the aforementioned agency and of others with similar problems, even by random checks, would certainly have brought to light significant anomalies in relation to the matter referred to in today's provision and, in all likelihood, also in relation to similar conduct which has remained submerged because it has not come to the attention of the Garante (in this regard it should be noted that another agent present in the Enel Energia blacklist also appears to have acquired some of the 978 contracts, in this case attributable to the XX agency). It must also be reiterated, as highlighted in the notice of dispute regarding the overall activity of the Agencies, that some of them uploaded up to 50,000 contracts in two years, despite having only one user enabled for uploading and a total of 6 employees.

It is therefore very clear, from the above observations, to which must be added those reported in the general considerations of this paragraph, that Enel Energia did not use all the information necessarily at its disposal, although it was able to segment the operations of the Agencies and to carry out on-site checks, not even when the aggregate data returned production levels worthy of attention, and not even when agents who had ended up on the company blacklist turned out to be among the most active business procurers of certain well-identified agencies.

As regards the functionality of the SEOL system and the MFA procedure, reference must be made to what has already been observed in relation to the dispute under a), reiterating that the choice to weaken the controls envisaged in SEOL, and that of adopting an authentication procedure which did not exclude the possibility of multiple accesses to the Enel Energia systems with the same credential, reflect a precise choice of the data controller made on the basis of an assessment that the N.Eve system was not high risk. An assessment which, when tested against the facts, proved to be incorrect.

Furthermore, Enel Energia did not provide the adequate evidence required by art. 5, par. 2, of the Regulation on accountability to demonstrate that its choices regarding the processing of personal data follow a logic of effective containment of the serious phenomenon of wild telemarketing fuelled by the undergrowth of "de facto" agencies, even though these choices differ from the models repeatedly suggested by the Garante (for all, the provisions that have become irrevocable: no. 7 of 15 January 2020, in www.gpdp.it, web doc. no. 9256486; no. 143 of 9 July 2020, web doc. no. 9435753; no. 144 of 9 July 2020, web doc. no. 9435774; no. 224 of 12 November 2020, web doc. no. 9485681; no. 112 of 25 March 2021, web doc. no. 9570997; no. 192 of 13 May 2021, web doc. no. 9670025; no. 182 of 14 April 2023, web doc. no. 9894631) and fully outlined in the Code of Conduct for telemarketing and teleselling activities, presented by the trade associations (XX, XX, XX, XX, XX, XX, XX, XX) on 10 November 2022, after having been submitted for consultation to the most representative subjects of the categories involved from 21 July 2022 to 9 September 2022, and approved by the Garante with the aforementioned provision no. 70 of 9 March 2023.

The complex of considerations set out so far leads us to believe that the hypothesis of violation referred to in point b) of the heading is fully confirmed.

As for the dispute under c), having taken note of what was observed by Enel Energia, it must be highlighted that, on examination of the standard contract with the agencies provided by the Company during the November 2022 inspection, it does not provide what is established by art. 28, par. 4, of the Regulation, namely that "where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation". In the standard contract, reference is made, as highlighted in the dispute, only to the second part of the aforementioned provision, relating to the transfer of responsibility from the controller to the processor in relation to the actions of the sub-processor, a transfer which, on a systematic interpretation of the article, must be considered effective only where the first part is exactly applied.

Furthermore, the fact that the standard contract does not impose any obligation on the processor to regulate its relationships with the sub-processor in the same way as the controller intended to regulate those with the processor itself can be seen from the simple observation that, while the standard Enel Energia - Agency contract, between main part and annexes, as a rule runs to over 150 pages, the relationships between agencies and sub-agents are crystallized in very short agreements of a few pages in which reference is almost never made to the main Enel Energia - Agency contract and in some cases the underlying relationship with the energy company is not even mentioned in the introduction.

All this must certainly have been known to Enel Energia if what is stated in the standard contract between it and the Agencies is true, namely that "within ten days of the signing of this contract, the Agency undertakes to provide the Principal, by certified e-mail, with the list and details of the following subjects whom it intends to use: i) sub-agents, auxiliaries and collaborators".

From the above considerations it emerges that the standard contract that Enel Energia has prepared to regulate relations with the Agencies does not provide for the correct inclusion of any sub-processors in the circuit of controller-processor relations and data exchange, limiting itself to identifying a sort of total discharge of the Company's responsibility without this corresponding to full awareness and equally complete control of the processing possibly carried out by subjects identified by the processors. From this perspective, the observation reported in the notice of dispute, namely that "a provision such as that in number 6.4. of the contract between Enel Energia and the Agencies appears to deviate from this "chain of responsibility" which goes back from the sub-agent to the controller, formalizing, in fact, a release of responsibility for the controller, justified by the existence of a sort of "terrae nullius" – that of the sub-processors – where the controller cannot and does not want to enter", provides the correct description of the reporting system that Enel Energia has set up with reference to the activities of processors and sub-processors in the telemarketing sector, a reporting system which appears to confirm the hypothesis of violation of art. 28 of the Regulation.

Coming to the numerous observations made by Enel Energia in relation to alleged procedural violations by the Authority which would have directly affected the legitimacy of the act initiating the procedure and the overall investigation, it is necessary to proceed with a detailed analysis.

It is also a priority duty to reject as unacceptable and extremely serious the considerations expressed by Enel Energia's defence regarding the performance by the Garante of investigative activities in violation of the principle of trust, with the intention of misleading its interlocutor regarding the correctness of its conduct. From this point of view it is surprising that Enel Energia considered the complex of activities carried out by the Garante to bring to light serious episodes of unwanted telemarketing as detrimental to the good faith of the Company, which was initially kept in the dark about the investigation at the four Veronese and Florentine companies and then subjected to investigative measures such as an inspection, followed by a "surprise" notification of administrative violations; all in a context of alleged violation by the Garante of the principles of good performance and correctness of the public administration.

In this regard, it must be highlighted that the complaint is completely unfounded and specious. Enel Energia, in demanding to be promptly informed of the Garante's preliminary proceedings, even those addressed to other subjects, in addition to showing an evident confusion of roles with the internal audit activity carried out within the company, distorts the normal course of the investigative procedure of an independent administrative authority, which can take place, in particular because of the extensive investigative powers that art. 58, par. 1 of the Regulation grants the Garante, through a wide range of activities to be modulated on the basis of the principle of administrative discretion, especially in cases of greater complexity, also in order to protect the authenticity of the evidence collected and the confidentiality of any third parties. Activities which, however, in today's proceedings did not translate into the adoption of "surprise" actions, given that the inspection was pre-announced and accompanied by extensive documentation, and the subsequent steps appear in line with the provisions of the law, with the internal regulations of the Office and with the constant practice of the Authority.

The inspection activities at Enel Energia, planned and carried out immediately after the conclusion of the investigation relating to the four Veronese and Florentine companies (closing of the investigation against the 4 companies on 15 November 2022; inspection at Enel Energia on 24 and 25 November 2022, announced to the Company on 23 November 2022), were moreover carried out using the collaborative dialectic envisaged by art. 157 of the Code, ordinarily adopted by the Garante precisely to keep the dialogue with controllers alive and constant.

During these activities, the Company was provided with the documentation, including copies, relating to the contracts believed to have infiltrated the company systems, with a precise indication of the hypothesized responsibilities. Subsequently too, and in particular with an email dated 16 January 2023 sent to the Company's DPO, the Office reiterated, at the request of the same DPO, that "the documents made available to Enel Energia during the inspection activity can certainly be used (since, moreover, they are contractual documentation pertaining to the Company) in order to implement all the organizational measures deemed necessary and/or appropriate within the framework of the principle of accountability and in the adoption of internal measures aimed at its sales network".

To this it must be added that the Garante, with Measure no. 70 of 9 March 2023 (in www.gpdp.it, web doc. no. 9868813), and therefore long before the adoption of the act initiating proceedings against Enel Energia, approved the Code of Conduct regarding telemarketing and teleselling which, in art. 5, paragraph 8, identifies as an obligation of the controller that it prepares "the platform for the registration of contract proposals in such a way that the traceability of the operations carried out is guaranteed, adopting, for example, authentication procedures that: a) prevent access to the platform with the same credentials from multiple locations at the same time; b) prevent access from different IP addresses or through authentication methods that do not comply with those authorized for each call center/teleseller/agency at the time of attribution of credentials; c) assign individual authentication credentials to each operator authorized to carry out insertion operations; d) allow the identification of the authorized operator even in the event of telephone contact with the assistance service". Even if this Code of Conduct is not, at present, fully operational, its approval (and the previous public consultation launched on 18 July 2022) indicates to all controllers the "best practice" in terms of security that the Garante deems suitable to avoid, or at least minimize, the risks of unauthorized access and data infiltration into company platforms.
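The first three of the four authentication measures quoted from art. 5, paragraph 8, of the Code of Conduct can be verified after the fact against the session log of a contract-upload platform. The following is an added illustration, not code from the Garante, from Enel Energia or from the Code of Conduct: it replays a small set of constructed session events and flags the three conditions a log can reveal, namely the same credential active from two locations at once (measure a), a login from an address outside the networks authorized for the agency when its credentials were attributed (measure b), and one credential used by more than one operator (measure c). The event format, the agency network allowlist and every name in the block are assumptions made for the example.

```python
"""Replay a constructed session log and report logins that breach the
three log-checkable authentication measures of art. 5(8) of the Code of
Conduct. Illustrative example only: event layout, allowlist and names are
assumptions, not any real platform's data or code."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass
class SessionEvent:
    ts: datetime        # time of the event
    credential: str     # platform credential used
    operator: str       # natural person declared as using it
    agency: str         # agency the credential was attributed to
    src_ip: str         # source address of the session
    location: str       # location of the session (e.g. agency site)
    action: str         # "login" or "logout"


# Constructed allowlist (assumption): networks authorized for each agency
# at the time its credentials were attributed (measure b).
AGENCY_NETWORKS: Dict[str, List[str]] = {
    "agency-A": ["203.0.113.0/24"],
    "agency-B": ["198.51.100.0/24"],
}


def ip_authorised(agency: str, ip: str) -> bool:
    """True if ip falls inside a network authorized for the agency."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in AGENCY_NETWORKS.get(agency, []))


def check_sessions(events: List[SessionEvent]) -> List[Tuple[str, str]]:
    """Replay events in time order; return (rule, credential) findings.

    Rules: 'concurrent-location' (a), 'unauthorised-ip' (b),
    'shared-credential' (c, reported once per credential)."""
    findings: List[Tuple[str, str]] = []
    active: Dict[str, Set[Tuple[str, str]]] = {}   # credential -> live (ip, location)
    operators: Dict[str, Set[str]] = {}            # credential -> operators seen
    shared_reported: Set[str] = set()

    for ev in sorted(events, key=lambda e: e.ts):
        sess = (ev.src_ip, ev.location)
        if ev.action == "logout":
            active.get(ev.credential, set()).discard(sess)
            continue
        # (a) the credential is already live somewhere else
        if any(loc != ev.location for _, loc in active.get(ev.credential, set())):
            findings.append(("concurrent-location", ev.credential))
        # (b) the source address is outside the agency's authorized networks
        if not ip_authorised(ev.agency, ev.src_ip):
            findings.append(("unauthorised-ip", ev.credential))
        # (c) more than one operator behind one credential
        operators.setdefault(ev.credential, set()).add(ev.operator)
        if len(operators[ev.credential]) > 1 and ev.credential not in shared_reported:
            findings.append(("shared-credential", ev.credential))
            shared_reported.add(ev.credential)
        active.setdefault(ev.credential, set()).add(sess)
    return findings


def run_example() -> List[Tuple[str, str]]:
    """Constructed sample log: one clean session, one credential reused
    from a second, unauthorized location while still live, and one
    credential shared by two operators at the same site."""
    T = lambda hhmm: datetime.fromisoformat(f"2023-01-16T{hhmm}:00")  # noqa: E731
    events = [
        SessionEvent(T("09:00"), "cred-001", "op-rossi", "agency-A", "203.0.113.10", "Verona", "login"),
        SessionEvent(T("09:05"), "cred-001", "op-rossi", "agency-A", "203.0.113.10", "Verona", "logout"),
        SessionEvent(T("09:10"), "cred-002", "op-bianchi", "agency-B", "198.51.100.5", "Firenze", "login"),
        SessionEvent(T("09:12"), "cred-002", "op-bianchi", "agency-B", "192.0.2.77", "Remote", "login"),
        SessionEvent(T("09:20"), "cred-003", "op-verdi", "agency-A", "203.0.113.20", "Verona", "login"),
        SessionEvent(T("09:25"), "cred-003", "op-neri", "agency-A", "203.0.113.21", "Verona", "login"),
    ]
    return check_sessions(events)


if __name__ == "__main__":
    for rule, cred in run_example():
        print(f"{rule}: {cred}")
```

The same three checks can equally be enforced at login time by refusing the session instead of recording a finding; the replay form is shown because it is what an audit of an existing platform, of the kind the decision says Enel Energia should have carried out, would run over historical logs. Measure d) (identifying the operator on a call to the assistance service) is a help-desk procedure rather than a log check and is not modelled.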

This confirms once again the absolute groundlessness of the defensive argument that Enel Energia was "caught by surprise by the new Dispute of 14 July 2023", the Garante having over time adopted a line of dialogue with the Company, equal to that undertaken with other controllers, characterized by the maximum possible transparency and collaboration, in light of the needs, albeit worthy of consideration, of confidentiality related to the need to effectively carry out investigative activities towards numerous subjects.

Violation of the time limits of the procedure for having notified the notice of dispute more than 120 days after the date of the assessment (as required by Regulation no. 2/2019 of the Office of the Garante), which Enel Energia considers to coincide with the date on which the Company sent the documentation that it had reserved the right to produce during the inspection (sending of the documents by Enel Energia: 16 December 2022; deadline for the dispute: 16 March 2023).

On this point, it is necessary to start from a completely undisputed jurisprudential fact, namely that "assessment" refers not to "the mere news of the hypothetically sanctionable fact in its materiality, but to the acquisition of full knowledge of the illicit conduct, implying verification (for the purpose of a correct formulation of the complaint) of the existence and consistency of the infringement and its effects" (Council of State, Section VI, Sentence of 4 October 2022, no. 8503).

Therefore, excluding the possibility that the date of the assessment could be the one indicated by Enel Energia, for a correct reconstruction of the effective starting date of the above time limit it is necessary to refer instead to the date of notification of the act initiating the administrative procedure with communication of the alleged violations, carried out on 14 July 2023 at the Company's digital address. Counting back 120 days from that date we reach 16 March 2023: if one or more significant assessment documents fall within the interval between 16 March 2023 and 14 July 2023, the notice of dispute must be considered notified within the deadline.

Even without wanting to draw on constant jurisprudence (for all, Court of Cassation, Civil Section II, Sentence of 30 March 2023, no. 9022: "the deadline for contesting the offences starts from the moment of the relevant assessment, which does not necessarily coincide with that of the mere observation of the facts in their materiality, nor with that in which the reports or final reports of those in charge of the investigations have been deposited or in any case made available to the bodies of the supervisory authority competent for the relevant examination, account having to be taken, for this purpose, of the time strictly necessary so that, at the end of the preliminary checks, the finding of the facts could be translated into an assessment"), which highlights the need to place the act of assessment in a period subsequent to the Authority's knowledge of the facts in their materiality and the receipt of documents or exhibits, it is noted that in the interval between 16 March 2023 and the day of notification of the notice of administrative violations, various elements necessary to evaluate the existence and consistency of the violations committed by Enel Energia were added to the documents of file no. 173067, relating to today's proceedings, and in particular:

- the report drawn up by the technological division of the Authority, which was called to examine the documentation relating to the SEOL system and the MFA authentication procedure, documentation which was received on 31 January 2023 from Enel Energia via the Guardia di Finanza and which was devoid of precise technical notes. This report, drawn up and filed on 22 March 2023, outlined the scope of Enel Energia's conduct and was attached in full to the notice of dispute;

- provision no. 184 of 13 April 2023, referred to several times in today's proceedings and also fully attached to the complaint, which is inserted as a logical and factual premise with respect to the conduct of Enel Energia and which defines the scope of the phenomenon that the Company has instead underestimated;

- the inspection activities carried out on 17-19 April 2023 at XX., with documents received on 14 June 2023, which made it possible to acquire elements regarding the consistency of the violations in terms of financial benefits achieved (as required by art. 83, par. 2, letter k), of the Regulation), also in relation to the loss of market shares of direct competitors, given that the contracts illicitly acquired by the Veronese and Florentine companies and found in the Enel Energia database mostly come from customers of XX and the illicit acquisition activities in favor of Enel Energia were carried out by one of the Veronese companies, official agent of XX;

- the examination of the databases confiscated from the Veronese and Florentine companies on 6 June 2023, with findings delivered to the Authority on 16 June 2023, which made it possible to determine the consistency of the data flow from the Veronese and Florentine companies to Enel Energia and the duration of the illicit conduct (circumstances which are relevant for the assessment of the seriousness of the conduct, also with reference to what is expressly indicated in art. 83, par. 2, letter a), of the Regulation).

In light of the above and in consideration of the particular degree of complexity of the investigations carried out in the case in question, it is believed that the deadline for the notification of the notice of administrative violations to Enel Energia was fully respected, as it occurred only 28 days (instead of 120) after receipt of the last documents necessary for the complete evaluation of the matter.

Violation of the principle of ne bis in idem (lis pendens and res judicata) due to the identity of the disputes in today's proceedings with those from which provision no. 443 of 16 December 2021 against Enel Energia originated, annulled by the Court of Rome with judgment of 13 February 2023, filed on 13 January 2024.

In this regard, it must be preliminarily highlighted that the ruling of the Court of Rome of 13 February 2023 - 13 January 2024 does not in any way examine the substantive aspects of the administrative procedure defined with provision no. 443 of 16 December 2021, but only the controversial issue of the deadline for contesting administrative violations (which, it is reiterated, the aforementioned Regulation no. 2/2019 of the Office of the Garante sets at 120 days from the assessment act) and the relationship between this deadline and the overall structure of the investigative activities carried out by the Office. This has nothing to do with the investigation of today's provision, opened in November 2022 and concluded after less than eight months, based on a tight sequence of documents which has been fully accounted for in the previous paragraph.

From the annulment of the previous provision, no assessment on the merits can therefore be deduced to the advantage of Enel Energia's defence, nor can a "licence" of lawfulness and legitimacy be obtained for the entire set of processing operations carried out.

Furthermore, it should be highlighted that provision no. 443/2021 was adopted at the end of a procedure initiated at the request of parties (135 complaints and reports from Italian data subjects), in order to respond to and verify what was complained of, regarding very specific situations, at the various points in time.

On this point it must be noted that there is no identity between the complaints underlying provision no. 443 and the current disputes. In addition to the fact that provision no. 443 examined a variety of activities carried out by Enel Energia (telemarketing without consent, telemarketing in violation of the regulations on the Register of Objections, late feedback on the exercise of the rights of data subjects, promotional calls with automated systems, sending of promotional text messages, sending of invoices to incorrect addresses, improper association of telephone numbers with energy users, non-compliant management of the so-called Single Profile - online customer area, critical issues in signing up to the Company's loyalty program) which constituted multiple offences related to different regulatory provisions (14 violations, including, by way of example only, art. 5, par. 1, letter a), as well as art. 12 of the Regulation or article 130 of the Privacy Code), it must be highlighted that, focusing attention only on telemarketing activities, the disputes referred to in the first provision took into consideration the correct legal basis of the activities directly carried out by Enel Energia and by its sales network and the measures adopted by the Company to identify and block contracts acquired following promotional contacts carried out in violation of the provisions on lawfulness of processing, aspects which in the current proceeding have not been taken into consideration since the activities of the four Veronese and Florentine companies were found to be fundamentally illicit, as they were set up in the absence of any contractual and operational link with the energy company. Provision no. 443, furthermore, did not examine the aspects relating to the security measures applied by Enel Energia on the systems responsible for managing contracts and customer data, a topic which is instead at the center of the current proceeding, nor the related aspect of monitoring of critical events, which evidently pertains to a phase subsequent to that examined with the first measure, relating to the moment of promotion of the services.

It should also be noted that the hypothesis of lis pendens and violation of the principle of ne bis in idem, net of what has been observed above, is currently entirely hypothetical and, in any case, the request made by Enel Energia to the first-instance judge for a "declaration regarding the correctness of the management methods of the agency channel and teleselling currently in use" at the Company certainly cannot exempt the Authority from opening new proceedings and starting new investigations in the event that it becomes aware of facts and circumstances capable of constituting hypotheses of violation of the relevant regulations on the protection of personal data by the same controller.

Even in the event that there were formal coincidence between the provisions referred to in provision no. 443/2021 and those in today's provision, it cannot be said in any way that there is a substantial coincidence. In fact, if we consider, for example, the violation of the principle of accountability referred to in art. 5, par. 2 of the Regulation, within Measure no. 443/2021 it had been ascertained in close correlation with the lawfulness of the original acquisition of the data and/or the first contact with the potential customer. Today's provision, by contrast, frames the violation of the principle of accountability, and of the related provisions on the obligations of the data controller, in terms of the organizational deficiencies in processing security and of the basic choices in the design and structuring of the control system.

It is worth highlighting that the general principle set out in art. 5, par. 2, of the Regulation allows the Supervisory Authority also to ascertain liability by omission on the part of the data controller in relation to different and various cases, as well as with reference to other distinct obligations and principles of data protection.

The Authority, in exercising its corrective powers and carrying out the tasks assigned to it by the Regulation, can concentrate its attention on individual aspects and certain procedures, in particular with reference to production entities having particularly complex structures and organisations, and can therefore deal with the same controller several times, a hypothesis expressly provided for by the Regulation itself which, in art. 83, par. 2, letters e) and i), requires the Authority to take into account "any relevant previous infringements by the controller or processor" and "where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures".

From this point of view, it is hardly necessary to recall that the processing of personal data is made up of a multiplicity of operations, which involve a large number of subjects and cannot be considered a uniquely lawful or unlawful whole, proof of which is that, several times in the recent past, the Authority has adopted measures against the same controller, even within a short time, measures which have examined the complex of processing operations and have led to the application of corrective and sanctioning measures, even of significant magnitude (for all, orders no. 7 of 15 January 2020 and no. 183 of 13 March 2023; no. 224 of 12 November 2020 and no. 379 of 10 November 2022, all against important telephone companies).

Partial denial of the right of documentary access and prejudice to the cross-examination since, during the access on 26 July 2023, the Authority did not grant Enel Energia the possibility of extracting a copy of the database containing the contracts allegedly uploaded by the Arnia cooperative.

Even in this case it is necessary to reconstruct the facts with greater precision. Following the publication of provision no. 184 of 13 April 2023, Enel Energia sent a request for access to administrative documents, sent via PEC on 15 June 2023, with reference to "every act and document relating to the preliminary investigation for the issue of the Measure of 13 April 2023, including confiscation", pointing out that it was "in the interest of Enel Energia S.p.A. to verify whether the facts and documents that gave rise to the Measure of 13 April 2023 also involve the companies regularly contracted by Enel Energia, in order to take any consequent initiative for its own protection". Therefore, the request for access to documents by Enel Energia was presented before notification of the notice of dispute and therefore, obviously, not for purposes related to the exercise of the right of defence.

The Authority provided feedback on 14 July 2023 by communicating that "part of the information requested can be found in the full version of the repeatedly referenced Provision no. 184/2023 which is attached here […]. We also inform you, pursuant to articles 4, paragraph 1, and 5, paragraph 2, of internal regulation no. 1 of 2006, of the willingness to allow access to the additional documentation requested by viewing the documents at the Office of the Garante". Access took place on 26 July 2023 from 11am to 4pm: during this access Enel Energia was able to view all the documents in file 173067, including the documentation confiscated from the Veronese and Florentine companies, and acquired a copy of the approximately 600 pages of the investigation file. Furthermore, although the request for access dated 15 June 2023 was not strictly related to the exercise of the right of defence, upon specific request of the Company's lawyers ("considering the high number and complexity of the disputes handled, the deadline for the presentation of defence submissions is extended by at least 15 days, and in any case until 28 September 2023, in accordance with the provisions of art. 13, paragraph 3, of the Authority's Regulation no. 1/2019; the aforementioned deadline of 28 September 2023 is applicable only on condition that the Authority allows Enel Energia to view the documents on 26 July 2023, as already requested, or, at the latest, by 31 July 2023, failing which the deadline for submitting the defences must also be recalculated"), the Office granted an extension for the presentation of the defence statement, in order to allow the fullest exercise of the right of defence.

In light of the above reconstruction, an infringement of the right of defence to the detriment of Enel Energia must be excluded if we consider, first of all, that the request for access to administrative documents presented by the Company was presented well before the notification of the disputes and therefore for purposes not attributable to the exercise of the right of defence, as mentioned above, and, secondly, that the access took place with absolute urgency and without time limits for consultation, taking into account all the needs of the party.

As for the content of the access, it should be noted that Enel Energia was able to view all the documents used to contest the administrative violations, all the documents in file 173067 including those of the confiscation, and was able to extract copies (about 600 pages) of all the documents relating to the preliminary investigations. As for the confiscation documents, only viewing was permitted (which in any case allowed the Company to verify not only the overall number of users entered into the company systems following the illicit activities of the Veronese and Florentine companies - the only data used in the notice of dispute - but also those that are believed to have been released), because of the main function of the confiscation itself, which is to remove things that were intended for illicit uses and which, therefore, cannot be reintroduced into a circuit of free usability, all the more so as they were mostly electronic documents and spreadsheets, in the same format that had allowed their improper use.

Apparent concurrence of rules and violation of art. 9 of law no. 689/1981 and art. 50 of the Charter of Fundamental Rights of the European Union, in that the Guarantor considered that the same fact can be sanctioned for the violation of rules actually established to protect the same legal interest, one of which is special with respect to the other. In other words, the rules alleged to have been violated in the notice of dispute would be, according to Enel, an expression of the same general obligation of correctness of the processing, foreseeable at the time the processing was designed. In this regard, without prejudice to what is stated in Guidelines no. 4/2022 of the European Data Protection Board (version adopted on 24 May 2023), which are cited purely for reference on this specific aspect, it must be noted that the only principle expressly codified in Italian law, as a general criterion for resolving apparent concurrence, is that of speciality (art. 9 of law no. 689/1981), as indeed indicated by the case law referred to in the defence brief (point 149). Having said this, given that the rules referred to in the complaint are not in a relationship of speciality with each other, the corresponding violations are correctly contested as they can be configured independently. In any case it should be kept in mind that art. 83, par. 3 of the Regulation expressly provides for a case of legal cumulation in the face of a plurality of contested offences relating to the same type of processing, an eventuality which applies in this provision.

Given all the considerations set out above, it is deemed necessary to confirm the responsibility of Enel Energia with reference to the violations contested with the aforementioned act of initiation of the proceedings of 14 July 2023, n. 108535/173067.

4. CONCLUSIONS

For the above, Enel Energia's responsibility for the following violations is deemed to be established:

a) art. 5, par. 1, letter f), and art. 32 of the Regulation, for having failed to carry out an adequate assessment of the risks connected to the N.Eve interface and, consequently, for having failed to adopt, towards the network of official agents, appropriate measures to guarantee correct use of the access credentials to the company system and to prevent sharing of those credentials between multiple subjects, thus allowing the introduction into Enel Energia's information and contractual system of contract proposals acquired by subjects not authorised to process personal data or to access the Company's systems;

b) art. 5, par. 2, art. 24, par. 1 and art. 25 of the Regulation, for having failed to mount an effective counteraction to the incorrect actions of some agencies which, in fact, acted with the aim of procuring contracts for Enel Energia, and for having failed to exercise fully and consciously (and to be able to prove it) its responsibilities, which correspond to the duties of accountability and privacy by design (through elements of prevention, functionality and system security, as well as transparency of processing and centrality of the data subject);

c) art. 28 of the Regulation for, on the one hand, having stipulated contracts with its agencies which formally provide for a division of responsibility that does not correspond to the concrete structure of the processing chain and is lacking in terms of the control obligations of the data controller and, on the other hand, for not having stipulated, or ensured the stipulation of, the necessary legal documents with those subjects, allegedly unknown, but in reality - as demonstrated by the preliminary findings - known and actively and fully integrated into the sales chain of the Company's services.

Having also ascertained the illegality of the Company's conduct with reference to the treatments examined, it is necessary to:

- order Enel Energia, pursuant to art. 58, par. 2, letter. d) and e) of the Regulation, to communicate to the 595 interested parties, whose personal data entered the Company's systems following the illicit acquisitions by the Veronese and Florentine companies, the outcomes of today's proceedings on the basis of a text to be agreed with the Authority when applying this provision;

- order Enel Energia, pursuant to art. 58, par. 2, letter. d) of the Regulation to provide adequate documentation in order to certify the implementation of security measures that prevent simultaneous access to the N.Eve system with the same authentication credentials;

- order Enel Energia, pursuant to art. 58, par. 2, letter. d) of the Regulation to introduce further measures so that the traceability and effective monitoring of the operations carried out and critical events on the N.Eve system is guaranteed and access from IP addresses other than those attributed to each agency is prevented ;

- order Enel Energia, pursuant to art. 58, par. 2, letter. d) of the Regulation, to provide that the agencies stipulate with any sub-agents contracts that are fully compliant with the standard contract stipulated between Enel Energia and the agencies themselves and in which the distribution of responsibilities in the processing of personal data is clearly explained as indicated by the art. 28 of the Regulation;

- adopt an injunction order, pursuant to art. 166, paragraph 7, of the Code and art. 18 of law no. 689/1981, for the application against Enel Energia of the pecuniary administrative sanction provided for by art. 83, par. 3 and 5 of the Regulation.

5. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles. 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Enel Energia of the pecuniary administrative sanction provided for by art. 83, par. 3 and 5 of the Regulation (payment of a sum of up to €20,000,000.00 or, for businesses, up to 4% of the annual worldwide turnover of the previous financial year, if higher);

To determine the maximum statutory fine, it is therefore necessary to refer to the turnover of Enel Energia, as obtained from the latest available financial statement (31 December 2022), in accordance with the previous provisions adopted by the Authority; the statutory maximum, in the case in question, is therefore €988,838,774.

To determine the amount of the sanction it is necessary to take into account the elements indicated in the art. 83, par. 2, of the Regulation;

In the case in question, the following are relevant:

1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purpose of the data processed, attributable to the overall phenomenon of unwanted telemarketing, in relation to which the Authority has adopted, in particular in the last four years, numerous measures which have fully examined the many critical elements, providing controllers with numerous indications to adapt their processing to current legislation and to mitigate the impact of nuisance calls on data subjects; also taking into account the number of subjects involved (due to the approximately 9300 contracts conveyed by the Arnia cooperative) and the duration of the illicit infiltration of contracts (from 2015 to 2022);

2) as an aggravating factor, the seriously negligent nature of the violations, the result of corporate choices made with conscience and will which have effectively weakened the security measures and the control and accountability system of the various subjects operating in the Enel Energia sales network (art. 83, par. 2, letter b) of the Regulation);

3) as an aggravating factor, the degree of responsibility of the data controller (art. 83, par. 2, letter d) of the Regulation), due to the ineffectiveness of the technical and organisational measures implemented and the particular role that Enel Energia assumes in the Italian production landscape, as a leading company in industrial and technological development processes holding a large amount of personal data of the population resident in Italy, from which one must necessarily expect an organisation of personal data processing based on the maximum protection of its customers' information assets and on the maximum responsibility of all the figures involved in the processing itself;

4) as a mitigating factor, the circumstance that Enel Energia introduced, in July 2023, an authentication system that prevents the simultaneous use of the same credentials to access the N.Eve system from different locations (art. 83, par. 2, letter c) of the Regulation);

5) as a mitigating factor to be taken into consideration to parameterize the sanction (art. 83, par. 2, letter k) of the Regulation), the circumstance that from the examination of the databases subject to confiscation it emerges that the number of contracts subject to illicit acquisition in favor of Enel Energia (9,300) is lower than those "outgoing" again following the illicit activities of the Veronese and Florentine companies (20,456) and this compensates for what was recorded in relation to the loss of market shares of XX with reference to the contracts acquired by the Veronese and Florentine companies which appear to have been included in Enel Energia's systems.

Based on all the elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1 of the Regulation, and taking into account the necessary balance between the rights of data subjects and the freedom of enterprise, also in order to limit the economic impact of the sanction on the organisational and functional needs of the Company, it is held that the administrative sanction of the payment of a sum of €79,107,101, equal to 8% of the maximum statutory fine and 0.32% of the annual turnover, should be applied.

In the case in question, it is held that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor's Regulation no. 1/2019, should be applied, taking into account the nature of the Company's processing and conduct, as well as the elements of risk for the rights and freedoms of data subjects.
Finally, the conditions set out in art. 17 of Regulation no. 1/2019, concerning internal procedures with external relevance aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, for annotation of this provision in the Authority's internal register are met.

ALL THE ABOVE CONSIDERED, THE GUARANTOR

a) orders Enel Energia, pursuant to art. 58, par. 2, letter. d) and e) of the Regulation, to communicate to the 595 interested parties, whose personal data entered the Company's systems following the illicit acquisitions by the Veronese and Florentine companies, the outcomes of today's proceedings on the basis of a text to be agreed with the Authority when applying this provision;

b) orders Enel Energia, pursuant to art. 58, par. 2, letter. d) of the Regulation to provide adequate documentation in order to certify the implementation of security measures that prevent simultaneous access to the N.Eve system with the same authentication credentials;

c) orders Enel Energia, pursuant to art. 58, par. 2, letter. d) of the Regulation to introduce further measures so that the traceability and effective monitoring of the operations carried out and critical events on the N.Eve system is guaranteed and access from IP addresses other than those attributed to each agency is prevented ;

d) orders Enel Energia, pursuant to art. 58, par. 2, letter. d) of the Regulation, to provide that the agencies stipulate with any sub-agents contracts that are fully compliant with the standard contract stipulated between Enel Energia and the agencies themselves and in which the distribution of responsibilities in the processing of personal data is clearly explained as indicated by the art. 28 of the Regulation;

e) orders Enel Energia, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by the art. 83, paragraph 5, of the Regulation;

ENJOINS

Enel Energia S.p.A., in the person of its legal representative pro tempore, with registered office in Rome, viale Regina Margherita n. 125, C.F. 06655971007, to pay the sum of €79,107,101 (seventy-nine million one hundred seven thousand one hundred and one/00) as a pecuniary administrative sanction for the violations indicated in the reasoning, noting that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by complying with the instructions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €79,107,101 (seventy-nine million one hundred seven thousand one hundred and one/00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement acts in accordance with art. 27 of law no. 689/1981.

DIRECTS

the application of the accessory sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor's Regulation no. 1/2019, and the annotation of the same in the internal register of the Authority - provided for by art. 57, par. 1, letter u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to violations and measures adopted in compliance with art. 58, par. 2, of the Regulation itself.

Pursuant to art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, by an appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself.

Rome, 8 February 2024

THE PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE DEPUTY SECRETARY GENERAL
Filippi



SEE ALSO Press release of February 29, 2024



[doc. web no. 9988710]

Provision of 8 February 2024

Register of measures
n. 81 of 8 February 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

AT today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Dr. Claudio Filippi, deputy general secretary;

HAVING REGARD to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 /CE (General Data Protection Regulation, hereinafter “Regulation”);

HAVING REGARD to the Code regarding the protection of personal data (Legislative Decree 30 June 2003, n. 196), as amended by Legislative Decree 10 August 2018, n. 101, containing provisions for the adaptation of the national law to the aforementioned Regulation (hereinafter the "Code");

HAVING SEEN the documentation in the documents;

GIVEN the observations made by the deputy general secretary pursuant to art. 15 of the Guarantor's regulation no. 1/2000, adopted with resolution of 28 June 2000;

SPEAKER: the lawyer Guido Scorza;

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

1.1. Premise

With deed of 14 July 2023, n. 108535/173067 (notified on the same date by certified email), which must be understood as fully referenced and reproduced here, the Office has initiated, pursuant to art. 166, paragraph 5, of the Code, a procedure for the adoption of the measures referred to in art. 58, par. 2, of the Regulation towards Enel Energia S.p.A., (hereinafter “Enel Energia” or “the Company”), in the person of the legal representative pro tempore, with registered office in Rome, viale Regina Margherita n. 125, C.F. 06655971007.

The proceeding originates from an investigation launched by the Authority following receipt of the results of an activity carried out by the Soave Company of the Guardia di Finanza and by the Special Privacy Protection Unit, an investigation relating to the telemarketing activities carried out by some agencies located in Verona (Mas s.r.l. and Mas s.r.l.s.) and in Tuscany (Sesta Impresa s.r.l. and Arnia soc. cooperativa), whose outcomes are fully reported in the Guarantor's Provision no. 184 of 13 April 2023 (in www.gpdp.it, web doc. no. 9893718), to which full reference is made.

In a nutshell, for the part that interests us here, the investigations carried out by the Financial Police made it possible to ascertain that two Verona companies carried out activities aimed at promoting the services of companies in the electricity and gas sector. The activities of the two companies appeared to be essentially focused on promoting the services of the companies Enel Energia and XX which their collaborators carried out by having identification cards, which later turned out to be counterfeit, and forms from both Enel Energia and XX.

The marketing activities carried out by the two Veronese companies were carried out, in the first instance, through telephone contact with potential customers, a contact which took place using lists of names accompanied by addresses, telephone numbers, indication of the municipality of residence within the province of Verona and the relevant energy company. The lists were found to have been acquired illicitly and the contacts made without observing the provisions of the Regulation, the Code, the national laws and the numerous provisions, including of a general nature, adopted by the Authority regarding telemarketing. As for the methods of carrying out the promotional activities following the telephone contact, they provided that, in the event that the potential customer had an existing contract with XX, a change of operator to Enel Energia should be proposed to him. After a certain period of time from the signing of a contract, the customer was contacted again to change provider again (from XX to Enel Energia and vice versa).

It is important to point out here that the two Veronese companies did not appear to have any collaboration contract or contract for the provision of services in existence with Enel Energia and therefore no authorization to stipulate contracts on its behalf which, once signed, were sent to the Florentine company Sesta Impresa s.r.l.

The Special Unit for the protection of privacy and technological fraud, at the Authority's request, carried out an inspection on 10 February 2022 of the latter company, from which it emerged that it had agreements in place with some agencies in the Enel Energia sales network (XX, XX., XX, XX and XX.) despite not having been designated as a data processor either by the energy company or by its agencies. The inspection also revealed that the forwarding of contractual proposals to Enel Energia was not carried out directly by Sesta Impresa but by another Florentine company, with the same registered office as Sesta Impresa and operational headquarters in Montecatini, namely the Arnia cooperative. This cooperative turned out to be the real organisational engine of the telemarketing activities since, in addition to carrying out the data entry of the contracts acquired by Sesta Impresa and other companies, it coordinated autonomous promotional initiatives, contacting by telephone potential customers included in its own database, for marketing activities then finalised by Sesta Impresa and other companies.

The Financial Police, upon further request from the Authority, therefore carried out an investigation of the Arnia cooperative on 22 and 23 June 2022, which confirmed, in addition to numerous matters not relating to Enel Energia, that Arnia had uploaded Enel Energia contracts, on behalf of Sesta Impresa, into the energy company's information systems, even though it had no authorisation of its own to access those systems. Furthermore, the investigation highlighted that the maintenance of the database of potential customers through which Arnia carried out telephone contacts aimed at promoting the services of energy companies was not supported by a suitable legal basis for the processing of the personal data of the people registered in it.

From all the investigations it emerged, in a nutshell, that the four companies had, among other things, implemented uniquely organized and coordinated activities to: 1) acquire assignments from the Enel Energia sales network in order to promote the services of the same, even in the absence of formal designations or authorizations from the client; 2) contact potential customers using databases of unauthorized origin, bypassing the provisions of the Regulation, the Code and national laws on telephone marketing; 3) upload the contracts by accessing the Company portal in the absence of formal authorizations from the Company and independent access credentials.

1.2. The inspection at Enel Energia and further investigative activities

Following the findings regarding the four companies indicated above, it was necessary to carry out an inspection of Enel Energia, which the Authority delegated to the Financial Police, with a request for information and on-site presentation of documents pursuant to art. 157 of the Code, aimed at verifying the methods of uploading the contracts acquired by the agencies onto the company platforms, the security measures implemented by Enel Energia on those platforms and the presence of the contracts acquired by the Veronese companies and then passed through Sesta Impresa and the Arnia cooperative.

From the investigations, carried out on 24 and 25 November 2022 and from the subsequent sending of documentation (made available to the Office, lastly and in its entirety, on 21 February 2023, with sending by the Financial Police, protocol no. 31529/173067) the following emerged, among other things:

a) Identification of systems and databases

The operations of the Enel Energia sales network agencies are based on a platform for accessing the company's CRM (Customer Relationship Management), called N.Eve, an acronym for "New Eve", an interface dedicated to this purpose, which replaced the previous "Eva" system following a roll-out carried out by the Company from 6 to 27 July 2018. The Eva system remained in operation until 22 February 2019, after which it was definitively decommissioned. Through N.Eve, the contractual proposals coming from the agencies, which derive from a supplier change operation and are drawn up on a pre-printed paper form that is part of a kit supplied to the sellers, are uploaded onto the system through a back-office activity. N.Eve, as part of the broader CRM, has been subjected to risk analysis and impact assessment procedures;

b) agencies of the Enel Energia sales network

the Company provided, with documentation sent following the inspection and received by the Office on 31 January 2023 (protocol no. 15928/173067), the list of 210 agencies which were assigned a total of 1288 authentication credentials for access to the corporate systems. Between 2020 and 2022, those agencies uploaded a total of 2,653,388 contracts via the N.Eve platform;

c) method of attributing credentials to the Agencies for access to the systems

the granting of credentials to the agencies takes place in two steps, in compliance with a specific company policy. There is an initial accreditation of the agency's legal representative by the Enel Energia "territorial channel manager", who provides the legal representative with the credentials to access the Access Management Hub. From there, the legal representative can enter the names of the individual agents and back-office operators (the data-entry workers), who are subjected to a series of checks, in order to obtain the access credentials that are then activated by the IMAC (Identity Management Access Control) company system. The credentials of agents who operate via the Enel app are associated with two-factor authentication via Microsoft Authenticator; in the case of a paper contract, the operator who then carries out the data entry authenticates via MFA (multi-factor authentication);

d) security and monitoring measures related to the activities of the Agencies

starting from June 2021, the Company has adopted a system for verifying the methods of access to company systems, which involves the acquisition of access logs and also an alert system in the event of anomalous events (night-time accesses, accesses from different geographical positions, multiple accesses). The system is called SEOL (Security Eye On Log) but it has not been applied to N.Eve, in the sense that, although recording of system access logs is provided for (and they are kept for 18 months), this recording does not provide for alerts "on accesses from different geographical positions and on multiple accesses" due, in the company's opinion, to the not high level of risk of N.Eve, the difficulty found in geolocating IP addresses precisely, as well as the excessive number of false positives (with regard to multiple accesses) due to "a high use of mobile devices". The Company specified that "currently there are no procedures in place that prevent possible simultaneous access with the same credential on N.Eve, since the access procedure involves a double authentication factor. Likewise, the system does not provide barriers connected to a selection of IP addresses from which access attempts are made."
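The gap the Company describes is that MFA authenticates the person who holds the second factor at login time but does nothing to stop the same credential being used from two places at once, or from an address that does not belong to the agency the credential was issued to. The following is an added example, not Enel Energia's or SEOL's code, of a login gate that closes both gaps: one active session per credential, with a second login from a different source IP refused while the first is alive, plus a per-agency source-IP allowlist. The agency names, IP ranges, idle timeout and the Session/Decision types are all assumptions for the example.

```python
"""Login gate: one active session per credential plus a per-agency source-IP
allowlist. Added example, not Enel Energia's code; the N.Eve/IMAC internals are
not known, so agency names, IP ranges and the timeout below are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: a session that shows no activity for this long is dropped, so a legitimate
# operator who moved to another device is not locked out forever.
IDLE_TIMEOUT = timedelta(minutes=30)

# Assumed per-agency allowlists (constructed sample data, documentation-only address ranges).
AGENCY_NETWORKS = {
    "agency-a": [ip_network("203.0.113.0/24")],
    "agency-b": [ip_network("198.51.100.0/25")],
}


@dataclass
class Session:
    user: str
    ip: str
    last_seen: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class SessionGate:
    active: dict = field(default_factory=dict)   # user -> Session
    events: list = field(default_factory=list)   # security events worth alerting on

    def _expire(self, now):
        for user, s in list(self.active.items()):
            if now - s.last_seen > IDLE_TIMEOUT:
                del self.active[user]

    def login(self, user, agency, ip, now, mfa_ok):
        """MFA is necessary but not sufficient: the source address must belong to the
        agency, and the credential must not already be in use from another address."""
        self._expire(now)
        if not mfa_ok:
            return Decision(False, "mfa_failed")
        if not any(ip_address(ip) in net for net in AGENCY_NETWORKS.get(agency, [])):
            self.events.append(("ip_outside_agency", user, agency, ip, now))
            return Decision(False, "ip_not_in_agency_allowlist")
        current = self.active.get(user)
        if current is not None and current.ip != ip:
            self.events.append(("concurrent_session_attempt", user, agency, ip, now))
            return Decision(False, "session_already_active_from_other_ip")
        self.active[user] = Session(user, ip, now)   # new session or refresh of the same one
        return Decision(True, "ok")

    def logout(self, user):
        self.active.pop(user, None)


def demo():
    """Constructed scenario: one credential used from two places at once, then from an
    address belonging to another agency, then again after the first session idled out."""
    t0 = datetime(2022, 12, 12, 9, 0)
    gate = SessionGate()
    attempts = [
        ("op01", "agency-a", "203.0.113.10", t0, True),
        ("op01", "agency-a", "203.0.113.77", t0 + timedelta(minutes=5), True),   # same id, other IP
        ("op01", "agency-a", "198.51.100.5", t0 + timedelta(minutes=6), True),   # other agency's range
        ("op01", "agency-a", "203.0.113.10", t0 + timedelta(minutes=10), True),  # original session
        ("op01", "agency-a", "203.0.113.77", t0 + timedelta(minutes=45), True),  # first session idled out
        ("op02", "agency-b", "198.51.100.5", t0, False),                          # second factor failed
    ]
    reasons = [gate.login(*a).reason for a in attempts]
    return reasons, gate.events


if __name__ == "__main__":
    for reason, event in zip(*demo()):
        print(reason, event)
    print(demo()[0])
```

The two refusals in the scenario are exactly the two facts the Guarantor later turns into orders: a credential already active from another address is refused, and an address outside the agency's range is refused before the concurrency check is even reached. The refusals are also recorded as events, so the same data feeds the alerting side.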

To concretely illustrate how the SEOL system is used, Enel Energia, with the documentation received on 31 January 2023, provided evidence of access to the CRM via the N.Eve system (successful and failed logins) on 12 December 2022 by identifiers attributable to the agencies XX (1 user, 26 access attempts in total), XX (2 users, 320 access attempts), XX (2 users, 3 access attempts) and XX (2 users, 12 login attempts), extracted from the SEOL dashboard.

The Company also sent a sample report of the uploading activities carried out by the agencies, extracted from the N.Eve system, which shows, for some days taken as a sample, the list of paper contracts inserted by the XX, XX, XX and XX agencies.

The results of the above extractions, in the absence of specific explanatory elements provided by the Company, were analysed, together with the remaining preliminary documentation, by the Authority's technological division which, on 22 March 2023, drew up a report attached in full to the deed initiating proceedings no. 108535/173067;

e) verification of the presence of contracts acquired by Veronese companies and passed through Florentine companies

during the inspection at Enel Energia, the lists of contracts resulting from the illicit marketing activity carried out by the Veronese companies, and then passed through the two Florentine companies for upload into the Enel Energia systems, were handed to the company managers. The inspection staff asked to know, for each of the contracts in question, whether it was present in the company systems and, if so, the company name of the agency that had uploaded it, the activation status of the supply and the type of commodity (electricity or gas). The Company responded by sending a list, received by the Authority, as already indicated above, on 31 January 2023, containing 595 contract identifiers out of the 654 found at the Veronese and Florentine companies.

However, it must be highlighted that this figure merges contracts where the same identifier refers, for one customer, to both the supply of gas and of electricity. In reality, the table provided by Enel Energia consists of 978 contracts, 573 of which relate to the supply of electricity and 405 to the supply of gas. Of these 978 contracts, 874 were regularly activated and 104 cancelled. From the systems it appears that these contracts were uploaded by agencies XX (433 contracts), XX (164), XX (150) and XX. (231). With reference to the latter agency, Enel Energia stated that it "has repeatedly applied penalties for contractual breaches found during the inspection. The contractual relationship with XX ceased as of February 26, 2021".

Furthermore, during the inspection, the company's CRM was accessed to verify some paper contracts on Enel Energia forms acquired from the Veronese companies. 5 of the 8 requested contracts, stipulated by XX (3 contracts) and XX. (2 contracts), were found and displayed. In all these cases, the scanned copy retrieved from the CRM was displayed, a copy which, however, presents more than one discrepancy with the copy originally acquired by the Authority.

The original paper forms of the contracts stipulated by the agencies are sent to the XX company for digitization, archiving and subsequent matching with the customer's details.

For completeness it should be noted that, in execution of the aforementioned provision no. 184 of 13 April 2023 against the Veronese and Florentine companies, on 6 and 7 June 2023 the databases and registry lists used for the ascertained illicit marketing activities were confiscated;

f) further investigations on the contracts found at the Veronese companies

the list of contracts acquired by the Veronese companies, passed through the Tuscan companies and then entered into the CRM of Enel Energia, was shown to the energy company XX during inspections carried out on 17-19 April 2023 against the latter, precisely in order to complete the overall investigative picture relating to the original activity of the Guardia di Finanza from which today's proceedings derive. In that context it was possible to ascertain (response to the requests in the minutes, received on 23 May 2023 - protocol no. 81559/173067) that 264 users present in the lists came from XX's customers; of these, almost all (244) were customers that XX had acquired in the past through one of the Veronese companies, which was also affiliated with its official sales network. In addition, from XX's findings it can be seen that the lists shown during the inspection contain a further 231 subjects for whom the tax code and POD/PDR numbers are missing: on the basis of the names alone, these 231 subjects would have been customers of XX, of whom 225 were acquired by one of the Veronese companies, specifically the one included in the official sales network of the energy company. The overall total of former XX customers who then moved to Enel Energia through the illicit promotional activities of the Veronese companies and the equally illicit data-entry activities of the Florentine companies would amount to approximately 469 names, out of the 654 present in the lists acquired during the inspection operations of the Financial Police (equal to 71.7% of the total).

1.3. Dispute of violations

At the end of the investigation, the Office adopted the aforementioned notice of dispute no. 108535/173067 in which, in brief, it observed that:

with reference to the methods of access to the N.Eve platform by the agencies of the sales network, Enel Energia has introduced a second level of authentication capable of reducing the risk associated with the theft of credentials as well as various types of cyber attack, including so-called brute-force or credential-stuffing attacks, which however does not reduce the risk of credentials being shared between multiple users who use them at the same time. Shared use of credentials, which appears to be confirmed by numerous pieces of information obtainable from the reports sent by Enel Energia in response to the Authority's requests for information, is made possible precisely by an authentication system which does not exclude the possibility of multiple and simultaneous accesses with the same credentials and is apt to allow multiple subjects, even external to the official sales network of Enel Energia and, therefore, exempt from the constraints that it contractually imposes, including compliance with data protection legislation, to upload contractual proposals on N.Eve, creating the commercial outlet or gateway for the many illicit activities of the so-called "undergrowth of telemarketing", as highlighted by the objective and incontrovertible data on the numerous contract proposals procured by the illicit association referred to in the provision of 14 April 2023, contract proposals later found in Enel Energia's systems;

with reference to the adoption of measures aimed at preventing possible illicit processing from the moment of data collection, the Company, despite having various compliance verification systems and despite collecting the access logs of the agencies of its sales network, has never effectively used the tools at its disposal to verify the correct use of the systems and to prevent incorrect practices by its own contracted agencies as well as by third parties. In other words, as demonstrated by the preliminary findings, Enel Energia would in theory already have all the data that would allow it to combat the so-called "undergrowth" phenomenon, but does not use them effectively, having not prepared the organisational and technical measures aimed at critically reading such data either in a horizontal sense (number of contractual proposals entered by each agency of the official sales network) or in a vertical sense (number of contractual proposals entered by each agent and the methods of such entry), in order to identify possible incorrect practices. The entire reporting and control system has in fact been structured with the pre-eminent (if not exclusive) purpose of verifying contractual validity with reference to users and "productivity" with respect to partner agencies. As proof of this, the Company itself stated that the log monitoring activity, although also provided for the N.Eve interface, is not carried out via alerts on accesses from different geographical locations or on multiple accesses: in the first case the function was deactivated due to an alleged difficulty in accurately geolocating IP addresses, in the second case because it generated an excessive number of false positives, due to the high use of mobile devices.

The absence of effective security measures and the voluntary deactivation of the controls described so far is what made possible what was ascertained regarding the Veronese and Florentine companies, which did not limit themselves to feeding into Enel Energia's systems the 978 contracts, relating to 595 users, of which there is certain documentary evidence, all having been verified by Enel Energia itself, but, according to the examination of the material confiscated in execution of provision no. 184/2023, would have introduced approximately 9300 contracts into Enel Energia's systems from 2015 to 2022, of which 1640 in just the ten months of 2022 prior to the inspection at the energy company. All this without any of the four companies being officially included in the Enel Energia sales network;

with reference to the methods of designation of the agencies as data processors and the possibility granted to them to make use of sub-agencies, it must be reiterated that a correct system of distribution of responsibilities cannot disregard the thorough control, provided for by law, which the controller must exercise over its processors, and possibly also over sub-processors, a control which, as the results of the investigation show, has never actually been carried out over the agencies that allowed the entry of the contracts unduly acquired by the companies referred to in provision no. 184/2023. It is also noted that the obligations and constraints that bind the processor to its controller also have effect, by law, on the further relationships between the processor and any sub-processors. Therefore, the relationships between agencies and sub-agencies cannot be regulated without considering this "chain of responsibility" which runs from the sub-agent back up to the controller, and which must be taken into account when formalising the relationships between these subjects.

Based on the considerations summarized here, the Office notified Enel Energia of the following alleged violations:

a) Articles 5, par. 1, letter f), and 32 of the Regulation, for having failed to carry out an adequate assessment of the risks connected to the N.Eve interface and, consequently, for having failed to adopt, towards the network of official agents, appropriate measures to guarantee the correct use of access credentials to the company system and to avoid the sharing of those credentials between multiple subjects, thus allowing the introduction into Enel Energia's information and contractual system of contract proposals acquired by subjects not authorised to process personal data or to access the Company's systems;

b) Articles 5, par. 2, 24, par. 1, and 25 of the Regulation, for having violated the duties of accountability and privacy by design by not implementing effective action to counter the incorrect behaviour of some agencies, thus allowing them to act in order to procure contracts for Enel Energia, and for not having exercised, in a full and conscious manner, its duties and its power of control through elements of prevention, functionality and security of the systems, as well as through the transparency of the processing and the centrality of the data subject;

c) Article 28 of the Regulation for, on the one hand, having stipulated contracts with its agencies which formally provide for a division of responsibility that does not correspond to the concrete structure of the processing chain and is lacking in terms of the controller's obligations of control and, on the other hand, for not having stipulated, or ensured that the necessary legal documents were stipulated, with those subjects who were allegedly unknown but in reality - as demonstrated by the preliminary findings - known and actively and fully integrated in the sales chain of the Company's services.

2. THE CONTROLLER'S OBSERVATIONS

Enel Energia, with a note dated 24 July 2023, citing needs linked to the "large number and complexity of the disputes handled", requested pursuant to art. 13, paragraph 3, of Regulation no. 1/2019 of the Office of the Guarantor that "the deadline for submitting defence arguments be extended by at least 15 days, and in any case until 28 September 2023". The Office granted this extension; the Company therefore exercised its right to be heard by submitting a brief on 28 September 2023 and participating in the hearing at the Authority on 4 October 2023.

In the brief, which is intended to be fully referenced here, Enel Energia observed what is summarized below:

a) violation of the time limits of the procedure - considering that the Authority carried out inspection activities at Enel Energia on 24 and 25 November 2022 and that the Company sent further supplementary documentation on 16 December 2022, the deadline of 120 days from the ascertainment of the violation for initiating proceedings, provided for by Regulation no. 2/2019 of the Office of the Guarantor, would have expired on 15 April 2023, whereas the initiating act no. 108535/173067 was notified on 14 July 2023. In this regard, Enel Energia recalls the peremptory nature of the deadline in question and the fact that the technical report of the Authority's technology department, filed in the documents on 22 March 2023, would be "an internal act of compilation of the results already collected which does not change anything";

b) infringement of the right of defence, of legitimate expectations and of the duty to concentrate administrative proceedings - Enel Energia recalls the previous provision adopted by the Guarantor against the same Company, no. 443 of 16 December 2021 (in www.gpdp.it, web doc. no. 9735672), then highlighting that "the facts underlying the current dispute are part of an investigation that began with the activity of the Compagnia di Soave of the Guardia di Finanza starting from March 2021", and were therefore known to the Authority before the notification of provision no. 443. This knowledge, acquired in September 2021 with the transmission of the documents, should have led the Guarantor to suspend the proceedings which gave rise to provision no. 443, or to close them and proceed to formulate new complaints taking into account the investigations of the Guardia di Finanza. Furthermore, the Authority would have ordered the inspections (of Sesta Impresa, Arnia and Enel Energia) at a considerable distance from each other "instead of immediately notifying EE [Enel Energia] of what was emerging", and would have "conducted the investigation leaving EE to continue its activity trusting in the correctness of its actions", so that Enel Energia would have been "caught by surprise" by the new complaint of 14 July 2023. All this would be contrary to the principles of good performance and correctness of the Public Administration, leading to excess and misuse of power, "with consequent annulment of any sanctioning measure";

c) violation of the principle of ne bis in idem (lis pendens and res judicata) - the object of the dispute in this proceeding would coincide with that relating to provision no. 443 of 16 December 2021, differing only in the technical tool identified as the cause of the violations (in provision no. 443, the quality call system; in the dispute of 14 July 2023, the Multi Factor Authentication - MFA system). Given the identity of the disputes, the judicial proceedings that would be initiated following any challenge to today's provision would be barred by the rules on lis pendens or those on res judicata in relation to the first provision. The two proceedings (the one relating to provision no. 443 and the entirely hypothetical one relating to today's provision) would share the parties involved, the petitum, constituted by the request for a declaration regarding "the correctness of the management methods of the agency channel and teleselling currently in use by Enel Energia", and the causa petendi, given that the Authority would have accused the Company of the same conduct relating to the same time period. Enel Energia observes that "in any case, the Dispute concerns conduct that was already known in December 2021 (at least in its essential elements) to the Guarantor, who should therefore have raised it in the first proceeding or, if deemed necessary, investigated it further by reopening the investigation";

d) partial denial of the right of access to documents and prejudice to the adversarial process (request for deferment or exclusion of documents) - Enel Energia notes that, during the access to the administrative documents of 26 July 2023, the Authority would not have allowed copies to be extracted of the documents relating to the database of the Arnia cooperative (soc. coop. Arnia), confiscated in the previous month of June; on this point, the Company observes that consulting the Arnia database is essential to understand the extent of the relationships between some agencies contracted by Enel Energia and the four Veronese and Florentine companies, this being the only way to gather the information needed to evaluate the possible involvement of these agencies in the undergrowth system;

e) absence of a causal link between the alleged lack of security measures and the alleged inadequacy of the governance of Enel Energia's telephone contacts - unfoundedness of the complaints referred to in points a) and b) of paragraph 1.3. of this provision - the Guarantor would attribute the cause of the consolidation of the wild telemarketing phenomenon to the lack of a single, specific security measure linked to the management of the credentials of the N.Eve platform. This would be based on a mere supposition, i.e. the alleged uploading of contracts by subjects not specifically authorised by Enel Energia, and would contradict the premises of provision no. 443 of December 2021, which would identify the incompleteness of the so-called "quality call" as the sole cause. Furthermore, Enel Energia sees elements of contradiction and "approximation" in the conduct of the investigation by the Guarantor, since not only would it have examined a single critical element in order to consider the entire privacy organisation of the telemarketing processing chain unsuitable, but it would have limited its investigations to the period from 2015 to 2021, thus excluding from its analysis the relevant security implementations adopted by the Company after 2020. The problems underlying the phenomenon of unwanted telemarketing can be traced back to much more complex issues, which concern the unfair conduct of some agents in the official supply chain, the limited powers of Enel Energia in terms of controls, and the role of public authorities such as the Guarantor, the police forces and the judicial authorities. Regardless, in any case, of the complexity of the phenomenon, in order to consider Enel Energia fully involved in the effort to combat the telemarketing undergrowth, primary consideration must be given to the Company's choice to activate, from 2020, an authentication system for access to its own systems with greater security and reliability than the previous ones;

f) EE cannot be blamed for the possible inadequacy of the N.Eve system and of the controls on the agency network - unfoundedness of the complaints relating to Articles 5, par. 1, letter f), and 32 of the Regulation, and 5, par. 2, 24 and 25 of the Regulation - given that the illicit telemarketing activities ascertained with provision no. 184 of 13 April 2023 were carried out by four companies not under contract with Enel Energia, and that the involvement of the agencies of the official sales network was made known to the Company only following the access to the documents on 26 July 2023, it is clear that, on the one hand, the only subjects who have benefited from the overall affair are those who operated behind Enel Energia's back, who maximised the advantages of so-called "energy tourism" (the repeated passage of customers from one company to another in order to gain maximum commissions in a limited time frame), a phenomenon that could only be fully reconstructed through detailed analysis of the confiscated databases. In fact, a summary analysis revealed that the number of contracts acquired in its favour by the four companies (9,344) is significantly lower than the number of contracts lost due to customers switching to another supplier (20,148). Also from the point of view of accountability, Enel Energia's choice to introduce a more secure authentication system, combined with the decision taken in July 2023 to eliminate the possibility of simultaneously accessing the systems with the same account from multiple devices, fully confirms that the Company has acted by adopting all the security measures required by the state of the art at the time of setting up the platform and the management process for the final phase of remote contracting, according to the standard of diligence required by Articles 24, 25 and 32 of the Regulation.

It should also be considered that, alongside the MFA authentication system, Enel Energia has included the interactions of operators with the N.Eve platform in the monitoring procedures envisaged in SEOL. In particular, SEOL monitors the data uploaded to N.Eve and generates alerts in the event of access to the system outside working hours, massive downloading of data, searches that generate massive lists of customer data, and use of unauthorised bots. To this it must be added that the procedures adopted by the Company for the verification of contracts (analysis of monthly averages for each individual agent, monitoring of unproductive agents, feasibility analysis of individual offers, verification of the traceability of sales kits to the agent to whom they were originally assigned, analysis of contract loading times, analysis of PODs to verify the existence of episodes of "energy tourism") are not reduced to a mere control of productivity but constitute an advanced system for monitoring the agencies' activity, aimed at measuring the quality of services by aligning the activities of all partners with standards of excellence and thus preventing possible malpractice. Enel Energia then adds that the introduction and subsequent strengthening, from May 2023, of the Quality Portal (with the analysis of the number of offers cancelled by customers and the withdrawal rate immediately following subscription to the offer) allows anomalous behaviour by the agencies to be identified with greater accuracy. Enel Energia concludes that these checks "to date have not revealed any anomalies. However, Enel Energia is evaluating an increase in controls on the management of paper contracts, which is also carried out using external suppliers".

In addition to the above considerations, Enel Energia added further considerations regarding the good faith and correctness of the Company, highlighting that since July 2023 the N.Eve platform has been configured so that each agency account can be used from only one device at a time. An automatic mechanism was therefore introduced whereby, if during a work session a second device attempts to connect with the same credentials, the system blocks access. At the same time, starting from April 2023, as part of SEOL, the Company developed and installed a monitoring system to control multiple access attempts in order to detect suspicious behaviour in contract uploading activities, both by agencies and by the commercial outlets managed directly by Enel Energia. Furthermore, the Company stated that it had taken steps to request information from its agencies on the matters referred to in the November 2022 inspection, with letters dated February 2023, and that it had suspended contractual relationships with these agencies as a precaution between June and August 2023. Enel Energia underlined that during the aforementioned inspection activities it informed the Guarantor that it had established a sort of black-list of agencies, and that this circumstance was used in the act initiating the procedure not to take into account the good faith and cooperation of the Company but, on the contrary, to highlight the irrelevance of its initiatives;

g) unfoundedness of the complaint regarding the violation of Article 28 of the Regulation - the clause of the standard agreement with the agencies according to which "any employees, sub-agents, auxiliaries and collaborators used by the Agency are under its exclusive responsibility and will therefore answer directly to the Agency itself, without any involvement of the Principal" does not violate Article 28 of the Regulation, since that article provides that the controller may give the processor (even general) authorisation to engage sub-processors and, in the chain of responsibility, the processor always remains liable to the controller for any illicit activity of the sub-processors: "Enel Energia, far from wanting to escape its responsibility, has obliged its processors to adopt specific clauses also in contracts with sub-processors and has also required processors to make available all useful information and to make themselves available for inspections".

Enel Energia finally drew attention to the fact that it is contrary to the rules on the concurrence of provisions, established in general terms by art. 9 of Law no. 689/1981 as well as by art. 83 of the Regulation, to hold that the same fact can be sanctioned for the violation of rules that were actually established to protect the same legal interest, one of which is special in relation to the other. This starting from the consideration that the rules alleged to have been violated in the act initiating proceedings no. 108535/173067 are an expression of the same general obligation of correctness of the processing, as foreseeable at the time of planning the processing.

During the hearing held at the Authority on 4 October 2023, Enel Energia recalled what was observed in the brief and further specified, with reference to the monitoring functions introduced in SEOL, that they return an alert when the operators of all physical channels, including agencies, make at least ten daily accesses to Enel Energia systems. When a further threshold of 50 daily accesses is exceeded, analytical checks are envisaged (analysis of the IP addresses and of the browser used for data transit) by the competent Enel Energia functions in relation to the activity of individual operators. These checks, carried out since April 2023 on all the agencies operating for Enel, including those that had uploaded the approximately 500 contracts indicated by the Authority, did not reveal any anomalies, in the sense that the multiple accesses were attributable to the same IP address and therefore, probably, to the same person.

As for the checks following the inspection of November 2022, Enel Energia stated that starting from the approximately 500 contracts made it possible to send a request for clarification to the various agencies involved, which communicated the names of the agents who had acquired the contracts then delivered to back-office operators for subsequent data entry. All the contracts were uploaded by the agencies' back-office operators, equipped with independent credentials, and not by the agents using their own. The agents were all duly designated by their respective agencies at the time the contracts were uploaded; however, by the time of the response to the Guarantor's requests in November 2022, they had all already been revoked by the agencies themselves. Only following the access to the documents carried out on 26 July 2023 was the Company able to learn that some of these agents had held various roles in Sesta Impresa (specifically Messrs. XX, XX and XX). The facts that emerged from the documents acquired during the access and the analyses carried out subsequently are condensed in a complaint to the judicial authority that is being prepared. The Company therefore sent the list of the above-mentioned agents on 13 October 2023.

3. ASSESSMENTS BY THE AUTHORITY

Although the Company's arguments were mostly concentrated (70 points out of a total of 129) on aspects of the formal legitimacy of the investigation rather than on the substance of the charges, the Authority deems it necessary to reverse this order of presentation, focusing primarily not on the formal consequences of the Guarantor's investigation but on those, much more serious and substantial, which may derive from an unsuitable configuration of the security measures safeguarding the information assets of Enel Energia and its customers.

The examination of the considerations expressed by Enel Energia in the defence brief and during the hearing leads, in fact, to the conclusion that they are not suitable for excluding or mitigating the Company's responsibility in relation to the disputed violations, for the reasons analytically set out here.

Starting therefore from the substantive aspects, it is worth underlining, before any consideration of what was stated by Enel Energia in exercising its right to be heard, that the Company was unable to provide its own version of, or any explanation for, the main fact, ascertained and documented, from which the entire proceeding originates: namely that a list of 595 users of the energy and gas market, to which 978 contracts can be traced back, found at two Veronese companies not contracted with Enel Energia, appears to have subsequently passed through two Tuscan companies, which admitted having carried out data-entry operations on the aforementioned contracts by accessing the Enel Energia portal without having their own authentication credentials, and that those contracts were almost entirely found within the Enel Energia systems.

Likewise, no explanation was provided regarding the circumstance, which is also undisputed since it was verified by Enel Energia itself when accessing the documents on 26 July 2023, that from 2015 to 2022 the Arnia cooperative, never contracted by the Company and indeed the subject of a specific warning for illegitimate use of the Enel brand, was able to secure the loading of approximately 9300 contracts in favour of the aforementioned energy company over approximately 8 years of activity.

In this regard, it is fair to point out that the Authority's investigation, starting from an episode that came by chance to the attention of the Guardia di Finanza (the investigations into some people who were going around the streets trying to enter homes despite the prohibitions connected to the pandemic emergency that was dramatically underway at the time), was complex and difficult to carry out because it had to reconstruct the path of the contracts illicitly acquired by the Veronese companies, from the single abusive agent up to the Enel Energia systems in which they were entered.

Therefore, what the Guarantor investigated was a web of relationships and incorrect practices that Enel Energia, from within and with more penetrating means, thanks to the contractual constraints on the sales network and the availability of resources relevant to the control of its partners and its systems, could easily have brought to light, also in light of the experience now acquired by almost all the large energy and telephone companies (which, not surprisingly, have completed, together with their sector, the difficult work of a Code of Conduct on the matter) of what the phenomenon of wild telemarketing has produced, and of how it can be eradicated by raising the quality of procedures, controls and security measures to a level appropriate to the pressure that the so-called undergrowth exerts on the official supply chains, which in Italy appears to be extraordinarily significant.

In light of these considerations, the fact that, even today, Enel Energia has not been able to provide timely responses and solutions to an episode as serious as it is significant denotes an approach that is still neither aware of, much less responsible toward, the complexity of the problem, in which the need expressed by Enel to also obtain in court a "declaration regarding the correctness of the management methods of the agency channel and teleselling currently in use by Enel Energia" appears to prevail over that of intercepting and combating the incorrect activities that have been verified in all their objectivity by the presence, within the Company's systems, of contracts acquired illicitly (on this point see the provisions of the Guarantor regarding telemarketing which have become irrevocable, referred to below).

As for the observations expressed by Enel Energia in the brief of 28 September 2023, on the merits, the Company first of all highlights the absence of a causal link between the lack of security measures and the inadequacy of the governance of telephone contacts, from which the unfoundedness of the complaints referred to in points a) and b) of paragraph 1.3. of this provision would follow.

In this regard, it should be noted that the complaint referred to in point a) concerns Enel Energia's failure to evaluate the risks associated with the use of the N.Eve platform and, specifically, the failure to adopt security measures suitable to avoid undue use of the authentication credentials for that platform. On this point it must be reiterated that the presence in one's CRM of contracts that should not have been there, and their uploading by unauthorised parties, does not represent, contrary to what the Company observes, a mere "theory", but a fact found in the declarations of the owner and employees of the Arnia cooperative ("Both the owner of the cooperative and the coordinator of the data-entry activities confirmed that they had entered the contracts coming from Mas s.r.l., which then became available to Sesta Impresa, by accessing the Enel Energia system, of which they also provided the exact name" - provision no. 184 of 13 April 2023), as well as in the results of the inspection activity at Enel Energia, from which it emerged that 595 customers, to whom 978 contracts for the supply of electricity and gas present in the lists of the Veronese companies relate, had flowed into the Company's CRM. To these elements must be added the circumstance, ascertained following the examination of what was confiscated from the Veronese and Florentine companies, that soc. coop. Arnia would have carried out uploads into the Enel Energia systems on a regular basis from 2015 until the end of 2022, entering a total of 9380 contracts, of which 1640 in 2022, 1490 in 2021 and 1660 in 2020 (years of full operation of the new authentication system).

The three elements mentioned above (the testimony at Arnia, the findings in Enel Energia's systems and the further verification from the examination of the confiscated material) provide evidence of a practice considered by the undergrowth agencies as completely ordinary and easy to implement, especially considering that it was carried out by ordinary data-entry operators and certainly not by sophisticated cyber-criminals; from this one must derive, ictu oculi, a judgment of significant vulnerability of the security measures and of the monitoring and control systems put in place to safeguard the information assets of the Company and its customers.

For the sake of completeness of the investigation, and also for the benefit of the Data Controller, the Office, with the in-depth analyses conducted in the technical report of 22 March 2023, nevertheless analysed the results of the extractions from the company systems provided by Enel Energia, from which it was found that "the use of MFA via Microsoft Authenticator does not, in itself, make it impossible for multiple subjects, even those not known to the Company, to share the same credentials given to an agent. In fact, Authenticator allows multiple verification devices to be connected to an account without disconnecting the previous devices. As indicated by Microsoft itself in the FAQ on the use of Authenticator: 'Adding Authenticator to the new device does not automatically remove the app from the old device. Even deleting the app from your old device isn't enough. You must delete the app from your old device and tell Microsoft or your organization to forget and deregister your old device.'"

On this point, the technical report significantly concludes that the risk of unauthorized operations can be avoided or reduced "by preventing, ex ante, multiple accesses by the same user by terminating the user session if another is established with the same credentials or denying the establishment of the new session", a measure which appears to have been actually implemented by Enel Energia (in July 2023) and which must be taken into account.
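The ex-ante measure the technical report describes, as an added example that is not code from the decision or from Enel Energia's N.Eve platform: a session store in which a login presenting credentials that already have a live session either terminates that session or is refused, so one credential cannot be used from two workstations at once. The account name, device identifiers, timestamps and idle timeout are all constructed for this illustration.

```python
"""Single-active-session enforcement for an agency portal account.

Added example: not code from the decision or from Enel Energia's N.Eve
platform. It models the ex-ante measure described in the technical report:
when a login arrives for credentials that already have a live session, either
terminate the earlier session or refuse the new one. Every account name,
device id and timestamp used here is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Policy(Enum):
    TERMINATE_OLD = "terminate_old"  # the new login wins, the earlier session is killed
    DENY_NEW = "deny_new"            # the earlier session wins, the new login is refused


@dataclass
class Session:
    account: str
    device_id: str
    last_seen: datetime
    active: bool = True


@dataclass
class SessionStore:
    policy: Policy
    idle_timeout: timedelta = timedelta(minutes=30)
    live: Dict[str, Session] = field(default_factory=dict)  # account -> its one live session
    events: List[Tuple[str, str, str]] = field(default_factory=list)  # audit trail for alerting

    def _expire_idle(self, account: str, now: datetime) -> None:
        s = self.live.get(account)
        if s is not None and now - s.last_seen > self.idle_timeout:
            s.active = False
            del self.live[account]
            self.events.append(("expired", account, s.device_id))

    def login(self, account: str, device_id: str, now: datetime) -> Optional[Session]:
        """Grant a session, or return None when the policy refuses the login."""
        self._expire_idle(account, now)
        current = self.live.get(account)
        if current is not None and current.device_id == device_id:
            current.last_seen = now        # same device re-authenticating: no second session
            return current
        if current is not None:
            if self.policy is Policy.DENY_NEW:
                self.events.append(("denied", account, device_id))
                return None
            current.active = False         # TERMINATE_OLD: the earlier workstation is cut off
            self.events.append(("terminated", account, current.device_id))
        session = Session(account, device_id, now)
        self.live[account] = session
        self.events.append(("granted", account, device_id))
        return session

    def touch(self, session: Session, now: datetime) -> bool:
        """Called on every request; False means the session may no longer be used."""
        if not session.active:
            return False
        self._expire_idle(session.account, now)
        if not session.active:
            return False
        session.last_seen = now
        return True

    def logout(self, session: Session) -> None:
        session.active = False
        self.live.pop(session.account, None)
        self.events.append(("logout", session.account, session.device_id))


def concurrent_login_scenario(policy: Policy) -> Tuple[List[str], List[str]]:
    """Replay a constructed scenario: device B presents the same credentials one
    minute after device A, while A's session is still live. Returns the devices
    that still hold a usable session afterwards and the audit events raised."""
    store = SessionStore(policy)
    t0 = datetime(2022, 12, 12, 11, 59, 33)
    a = store.login("agency42.backoffice", "device-A", t0)
    b = store.login("agency42.backoffice", "device-B", t0 + timedelta(minutes=1))
    later = t0 + timedelta(minutes=2)
    usable = [dev for dev, s in (("device-A", a), ("device-B", b))
              if s is not None and store.touch(s, later)]
    return usable, [kind for kind, _, _ in store.events]


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, concurrent_login_scenario(policy))
```

Under either policy exactly one workstation keeps a usable session, and the "denied" or "terminated" audit event is what a monitoring function would alert on.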

By contrast, the measure introduced in April 2023, which provides for alert thresholds, with unspecified effects, in the event that 10 or 50 daily accesses by the same user are exceeded, appears ineffective.

As for possible ex-post controls, the technical report, in addition to observing that, from the data on accesses and uploads extracted from the company systems, "the operators of some agencies are able to enter contracts into the N.Eve system at an absolutely remarkable rate (up to 10 contracts per hour for 2021 and up to 6 contracts per hour for 2022, for every hour of every working day, without breaks)" and that "in some cases, a few tens of seconds are enough for an operator to enter all the data of a contractual proposal (see for example operator XX or operator XX of XX or operator XX of XX)", also found from the access logs that "in fact, numerous and closely spaced login operations are traced (for example for an XX operator at 11:59:33, at 12:00:53, at 12:29:10 and at 12:31:30 on 12/12/2022) without any associated logout operation, although both operations are traced in the N.Eve logs". The circumstance is significant since multiple login operations, without each of them being matched by a correlated logout operation, are evidently attributable to simultaneous access from multiple workstations. These "suspicious" operations could easily be monitored by Enel Energia through selective checks on specific agencies, considering that some of them, compared to the average loading times of the Company's entire sales network, show averages 11, 12 and even 14 times higher.
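The two ex-post checks the technical report relies on, as an added example that is not code from the decision or from Enel Energia's systems: repeated logins on one account with no logout in between, and per-agency upload rates far above the network baseline. The log format, the agency and operator identifiers and every record are constructed (OP-1's login times mirror the sequence quoted in the report), and using the median agency rate as the baseline is an assumption of this example.

```python
"""Ex-post review of N.Eve-style access and upload logs.

Added example, not code from the decision or from Enel Energia's systems. It
implements the two ex-post checks the technical report relies on: (1) repeated
logins for the same account with no intervening logout, which point to
simultaneous sessions from several workstations, and (2) per-agency contract
upload rates compared with a network-wide baseline. The log format and every
record are constructed; OP-1's login times mirror those quoted in the decision.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    agency: str
    operator: str
    kind: str  # "login" | "logout" | "upload"


def parse_log(text: str) -> List[Event]:
    """Parse constructed 'ISO-timestamp;agency;operator;event' lines, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, agency, operator, kind = line.split(";")
        events.append(Event(datetime.fromisoformat(ts), agency, operator, kind))
    return sorted(events, key=lambda e: e.ts)


def unpaired_logins(events: List[Event]) -> Dict[str, int]:
    """Count, per operator, logins that arrive while an earlier login of the same
    account has not been closed by a logout. A single workstation cannot produce
    these, so each one is a simultaneous-session indicator."""
    open_session: Dict[str, bool] = defaultdict(bool)
    hits: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.kind == "login":
            if open_session[e.operator]:
                hits[e.operator] += 1
            open_session[e.operator] = True
        elif e.kind == "logout":
            open_session[e.operator] = False
    return dict(hits)


def upload_rates(events: List[Event]) -> Dict[str, float]:
    """Uploads per hour for each agency over its observed activity window
    (first to last event, floored at one hour)."""
    first, last, uploads = {}, {}, defaultdict(int)
    for e in events:
        first.setdefault(e.agency, e.ts)
        last[e.agency] = e.ts
        if e.kind == "upload":
            uploads[e.agency] += 1
    return {a: uploads[a] / max(1.0, (last[a] - first[a]).total_seconds() / 3600)
            for a in first}


def rate_outliers(rates: Dict[str, float], factor: float) -> Dict[str, float]:
    """Agencies whose upload rate exceeds `factor` times the network baseline.
    The baseline is the median agency rate (a design choice of this example), so
    a few extreme agencies do not drag the average up and hide themselves."""
    baseline = median(rates.values())
    if baseline <= 0:
        return {}
    return {a: round(r / baseline, 1) for a, r in rates.items() if r > factor * baseline}


def build_sample_log() -> str:
    """Constructed day of activity: AG-A's operator OP-1 logs in repeatedly
    without logging out and uploads every 20 minutes; AG-B and AG-C are quiet."""
    lines = [
        "2022-12-12T09:00:00;AG-A;OP-1;login",
        "2022-12-12T11:59:33;AG-A;OP-1;login",
        "2022-12-12T12:00:53;AG-A;OP-1;login",
        "2022-12-12T12:29:10;AG-A;OP-1;login",
        "2022-12-12T12:31:30;AG-A;OP-1;login",
        "2022-12-12T17:00:00;AG-A;OP-1;logout",
        "2022-12-12T09:00:00;AG-B;OP-2;login",
        "2022-12-12T10:00:00;AG-B;OP-2;upload",
        "2022-12-12T12:00:00;AG-B;OP-2;logout",
        "2022-12-12T13:00:00;AG-B;OP-2;login",
        "2022-12-12T14:00:00;AG-B;OP-2;upload",
        "2022-12-12T17:00:00;AG-B;OP-2;logout",
        "2022-12-12T09:00:00;AG-C;OP-3;login",
        "2022-12-12T11:00:00;AG-C;OP-3;upload",
        "2022-12-12T15:00:00;AG-C;OP-3;upload",
        "2022-12-12T17:00:00;AG-C;OP-3;logout",
    ]
    # 24 uploads for AG-A, one every 20 minutes from 09:00 to 16:40.
    lines += [f"2022-12-12T{9 + i // 3:02d}:{(i % 3) * 20:02d}:00;AG-A;OP-1;upload"
              for i in range(24)]
    return "\n".join(lines)


def review(text: str) -> dict:
    """Run both checks over a log and return the findings for an analyst."""
    events = parse_log(text)
    rates = upload_rates(events)
    return {"unpaired_logins": unpaired_logins(events),
            "upload_rates": rates,
            "rate_outliers": rate_outliers(rates, factor=5.0)}


if __name__ == "__main__":
    for key, value in review(build_sample_log()).items():
        print(key, value)
```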

While it is true that certain proof of the uploading of contracts into Enel Energia's systems by unauthorized parties could only be obtained by catching the operator concerned in the act of the illicit conduct (in any case a purely academic hypothesis), the evidence collected by the Authority and mentioned above, together with the Company's choice, represented during the inspection activity, to weaken the monitoring functions of the N.Eve platform on account of its riskiness, which it considered modest, is sufficient to fully demonstrate the hypothesis of violation formulated in chapter a) of the act initiating the procedure: in other words, the choices of Enel Energia connected to the assessment of the N.Eve system, and of the procedures for loading the contracts acquired through outsourced marketing activities, as carrying a modest risk were made despite the phenomenon of wild marketing being operated by a vast and branched underground world of agents and business touts who also operate by carrying out intolerable illegal activities, as documented in provision no. 184 of 13 April 2023, and despite the Company's sales network being made up of 210 agencies and 1288 accounts eligible for access to company systems. The result of this choice is represented by the gross activity in violation of the provisions of the Regulation, the Code and national laws carried out by the 4 Veronese and Florentine companies, which was easily and for a long time conveyed into the Enel Energia systems without the Company perceiving the slightest sign of it.

For these reasons, the hypothesis of violation referred to in chapter a), referred to in paragraph 1.3 of this provision, must be considered fully confirmed, for Enel Energia having omitted an adequate assessment of the risks connected to the N.Eve interface and, consequently, for having failed to adopt, towards the network of official agents, the appropriate measures to guarantee correct use of the access credentials to the company system and to avoid sharing the credentials between multiple subjects.

As for the second complaint, referred to in point b) of the heading, Enel Energia observed that the Company's liability cannot be recognized since, first of all, the illicit conduct would have been carried out by external parties, not included in the official sales network of the energy company and therefore necessarily outside its control regime, and, secondly, because the Company would in any case have set up a system of checks, through MFA, SEOL procedures and contract analysis, which meets the requirements identified by Articles 24 and 25 of the Regulation regarding the controller's responsibility and privacy by design.

In this regard, it is necessary to reiterate what was specifically highlighted in the document initiating proceedings no. 108535/173067, namely that the deficiencies found in Enel Energia's systems are reflected in the preparation of planning tools and knowledge of the processes aimed at carrying out processing of personal data within the company.

Enel Energia, a company of primary importance in the Italian economy, has the means and organization to be able to establish, in every production process, a virtuous circuit that becomes a paradigm of the best practices that can be adopted. As also observed in the past, the history, structure and organizational dimension of Enel Energia would have allowed this company, leader in the Italian energy market and always at the center of the economic-productive life of the country, even as a historical protagonist of the process of unification of the national electricity system, first, and of the privatization and liberalization process, then (as effectively stated on the enel.com website, which speaks of "Enel's transition from state utility to multinational integrated operator, listed on the stock exchange", cf. https://www.enel.com/it/impresa/storie/articles/2022/09/nuova-dimensione-internazionale), to prepare with due diligence cutting-edge organizational measures for the protection of data subjects, as well as appropriate and effective tools of control over the entire supply chain involved in the processing of personal data. The Company, also due to its important history, holds a very large quantity of personal data of the resident population and, on the other hand, know-how regarding the processing of such data also with regard to the promotional activities of its services, in the context of which it was able to make use of the Authority's interlocution and also of a significant precedent of measures that the Guarantor has adopted in the last 4 years, suitable for tracing the path both for correct data processing and for establishing a valid fight against illegal marketing.

From this perspective, if Articles 24 and 25 of the Regulation require each data controller to demonstrate "to what extent the data controller has done what could be expected of it given the nature, purposes or extent of the processing, and how it has managed to prove what it did", the matter analyzed in today's provision returns a judgment of serious insufficiency regarding the actions prepared and then actually implemented by Enel Energia, if only through the observation that effective measures would certainly have prevented an infiltration of illicit contracts for such a long term (as far as is known, from 2015 to 2022).

The extremely large number of the Company's network of agencies and the users authorized to upload contracts should have led the company to create and structure a system of checks suitable to allow full control of the outsourced processes, to be carried out with timely feedback on the contracts acquired, on the correctness of the compilation, on the presence or absence of corrections, and with checks and audits aimed at ensuring that what was represented by the Agencies in the contractual commitments with the Company corresponded to their actual operations.

What emerged from the contracts inspected, however, was that all of them, even the minimum sample displayed in a digitized copy, were found to have been acquired illicitly by the Veronese and Florentine companies and were present where they should not have been, namely in Enel Energia's systems, and above all they showed deletions and discrepancies, in particular with reference to the agencies of origin. Even this last element could not fail to induce the Company to carry out targeted controls regarding obvious activities of alteration of the official documentation, which would certainly have revealed illicit conduct.

Furthermore, it cannot fail to be highlighted, as admitted and documented by Enel Energia itself, that as many as 164 contracts from the list of 978 present in the energy company's systems, illicitly acquired by the Veronese and Florentine companies, were "procured" by XX, director of one of the two Florentine companies, who had appeared on the Enel Energia blacklist since the time of the November 2022 investigations. The related contracts were all acquired by the XX agency, and in this regard it is legitimate to observe that a close control of the aforementioned agency and others with similar problems, even with random checks, would certainly have brought to light significant anomalies in relation to the matter referred to in today's provision and, in all likelihood, also in relation to similar conduct which has still remained submerged because it has not come to the attention of the Guarantor (and in this regard it should be noted that another agent present in the Enel Energia black-list also appears to have acquired some of the 978 contracts, in this case attributable to the XX agency). It must also be reiterated what was highlighted in the complaint regarding the overall activity of the Agencies, where some of them uploaded up to 50,000 contracts in two years, despite having only one user enabled for uploading and a total of 6 employees.

It is therefore very clear, from the above observations to which must be added those reported in the general considerations of this paragraph, that Enel Energia has not used all the information it necessarily has at its disposal, being able to segment the operations of the Agencies and being able to carry out checks on site, not even when the aggregate data returned production levels worthy of attention and not even when agents who ended up on the company black-list turned out to be among the most active business procurers of some well-identified agencies.

As regards the functionality of the SEOL system and the MFA procedure, we must refer to what has already been observed in relation to the complaint under a), reiterating that the choice to weaken the controls envisaged in SEOL, and that of adopting an authentication procedure which did not exclude the possibility of multiple accesses with the same credential on the Enel Energia systems, reflects a deliberate choice of the data controller made on the basis of an assessment of the N.Eve system as not high risk. An assessment which, when tested by the facts, proved to be incorrect.

Furthermore, Enel Energia did not provide the adequate evidence, required by art. 5, par. 2, of the Regulation on accountability, to demonstrate that its choices regarding the processing of personal data follow a logic of effective containment of the serious phenomenon of wild telemarketing fueled by the underworld of "de facto" agencies, even though these choices differ from the models suggested several times by the Guarantor (for all, the provisions that have become irrevocable no. 7 of 15 January 2020, in www.gpdp.it, web doc. no. 9256486; no. 143 of 9 July 2020, web doc. no. 9435753; no. 144 of 9 July 2020, web doc. no. 9435774; no. 224 of 12 November 2020, web doc. no. 9485681; no. 112 of 25 March 2021, web doc. no. 9570997; no. 192 of 13 May 2021, web doc. no. 9670025; no. 182 of 14 April 2023, web doc. no. 9894631) and fully outlined in the Code of Conduct for telemarketing and teleselling activities, presented by the trade associations (XX, XX, XX, XX, XX, XX, XX, XX) on 10 November 2022, after having been subjected to consultation with the most representative subjects of the categories involved from 21 July 2022 to 9 September 2022, and approved by the Guarantor with the aforementioned provision no. 70 of 9 March 2023.

The complex of considerations set out so far leads us to believe that the hypothesis of violation referred to in point b) of the heading is fully confirmed.

As for the dispute under c), having taken note of what was observed by Enel Energia, it must be highlighted that, having examined the standard contract with the agencies provided by the Company during the November 2022 inspection, it is noted that it does not provide what is established by art. 28, par. 4, of the Regulation, namely that "where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation". In the standard contract, reference is made, as highlighted in the dispute, only to the second part of the aforementioned provision, relating to the transfer of responsibility from the controller to the processor in relation to the actions of the sub-processor, a transfer which, from a systematic interpretation of the article, must be considered effective only in the case of exact application of the first part.

Furthermore, the fact that the standard contract does not impose any obligation on the processor to regulate its relationships with the sub-processor in the same way the controller intended to regulate those with the processor itself can be seen from the simple observation that, while the standard Enel Energia - Agency contract consists, between the main part and annexes, as a rule of over 150 pages, the relationships between agencies and sub-agents are crystallized in very short agreements of a few pages in which reference is almost never made to the main Enel Energia - Agency contract and in some cases the underlying relationship with the energy company is not even mentioned in the introduction.

All this must certainly have been known to Enel Energia if what is stated in the standard contract between it and the Agencies is true, namely that "within ten days of the signing of this contract, the Agency undertakes to provide the Principal, by certified e-mail, with the list and details of the following subjects whom it intends to use: i) sub-agents, auxiliaries and collaborators".

From the above considerations it emerges that the standard contract that Enel Energia has prepared to regulate relations with the Agencies does not provide for the correct inclusion of any sub-processors in the circuit of controller-processor relations and data exchange, limiting itself to identifying a sort of total discharge of responsibility of the Company without this corresponding to full awareness and equally complete control of the processing possibly carried out by subjects identified by the processors. From this perspective, the observation reported in the complaint, namely that "a provision such as that provided for in number 6.4. of the contract between Enel Energia and the Agencies appears to deviate from this "chain of responsibility" which goes back from the sub-agent to the controller, formalizing, in fact, a release of responsibility for the controller, justified with the existence of a sort of "terrae nullius" – that of the sub-processors – where the controller cannot and does not want to enter", provides the correct description of the reporting system that Enel Energia has set up with reference to the activities of processors and sub-processors in the telemarketing sector, a reporting system which appears to confirm the hypothesis of violation of art. 28 of the Regulation.

Coming to the numerous observations made by Enel Energia in relation to alleged procedural violations by the Authority which would have directly affected the legitimacy of the act initiating the procedure and the overall investigation, it is necessary to proceed with a detailed analysis.

It is also a priority duty to reject as unacceptable and extremely serious the considerations expressed by Enel Energia's defense regarding the performance by the Guarantor of investigative activities in violation of the principle of trust, with the intention of misleading its interlocutor regarding the correctness of its conduct. From this point of view it is surprising that Enel Energia considered the complex of activities carried out by the Guarantor to bring to light serious episodes of unwanted telemarketing as detrimental to the good faith of the Company, which was initially kept in the dark about the investigation underway at the four Veronese and Florentine companies and then subject to investigative measures such as an inspection, followed by a "surprise" notification of administrative violations; all in a context of alleged violation by the Guarantor of the principles of good performance and correctness of the public administration.

In this regard, it must be highlighted that the complaint is completely unfounded and specious. Enel Energia, in demanding to be promptly informed of the Guarantor's preliminary proceedings, even when addressed to other subjects, in addition to denoting an evident confusion of roles with the internal audit activity carried out in the company, distorts the normal course of an investigation by an independent administrative authority, which can take place, in particular due to the extensive investigative powers that art. 58, par. 1 of the Regulation grants the Guarantor, through a wide range of activities to be modulated based on the principle of administrative discretion, especially in cases of greater complexity, also to protect the authenticity of the evidence collected and the confidentiality of any third parties. Activities which, however, in today's proceedings did not translate into the adoption of "surprise" actions, given that the inspection was pre-announced and accompanied by extensive documentation, and the subsequent steps appear in line with the provisions of the law, with the internal regulations of the Office and with the constant application practice at the Authority.

The inspection activities at Enel Energia, planned and carried out immediately after the conclusion of the investigation relating to the four Veronese and Florentine companies (closing of the investigation against the 4 companies on 15 November 2022, inspection at Enel Energia on 24 and 25 November 2022, announced to the Company on 23 November 2022), were carried out, moreover, with the use of the collaborative dialogue envisaged by art. 157 of the Code, ordinarily adopted by the Guarantor precisely to keep the dialogue with controllers alive and constant.

During these activities, the Company was provided with the documentation, including copies, relating to the contracts believed to have infiltrated the company systems, with a precise indication of the hypothesized responsibilities. Even subsequently, and in particular with an email dated 16 January 2023 sent to the Company's DPO, the Office reiterated, at the request of the same DPO, that "the documents made available to Enel Energia during the inspection activity can certainly be used (being, moreover, contractual documentation pertaining to the Company) in order to implement all the organizational measures deemed necessary and/or appropriate within the framework of the principle of accountability and in the adoption of internal measures aimed at its sales network".

To this it must be added that the Guarantor, with Measure no. 70 of 9 March 2023 (in www.gpdp.it, web doc. no. 9868813), and therefore long before the adoption of the act initiating proceedings against Enel Energia, approved the Code of Conduct regarding telemarketing and teleselling which, in art. 5, paragraph 8, identifies, as the controller's obligation, that the controller prepares "the platform for the registration of contract proposals in such a way that the traceability of the operations carried out is guaranteed, adopting, for example, authentication procedures that: a) prevent access to the platform with the same credentials from multiple locations at the same time; b) prevent access from different IP addresses or through authentication methods that do not comply with those authorized for each call center/teleseller/agency at the time of attribution of credentials; c) assign individual authentication credentials for each operator authorized to carry out insertion operations; d) allow the identification of the authorized operator even in the event of telephone contact with the assistance service". Even if this Code of Conduct is not, at present, fully operational, its approval (and the previous public consultation launched on 18 July 2022) indicates to all controllers the "best practice" in terms of security that the Guarantor deems suitable to avoid or at least minimize the risks of unauthorized access and data infiltration into company platforms.
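Letters a) to c) of the Code of Conduct provision quoted above, together with the ex ante measure the technical report recommended earlier in this provision (terminating the existing session when another is opened with the same credentials, or denying the new one), amount to a small session-policy component in front of a contract-upload platform. The block below is an added example written for this page, not code from Enel Energia, the Garante or the Code of Conduct; the credential directory, the agency networks, the two conflict policies and the audit trail are constructed assumptions used to show how the rules interact.

```python
"""Ex ante session policy of the kind the telemarketing Code of Conduct
(art. 5, par. 8, letters a-c) describes: one live session per credential,
source networks bound to the agency the credential was assigned to, and
individual credentials per operator, with every decision written to an
audit trail so operations stay traceable.
Added illustration for this page; not Enel Energia or Garante code.
"""
import ipaddress
import itertools

# Constructed directory: one credential per named operator (letter c).
CREDENTIALS = {
    "op01": ("Operator One", "AG-A"),
    "op02": ("Operator Two", "AG-A"),
    "op77": ("Operator SevenSeven", "AG-B"),
}
# Constructed: networks each agency declared when credentials were assigned (letter b).
AGENCY_NETWORKS = {
    "AG-A": [ipaddress.ip_network("10.0.0.0/24")],
    "AG-B": [ipaddress.ip_network("10.1.0.0/24")],
}


class SessionRegistry:
    """Tracks live sessions and enforces one session per credential (letter a).

    on_conflict selects what happens when a credential that already has a
    live session logs in again: "deny_new" refuses the new login,
    "terminate_existing" invalidates the old session and accepts the new one.
    These are the two alternatives the technical report put forward."""

    def __init__(self, on_conflict="deny_new"):
        if on_conflict not in ("deny_new", "terminate_existing"):
            raise ValueError("unknown conflict policy")
        self.on_conflict = on_conflict
        self.active = {}      # credential -> live session id
        self.sessions = {}    # session id -> session record
        self._ids = itertools.count(1)
        self.audit = []       # (event, credential, detail) tuples

    def login(self, credential, source_ip):
        if credential not in CREDENTIALS:
            return self._refuse(credential, "unknown credential")
        _operator, agency = CREDENTIALS[credential]
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in AGENCY_NETWORKS.get(agency, [])):
            return self._refuse(credential, "source network not authorized for agency")
        if credential in self.active:
            if self.on_conflict == "deny_new":
                return self._refuse(credential, "session already active")
            old = self.active.pop(credential)
            self.sessions[old]["valid"] = False
            self.audit.append(("terminated", credential, old))
        sid = next(self._ids)
        self.sessions[sid] = {"credential": credential, "agency": agency,
                              "ip": source_ip, "valid": True}
        self.active[credential] = sid
        self.audit.append(("login", credential, sid))
        return {"ok": True, "session": sid}

    def _refuse(self, credential, reason):
        self.audit.append(("refused", credential, reason))
        return {"ok": False, "reason": reason}

    def is_valid(self, sid):
        return self.sessions.get(sid, {}).get("valid", False)

    def logout(self, sid):
        s = self.sessions.get(sid)
        if s and s["valid"]:
            s["valid"] = False
            self.active.pop(s["credential"], None)
            self.audit.append(("logout", s["credential"], sid))
            return True
        return False


def demo(policy):
    """Replay the situations from the provision under a given policy:
    a second login with the same credential from another station, and a
    credential of one agency used from another agency's network."""
    reg = SessionRegistry(policy)
    first = reg.login("op01", "10.0.0.5")
    second = reg.login("op01", "10.0.0.9")   # same credential, another station
    foreign = reg.login("op77", "10.0.0.5")  # AG-B credential from AG-A's network
    return reg, first, second, foreign
```

Under "deny_new" the second station never gets in; under "terminate_existing" it gets in but the first session stops working at that moment, so shared credentials become unusable in practice either way, and the audit trail records which of the two happened.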

We understand once again the absolute groundlessness of the defensive consideration that Enel Energia would have been "caught by surprise by the new Dispute of 14 July 2023", the Authority having over time adopted a line of dialogue with the Company, equal to that undertaken with the other controllers, characterized by the maximum possible transparency and collaboration, in light of the needs, although worthy of consideration, of confidentiality related to the need to effectively carry out investigative activities towards numerous subjects.

Violation of the terms of the procedure for having notified the notice of dispute more than 120 days from the date of the assessment (as required by regulation no. 2/2019 of the Office of the Guarantor), which Enel Energia considers to coincide with the date on which the Company sent the documentation that it had reserved the right to produce during the inspection (sending of documents by Enel Energia: 16 December 2022; deadline for notification: 16 March 2023).

On this point, it is necessary to start from a completely undisputed jurisprudential fact, namely that "assessment" refers not to "the mere news of the hypothetically sanctionable fact in its materiality, but to the acquisition of full knowledge of the illicit conduct, implying verification (for the purpose of a correct formulation of the complaint) of the existence and consistency of the infringement and its effects" (Council of State, Section VI, Sentence 4 October 2022, n. 8503).

Therefore, excluding the possibility that the date of the assessment could be the one indicated by Enel Energia, for a correct reconstruction of the effective date of the terms above it is necessary to refer instead to the date of notification of the act of initiation of the administrative procedure with communication of the alleged violations, carried out on 14 July 2023 at the Company's digital address. Proceeding backwards 120 days from that date we reach 16 March 2023: if one or more significant assessment documents fall within the time interval between 16 March 2023 and 14 July 2023, the notification of the notice of dispute must be considered within the deadlines.

Even without wanting to draw on constant jurisprudence (for all, Court of Cassation, Civil Section II, Sentence 30 March 2023, no. 9022 - "the deadline for contesting the offenses starts from the moment of the relevant assessment, which does not necessarily coincide with that of the mere observation of the facts in their materiality nor with that in which the reports or final reports of those in charge of the investigations were deposited or in any case made available to the bodies of the supervisory authority competent for the relevant examination, having to take into account, for this purpose, the time strictly necessary so that, at the end of the preliminary checks, the finding of the facts could have been translated into an assessment") which highlights the need to place the act of assessment in a period subsequent to the knowledge by the Authority of the facts in their materiality and the receipt of documents or exhibits, it is noted that in the time interval between 16 March 2023 and the day of notification of the notice of administrative violations, various elements necessary to evaluate the existence and consistency of the violations carried out by Enel Energia entered the documents of file no. 173067, relating to today's proceedings, and in particular:

- the report drawn up by the technological division of the Authority, which was called to examine the documentation relating to the SEOL system and the MFA authentication procedure, documentation which was received on 31 January 2023 from Enel Energia via the Guardia di Finanza and which was devoid of precise technical notations. This report, drawn up and filed on March 22, 2023, outlined the scope of existence of Enel Energia's conduct and was attached in full to the notice of dispute;

- provision no. 184 of 13 April 2023, referred to several times in today's proceedings and also fully attached to the complaint, which is inserted as a logical and factual premise with respect to the conduct of Enel Energia and which defines the scope of the phenomenon that the Company has instead underestimated;

- the inspection activities carried out on 17-19 April 2023 at XX., with documents received on 14 June 2023, which made it possible to acquire elements regarding the consistency of the violations in terms of financial benefits achieved (as required by art. 83, par. 2, letter k), of the Regulation), also in relation to the loss of market shares of direct competitors, given that the contracts illicitly acquired by the Veronese and Florentine companies and found in the Enel Energia database mostly come from customers of XX and the illicit acquisition activities in favor of Enel Energia were carried out by one of the Veronese companies, official agent of XX;

- the examination of the databases confiscated from the Veronese and Florentine companies on 6 June 2023, with findings delivered to the Authority on 16 June 2023, which made it possible to determine the consistency of the data flow from the Veronese and Florentine companies to Enel Energia and the duration of the illicit conduct (circumstances which are relevant for the assessment of the seriousness of the conduct, also with reference to what is expressly indicated in art. 83, par. 2, letter a), of the Regulation).

In light of the above and in consideration of the particular degree of complexity of the investigations carried out in the case in question, it is believed that the deadlines for the notification of the notice of administrative violations to Enel Energia have been fully respected, as this occurred as soon as 28 days (instead of 120) after receipt of the last documents necessary for the complete evaluation of the matter.

Violation of the principle of ne bis in idem (lis pendens and res judicata) due to the identity of the disputes in today's proceedings compared to those from which provision no. 443 of 16 December 2021, against Enel Energia, originated, canceled by the Court of Rome with sentence of 13 February 2023, filed on 13 January 2024.

In this regard, it must be preliminarily highlighted that the ruling of the Court of Rome of 13 February 2023 - 13 January 2024 does not in any way examine the content aspects of the administrative procedure defined with provision no. 443 of 16 December 2021, but only the controversial issue of the deadline for contesting administrative violations (which, it is reiterated, the aforementioned Regulation no. 2/2019 of the Office of the Guarantor identifies as 120 days from the assessment act) and the relationship between this deadline and the overall structure of the investigative activities carried out by the Office. Nothing to do with the investigation of today's provision, opened in November 2022 and concluded after less than eight months, based on a tight sequence of documents which has been fully accounted for in the previous paragraph.

From the annulment of the previous provision, no assessment of merit can therefore be deduced to the advantage of Enel Energia's defense, nor can a "license" of lawfulness and legitimacy be obtained for the entire set of processing operations carried out.

Furthermore, it should be highlighted that provision no. 443/2021 was adopted at the end of a procedure initiated at the request of a party (135 complaints and reports from Italian data subjects), in order to provide feedback and verify what was complained about, regarding very specific situations at various moments in time.

On this point it must be noted that there is no identity between the complaints underlying provision no. 443 and the current disputes. In addition to the fact that provision no. 443 examined a variety of activities carried out by Enel Energia (telemarketing without consent, telemarketing in violation of the regulations of the Registry of Objections, late feedback on the exercise of the rights of data subjects, promotional calls with automated systems, sending of promotional text messages, sending of invoices to incorrect addresses, improper association of telephone numbers with energy users, non-compliant management of the so-called Single Profile - online customer area, critical issues in signing up to the Company's loyalty program) which constituted multiple offenses related to different regulatory provisions (14 violations, including, by way of example only, art. 5, par. 1, letter a), as well as art. 12 of the Regulation or article 130 of the Privacy Code), it must be highlighted that, focusing attention only on telemarketing activities, the disputes referred to in the first provision took into consideration the correct legal basis of the activities directly carried out by Enel Energia and by its sales network and the measures adopted by the Company to identify and block contracts acquired following promotional contacts carried out in violation of the provisions regarding lawfulness of processing, aspects which in the current proceeding have not been taken into consideration since the activities of the four Veronese and Florentine companies were found to be fundamentally illicit, as they were set up in the absence of any contractual and operational link with the energy company. Provision no. 443, furthermore, did not examine the aspects relating to the security measures applied by Enel Energia on the systems responsible for managing contracts and customer data, a topic which is instead at the center of the current proceeding, nor the related aspect of monitoring of critical events, which evidently pertains to a subsequent phase compared to that examined with the first measure, relating to the moment of promotion of the services.

It should also be noted that the hypothesis of lis pendens and violation of the principle of ne bis in idem, net of what has been observed above, is currently entirely hypothetical and, in any case, the request made by Enel Energia to the judge of first instance for a "declaration regarding the correctness of the management methods of the agency channel and teleselling currently in use" at the Company certainly cannot exempt the Authority from opening new proceedings and starting new investigations in the event that it becomes aware of facts and circumstances capable of constituting hypotheses of violation of the relevant regulations on the protection of personal data towards the same controller.

Even if there were a formal coincidence between the provisions referred to in provision no. 443/2021 and those in today's provision, it cannot be said in any way that there is a substantial coincidence. In fact, if we consider, for example, the violation of the principle of accountability, referred to in art. 5, par. 2 of the Regulation, the latter within Measure no. 443/2021 had been ascertained in close correlation to the lawfulness of the original acquisition of the data and/or the first contact of the potential customer. Differently, today's provision frames the violation of the principle of accountability, and of the related provisions inherent to the obligations of the data controller, in terms of the organizational deficiencies in processing security and of the basic choices in the design and structuring of the control system.

It is worth highlighting that the general principle written in the art. 5, par. 2, of the Regulation, allows the Supervisory Authority to also ascertain liability of omission on the part of the data controller in relation to different and various cases as well as in reference to distinct other obligations and principles of data protection.

The Authority, in exercising its corrective powers and carrying out the tasks assigned to it by the Regulation, can concentrate its attention on individual aspects and certain procedures, in particular with reference to production entities having particularly complex structures and organisations, and can therefore deal with the same controller several times, a hypothesis expressly provided for by the Regulation itself which, in art. 83, par. 2, letters e) and i), requires the Authority to take into account "any previous relevant violations committed by the data controller or data processor" and "if measures referred to in Article 58, paragraph 2, have previously been ordered against the data controller or data processor in question relating to the same object, compliance with such measures".

From this point of view, it is hardly necessary to recall that the processing of personal data consists of a multiplicity of operations, which involve a large number of subjects and cannot be regarded as a single whole that is either lawful or unlawful; proof of this is that, several times in the recent past, the Authority has adopted measures against the same controller, even within a short time, measures which examined the whole set of processing operations and led to the application of corrective and sanctioning measures, even of significant magnitude (see, among others, orders no. 7 of 15 January 2020 and no. 183 of 13 March 2023; no. 224 of 12 November 2020 and no. 379 of 10 November 2022, all against major telephone companies).

Partial denial of the right of documentary access and prejudice to the adversarial process, since, during the access of 26 July 2023, the Authority did not grant Enel Energia the possibility of extracting a copy of the database containing the contracts allegedly uploaded by the Arnia cooperative.

In this case too it is necessary to reconstruct the facts more precisely. Following the publication of provision no. 184 of 13 April 2023, Enel Energia sent, via PEC on 15 June 2023, a request for access to administrative documents with reference to "every act and document relating to the preliminary investigation for the issue of the Measure of 13 April 2023, including confiscation", pointing out that it was "in the interest of Enel Energia S.p.A. [to] verify whether the facts and documents that gave rise to the Measure of 13 April 2023 also involve the companies regularly contracted by Enel Energia, in order to take any consequent initiative for its own protection". Enel Energia's request for access to the documents was therefore presented before notification of the notice of dispute and thus, obviously, not for purposes related to the exercise of the right of defence.

The Authority replied on 14 July 2023, communicating that "part of the information requested can be found in the full version of the repeatedly referenced Provision no. 184/2023, which is attached here […]. We also inform you, pursuant to articles 4, paragraph 1, and 5, paragraph 2, of internal regulation no. 1 of 2006, of the willingness to allow access to the additional documentation requested by viewing the documents at the Office of the Guarantor". Access took place on 26 July 2023 from 11am to 4pm: during this access Enel Energia was able to view all the documents in file 173067, including the documentation confiscated from the Veronese and Florentine companies, and acquired a copy of the approximately 600 pages of the investigation file. Furthermore, although the request for access of 15 June 2023 was not strictly related to the exercise of the right of defence, upon specific request of the Company's lawyers ("considering the high number and complexity of the disputes handled, the deadline for the presentation of the defence submissions is extended by at least 15 days, and in any case until 28 September 2023, in accordance with art. 13, paragraph 3, of the Authority's Regulation no. 1/2019; the aforementioned deadline of 28 September 2023 applies only on condition that the Authority allows Enel Energia to view the documents on 26 July 2023, as already requested, or, at the latest, by 31 July 2023, failing which the deadline for submitting the defence submissions must also be recalculated"), the Office granted an extension for the presentation of the defence statement, in order to allow the fullest exercise of the right of defence.

In light of the above reconstruction, an infringement of the right of defence to the detriment of Enel Energia must be excluded, considering, first, that the Company's request for access to the administrative documents was presented well before notification of the disputes and therefore, as noted above, for purposes not attributable to the exercise of the right of defence and, secondly, that the access took place with absolute urgency and without time limits for consultation, taking into account all the needs of the party.

As for the content of the access, it should be noted that Enel Energia was able to view all the documents used to contest the administrative violations, i.e. all the documents in file 173067 including the confiscation documents, and was able to extract copies (about 600 pages) of all the documents relating to the preliminary investigations. As for the confiscation documents, only viewing was permitted (which in any case allowed the Company to verify not only the overall number of users entered into the company systems following the illicit activities of the Veronese and Florentine companies, the only data used in the notice of dispute, but also those believed to have been released), owing to the main function of confiscation itself, which is to remove items intended for illicit uses and which therefore cannot be reintroduced into free circulation, all the more so as they were mostly electronic documents and spreadsheets, in the same format that had allowed their improper use.

Apparent concurrence of rules and violation of art. 9 of law no. 689/1981 and art. 50 of the Charter of Fundamental Rights of the European Union, since the Guarantor considered that the same fact can be sanctioned for the violation of rules actually established to protect the same legal interest, one of which is special with respect to the other. In other words, according to Enel, the rules alleged to have been violated in the notice of dispute would be an expression of the same general obligation of correctness of the processing, as foreseeable at the time of designing the processing. In this regard, without prejudice to what is stated in Guidelines no. 4/2022 of the European Data Protection Board (version adopted on 24 May 2023), which address this specific aspect only in an exploratory manner, it must be noted that the only principle expressly codified in Italian law as a general criterion for resolving apparent concurrence is that of speciality (art. 9 of law no. 689/1981), as indeed indicated by the case law cited in the defence brief (point 149). That said, since the rules referred to in the complaint do not appear to stand in a relationship of speciality to one another, the corresponding violations are correctly contested, as they can be configured independently. In any case it should be borne in mind that art. 83, par. 3 of the Regulation expressly provides for legal cumulation in the case of a plurality of contested offences relating to the same type of processing, an eventuality which applies in this provision.

In light of all the considerations set out above, it is deemed necessary to confirm the responsibility of Enel Energia with reference to the violations contested in the aforementioned act initiating the proceedings of 14 July 2023, no. 108535/173067.

4. CONCLUSIONS

In light of the above, Enel Energia's responsibility for the following violations is deemed established:

a) articles 5, par. 1, letter f), and 32 of the Regulation, for having failed to carry out an adequate assessment of the risks connected to the N.Eve interface and, consequently, for having failed to adopt, towards the network of official agents, appropriate measures to guarantee correct use of the access credentials to the company system and to prevent the sharing of those credentials among multiple subjects, thus allowing contract proposals acquired by subjects not authorised to process personal data or to access the Company's systems to be entered into Enel Energia's information and contractual system;

b) articles 5, par. 2, 24, par. 1, and 25 of the Regulation, for having failed to counteract effectively the incorrect actions of some agencies which, in fact, acted with the aim of procuring contracts for Enel Energia, by exercising (and being able to demonstrate) in a full and conscious manner the responsibilities that correspond to the duties of accountability and privacy by design (through elements of prevention, functionality and system security, as well as transparency of processing and centrality of the data subject);

c) art. 28 of the Regulation for, on the one hand, having stipulated contracts with its agencies which formally provide for a division of responsibility that does not correspond to the concrete structure of the processing chain and is lacking in terms of the data controller's control obligations and, on the other hand, for not having stipulated, or ensured that the necessary legal documents were stipulated, with those subjects who were allegedly unknown but in reality, as shown by the preliminary findings, known and actively and fully integrated in the sales chain of the Company's services.

Having also ascertained the unlawfulness of the Company's conduct with reference to the processing operations examined, it is necessary to:

- order Enel Energia, pursuant to art. 58, par. 2, letters d) and e) of the Regulation, to communicate to the 595 data subjects, whose personal data entered the Company's systems following the illicit acquisitions by the Veronese and Florentine companies, the outcome of today's proceedings on the basis of a text to be agreed with the Authority when implementing this provision;

- order Enel Energia, pursuant to art. 58, par. 2, letter d) of the Regulation, to provide adequate documentation certifying the implementation of security measures that prevent simultaneous access to the N.Eve system with the same authentication credentials;

- order Enel Energia, pursuant to art. 58, par. 2, letter d) of the Regulation, to introduce further measures so that the traceability and effective monitoring of the operations carried out and of critical events on the N.Eve system are guaranteed and access from IP addresses other than those attributed to each agency is prevented;

- order Enel Energia, pursuant to art. 58, par. 2, letter d) of the Regulation, to ensure that the agencies stipulate with any sub-agents contracts that are fully compliant with the standard contract stipulated between Enel Energia and the agencies themselves and in which the distribution of responsibilities in the processing of personal data is clearly set out as required by art. 28 of the Regulation;

- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Enel Energia of the pecuniary administrative sanction provided for by art. 83, par. 3 and 5 of the Regulation.
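The second and third orders above describe three concrete controls: no simultaneous use of one credential, per-agency source-address restriction, and an audit trail that makes misuse traceable. As an added illustration, not taken from the decision, from the Garante or from Enel Energia, the following Python sketch shows how a login gateway for an agent-facing CRM can enforce these controls, and how a monitoring rule over the resulting trail flags a credential used from several addresses in a short window. The agency names, credential ids, networks (RFC 5737 documentation ranges) and log entries are constructed for the example; nothing is assumed about how N.Eve itself is built.

```python
"""Added example: login gateway enforcing one session per credential and a
per-agency source-network allowlist, with an audit trail and a monitoring
rule that detects shared credentials. All identifiers are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed mapping: networks attributed to each agency (documentation
# ranges, not real agency addresses).
AGENCY_NETWORKS = {
    "agency-north": [ip_network("203.0.113.0/24")],
    "agency-south": [ip_network("198.51.100.0/24")],
}
# Constructed mapping: the agency each credential was issued to.
CREDENTIAL_OWNER = {"agent-0042": "agency-north", "agent-0077": "agency-south"}

SESSION_TTL = timedelta(minutes=30)  # assumed idle lifetime of a session


@dataclass
class Session:
    credential: str
    source_ip: str
    last_seen: datetime


@dataclass
class Gateway:
    active: dict = field(default_factory=dict)  # credential -> live Session
    audit: list = field(default_factory=list)   # append-only event trail

    def _record(self, event, credential, source_ip, now, **extra):
        # Every decision, allowed or refused, lands in the audit trail.
        self.audit.append({"ts": now.isoformat(), "event": event,
                           "credential": credential, "ip": source_ip, **extra})

    def login(self, credential, source_ip, now):
        """Return 'ok' or the reason the login was refused."""
        agency = CREDENTIAL_OWNER.get(credential)
        if agency is None:
            self._record("login_denied", credential, source_ip, now,
                         reason="unknown_credential")
            return "unknown_credential"
        # Control 1: a credential may only be used from the networks
        # attributed to the agency it was issued to.
        if not any(ip_address(source_ip) in net for net in AGENCY_NETWORKS[agency]):
            self._record("login_denied", credential, source_ip, now,
                         reason="ip_not_attributed")
            return "ip_not_attributed"
        # Control 2: one live session per credential. A login from a second
        # address while the first session is alive is refused and flagged as
        # probable credential sharing; a login from the same address renews.
        current = self.active.get(credential)
        if (current and now - current.last_seen < SESSION_TTL
                and current.source_ip != source_ip):
            self._record("concurrent_use", credential, source_ip, now,
                         other_ip=current.source_ip)
            return "concurrent_session"
        self.active[credential] = Session(credential, source_ip, now)
        self._record("login_ok", credential, source_ip, now)
        return "ok"


def shared_credentials(events, window):
    """Monitoring rule: credentials whose successful logins came from more
    than one source address within `window`. Useful for reviewing trails
    recorded before the one-session control was enforced."""
    by_cred = {}
    for ev in events:
        if ev["event"] == "login_ok":
            by_cred.setdefault(ev["credential"], []).append(
                (datetime.fromisoformat(ev["ts"]), ev["ip"]))
    flagged = set()
    for cred, logins in by_cred.items():
        logins.sort()
        for i, (t_i, ip_i) in enumerate(logins):
            for t_j, ip_j in logins[i + 1:]:
                if t_j - t_i > window:
                    break  # later logins are further away still
                if ip_i != ip_j:
                    flagged.add(cred)
    return sorted(flagged)


# Constructed legacy trail from a system without the one-session control:
# agent-0042 is used from two different networks five minutes apart.
LEGACY_TRAIL = [
    {"ts": "2022-03-01T09:00:00", "event": "login_ok", "credential": "agent-0042", "ip": "203.0.113.10"},
    {"ts": "2022-03-01T09:05:00", "event": "login_ok", "credential": "agent-0042", "ip": "198.51.100.7"},
    {"ts": "2022-03-01T09:10:00", "event": "login_ok", "credential": "agent-0077", "ip": "198.51.100.7"},
    {"ts": "2022-03-02T09:10:00", "event": "login_ok", "credential": "agent-0077", "ip": "198.51.100.9"},
]


def demo_sequence():
    """Run a constructed login sequence; return the outcomes and the trail."""
    gw = Gateway()
    t0 = datetime(2024, 1, 10, 9, 0)
    steps = [("agent-0042", "203.0.113.10", 0), ("agent-0042", "203.0.113.11", 5),
             ("agent-0042", "203.0.113.10", 5), ("agent-0042", "198.51.100.7", 10),
             ("agent-0042", "203.0.113.11", 45), ("nobody", "203.0.113.10", 45)]
    outcomes = [gw.login(c, ip, t0 + timedelta(minutes=m)) for c, ip, m in steps]
    return outcomes, gw.audit


if __name__ == "__main__":
    print(demo_sequence()[0])
    print(shared_credentials(LEGACY_TRAIL, SESSION_TTL))  # ['agent-0042']
```

The two controls work together: single-session enforcement alone does not reveal a credential being passed around inside one agency's network, and the allowlist alone does not stop two people at the same agency from logging in at once, but with both in place every refused attempt is recorded, so the trail written by the gateway contains no overlapping logins for the `shared_credentials` rule to flag, while the constructed legacy trail does.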

5. ORDER-INJUNCTION FOR THE APPLICATION OF THE ADMINISTRATIVE FINANCIAL SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Enel Energia of the pecuniary administrative sanction provided for by art. 83, par. 3 and 5 of the Regulation (payment of a sum of up to €20,000,000.00 or, for undertakings, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).

To determine the maximum statutory fine it is therefore necessary to refer to the turnover of Enel Energia as shown in the latest available financial statements (31 December 2022), in accordance with previous provisions adopted by the Authority; the statutory maximum in the case in question is therefore 988,838,774 euros.

To determine the amount of the sanction it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.

In the case in question, the following are relevant:

1) the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purpose of the data processed, attributable to the overall phenomenon of unwanted telemarketing, in relation to which the Authority has adopted, in particular in the last four years, numerous measures which have fully examined the many critical elements, providing controllers with numerous indications to bring processing into line with current legislation and to mitigate the impact of nuisance calls on data subjects; also taking into account the number of subjects involved (owing to the approximately 9300 contracts conveyed by the Arnia cooperative) and the duration of the illicit infiltration of contracts (from 2015 to 2022);

2) as an aggravating factor, the seriously negligent nature of the violations, the result of corporate choices made consciously and deliberately which effectively weakened the security measures and the system of control and accountability of the various subjects operating in the Enel Energia sales network (art. 83, par. 2, letter b) of the Regulation);

3) as an aggravating factor, the degree of responsibility of the data controller (art. 83, par. 2, letter d) of the Regulation), owing to the ineffectiveness of the technical and organizational measures implemented and to the particular role that Enel Energia plays in the Italian production landscape, as a leading company in industrial and technological development processes and holder of a large volume of personal data of the population resident in Italy, from which one must necessarily expect an organization of personal data processing based on the maximum protection of its customers' information assets and the maximum responsibility of all the figures involved in the processing itself;

4) as a mitigating factor, the fact that Enel Energia introduced, in July 2023, an authentication system that prevents the simultaneous use of the same credentials to access the N.Eve system from different locations (art. 83, par. 2, letter c) of the Regulation);

5) as a mitigating factor to be taken into consideration in calibrating the sanction (art. 83, par. 2, letter k) of the Regulation), the circumstance that the examination of the confiscated databases shows that the number of contracts illicitly acquired in favour of Enel Energia (9,300) is lower than the number of "outgoing" contracts, again following the illicit activities of the Veronese and Florentine companies (20,456), and this offsets what was recorded in relation to the loss of market share of XX with reference to the contracts acquired by the Veronese and Florentine companies which appear to have been entered into Enel Energia's systems.

Based on all the elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1 of the Regulation, and taking into account the necessary balance between the rights of data subjects and freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is considered that the administrative sanction of payment of a sum of 79,107,101 euros, equal to 8% of the maximum statutory fine and 0.32% of the annual turnover, should be applied.

In the case in question, it is considered that the additional sanction of publication of this provision on the Guarantor's website, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor's Regulation no. 1/2019, should be applied, taking into account the nature of the Company's processing and conduct, as well as the elements of risk for the rights and freedoms of data subjects.
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are also met.

ALL OF THE ABOVE BEING CONSIDERED, THE GUARANTOR

a) orders Enel Energia, pursuant to art. 58, par. 2, letters d) and e) of the Regulation, to communicate to the 595 data subjects, whose personal data entered the Company's systems following the illicit acquisitions by the Veronese and Florentine companies, the outcome of today's proceedings on the basis of a text to be agreed with the Authority when implementing this provision;

b) orders Enel Energia, pursuant to art. 58, par. 2, letter d) of the Regulation, to provide adequate documentation certifying the implementation of security measures that prevent simultaneous access to the N.Eve system with the same authentication credentials;

c) orders Enel Energia, pursuant to art. 58, par. 2, letter d) of the Regulation, to introduce further measures so that the traceability and effective monitoring of the operations carried out and of critical events on the N.Eve system are guaranteed and access from IP addresses other than those attributed to each agency is prevented;

d) orders Enel Energia, pursuant to art. 58, par. 2, letter d) of the Regulation, to ensure that the agencies stipulate with any sub-agents contracts that are fully compliant with the standard contract stipulated between Enel Energia and the agencies themselves and in which the distribution of responsibilities in the processing of personal data is clearly set out as required by art. 28 of the Regulation;

e) orders Enel Energia, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the pecuniary administrative sanction provided for by art. 83, paragraph 5, of the Regulation;

ENJOINS

Enel Energia S.p.A., in the person of its legal representative pro tempore, with registered office in Rome, viale Regina Margherita no. 125, C.F. 06655971007, to pay the sum of 79,107,101 euros (seventy-nine million one hundred and seven thousand one hundred and one/00) as a pecuniary administrative sanction for the violations indicated in the grounds, it being noted that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by complying with the instructions given and paying, within thirty days, an amount equal to half of the sanction imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of 79,107,101 euros (seventy-nine million one hundred and seven thousand one hundred and one/00), according to the methods indicated in the annex, within 30 days of notification of this provision, under penalty of the adoption of the consequent enforcement measures in accordance with art. 27 of law no. 689/1981.

PROVIDES FOR

the application of the accessory sanction of publication of this provision on the Guarantor's website, provided for by articles 166, paragraph 7 of the Code and 16 of the Guarantor's Regulation no. 1/2019, and the annotation of the same in the Authority's internal register of violations and of measures adopted in compliance with art. 58, par. 2, of the Regulation, provided for by art. 57, par. 1, letter u), of the Regulation and by art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.

Pursuant to articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to this provision may be lodged with the ordinary judicial authority, by appeal filed with the ordinary court of the place where the data controller is based, within thirty days from the date of communication of the provision itself.

Rome, 8 February 2024

PRESIDENT
Stanzione

THE SPEAKER
Scorza

THE DEPUTY SECRETARY GENERAL
Filippi