
Garante per la protezione dei dati personali (Italy) - 10114967

From GDPRhub
Garante per la protezione dei dati personali - 10114967
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 24 GDPR
Article 25 GDPR
Article 28 GDPR
Article 29 GDPR
Article 32 GDPR
Art. 111 bis d. lgs. 196/2003
Art. 130 d. lgs. 196/2003
Type: Investigation
Outcome: Violation Found
Started: 11.11.2023
Decided: 27.02.2025
Published:
Fine: 300,000 EUR
Parties: Energia Pulita S.r.l.
National Case Number/Name: 10114967
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: cci

The Italian data protection authority fined an energy company €300,000 for unlawfully processing personal data for direct marketing, for failing to properly implement data protection principles on an organizational level, and for insufficiently informing job applicants about the processing of their data.

English Summary

Facts

The Italian data protection authority received many complaints of aggressive telemarketing practices carried out on behalf of energy company Energia Pulita S.r.l. (the data controller). Some of the complainants reported deceitful marketing practices. Others were called despite their number’s inclusion in Italy’s Do Not Call registry.

In November 2023 the authority started a broad investigation into the controller. Additionally, the authority required information about all of the purchase offers from February 5 to February 12, 2024.

Privacy compliance and quality controls

The authority inquired about the measures taken by the data controller to ensure privacy compliance both in its own marketing activities, and in the marketing activities of its subcontractors (acting as data processors or sub-processors).

The controller adopted some technical and organizational measures to implement data protection principles, including quality check calls and checks for the recipient’s consent to marketing. Starting March 2024, the controller implemented a more robust privacy compliance program: for instance, the controller provided its employees with privacy training, and adopted more robust privacy standards for its contractors.

The authority found these measures to be insufficient. The authority held that the data controller failed to supervise the privacy practices of its subcontractors. Additionally, the controller failed to choose subcontractors with robust privacy practices. In this regard, the authority pointed out that it still received complaints about aggressive marketing on behalf of the controller after March 2024.

The authority also observed that controllers must adopt appropriate technical and organisational measures to ensure the implementation of data protection principles from the very beginning of the data processing (data protection by default).

Consent and the Do Not Call registry

The data controller pointed out that some of the recipients (the data subjects) consented to the processing of their data for marketing purposes after their inclusion in the Do Not Call Registry. These consents were collected via four third-party websites where users provided their personal data in order to receive commercial offers. In the controller’s view, the data subjects’ consents authorized its marketing calls.

The authority found issues with the consents. Three websites (nuoveofferte.com, offertenergetiche.it, and ricercaofferte.it) prompted users to consent to marketing for a very broad range of products and services. After consent collection, personal data were shared with an undefined number of companies for marketing purposes, each acting as the data controller. Additionally, users could not choose the form of the marketing communications they would receive. A fourth website (Offerte-gas-luce.it) lacked a privacy notice altogether.

For these reasons, the authority held that the websites did not collect granular and free consent. In this regard, the authority referred to its own guidance on telemarketing[1].

The data controller also defended its practices by pointing out that energy contracts were not concluded over the phone: the phone calls only served to initiate contact and to direct prospective customers to the controller's website. For this reason, the controller argued that the calls were not a form of telemarketing and did not fall under the Italian rules on the Do Not Call registry.

The authority rejected the controller’s argument. In the authority’s view, calls that merely initiate contact with the customer are nonetheless telemarketing. In this regard, the authority referred to the Code of Conduct on telemarketing and teleselling[2].

Job candidates and privacy notices

The authority inquired about the provision of information to the controller’s job applicants.

Individuals could apply for a job with the controller by providing personal data on its website. Initially, the controller would provide applicants with a privacy notice before the job interview. The data controller provided no notice at collection and provided no information at all to applicants who did not show up for the job interview.

The data controller eventually improved its practices. Starting July 2024, the data controller started providing applicants with a notice at collection.

The authority held that the data controller violated its transparency obligations until July 2024. Additionally, the authority held that the controller did not correctly identify the legal bases for processing applicants’ data in the earlier version of its privacy notice.

Holding

Overall, the authority held that the controller violated Articles 5, 6, 9, 12, 13, 24, 25, 28, 29, and 32 GDPR as well as Articles 111-bis and 130 d. lgs. 196/2003[3].

The authority fined the controller €300,000. The authority also ordered the controller to implement better data protection measures throughout the marketing value chain and to document its follow-up. Finally, the authority ordered the controller to inform 68 complainants of the outcome of the procedure.

Comment

The decision addresses the authority's investigation into the controller as well as several complaints filed by data subjects.


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

- SEE ALSO NEWSLETTER OF MARCH 21, 2025
 
[web doc. n. 10114967]
Measure of February 27, 2025
Register of measures
n. 114 of February 27, 2025
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members and Councilor Fabio Mattei, general secretary;
HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);
HAVING SEEN the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, containing provisions for the adaptation of national law to the aforementioned Regulation (hereinafter “Code”);
HAVING SEEN the documentation in the files;
HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000, adopted with resolution of 28 June 2000;
RAPPORTEUR Dr. Agostino Ghiglia;
1. THE INVESTIGATIVE ACTIVITY CARRIED OUT
1.1. Introduction
With act no. 131956 of 11 November 2024 (notified on the same date by certified email), which must be considered reproduced in its entirety here, the Office initiated, pursuant to art. 166, paragraph 5, of the Code, a proceeding for the adoption of the provisions referred to in art. 58, paragraph 2, of the Regulation against Energia Pulita S.r.l. (hereinafter “Energia Pulita” or “Company”), represented by its legal representative pro tempore, with registered office in Milan (MI), Via Vincenzo Monti, 48, VAT number 10802400969.
The proceedings originated from an investigation initiated following the receipt of eighty-two reports brought to the attention of the Authority regarding unwanted calls made in the absence of an appropriate legal basis.
1.2. Requests for information formulated by the Authority
On 26 June 2024, the Office initiated an investigation against Energia Pulita S.r.l. (hereinafter “Energia Pulita”, “Company” or the “Owner”), by means of a cumulative request for information, formulated pursuant to art. 157 of the Code (see Prot. no. 78301/24), useful for the evaluation of numerous other reports received by the Authority in the period between November 2023 and June 2024, mostly concerning the subject of telemarketing.
With the same note, the Company was asked to «provide a list of purchase proposals from its sales network that led to the activation of energy services in the period from 5 February 2024 to 12 February 2024 inclusive, divided between “residential” and “business”», as well as to provide clarifications in relation to:
• the relationships with the companies using some of the calling numbers reported (see Broker S.r.l., Dialtech S.R.L.S., A1 Service S.r.l.s., Rocket S.r.l.);
• the instructions given to its suppliers for the performance of telemarketing activities and the measures implemented for the purposes of supervising and monitoring their work;
• the «methods for providing information on the processing of personal data to interested parties who submit applications through the form on the website https://www.energiapulita.energy/lavora-con-noi»;
• the «nature of the contractual relationships in place with Green Network S.p.A. luce e gas, Antenore Energia S.r.l. and Metan Alpi Sestriere Teleriscaldamento S.r.l., including the assignment of subjective roles and the processing of personal data carried out by and on behalf of these companies, as well as the measures adopted for the purposes of separating the databases containing the data of customers belonging to the individual companies and to prevent the risk of unauthorized access by unauthorized parties».
With a note dated 11 July 2024 (see Prot. no. 86098 of 12 July 2024), providing the first of the requested feedback, the Company preliminarily declared that it uses the following sales channels:
• sales agencies which, by virtue of an agency contract, promote the Company's products and services through one or more of the following methods: «i) teleselling activities, ii) telemarketing activities followed by physical contact with the customer, iii) use of commercial premises available to the agency, iv) door-to-door visits to end customers (marginal activity) and v) the so-called “virtual sales outbound rec” sales channel»;
• comparator, which by virtue of a specific agreement, provides for the promotion of the Company's products and services through its web platform and the subsequent conclusion of the contract with the end customer, as well as uploading to the company CRM;
• subordinate workers and/or collaborators of Energia Pulita who operate at physical branches in the territory.
With specific reference to the so-called “virtual sales outbound rec” channel, the Company highlighted that based on this sales methodology, the seller contacts the potential customer by telephone to test their interest in the services covered by the ongoing promotional campaign and inserts the relevant contractual proposal on Energia Pulita’s customer relationship management (“CRM”) platform. At a later stage, the potential customer “is first sent an SMS containing an OTP code that allows the customer to confirm their identity and, subsequently, a link – which the customer receives at their email address – through which the potential customer can, after entering the aforementioned OTP code, access the Energia Pulita contractual package and confirm their willingness to sign a contract with Energia Pulita”.
In the same note, Energia Pulita also highlighted that in the context of energy activations attributable to Switcho S.r.l. “the contractualization process takes place via a web platform and no telephone calls are made to potential customers”.
Finally, the Company produced the following lists of purchase proposals relating to the period indicated by the Guarantor:
• n. 639 proposals in the context of “residential teleselling”;
• n. 246 proposals in the context of “residential physical network”;
• n. 15 proposals in the context of “residential comparators”;
• n. 1328 proposals in the context of “residential virtual sales”;
• n. 42 proposals in the context of “business teleselling”;
• n. 51 proposals in the context of “business physical network”.
With a subsequent note sent on 26 July 2024 (see Prot. n. 93584 of 29 July 2024), Energia Pulita highlighted that «none of the 82 contacts contested with the complaints ever resulted in the conclusion of a contract with the Company, which, therefore, did not benefit in any way from such telemarketing and teleselling activities. In fact, none of the 82 complainants are present in Energia Pulita's CRM (Customer Relationship Management), except for 4 cases relating to subjects already contracted by Energia Pulita at the time of filing the complaint and the nuisance call».
The Company also represented that "since November 2023, it has started a compliance process with the code of conduct for telemarketing and teleselling activities ("Code of Conduct"), wanting to adopt, regardless of the actual applicability of the Code of Conduct and, despite not knowing the number of complaints received by the Authority, the necessary measures to ensure compliance" and that "as early as March 2024, after the gap analysis phase, the Company has started to adopt new compliance measures".
Then, with specific reference to the reports received by the Authority, Energia Pulita did not recognize all the calling numbers that were reported, with the exception of files no. 323520 and 344211, which were also the subject of complaints received by the Company and related to contacts legitimized by consent; file no. 357058 with which the reporting party had complained about receiving an unwanted phone call attributable to Dialtech S.r.l.s., a sub-agency of RG Group S.r.l..
With regard to the four reports addressed both to the Authority and to Energia Pulita and to a report sent to a certified email address belonging to another company, but similar to that of Energia Pulita (see files nos. 323520 – 367610 – 337805 – 344211 – 353028 - 343273), the Data Controller stated the following.
With respect to file no. 323520, after having carried out the appropriate internal checks, the Company declared that it had promptly found the interested party, communicating that the first call had been made by one of its agencies RG Group S.r.l., on the basis of a consent given after the registration in the RPO, but that the words used during the call and the use of a number not registered in the ROC constituted a violation of the contractual provisions. Following these events, Energia Pulita had announced to the agency the application of «a contractual penalty that the Company did not apply immediately considering the fact that the contact had in any case taken place on the basis of the consent, but which it will apply in the event of repetition of the incorrect conduct». In any case, the name of the reporting person was included in the black-list of the Company and its agencies.
With regard to report no. 367610, the Company clarified that it had found the interested party, communicating that «no supply contract had been concluded; the personal data of the reporting person were not present in the Company's CRM; the personal data of the reporting person were not present in the CRM of the Company's sales partners», as well as having «arranged in any case the insertion of the number of the reporting person in the black-list of the Company and its agencies».
With reference to report no. 337805, Energia Pulita stated that it had responded to the applicant, highlighting that «the call did not come from a number attributable to the Company or its partners (also in this case therefore the name of Energia Pulita was used illegitimately); (ii) his personal data were not present in the Company's archives or in those of its partners; and (iii) his contact details had been included in the Company's blacklist and in that of its agencies». Also in this case, Energia Pulita had carried out the necessary investigations with its partners and ascertained that the calling number did not belong to its agency network.
With regard to report no. 344211, the Company had provided feedback to the user stating that no account had been activated and that the interested party's personal data were not present on the company systems, with the exception of those pertaining to the management of the complaint, as well as having started appropriate checks at Rocket S.r.l. These investigations then revealed the legitimacy of the contact by the sub-agency, based on a consent given after the registration to the RPO and in any case, the inclusion of the reporting party's number in the black-list of the Company and its agencies had been ordered.
With regard to report no. 353028, the owner clarified that it had reassured the interested party that no supply had been activated and that the reporting party's data were not present in the Company's databases. In any case, the Company had ordered the inclusion of the number in question in the black-list of the Company and its agencies.
Finally, with specific reference to file no. 343273, Energia Pulita observed that this complaint had been sent to a certified email address belonging to another company. Also in this case, internal checks had revealed that no contract had been activated, that the interested party's personal data were not present in the company systems and that the calling number did not refer to its sales network.
With the same note and in response to the requests made by the Authority, Energia Pulita provided «the standard contract (and the related attached call scripts) adopted by Energia Pulita before the start of the compliance process in March 2024 (doc. 8); and the standard contract adopted subsequently, already in use for all new agencies and in the process of being extended to the agencies already in office through specific addenda that the Company is preparing, containing the necessary additions in order to guarantee full compliance with the Code of Conduct (doc. 9) with the related call scripts used that the Company has updated and is putting into use in this period».
With respect to the relationships with the Agencies, which, after consulting the ROC, were found to be the users of some of the calling numbers reported, the Company represented that it did not have «any existing and/or terminated relationship» with Broker S.r.l. and A1 Service S.r.l.s. On this point, Energia Verde also clarified that it had «purchased a branch of Green Network S.p.A. (…). As part of the purchase of this branch, there was also the contract between Green Network, as principal, and RG Group S.r.l. (previously Start Group S.r.l.), as agency (doc. 12). Following the purchase of the branch, Energia Pulita signed a new deed of appointment as data controller with RG Group S.r.l. (previously Start Group S.r.l.)» and that RG Group S.r.l., in turn, had appointed Dialtech S.r.l.s. and Rocket S.r.l as sub-processors.
The Company then illustrated the monitoring activities on the agency network carried out up to March 2024, those implemented after that date and those in the process of being implemented.
More specifically, until March 2024, the monitoring and control measures implemented against the agencies were mainly attributable to the request for sample reporting on the checks carried out at the FUB or on the existence of an appropriate legal basis for the processing of personal data for the purposes of carrying out marketing activities (i.e. consents and information). Furthermore, the Company provided for specific contractual clauses regarding compliance with the legislation on the protection of personal data, the violation of which could lead to the application of a penalty or the failure to recognize the commission. In addition, the contractual proposals uploaded by the agencies to the company CRM were subjected to specific checks and “Quality Check Calls”. Finally, in the event of termination of the agency contract, Energia Pulita proceeded to “immediately close the credentials”. Starting from March 2024, as part of the implementation of a broader corporate compliance program, the measures just described had been integrated with the provision of certain checks relating to privacy skills to be carried out during the agent selection phase, the organization of training activities aimed at employees, the review of the standard contract in use for teleselling activities.
With respect to the methods of providing the information on the processing of personal data to interested parties who submit applications through the form on the website https://www.energiapulita.energy/lavora-con-noi, the Company highlighted that «the information was uploaded to the website on 8 July 2024 following an internal check and a subsequent reminder sent by the compliance officer of Energia Pulita to the competent function of the management of the website already sent on 20 June 2024. In any case, at the time of the interview, candidates are always provided with an ad hoc information» and that a further review of the information in use was planned, including the information for candidates downloadable from the website.
Finally, Energia Pulita provided the clarifications requested in relation to the relationships with the other energy operators indicated on the company website, also stating that «on the first access page to the customer area of the Energia Pulita website, the customer is asked to indicate the brand (between Green Network, Antenore and Metan Alpi) through which he concluded the contract with Energia Pulita, it being understood that the customer information on the website refers only to Energia Pulita as the data controller».
More specifically, the Company highlighted that it had acquired «a branch of the company from Green Network S.p.A. (…). The branch of the company included the registered trademark “Green Network” and all its derivatives (…). For this reason, Energia Pulita uses the indicated trademarks, but this does not mean that there are different owners or different databases in relation to the data of the end customers».
The owner then stated that it had «never had any contractual relationship with Metan Alpi Sestriere Teleriscaldamento S.r.l. but exclusively with Metan Alpi Sestriere S.p.A. (…), a company which we understand to be owned by the aforementioned Metan Alpi Sestriere Teleriscaldamento S.r.l.». The Company, in fact, «has acquired a branch of the company from Metan Alpi Sestriere S.p.A. (…) and (…) has obtained a onerous and exclusive license to use the “METAN ALPI” trademark. For this reason Energia Pulita uses this trademark, but this does not imply that there are different owners or different databases in relation to the data of the end customers involved in the transfer of the branch».
Antenore Energia S.r.l. (hereinafter also “Antenore”) and Energia Pulita, on the other hand, had stipulated three contracts for the provision of reciprocal services, by virtue of which each holds – depending on who provides the services – the role of data controller for the other party as specified in the specific appointments on data processing within each contract. Specifically, "Energia Pulita supplies electricity and natural gas to some of Antenore's customers indicated in the specific annex to the contract, also providing for the issuing and collection of invoices and customer support. To this end, Energia Pulita processes the data of Antenore's customers, which are contained in Energia Pulita's CRM together with the data of the Company's customers. The separation within the CRM is guaranteed by the methods of access to it by Antenore, which can only access its customers' data through specific credentials. It should be noted that, for the entire duration of the aforementioned contract, Antenore Energia S.r.l. has granted Energia Pulita S.r.l., on an exclusive basis, the license to use the "Antenore Energia" trademark." At the same time, «Antenore acts as a commercial agent – on an exclusive basis – on behalf of Energia Pulita, and has therefore been appointed as data controller for this purpose (…) the contracts concluded by Antenore on behalf of Energia Pulita are contracts promoted through the trademark licensed for use “Antenore Energia”». In addition, Antenore performs fronting and outbound services, as well as collection and collection operations of amounts with reference to Energia Pulita S.r.l. customers procured by Antenore Energia S.r.l. (…); also in this case, given that the data processed relate to Energia Pulita S.r.l. customers, Antenore Energia S.r.l. has been appointed as data controller».
1.3. Verification at the Public Register of Oppositions
In order to carry out the necessary checks regarding the correctness of the aforementioned telemarketing activities, on 13 August 2024 (see Prot. no. 99048) the Office sent the aforementioned list of telephone numbers that were the subject of the aforementioned response by Energia Pulita to the Ugo Bordoni Foundation, which manages the Public Register of Oppositions. In this context, information was requested, pursuant to art. 157 of the Code, for each number, regarding any registration in the Public Register of Oppositions (RPO) no later than 31 December 2023.
On 27 August 2024, the Foundation sent its response (see Prot. no. 101580 of 28 August 2024), from the analysis of which it emerged that, at the time of the promotional calls made by the Company, 157 telephone users were registered in the Public Register of Oppositions, equal to just over 6.75% of the total number of telephone contacts made in the reference period (no. 2,327).
1.4. Supplement to the investigation
While the investigation was pending, the Authority received further reports against the Company in which the interested parties complained about receiving unwanted calls made in the absence of an appropriate legal basis and coming from numbers not registered with the ROC (see file nos. 381587 – 386244 – 387286 – 387396 – 387909 – 388262 – 390395 – 391357 – 391441 – 397354 – 399349 – 405133 – 405186 – 409771 – 411093 – 411191 – 411222 – 411755 - 411883 – 413466).
In order to promote the organic examination of all the issues raised, although received at different times, pursuant to art. 10, paragraph 4, of the internal regulation no. 1/2019 (available for consultation on the website www.gpdp.it, doc-web no. 9107633), the Office deemed it appropriate to also deal with these reports in the context of today's proceedings.
The consolidation of the proceedings made it possible to fully implement the principles of cost-effectiveness and reasonable duration of the proceedings and to guarantee, at the same time, also the right of defense and non-aggravation of the proceedings recognized by law to the data controller.
1.5. Contestation of the violations
The Office, at the end of the investigation, adopted the aforementioned contestation act no. 131956/24 in which, first of all, it was observed that having contacted 157 telephone numbers in the context of telemarketing activities carried out in the period January - February 2024 (equal to just over 6.7% of the total number of telephone contacts made for promotional purposes), while the same users were registered with the RPO - and therefore with the opt-out mechanism established by the current legislation - entailed the possible violation of art. 130 of the Code, as well as, more generally, of art. 5, par. 1, letter a) and 6, par. 1, letter a) of the Regulation, with regard to the principle of lawfulness and the need for the legal basis of consent to legitimise the processing of the data in question for promotional purposes.
The existence of the violation in question, moreover, also seemed to be confirmed by the multitude of reports that the Authority had received and continued to receive pending the proceedings.
In addition to these findings, there was also the incisive case history of sudden switches highlighted by the feedback provided on the reports. In fact, from the documentation sent, it emerged that in eight cases (out of a total of 82), the whistleblowers had activated a supply with Energia Pulita for only a month or a little more.
All the circumstances just mentioned, considered together, led to the belief that in violation of the obligations incumbent on the data controller pursuant to articles 5, 24, 25, 28 and 32 of the Regulation, the Company had failed to carry out the necessary control over the entire processing chain and to implement adequate technical and organizational security measures to avoid the risk of activating supplies deriving from illicit contacts, thus fueling the induced effect of the so-called telemarketing undergrowth.
More generally, then, the documentation and the allegations acquired as a whole seemed to provide a picture of privacy governance that was not completely compliant and updated with the legislation in force on the protection of personal data and the principles constantly established also through the provisions of the Authority.
Likewise, the circumstance that the organization of training activities had only taken place in 2024 also appeared to be in conflict with the obligations incumbent on the data controller pursuant to art. 29 of the Regulation, which requires not only to provide training for staff before or in any case in the initial periods with respect to the actual assignment to carry out the processing of personal data, but also to provide periodic refresher activities, customized on the basis of the tasks actually performed.
Finally, also in relation to the processing of personal data collected through the forms on the company website (i.e. candidates and contact request), certain critical profiles were identified both with regard to the principles of clarity and transparency pursuant to art. 5, 12 and 13 of the Regulation, and in relation to the lawfulness of the processing and the existence of an appropriate legal basis pursuant to Articles 5, 6, 7 and 9 of the Regulation and 111 bis of the Code.
The Office, therefore, contested Energia Pulita for the alleged violation of Articles 5, 6, 7, 9, 12, 13, 24, 25, 28, 29 and 32 of the Regulation, as well as Articles 111 bis and 130 of the Code, for having carried out the above-described processing of personal data of users and contractors in the energy sector in conflict with the principles of lawfulness and accountability, in the absence of an appropriate legal basis and by implementing inadequate technical and organizational measures to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation.
2. THE OWNER'S DEFENSE
With defensive briefs submitted on 11 December 2024 (see Prot. no. 146050 of 12 December 2024) the Company preliminarily highlighted that «Energia Pulita was established in 2019, shortly before the start of the pandemic crisis, and until 2023 the Company had only 4 agencies for carrying out teleselling activities».
Subsequently «This activity was increased only starting from 16 January 2023, when the Company acquired from Green Network S.p.A. (…), a business unit to which 26 agency contracts could be traced (4 of which carried out telemarketing/teleselling activities)».
Energia Pulita also clarified that the aforementioned transfer of the business unit - with the associated commercial network - "has determined the need to manage new customer procurement activities, both through the physical channel and telemarketing and teleselling". For this reason, starting from November 2023, the Company has undertaken a compliance process.
With regard to the governance regarding the protection of personal data prior to November 2023, Energia Pulita declared that the Company had implemented the measures listed below:
i. request for reports relating to contacts made with potential customers to verify that they were not registered in the Public Register of Opposition (RPO) on the date of signing the contract with the Company, or that privacy consent had been obtained after such registration. Furthermore, a sample (over 10 contacts for each agency) "was asked to attach the screenshots demonstrating the check carried out on the RPO, with the date and time of the so-called "fubbatura"";
ii. request for a bimonthly report to demonstrate that customers had given consent to be contacted for marketing purposes, containing details of the campaign used, the privacy information provided and any specific additional elements;
iii. imposition of contractual obligations concerning the numbers used, the times and methods of calls, and the recording of the customer's refusal to receive commercial contacts during the promotional call or on other occasions, with communication to Energia Pulita of the related refusal;
iv. provision of scripts to be used for making promotional calls;
v. non-recognition of the agent's commission in the event of a complaint for unsolicited activation;
vi. imposition of a penalty equal to 8% of the total commissions accrued in the last twelve months for the agent in the event of a complaint for unsolicited activation;
vii. checks on the contract proposals uploaded by the agency within the Company's CRM;
viii. Mandatory Quality Check Call for teleselling agencies;
ix. control of the contractual package;
x. immediate closure of the agency credentials for access to the company CRM upon termination of the contractual relationship.
The Company also represented that it had started a "Code of Conduct compliance process in November 2023, intending to adopt, regardless of the actual applicability of the Code of Conduct and even if unaware of the Complaints, the necessary measures to ensure compliance of its governance with the most recent provisions in this area", therefore at the beginning of 2024 the following measures were also implemented:
i. requests for specific information to agencies during the selection process;
ii. periodic training for employees of the agency network;
iii. contractual changes (exclusion of commissions in the event of illicit contacts, as well as for unsolicited activations and provision of specific obligations for agencies, communication of the numbers used, use of recognizable and non-clonable numbers, drafting of detailed reports of promotional campaigns, timely management of denials and registration in blacklists, etc.);
iv. implementation of the Multi Factor Authentication (“MFA”) system with census of the second device used;
v. tracking of the IP addresses of agents authorized to upload contracts on behalf of Energia Pulita;
vi. periodic audits on agencies and review of scripts and control calls to verify the origin of contacts;
vii. Blocking check call: the Company verifies the conformity of the contact and the interested party’s willingness to conclude the agreement via a control call. In the event of the customer’s absence or willingness not to continue the contractual process, the same is blocked and a penalty is applied to the agency;
viii. exclusion of the agency’s commission in the event of a complaint for unsolicited activation, as well as whenever it emerges that the initial contact was illicit, in addition to the application of a penalty for each violation of privacy legislation.
With specific reference to the results of the verification conducted on the so-called sample week, Energia Pulita first of all objected that the numbers registered in the register, net of the cases of duplication, were ninety-six and that therefore the relative percentage decreased to 4.13%. 
Furthermore, according to the defensive theory put forward by the Company, all the aforementioned contracts were revealed to be legitimate since they «can be traced back to (i) telephone calls made on the basis of consent to marketing following the registration of the interested parties in the RPO or requests for recontact by the interested parties themselves; (ii) to the physical channel, and therefore with respect to which no verification is necessary regarding any registration in the RPO; or, finally, (iii) to contracts concluded directly by the interested parties on the websites of the comparators, in the absence of any telemarketing activity by the Company and/or the comparator itself». 
With regard to the reports brought to the attention of the Authority, the Company disavowed all the contacts that were the subject of the complaint as they were made using calling numbers outside its network of agencies, with the exception of the three cases illustrated below.
With reference to the complaint in file no. 323520, the Company clarified that the contact had been made by an agency of the Company (i.e. RG Group S.r.l.), on the basis of a consent given after the registration with the RPO, however the agency had violated the contractual provisions for the words used and for the use of a number not registered with the ROC. Since the contact had been made lawfully, Energia Pulita had sent a reminder and a warning to the agency in question, as well as requested to delete all the personal data of the reporting party. In addition, the name of the reporting party had been included in the black-list of the Company and its agencies. Subsequently, starting from 30 September 2024, Energia Pulita had interrupted all relations with that agency.
In relation to file no. 344211 – concerning the case of an interested party who complained about receiving promotional calls from various numbers, including one belonging to Rocket S.r.l., a sub-agency of RG Group S.r.l. – the Company highlighted that in this case no user had been activated and that the interested party's data were not present on Energia Pulita's systems. In any case, the reporting party's number had been included in the black-list of the Company and its agencies. Therefore, the Company maintained that «the name of Energia Pulita was therefore used illegitimately in the first call. As regards the call attributable to Rocket S.r.l., the Company's checks confirmed that the sub-agency's contact was based on valid consent, issued after registration with the RPO».
In relation to files nos. 357058 and 391741 - in which the interested parties complained about receiving unwanted calls made in the interest of Energia Pulita - the Company acknowledged that these contacts were also attributable to RG Group S.r.l. and reiterated that it had interrupted any relationship with the aforementioned agency starting from 30 September 2024.
The Company then highlighted that none of the eighty-two contacts contested through the complaints brought to the attention of the Authority before the opening of the investigation, nor of the twenty contacts contested pending the proceedings "ever resulted in the conclusion of a contract with the Company, which, therefore, did not in any way benefit from such illicit telemarketing and teleselling activities".
In denying the contacts that were the subject of the complaint, Energia Pulita also stated that «the phenomenon of undergrowth in telemarketing arises from the activity of operators who are not officially linked by contractual relationships with energy operators and who (…) initially declare that they work for an operator to convince the interlocutor to stay on the phone and then offer a different contract. In this way, the agencies make themselves untraceable both in the eyes of the interlocutor and, consequently, before the Authority which receives the complaint against a company, in this case Energia Pulita, which has never given a mandate to these agencies nor has it benefited from their work».
For the reasons illustrated, «even if any of the telephone calls that were the subject of the complaint had turned into energy contracts of Energia Pulita (and this was not the case) for a limited period, this would represent for Energia Pulita only a cost (and, therefore, an economic damage) and not also an advantage».
With regard to the measures adopted to implement the appropriate controls on the contact chain, Energia Pulita represented that in 2023 and then subsequently in 2024 with the acquisition of the Green Network S.p.A. business unit, the Company had started a compliance process with the current legislation on the protection of personal data and the Code of Conduct which led to the implementation of the measures listed below:
i. in the context of the agent selection procedure, it is asked whether the agencies have received complaints or reports to the Guarantor or inspections or measures from the latter; how the candidate agency forms the contact lists and how the latter are purchased and controlled; the controls and contractual obligations imposed on sub-agents; as well as the instructions provided to employees/agents;
ii. training of agents (carried out in May 2024 and then periodically at least every 9 months);
iii. modification of the standard of the agency and teleselling contract in use, providing for the non-recognition of the commission not only in the event of a complaint for unsolicited activation, but also in the event of an illicit initial contact; as well as providing for additional contractual obligations for the agencies (communication of the numbers used; use of a recognizable calling line (with a specific prefix for call centers or another number as long as it can be called back); reporting on promotional campaigns; use of blacklists; being able to provide suitable information to users; using technological solutions that allow immediate identifiability);
iv. traceability of the entire chain that allows the telephone contact to reach the contract (ROC number, IP and name of the calling operator; date and time of contact; nine-monthly audit of the operators active within the commercial network (teleselling and physical network); integration of call scripts; adoption of an alert system and MFA for agents with census of the second device; tracking of agent IPs).
With respect to the specific objections raised by the Authority, the Company in the first instance observed that Energia Pulita periodically carried out audits at its agencies, verifying the measures adopted to comply with the legislation in force regarding the protection of personal data (e.g. checking the register of processing activities, the information provided to customers, the appointments of data controllers and authorised persons for processing; privacy procedures; list management; training activities carried out).
As for the Check Call procedure, the Company then clarified that «the Check Call implemented by the Company, in fact, involves the investigation of the interested party's willingness to conclude the contract and, if this is not the case, the blocking of the contractual process. Only in the event of the interested party's willingness to continue with the contractual process does the Company proceed in this direction even in the event of the first contact being unlawful, thus respecting the interested party's will but at the same time blocking the payment of the commission to the agency, in addition to applying a contractual sanction».
Energia Pulita objected that although KWH S.r.l. carries out the Quality Check Call and at the same time also operates as an agency, the performance of these activities is not ambiguous since it guarantees the segregation of roles between those responsible for telemarketing and teleselling activities and those responsible for carrying out the quality calls.
As for the contested violation of the privacy legislation attributable to the processing of data collected through the forms on the company website, Energia Pulita represented that it had already updated the information on the website - acknowledging that it had identified an incorrect legal basis for the processing - but nevertheless objected that it had been a purely theoretical violation and without practical consequences for the interested parties. The Company reiterated that it had also published the updated information for candidates on the website on 8 July 2024 and that this information was also provided during the interview.
Finally, Energia Pulita recalled the provisions of Recital no. 148 of the Regulation and the recent ruling of the European Court of Justice C-768/21 on the absence of automatic mechanisms in the application of punitive measures, while at the same time attaching the mitigating circumstances invoked in the event that the Authority had decided to apply a sanctioning measure.
During the hearing held on 15 January 2025, the Company preliminarily represented its willingness to cooperate and the attention paid to the indications provided by the Authority with the issuing of multiple provisions concerning the performance of telemarketing activities in the energy sector, as well as those contained in the Code of Conduct on telemarketing.
Energia Pulita also specified that although at the time of the aforementioned acquisition the Company had not yet formally adopted the Sales Quality Control procedure, many of the currently required procedures were already being carried out (e.g. listening to calls again, requesting privacy consent from agencies every two months), so that with the formalisation of the procedure, these controls had been strengthened.
With reference, instead, to the checks carried out on personal data from web portals and comparators (see sample week), it was clarified that the Company uses agencies that in turn purchase contact lists subject to verification at the RPO. Energia Pulita also acquires a copy of the monthly rental contracts and compares the contact lists thus obtained with the internal black-list. Before each campaign, in addition to the ex ante communication of the contact lists by the Agencies - which already occurs - in the future, a check will also be carried out on the correspondence between the numbers present in the lists and those indicated in the agreements. If there are numbers outside the list, the related contracts will not be activated. With respect to these lists, Energia Pulita also provides for the acquisition of the information provided to users and the forms used for the acquisition of consent from the aforementioned web portals and comparators.
In this regard, Energia Pulita also clarified that, in addition to the teleselling channel, the Company uses the so-called comparators and that there are cases in which the customer himself makes a request for recontact, issuing the appropriate consents. It may also «happen that the customer stipulates the contract independently, with visibility of the agreement before signing or asks the comparator for support in stipulating it».
The Company then declared that requests for recontact (so-called hot leads) can be processed within 48 hours, subject to the issuing of consent, and that such contacts are not subject to checks at the RPO. The identity of the applicant is guaranteed by the impossibility of stipulating a contract by delegation; this method is only envisaged for the physical channel and subject to the acquisition of the documents of the delegating party.
On the same occasion, the Company highlighted that starting from 2023, a specific Regulatory Affairs & Quality Process Office has been established which takes care of the constant updating of the processes on the basis of the determinations of the relevant supervisory authorities and best practices in the sector. Furthermore, the Company has adopted an "approach that puts the regulatory aspect first, rather than the business aspect (...) This path leads to using a single teleselling agency (...), which does not have sub-agents".
The Company has also clarified that it monitors the switching requests made by customers in order to identify any anomalies (ad hoc procedures and mystery calls).
3. AUTHORITY'S ASSESSMENTS
It should be noted first of all that the elements and documentation acquired as a whole do not allow the objections raised by the Authority to be overcome.
The exceptions raised in relation to the contracts stipulated during the so-called sample week, in fact, cannot be accepted since the consents that Energia Pulita invokes as the legal basis for the processing, as will be discussed in more detail below, do not appear to have been validly acquired, given the lack of prior information and the requirements of freedom, specificity and granularity referred to in Articles 4, point no. 11), 6 and 7 of the Regulation and 130 of the Code.
In this case, the Company first noted that, net of duplicates, the total number of contacts amounted to ninety-six and the percentage of numbers registered in the register consequently decreased to 4.13%.
In this regard, it should be noted that the objection can only be partially accepted, since the duplicated numbers indicate cases in which, for the same contact, agreements were stipulated for the activation of two different supplies and the related emoluments were therefore collected.
Secondly, then, according to the defense advanced by the Company, the ninety-six contacts made during the so-called sample week were not indicative of a violation of the legislation in force, since they were attributable to consents collected through comparison portals (teleselling or virtual outbound sales), to the physical channel or to contracts concluded directly by the interested parties on the Switcho platform.
On this point, it is certainly appropriate to remember that the data controller has clarified that «the so-called “virtual sales outbound rec” sales channel is divided into two distinct phases: i) in a first phase, the seller contacts the potential end customer by telephone to verify their interest in the services covered by the ongoing promotional campaign and subsequently inserts the relevant contractual proposal on the Energia Pulita customer relationship management (“CRM”) platform; ii) in a second phase, the potential end customer is first sent an SMS containing an OTP code that allows the customer to confirm their identity and, subsequently, a link – which the customer receives at the email address – through which the potential customer can, after entering the aforementioned OTP code, access the Energia Pulita contractual package and confirm their willingness to sign a contract with Energia Pulita».
The notions of telemarketing and teleselling hinge, on the one hand, on the means used for the purposes of carrying out the personal data processing operations and, on the other hand, on the purpose pursued by the data controller. Therefore, for the purposes of identifying the applicable discipline, it is not only the context in which the contract was concluded that is important, but also the activity that precedes the actual signing of the agreement. The cases that the Company classifies as part of the outbound virtual sales channel, since they are supported by prior telephone contact activity, are then subject to the same obligations and responsibilities in force in the field of telemarketing and teleselling stricto sensu. In this sense, the notion of telemarketing and teleselling referred to in art. 2 of the Code of Conduct on telemarketing also applies – which, regardless of actual adherence, has an undoubted value as best practices – according to which the terms «a) “telemarketing” mean telephone contact activities with an operator carried out for promotional purposes through direct calls to national fixed and mobile numbers; b) “teleselling” mean telephone contact activities with an operator carried out for direct sales purposes through calls to national fixed and mobile numbers».
This assumption, moreover, appears to be shared by the same Company, which despite having differentiated the sales channels, with regard to such contacts has represented and documented that it acquired the consent of the interested parties at a date subsequent to the registration to the RPO.
However, all the contacts referable to the so-called sample week and processed through the teleselling or virtual sales outbound channel, following an access to the portals carried out by the Office at a date subsequent to the notification of the dispute and the submission of the defensive briefs, do not appear to be supported by a valid consent.
More specifically, in nine cases the contract appears to be attributable to the agency RG Group S.r.l. and to the portal nuoveofferte.com.
Following an access to nuoveofferte.com - it emerged that the portal in question is owned by the London company Dynamic Web Europe Ltd and that on the home page it presents a data collection form useful for receiving the "most advantageous offers".
Although prima facie the form presents three distinct formulas for the acquisition of consent that are not pre-selected (i.e. the one for the sending of commercial communications by nuoveofferte.com, the one for the transfer to third parties for promotional purposes and the one for profiling purposes), the one relating to the transfer of personal data to third parties for marketing and commercial purposes, invoked by the data controller, does not allow for the granting of free, specific and granular consent pursuant to articles 4, point no. 11), 6 and 7 of the Regulation and to eliminate the opposition advanced by the interested parties by registering in the Public Register of Oppositions. In fact, due to the broad wording used in relation to the large and indistinct group of transferees of personal data operating in very different sectors, the interested party who wishes to receive offers relating to one or more of the product categories indicated therein or wishes to receive them through only one of the channels indicated is, in fact, forced to give a single consent to the indiscriminate transfer of his/her data to all, without distinction, third party recipients for promotional purposes and is not placed in a position to easily exercise the rights recognised by current legislation (see, in this regard, the formula used by the Company «I consent to the transfer for marketing and commercial purposes, with the use of the telephone with operator and/or with automated systems (e.g. email, text message) and/or sending of promotional material by post, to third parties belonging to the following economic and product categories: Tourism, leisure, High Tech, Fashion, Furniture, Mass Consumption, Food & Beverage, Finance, Banking, Insurance, Energy, Environment, Communication, Media, Entertainment, Real Estate, Pharmaceutical, Automotive, Clothing and Textile, Education, Energy, Publishing, ICT, Retail, Sports, Telecommunications, and General Services (for the complete list click here)»).
Furthermore, by using the “click here” command in the form just mentioned, the user is redirected to a page containing an even broader list of third-party recipients and means of communication (see «With your prior consent, the personal data collected may be communicated to companies, entities or associations, including non-profit ones, belonging to the following categories: credit institutions (including Banca Progetto SpA, Vivi banca Spa Ibl Banca SpA), insurance companies, commercial distributors, communication agencies, companies active in direct marketing, utilities (including C.I.P. srl), car manufacturers, brokers, financial companies (including Dynamica Retail SpA, Sigla Srl), personal advisors / financial consultants / asset management, suppliers of electricity and/or energy services (including Enel Energia SpA, Eni Gas e Luce SpA, Acea Energia Spa, A2A Spa, Edison SpA, Hera Comm Spa, Iren Luce e Gas SpA, Illumia SpA, Made in Energy SpA, Olimpia Srl, Optima SpA, Iberdrola SpA, Green Network SpA), providers of fixed and/or mobile telephone services and/or ADSL/Fiber optics (including Fastweb SpA, Linkem SpA, Telecom Italia SpA, Vodafone SpA), publishing houses, distributors and editors of newspapers, periodicals and books, suppliers of food and wine products, suppliers of office supplies, providers of digital and/or satellite TV services and television broadcasters, producers and/or distributors of children's items, companies operating in the consumer goods sector, non-profit associations (including political, trade union, religious, philosophical, recreational and sports associations, parties and movements) and public and private bodies, intermediary companies. 
These subjects will process personal data as "independent data controllers" for promotional marketing activities, including research and opinion polls, on their own products and services or those of third-party companies, through automated tools (e-mail, sms, fax, mms, messages on social networks, whatsapp, messenger, online instant messaging applications, web and mobile push notifications) and non-automated tools (paper mail, telephone with operator). The legal basis for data processing for this purpose is art. 6.1.a) of the GDPR»).
The use of formulas for the acquisition of consent to the processing of personal data for the transfer to third parties for marketing purposes that are so broad and generic, that they do not allow the interested party to express a granular and differentiated will, for example in relation to the product category of the commercial offers that they wish to receive (i.e. telephony, energy supplies, insurance services, fashion, cars, etc.) or that, due to the peculiar configurations of the forms and information used, do not allow them to easily express their will regarding the tools through which to convey promotional communications, does not allow for the acquisition of a valid, conscious and unequivocal manifestation of will of the interested party, since it ends up creating an uncontrollable dissemination of personal data in favor of an indistinct audience of operators, also undermining the possibility of effectively exercising the rights recognized by law in favor of the interested parties.
The expression of will regarding the transfer of data to third parties for marketing purposes can be considered truly free only if the data subject is guaranteed an effective choice and control over his or her personal data (see Guidelines no. 5/2020 on consent pursuant to Regulation (EU) 2016/679, par. 3.1 «The element of the “free” expression of will implies that the data subject has an effective choice and control over his or her data. As a general rule, the regulation establishes that if the data subject does not have an effective choice or feels obliged to consent or will suffer negative consequences if he or she does not consent, the consent will not be valid. If consent is a non-negotiable element of the general terms and conditions of the contract/service, it is presumed that it was not given freely. Consequently, consent will not be considered free if the data subject cannot refuse or withdraw it without suffering prejudice. The General Data Protection Regulation has also taken into account the notion of imbalance between the data controller and the data subject» and par. 3.1.3 «If the data controller has combined different processing purposes and has not requested separate consent for each of them, there is no freedom. Granularity is strictly related to the need for consent to be specific, as analyzed in section 3.2. When data processing aims to pursue different purposes, the solution to satisfy the conditions for the validity of consent lies in granularity, i.e. in the separation of purposes and in obtaining consent for each of them»). Conversely, this prerogative is frustrated, as happened in the case at hand, through the use of consent formulas and graphic devices that have the effect of transferring personal data to an indistinct group of recipients, operating in sectors that are also very different from each other or even to multi-mandate call centers.
Indeed, the interested party must be placed in a position to freely, granularly and specifically express their will and therefore to be able to choose, even by macro-categories, which products or services to receive promotional communications (e.g. through the implementation of specific forms that allow the selection of macro-categories of goods or categories of recipients).
On the contrary, the interested party who wishes to receive, for example, only offers relating to energy supply services, is faced with the binary condition of not giving any consent or of giving it and receiving a multitude of commercial communications also relating to services that have nothing to do with the energy sector, with a consequent and undue intrusion into their sphere of privacy and an irreparable loss of control over their personal data.
The use of such forms, moreover, by making it difficult to trace the source of the data and the data controller, undermines the possibility of exercising the rights recognized to the interested party also in relation to the choice of means used for receiving commercial communications (see Provision no. 242/2013 Consent to the processing of personal data for "direct marketing" purposes through traditional and automated contact tools, web doc. no. 2543820, which although dating back contains principles of continuing validity, in the part in which it prescribes that «the information also shows the possibility for the interested party, who does not intend to give consent in the terms indicated above, to express the possible will to receive communications for the aforementioned purposes exclusively through traditional contact methods, where provided; d) such will be made exercisable in an easy and free manner pursuant to the aforementioned art. 7, paragraph 4, of the Code»).
Likewise, the thirty contracts concluded through the offerteenergetiche.it portal and also attributable to the company RG Group S.r.l., are stipulated on the basis of an illicit contact, since they were made without the prior acquisition of valid and effective consent pursuant to current legislation.
By visiting the aforementioned portal, owned by Skill S.r.l., a form is visible that is useful for providing data for the use of the "energy consultancy" service. At the bottom of the form, there is only a consent acquisition form, by flagging which the interested party declares "I ACKNOWLEDGE the processing of personal data for the execution of the requested services, having read the Privacy Policy of Skill s.r.l. (Mandatory) click here to view and select them individually".
Only by clicking inside the form just mentioned, further consent forms appear (see «I confirm that I have read the Privacy Policy and I acknowledge that my data will be processed by Skill s.r.l. and communicated to partner companies (Send an email to [email protected] to receive the complete list of our partners) to be contacted in relation to the requested product/service (mandatory); I confirm that I have read and accepted the Conditions of Use (mandatory); I confirm that I have read the Privacy information of the Operators (data of the Client company/companies) and I acknowledge the foreseen treatments (mandatory); I consent to the treatments referred to in the Privacy Policy. These consents are optional, click here to view and select them individually. I consent to the processing of personal data by Skill s.r.l. for the sending of promotional communications and advertising material, the offer of products and/or services of its own or third parties, the carrying out of surveys and market research, by any means, including in particular the use of telephone with operator and/or automated systems (e.g. SMS, MMS, fax, autoresponders, push notifications, social media) Point 2 letter d) (optional); I consent to the processing of personal data by Skill s.r.l. for profiling for commercial and marketing purposes based on the methods of use of the site offerteenergetiche.it Point 2 letter e) (optional)»).
It is clear that such formulas do not appear to be in line with current legislation since they do not allow the expression of granular, free and distinct consent for marketing activities and for the transfer of data to third parties for promotional purposes. Furthermore, even the technological measures used and the reference to whether it is mandatory or not appear misleading and lacking in terms of transparency.
Entirely similar observations must also be raised with reference to the twenty-five contracts stipulated with the aid of the tariffiamo.com portal, owned by Datalia S.r.l., and attributable to the agencies LC Trade S.r.l. and No&MI S.r.l.
This portal also seems to acquire separate consents for the processing of personal data for marketing purposes and for the transfer of data to third parties for promotional purposes (see «I confirm that I have read the Privacy Policy/Promotional communications Read more I consent to the processing of my data for the sending of promotional communications by Datalia srl. With the following means (telephone with operator, email, sms, fax, mms, push notifications, messages on social networks, autoresponders, and/or paper mail), relating to products and/or services of Datalia srl./Transfer of data to third parties Read more I consent to the transfer of my data to third parties, partners of the Data Controller, for commercial promotion purposes according to the methods described in paragraph “d” of the privacy policy. The list of third parties to whom the data can be transferred is available at this link: Privacy Third Parties»).
However, by consulting the list of third party recipients, it emerges that the personal data thus collected are transferred to just over thirty entities operating in the energy, telephone and promotional fields in general (call centers).
Similarly, the three contracts signed with the help of the portal www.ricercaofferte.com, owned by Runwhip S.r.l. and attributable to LC Trade S.r.l., are not supported by legitimate contact.
As previously seen, the portal in question also contains a form useful for collecting personal data, granting consent for marketing and a separate consent for the transfer of data to third parties for promotional purposes. However, the consents acquired do not have the required requirements of freedom, specificity and granularity since it is not possible to choose, nor reduce, the group of recipients of the data or the means used for the purposes of conveying commercial communications (see information on the processing of personal data «With your express consent, personal data may be communicated to third-party companies that are clients, clients or partners of the Data Controller so that they can carry out commercial communications and send them via the web, post, e-mail, telephone (sms, mms, telemarketing). These third parties (an updated list of which is always available by requesting it from the Data Controller via the email [email protected] ) belong to the product categories indicated below: Communications: communications and technology products and services, etc.; Finance and banking: financial entities, insurance, investment, social security, etc.; Leisure: publishing, tourism, sports, collecting, photography, hobbies, communication and entertainment, art, music, etc.; Distribution and trade: electronics, IT, image and sound, fashion, accessories, clothing, textiles, bazaars, cosmetics and health and hygiene, chemicals, pharmaceuticals and biotechnology, agri-food, supermarkets, beverages, office supplies, furniture, etc.; Automotive: products and services related to cars, industrial vehicles, bicycles and motorcycles, trucks, mechanics and metallurgy, etc.; Energy and water: products related to electricity, hydrocarbons, gas, water and utilities, etc.; NGOs and associations: products and services related to non-profit organizations, foundations, etc.; Education, training, instruction, universities, etc.; Communication and services: advertising, marketing, mobile marketing, event, consultancy, advertising, PR agencies, advertising agencies, media centers, telecommunications, market research, etc.; Ecology and environment: companies operating in the field of ecological transition, environmental, eco-green, etc.; Construction, civil engineering and real estate products/services: construction, decoration, home, design, real estate agencies, etc.; Fairs and events, concerts, events etc.; IT, Internet, e-commerce sites etc»).
A contract, then, appears to have been stipulated with the help of the offerte-gas-luce.it platform and attributable to the agency RG Group S.r.l. Also in this case, it does not appear that the platform allows the granting of consents that can be considered valid pursuant to the current legislation, given the failure to publish on the site the information on data processing and useful indications for the unequivocal identification of the data controller. 
In conclusion, with the exception of the contracts originating from the physical channel or the Switcho platform, for the reasons just illustrated, the remaining 68 contacts made during the so-called sample week do not appear to be supported by a valid legal basis and constitute a violation of art. 130 of the Code, as well as, more generally, of art. 5, par. 1, letter a) and 6, par. 1, letter a) of the Regulation, with regard to the principle of lawfulness and the need for the legal basis of consent to legitimise the processing of the data in question for promotional purposes.
While recognizing, in fact, the undeniable social and economic utility of websites and applications that can help the user to orient themselves in the multitude of offers and tariffs present on the market - especially in the current historical moment characterized by the transition to the free market in the field of energy supplies - it is believed that such legitimate interests must in any case be guaranteed in the necessary balance with the right to privacy of the interested party. 
It follows that the use of formulas for the acquisition of consent to the processing of personal data for transfer to third parties for marketing purposes that are so broad and generic as to the number and type of transferees, even if correctly configured in such a way as not to present so-called pre-flagged consents, but which nevertheless do not allow, for example, even the selection of the product category of the commercial offers that one wishes to receive (i.e. telephony, energy supplies, insurance services, fashion, cars, etc.) or which, due to the peculiar configurations of the forms and information, hinder the exercise of rights and do not allow one to easily express one's will regarding the tools through which to convey promotional communications, cannot eliminate the effects of the opposition expressed by the interested party by registering in the Public Register of Oppositions, since they do not allow the expression of a valid, conscious and unequivocal manifestation of will, instead creating an uncontrollable dissemination of personal data in favor of an indistinct audience of operators. In compliance with the principles established by the current legislation, in fact, the interested party must be put in a position to freely, granularly and specifically express their will and therefore to be able to choose, even by macro-categories, with respect to which products or services to receive promotional communications (e.g. through the implementation of specific forms that allow the selection of macro-categories of goods or categories of recipients).
In the absence of this, the interested party would be granted the only alternative of completely renouncing the receipt of commercial communications or of receiving an unpredictable multitude of commercial communications, from an indistinct group of subjects transferring personal data operating in very different sectors (including call centers), also concerning services that have nothing to do with their area of interest, with a consequent and undue intrusion into their sphere of privacy and an irremediable loss of governability over their personal data.
Likewise, the use of textual, graphic and technological devices that may influence the user's behavior (e.g. in terms of easy understanding of the methods and purposes of the processing or the granting/revocation of consent) or even aimed at understanding their will, cannot be considered in compliance with the current legislation and also affect the legitimacy of the processing carried out using personal data collected through the methods described.
The existence of the violations referred to is also confirmed by the multitude of reports that the Authority received before the start of the investigation and pending the same, regarding the receipt of promotional calls made in the interest of Energia Pulita, in the absence of prior acquisition of consent and, in almost all cases, using numbers not registered with the ROC.
The number of complaints and the tenor of the circumstances represented, in fact, constantly outline a real modus operandi attributable to the phenomenon of so-called wild telemarketing.
In a large number of complaints, the interested parties complain of having been contacted not only in the absence of an appropriate legal basis, but also through the use of particularly insidious language and commercial techniques. Often the telephone operator, pretending to call on behalf of another data controller (competitor or fictitious administrative offices) informs the user about the existence of phantom technical-administrative problems, bonuses or even tariff increases, and then proposes the activation of an energy supply with Energia Pulita (see File no. 381587 «The operator knew my name/surname and proposed switching to Energia Pulita to avoid alleged government increases of 30% on the electricity supply»; File no. 331890 «The operator first pretended to be the National Electricity Service, with which I currently have the supply, saying that I would switch to Energia Pulita automatically from 1 March 2024 and asking me to confirm the activation data. When I replied that I know that the switch to the gradual protection market is on 1 April and that therefore until that moment I can change operator whenever I want, she started to become aggressive and then I hung up»; File no. 337805 «I spoke with a person who, identifying himself as an employee of the national electricity service of greater protection (with which I have a contract), asked me for data in order to move my contract which by law has been transferred to the new identified manager (Energia Pulita)»).
It should also be added that from the checks conducted at the ROC and by the Company's own admission, some of the contacts reported were found to be attributable to the agency RG Group S.r.l., to which Energia Pulita had conferred the appointment as manager or to its sub-managers (i.e. Rocket S.r.l. and Dialtech S.r.l.s).
Moreover, the significant number of sudden switches requested by customers and highlighted by the feedback provided on the reports - from which it emerges that in eight cases, the reporters had activated a supply with Energia Pulita for only a month or a little more - constitutes further confirmation of the implementation of promotional activities with means and methods not in line with the current legislation.
Moreover, even the procedure for managing requests for recontact sent by interested parties by filling out the forms on the company website does not appear to be suitable for ensuring the accuracy and legitimate origin of personal data, since the only guarantee in this sense provided by the owner is to prevent the conclusion of contracts through a delegate within channels other than physical ones.
From another and different perspective, the findings that emerged during the proceedings also establish the violation of the obligations incumbent on the data controller pursuant to articles 5, 24, 25, 28 and 32 of the Regulation.
On the one hand, in fact, all the documentation and deductions submitted to the proceedings, while providing a picture of a corporate structure sensitive to the subject of personal data protection, at the same time denote a significant delay in complying with the obligations imposed by current legislation.
On the other hand, the investigation carried out revealed that the Company failed to carry out the necessary checks on the entire processing chain and to implement adequate technical and organizational security measures to prevent the risk of activating supplies deriving from illicit contacts, thus fueling the so-called telemarketing undergrowth.
First of all, it should be noted that numerous measures and precautions regarding the protection of personal data were implemented only between the end of 2023 and the beginning of 2024, therefore several years after the entry into force of the European Regulation on data protection.
In this regard, the exception raised by the data controller according to which such delay would be due to the negotiations with Green Network S.p.A. cannot be accepted, since the Company declared that the acquisition of the business unit took place on 16 January 2023, while the corporate compliance process - it is reiterated - was undertaken only between the end of 2023 and the beginning of 2024.
Moreover, by virtue of the principles of privacy by default and privacy by design, the data controller is obliged to adopt adequate technical and organizational measures in relation to the risks for the rights and freedoms of the data subjects before carrying out the processing operations and, subsequently, to constantly update its privacy system also in relation to technological and socio-economic developments.
Furthermore, before the start of the aforementioned compliance process, the Company had not yet adopted some minimum and indispensable measures, which are independent of the dimensional characteristics of the company.
The reference is for example to the formalization and implementation of an effective selection procedure for suppliers and agents, which pursuant to art. 28 of the Regulation ensures ex ante that only subjects with suitable skills in the field of personal data protection are used (so-called culpa in eligendo). But similar considerations can also be made in relation to the delayed implementation of a blocking check call mechanism, which prevents the entry into company systems of contracts stipulated downstream of illicit contacts, to the training of collaborators, to suitable security measures for access to systems (e.g. MFA and IP tracking).
Both the results emerging from the checks carried out on the so-called sample week, and the documentation in the proceedings, also attest to the occurred - and ongoing - violation of the obligations incumbent on the data controller in relation to the control and supervision of the work of the data processors (so-called culpa in vigilando), related to the provision of merely formal obligations, then not followed by the actual implementation in concrete of effective and penetrating verification initiatives, even on site or by sampling. 
In fact, numerous contacts that are the subject of complaints and made in the absence of the conditions of legitimacy, following the checks conducted at the ROC or by the Company's own admission, were carried out precisely by agencies operating on behalf of Energia Pulita. 
In this regard, the fact that, despite having declared that it would acquire a copy of the rental contracts, the owner used contact lists formed on the basis of personal data collected through web portals that did not present suitable guarantees regarding the origin of the personal data, the correct acquisition of the consents of the interested parties and the provision of the information on the processing of personal data is particularly relevant.
Moreover, the fact that the Company documented the actual performance of auditing and training activities only starting from 2024, also in this respect, further confirms the failure to fulfill the obligations incumbent on the owner pursuant to art. 28 of the Regulation.
Finally, with reference to the information on the company website in relation to the processing carried out for the management of CVs and applications, while appreciating the effort made by the owner in updating the information in question already pending the proceedings, it is ascertained that the principles of clarity and transparency pursuant to art. 5, 12 and 13 of the Regulation, both in relation to the lawfulness of the processing and to the existence of an appropriate legal basis pursuant to Articles 5, 6, 7 and 9 of the Regulation and 111-bis of the Code.
The processing of personal data, in fact, is carried out in compliance with these basic and fundamental principles when the interested party is adequately informed about the purposes and methods of the processing and therefore placed in a position to provide his/her personal data in an informed and conscious manner.
It follows that in the case of forms that can be filled in online, the information must be immediately available for consultation before the actual provision of the data, as a merely subsequent and eventual declaration cannot be used to fulfill this obligation.
In this case, the form used to submit applications was aimed at collecting personal data belonging to potential candidates interested in collaborating with the Company and in the opinion of the latter, the fact that the information was provided during the interview could be considered equivalent or in any case sufficient to make up for the failure to provide it in a phase prior to data collection.
This assessment cannot be shared, since it is contrary to the rationale and spirit of the legislation, but above all because in the event of a failure to provide an interview, the potential candidate ends up providing a series of detailed personal information, perhaps even of a particular nature in the case (for example) of belonging to a protected category, without the possibility of knowing the purposes and methods of the processing or the channels made available by the owner for the exercise of the rights recognized to the interested party pursuant to articles 15 et seq. of the Regulation. 
On the other hand, in the previous versions of the information in question, the owner had not even correctly identified the legal basis of the processing, with consequent repercussions on the lawfulness and transparency of the processing and on any consents given.
On this point, the exception advanced by the owner in relation to the circumstance that the incorrect identification of the legal basis does not constitute a significant violation or likely to cause harm to the interested party cannot be accepted, since the legal basis is an essential element of the information and constitutes the foundation of the lawfulness of the processing. Furthermore, the identification of the legal basis is also closely related to the identification of the rights that can be exercised by the interested party (i.e. opposition, withdrawal of consent). Furthermore, the data protection rules are intended to protect a fundamental interest of the person, with respect to which the Legislator has peacefully prepared an advance protection that is independent of the verification of pecuniary or non-pecuniary damage.
For all the reasons illustrated, in this case, the conditions for considering the minor violation regime applicable, as provided for and interpreted also in light of Recital no. 148 and the recent rulings of the CJEU, do not exist, also taking into account the number of interested parties involved, the duration of the violation and the particularly insidious nature of the means used to carry out the conduct being ascertained related to the pervasiveness of web portals and the Internet, as well as the circumstance that the measures adopted up to now by the owner are not sufficient to fully remedy the violations ascertained.
The liability of Energia Pulita must therefore be definitively confirmed in relation to the contested violations.
4. CONCLUSIONS
For the above reasons, the liability of Energia Pulita is deemed to be ascertained in relation to the following violations:
a) arts. 5, 6, 7, 24, 32 and 25 of the Regulation, as well as art. 130 of the Code for having processed personal data in conflict with the principles of lawfulness and accountability, in the absence of an appropriate legal basis and by implementing technical and organizational measures that are not adequate to guarantee, from the design stage, and to be able to demonstrate, that the processing is carried out in accordance with the Regulation;
b) articles 5, 24, 25, 28, 29 and 32 of the Regulation for having processed personal data using subjects internal and external to the company organization, in violation of the obligations incumbent on the data controller in order to identify, train, direct and monitor the work of the designated subjects (so-called culpa in eligendo and culpa in vigilando);
c) articles 5, 6, 7, 9, 12 and 13, as well as art. 111 bis of the Code for having processed personal data in the absence of prior and correct identification of the legal basis of the processing and the provision of the required information.
Having therefore ascertained the unlawfulness of the Company's conduct with reference to the processing under examination, it is also necessary to:
- impose on Energia Pulita, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of any further processing of the data belonging to the above-mentioned reporting parties;
- order Energia Pulita, pursuant to art. 58, par. 2, letters d) and e) of the Regulation, to communicate to the 68 interested parties, whose personal data have been entered into the Company's systems following unlawful contacts, the results of today's proceedings on the basis of a text to be agreed with the Authority when applying this provision;
- order Energia Pulita, pursuant to art. 58, par. 2, letter d) to arrange for adequate controls at its sales network and adequate implementation of the systems, in order to exclude the entry into the company assets of contracts generated by illicit contacts;
- adopt an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Energia Pulita of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5, of the Regulation.
5. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE PECUNIARY SANCTION
The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Energia Pulita of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5, of the Regulation (payment of a sum of up to € 20,000,000.00 or, for companies with a turnover of over € 500,000,000, up to 4% of the annual global turnover of the previous financial year, if higher).
To determine the maximum statutory fine of the pecuniary sanction, it is therefore necessary to refer to the turnover of Energia Pulita, as obtained from the latest available financial statement (March 2024) in accordance with the previous provisions adopted by the Authority, and therefore this maximum statutory fine is determined, in the case in question, at € 20,000,000.
To determine the amount of the sanction, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation.
In the case in question, the following are relevant:
1) the seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation), taking into account the object and purposes of the data processed, attributable to the overall phenomenon of telemarketing, in relation to which the Authority has adopted, in particular in the last five years, numerous provisions, as well as the Code of Conduct on telemarketing, which have fully examined multiple critical elements, providing the owners with numerous indications to adapt the processing to the legislation in force and to mitigate the impact of nuisance calls on the interested parties;
2) as a mitigating factor (Article 83, paragraph 2, letter f) of the Regulation), the degree of cooperation with the Supervisory Authority in order to remedy the violation.
Based on the set of elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by art. 83, par. 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and the freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction of the payment of a sum of €300,000.00, equal to 1.5% of the maximum sanction, should be applied to Energia Pulita. 
In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, taking into account the nature of the processing and conduct of the Company, as well as the elements of risk for the rights and freedoms of the interested parties. 
In implementation of the principles set out in art. 83 of the Regulation, the imposition of this additional sanction appears reasonable and proportionate in relation to the number of interested parties involved, the duration of the violations and the peculiar dangerousness and pervasiveness of the conduct being ascertained, related to the use of web portals and the internet.
Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.
GIVEN ALL THE ABOVE, THE GUARANTOR
a) imposes on Energia Pulita, pursuant to art. 58, par. 2, letter f) of the Regulation, the prohibition of any further processing of personal data belonging to the above-mentioned whistleblowers;
b) orders Energia Pulita, pursuant to art. 58, par. 2, letters d) and e) of the Regulation, to communicate to the 68 interested parties, whose personal data have been entered into the Company's systems following illicit contacts, the results of today's proceedings based on a text to be agreed with the Authority when applying this provision;
c) orders Energia Pulita, pursuant to art. 58, par. 2, letter d) to arrange for adequate controls at its sales network and adequate implementations of the systems, in order to exclude the entry into the company's assets of contracts generated by illicit contacts;
d) orders Energia Pulita, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measures imposed in the previous letters; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation;
ORDERS
to Energia Pulita S.r.l., in the person of its legal representative pro-tempore, with registered office in Milan (MI), via Vincenzo Monti, 48, VAT number 10802400969, to pay the sum of €300,000.00 (three hundred thousand/00) as an administrative pecuniary sanction for the violations indicated in the reasons, representing that the offender, pursuant to art. 166, paragraph 8, of the Code has the right to settle the dispute, by complying with the provisions given and paying, within thirty days, an amount equal to half of the sanction imposed.
ORDERS
to the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €300,000.00 (three hundred thousand/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981.
ORDERS
a) the publication of this provision, pursuant to art. 154-bis of the Code and 37 of Regulation no. 1/2019;
b) the application of the accessory sanction of the publication on the website of the Guarantor of this injunction order, as provided for by art. 166, paragraph 7 of the Code and 16 of the Guarantor Regulation no. 1/2019;
c) the annotation of this provision in the internal register of the Authority - provided for by art. 57, paragraph 1, letter u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor - relating to violations and measures adopted in accordance with art. 58, par. 2, of the Regulation itself.
Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.
Rome, 27 February 2025
THE PRESIDENT
Stanzione
THE REPORTER
Ghiglia
THE SECRETARY GENERAL
Mattei
  1. See Garante per la protezione dei dati personali (Italy) - 2543820
  2. The Code of Conduct is a non-binding code available on the GPDP's website.
  3. D. lgs. 196/2003 is Italy's so-called "Privacy Code". Article 111-bis provides for specific rules for processing the CVs of job applicants while Article 130 regulates unsolicited marketing communications.