Eni gas e luce SpA – 11.5 million fine
The energy and gas supplier ENI made advertising calls in Italy without appropriate consent. It also lacked the necessary technical and organizational measures (TOM) to properly process users’ advertising objections. Furthermore, the permissible retention periods were exceeded because data records that were no longer required were not deleted. Therefore, a fine of 8.5 million euros was imposed.
At the same time, the Italian data protection authority announced that a second fine, of 3 million euros, had been imposed on the company.
In these proceedings, it was discovered that although the persons concerned had given notice of termination, a contract extension was secretly recorded in the CRM (Customer Relationship Management, a program for recording, among other things, all customer interactions). A large number of complaints from affected parties were registered with the Italian supervisory authority. Approximately 7200 individuals were affected by this GDPR breach. In doing so, the company violated Article 32 (Security of data processing) and Article 5 (Principles for the processing of personal data) of the GDPR.
Type of violation:
violated rights of the data subject
Affected data records:
Was sensitive data affected?:
Fine imposed:
€ 11,500,000,-
Violation of GDPR Article:
32. Security of processing
5. Principles relating to personal data processing
Press release of the Italian data protection authority (English)