Eni gas e luce SpA – 11,5 Mio. Euro data protection fine
The energy and gas supplier ENI made advertising calls in Italy without the consent of the affected people. In addition, the necessary technical and organizational measures (TOM) were missing in order to properly process data processing objections. Furthermore, the company did not delete data records, which are not longer in use. Therefore, a fine of 8.5 million euros was imposed by the data protection authority.
At the same time, the Italian data protection authority announced that a second fine of 3 million euro had been imposed on the company.
In this investigation, it was found out that the company wrote in their customer relationship management programm (CRM) a contract extension, although the affected people had given a notice of termination. A large number of complaints from those affected have been registered with the Italian data protection authority. Approximately 7200 people were affected by this GDPR violation. The company violated Art. 32 (security of data processing) and Art. 5 (principles for the processing of personal data) of the GDPR.
Type of Issue:
violated rights of the data subject
Number of involved data records:
Special category of data involved:
Violation of GDPR Paragraph:
32. Security of processing
5. Principles relating to personal data processing