Italy: Energy provider violates GDPR
An energy provider tasked an albanian callcenter with the aquisation of new customers. The callcenter would call persons from their own database. If they showed interest in switching energy provider, the callcenter would transmit their phonenumber and other personal data to the energy company. After that, the energy company would call the potential customer to sign the contract.
Since the GDPR went live on the 25th of May 2018, all companies that are located in, or doing business with, companies in the EU have new rules that they must follow. In this case, the company violated the GDPR, as it failed to notify their customers of the data transfer. In addition, the energy provider did not tell the customers, who the primary data controller for their personal data was. Neither the energy provider nor the callcenter told the customers about their rights regarding GDPR.
The company was found guilty of 78 violations regarding illegal data collection and 155 violations in illegal data processing. These illegal actions where committed in a short period of time. The company had to pay € 2.018.000,-. Even though the base of the judgement was the old data protection law, they are still relevant. The mentioned actions would have also been illegal under the GDPR.
To transfer personal data to a processor, a contract is needed. Writing a contract is expensive and time-consuming. With easyGDPR standard you can create the contract in a few minutes. Beside that, easyGDPR creates the mandatory data protection documentation and gives you information about the data protection status in your company.
Type of Issue:
violated duty to inform
Number of involved data records:
Special category of data involved: