
Background information
- Date of final decision: 10 April 2025
- Cross-border case or national case: national case
- Controller: Acea Energia spa
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 7 (Conditions for consent), Article 13 (Information to be provided where personal data are collected from the data subject), Article 24 (Responsibility of the controller), Article 25 (Data protection by design and by default), Article 28 (Processor), Article 29 (Processing under the authority of the controller and processor), Article 32 (Security of processing)
- Decision: Administrative fine, Compliance order
- Key words: Accountability, Consent, Consumer protection, Data protection by design and by default, Transparency, Unsolicited communication
Summary of the Decision
Origin of the case
The Italian Supervisory Authority (SA), Garante, in the exercise of its powers of investigation and control under the Code (Italian data protection law), carried out a number of inspection activities in cooperation with the special Nucleus for the protection of privacy and technological frauds of the Guardia di Finanza, following a complaint received by the same Nucleus from an editor of a TV show.
In a nutshell, the complaint reported a phenomenon already known to the Italian SA, i.e. that of the activities of unauthorised call-centres (without a formal mandate from their clients and not registered in the Register of Communications Operators - ROC - set up at the National Communications Authority - AGCOM) in possession of lists of personal data of persons to be contacted by telephone to propose the activation of telephone or energy (gas and electricity) services, also by switching from one operator to another.
Key Findings
The investigations revealed relevant evidence of illegal activities carried out through the use of lists of customers who had recently changed energy supplier. The call-centre operators contacted these customers, alleging non-existent technical faults in the switch between operators, and induced them, out of fear of financial damage, to activate a new contract.
This system involved the use of lists of personal data acquired from other companies belonging to the network in the absence of specific consent and without providing prior information to the persons concerned, lists that contained detailed information on the customers.
The investigations also showed that energy company representatives had direct and constant contact with those who carried out the aggressive telemarketing activities. However, the energy company, once it became aware of what had emerged from the investigations, revoked the appointment of the agency involved in the incidents, and adopted corrective measures aimed at raising the level of security of the processing operations carried out on its behalf.
Decision
The Garante imposed fines of €3 million on an energy company and €850 000 on the agencies involved, in light of infringements of Articles 5(1), 6, 7, 13, 24, 25, 28 and 32 of the GDPR and Article 130 of the National Personal Data Protection Code.
The Garante also ordered the energy company to inform all those concerned whose data had illegally entered its systems of the outcome of the proceedings and to verify the existence of sub-processors who had not been duly contracted. All the agencies involved have been ordered not to use contact lists whose lawfulness they cannot prove.
For further information: national press release - Telemarketing: dal Garante privacy sanzioni per 3mln ad Acea Energia e 850mila euro ad agenzie e società coinvolte (Italian)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.