On June 26, 2024, the Italian data protection authority (Garante) published its decision no. 342, issued on June 6, 2024, in which it imposed a fine of €6,419,631 on Eni Plenitude S.p.A. following violations of the General Data Protection Regulation (GDPR).
Background to the Decision
The investigation was carried out by the Garante following 108 reports and seven complaints made against Eni Plenitude regarding the receipt of unwanted promotional calls made without individuals’ consent or through using registered numbers on the Do Not Call Registry.
Findings of the Garante
Following its investigation, the Garante determined that Eni Plenitude had violated Articles 5(1)(a), 5(1)(d), 5(1)(f), 5(2), 6, 24, 25, and 28 of the GDPR by:
- violating the principles of lawfulness, correctness, transparency, accuracy, and security;
- carrying out telemarketing activities in the absence of a suitable legal basis; and
- failing to implement appropriate security measures.
Outcome
As a result of the above, the Garante imposed a fine of €6,419,631 on Eni Plenitude. Additionally, the Garante ordered Eni Plenitude to:
- stop any further processing of data of the complainants;
- communicate this decision to the 657 parties whose personal data was entered into the company’s systems following illicit contact;
- prepare adequate measures to ensure that the processing of personal data is carried out in compliance with Article 5 of the GDPR; and
- communicate to the Garante the initiatives undertaken to implement the measures imposed.
Source: Garante