In 2020, an Italian company supplying electricity and gas to a customer base of approximately 7.7 million customers was fined a total of 11.5 million euros for violating important norms of the General Protection Data Regulation (GDPR).
The company named ‘Eni Gas e Luce’ is a retail company that is a provider of electricity and gas to customers in major cities in Europe. However, the company failed to comply with the GDPR which led to the massive fine.
Let us understand what led to the imposition of the fine:
Background:
The Data Protection Authority in Italy (the ‘Guarantor’) received complaints from numerous customers of Eni Gas e Luce because they were receiving unsolicited marketing and promotional calls from the company. Additionally about 7,200 customers had received contracts from the company without them having entered into the contract or having given their consent to enter into the contract.
Discrepancies detected:
- It was observed that Eni Gas e Luce had obtained customer data such as contact details from third party companies who would not conduct periodic checks in relation to information and consent and neither the customer details on the database of Eni Gas e Luce was subject to any checks. Moreover, many of the customers who had not consented to promotional calls were being contacted for the same purpose.
- There were various third parties involved pertaining to sharing of information and it could not be ascertained how Eni Gas e Luce could have received personal details of individuals from the third parties.
- Data had been retained for time periods longer than necessary even after the termination of contracts with customers
- Eni Gas e Luce followed a system of contacting customers which led to customers entering into contracts with the company without their knowledge. The contracts contained incorrect details of customers and this affected approximately 7,200 individuals
Decision of the Guarantor:
Taking into consideration the above discrepancies, there was a very clear violation of the GDPR specifically of Articles 5,6 7 and 13. Data minimization, consent, lawful processing were blatantly ignored which find a place in the GDPR to protect and safeguard the individual’s privacy and security. Hence, the Guarantor fined Eni Gas e Luce a total of 11.5 million euros and also gave a directive to the company to establish procedures which ensure that the data of the individual is not compromised and their privacy is respected.
Conclusion:
This case should act as an eye opener for companies that provide essential services to people. Due to the very important role that these companies play in the lives of people since they provide services such as electricity and gas which are so integral to the day to day functioning, it is all the more important for such service providers to comply with the GDPR and follow it stringently.
References:
-https://gdpr.eu
-https://www.gpdp.it