On Jan. 17, 2020, the Italian Supervisory Authority (ISA) announced it had imposed two separate fines of €8.5 million and €3 million on Eni Gas e Luce (EGL), an Italian electricity and gas supplier. These fines were in response to two distinct GDPR violations.

The first fine (in Italian), for €8.5 million, was served because EGL was found to be illegally processing personal data by making marketing calls to individuals who had opted out of receiving such promotional calls. The Italian SA also determined the company did not follow the specific procedures that required it to check the public opt-out register. These actions are clear violations of Article 6 and Article 13 of the GDPR.

In addition to the fine, the Italian SA is forcing EGL to put in place processes that will prevent it from making similar calls in the future. This includes requiring EGL to verify that it has a customer’s consent before it contacts them as part of any promotional drive. EGL is also banned from acquiring data from any third parties, namely list providers, that cannot prove that the customers consented to having their data shared.

The second fine (in Italian), which totaled €3 million, sanctioned EGL’s conclusion of unsolicited contracts (that is, signing individuals up to EGL contracts without informing them that EGL was now their energy company) and its use of inaccurate and, at times, forged information on those contracts. This is a clear violation of multiple sections of the GDPR, including several sections of Article 5 and Article 7.

EGL entered into contracts with over 7,000 Italians without their knowledge. In many cases, individuals did not know that EGL was their power supplier until they received their first bill from the company. EGL worked through external agencies that allowed it to acquire new or expiring electricity and gas contracts without ever having to contact the end customer. The Italian SA has ordered the company to take steps to correct this abuse of data fairness and to introduce checks to detect such procedural anomalies in the future.

That EGL is at fault is fairly cut and dried: even though these GDPR violations do not involve online data, there is little to contest when a company uses inaccurate data to conclude contracts without an individual’s consent. The case also indicates that companies may not have considered how the GDPR affects the way they use and protect data offline.

These fines underline the importance every company should place on evaluating how it treats all personal data, not just online data. (It also suggests every company should review which third parties it is working with to get customer data and leads.) We have created a GDPR checklist and an overview of the regulation to help you get started. And if you’re a business in the US, we have a GDPR checklist for you as well.