Edison Energia has been given a €4.9 million fine after breaching several requirements of the GDPR (General Data Protection Regulation). The infringements include:
- The failure to obtain free, specific, informed and documented consent to disclose personal data;
- Sending unsolicited promotional communications; and
- Failing to provide transparent information about data processing activities.
The breaches were discovered after customers reported that they’d received unsolicited phone calls and encountered deficient or inaccurate privacy policies.
They also said that they had been denied the option of exercising their data subject rights, such as accessing the information that Edison Energia stored on them and objecting to the way personal information was processed.
The complaints led to an investigation by Italy’s data protection authority, the Garante, and the subsequent issuing of a fine.
What rules were broken?
Perhaps the most egregious breach that Edison Energia committed was using customers’ personal data without their consent to conduct promotional campaigns.
This violates Article 5 of the GDPR, which states that personal information must only be collected for “specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
Additionally, Edison Energia was using contact lists acquired from third parties, which means some people were phoned despite never having previously interacted with the organisation.
In another consent violation, the organisation breached Article 7 of the GDPR by bundling consent requests for users registering an account online or on its MyEdison app. Customers were told they could only create an account if they also agreed to be sent marketing material.
Elsewhere, the energy firm violated Article 12 by failing to inform customers of how their information would be used. It also failed to provide direct and simple mechanisms that would enable customers to exercise their data subject rights, such as the right to access and to object to processing.
Additionally, as customers warned, Edison Energia failed to complete some of the processing activities described in its privacy notice.
As a result of these failures, the Garante hit Edison Energia with a €4.9 million fine. Although the penalty falls some way short of the maximum threshold for fines, it’s one of the largest penalties we’ve seen in the past year, underscoring the scale of compliance failures.
In addition to the financial penalty, Edison Energia has been ordered to improve its compliance practices. This includes an immediate ban on promotional activities using contact lists from third parties, as well as the removal of personal data that was collected without an appropriate lawful basis.