Italy

Enel Energia S.p.A.

563,052 €

GDPR enforcement action by Italian Data Protection Authority (Garante) on 2026-03-12.

Rank · Sector

#37

of 165 in Transportation and Energy

Rank · Italy

#41

of 543

Rank · All fines

#225

of 3,039

Case details

Authority: Italian Data Protection Authority (Garante)
Date: 2026-03-12
Controller / Processor: Enel Energia S.p.A.
Sector: Transportation and Energy
Quoted Articles: Art. 5 GDPR, Art. 6 GDPR, Art. 7 GDPR, Art. 24 GDPR, Art. 28 GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Italian DPA has imposed a fine of EUR 563,052 on Enel Energia S.p.A. The controller had been active in direct marketing activities and failed to implement a system that would allow them to ensure there was a sufficient legal basis for contacting data subjects. Specifically, the system worked in such a way that so-called management or welcome calls were used for advertising purposes, which were not covered by the legal basis. Additionally, the controller used an opt-out mechanism to recontact data subjects. This was not sufficient because the system failed to ensure that the contact data had been entered by the data subject. Lastly, the DPA found that the controller had failed to adequately supervise external data processors.

Open original source Links to the regulator's original publication or another source.