The Garante has fined energy company Iren Mercato 3 million euros over EU General Data Protection Regulation violations related to unlawful data processing in its telemarketing.

Under GDPR, consent must be acquired for each passage of data between muiltiple owners. Although consent may have initially been issued by a customer to a company for third party promotional activities, it cannot extend its effectiveness to subsequent transfers to further owners. 

Following numerous complaints and reports, the Italian DPA discovered that Iren Mercato had processed personal data for telemarketing activities which it had acquired from other sources and not collected directly. 

”In fact, Iren had obtained lists of personal data from an Srl, which in turn had acquired them, as an independent data controller, from two other companies. These latter companies had obtained the consent of potential customers for telemarketing carried out both by them and by third parties, but this consent did not also cover the passage of customer data from the Srl to Iren,” the Italian DPA explained. 

Subsequently, the Guarante has imposede a fine of approximately 3 million euros for not verifying that all passages of the data of the recipients of promotions were covered by consent.


Missed PrivSec Global’s livestream experience? No problem, simply click here to access the sessions on demand.