Outsourcing does not exempt a company from its data protection obligations under the GDPR.
Can a company be held liable for promotional phone calls made by external agencies? According to the Italian Data Protection Authority (“Garante per la protezione dei dati personali”, GPDP), the answer is yes. The recent decision concerning Energia Pulita S.r.l., fined €300,000 for violating the European General Data Protection Regulation (GDPR), demonstrates that aggressive telemarketing practices, even when outsourced, may expose the data controller to significant legal risk [Decision of the GPDP No. 114 of February 27, 2025]. Unlawful calls to individuals listed in the Public Opt-Out Register (“Registro Pubblico delle Opposizioni”, RPO), vague consent mechanisms, and poor oversight of third-party sales channels all point to a marketing strategy incompatible with GDPR requirements. Outsourcing alone is not a shield from liability.
In November 2024, the GPDP initiated an administrative investigation into Energia Pulita S.r.l., a company operating in the electricity and gas supply sector, after receiving 82 complaints from individuals who reported unsolicited promotional calls. An additional 20 reports were filed during the investigation.
The calls followed a consistent pattern: they originated from numbers not registered with the Italian Communications Operators Registry (ROC), were not preceded by comprehensive privacy notices, and, in many instances, were made to individuals listed in the Public Opt-Out Register, which allows individuals to block unsolicited marketing calls. Some agents even impersonated other companies or misrepresented facts, such as fictitious price increases or mandatory switches to new providers.
Energia Pulita responded by stating that none of the contacts under investigation resulted in a signed contract and that, apart from a few cases (primarily involving one of the appointed agencies, RG Group S.r.l.), the calls had not been made through its official sales network. The company also claimed it had begun aligning its operations with the Telemarketing Code of Conduct as early as November 2023, introducing oversight and traceability measures in 2024.
However, the investigation revealed that many of the promotional calls could be traced back to third parties engaged by Energia Pulita or its sub-agents, operating through telephone-based sales channels. Particularly relevant was the use of a “virtual sales outbound” model: a two-step process in which a prospect is first contacted by phone and then guided to sign a contract through a digital platform using OTPs and electronic signatures. Despite its digital appearance, the phone call remains the central touchpoint.
The Authority found that between January and February 2024, Energia Pulita contacted 2,327 phone numbers, 157 of which were listed in the RPO. Additionally, the company admitted to acquiring leads from online rate-comparison platforms that collected user data via ambiguous forms with vague, bundled consents (referred to in Italy as “omnibus consents”) for the disclosure of personal data to third parties, including for telemarketing purposes.
This data supply chain—spanning call centers, sales agencies, web portals, and CRM systems—resulted in a patchwork of data processing operations with insufficient scrutiny of the applicable legal bases, in a regulatory environment where telemarketing is subject to strict requirements.
According to the GPDP, the method of finalizing a sale is irrelevant. If the initial contact with a prospect is made by phone and that contact serves a promotional or commercial purpose, the activity qualifies as telemarketing or telesales. Article 2 of the applicable Italian Code of Conduct makes this clear, and the decision confirms it: even the “virtual sales outbound” model—where contracts are signed online—is still subject to telemarketing rules.
Most notably, once a person has registered with the RPO, any promotional call is prohibited unless a valid, specific consent has been given after that registration. In this case, 157 RPO-listed individuals were still contacted. Furthermore, the GPDP found that the consents obtained through the third-party platforms from which Energia Pulita received its leads did not meet GDPR requirements. (In this context, “leads” refers to potential customers: individuals who filled out online forms providing their name, phone number, email address and, at least in theory, consent to be contacted with commercial offers. Leads are the fuel of telemarketing: the more leads a company receives, the more numbers it can call. But this is precisely where the problem lies.)
The privacy disclosures were vague, the consents were bundled and lacked granularity, and the forms did not allow users to select preferred communication channels, types of recipient entities, or product categories. This type of “blanket consent” fails to satisfy the standards set out in Articles 4(11), 6, and 7 of the GDPR and Article 130 of the Italian Privacy Code, and it cannot override RPO registration. As such, the data processing was deemed unlawful from the outset.
More importantly, the GPDP emphasized that it is not sufficient for a data controller to claim ignorance about how data was collected. Under Article 24 of the GDPR, the controller has an obligation of accountability and must be able to demonstrate that the processing is lawful. Where third parties are involved, the controller is required to carefully select trustworthy processors (culpa in eligendo) and to monitor their activities on an ongoing basis (culpa in vigilando), as mandated by Articles 28 and 32 of the GDPR. According to the decision, Energia Pulita did neither.
According to the GPDP, the issues at Energia Pulita go beyond invalid consent collection. The decision centers on the company’s failure to effectively monitor its sales network and implement adequate safeguards to prevent unauthorized calls from resulting in valid contracts.
The GPDP noted that privacy compliance efforts came too late. While Energia Pulita acquired the business unit of Green Network in January 2023, meaningful compliance actions only began in late 2023 and early 2024—too late for a company already active in the market with an established agency network.
Moreover, the internal systems lacked effective intake checks on promotional contacts. There was no “blocking mechanism” in place to prevent contracts originating from non-compliant calls. This, the GPDP found, contributed to the contamination of the company’s CRM database with data from opaque, sometimes unlawful, sources.
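The intake check the Authority found missing can be made concrete. The following is an added illustration, not code from the decision or from any of the companies named: a gate that admits a lead to the dialler only if its consent is specific (channel, purpose and named recipient), preceded by a notice, and, for RPO-listed numbers, dated after the opt-out registration. The register entries, controller name and lead records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample of an opt-out register lookup: number -> date the
# subscriber registered in the RPO. Hypothetical data, not from the decision.
RPO_REGISTRATIONS = {
    "+39 000 0001": date(2023, 6, 1),
    "+39 000 0002": date(2024, 1, 15),
}

@dataclass(frozen=True)
class Consent:
    given_on: date
    channels: frozenset      # channels the user ticked, e.g. {"phone"}
    purposes: frozenset      # product/purpose categories, e.g. {"energy_offers"}
    recipients: frozenset    # controllers named in the form, not "third parties" at large
    notice_shown: bool       # a complete privacy notice preceded the form

@dataclass(frozen=True)
class Lead:
    phone: str
    consent: Optional[Consent]

def rejection_reason(lead: Lead, controller: str = "ACME_ENERGY",
                     rpo: dict = RPO_REGISTRATIONS) -> Optional[str]:
    """Return why a lead must not be dialled, or None if it may be."""
    c = lead.consent
    if c is None:
        return "no consent on record"
    if not c.notice_shown:
        return "no privacy notice before consent"
    # An "omnibus" consent that does not name the channel, the purpose and
    # the recipient is not specific enough to rely on.
    if ("phone" not in c.channels or "energy_offers" not in c.purposes
            or controller not in c.recipients):
        return "consent not specific (channel, purpose or recipient missing)"
    opted_out = rpo.get(lead.phone)
    if opted_out is not None and c.given_on <= opted_out:
        return "number in RPO and consent predates the registration"
    return None

def intake_gate(leads: list) -> tuple:
    """Split a batch into numbers that may be dialled and blocked numbers with the reason.
    Blocked numbers never reach the dialler or CRM, so no contract can originate from them."""
    allowed, blocked = [], {}
    for lead in leads:
        reason = rejection_reason(lead)
        if reason:
            blocked[lead.phone] = reason
        else:
            allowed.append(lead.phone)
    return allowed, blocked
```

Run against a real deployment, the register lookup would be the operator's RPO query and the rejection reasons would be logged per lead, giving the controller the evidence of lawful processing that Article 24 requires it to be able to produce.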
From an organizational perspective, the selection and oversight of external partners and processors (including sub-agencies) were also insufficient. Article 28 of the GDPR imposes clear obligations in this regard, but many of the entities involved in the unlawful calls had a direct or indirect relationship with Energia Pulita. Mere contractual clauses and occasional reports were not enough—what was lacking was genuine, ongoing supervision.
Rather than pointing to a single incident, the GPDP found a systemic failure in the company’s marketing practices: a reliance on sophisticated technological tools but without adequate legal foundations. This decision sends a clear warning to all companies that outsource their sales functions: formal controls are meaningless if, in practice, they are not enforced.
It is precisely this structural weakness that led the GPDP to issue not only corrective measures but also a substantial administrative fine.
At the conclusion of the proceedings, the GPDP imposed an administrative fine of €300,000 on Energia Pulita S.r.l. While not the maximum permitted under the law, it was still a significant penalty—one that underscores the principles of effectiveness, proportionality, and dissuasiveness required by Article 83 of the GDPR.
The maximum fine for companies like Energia Pulita is set at €20 million or, where higher, 4% of the company’s total global turnover from the previous financial year. Starting from this benchmark, the Authority applied a reduction but still imposed a fine that reflected the severity and duration of the violations.
Factors that weighed heavily in the decision included the number of individuals affected, the systemic nature of the violations, the inadequacy of the company’s control mechanisms, and the fact that, despite certain recent corrective measures, the remedial actions taken were not considered sufficient to ensure future compliance. The GPDP also ordered the publication of the decision on its official website pursuant to Article 166 of the Italian Privacy Code, reinforcing the decision’s deterrent effect.
A crucial note: while the Authority acknowledged some cooperation from Energia Pulita, this did not offset the delays and structural shortcomings. Pursuant to Article 166(8) of the Italian Privacy Code, the company now has 30 days to pay half the fine, thereby resolving the matter. However, for a company named “Pulita” (which translates to “clean”), the reputational damage may prove even more costly.
For those interested in reviewing the full decision, it is available in Italian on the official website of the Italian Data Protection Authority [Decision No. 114, dated February 27, 2025].
Avvocato Arlo Canella