The introduction of the GDPR marked a step change in sanctions for breach of data protection laws, particularly the introduction of turnover-based fines. This partly reflects its role in protecting data protection rights in accordance with Article 8 of the EU Charter of Fundamental Rights.

However, the fact the GDPR is underpinned by the fundamental right to data protection does not displace the need for supervisory authorities to enforce the regulation fairly and to comply with national procedural rules. Indeed, the GDPR guarantees the availability of an effective judicial remedy against binding decisions by supervisory authorities; a right also supported by the fundamental rights to good administration and a fair trial in the EU Charter.

These issues are being tested in many Member States and Italy is no exception. In particular, the Italian courts annulled the fine issued to Enel Energia (“Enel”) almost a year ago. It has now published its judgment (No 9551/2022). We look at the reasons for the decision.

A 27m Euro fine for marketing breaches

The Italian supervisory authority (“Garante”) started its investigation into Enel’s marketing activities back in 2018 after complaints about the use of unsolicited direct marketing phone calls.

It entered into a series of exchanges with Enel over the next couple of years, principally through requests for information and responses from Enel; with the Garante typically taking over six months to issue further requests in response to Enel’s replies. For example, the Garante issued a fourth request on 10 July 2020, to which Enel responded, following which the Garante sent another request on 24 December 2020, to which Enel responded on 14 January 2021.

Only on 14 May 2021 did the Garante inform Enel of the commencement of proceedings. Those proceedings resulted in a fine of EUR 26,513,977 issued by way of final decision number 443 of 16 December 2021. Enel appealed against that fine to the Court of Rome.

Need to comply with procedural rules

The general Italian rules on procedures in administrative proceedings (Italian Law No 241/1990) impose 30-day time-limits for their conclusion.

However, the regulations also allow enforcement authorities to vary this rule. The Garante issued Regulation No 2/2019, concerning the identification of terms and organisational units responsible for the administrative procedures (the “Enforcement Regulation”). The Enforcement Regulation (see table B, section 2) gives the Garante a time-limit of 120 days (for Italian entities), and 360 days (for foreign entities) from establishing the violation, for the notification of the same in accordance with Article 166 (5) of the Italian Privacy Code.

The Court of Rome stressed the need for compliance with this procedural time limit, in line with the principle of certainty of the timeframe within which the authority must initiate and conclude proceedings. This is a core requirement for the respect of the right of defence and of the rule of law.

The Court also decided that the dies a quo (relevant day) from which the 120/360-day period begins is determined not by the moment in which the Garante becomes aware of the hypothetically sanctionable conduct but rather the point at which it acquires full knowledge of the unlawful conduct.

That generally means the date on which the Garante either receives the last response to its requests for information (as providing the factual basis upon which the enforcement action was brought) or, in the event of silence, from the expiry of the deadline on the data controller or data processor to respond.

Here, the Court of Rome concluded that the 120-day deadline ran from the final reply and therefore the Garante was out of time when it informed Enel it was commencing proceedings on 14 May 2021. The Court therefore annulled the Garante’s order.

Conclusions

This judgment is significant. It is the first time that a fine from Garante under the GDPR has been annulled by a Court. It also imposes significant procedural constraints on the Garante, imposing a strict obligation to comply with its own time limits.

More generally, it illustrates the fact that the great enforcement powers given to supervisory authorities under the GDPR come with great responsibilities. Given the significance of the sanctions for infringement of the GDPR, controllers and processors have a right to expect they are only imposed following a fair process, in line with any national procedural obligations.