Italian energy company Enel Energia has been fined 26.5 million euros by the Italian privacy regulator for violating the GDPR. According to the Garante per la protezione dei dati personali (GPDP), the energy company unlawfully processed the personal data of millions of people for marketing purposes. The GPDP launched an investigation into Enel Energia after it received hundreds of complaints about unwanted marketing calls. Initially, the energy company did not respond to questions from the Italian privacy regulator, which already put it in violation of the GDPR. Several violations of the principles in Article 5 of the GDPR were also identified, including lawfulness, fairness and transparency in data processing, as well as purpose limitation and data minimisation. Furthermore, Enel Energia had not obtained consumer consent for the marketing calls and the processing of their data. In addition to the fine, the company must take various technical and organizational measures to comply with national and European privacy legislation. For example, consumers should be able to object to the processing of their data for promotional purposes.