On September 13, 2024, the Italian data protection authority (Garante) published in its newsletter no. 527 its decision no. 440, as issued on July 17, 2024, in which it imposed a fine of €5 million on HERA COMM S.p.A. following violations of the General Data Protection Regulation (GDPR).

Background to the decision

The investigation was carried out by the Garante after receiving several requests concerning HERA COMM's processing of inaccurate and outdated personal data of customers. The complainants claimed that they had only learned of a supply relationship they had with HERA COMM following the delivery of contract documents with false signatures or communications on updating the activation status of the supply of energy despite not having had any contact with HERA COMM personally through door-to-door agents or remotely. Additionally, some complaints concerned HERA COMM's late response to data subject rights requests.

Findings of the Garante

Following its investigation, the Garante determined that HERA COMM had violated Articles 5(1)(a)-(f), 5(2), 12(3), 15, 24, 28, and 32 of the GDPR by:

• unlawfully processing data as part of their customer acquisition system over the span of approximately two years; and

• not adopting adequate technical and organizational measures to prevent the illicit use of customer personal data by door-to-door agents who used details in identification documents to active supply contracts without customer knowledge.

Outcomes

As a result of the above, the Garante imposed a fine of €5 million on HERA COMM. Additionally, HERA COMM must take a series of corrective measures, including:

• carrying out checks and periodic audits to evaluate the work of agents; and

• identifying adequate retention periods for customer data.

You can read the newsletter here and the decision here, both only available in Italian.