Italy
Hera Comm S.p.A.
GDPR enforcement action by Italian Data Protection Authority (Garante) on 2024-07-17.
Case details
- Authority
- Italian Data Protection Authority (Garante)
- Date
- 2024-07-17
- Controller / Processor
- Hera Comm S.p.A.
- Sector
- Transportation and Energy
- Quoted Articles
- Art. 5 (1) a), b), d), e), f) GDPR, Art. 5 (2) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR, Art. 24 GDPR, Art. 28 GDPR, Art. 32 GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The Italian DPA has imposed a fine of EUR 5 million on Hera Comm S.p.A. The investigation was launched following numerous complaints. The energy supplier had failed to take adequate protective measures, allowing door-to-door agents to unlawfully conclude electricity and gas contracts in the name of unsuspecting customers.
Many data subjects only discovered the activation of new contracts when they received bills or notifications, despite never having given their consent. The door-to-door agents involved had collected customer information, for example by photographing ID documents, and unlawfully used it to conclude contracts with fake signatures.
During its investigation, the DPA found that the company had failed to implement adequate technical and organizational measures to prevent the unlawful use of customer data by door-to-door agents. Additionally, the DPA found that the controller failed to respond to data subject rights requests in a timely manner.
Related fines