Hera Comm S.p.A.: Non-compliance with general data processing principles

The Italian DPA has imposed a fine of EUR 5 million on Hera Comm S.p.A. The investigation was launched following numerous complaints. The energy supplier had failed to take adequate protective measures, allowing door-to-door agents to unlawfully conclude electricity and gas contracts in the name of unsuspecting customers. Many data subjects only discovered the activation of new contracts when they received bills or notifications, despite never having given their consent. The door-to-door agents involved had collected customer information, for example by photographing ID documents, and unlawfully used it to conclude contracts with fake signatures. During its investigation, the DPA found that the company had failed to implement adequate technical and organizational measures to prevent the unlawful use of customer data by door-to-door agents. Additionally, the DPA found that the controller failed to respond to data subject rights requests in a timely manner.

GDPR Articles: Art. 5 (1) a), b), d), e), f) GDPR, Art. 5 (2) GDPR, Art. 12 (3) GDPR, Art. 15 GDPR, Art. 24 GDPR, Art. 28 GDPR, Art. 32 GDPR
Industry: Transportation and Energy