Hera Comm S.p.A. – €5,000,000 Fine (Italy, 2024)

The DPA received several complaints from data subjects concerning a major Italian energy provider. They argued that they received some documents from the controller concerning the activation of an energy supply contract even if they had never had any contact with the controller or expressed their willingness to enter in such a contract. Furthermore, some data subjects complained that they exercised their Chapter III GDPR rights but obtained no answer from the controller. Therefore, the DPA opened an investigation, which showed that the controller outsourced their door-to-door advertising activities to several companies, that had been appointed as processors. When a data subject accepted to enter into the energy supply contract, the contract was hand signed by the data subject and a copy of their ID card was acquired by the processor. The investigation further showed that some employees of the processors forged the signatures of data subjects. The controller implemented some practices to monitor the processors’ compliance with its internal regulation. More specifically, after the processor uploaded the contract in the appropriate online platform the controller called the data subject’s number to ask if they had the real intention of entering in the contract (“check call”). Moreover, the controller also sent a “welcome letter” to the address provided in the contract. However, if the data subject did not answer the phone, only in very few cases the consequence was that the contract was then discarded. Moreover, as for data retention, the controller pointed out that data are kept for 10 years and that it does not have any other further policy since it would be too expensive and complex to implement it. Finally, concerning the choice of the processors, the controller said that it had not conducted any audit on how they operate. On the processors First, the DPA noted that the processing at hand had been carried out by some processors. The DPA found that these processi