Acea Energia SPA – €3,000,000 Fine (Italy, 2025)
Acea Energia S.p.A. was fined €3,000,000 for using a sub-contractor that engaged in illegal marketing practices without proper consent. This matters because it shows that companies are responsible for the actions of their partners and must ensure they follow the law.
What happened
Acea Energia S.p.A. relied on a sub-contractor that contacted people without their consent and misled them about billing issues.
Who was affected
People who were contacted by the sub-contractor for marketing purposes without their consent.
What the authority found
The Italian data protection authority ruled that Acea Energia S.p.A. failed to ensure its sub-contractor complied with legal requirements, violating data protection rules.
Why this matters
This case highlights the importance of companies ensuring their partners follow data protection laws. Businesses should carefully vet their service providers to avoid legal issues.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
National Law Articles
Energy provider Acea Energia S.p.A. (the controller) relied on a number of processors and sub-processors for marketing purposes. In particular, the controller relied on a one-person company called Stefanelli Federica (the processor), which in turn relied on sub-processor MG Company. The controller concluded a DPA with the processor. However, the processor did not conclude a DPA with the sub-processor. Additionally, the sub-processor was not registered as a marketing operator, in violation of Italian national law.
The sub-processor engaged in a long list of illegal practices such as contacting prospects without their consent, lying to prospects about (non-existing) billing issues, and eluding telemarketing laws under the pretence that it engaged in door-to-door marketing rather than telemarketing. Over one and a half years, the sub-processor concluded about 30.000 contracts and earned the processor about €2,000,000 in commissions.
In 2024 a popular TV show aired a report on the sub-processor’s marketing practices. The authors of the show also reported their findings to the Italian DPA. In turn, the DPA opened a joint investigation with the financial police.
The controller claimed that it was unaware of the sub-processor's involvement in its telemarketing activities and blamed the processor for engaging with the sub-processor without the controller’s knowledge. The DPA rejected the argument. The controller was responsible for appointing a reliable processor, and for watching over the compliance of the data processing chain. The controller clearly failed to do so in the case at hand. The appointed processor was a one-person business with no registered employees and could not possibly have concluded tens of thousands of contracts on behalf of the controller. So, the DPA held that the controller knew or should have known that the marketing involved unauthorized personnel. For this reason, the DPA held the controller responsible for several GDPR violations, including vi
Related Enforcement Actions (0)
No other enforcement actions found for Acea Energia SPA in IT
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
10 April 2025
Authority
Garante per la protezione dei dati personali
Fine Amount
€3,000,000
GDPRhub ID
gdprhub-9203
Cite as: Cookie Fines. Acea Energia SPA - Italy (2025). Retrieved from cookiefines.eu