Signore XX (the data subject) – €1,000,000 Fine (Italy, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Areti spa, an electricity distributor in Italy, mistakenly labeled a customer as insolvent, preventing them from switching suppliers. This error affected over 47,000 potential customers due to outdated and inaccurate data being shared with the insolvency registry. The Italian data protection authority fined Areti spa EUR 1,000,000 for these violations.
What happened
Areti spa incorrectly marked a customer as insolvent, sharing this wrong information with the insolvency registry.
Who was affected
Customers of Areti spa who were wrongly classified as insolvent and could not switch electricity suppliers.
What the authority found
The Italian DPA ruled that Areti spa violated GDPR by processing inaccurate and outdated data, affecting customers' ability to change suppliers.
Why this matters
This case highlights the importance of maintaining accurate customer data and the potential consequences of data errors. Companies should ensure their data systems are aligned and regularly updated to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
Areti spa, a company that distributes electricity in the Italian capital (the controller), accidentally classified a customer (the data subject) as insolvent. As would become clear later, this inaccurate profile was shared with the insolvency registry. The data subject was consequently unable to switch to another supplier and thus lost any potential savings. The data subject lodged a complaint with the DPA on 6 March 2021.
The DPA's investigation revealed that it was impossible for the user to change supplier as a result of the processing of inaccurate and outdated data. Due to a misalignment of the controller’s internal systems, incorrect information regarding customer accounts (in particular, customers with ongoing arrears) was communicated to the Integrated Information System (IIS), the database consulted by suppliers before signing a new contract. Incoming suppliers were able to assess the convenience of acquiring a new customer in the free market by consulting the IIS, which included information provided by the controller. However, from December 2016 until January 2022, the methods used by the controller to extract information from its own systems had, due to a series of technical and application errors, resulted in a number of data subjects being declared insolvent. As a consequence, on the basis of this inaccurate information, the incoming sellers had denied over 47,767 potential customers.
In its decision, the Italian DPA found that the incorrect use of the query for the extraction of delinquency data for the period between December 2016 and 4 January 2022 constituted a violation of Article 5(1)(d) GDPR. In addition, the DPA also contested the controller's inadequate data retention time (breach of Article 5(1)(e) GDPR); the migration of inaccurate data within its systems (breach of Article 5(1)(d) GDPR); and the inadequate response to access requests filed by the data subject, in vio
Details
Fine Date: 24 November 2022
Authority: Garante per la protezione dei dati personali
Fine Amount: €1,000,000
GDPRhub ID: gdprhub-5682
About this data
Cite as: Cookie Fines. Signore XX (the data subject) - Italy (2022). Retrieved from cookiefines.eu