Hera Comm S.p.A. – €5,000,000 Fine (Italy, 2024)

€5,000,000Garante per la protezione dei dati personali17 July 2024Italy
final
ePrivacy
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The Italian DPA has imposed a fine of EUR 5 million on Hera Comm S.p.A. The investigation was launched following numerous complaints. The energy supplier had failed to take adequate protective measures, allowing door-to-door agents to unlawfully conclude electricity and gas contracts in the name of unsuspecting customers. Many data subjects only discovered the activation of new contracts when they received bills or notifications, despite never having given their consent. The door-to-door agents involved had collected customer information, for example by photographing ID documents, and unlawfully used it to conclude contracts with fake signatures. During its investigation, the DPA found that the company had failed to implement adequate technical and organizational measures to prevent the unlawful use of customer data by door-to-door agents. Additionally, the DPA found that the controller failed to respond to data subject rights requests in a timely manner.

GDPR Articles Cited

AI-verified

Art. 15 GDPR
Art. 24 GDPR
Art. 32 GDPR
Art. 5(2) GDPR
Art. 12(3) GDPR
Art. 28(1) GDPR
View original scraped data
Art. 5(2) GDPR
Art. 12(3) GDPR
Art. 15 GDPR
Art. 24 GDPR
Art. 28(1) GDPR
Art. 32 GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
scope corrected
Italy enforcementGarante per la protezione dei dati personali actionsAll Hera Comm S.p.A. actions
Full Legal Summary

The Italian DPA has imposed a fine of EUR 5 million on Hera Comm S.p.A. The investigation was launched following numerous complaints. The energy supplier had failed to take adequate protective measures, allowing door-to-door agents to unlawfully conclude electricity and gas contracts in the name of unsuspecting customers. Many data subjects only discovered the activation of new contracts when they received bills or notifications, despite never having given their consent. The door-to-door agents involved had collected customer information, for example by photographing ID documents, and unlawfully used it to conclude contracts with fake signatures. During its investigation, the DPA found that the company had failed to implement adequate technical and organizational measures to prevent the unlawful use of customer data by door-to-door agents. Additionally, the DPA found that the controller failed to respond to data subject rights requests in a timely manner.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Hera Comm S.p.A. in IT

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

Ramona Films, S.L.

2022 · Agencia Española de Protección de Datos

€8K

CNIL

2019 · Court of Justice of the European Union

Minister for Legal Protection

2022 · DPA RbOverijssel

Details

Fine Date

17 July 2024

Authority

Garante per la protezione dei dati personali

Fine Amount

€5,000,000

Enforcement Tracker ID

ETid-2535

GDPRhub ID

gdprhub-8295

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Hera Comm S.p.A. - Italy (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: