Italian Data Protection Authority Fines Acea Energia €2 Million Over Unauthorized Energy Contracts

Key Takeaways

• €2 Million Penalty: Italy’s data protection authority fined Acea Energia €2 million after finding serious violations in how the company handled the personal data of more than 1,200 electricity and gas customers.
• Contracts Activated Without Knowledge: Customers reported learning they had been signed up for energy supply contracts only after receiving activation confirmations or payment reminders.
• Third-Party Sales Oversight Failures: The violations were tied to door-to-door sales agents working for companies contracted by Acea to acquire customers.
• Fraud Risks in Data Collection: Agents could collect personal data using mobile devices, including photographing documents, and in some cases contracts were activated using falsified signatures.

Deep Dive

Italy’s data protection authority has fined energy supplier Acea Energia €2 million after an investigation found that contracts for electricity and gas services were activated without customers’ knowledge, following failures in how the company and its sales partners handled personal data.

The case centers on complaints from individuals who said they discovered they had become Acea customers only after receiving letters confirming that energy services had been activated or reminders to pay bills. According to the Italian Data Protection Authority, many of those individuals said they had never spoken with the company, either in person or remotely.

The violations involved the personal data of more than 1,200 people in Italy’s electricity and gas market, and the investigation began after the regulator received multiple complaints alleging that personal data had been used to activate contracts that customers never knowingly agreed to.

In several cases, individuals said the first indication that something was wrong came when Acea contacted them to confirm the start of an energy supply relationship. Others raised concerns about delays or failures when they attempted to exercise their rights under privacy law.

Those complaints prompted on-site inspections that examined how Acea and its partners were collecting and using personal data as part of customer acquisition campaigns.

Door-to-Door Sales Network Under Scrutiny

Regulators found that the activities at the center of the complaints were carried out by third-party companies hired by Acea Energia to recruit new customers through door-to-door sales.

According to the authority, Acea did not sufficiently supervise those partners or ensure safeguards were in place to prevent the misuse of personal documents collected during sales interactions.

Agents were able to gather personal information using mobile devices, including by taking photographs of identity documents. Investigators said that data could then be used to activate energy supply contracts without the customer’s knowledge, sometimes accompanied by falsified signatures.

The regulator also identified weaknesses in Acea’s recall monitoring system, which was intended to confirm that customers had genuinely agreed to sign a contract.

Instead, the system failed to reliably verify whether individuals had actually authorized the activation of their energy supply services.

Orders to Strengthen Oversight

Alongside the €2 million fine, the Italian Data Protection Authority has ordered Acea Energia to adopt a series of corrective measures aimed at tightening its oversight of customer acquisition practices.

Those measures include introducing alerts to monitor agents’ compliance with contractual procedures, carrying out periodic checks on the accuracy of collected information, and defining clear retention periods for customer data.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.