Rome, March 10 – Acea Energia SpA has been hit with a €2 million fine by the Italian Privacy Guarantor for significant breaches in the handling of personal data concerning more than 1,200 customers. The violations primarily involved the unauthorized activation of electricity and gas supply contracts.
Privacy Guarantor’s Investigation Reveals Widespread Issues
The Authority’s intervention followed numerous complaints from customers who reported discovering active energy supply contracts with Acea Energia without their consent. Many complainants stated they had no prior contact with the company, learning about the contracts only upon receiving activation notices or payment reminders. Some also highlighted Acea’s delayed or non-existent responses to requests regarding their privacy rights.
The investigation, which included on-site inspections, revealed that the data processing issues stemmed from the activities of third-party companies commissioned by Acea Energia to acquire new customers. Crucially, the Guarantor found that Acea Energia failed to exercise adequate oversight over these companies.
Inadequate Safeguards Against Fraudulent Practices
The inquiry confirmed that Acea Energia had not implemented sufficient technical and organizational measures to prevent potential fraudulent use of documents obtained by door-to-door agents or company partners. These agents were able to gain access to customers’ personal details, often by taking photos of identification documents using mobile devices, and subsequently activate supply contracts without the customers’ knowledge, sometimes even forging signatures.
Furthermore, the monitoring system, which relied on callbacks to verify customers’ actual intent to sign a contract, was deemed inadequate. The Guarantor concluded that these systemic failures led to widespread privacy violations and the unauthorized activation of services.
Measures Imposed by the Privacy Guarantor
As a result of its findings, the Privacy Guarantor has ordered Acea Energia to implement several corrective measures. These include:
- The introduction of alerts to monitor agents’ compliance with contractual procedures.
- Regular checks to ensure the accuracy of acquired customer information.
- The establishment of specific data retention periods for customer data.
These measures aim to enhance data protection and prevent similar incidents from occurring in the future.
Acea Energia’s Response: Commitment to Customer Protection and Enhanced Controls
In response to the sanction, Acea Energia acknowledged the findings but emphasized its commitment to customer protection and the strengthening of its control mechanisms. The company stated that the Guarantor’s decision recognized Acea Energia’s active cooperation throughout the entire investigation, including the provision of comprehensive documentation and clarification of the processes involved.
Acea Energia also highlighted that it had already initiated significant corrective actions independently, even before the conclusion of the proceedings. These proactive measures included the implementation of stricter controls, verification processes, and blocking mechanisms, as well as a more rigorous management approach for its commercial agencies.
The company further assured that it would complete the additional measures requested by the Guarantor within the stipulated deadlines, noting that many of these are already in an advanced stage of implementation as part of a control reinforcement plan introduced several months ago.
This case underscores the critical importance of robust data protection practices and vigilant oversight of third-party agents, particularly in sectors involving personal data and contractual agreements.
