


Unsolicited contracts and forged signatures: million-dollar fine by the Italian DPA


published on 24 September 2024 | reading time approx. 4 minutes


With decision No. 440 dated July 17th, 2024 the Italian Data Protection Authority (“Garante per la Protezione dei Dati Personali” or “Garante”) has once again targeted the energy sector, following the multi-million euro fine imposed on Eni Plenitude S.p.A. last June.

This confirms the Authority's increasing scrutiny of operators in industries with high volumes of commercial interactions with end consumers and highlights the need for these operators to pay close attention to their overall compliance with the current data protection regulations.

Another company operating in the field of electricity and gas supply (the “Company”) was targeted by the Garante and ended up with a EUR 5 million fine for significant violations and shortcomings in its commercial management system, particularly concerning its door-to-door sales channel.

The decision of the Italian DPA originated from several complaints by individuals who had received contractual documentation for energy services they had never requested, signed by the Company's agents using forged signatures. The affected customers reported that they had never had any contact with the energy operator, either in person or through other channels. In some cases, alongside the supply of electricity or gas, the data subjects were also the recipients of insurance policies activated without their knowledge.

Following the investigation, the Garante criticised the inadequacy of the internal controls over the agencies and agents acting as data processors under Article 28 of Regulation (EU) 2016/679 (the “GDPR”). The Authority remarked on the inappropriateness of the overall process for verifying, via quality calls, customers’ willingness to enter into a contract. Not only were there no measures in place to block the contracting process when customers turned out to be unreachable, but the process was also disconnected from the system for monitoring and verifying the agencies' activities, making it totally ineffective in identifying irregularities and enabling the Company to take appropriate remedial action.

Additionally, the agencies were not subject to regular audits or even random checks to verify their compliance with privacy regulations and the legitimacy of the contracts activated. Likewise, the Authority challenged the lack of specific initiatives aimed at providing appropriate data protection training to agencies and individual agents.

A further critical issue raised by the Garante concerned the process by which agents collected customers' ID documents, which were essential for the conclusion of the agreements, an activity often carried out using the agents' personal mobile devices. Indeed, this practice, expressly contemplated and endorsed by the sales process guidelines provided to agents by the Company, entails a high risk of improper use of the information thus collected.

The Authority also identified specific violations regarding:
  • the methods and retention periods for customer data, highlighting the lack of a data retention policy within the CRM system to be decommissioned, as well as inaccuracies and gaps in the policies implemented in the new CRM system; 
  • the management of data subjects’ requests to exercise their rights, which resulted in inadequate and delayed responses.

Following the initiation of the sanctioning procedure, the Company informed the Authority that it had implemented a series of corrective measures aimed at addressing the identified issues and improving its compliance level. Such measures included strengthening controls over the quality of contracts executed by agencies, revising the agencies' training and monitoring process, as well as introducing a dedicated app for collecting customers’ signatures and documents.

Despite these efforts, the Italian DPA ruled that some of the proposed measures were inadequate and ordered the data controller to implement further measures to prevent the discovered violations from continuing. The Authority emphasized the severity of such violations, which affected fundamental data processing principles, notably those of lawfulness, fairness, transparency, accuracy, and accountability, and determined that there were sufficient grounds to impose a EUR 5 million administrative fine.

The present case serves as a clear warning to all organizations that rely on indirect sales networks and process large volumes of consumers' personal data: only strict oversight of the supply chain and effective internal governance can ensure adequate protection of personal data and prevent violations that could harm both corporate reputation and, more importantly, data subjects' rights.

From a different perspective, this decision also provides a valuable tool for companies, as it outlines a series of clear and reasoned guidelines for implementing technical and organizational measures during customer contracting operations to ensure compliance with current data protection regulations. 

 DATA PROTECTION BITES


Author: Nicola Sandon, Avvocato (lawyer), Senior Associate
