The energy operator Hera Comm SpA in Italy has been fined €5m ($5.5m) for unsolicited contacts using inaccurate and outdated customer data. The company was found to be processing the personal data of over 2,300 customers connected to the supply of electricity and gas.
Garante per la protezione dei dati personali, the Italian Data Protection Authority, said the violations were serious, and contravened multiple articles of EU GDPR.
The investigation into Hera Comm started after the authority received multiple requests regarding the company’s way of processing incorrect and old personal customer information.
According to the complainants, the so-called customers only found out that they had a relationship with Hera Comm based on documents with false signatures or through communications to update the energy supply – even though they had not had any contact with the company directly or through door-to-door agents.
Some complaints also concerned late responses to data inquiries.
False signatures on insurance policies
Garante later found out that the company had failed to devise proper technical and organizational measures to prevent the illicit use of customer data by door-to-door agents. In some cases, agents were also found starting insurance policies – which were also signed with faulty signatures. The monitoring system to verify ‘the actual will’ of customers was also found insufficient.
Besides the €5m fine, Hera Comm has also been ordered to take additional corrective measures, including:
- carrying out checks and recurring audits to evaluate the work of agents; and
- identifying proper retention periods for customer data, distinguished by category and processing purpose.
GDPR violations
According to Garante, Hera Comm violated EU GDPR Articles 5(1)(a)-(f), 5(2), 12(3), 15, 24, 28, and 32 by:
- unlawfully processing data as part of its customer acquisition system for approximately two years; and
- not setting proper technical and organizational measures to prevent the illicit use of customer personal data by door-to-door agents who used information in identification documents to activate supply contracts without the customers' knowledge.