Garante per la protezione dei dati personali (Italy) - 10053211

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(2) GDPR
Article 12(3) GDPR
Article 15 GDPR
Article 24 GDPR
Article 28(1) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 17.07.2024
Published:
Fine: 5,000,000 EUR
Parties: Hera Comm S.p.A.
National Case Number/Name: 10053211
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: Garante per la protezione dei dati personali (in IT)
Initial Contributor: fb

The DPA fined an energy provider €5,000,000 after it failed to implement adequate measures to ensure that the processors it was using were complying with the GDPR.

English Summary

Facts

The DPA received several complaints from data subjects concerning a major Italian energy provider. They stated that they had received documents from the controller concerning the activation of an energy supply contract even though they had never had any contact with the controller or expressed any wish to enter into such a contract. In some cases, the contract bore a forged signature purporting to be theirs.

Furthermore, some data subjects complained that they exercised their Chapter III GDPR rights but obtained no answer from the controller.

Therefore, the DPA opened an investigation, which showed that the controller outsourced its door-to-door sales activities to several companies, which had been appointed as processors. When a data subject agreed to enter into the energy supply contract, the contract was signed by hand by the data subject and a copy of their ID card was acquired by the processor.

The controller implemented some practices to monitor the processors’ compliance with its internal rules. More specifically, after the processor uploaded the contract to the appropriate online platform, the controller called the data subject’s number to ask whether they genuinely intended to enter into the contract (“check call”). Moreover, the controller also sent a “welcome letter” to the address provided in the contract.

However, if the data subject did not answer the phone, the contract was discarded only in very limited cases.

Moreover, as for data retention, the controller pointed out that data are kept for 10 years and that it has no further retention policy, since it would be too expensive and complex to implement one.

Finally, concerning the choice of the processors, the controller said that it had not conducted any audit on how they operate.

Holding

First, the DPA noted that the processing at hand had been carried out by several processors. The DPA found that these processing activities had been carried out in violation of the instructions given by the controller. These activities included, for example, activating energy supply contracts for unaware data subjects.

On this point, the DPA pointed out that, even though the controller did not operate this processing on its own, it is still accountable for the violations under Article 5(2) GDPR.

Moreover, the DPA noted that the controller did not implement appropriate measures to ensure that its processors were complying with the GDPR. The DPA found these measures ineffective and inadequate. This inadequacy allowed some employees of the processors to operate in violation of the GDPR.

More specifically, the DPA focused on the fact that the internal instructions did not specify how personal data was to be collected in a door-to-door situation, allowing processors to collect it also on paper and to take a picture of the data subject’s ID card.

According to the DPA, this led to the usage of the ID card to activate further contracts without data subjects’ consent.

In addition, the DPA found the “check call” and “welcome letter” measures not sufficient. The DPA noted that, in most cases, none of these measures actually prevented the contract from being further executed (e.g. activating the energy supply, sending invoices to the data subject).

As for the check call, the DPA held that the controller would need to call the data subject and, if they do not answer the call, immediately stop any further implementation of the contract.

As for the welcome letter, the DPA noted that it is sent to the address collected by the processor. The DPA found this measure useless: if the processor counterfeits the contract and enters a fake address, the letter will be sent to that address and the data subject will never actually learn of the contract (or be able to object to it).

Therefore, the DPA found violations of Articles 5(1)(a), 5(1)(d), 5(1)(f), 5(2), 24 and 32 GDPR.

Furthermore, the DPA noted that the controller, pursuant to Article 28(1) GDPR, was under an obligation to use only processors providing sufficient guarantees to implement measures in order to comply with the GDPR. The DPA pointed out that this is an ongoing obligation that requires recurrent audits of the processor. Since the controller did not carry out any, the DPA found a violation of Article 28(1) GDPR.

Finally, the DPA held that the controller violated Article 15 GDPR in combination with Article 12(3) GDPR, since it had replied late to data subjects’ access requests.

On these grounds, the DPA issued a fine of €5,000,000.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO: Newsletter of September 13, 2024

[web doc. no. 10053211]

Measure of July 17, 2024

Register of measures
no. 440 of July 17, 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Councilor Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “Regulation”);

HAVING SEEN Legislative Decree no. 196 of June 30, 2003 (Personal Data Protection Code, hereinafter “Code”) as amended by Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679”;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

1. The complaints received.

This Authority has received several requests concerning the processing of inaccurate and outdated personal data of customers, carried out by Hera Comm S.p.A. (hereinafter also “Company”), through door-to-door agents, in the context of the supply of electricity and gas, through the conclusion of unsolicited contracts in the free market.

In particular, the complainants complained that they learned of the establishment of the supply relationship only after Hera Comm S.p.A. delivered contractual documentation bearing a false signature or received communications aimed at updating the activation status of energy supplies, claiming that they had never had any contact, either personal or remote, with the aforementioned Company.

The simultaneous activation, by Hera Comm S.p.A., of insurance policies, also bearing a false signature, related to the aforementioned supply contracts was also reported.

The requests sent to the Authority also highlighted the significant difficulties and inconveniences endured by the aforementioned customers due to the unsolicited activations suffered. First of all, those relating to the need to have access to the contractual documentation (often repeatedly requested from Hera Comm S.p.A.), as well as those relating to the time lost and costs incurred (both in relation to the higher tariffs incurred and in relation to the need to appoint a lawyer) to initiate the administrative and judicial actions provided for by law to protect the consumer (such as, for example, the submission of requests for access to the contractual documentation; the forwarding of complaints to the supplier; the initiation of the restoration procedure at the Regulatory Authority for Energy, Networks and the Environment; actions related to the cancellation of activated insurance policies; the possible submission of a criminal complaint; etc.).

Some complaints have also been submitted against the same Company regarding incorrect and/or late response to requests to exercise rights made pursuant to Articles 15-22 of the Regulation.

2. The preliminary investigation.

The Authority, by virtue of the multiple requests submitted, decided to proceed with the merger of the individual proceedings referred to above, in order to carry out a comprehensive examination of the issues underlying them.

Therefore, as part of the aforementioned investigation, some on-site inspections were carried out at the Company, specifically on 17, 18 and 19 April 2023.
Subsequently, further elements were also acquired based on the supplementary documentation, sent by Hera Comm S.p.A. on 19 May 2023, to resolve the reservations formulated during the inspection activity, as well as in response to the note sent by the Company on 10 November 2023, in response to a request for information from the Authority dated 23 October 2023.

During the proceedings, in relation to the profiles highlighted in the introduction, the following emerged.

2.1. The processing of customers' personal data through door-to-door agents.

Hera Comm S.p.A. is a company that operates, at a national level, in the sector of sales to end customers of electricity and gas. “The number of individual customers in the free market, as of 12/31/2022, is equal to 769,662 for the energy sector and 944,956 for the gas sector” (see minutes of 17 April 2023, page 3).

Customer contractualization activities are carried out through “various channels such as: teleselling; door-to-door agencies; “inbound” channel (call center); web-based contractualization; Hera Comm counters (physical points managed by the Company’s employees); Hera Comm points (stores managed by agencies in the area)”. In particular, “sales through door-to-door channels and (..) Hera Comm Points are carried out through the use of agencies. The latter “are designated as processors pursuant to art. 28 of the Regulation” and, for each activity carried out (door-to-door agent or Hera Comm Point), “sign a specific contract” (see minutes of 17 April 2023, pages 3-4).

More specifically, the agencies “operate, by means of an agency mandate, as multi-mandate agents with exclusivity for the sale of electricity and gas services”, while the Hera Comm Points “are sales points opened in territories of commercial expansion, the management of which is usually entrusted to the same agency that commercially oversees [the aforementioned perimeter]” and “deal with the acquisition of new customers; provide after-sales support for customers (..); guarantee a permanent presence in the territory” (see note of 19 May 2023, Annex 3, page 3).

For the purposes of managing the data of the customers thus acquired, the Company uses two CRM systems, based on the Siebel and Salesforce platforms respectively. In this regard, it was specified that the Siebel CRM “is being replaced starting from June 2022” through a “migration [of the customer data contained therein] to the different Salesforce system [recently implemented]. The customer data of some regions (Marche and Abruzzo) are entirely on Salesforce, while for the remaining customers, Salesforce is used in the proposal entry phase until its validation; the information relating to the subsequent phases (precheck, switching, etc.) is entered into the Siebel system” (see minutes of 17 April 2023, page 6).

The Company “has established the rules that the [door-to-door] agents must adhere to when signing the contractual proposals, which are specified in the agency contract, in the attachment called “Sales Manual” (..). The agents use exclusively paper contractual forms, which the customer signs with an autograph signature. The agent also acquires a copy of the identity document and, in some cases, a copy of the latest bill (possibly via photo with the agent's mobile phone). The agent then brings the contract to the agency, which, via the back-office function, scans the document and uploads the data into the system [Customer Relationship Management - hereinafter "CRM"], attaching the scanned copy. The paper document is then sent by courier to the Company. The data is uploaded into a verticalization of the CRM (..), used for the data entry function (see minutes of 17 April 2023, page 4).

The "contractual proposal uploaded by the agency into the CRM is first subjected to a validation process that is divided into two phases:

document control: aimed at verifying the completeness and congruity of the contractual data entered by the agencies. This process, carried out by Hera Comm personnel or external companies, provides that, if the regularity checks have a negative outcome, the contract is returned to the agency for specific checks. If the outcome is positive, the process moves to the second phase” (see minutes of 17 April 2023, page 4);

quality call [hereinafter also “check call”]: Hera Comm S.p.A “will make, with reference to all the proposals received, a confirmation call to the telephone number present in the same. The Company will make a maximum of 15 contact attempts, over the course of a few days” (see minutes of 17 April 2023, pages 4-5). If the interested party does not respond to the aforementioned confirmation call (so-called untraceable result or Not found of the quality call), the contractualization process continues anyway, with reference to the contractual proposals procured by agencies, with a "high quality score (i.e. higher than 88% of check calls completed with a positive outcome, in the previous month)"; in such cases, "the contractualization process therefore continues and the customer receives text messages/emails on the progress of the practice". Otherwise, if the agency that collected the contractual proposal does not reach the rating percentage indicated above, and is therefore subjected to so-called "Active monitoring", the untraceable result of the check call blocks the aforementioned process. It was clarified in this regard that the “rating for Agency/Agent, [is] given by the ratio between positive Quality calls (i.e. the number of quality calls that resulted in the confirmation of the contract by the customer) compared to the total Quality calls that were successful (i.e. the number of quality calls that received a response from the customer, regardless of whether or not the contract was confirmed) for the same Agency/Agent” (see note of 19 May 2023, Annex 3, paragraph 6.3). It was also specified that the rating of the agencies aimed at defining the score mentioned above “does not take into account any subsequent reports or complaints or the actual activation of the supply” (see minutes of 17 April 2023, page 5).

The Company, following a positive outcome of the quality call and before switching, “sends a welcome letter to the physical address or email provided by the agent, at the time of signing the proposal. The transmission of the aforementioned letter/email does not include tracking systems aimed at providing confirmation of delivery or receipt of the same. Following this sending, switching activities are started and concluded on average within 45 days of the welcome letter. During this period, information relating to the progress of the practice is communicated to the customer via SMS/email”. After switching, “the company does not carry out further checks on the regularity of the contractualization (e.g. [further] quality call)” (see minutes of 17 April 2023, page 5).

With regard to the procedures adopted by the Company to verify the accuracy of the personal data contained in the contractual proposals procured by the agencies, the latter "has set up the CRM so that contractual proposals are not accepted in which a telephone number or an email already present in 5 personal data sheets appear".

It was also represented that "the Company does not carry out further checks" that would generate alerts sensitive to various procedural anomalies, such as, for example, the discrepancy between the supply address and the customer's contact address; the inaccuracy or incompleteness of the contractual data acquired; the uploading to the system of multiple contract proposals in the name of the same subject; the excessive and unusual number of contracts stipulated by each agent; etc. (see minutes of 17 April 2023, page 9 and Annex 6).

With reference instead to the checks regarding the accuracy of the personal data of the customers contained in the contracts that are the subject of a complaint for unsolicited activation, the Company has implemented a procedure called “Non-compliance management procedure”.

According to the same, Hera Comm S.p.A., where it highlights a serious imperfection in the acquisition of the contract, records a “Non-Compliance” against the agency which may also lead to the application of penalties (see minutes of 18 April 2023, Annex 11; note of 19 May 2023, Annexes 2 and 3). On this point, during the investigations, it was specifically pointed out that, in the case of a “complaint for unsolicited activation, with disavowal of the signature, the Company sends a certified email to the agency to request the removal of the agent who followed the signing of the proposal, and applies the reversal of the commission and possibly further sanctions provided for in the contract. If the number of complaints regarding the signed contracts exceeds a certain threshold [in this case 5% of Non-conformities recorded in the previous quarter], the contract with the agency is terminated”. Furthermore, “the Company does not carry out checks on other and additional contractual proposals stipulated by the same agent regarding which a complaint has been submitted for the activation of an unsolicited contract, aimed at checking the correct acquisition of the customer's adhesion to the formulated proposal” (minutes of 17 April 2023, page 7 and Annex 2; see also minutes of 18 April 2023, pages 2-3).

More generally, with regard to the methods of verifying the quality of the customer contracting process through door-to-door agencies, the Company intended to point out that, following the investigation activity of the Guarantor, in “September 2023 the ‘Sales Support & Control’ office was established which (…) has the objective of designing and implementing an ‘Internal Control System’ designed to measure and contribute to improving the quality of sales” (see note of 10 November 2023, pages 3 and 4).

The inspections, including access to the Company’s systems, then revealed that the contracts relating to the complainants were procured by MAS S.r.l. and NTS Group S.r.l., agencies with respect to which the highest incidence of cases of “Non-Compliance” was found (see minutes of 18 April 2023, Annex 7), and that, with respect to the same, Hera Comm S.p.A. was found to have activated unsolicited contracts (see minutes of 17 April 2023, pages 6 and 8).

Lastly, it was also highlighted that, “with reference to the data of customers with respect to which a contract for unsolicited activation was accepted, no methods of limiting the processing are envisaged in order to guarantee the segregation of the aforementioned data with respect to those processed in the context of ordinary customer management activities”. In any case, “in the event of unsolicited activation, privacy consents are revoked directly by the Company, upon receipt of the customer complaint, and changed to “NO consent” in the CRM” (minutes of 17 April 2023, page 7).

With regard to the retention times of customers’ personal data, Hera Comm S.p.A. represented, with reference to the Siebel system, that “specific retention techniques have not been included in consideration of the complexity and cost associated with this implementation”, while, with regard to the Salesforce platform, it provided a document called “Hera BBP migration and archiving”.

In particular, with specific regard to customer data for which a complaint for unsolicited activation was accepted, the same specified that “they are retained in the CRM for 10 years from the termination of the contract, since the Company does not have a specific data retention policy in relation to this type of information” (see minutes of 17 April 2023, page 7 and minutes of 18 April 2023, Annex 3; see also note of 19 May 2023, Annex 7).

Finally, with regard to the measures adopted by Hera Comm S.p.A. in order to verify the work of the agencies as data processors pursuant to art. 28 of the Regulation, the Company declared that “no audit activity [in terms of personal data protection] is carried out on the work of [them]” (see minutes of 17 April 2023, page 9; see also note of 19 May 2023, Annex 3, par. 6.1).

At the same time, Hera Comm S.p.A. represented “the intention to start an audit activity by administering a checklist on privacy compliance (..) towards the agencies, using the “privacy compliance checklist for external data processors already prepared” (minutes of 18 April 2023, page 3).

Likewise, with regard to the training activities of agencies and individual agents, the Company has declared that these are “focused [exclusively] on the sales process” and that “specific training on personal data protection is not provided” (see minutes of 17 April 2023, page 9; see minutes of 18 April 2023, Annex 6; see note of 19 May 2023, Annex 1).

2.2. Complaints regarding the exercise of the rights of the interested party.

The Guarantor has also received two complaints, regarding the exercise of rights, concerning the incorrect and/or late response, by Hera Comm S.p.A., to the requests for access to its data submitted, pursuant to art. 15 of the Regulation, respectively on 16 November 2022 and 3 January 2023.

In general terms, from the checks carried out, it emerged first of all that the Company, in order to fulfill the obligations pursuant to art. 12 of the Regulation, has adopted a specific procedure (see minutes of 18 April 2023, Annex 15, paragraphs 5.2 and 5.4) aimed at defining the management methods of "all types of complaints/requests for information received (..) both through the Customer Value Management structure and through the DPO Office".

Complaints are entered into a system called S.Co.Re. and are "managed, as a rule, within 30 days on the basis of company policy; specifically, with reference to privacy complaints, it is expected that they must be processed within 30 calendar days" (see minutes of 18 April 2023, page 5).

Furthermore, with specific regard to the aforementioned complaints received by the Authority, the following was ascertained:

the request for access pursuant to art. 15 of the Regulation submitted on 16 November 2022 was simultaneously sent to Hera Comm S.p.A., the data controller, and to Covisian S.p.A., the company appointed to operate, as data processor, on behalf of the aforementioned data controller, pursuant to a specific contract signed pursuant to art. 28 of the Regulation. Covisian S.p.A., with communications dated 22 November and 16 December 2022, in compliance with the instructions provided by the data controller, represented the need, advanced by the latter, to avail of the extension of the deadline provided for by art. 12, par. 3 of the Regulation. The response to the interested party's requests was therefore provided by Hera Comm S.p.A. on 16 January 2023. In the aforementioned response note, the role of data processor pursuant to art. 28 of the Regulation entrusted to Covisian S.p.A. was confirmed and, with respect to the specific request for access to the data, it was stated "that this is common data, i.e. identification data (name, surname, tax code/VAT number), contact details (landline/mobile telephone number, email, certified email, fax), address of residence/domicile" (see response note of 16 January 2023, page 1). Lastly, in the context of the on-site accesses, “it was not possible to view the complaint in the [S.Co.Re.] system, as (..) it was directly managed by the DPO Office which provided the relevant feedback regarding the exercise of rights, via Hera Comm PEC, on 16 January 2023” (see minutes of 18 April 2023, page 6);

the request for access, submitted on 3 January 2023, was made in order to “know all the personal information processed by Hera Comm, as well as, more specifically, the data (including their origin) used for the scoring relating to the credit reliability of the interested party in response to the request for activation of a gas and electricity supply”. With respect to the same, Hera Comm S.p.A., initially, did not provide any feedback. Following a request from the complainant (see complaint request dated 1 March 2023, Annex 4), on 21 March 2023, the Company responded by sending only “a copy of the privacy information including the privacy information pursuant to Articles 13 and 14 of EU Regulation no. 2016/679 and Article 6 of the Code of Conduct for information systems managed by private entities in the field of consumer credit, reliability and punctuality in payments” (see note from the complainant dated 22 March 2023, Annex 1). During the on-site visits, it emerged that the interested party’s request “was not present within S.Co.Re., but was displayed in the Siebel CRM”. In this regard, the Company has in fact specified that "when the complaint was registered due to a technical problem, the order line that would have allowed the passage to S.Co.Re. was not created. The responsible function (Customer value management) has in any case provided feedback (...), from the address comunicazioni.crm@gruppohera.it, on 21 March 2023; all this following the periodic consistency checks of what is present on Siebel carried out to recover the practices not uploaded to S.Co.Re. due to occasional misalignments between the systems" (see minutes of 18 April 2023, page 7).

3. Notification of violations and defense briefs.

With communication dated 14 December 2023, the Office, on the basis of the documentation in the files and the elements acquired during the investigation, notified Hera Comm S.p.A. of the initiation of the procedure for the adoption of the provisions referred to in Articles 58, paragraph 2, and 83, of the Regulation in relation to the violation of Article 5, paragraph 1, letters a), b), d), e) and f), and paragraph 2; of Article 12, paragraph 3; of Article 15; of Article 24; of Article 28 and of Article 32 of the Regulation; this in accordance with the provisions of Article 166, paragraph 5, of the Code.

In this regard, the Company, with a communication dated 26 January 2024, sent its defensive documents, further integrated at the hearing of 12 March 2024 and through a note dated 22 March 2024, representing, among other things, at that time that, with regard to the late response provided to the request to exercise rights dated 3 January 2023, the same was due to "a technical glitch in the systems that prevented the passage of the complaint on the Score platform, responsible for managing this type of request".

It also highlighted that "it is the rule that the Company provides the response to the requests referred to in art. 15 of the Regulation by indicating in a timely manner all the data relating to the interested party that are subject to processing and not only the categories of data processed". Therefore, “the two requests [to exercise rights], represented as discrepancies, constitute a truly small number compared to the total number of cases managed” (see note of 26 January 2024, pages 7-8).

It also highlighted that it promptly took action, following the inspections of the Guarantor and the notification of the violation transmitted by the same, by adopting the following measures:

a) in relation to the methods of acquiring a copy of the customer's identity document, it evaluated the development of “an app that manages the acquisition of the image of the documentation and sending it to a company storage, without the image being saved on the agent's device”. In the instructions dedicated to the door-to-door channel, it was also expressly provided that, "in the phase of acquiring a copy of the valid identity document of the customer and any delegate, provided with a specific delegation, if the agent were to proceed with photographic acquisition, given the impossibility of proceeding otherwise, he/she must proceed with the immediate deletion of the related images from the mobile devices once the sending to Hera Comm or the insertion into the information system of the same has been completed" (see note of 26 January 2024, page 8);

b) in relation to the instructions to be given to the data processors pursuant to art. 28 of the Regulation, the Company, from December 2023, has introduced a new set of forms relating to the contractual relationship with the agencies, containing updates and additions to the instructions provided to the agents which also include "specific focus on the protection of personal data". These are distinguished in relation to each sales channel and are "collected in the Sales Manual, attached to the contract". The review activity in question was also aimed at "setting up a more incisive and effective internal control system; (..) updating the sanctioning system envisaged, also in light of the case law of the Guarantor; providing for evaluation processes of agencies and sub-agencies (..) that take into particular consideration the profiles inherent to the processing of personal data; providing for contractual measures for the control of the chain of sub-agencies, in particular with regard to the processing of personal data" (see note of 26 January 2024, pages 18-20);

c) with reference to the training of agencies, a system has been implemented that provides for the provision of "initial training at the time of starting a new agency relationship, [as well as] periodic training sessions, delivered and reported at least annually". Furthermore, “with regard to agencies for which a contractual relationship is already in place, starting from January 2024, training sessions dedicated to the legislation on the protection of personal data are planned, with a specific focus on the operating instructions provided for agencies”. With regard to the training provided by the agencies, it is planned that this will be “carried out using the training material provided by Hera Comm” which can be consulted in a specifically dedicated area on the Company’s systems and that the agency must “document the training carried out through attendance registers signed by participants and teachers”. Furthermore, Hera Comm S.p.A. “will verify that the agencies (at least one user per agency) download the training materials by creating a specific report” (see note of 26 January 2024, pages 20-21);

d) with reference to the transmission of the welcome letter, “Hera Comm, with a view to improving processes and greater caution towards customers, has decided to implement [probably by March 2024] a tracking system aimed at providing confirmation of the delivery and receipt of welcome letters”. The system provides in detail:

in the event of sending by email or with an OTP flow with a negative outcome, sending the same on paper to the address defined in the contractual phase or, also to the supply address, if different from the first;

in the event of sending by paper method with a negative delivery outcome, sending a notification via email/sms containing the notice of non-delivery of the documentation. If the customer's email/sms contact details are not present, an investigative agency will carry out, on behalf of Hera Comm S.p.A., a search for the address of residence/registered office resulting from the consultation of public databases. “If the search is successful, Hera Comm will correct the customer’s personal details and will resend the paper package, using the new address”. If this last shipment continues to have a negative outcome, the management of the case will be entrusted to a second-level structure (see note of 26 January 2024, pages 9-10);

e) regarding the so-called Active Monitoring system of agencies, this has been subjected to a review process, at the end of which, starting from 1 December 2023, the following evaluation parameters have been introduced:

the “percentage of calls that have not been answered (so-called not found, i.e. without contact with the customer)”. The Company has established that all agents who have a number of not found calls (i.e. unreachable) exceeding a certain threshold (initially set at 80% and, from March 2024, at 50%) are directly subjected to Active Monitoring. Consequently, the Company “has increased the cases in which the quality call becomes blocking (…), further raising the rating levels below which an agent is placed under Active Monitoring as well as extending Active Monitoring to those agents/agencies for which events considered potentially indicative of improper conduct have been found”;

“the acquisition of reports or complaints regarding a false signature, extorted will or unsolicited contract, against an agent which, following the investigation, prove to be well-founded”. Hera Comm S.p.A. has established that these circumstances are in themselves sufficient to cause the agent to be subjected to “Active Monitoring” (see note dated 26 January 2024, pages 11, 24 and 25; see also note dated 22 March 2024, page 3);

f) in order to verify the agents' work, Hera Comm S.p.A. has made operational a "control and monitoring system aimed at verifying that the agencies and sales personnel act in compliance with the new instructions" provided. For this purpose, since September 2023, the "Sales Support & Control office" has been established with the task of "designing and implementing a second-level Internal Control System aimed at measuring and contributing to the improvement of the quality [of the agencies' work]". This activity is structured, among other things, on the use of a tool, called "Dashboard", aimed at "collecting, starting from the company databases, KPIs [i.e.] useful indicators both for quality control and for the prevention and detection of fraud".

Furthermore, the Company, “with the aim of having all non-conformities detected with respect to the individual agent tracked in the system” to be taken into consideration “in order to apply the sanctions envisaged and to decide whether to subject the agent to active monitoring or whether to activate further controls”, has implemented a tracking process on Salesforce. The same concerns “the results of the privacy check in terms of contact methods (compliant/non-compliant) and methods of concluding the contract (compliant/non-compliant)”, as well as “all non-conformities, including those detected during the quality call”. Finally, “the period for opening the quality calls has been shortened, from 50 to 30 days, with the aim of being able to extract the list of non-conformities with a shorter frequency” (see note of 26 January 2024, pages 11, 26 and 27);

g) in relation to the adoption of alert systems aimed at detecting procedural anomalies attributable to agents and agencies, Hera Comm S.p.A. has implemented the IT tool called Dashboard (see above, letter f) of this decision) "which allows for a variety of [modular] analyses of the data relating to the sales of the Agencies"; this is done for each anomaly detected, "based on the hierarchical level and based on predetermined time intervals". The main anomaly indicators currently present in the Dashboard are:

the percentage of quality calls closed with a KO outcome on the total number of calls answered;

the percentage of quality calls closed without a response from the customer compared to the total number of calls activated;

the number of contracts stipulated for each Agent;

the percentage of Value Added Services sold compared to the total number of supply contracts acquired for each Agency;

the percentage of non-compliance in a six-month period compared to the total number of contracts acquired in a given period;

the number of contracts for which the customer has exercised the right to reconsider;

the uploading into the system of multiple contract proposals in the name of the same subject;

the number of contracts that show a discrepancy between the supply address and the contact address.

The identification of the aforementioned anomaly indicators is however the subject of “continuous analysis and continuous refinements” by the Company. More specifically, for each newly implemented indicator, “a series of values are collected which are then evaluated in order to define the threshold within which the value appears congruent/average and beyond which appropriate in-depth analyses must be carried out”.

Lastly, in relation to the implementation of anomaly alerts regarding the inaccuracy or incompleteness of the contractual data acquired by the agencies, Hera Comm S.p.A. stated that “subsequent to the uploading of the contract by the agency, [the Company] – through the Sales Support & Control structure – verifies (…) all the documentation that the agents must attach and that what is uploaded to the company information systems is compliant with what is present in the request for contractual activation”; this with particular reference to the customer data, to the verification of the identity document attached to the proposal, as well as to the signature placed by the customer in the contractual forms (see note of 26 January 2024, pages 13-16 and supplementary note of 22 March 2024);

h) regarding data retention and data segregation measures, the Company represented that, with regard to the processing of information "of the interested parties with respect to whom a complaint for unsolicited activation has been accepted, data retention has been determined at ten years, starting from the closure of the complaint". In this regard, it has also been "provided that such data will remain on the system for the first two years, after which they will be archived in Azure - therefore on a separate and different system - where they will remain available for any consultation needs until the expiry of the aforementioned ten-year term" (see note of 26 January 2024, pages 21-22);

i) again with reference to the measures for segregating the personal information of the interested parties for whom a complaint for unsolicited activation must be accepted, Hera Comm S.p.A. intends to apply “processing limitation methods in order to guarantee the segregation [of the aforementioned data] (…) with respect to those processed in the context of ordinary customer management activities. In particular, the Company has defined that the processing limitation must be applied on the systems by limiting the processing of data (in terms of access and visibility) to a selected group of persons in charge, based on the specific role they play in managing practices relating to unsolicited activations”. With respect to these measures, some “feasibility assessments are underway, also in terms of technical solutions and implementation times” (see note of 26 January 2024, pages 21-22);

j) in order to carry out checks and/or further investigations into the accuracy of the personal data acquired with reference to other contracts stipulated by the agents with respect to which irregularities had been highlighted, regardless of the presentation of a complaint by the interested parties, the Company has represented its intention to “adopt, within the first half of 2024, the following measures against the agents for whom serious non-conformities have been detected:

with regard to the so-called in-flight contracts, for which the quality call activity has not yet been started, the contracts will be subjected to a blocking quality call;

with regard to the contracts already active, however, the Company will carry out random checks regarding the presence of any further reports or complaints” (see note of 26 January 2024, page 16);

k) with regard to the procedures concerning quality calls, Hera Comm S.p.A. has implemented the following measures to facilitate their finalization:

sending e-mails/text messages to all customers, recipients of the aforementioned calls, containing the notice "that the Company is attempting to contact them to assess the quality of the contract, (...) inviting them to respond or, if unable to do so, to call back [Hera Comm S.p.A.] through a dedicated toll-free number";

the introduction of a single telephone number for making quality calls, "callable by customers who, by doing so, can contact the call center dedicated to the activity again and proceed to the conclusion of the quality call during the recontact phase";

the provision of the "possibility of carrying out contractual quality verification activities also at the Hera Comm branches" (see note 26 January 2024, pages 23-24);

l) the Company has finally represented the intention to create, "within the first half of 2024, (..), within the personal area accessible from the Online Services and the APP, a portal dedicated to order confirmation and closing of the quality call, which the customer can access independently through a link that he will receive via SMS", as well as to insert "in the script of the quality call dedicated to the indirect physical network channel (Door to door Agency, Retail Agent, Master Dealer and HC Point) the so-called privacy check step". This step consists of a series of questions asked by the operator to the customer in order to verify the legitimacy or otherwise of the contact methods or the conclusion of the contract. The customer, at this stage, also has the possibility of confirming, through the so-called regularization procedure, his willingness to contract even if non-compliance by the agent has emerged (see note of 26 January 2024, pages 23-26).

4. The outcome of the investigation.

First of all, it is noted that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code "False declarations to the Guarantor and interruption of the execution of the duties or exercise of the powers of the Guarantor".

Having duly stated this, in light of the elements acquired during the proceeding as well as the subsequent assessments carried out by this Office, also with regard to the additional elements received after the aforementioned inspection activity, the following has been ascertained.

4.1. The unlawfulness of the processing of customers' personal data through door-to-door agents and complaints regarding unsolicited activations.

With regard to complaints regarding unsolicited activations, it emerged that the processing at issue was carried out by Hera Comm S.p.A., in its capacity as data controller, through certain door-to-door agencies designated as processors pursuant to art. 28 of the Regulation.

All this took place during the period in which the aforementioned agencies operated in order to procure potential customers on behalf of the Company. On the basis of the documentation on file, this period runs from 1 January 2021 to 30 April 2023 (see minutes of 18 April 2023, Annex 7 and note of 10 November 2023, page 2 and Annex 1).

The conduct in question, owing to the organizational and management methods in place within the new customer acquisition system implemented by Hera Comm S.p.A. (explained in more detail below), resulted in processing of the personal data of complainants and other potential customers that does not comply with the regulations in force, as it is contrary to the general principles of processing pursuant to art. 5 of the Regulation.

All this with particular reference to the specific methods implemented by some agents when acquiring contractual proposals through the processing of inaccurate and outdated customer data.

The investigation also highlighted that, although the processing that was the subject of the complaint was carried out by processors pursuant to art. 28 of the Regulation who operated, as agents, in violation of the instructions given by the controller (see minutes of 17, 18 and 19 April 2023), the technical and organizational measures adopted by Hera Comm S.p.A., in the context of customer acquisition processes via the door-to-door agency channel, were not adequate to the nature, context, purposes and risks of the aforementioned processing, constituting a violation of the principles of "accountability" and "integrity and confidentiality" (art. 5, par. 1, letter f) and par. 2, art. 24 and art. 32 of the Regulation).

On this point, it is indeed appropriate to note that, pursuant to the aforementioned principle of accountability, the controller is the entity to which "general responsibility" is attributed for the processing that it has carried out directly or that others have carried out on its behalf, thus placing on it the burden of implementing an organizational and management system characterized by real and effective data protection measures that are also verifiable (see recital 74 and articles 5, paragraph 2 and 24 of the Regulation); this not only through the correct and timely fulfilment of the obligations imposed by data protection legislation (information notice, register of processing activities, appointment of the data protection officer where mandatory, impact assessment where necessary, etc.), but above all through the implementation of procedures and organizational practices aimed at conforming the related processing to the same Regulation (e.g. processing mapping processes; rules for the attribution of responsibilities; staff training programs; procedures for verifying the work of the processors designated pursuant to art. 28; provision of internal and external audits on a periodic basis; etc.; see Article 29 Working Party, WP 173 of 13 July 2010 - Opinion 3/2010 on the principle of accountability, pages 11-12).

In the specific energy and gas sector, moreover, the Guarantor has already expressed itself, since December 2019, regarding the organizational and management methods that a data controller, operating as an energy supplier in the free market, must implement, when acquiring new customers, to guarantee and be able to demonstrate that the processing is carried out in compliance with the Regulation (see provision of 11 December 2019, web doc. no. 9244358; but see also, more recently, provision of 28 September 2023, web doc. no. 9940988 and provision of 12 October 2023, web doc. no. 9965217).

These decisions, although addressed to specific operators, contain indications of general scope in relation to the technical and organizational measures that an energy supplier is required to adopt, during the contractualization operations of its customers, in order to guarantee the accuracy of the personal data processed by the processors appointed pursuant to art. 28 of the Regulation and to verify compliance with the instructions given to them.

From the findings that emerged during the on-site inspections, as well as from the examination of the documentation in the files, however, several shortcomings were highlighted in the privacy policies implemented by Hera Comm S.p.A. in the sector under consideration; policies that appeared to be lacking and ineffective, especially in terms of guaranteeing the accuracy of the data processed, the security of the processing and the control of the actions of the persons authorized for this purpose.

The inadequacy and incompleteness of these procedural methods have allowed some subjects (specifically the agents) to operate in violation of the instructions given by the controller, with repercussions on the lawfulness of the related processing, in particular in terms of its fairness and the quality of the data processed.

This is clearly evident from the procedures for verifying the work of the agencies designated as processors, implemented by Hera Comm S.p.A., as detailed in the terms that follow.

4.2. The inadequacy of the technical and organizational measures adopted by the Company in the context of customer contracting activities.

First of all, it emerged that the collection of personal data of potential customers, by door-to-door agents, is carried out on the basis of instructions provided by Hera Comm S.p.A. to its agents in the "Sales Manual" attached to the agency contract (see minutes of 17 April 2023, Annex 2).

On this point, the Company stated that the aforementioned collection takes place exclusively through the use of paper contractual forms to which a copy of the customer's identity document must be attached. The aforementioned document can be acquired, via the agent's personal mobile device, also via a photographic image (see minutes of 17 April 2023, page 4).

In this regard, it should be noted that the instructions given by the Company with the aforementioned Manual do not contain detailed indications on the paper methods of collecting the personal data of potential customers, nor specific instructions on the procedures for verifying their identity, leaving the agent with excessive margins of discretion regarding the tools to be used for this purpose.

This deficiency means that the agent can acquire − as also declared by the Company during inspections (see minutes of 17 April 2023, page 4) − a copy of the customers' identification document, also via a photographic image, taken with their personal mobile device.

However, the aforementioned procedure does not appear to be suitable given the measures that the controller must adopt to ensure that the processing complies with the principle of integrity and confidentiality (art. 5, par. 1, letter f) and art. 32 of the Regulation). In fact, it is not able to ensure that the personal data in question is only transmitted to the Company's systems and that, after such transmission, it is immediately deleted from the agent's device.

All this entails the risk that the aforementioned documentation remains in the full availability of the agent and that it is therefore used by the latter inappropriately for the future activation of further unsolicited contracts.

By contrast, providing agents with specific equipment that allows them to directly upload customer data to the Company's CRM (such as tablets or mobile applications to be used exclusively for the acquisition of contractual proposals or, at least, for the phase of collecting a copy of the customer's identity document) would allow the controller to have greater certainty about the security of the processing carried out by agents on behalf of Hera Comm S.p.A.

With reference to this issue, it is noted that Hera Comm S.p.A. has implemented, following the notification of violation, a mobile application (hereinafter "App") aimed at acquiring the image contained in the customer's identification document; the App sends the image to the Company's systems without saving it on the agent's devices (see paragraph 3, letter a) of this decision).

In this regard, however, it is noted that, in order to prevent illicit use of the App by agents (also possibly through any sub-agents), it appears necessary to adopt a series of additional measures, such as the provision that the App in question can be downloaded exclusively from official stores, that it can only be installed on the device uniquely associated with the agent (for example by sending a confirmation PIN), and that it can only be used through one device at a time.

Beyond the implementation of the aforementioned technical measures, the Company is in any case required to carry out periodic checks aimed at monitoring any anomalous use of the App (e.g. excessive uploads by some agents compared to the average; use of the App at unconventional times; simultaneous access from the same account; etc.).

It is also noted that, on this point, some additional critical issues still remain, given the clarification provided by Hera Comm S.p.A. in its defence documents concerning the specific instructions given by the Company regarding the door-to-door channel (see note of January 26, 2024, page 8). These instructions, in fact, continue to provide that the agent, if unable to use the aforementioned App, can still acquire a copy of the identity document via his own device.

Indeed, these instructions, in the above-updated formulation, do not yet appear to be in line with what is required of the controller by Articles 5, paragraph 1, letter f) and 32 of the Regulation, considering that, although they establish that the agent, in the case cited above, must promptly proceed to the deletion of the acquired images, the Company has not, however, provided for measures to prevent any fraudulent use of the aforementioned documentation by operators (such as, for example, the use of BYOD MDM software).

Furthermore, Hera Comm S.p.A. did not specify that the above-mentioned procedure must constitute an exceptional circumstance (limited, for example, exclusively to anomalous malfunctions of the App), nor did it adopt a system of specific organizational measures, such as periodic checks, aimed at assessing whether the acquisition of photographic images via the agent's mobile device was actually carried out only in the cases strictly provided for.

During the on-site checks, it was also noted that, following the signing of the contractual package, the customer acquisition process by door-to-door agencies includes a "verification" phase of the contractual intention (and consequently of the quality of the data processed and entered by the agents in the company application) based on a confirmation call, the so-called quality call, to the telephone number indicated in the proposal.

In this regard, it should be noted that the untraceable outcome of the aforementioned check call (i.e. the absence of a response from the customer), in most cases, does not interrupt the contractualization process which, therefore, still comes to a conclusion, determining, even in this case, the activation of the energy supply.

In fact, the unavailability of the customer during the quality call phase prevents the completion of the contract only where "the contractual proposal comes from agencies subject to so-called active monitoring" (see minutes of 17 April 2023, page 5).

On this point, with regard to the process according to which an agency is subjected to so-called Active Monitoring, it is worth specifying that the rating – “given by the ratio between positive Quality calls (i.e. the number of quality calls that resulted in the confirmation of the contract by the customer) compared to the total successful Quality calls (i.e. the number of quality calls that received a response from the customer, regardless of whether the contract was confirmed or not)” – is calculated “monthly by the Company for the same Agency”.

Where “the rating of the previous month was lower than the defined percentage (88%)”, the agency “is placed in the Active Monitoring status (..) and if the customer does not respond to the call, the contract is cancelled due to lack of confirmation by the customer” (see note of 19 May 2022, Annex 3, par. 6.3; see also minutes of 17 April 2023, page 5).

This system - which takes into account only the proportion between the check calls following which the customer's contractual adhesion was confirmed and the number of check calls to which the customer responded - does not appear to be sufficient to prevent possible illicit activities, as it is based on a partial calculation.

For example, it is noted that, if hypothetically out of 1000 quality calls carried out, only 10 receive a response from customers (9 of which confirm their contractual intention), the agency, due to the rating system mentioned above, would still obtain a high score despite the remaining number of quality calls carried out (990) having ended with an untraceable outcome.

Therefore, given that only 10 customers were reached by the quality call, out of a total of 1000 contractual proposals acquired by the same agency, the latter would not fall within the so-called Active Monitoring and the contractualization process would continue in any case, with respect to the remaining 990 proposals. The verification system set up by Hera Comm S.p.A., in relation to the activities carried out by its agents, is therefore ineffective; this is because the rating process does not take into account a piece of data that is significantly relevant, in the context in question, namely the total number of check calls made by operators, including those with an untraceable outcome.

Following these latter check calls, despite the lack of response from the customer, the related supplies are still activated, even where they refer to contractual proposals that could be the result of the illicit processing of potential customers' data.
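The rating arithmetic in the hypothetical above, together with the revised Active Monitoring parameters reported under paragraph 3, letter e), as an added example that is not part of the decision or of Hera Comm S.p.A.'s systems. The thresholds (88% rating, 80%/50% not-found share) are taken from the decision; the agency name, record layout and call data are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class QualityCall:
    """One quality (check) call made for a contract proposal procured by an agency."""
    agency: str
    outcome: str  # "confirmed", "not_confirmed" or "not_found" (customer did not answer)


def rating(calls: Iterable[QualityCall]) -> Optional[float]:
    """Rating as defined in the decision: confirmed calls / answered calls.

    Calls with a "not_found" outcome are excluded from both numerator and
    denominator, which is exactly the blind spot the decision criticises.
    Returns None when no call was answered at all.
    """
    answered = [c for c in calls if c.outcome != "not_found"]
    if not answered:
        return None
    confirmed = sum(1 for c in answered if c.outcome == "confirmed")
    return confirmed / len(answered)


def not_found_share(calls: Iterable[QualityCall]) -> Optional[float]:
    """Share of all calls made that ended 'not found': the figure the rating ignores."""
    calls = list(calls)
    if not calls:
        return None
    return sum(1 for c in calls if c.outcome == "not_found") / len(calls)


def under_active_monitoring_original(calls: List[QualityCall],
                                     rating_threshold: float = 0.88) -> bool:
    """Original rule: Active Monitoring only when the monthly rating falls below 88%."""
    r = rating(calls)
    return r is not None and r < rating_threshold


def under_active_monitoring_revised(calls: List[QualityCall], founded_complaints: int,
                                    rating_threshold: float = 0.88,
                                    not_found_threshold: float = 0.50) -> bool:
    """Revised rule reported by the Company (para. 3(e)).

    A founded complaint (false signature, unsolicited contract, ...) is sufficient
    on its own; a not-found share above the threshold (80% initially, 50% from
    March 2024) also triggers monitoring; the rating check is kept as well.
    """
    if founded_complaints > 0:
        return True
    nf = not_found_share(calls)
    if nf is not None and nf > not_found_threshold:
        return True
    return under_active_monitoring_original(calls, rating_threshold)


def contract_may_proceed(outcome: str, agency_monitored: bool,
                         block_all_not_found: bool = False) -> bool:
    """Whether a single proposal goes on to activation after its quality call.

    In the system described, a not-found outcome blocks the contract only for
    agencies under Active Monitoring; block_all_not_found=True models the
    blocking quality call the Guarantor considers necessary in every case.
    """
    if outcome == "confirmed":
        return True
    if outcome == "not_confirmed":
        return False
    if block_all_not_found:
        return False
    return not agency_monitored


def count_proceeding(calls: Iterable[QualityCall], agency_monitored: bool,
                     block_all_not_found: bool = False) -> int:
    """Number of proposals in a batch that would still be activated."""
    return sum(1 for c in calls
               if contract_may_proceed(c.outcome, agency_monitored, block_all_not_found))


def hypothetical_agency(agency: str = "AGENCY-X") -> List[QualityCall]:
    """Constructed data matching the decision's hypothetical: 1000 calls, 10 answered, 9 confirm."""
    return ([QualityCall(agency, "confirmed")] * 9
            + [QualityCall(agency, "not_confirmed")]
            + [QualityCall(agency, "not_found")] * 990)


if __name__ == "__main__":
    calls = hypothetical_agency()
    print("rating:", rating(calls))                      # 0.9, above the 88% bar
    print("not-found share:", not_found_share(calls))    # 0.99
    monitored_orig = under_active_monitoring_original(calls)
    print("monitored (original rule):", monitored_orig)  # False
    print("proposals activated:", count_proceeding(calls, monitored_orig))  # 999
    print("monitored (revised rule):", under_active_monitoring_revised(calls, 0))  # True
    print("activated with blocking call:", count_proceeding(calls, False, True))  # 9
```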

In confirmation of the ineffectiveness of this system, it is also noted that, from the documentation acquired during the inspections, in April 2023, in the face of 176 complaints for unsolicited activation, received from 1 January to 30 April 2023, and 377 “Non-Conformities” found by the Company in the same period (see note of 10 November 2023, Annex 1), only one agency was subject to “Active Monitoring” (see minutes of 18 April 2023, Annex 2).

It should also be added that, as expressly declared by the Company, the calculation of the agencies’ rating is not affected by the data relating to the receipt of “any reports or complaints” concerning contracts procured by the same agency, nor that concerning “the actual activation of the supply” (see minutes of 17 April 2023, page 5).

On this point, it is noted that the Company, following the notification of violation, has increased the effectiveness of the “Active Monitoring” system of agents, first of all by introducing a further anomaly parameter consisting in the acquisition of reports or complaints concerning any non-compliance with an agent (where founded) and by reviewing, at the same time, the rating calculation process (see in this sense, paragraph 3, letter e), of this decision).

However, these changes do not yet constitute sufficiently adequate measures in terms of accountability, since Hera Comm S.p.A. has not implemented a blocking quality call system (i.e. one that interrupts the continuation of the contractualization process) in all cases in which the customer has not responded to the call attempts made by the Company (so-called “not found” outcome of the verification call).

The aforementioned measure appears necessary, on the other hand, given that, where the quality call has not been successful due to the unavailability of the customer, the processing of the related personal data does not comply with the principles of lawfulness, correctness and accuracy of the customer's personal data; this is because no confirmation has been provided by the latter of the will to adhere to the contract (and, therefore, by extension also of the accuracy of the personal information collected by the agent at the time of the proposal).

It should also be noted that the adoption of the aforementioned organizational measure has already been subject to prescription, precisely in the context of activations of supply contracts in the energy sector, by the Guarantor in the decisions of 11 December 2019 and 28 September 2023 mentioned above.

Finally, it is noted that the Company has also represented the intention to introduce, in the quality call script, a specific phase, called “privacy check”, which consists of a series of questions asked by the operator to the customer in order to verify the legitimacy or otherwise of the contact methods or the conclusion of the contract.

This phase provides, among other things, the possibility for the interested party, where a presumed non-compliance by the agent emerges, to confirm, during the aforementioned call, through the so-called regularization procedure, his willingness to contract with Hera Comm S.p.A. in any case (see par. 3, letter l) of this decision).

However, the aforementioned provision does not appear to comply with the Regulation, since the quality call, which by its nature consists of a call aimed at verifying the validity of the contractual will of the interested party (and consequently the accuracy of the data collected by the agent), must be carried out exclusively for the pursuit of this specific purpose and to protect the rights of the interested parties, and cannot constitute a further opportunity to process the data of the latter - presumably illegally acquired by the agent - in order to convey contractual proposals to new potential customers.

It has also been ascertained that, following the quality call, the contractualization process continues by sending, before switching, a welcome letter to the email or physical address indicated by the customer when signing the contract (see minutes of 17 April 2023, pages 5, 6 and 8).

However, the system thus conceived, since it is based solely on contact details acquired by the agent, does not provide sufficient certainty of the correspondence of the latter with the actual user of the service; in doing so, Hera Comm S.p.A. accepts, without introducing adequate containment measures, the risk of acquiring unsolicited contracts containing inaccurate and out-of-date personal data.

It should also be noted, in this regard, that the transmission of the aforementioned welcome letter is not carried out through methods that allow the controller to have evidence of the actual receipt of such documentation by the customer (such as, for example, the use of confirmation messages of receipt and reading of the content of the communication), with the possibility that it, if transmitted to an address not belonging to the potential customer, is never actually viewed by the latter.

In this regard, it is therefore noted that the provision of a different communication system with the interested party (such as, for example, the transmission of the contractual proposal, in addition to the address in the contract, also by post to the address of the POD/PDR to which the supply relates, through a delivery tracking service) could allow for greater certainty of the exact delivery of the documentation in question, making it possible to intercept the anomaly found in the affected agencies at a stage even prior to the activation of the related contracts, limiting the negative consequences for the interested parties.

Lastly, it emerged that Hera Comm S.p.A. did not equip itself, for the purposes of verifying the accuracy of the personal data contained in the contracts procured by the agencies, with alert systems sensitive to various procedural anomalies (such as, for example, the discrepancy between the supply address and the customer's contact address; the anomalous number of quality calls with an untraceable outcome; the inaccuracy or incompleteness of the contractual data acquired; the uploading into the system of multiple contract proposals in the name of the same subject; the excessive and unusual number of contracts stipulated by each agent; etc.; see minutes of 17 April 2023, page 9 and Annex 6).

Likewise, the Company did not provide evidence of the performance of checks and/or investigations (not even on a sample basis) on the accuracy of the personal data acquired with reference to the other contracts stipulated by the agents with respect to which irregularities had been highlighted, regardless of the presentation of a complaint by the interested parties (for example, through a customer care activity directed at the customers contracted by the same agents, aimed at ascertaining the actual legitimacy of the contracts activated and of the processing carried out; see minutes of 17 April 2023, page 7 and Annex 2; see also minutes of 18 April 2023, pages 2-3).

On this point, it is noted that the measures adopted by the Company following the notification of violation do not appear to be entirely compliant with what is contested therein, given that they provide, with regard to contracts already active, that random checks are limited exclusively to the "presence of any further reports or complaints" (see in this sense, paragraph 3, letter j), of this decision).

The measures adopted by Hera Comm S.p.A. for the purposes of verifying the accuracy of the data processed by the agent, as described above, therefore appear, in consideration of the risks associated with the processing carried out, as well as the nature and context of the same, substantially inadequate to make the latter compliant with the provisions of the Regulation; this considering that the phenomenon of unsolicited activations, especially through the methods actually used in the cases under examination, has already been fully known for years in the reference sector, as demonstrated not only by the provision of the Guarantor of 11 February 2019 cited above, but also by the various and numerous decisions adopted by other Authorities in their respective areas of competence in relation to illicit conduct aimed at concluding contracts without the knowledge of potential customers (see, among many, AGCM, provisions of 21 December 2016, ref. PS6259, PS10114 and PS10338; AGCM, provision of 13 December 2022, no. 30422).

As a whole, the above is therefore a violation by Hera Comm S.p.A. of the provisions of art. 5, par. 1, letters a), d) and f), and par. 2; art. 24 and art. 32 of the Regulation.

4.3. Failure to comply with the obligations to supervise the work of the agencies.

With regard to the agents appointed, pursuant to art. 28 of the Regulation, to carry out personal data processing activities by Hera Comm S.p.A., it should be noted that the Company, as the data controller, is required to "use only data processors who provide sufficient guarantees to implement appropriate technical and organizational measures" to comply with the Regulation (art. 28, par. 1 of the Regulation).

This provision, as highlighted by the European Data Protection Board itself (see EDPB, Guidelines of 7 July 2021, no. 07/2020 on the “concepts of data controller and data processor under the GDPR”, hereinafter “Guidelines 7/2020”), takes on the characteristics of “a permanent obligation” against which the controller must, “at appropriate intervals, (..) verify the guarantees offered by the data processor” (see EDPB, Guidelines 07/2020, paragraphs 94, 99 and 114, cit.).

All this both - as already mentioned above (see par. 4.2. of this decision) - through the adoption of proactive behaviors aimed at promptly identifying any pathological situations in the contractualization process (and therefore the processing activities that result from it), and through the provision of periodic audits aimed at monitoring the work of the agencies in charge and verifying the correct and timely fulfillment of the tasks entrusted to them (see art. 5, par. 2, art. 24 and art. 28, par. 3, letter h) of the Regulation).

On this point, it is noted that such audits must be carried out in compliance with a predefined program of controls, to be carried out periodically, concerning compliance with the legislation on the protection of personal data, and must include document verification activities as well as on-site inspections. In addition, the outcome of the same must also be documented in detail by the controller, by drafting reports in this regard containing, also, any corrective (and/or preventive) measures to be adopted.

Likewise, the application of the same regulatory provisions (art. 24, par. 1 and art. 28, paragraphs 1 and 3, of the Regulation) also entails for the controller, in compliance with the principle of accountability, the necessary preparation, on a regular basis, of training sessions, directed at the processors appointed pursuant to art. 28 of the Regulation, aimed at ensuring the correct understanding and timely application of the specific instructions given to the latter (see EDPB, Guidelines 07/2020, par. 19, cit.).

With respect to the obligations referred to above, on-site inspections revealed that the Company has not, to date, carried out any audit activity aimed at verifying the work of the agencies designated as data processors in relation to the obligations set out in the Regulation (see minutes of 17 April 2023, page 9; see also note of 19 May 2023, Annex 3, par. 6.1).

Similarly, Hera Comm S.p.A. has not implemented specific initiatives, beyond those of a more general scope focused on the sales process, aimed at training agencies and individual agents on the protection of personal data (see minutes of 17 April 2023, page 9; see minutes of 18 April 2023, Annex 6; see note of 19 May 2023, Annex 1).

Finally, it is noted that, although the Company, following the notification of violation, has expressed its intention to strengthen its control activities towards the agencies in order to evaluate their work (see paragraph 3, letter f), of this decision), the Company has not, to date, provided suitable assurances regarding the future implementation, with reference to the aforementioned data processors, of audits in the field of personal data protection, having not transmitted any documentation in this regard suitable for describing the structure and timing of the audit program to be carried out and the methodology used for this purpose.

Failure to fulfil the obligations mentioned above determines, overall, for the Company, the violation of art. 5 par. 2, art. 24 and art. 28 of the Regulation.

4.4. Violations in the exercise of the rights of the interested parties.

With regard to the complaints received in the exercise of the rights pursuant to art. 15-22 of the Regulation, based on the elements in the files and those subsequently acquired during the inspection activity, it is established that Hera Comm S.p.A. provided, in both cases, an inadequate response to the requests for access to their data submitted by the interested parties.

In fact, with regard to the requests referred to in the request of 16 November 2022, the Company limited itself to listing the categories of data processed − in particular: "identification data (Name, Surname, Tax Code/VAT number), Contact details (landline/mobile telephone number, email, PEC, fax), Residence/domicile address" (see response note of 16 January 2023, page 1) − without reporting the details of the personal data relating to the interested party, available within its systems.

With regard to the request submitted on 3 January 2023, the Company provided a late response, as it arrived more than two months after the submission of the same and only following the request of the complainant, and in any case inadequate.

All this, taking into account the circumstance that the Company did not provide the interested party with the information requested, limiting itself exclusively to transmitting the documentation containing a copy of the information pursuant to art. 13 of the Regulation.

In this regard, it is worth highlighting that the right of access pursuant to art. 15 of the Regulation is mainly conceived as a tool aimed at allowing, in general, the interested party to exercise "control" over the personal data concerning him, ensuring full awareness of the information being processed and the actual methods of the latter.

The purpose of the right of access, in fact, is primarily to disclose “which” data and “how” they have been processed by the data controller, in order to provide the data subject with the tools to “know and verify the lawfulness and accuracy of the processing” referred to them (see recital 63 of the Regulation; EDPB, “Guidelines 01/2022 on data subject rights - Right of access”, adopted on 28 March 2023, paragraphs 10-13).

Pursuant to art. 15 of the Regulation, therefore, the data controller, in response to a request for access, cannot limit himself to providing “a general description of the data [or] a simple reference to the categories of personal data processed”, nor can he omit information in his possession where it refers to the data subject; on the contrary, he is rather required to provide “access to all personal data relating to the data subject” actually being processed.

Such information “must be complete, correct and up-to-date, corresponding as much as possible to the state of data processing at the time of receipt of the request” and must be provided “in a concise, transparent, intelligible and easily accessible form” to the latter (EDPB, “Guidelines 01/2022 on data subject rights - Right of access”, cit., paragraphs 34-35; art. 12, par. 1 of the Regulation).

It should also be noted that the response, in the terms above, must be provided by the data controller without undue delay and in any case no later than one month from receipt of the request (art. 12, par. 3 of the Regulation).

Given the failure by Hera Comm S.p.A. to comply with the provisions referred to above - as is clearly evident from the documentation in the files and from the checks carried out during the inspection - the argument put forward by the Company in this regard cannot be accepted for the purposes of archiving the dispute concerning this specific type of violation.

In fact, the Company, in its defence papers, limited itself on this point to stating that the findings at issue constitute an isolated case with respect to "the totality of the practices managed" by Hera Comm S.p.A. (see paragraph 3 of this decision).

Likewise, with specific regard to the request to exercise rights dated 3 January 2023, what the Company claimed regarding the circumstance that the lateness of the response was due to a misunderstanding of a predominantly technical nature is irrelevant (see note of 26 January 2024, page 7). In this regard, it is in fact noted, as already highlighted above, that the response in question was not adequate.

It follows, therefore, that in the cases in question the Company has violated art. 15 and art. 12, par. 3 of the Regulation.

In any case, the aforementioned circumstances will be taken into consideration, in the context of quantifying the administrative pecuniary sanction, as mitigating factors pursuant to art. 83, par. 2 of the Regulation.

4.5. Further violation profiles.

During the investigation, further violation profiles were found concerning the methods and times of retention of customer data, as explained below.

With regard to the policies adopted by the Company on the retention of customer data present in the CRM, it emerged from the statements made by the Company that, with respect to the Siebel system, no specific retention times have been provided for the data processed by Hera Comm S.p.A. (see minutes of 17 April 2023, page 7).

It has also been ascertained that the oldest data contained in the aforementioned CRM are those relating to a former customer, whose contract ended on 23 October 1984, and to a prospect (i.e. an interested party who has never been a customer of the Company), whose last contact was on 1 September 2004 (see note dated 19 May 2023, Annex 7).

This retention period (of 39 years in the first case and 19 in the second) - in fact adopted by the Company with respect to the aforementioned personal data - appears disproportionate to the purposes of the processing actually carried out and therefore not "limited to the minimum necessary" as provided for by art. 5, par. 1, letter e) of the Regulation (see in this regard recital 39 of the Regulation); this in consideration of the considerable period of time elapsed, in the first case from the termination of the contract, in the second from the pre-contractual purposes for which the data were collected.

By contrast, with respect to the Salesforce platform, the Company has identified some timeframes in the document called "Hera BBP migration and archiving" (minutes of 18 April 2023, Annex 3, par. 4.4.3).

In this regard, however, it should be noted that the framework provided therein does not appear sufficiently clear, nor exhaustive, as it is limited to listing a multiplicity of categories (so-called functional entities) to which various retention terms are associated, without it being possible to identify the personal data and the processing included therein, nor the criteria on the basis of which such association is made.

In this document, the Company, in fact, has exclusively indicated a ten-year term for customer data without any distinction that takes into account the purposes pursued from time to time (e.g. marketing, profiling, execution of the contract, etc.), as well as additional retention terms of 10 and 4 years referring to indeterminate categories, called "RDS/RDO/Case/Order" and "RDS/Case (request for information)".

Confirming the inadequacy of the data retention policy mentioned above, the circumstance - ascertained during the inspection activities - that Hera Comm S.p.A. does not have specific timeframes for the retention of data of data subjects for whom a complaint for unsolicited activation has been accepted, applying to them the ten-year term generally provided for the processing of customer data, is also relevant (see minutes of 17 April 2023, page 7).

In this regard, it is indeed worth highlighting that art. 5, par. 1, letter e) of the Regulation provides that personal data must be retained in a way that allows the identification of the data subject for a period of time not exceeding that necessary to achieve the purposes of the processing.

The principle of limitation of storage, in fact, imposes on the controller the burden of evaluating the duration of the processing in necessary correlation with the specific purposes set upstream at the time of collection; this in order to "ensure that the period of retention of personal data is limited to the minimum necessary" (see recital 39 of the Regulation).

This is, in fact, the obligation of the controller to guarantee a "correct" duration of the processing which, otherwise, could extend beyond the achievement of the specific purposes of the same, with an impact on the principles of lawfulness, correctness and transparency (art. 5 of the Regulation).

In light of the above, it follows that the processing carried out by Hera Comm S.p.A. appears to be in conflict with the principle of storage limitation, in consideration of the ascertained failure to set retention times for the personal data recorded in the Siebel CRM, as well as the inadequacy of the data retention policy envisaged for the Salesforce system.

This inadequacy remains due to the failure of the Company to reformulate the data retention policy in light of the objections raised in the notice of dispute.

All this considering that the same has limited itself, following the notification of violation, to introducing only the provision regarding the ten-year term of retention of the data of the interested parties with respect to which a complaint for unsolicited activation has been accepted, starting from the date of definition of the same.

Lastly, during the accesses carried out on site, it emerged that the personal data of the customers, whose contract has ceased following a complaint for unsolicited activation, were present in the CRM of Hera Comm S.p.A., without the introduction of any measure, such as the physical and logical segregation of the aforementioned information, aimed at guaranteeing the limitation of the related processing in order to distinguish them from those subject to ordinary customer management activities (art. 5, par. 1, letter b) and par. 2; art. 24 of the Regulation).

Furthermore, the Company has not provided evidence regarding the implementation of a system suitable for providing, pending the definition of a complaint for an unsolicited contract, the timely limitation, pending subsequent checks, of any further and different processing activity of customer data in order to suspend as a precaution any unlawful processing of the aforementioned data (e.g. access by internal or external personnel authorised to operate on the CRM for ordinary customer management purposes); the latter measure, moreover, already expressly indicated by the Guarantor in the aforementioned provisions of 11 December 2019, 28 September 2023 and 12 October 2023.

From the examination of the documentation acquired, it was noted in particular that, from 1 January 2021 to 30 April 2023, the number of interested parties for whom the aforementioned measures of segregation of the related personal data were not provided for was 2309 (see minutes of 18 April 2023, Annex 7 and note of 10 November 2023, Annex 1, documents from which a total of 713 "Complaints" and 1596 "Non-Conformities" result).

Finally, with specific reference to the methods introduced by the Company, following the notification of the violation, to implement the aforementioned data limitation measures (see above, par. 3, letter h) of this decision), it is noted that the same do not appear to be entirely suitable to conform the processing activities in question to the Regulation.

In particular, reference is made to the information of data subjects with respect to whom a complaint for unsolicited activation has been accepted and which, based on what has recently been introduced by the Company, are not promptly archived in a system separate from the CRM, but instead remain available there for a period of two years (see note of 26 January 2024, pages 21-22).

In this regard, it is worth highlighting that the controller, with reference to such information - relating to data subjects whose data had been unlawfully processed from the outset by the agent - is required to ensure effective logical and physical segregation (i.e., the data must be immediately marked and transferred to another system).

5. Conclusions: declaration of unlawfulness of processing. Corrective measures pursuant to art. 58, par. 2, Regulation.

In light of the overall findings, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act of initiation of the proceeding to be overcome and are therefore unsuitable for ordering the archiving of this proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

The processing of personal data carried out by Hera Comm S.p.A., in the context of customer contracting activities through door-to-door agencies, is in fact unlawful, in the terms set out above, as it was carried out in violation of art. 5, par. 1, letters a), b), d), e) and f), and par. 2; of art. 12, par. 3; of art. 15; of art. 24; of art. 28 and art. 32 of the Regulation.

Violation of the provisions referred to above entails the application of the administrative sanction provided for by art. 83, par. 4, letter a) and par. 5, letters a) and b) of the Regulation.

With regard to the exercise of the corrective powers referred to in art. 58, par. 2, of the Regulation, it is noted that Hera Comm S.p.A., during the proceedings, has taken steps to adopt some initial measures aimed at aligning, in compliance with the regulatory framework described above, the processing of customer data with the Regulation as detailed in this decision (see above, par. 3, letters b), c), f), g) and k) of this decision).

Account is also taken of the statements made by Hera Comm S.p.A., in the context of the defense briefs, regarding the upcoming adoption of some measures for which feasibility assessments are underway, including of a technical nature (see paragraph 3, letters d) and i) of this decision).

Therefore, taking into account the above and without prejudice to the aforementioned actions already initiated by the Company, it is deemed necessary in any case, in light of the additional critical issues identified against the data controller, to order the same, pursuant to art. 58, paragraph 2, letter d), of the Regulation, to take the following corrective measures:

a) with regard to the above-mentioned measures being adopted by the Company (see paragraph 3, letters d) and i) of this decision), to confirm their definitive implementation, providing adequately documented feedback in this regard pursuant to art. 157 of the Code;

b) with reference to the App introduced for the purpose of acquiring the image of the contractual documentation by the agents, adopt measures aimed at preventing illicit uses of the same, such as, for example, the provision that the App can be downloaded exclusively from official stores, that it can be installed only on the device uniquely associated with the agent (for example by sending a confirmation PIN), and that it can be used via one device at a time. The Company must also carry out periodic checks in order to monitor any anomalous uses of this application (e.g. excessive uploads by some agents compared to the average; use of the App at unconventional times; simultaneous access from the same account; etc.);

c) evaluate whether to maintain, within the instructions given by Hera Comm S.p.A. to its door-to-door agents, the indication of the ability to acquire the image of the customer's identification document on their personal device and not via the App designated for this purpose (see note of 26 January 2024, page 8). In this regard, if the Company deems it appropriate to confirm the aforementioned indication, it is deemed necessary for the relevant instructions to specify the exceptional nature of this procedure (giving examples of the limited cases in which it can be used). The Company should also adopt a system of periodic checks aimed at assessing the actual residual use of the same with respect to the App, as well as introducing measures specifically aimed at preventing any fraudulent use (such as, for example, the use of BYOD MDM software), by door-to-door agents, of the customer's identification document thus acquired;

d) adopt a blocking quality call system (i.e. one that interrupts the continuation of the contractualization process) in all cases in which the customer has not responded to the call attempts made by the Company (so-called "not found" outcome of the verification call);

e) provide for procedural rules in relation to which, in the event of the receipt of anomalous volumes of contractual proposals, rejections, complaints for unsolicited activation relating to contracts procured by an agency, Hera Comm S.p.A. is expected to carry out specific verification activities on the generality of the contractualization operations carried out by the aforementioned agency (for example by examining the proposals uploaded by the same agents and/or by the same agency affected by the complaint in the same reference period, as well as by carrying out a caring activity towards other customers procured by the same agents with respect to whom irregularities had been highlighted). All this in order to have tools capable of contributing to ensuring the accuracy of the personal data acquired in the context of the aforementioned contractual proposals, regardless of the submission of a complaint or report by the interested parties. The anomaly threshold aimed at determining the start of the above-described control activity could be identified by taking into account, for example, the average number of proposals procured by individual agencies and the average number of complaints/refusals of the same nature received every six months by the Company. The aforementioned activity could be carried out on a sample basis or in any case in a manner that is not invasive for the customer (for example, by means of a notice placed on the bill);
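The anomaly alerts listed in par. 4.2 above (supply/contact address discrepancy, untraceable check calls, incomplete data, several proposals in the name of the same subject, excessive per-agent volumes) and the agency-level thresholds of point e) can be implemented as a periodic review over the proposals uploaded by the agencies. The following Python is an added illustration, not code from the decision or from Hera Comm S.p.A.; the record layout, the sample proposals and complaint counts, and the rule that a value is anomalous when it exceeds 1.5 times the average are all constructed assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Proposal:
    """One contractual proposal uploaded by an agent (constructed record layout)."""
    proposal_id: str
    agency: str
    agent: str
    tax_code: str          # identifies the prospective customer
    supply_address: str    # address of the POD/PDR to be supplied
    contact_address: str   # address the agent recorded for the welcome letter
    check_call: str        # verification call outcome: "confirmed", "rejected", "not_found"
    complete: bool         # all mandatory contractual fields were filled in


def proposal_flags(p: Proposal) -> list[str]:
    """Checks that can run on a single proposal as soon as it is uploaded."""
    flags = []
    if p.supply_address.casefold() != p.contact_address.casefold():
        flags.append("supply_contact_address_mismatch")
    if not p.complete:
        flags.append("incomplete_contract_data")
    if p.check_call == "not_found":
        flags.append("check_call_not_found")  # point d): should block the process, not just warn
    return flags


def exceeds(value: float, population: list[float], ratio: float) -> bool:
    """True when value is more than `ratio` times the population average (assumed rule)."""
    return value > ratio * mean(population)


def review_period(proposals: list[Proposal], complaints: dict[str, int],
                  ratio: float = 1.5) -> dict:
    """Flag proposals and agencies for one reference period (e.g. six months).

    `complaints` maps agency -> accepted unsolicited-activation complaints in the period.
    Returns {"proposals": {id: [flags]}, "agencies": {agency: [flags]}}.
    """
    prop_flags = {p.proposal_id: proposal_flags(p) for p in proposals}

    # Several proposals uploaded in the name of the same subject.
    per_subject = Counter(p.tax_code for p in proposals)
    for p in proposals:
        if per_subject[p.tax_code] > 1:
            prop_flags[p.proposal_id].append("duplicate_subject")

    by_agency: dict[str, list[Proposal]] = defaultdict(list)
    for p in proposals:
        by_agency[p.agency].append(p)
    agencies = sorted(set(by_agency) | set(complaints))

    # Agency-level indicators compared with the average across all agencies.
    volume = {a: len(by_agency[a]) for a in agencies}
    complaint_count = {a: complaints.get(a, 0) for a in agencies}
    not_found_rate = {
        a: (sum(p.check_call == "not_found" for p in by_agency[a]) / volume[a]
            if volume[a] else 0.0)
        for a in agencies
    }
    per_agent = Counter((p.agency, p.agent) for p in proposals)

    agency_flags: dict[str, list[str]] = {a: [] for a in agencies}
    for a in agencies:
        if exceeds(volume[a], list(volume.values()), ratio):
            agency_flags[a].append("anomalous_proposal_volume")
        if exceeds(complaint_count[a], list(complaint_count.values()), ratio):
            agency_flags[a].append("anomalous_complaint_volume")
        if exceeds(not_found_rate[a], list(not_found_rate.values()), ratio):
            agency_flags[a].append("anomalous_not_found_rate")
    for (agency, agent), n in sorted(per_agent.items()):
        if exceeds(n, list(per_agent.values()), ratio):
            agency_flags[agency].append(f"excessive_contracts_by_agent:{agent}")
    return {"proposals": prop_flags, "agencies": agency_flags}


# Constructed sample period: agencies A and B look ordinary, agency C does not.
SAMPLE_PROPOSALS = [
    Proposal("A-1", "A", "a1", "TAX001", "Via Roma 1, Bologna", "Via Roma 1, Bologna", "confirmed", True),
    Proposal("A-2", "A", "a2", "TAX002", "Via Indipendenza 9, Bologna", "Via Indipendenza 9, Bologna", "confirmed", True),
    Proposal("B-1", "B", "b1", "TAX003", "Via Emilia 12, Imola", "Via Emilia 12, Imola", "confirmed", True),
    Proposal("B-2", "B", "b2", "TAX004", "Via Verdi 3, Ravenna", "Via Verdi 3, Ravenna", "rejected", True),
    Proposal("C-1", "C", "c1", "TAX005", "Via Po 5, Modena", "Via Po 5, Modena", "not_found", True),
    Proposal("C-2", "C", "c1", "TAX005", "Via Po 5, Modena", "Via Lunga 77, Rimini", "not_found", True),
    Proposal("C-3", "C", "c1", "TAX006", "Via Dante 2, Modena", "Via Dante 2, Modena", "not_found", False),
    Proposal("C-4", "C", "c1", "TAX007", "Via Mazzini 8, Carpi", "Via Mazzini 8, Carpi", "confirmed", True),
    Proposal("C-5", "C", "c1", "TAX008", "Via Garibaldi 4, Carpi", "Via Garibaldi 4, Carpi", "confirmed", True),
    Proposal("C-6", "C", "c2", "TAX009", "Via Cavour 6, Modena", "Via Cavour 6, Modena", "confirmed", True),
]
SAMPLE_COMPLAINTS = {"A": 0, "B": 1, "C": 4}  # accepted complaints per agency, constructed

if __name__ == "__main__":
    report = review_period(SAMPLE_PROPOSALS, SAMPLE_COMPLAINTS)
    for pid, flags in report["proposals"].items():
        if flags:
            print(pid, flags)
    for agency, flags in report["agencies"].items():
        print(agency, flags or "no anomaly")
```

Agency-level flags are the trigger for the wider verification described in point e); the per-proposal flags are what the controller should act on before activation.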

f) identify adequate retention times for customer data, distinguished by data categories and specific purposes of the processing carried out; this is in line with the principle of limitation of retention established by art. 5, par. 1, letter e) of the Regulation;

g) eliminate from the quality call script the reference, within the "privacy check" phase, to the so-called regularization procedure that allows the Company, in the event of an alleged non-compliance by the agent, to acquire, during the same call, in any case its willingness to contract with Hera Comm S.p.A.;

h) with reference to the processing of customer data for which, following the various preventive checks described above, it appears appropriate as a precaution to interrupt the contractualization procedure, or for which a complaint for unsolicited activation has been accepted, implement a system that provides for the timely limitation of any further processing activity of the data; this by adopting adequate measures to guarantee the immediate segregation of the aforementioned data from those processed in the context of ordinary customer management activities. This measure, as already represented (see above, par. 4.5. of this decision), cannot be effectively implemented with the methods proposed by Hera Comm S.p.A., since the masking of the data and their logical and physical segregation must occur immediately and not, as envisaged by the Company, after the passing of two years (the data, in other words, must be immediately marked and transferred to another system);

i) provide for periodic audits to evaluate the work of the agencies in charge, pursuant to art. 28 of the Regulation, to process customer data for contractual purposes.

Finally, with reference to the personal data relating to the 2309 customers as identified in paragraph 4.5. of this decision, pursuant to art. 58, paragraph 2, letter f) of the Regulation, the definitive limitation of any further processing activity of the same other than that inherent to the aforementioned segregation of the aforementioned information is ordered.

The aforementioned requirement is also necessary in relation to the personal data of customers contained in any further contractual proposals acquired through the door-to-door channel in the period between 1 May 2023 and the date of notification of this decision with respect to which a complaint has been submitted in the meantime for unsolicited activation and the same has been accepted with consequent termination of the related contract.

6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose the administrative pecuniary sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18, L. 24 November 1981 n. 689), in relation to the processing of personal data carried out by Hera Comm S.p.A., the unlawfulness of which has been ascertained in the terms set out above.

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that “if, in relation to the same processing or linked processing, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement”, the total amount of the fine is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the case in question, the circumstances reported below have been taken into account:

the significant seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation), in relation to the nature (concerning the failure to comply with the principles of processing pursuant to Article 5 of the Regulation), the methods (the plurality of unlawful conducts repeated over time) and the duration of the same (approximately two years). Also considered relevant, for this purpose, are the characteristics of the processing in terms of its purpose and broad scope, as well as the high number of data subjects involved and the type of damage suffered by them. All this having been noted that: the disputed operations were carried out in order to conclude energy supply contracts in the free market, an economic activity that falls within the core business of the controller; the unlawful conduct ascertained involved 2309 interested parties; the critical issues found in terms of data protection refer to the processes and policies implemented by the controller for carrying out customer contractualization operations through the agency channel, highlighting systemic shortcomings and inadequacies of the aforementioned processes, and therefore cannot be attributed to sporadic episodes of misalignment of the same; the ascertained violations have caused, for the potential customers indicated above, in addition to damages directly connected to the identity theft suffered by them, also the conclusion without their knowledge of unsolicited contracts in the free energy market (together with the activation of insurance policies related to the same), with the consequent need for the same to take on the related administrative costs connected to bringing the actions (judicial and/or administrative) envisaged in such cases to protect the consumer;

the significantly negligent behavior and the significant degree of responsibility of the data controller with regard to the technical and organizational measures implemented (art. 83, par. 2, letter b) and letter d) of the Regulation); this with specific reference to the inadequacy of the data protection policies implemented by Hera Comm S.p.A. in the sector under consideration and explained in detail in paragraphs 4.1.-4.5. of this decision, as well as in light of the indications already provided for some time by the Guarantor with regard to the organizational and management methods that a data controller, operating as an energy supplier in the free market, must implement, when acquiring new customers, in order to comply with the Regulation (see provisions of 11 December 2019, 28 September 2023 and 12 October 2023, cit.);

the adoption, by the controller, of measures to mitigate or eliminate the consequences of the violation (art. 83, par. 2, letter c) of the Regulation). In this regard, the circumstance that Hera Comm S.p.A. promptly adopted, once it became aware of the violations, some initial measures to mitigate the effects of the unlawful processing must be considered positively; measures that, although only partially sufficient to eliminate the risks, can be considered reasonable;

the circumstance that the Company actively cooperated with the Authority during the proceedings (art. 83, par. 2, letter f) of the Regulation);

the fact that there are no previous violations committed by the controller or previous measures referred to in art. 58 of the Regulation (art. 83, par. 2, letter e) of the Regulation);

other mitigating factors (art. 83, par. 2, letter k) of the Regulation). To this end, it is relevant, with respect to the violation ascertained in par. 4.4. of this decision, that the late response provided by the Company to the request to exercise rights dated 3 January 2023, was mainly due to "a technical glitch in the systems that prevented the passage of the complaint to the Score platform, responsible for managing this type of request" (see note of 26 January 2024, page 7). It is also taken into account that the inadequacy of the feedback provided in the cases that are the subject of the complaint appear, as claimed by the Company, to be isolated cases compared to the totality of the practices managed by the latter as a whole (see paragraph 4.4. of this decision).

It is also believed that the economic conditions of the offender, determined on the basis of the turnover of the Company, as per the financial statements for the year 2023 (the last available), are relevant in this specific case, due to the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (art. 83, par. 1, of the Regulation). In this regard, it is stated that, due to the nature of the processing operations that are the subject of the complaint, only the turnover relating to the sale of electricity and gas has been taken into consideration for this purpose.

Finally, the costs that the Company is required to face in order to comply with the provisions of point 5 of the aforementioned decision are taken into account, as well as the amount of the sanctions imposed by the Guarantor in similar cases.

In light of the elements indicated above and the assessments carried out, it is believed that, in this specific case, the administrative sanction of the payment of a sum equal to €5,000,000.00 (five million/00) should be applied to Hera Comm S.p.A.

In this context, it is also believed that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this provision should be published on the Guarantor's website. This is in consideration of the type of violations found that affected the general principles of processing, in particular the principles of lawfulness, correctness, transparency, accuracy and accountability. To this end, account is also taken of the significant damage suffered by the interested parties following the conclusion of unsolicited contracts in the free energy market (often together with the activation of insurance policies related to the same) with the consequent need for them to take on all administrative burdens also connected to the initiation of judicial and/or administrative actions envisaged in such cases for their own protection.

Finally, it is believed that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

a) pursuant to art. 57, par. 1, letter f) and 83, of the Regulation, notes the unlawfulness of the processing carried out by Hera Comm S.p.A., with registered office in Imola (BO), VAT no. 02221101203, in the terms set out in the reasons, for the violation of art. 5, par. 1, letters a), b), d), e) and f), and par. 2; of art. 12, par. 3; of art. 15; of art. 24; of art. 28 and art. 32 of the Regulation;

b) pursuant to art. 58, par. 2, letter f) d) of the Regulation orders the aforementioned Company to comply, within three months from the date of notification of this provision, with the provisions set out in paragraph 5, letter a) of this decision, while at the same time requesting the same to provide, within the aforementioned deadline, adequately documented feedback pursuant to art. 157 of the Code; any failure to provide feedback may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, letter e) of the Regulation;

c) pursuant to art. 58, paragraph 2, letter d) of the Regulation orders the aforementioned Company to comply, within nine months from the date of notification of this provision, with the provisions set out in par. 5, letters b) to i) of this decision, while at the same time requesting the latter to communicate what initiatives it intends to undertake in order to implement the provisions and to provide, within the aforementioned deadline, adequately documented feedback pursuant to art. 157 of the Code; any failure to provide feedback may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, letter e) of the Regulation;

d) pursuant to art. 58, paragraph 2, letter f) of the Regulation, orders, with respect to Hera Comm S.p.A., the definitive limitation of any further processing of customer data as identified in paragraph 5 of this decision and within the terms provided therein;

e) believes that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ORDERS

a) pursuant to art. 58, par. 2, letter i) of the Regulation to the same Hera Comm S.p.A., to pay the sum of Euro 5,000,000.00 (five million/00) as an administrative pecuniary sanction for the violations indicated in this provision.

ORDERS

b) therefore to Hera Comm S.p.A. to pay the aforementioned sum of Euro 5,000,000.00 (five million/00), according to the methods indicated in the attachment, within thirty days of notification of this provision, under penalty of the adoption of the consequent executive actions pursuant to art. 27 of Law no. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, the right of the offender to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal as indicated below remains intact.

ORDERS

c) the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 17 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei



SEE ALSO: Newsletter of 13 September 2024


[web doc. no. 10053211]

Provision of 17 July 2024

Register of provisions
no. 440 of 17 July 2024

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN TODAY'S meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, Members, and Council Member Fabio Mattei, Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the “Regulation”);

HAVING SEEN Legislative Decree no. 196 of 30 June 2003 (Personal Data Protection Code, hereinafter the “Code”) as amended by Legislative Decree no. 101 of 10 August 2018 containing “Provisions for the adaptation of national legislation to the provisions of Regulation (EU) 2016/679”;

HAVING EXAMINED the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Prof. Pasquale Stanzione;

WHEREAS

1. Complaints received.

This Authority has received several requests concerning the processing of inaccurate and out-of-date personal data of customers, carried out by Hera Comm S.p.A. (hereinafter also “Company”), through door-to-door agents, in the context of the supply of electricity and gas, by concluding unsolicited contracts in the free market.

In particular, the complainants complained that they learned of the establishment of the supply relationship only following the delivery by Hera Comm S.p.A. of contractual documentation bearing a fake signature, or the receipt of communications aimed at updating the activation status of energy supplies, asserting that they had never had any contact, either personal or remote, with the aforementioned Company.

The simultaneous activation by Hera Comm S.p.A. of insurance policies, also bearing a false signature, related to the aforementioned supply contracts was also reported.

The requests sent to the Authority also highlighted the significant difficulties and inconveniences endured by the aforementioned customers due to the unsolicited activations suffered. First of all, those relating to the need to have access to the contractual documentation (often repeatedly requested from Hera Comm S.p.A.), as well as those relating to the time lost and costs incurred (both in relation to the higher tariffs incurred and in relation to the need to appoint a lawyer) to initiate the administrative and judicial actions provided for by law to protect the consumer (such as, for example, the submission of requests for access to the contractual documentation; the forwarding of complaints to the supplier; the initiation of the restoration procedure at the Regulatory Authority for Energy, Networks and the Environment; actions related to the cancellation of activated insurance policies; the possible submission of a criminal complaint; etc.).

Some complaints have also been submitted against the same Company regarding incorrect and/or late response to requests to exercise rights made pursuant to Articles 15-22 of the Regulation.

2. The preliminary investigation.

The Authority, by virtue of the multiple requests submitted, decided to proceed with the merger of the individual proceedings referred to above, in order to carry out a comprehensive examination of the issues underlying them.

Therefore, as part of the aforementioned investigation, some on-site inspections were carried out at the Company, specifically on 17, 18 and 19 April 2023.
Subsequently, further elements were also acquired from the supplementary documentation sent by Hera Comm S.p.A. on 19 May 2023, in resolution of the reservations formulated during the inspection activity, as well as from the note sent by the Company on 10 November 2023 in response to a request for information from the Authority dated 23 October 2023.

During the proceedings, in relation to the profiles highlighted in the introduction, the following emerged.

2.1. The processing of customers' personal data through door-to-door agents.

Hera Comm S.p.A. is a company that operates, at a national level, in the sector of sales of electricity and gas to end customers. "The number of individual customers in the free market, as of 12/31/2022, is equal to 769,662 for the energy sector and 944,956 for the gas sector" (see minutes of 17 April 2023, page 3).

Customer contractualization activities are carried out through "various channels such as: teleselling; door-to-door agencies; "inbound" channel (call center); web-based contractualization; Hera Comm counters (physical points managed by the Company's employees); Hera Comm points (stores managed by agencies in the area)". In particular, “sales through door-to-door channels and (..) Hera Comm Points are carried out through the use of agencies”. The latter “are designated as processors pursuant to art. 28 of the Regulation” and, for each activity carried out (door-to-door agent or Hera Comm Point), “sign a specific contract” (see minutes of 17 April 2023, pages 3-4).

More specifically, the agencies “operate, by means of an agency mandate, as multi-mandate agents with exclusivity for the sale of electricity and gas services”, while the Hera Comm Points “are sales points opened in territories of commercial expansion, the management of which is usually entrusted to the same agency that commercially oversees [the aforementioned perimeter]” and “are responsible for acquiring new customers; providing after-sales support for customers (..); ensuring a permanent presence in the territory” (see note of 19 May 2023, Annex 3, page 3).

For the purposes of managing the data of the customers thus acquired, the Company uses two CRM systems, respectively based on the Siebel and Salesforce platforms. In this regard, it was specified that the Siebel CRM "is being replaced starting from June 2022" through a "migration [of the customer data contained therein] to the different Salesforce system [recently implemented]. The data of customers from some regions (Marche and Abruzzo) are entirely on Salesforce, while for the remaining customers, Salesforce is used in the proposal entry phase until its validation; the information relating to the subsequent phases (precheck, switching, etc.) is entered into the Siebel system" (see minutes of 17 April 2023, page 6).

The Company "has established the rules that the [door-to-door] agents must follow when signing the contractual proposals, which are specified in the agency contract, in the attachment called "Sales Manual" (..). Agents use only paper contract forms, which the customer signs with an autograph signature. The agent also acquires a copy of the identity document and, in some cases, a copy of the latest bill (possibly via a photo with the agent's mobile phone). The agent then brings the contract to the agency, which, via the back-office function, scans the document and uploads the data into the system [Customer Relationship Management - hereinafter "CRM"], attaching the scanned copy. The paper document is then sent by courier to the Company. The data is uploaded into a verticalization of the CRM (..), used for the data entry function (see minutes of 17 April 2023, page 4).

The "contractual proposal uploaded by the agency into the CRM is first subjected to a validation process that is divided into two phases:

document control: aimed at verifying the completeness and congruity of the contractual data entered by the agencies. This process, carried out by Hera Comm personnel or external companies, provides that, if the regularity checks have a negative outcome, the contract is returned to the agency for specific checks. If the outcome is positive, the process moves to the second phase” (see minutes of 17 April 2023, page 4);

quality call [hereinafter also “check call”]: Hera Comm S.p.A “will make, with reference to all the proposals received, a confirmation call to the telephone number present in the same. The Company will make a maximum of 15 contact attempts, over the course of a few days” (see minutes of 17 April 2023, pages 4-5). If the interested party does not respond to the aforementioned confirmation call (so-called untraceable result or Not found of the quality call), the contractualization process continues anyway, with reference to the contractual proposals procured by agencies, with a "high quality score (i.e. higher than 88% of check calls completed with a positive outcome, in the previous month)"; in such cases, "the contractualization process therefore continues and the customer receives text messages/emails on the progress of the practice". Otherwise, if the agency that collected the contractual proposal does not reach the rating percentage indicated above, and is therefore subjected to so-called "Active monitoring", the untraceable result of the check call blocks the aforementioned process. It was clarified in this regard that the “rating for Agency/Agent, [is] given by the ratio between positive Quality calls (i.e. the number of quality calls that resulted in the confirmation of the contract by the customer) compared to the total Quality calls that were successful (i.e. the number of quality calls that received a response from the customer, regardless of whether the contract was confirmed or not) for the same Agency/Agent” (see note of 19 May 2023, Annex 3, par. 6.3). It was also specified that the rating of the agencies aimed at defining the aforementioned score “does not take into account any subsequent reports or complaints or the actual activation of the supply” (see minutes of 17 April 2023, page 5).

The Company, in the event of a positive outcome of the quality call and before switching, “sends a welcome letter to the physical address or email provided by the agent, at the time of signing the proposal. The transmission of the aforementioned letter/email does not include tracking systems aimed at providing confirmation of delivery or receipt of the same. Following this sending, switching activities are started and are concluded on average within 45 days of the welcome letter. During this period, information relating to the progress of the practice is communicated to the customer via SMS/email”. After switching, “the company does not carry out further checks on the regularity of the contractualization (e.g. [further] quality call)” (see minutes of 17 April 2023, page 5).

With regard to the procedures adopted by the Company in order to verify the accuracy of the personal data contained in the contractual proposals procured by the agencies, the latter “has set up the CRM so that contractual proposals in which a telephone number or an email already present in 5 personal data sheets appear are not accepted”.

It was also stated that "the Company does not carry out further checks" that would generate alerts sensitive to various procedural anomalies, such as, for example, the discrepancy between the supply address and the customer's contact address; the inaccuracy or incompleteness of the acquired contractual data; the uploading to the system of multiple contract proposals in the name of the same subject; the excessive and unusual number of contracts stipulated by each agent; etc. (see minutes of 17 April 2023, page 9 and Annex 6).

With reference instead to the checks regarding the accuracy of the personal data of the customers contained in the contracts that are the subject of the complaint for unsolicited activation, the Company has implemented a procedure called "Non-compliance management procedure".

According to the same, Hera Comm S.p.A., if it highlights a serious imperfection in the acquisition of the contract, records a "Non-Conformity" against the agency which may also lead to the application of penalties (see minutes of 18 April 2023, Annex 11; note of 19 May 2023, Annexes 2 and 3). On this point, during the investigations, it was specifically pointed out that, in the case of "complaint for unsolicited activation, with disavowal of the signature, the Company sends a certified email to the agency to request the removal of the agent who followed the signing of the proposal, and applies the reversal of the commission and any additional sanctions provided for in the contract. If the number of complaints with respect to the signed contracts exceeds a certain threshold [in this case 5% of Non-Conformities recorded in the previous quarter], the contract with the agency is terminated". Furthermore, “the Company does not carry out checks on other and additional contractual proposals stipulated by the same agent with respect to which a complaint was submitted for the activation of an unsolicited contract, aimed at checking the correct acquisition of the customer's adhesion to the formulated proposal” (minutes of 17 April 2023, page 7 and Annex 2; see also minutes of 18 April 2023, pages 2-3).

More generally, with regard to the methods of verifying the quality of the customer contractualization process through door-to-door agencies, the Company intended to point out that, following the investigation activity of the Guarantor, in “September 2023 the ‘Sales Support & Control’ office was established which (…) has the objective of designing and implementing an ‘Internal Control System’ designed to measure and contribute to improving the quality of sales” (see note of 10 November 2023, pages 3 and 4).

The inspections, including access to the Company's systems, revealed that the contracts relating to the complainants were procured by MAS S.r.l. and NTS Group S.r.l., agencies with respect to which the highest incidence of cases of "Non-Compliance" was found (see minutes of 18 April 2023, Annex 7), and that, with respect to the same, Hera Comm S.p.A. found that unsolicited contracts had been activated (see minutes of 17 April 2023, pages 6 and 8).

Lastly, it was also highlighted that, “with reference to customer data for which a contract for unsolicited activation was accepted, there are no methods of limiting the processing in order to guarantee the segregation of the aforementioned data from those processed in the context of ordinary customer management activities”. In any case, “in the event of unsolicited activation, the privacy consents are revoked directly by the Company, upon receipt of the customer complaint, and changed to “NO consent” in the CRM” (minutes of 17 April 2023, page 7).

With regard to the retention times of customers’ personal data, Hera Comm S.p.A. represented, with reference to the Siebel system, that “specific retention techniques have not been included in consideration of the complexity and cost associated with this implementation”, while, with regard to the Salesforce platform, it provided a document called “Hera BBP migration and archiving”.

In particular, with specific regard to customer data for which a complaint for unsolicited activation was accepted, the same specified that “they are retained in the CRM for 10 years from the termination of the contract, since the Company does not have a specific data retention policy in relation to this type of information” (see minutes of 17 April 2023, page 7 and minutes of 18 April 2023, Annex 3; see also note of 19 May 2023, Annex 7).

Finally, with regard to the measures adopted by Hera Comm S.p.A. in order to verify the work of the agencies as data processors pursuant to art. 28 of the Regulation, the Company declared that “no audit activity [in terms of personal data protection] is carried out on the work of [them]” (see minutes of 17 April 2023, page 9; see also note of 19 May 2023, Annex 3, par. 6.1).

At the same time, Hera Comm S.p.A. represented “the intention to start an audit activity by administering a checklist on privacy compliance (..) towards the agencies, using the ‘privacy compliance checklist for external data processors’ already prepared” (minutes of 18 April 2023, page 3).

Likewise, with regard to the training activities of agencies and individual agents, the Company has declared that these are “focused [exclusively] on the sales process” and that “specific training on personal data protection is not provided” (see minutes of 17 April 2023, page 9; see minutes of 18 April 2023, Annex 6; see note of 19 May 2023, Annex 1).

2.2. Complaints regarding the exercise of the rights of the interested party.

The Guarantor has also received two complaints, regarding the exercise of rights, concerning the incorrect and/or late response, by Hera Comm S.p.A., to the requests for access to its data submitted, pursuant to art. 15 of the Regulation, respectively on 16 November 2022 and 3 January 2023.

In general terms, from the checks carried out, it emerged first of all that the Company, in order to fulfill the obligations pursuant to art. 12 of the Regulation, has adopted a specific procedure (see minutes of 18 April 2023, Annex 15, paragraphs 5.2 and 5.4) aimed at defining the management methods of "all types of complaints/requests for information received (..) both through the Customer Value Management structure and through the DPO Office".

Complaints are entered into a system called S.Co.Re. and are "managed, as a rule, within 30 days on the basis of company policy; specifically, with reference to privacy complaints, it is expected that they must be processed within 30 calendar days" (see minutes of 18 April 2023, page 5).

Furthermore, with specific regard to the aforementioned complaints received by the Authority, the following was ascertained:

the request for access pursuant to art. 15 of the Regulation submitted on 16 November 2022 was simultaneously sent to Hera Comm S.p.A., the data controller, and to Covisian S.p.A., the company appointed to operate, as data processor, on behalf of the aforementioned data controller, pursuant to a specific contract signed pursuant to art. 28 of the Regulation. Covisian S.p.A., with communications dated 22 November and 16 December 2022, in compliance with the instructions provided by the data controller, represented the need, advanced by the latter, to make use of the extension of the deadline provided for by art. 12, par. 3 of the Regulation. The response to the data subject's requests was therefore provided by Hera Comm S.p.A. on 16 January 2023. In the aforementioned response note, the role of data processor pursuant to art. 28 of the Regulation entrusted to Covisian S.p.A. was confirmed and, with respect to the specific request for access to the data, it was stated "that this is common data, i.e. identification data (name, surname, tax code/VAT number), contact details (landline/mobile telephone number, email, certified email, fax), address of residence/domicile" (see response note of 16 January 2023, page 1). Lastly, in the context of the on-site accesses, “it was not possible to view the complaint in the [S.Co.Re.] system, as (..) it was directly managed by the DPO Office which provided the relevant feedback regarding the exercise of rights, via Hera Comm PEC, on 16 January 2023” (see minutes of 18 April 2023, page 6);

the request for access, submitted on 3 January 2023, was submitted in order to “know all the personal information processed by Hera Comm, as well as, more specifically, the data (including their origin) used for the scoring relating to the credit reliability of the interested party in response to the request for activation of a gas and electricity supply”. With respect to the same, Hera Comm S.p.A., initially, did not provide any feedback. Following a request from the complainant (see complaint request dated 1 March 2023, Annex 4), on 21 March 2023, the Company responded by sending only “a copy of the privacy information including the privacy information pursuant to Articles 13 and 14 of EU Regulation no. 2016/679 and Article 6 of the Code of Conduct for information systems managed by private entities in the field of consumer credit, reliability and punctuality in payments” (see note from the complainant dated 22 March 2023, Annex 1). During the on-site visits, it emerged that the interested party’s request “was not present within S.Co.Re., but was displayed in the Siebel CRM”. In this regard, the Company has in fact specified that "when the complaint was registered due to a technical problem, the order line that would have allowed the passage to S.Co.Re. was not created. The responsible function (Customer value management) has in any case provided feedback (...), from the address comunicazioni.crm@gruppohera.it, on 21 March 2023; all this following the periodic consistency checks of what is present on Siebel carried out to recover the practices not uploaded to S.Co.Re. due to occasional misalignments between the systems" (see minutes of 18 April 2023, page 7).

3. Notification of violations and defense briefs.

With communication dated 14 December 2023, the Office, on the basis of the documentation in the files and the elements acquired during the investigation, notified Hera Comm S.p.A. the initiation of the procedure for the adoption of the measures referred to in Articles 58, paragraph 2, and 83, of the Regulation in relation to the violation of Article 5, paragraph 1, letters a), b), d), e) and f), and paragraph 2; of Article 12, paragraph 3; of Article 15; of Article 24; of Article 28 and Article 32 of the Regulation; this in accordance with the provisions of Article 166, paragraph 5, of the Code.

In this regard, the Company, with a communication dated 26 January 2024, sent its defence papers, further integrated at the hearing of 12 March 2024 and through a note dated 22 March 2024, representing, among other things, at that time that, with regard to the late response provided to the request to exercise rights dated 3 January 2023, the same was due to "a technical glitch in the systems that prevented the passage of the complaint on the Score platform, responsible for managing this type of request".

It also highlighted that "it is the rule that the Company provides the response to the requests referred to in art. 15 of the Regulation by indicating in a timely manner all the data relating to the interested party that are subject to processing and not only the categories of data processed". Therefore, “the two requests [to exercise rights], represented as discrepancies, constitute a truly small number compared to the total number of cases managed” (see note of 26 January 2024, pages 7-8).

It also highlighted that it promptly took action, following the inspections of the Guarantor and the notification of the violation transmitted by the same, by adopting the following measures:

a) in relation to the methods of acquiring a copy of the customer's identity document, it evaluated the development of “an app that manages the acquisition of the image of the documentation and sending it to a company storage, without the image being saved on the agent's device”. In the instructions dedicated to the door-to-door channel, it was also expressly provided that, "in the phase of acquiring a copy of the valid identity document of the customer and any delegate, provided with a specific delegation, if the agent were to proceed with photographic acquisition, given the impossibility of proceeding otherwise, he/she must proceed with the immediate deletion of the relative images from the mobile devices once the sending to Hera Comm or the insertion into the information system of the same has been completed" (see note of 26 January 2024, page 8);

b) in relation to the instructions to be given to data processors pursuant to art. 28 of the Regulation, the Company, from December 2023, has introduced new forms relating to the contractual relationship with the agencies, containing updates and additions to the instructions provided to the agents, which also include a "specific focus on the protection of personal data". These are distinguished in relation to each sales channel and are "collected in the Sales Manual, attached to the contract". The review activity in question was also aimed at "setting up a more incisive and effective internal control system; (..) updating the envisaged sanctioning system, also in light of the case law of the Guarantor; providing for evaluation processes of agencies and sub-agencies (..) which take into particular consideration the profiles inherent to the processing of personal data; provide for contractual measures to control the chain of sub-agencies, in particular with regard to the processing of personal data” (see note of 26 January 2024, pages 18-20);

c) with reference to the training of agencies, a system has been implemented that provides for the provision of “initial training at the start of a new agency relationship, [as well as] periodic training sessions, delivered and reported on at least an annual basis”. Furthermore, “with regard to agencies for which a contractual relationship is already in place, starting from January 2024, the provision of training sessions dedicated to the legislation on the protection of personal data with a specific focus on the operating instructions provided for agencies has been provided for”. With regard to the training provided by the agencies, it has been established that the same be "carried out using the training material provided by Hera Comm", which can be consulted in a specifically dedicated area present on the Company's systems, and that the agency must "document the training carried out through attendance registers signed by participants and teachers". Furthermore, Hera Comm S.p.A. "through the construction of a specific report, will verify that the agencies (at least one user per agency) download the training materials" (see note of 26 January 2024, pages 20-21);

d) with reference to the transmission of the welcome letter, "Hera Comm, with a view to improving processes as well as greater caution towards customers, has decided to implement [probably by March 2024] a tracking system aimed at providing confirmation of the delivery and receipt of the welcome letters". The system provides in detail:

in the event of sending by email or with an OTP flow with a negative outcome, sending the same on paper to the address defined in the contractual phase or, also to the supply address, if different from the first;

in the event of transmission by paper method with a negative shipment outcome, sending a notification via email/sms containing the notice of non-delivery of the documentation. If the customer's email/sms contact details are not present, an investigative agency will carry out, on behalf of Hera Comm S.p.A., a search for the address of residence/registered office resulting from the consultation of public databases. "If the search has a positive outcome, Hera Comm will correct the customer's personal details and will resend the paper package, using the new address". If even this last shipment continues to have a negative outcome, the management of the case will be entrusted to a second level structure (see note of 26 January 2024, pages 9-10);

e) regarding the system of so-called Active Monitoring of agencies, the same has been subjected to a review process, at the end of which, starting from 1 December 2023, the following evaluation parameters have been introduced:

the "percentage of calls that have not had an outcome (so-called not found, i.e. without contact with the customer)". The Company has established that all agents who have a number of not found calls (i.e. unreachable) higher than a certain threshold (initially set at 80% and, from March 2024, at 50%) are directly subjected to Active Monitoring. Consequently, the Company “has increased the cases in which the quality call becomes blocking (…), further raising the rating levels below which an agent is placed under Active Monitoring as well as extending Active Monitoring to those agents/agencies for which events considered potentially indicative of improper conduct have been found”;

“the acquisition of reports or complaints regarding a false signature, extorted will or unsolicited contract, against an agent which, following the investigation, prove to be well-founded”. Hera Comm S.p.A. has established that these circumstances are in themselves sufficient to cause the agent to be subjected to “Active Monitoring” (see note dated 26 January 2024, pages 11, 24 and 25; see also note dated 22 March 2024, page 3);

f) in order to verify the agents' work, Hera Comm S.p.A. has implemented a "control and monitoring system aimed at verifying that the agencies and sales personnel act in compliance with the new instructions" provided. For this purpose, since September 2023, the "Sales Support & Control office" has been established with the task of "designing and implementing a second-level Internal Control System aimed at measuring and contributing to the improvement of the quality [of the agencies' work]". This activity is structured, among other things, on the use of a tool, called "Dashboard", aimed at "collecting, starting from the company databases, KPIs [i.e.] useful indicators both for quality control and for the prevention and detection of fraud".

Furthermore, the Company, “with the aim of having all non-conformities detected with respect to the individual agent tracked in the system” to be taken into consideration “in order to apply the sanctions envisaged and to decide whether to subject the agent to active monitoring or whether to activate further controls”, has implemented a tracking process on Salesforce. The same concerns “the results of the privacy check in terms of contact methods (compliant/non-compliant) and methods of concluding the contract (compliant/non-compliant)”, as well as “all non-conformities, including those detected during the quality call”. Finally, “the period for opening the quality calls has been shortened, from 50 to 30 days, with the aim of being able to extract the list of non-conformities with a shorter frequency” (see note of 26 January 2024, pages 11, 26 and 27);

g) in relation to the adoption of alert systems aimed at detecting procedural anomalies in the hands of agents and agencies, Hera Comm S.p.A. has implemented the IT tool called Dashboard (see above, letter f) of this decision) "which allows for a variety of [modular] analyses of the data relating to the sales of the Agencies"; this for each anomaly detected, "based on the hierarchical level and based on predetermined time intervals". The main anomaly indicators currently present in the Dashboard are:

the percentage of quality calls closed with a KO outcome on the total number of calls answered;

the percentage of quality calls closed without a response from the customer compared to the total number of calls activated;

the number of contracts stipulated for each Agent;

the percentage of Value Added Services sold compared to the total number of supply contracts acquired for each Agency;

the percentage of non-compliance in a six-month period compared to the total number of contracts acquired in a given period;

the number of contracts for which the customer has exercised the right to reconsider;

the uploading into the system of multiple contract proposals in the name of the same subject;

the number of contracts that show a discrepancy between the supply address and the contact address.

The identification of the aforementioned anomaly indicators is in any case the subject of “continuous analysis and continuous refinements” by the Company. More specifically, for each newly implemented indicator, “a series of values are collected that are then evaluated in order to define the threshold within which the value appears congruent/average and beyond which appropriate in-depth analyses should be carried out”.

Lastly, in relation to the implementation of anomaly alerts regarding the inaccuracy or incompleteness of the contractual data acquired by the agencies, Hera Comm S.p.A. stated that “subsequent to the uploading of the contract by the agency, [the Company] – through the Sales Support & Control structure – verifies (…) all the documentation that the agents must compulsorily attach and that what is uploaded to the company information systems is compliant with what is present in the request for contractual activation”; this with particular reference to the customer data, to the verification of the identity document attached to the proposal, as well as to the signature placed by the customer in the contractual forms (see note of 26 January 2024, pages 13-16 and supplementary note of 22 March 2024);

h) regarding data retention and data segregation measures, the Company represented that, with regard to the processing of information "of the interested parties with respect to whom a complaint for unsolicited activation has been accepted, data retention has been determined at ten years, starting from the closure of the complaint". In this regard, it has also been "provided that such data will remain on the system for the first two years, after which they will be archived in Azure - therefore on a separate and different system - where they will remain available for any consultation needs until the expiry of the aforementioned ten-year term" (see note of 26 January 2024, pages 21-22);

i) still with reference to the measures for segregating the personal information of data subjects for whom a complaint for unsolicited activation must be accepted, Hera Comm S.p.A. intends to apply “processing limitation methods in order to guarantee the segregation [of the aforementioned data] (…) with respect to those processed in the context of ordinary customer management activities. In particular, the Company has defined that the processing limitation must be applied on the systems by limiting the processing of data (in terms of access and visibility) to a selected group of persons in charge, based on the specific role they play in managing practices relating to unsolicited activations”. With respect to these measures, some “feasibility assessments are underway, also in terms of technical solutions and implementation times” (see note of 26 January 2024, pages 21-22);

j) in order to carry out checks and/or further investigations into the accuracy of the personal data acquired with reference to other contracts stipulated by the agents with respect to which irregularities had been highlighted, regardless of the presentation of a complaint by the interested parties, the Company has represented its intention to “adopt, within the first half of 2024, the following measures against the agents for whom serious non-conformities have been detected:

with regard to the so-called in-flight contracts, for which the quality call activity has not yet been started, the contracts will be subjected to a blocking quality call;

with regard to the contracts already active, however, the Company will carry out random checks regarding the presence of any further reports or complaints” (see note of 26 January 2024, page 16);

k) with regard to the procedures concerning quality calls, Hera Comm S.p.A. has implemented the following measures to facilitate their finalization:

sending e-mails/text messages to all customers, recipients of the aforementioned calls, containing the notice "that the Company is attempting to contact them to assess the quality of the contract, (...) inviting them to respond or, if unable to do so, to call back [Hera Comm S.p.A.] through a dedicated toll-free number";

the introduction of a single telephone number for making quality calls, "callable by customers who, by doing so, can contact the call center dedicated to the activity again and proceed to the conclusion of the quality call during the recontact phase";

the provision of the "possibility of carrying out contractual quality verification activities also at the Hera Comm branches" (see note 26 January 2024, pages 23-24);

l) the Company has finally represented the intention to create, "within the first half of 2024, (..), within the personal area accessible from the Online Services and the APP, a portal dedicated to order confirmation and closing of the quality call, which the customer can access independently through a link that he will receive via SMS", as well as to insert "in the script of the quality call dedicated to the indirect physical network channel (Door to door Agency, Retail Agent, Master Dealer and HC Point) the so-called privacy check step". This step consists of a series of questions asked by the operator to the customer in order to verify the legitimacy or otherwise of the contact methods or the conclusion of the contract. The customer, at this stage, also has the possibility of confirming, through the so-called regularization procedure, his willingness to contract even if non-compliance by the agent has emerged (see note of 26 January 2024, pages 23-26).

4. The outcome of the investigation.

First of all, it is stated that, unless the fact constitutes a more serious crime, anyone who, in a proceeding before the Guarantor, falsely declares or certifies information or circumstances or produces false acts or documents is liable pursuant to art. 168 of the Code "False declarations to the Guarantor and interruption of the execution of the duties or exercise of the powers of the Guarantor".

Having duly stated this, in light of the elements acquired during the proceeding as well as the subsequent assessments carried out by this Office, also with regard to the additional elements received after the aforementioned inspection activity, the following has been ascertained.

4.1. The unlawfulness of the processing of customers' personal data through door-to-door agents and complaints regarding unsolicited activations.

With regard to complaints regarding unsolicited activations, it emerged that the processing at issue was carried out by Hera Comm S.p.A., in its capacity as data controller, through some door-to-door agencies, designated pursuant to art. 28 of the Regulation as data processors.

All this during the period in which the aforementioned agencies operated in order to procure potential customers on behalf of the Company, namely, on the basis of the documentation on file, the period from 1 January 2021 to 30 April 2023 (see minutes of 18 April 2023, Annex 7 and note of 10 November 2023, page 2 and Annex 1).

The conduct in question, due to the organizational and management methods in place within the new customer acquisition system implemented by Hera Comm S.p.A. – as explained in more detail below –, resulted in processing of the personal data of complainants and other potential customers that does not comply with the regulations in force as it is contrary to the general principles of processing pursuant to art. 5 of the Regulation.

All this with particular reference to the specific methods implemented by some agents when acquiring contractual proposals through the processing of inaccurate and outdated customer data.

The investigation also highlighted that, although the processing that was the subject of the complaint was implemented by processors pursuant to art. 28 of the Regulation who operated, as agents, in violation of the instructions given by the controller (see minutes of 17, 18 and 19 April 2023), the technical and organizational measures adopted by Hera Comm S.p.A., in the context of customer acquisition processes via the door-to-door agency channel, were not adequate to the nature, context, purposes and risks of the aforementioned processing, constituting a violation of the principles of "accountability" and "integrity and confidentiality" (art. 5, par. 1, letter f) and par. 2, art. 24 and art. 32 of the Regulation).

On this point, it is indeed appropriate to note that, pursuant to the aforementioned principle of accountability, the controller is the person to whom the "general responsibility" is attributed for the processing that it has implemented directly or that others have carried out on its behalf, thus placing on it the burden of implementing an organizational and management system characterized by real and effective data protection measures that are also verifiable (see recital 74 and articles 5, paragraph 2 and 24 of the Regulation); this not only through the correct and timely preparation of the obligations imposed by the data protection legislation (information, register of processing activities, appointment of the data protection officer where mandatory, impact assessment where necessary, etc.), but above all through the implementation of procedures and organizational practices aimed at conforming the related processing to the same Regulation (e.g. processing mapping processes; rules for the attribution of responsibilities; staff training programs; procedures for verifying the work of the processors designated pursuant to art. 28; provision of internal and external audits on a periodic basis; etc.; see Art. 29 Group, WP 173 of 13 July 2010 - Opinion 3/2010 on the principle of accountability, pages 11-12).

In the specific energy and gas sector, moreover, the Guarantor has already expressed itself, since December 2019, regarding the organizational and management methods that a data controller, operating as an energy supplier in the free market, must implement, when acquiring new customers, to guarantee and be able to demonstrate that the processing is carried out in compliance with the Regulation (see provision of 11 December 2019, web doc. no. 9244358; but see also, more recently, provision of 28 September 2023, web doc. no. 9940988 and provision of 12 October 2023, web doc. no. 9965217).

These decisions, although addressed to specific operators, contain indications of general scope in relation to the technical and organizational measures that an energy supplier is required to adopt, during the contractualization operations of its customers, in order to guarantee the accuracy of the personal data processed by the processors appointed pursuant to art. 28 of the Regulation and to verify compliance with the instructions given to them.

From the findings that emerged during the on-site inspections, as well as from the examination of the documentation in the files, on the other hand, several shortcomings were highlighted in the privacy policies implemented by Hera Comm S.p.A. in the sector under consideration; policies that appeared to be lacking and ineffective, especially in terms of guaranteeing the accuracy of the data processed, the security of the processing and the control of the actions of the persons authorized for this purpose.

The inadequacy and incompleteness of these procedural methods have allowed some subjects (specifically the agents) to operate in violation of the instructions given by the controller, with repercussions on the lawfulness of the related processing, in particular in terms of its fairness and the quality of the data processed.

This is clearly evident from the procedures for verifying the work of the agencies designated as processors, implemented by Hera Comm S.p.A., as detailed in the terms that follow.

4.2. The inadequacy of the technical and organizational measures adopted by the Company in the context of customer contracting activities.

First of all, it emerged that the collection of personal data of potential customers, by door-to-door agents, is carried out on the basis of instructions provided by Hera Comm S.p.A. to its agents in the "Sales Manual" attached to the agency contract (see minutes of 17 April 2023, Annex 2).

On this point, the Company declared that the aforementioned collection takes place exclusively through the use of paper contractual forms to which a copy of the customer's identity document must be attached. The aforementioned document can be acquired, via the agent's personal mobile device, also via a photographic image (see minutes of 17 April 2023, page 4).

In this regard, it should be noted that the instructions given by the Company with the aforementioned Manual do not contain detailed indications on the paper methods of collecting the personal data of potential customers, nor specific instructions on the procedures for verifying their identity, leaving the agent with excessive margins of discretion regarding the tools to be used for this purpose.

This deficiency means that the agent can acquire − as also declared by the Company during inspections (see minutes of 17 April 2023, page 4) − a copy of the customers' identification document, also via a photographic image, taken via their personal mobile device.

However, the aforementioned procedure does not appear to be suitable given the measures that the controller must adopt to ensure that the processing complies with the principle of integrity and confidentiality (art. 5, par. 1, letter f) and art. 32 of the Regulation). In fact, that procedure is not able to ensure that the personal data in question is only transmitted to the Company's systems and that, after such transmission, it is immediately deleted from the agent's device.

All this entails the risk that the aforementioned documentation remains in the full availability of the agent and that it is therefore used by the latter inappropriately for the future activation of further unsolicited contracts.

Otherwise, providing agents with specific equipment that allows them to directly upload customer data to the Company's CRM (such as tablets or mobile applications to be used exclusively for the acquisition of contractual proposals or, at least, for the phase of collecting a copy of the customer's identity document), would allow the controller to have greater certainty about the security of the processing carried out by agents on behalf of Hera Comm S.p.A.

With reference to this issue, it is noted that Hera Comm S.p.A. has implemented, following the notification of violation, a mobile application (hereinafter "App") aimed at acquiring the image contained in the customer's identification document; App that provides for the sending of the latter to the Company's systems, without saving it on the agent's devices (see paragraph 3, letter a) of this decision).

In this regard, however, it should be noted that, in order to prevent illicit use of the App by agents (also possibly through any sub-agents), it appears necessary to adopt a series of additional measures, such as the provision that the App in question can be downloaded exclusively from official stores, that it can only be installed on the device uniquely associated with the agent (for example by sending a confirmation PIN), and that it can only be used through one device at a time.

Beyond the implementation of the aforementioned technical measures, the Company is in any case required to carry out periodic checks aimed at monitoring any anomalous use of the App (e.g. excessive uploads by some agents compared to the average; use of the App at unconventional times; simultaneous access from the same account; etc.).
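The periodic checks described in the two paragraphs above can be expressed as simple queries over the App's upload log. The following is an added example, not code from the decision or from Hera Comm S.p.A.: it runs the three checks the Guarantor names (uploads well above the per-agent average, uploads at unconventional hours, and one account used from two devices within a short window) over a constructed log. The log format, the agent and device identifiers, the 08:00 to 20:00 working window, the 2x-average factor and the 10-minute window are all assumptions made for the example.

```python
"""Periodic checks on an identity-document upload log (added example).

Assumptions (not from the decision): log records are
(agent account, device id, ISO-8601 upload time); "excessive" means
more than `factor` times the average per-agent upload count;
"unconventional" means outside 08:00-20:00; "simultaneous access"
means two different devices on one account within 10 minutes.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample log: (agent account, device id, upload timestamp).
UPLOAD_LOG = [
    ("AG-001", "DEV-A1", "2024-03-04T09:15:00"),
    ("AG-001", "DEV-A1", "2024-03-04T11:40:00"),
    ("AG-002", "DEV-B7", "2024-03-04T10:05:00"),
    ("AG-002", "DEV-B7", "2024-03-04T15:30:00"),
    ("AG-003", "DEV-C2", "2024-03-04T02:10:00"),  # night-time upload
    ("AG-003", "DEV-C2", "2024-03-04T09:00:00"),
    ("AG-004", "DEV-D4", "2024-03-04T09:00:00"),
    ("AG-004", "DEV-D9", "2024-03-04T09:04:00"),  # second device, 4 minutes later
    # AG-005 uploads twelve documents in two hours, far above the others.
    *[("AG-005", "DEV-E5", f"2024-03-04T{10 + i // 6:02d}:{(i % 6) * 10:02d}:00")
      for i in range(12)],
]


def parse_log(log):
    """Turn raw log tuples into (agent, device, datetime) tuples."""
    return [(agent, device, datetime.fromisoformat(ts)) for agent, device, ts in log]


def excessive_uploaders(log, factor=2.0):
    """Agents whose upload count exceeds `factor` times the average per agent."""
    counts = Counter(agent for agent, _, _ in log)
    avg = mean(counts.values())
    return sorted(agent for agent, n in counts.items() if n > factor * avg)


def off_hours_uploads(log, start_hour=8, end_hour=20):
    """Uploads outside the assumed working window [start_hour, end_hour)."""
    return [(agent, ts.isoformat()) for agent, _, ts in log
            if not start_hour <= ts.hour < end_hour]


def concurrent_device_use(log, window=timedelta(minutes=10)):
    """Accounts used from two different devices within `window` of each other."""
    by_agent = defaultdict(list)
    for agent, device, ts in log:
        by_agent[agent].append((ts, device))
    flagged = set()
    for agent, events in by_agent.items():
        events.sort()  # chronological order per account
        for (t1, d1), (t2, d2) in zip(events, events[1:]):
            if d1 != d2 and t2 - t1 <= window:
                flagged.add(agent)
    return sorted(flagged)


def run_checks(raw_log=UPLOAD_LOG):
    """Run all three checks and return the findings keyed by check name."""
    log = parse_log(raw_log)
    return {
        "excessive": excessive_uploaders(log),
        "off_hours": off_hours_uploads(log),
        "concurrent": concurrent_device_use(log),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

On the constructed log the checks flag AG-005 for volume, AG-003 for the 02:10 upload and AG-004 for two devices four minutes apart. In a real deployment the thresholds would be derived from the controller's own baseline, in the same way the decision describes thresholds for the Dashboard indicators being set after observing a series of values.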

It is also noted that, on this point, some additional critical issues still remain, given the clarification provided by Hera Comm S.p.A. in their defense documents, concerning the specific instructions given by the Company regarding the door-to-door channel (see note of January 26, 2024, page 8). The latter, in fact, continue to provide that the agent, if unable to use the aforementioned App, can still acquire a copy of the identity document via his own device.

Indeed, these instructions, in the above-updated formulation, do not yet appear to be in line with what is required of the controller by Articles 5, paragraph 1, letter f) and 32 of the Regulation, considering that, although they establish that the agent, in the case cited above, must promptly proceed to the deletion of the acquired images, the Company has not, however, provided for measures to prevent any fraudulent use of the aforementioned documentation by operators (such as, for example, the use of BYOD MDM software).

Furthermore, Hera Comm S.p.A. did not specify that the above-mentioned procedure must constitute an exceptional circumstance (limited, for example, exclusively to anomalous malfunctions of the App), nor did it adopt a system of specific organizational measures, such as periodic checks, aimed at assessing whether the acquisition of photographic images via the agent's mobile device was actually carried out only in the cases strictly provided for.

During the on-site checks, it was also noted that, following the signing of the contractual package, the customer acquisition process by door-to-door agencies includes a "verification" phase of the contractual intention (and consequently of the quality of the data processed and entered by the agents in the company application) based on a confirmation call, the so-called quality call, to the telephone number indicated in the proposal.

In this regard, it should be noted that the untraceable (so-called "not found") outcome of the aforementioned check call, i.e. the absence of a response from the customer, in most cases does not interrupt the contractualization process which, therefore, still comes to a conclusion, determining, even in this case, the activation of the energy supply.

In fact, the unavailability of the customer during the quality call phase prevents the completion of the contract only where "the contractual proposal comes from agencies subject to so-called active monitoring" (see minutes of 17 April 2023, page 5).

On this point, with regard to the process according to which an agency is subjected to so-called Active Monitoring, it is worth specifying that the rating – “given by the ratio between positive Quality calls (i.e. the number of quality calls that resulted in the confirmation of the contract by the customer) compared to the total successful Quality calls (i.e. the number of quality calls that received a response from the customer, regardless of whether the contract was confirmed or not)” – is calculated “monthly by the Company for the same Agency”.

Where “the rating of the previous month was lower than the defined percentage (88%)”, the agency “is placed in the Active Monitoring status (..) and if the customer does not respond to the call, the contract is cancelled due to lack of confirmation by the customer” (see note of 19 May 2022, Annex 3, par. 6.3; see also minutes of 17 April 2023, page 5).

This system - which takes into account only the proportion between the check calls, following which the customer's contractual adhesion was confirmed, and the number of check calls to which the customer responded - does not appear to be sufficient to prevent possible illicit acts as it suffers from the limitation of being set on a partial calculation.

For example, it should be noted that, if hypothetically out of 1000 quality calls carried out, only 10 receive a response from customers (9 of which confirm their contractual intention), the agency, due to the rating system mentioned above, would still obtain a high score despite the remaining number of quality calls carried out (990) having ended with an untraceable outcome.

Therefore, given that only 10 customers were reached by the quality call, out of a total of 1000 contractual proposals acquired by the same agency, the latter would not fall within the so-called Active monitoring and the contractualization process would continue in any case, with respect to the remaining 990 proposals. The verification system set up by Hera Comm S.p.A., in relation to the activities carried out by its agents, is therefore ineffective; this is because the rating process does not take into consideration a piece of data that is significantly relevant, in the context in question, namely the total number of check calls made by the operators, including those with an untraceable outcome.
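The flaw in the rating is easiest to see when the formula is written out. The following is an added example, not the Company's code or the Guarantor's: `hera_rating` implements the ratio quoted in the decision (confirmed calls over answered calls), `not_found_share` adds the figure the Guarantor says is missing, and `active_monitoring` combines the 88% rating threshold with the "not found" threshold (80%, then 50%) and the founded-complaint trigger described in paragraph 3, letter e). The same block also implements two of the Dashboard indicators listed in paragraph 3, letter g): multiple proposals in the name of the same subject, and a mismatch between supply and contact address. The `CallStats` type, the contract records and the helper names are constructed for the example; the numbers in the worked case (1000 calls, 10 answered, 9 confirmed) are those used by the Guarantor.

```python
"""Agency rating and Dashboard indicators (added example, not the Company's code).

Assumptions: CallStats fields are counts over one month for one agency;
founded complaints are passed in as a count; proposals are
(proposal id, customer tax code, supply address, contact address).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class CallStats:
    total: int      # quality calls attempted (one per contractual proposal)
    answered: int   # calls in which the customer picked up
    confirmed: int  # answered calls in which the customer confirmed the contract


def hera_rating(s: CallStats) -> float:
    """Rating as quoted in the decision: confirmed / answered. Unanswered calls are ignored."""
    if s.answered == 0:
        return 0.0  # assumption: no answered calls at all gives the worst rating
    return s.confirmed / s.answered


def not_found_share(s: CallStats) -> float:
    """Share of calls that never reached the customer: the figure the rating leaves out."""
    return (s.total - s.answered) / s.total if s.total else 0.0


def active_monitoring(s: CallStats, rating_threshold=0.88,
                      not_found_threshold=0.50, founded_complaints=0) -> bool:
    """True when the agency must be placed under Active Monitoring.

    Triggers: rating below 88 % (original rule), not-found share above the
    threshold (80 % initially, 50 % from March 2024), or at least one founded
    complaint of false signature, extorted will or unsolicited contract.
    """
    return (hera_rating(s) < rating_threshold
            or not_found_share(s) > not_found_threshold
            or founded_complaints > 0)


def proposals_blocked(s: CallStats, monitored: bool) -> int:
    """Proposals that cannot proceed: unanswered calls block only under monitoring."""
    return (s.total - s.answered) if monitored else 0


# Constructed proposals uploaded by one agency: (id, tax code, supply address, contact address).
PROPOSALS = [
    ("P1", "TAXCODE-AAA", "Via Roma 1, Bologna", "Via Roma 1, Bologna"),
    ("P2", "TAXCODE-BBB", "Via Verdi 5, Modena", "Via Verdi 5, Modena"),
    ("P3", "TAXCODE-AAA", "Via Roma 1, Bologna", "Corso Italia 9, Rimini"),  # same subject, other contact
    ("P4", "TAXCODE-CCC", "Via Mare 3, Ravenna", "Via Mare 3, Ravenna"),
]


def duplicate_subject_proposals(proposals):
    """Dashboard indicator: several proposals in the name of the same subject."""
    by_subject = defaultdict(list)
    for pid, tax_code, _, _ in proposals:
        by_subject[tax_code].append(pid)
    return {tc: pids for tc, pids in by_subject.items() if len(pids) > 1}


def address_mismatches(proposals):
    """Dashboard indicator: supply address differs from the contact address."""
    return [pid for pid, _, supply, contact in proposals if supply != contact]


if __name__ == "__main__":
    worked = CallStats(total=1000, answered=10, confirmed=9)
    print("rating:", hera_rating(worked))                 # 0.9, above the 88 % bar
    print("not found:", not_found_share(worked))          # 0.99
    old_rule = active_monitoring(worked, not_found_threshold=1.0)  # rating only
    print("monitored under rating-only rule:", old_rule)  # False: 990 proposals proceed
    print("monitored with not-found check:", active_monitoring(worked))  # True
    print("proposals blocked once monitored:", proposals_blocked(worked, True))  # 990
    print("duplicates:", duplicate_subject_proposals(PROPOSALS))
    print("address mismatches:", address_mismatches(PROPOSALS))
```

Passing `not_found_threshold=1.0` disables the not-found trigger and reproduces the original rating-only rule, which is why the worked case passes it while 990 of the 1000 proposals proceed without any customer confirmation.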

Following these latter check calls, despite the lack of response from the customer, the relevant supplies are activated in any case, even where the calls refer to contractual proposals that could be the result of the unlawful processing of potential customers' data.

In confirmation of the ineffectiveness of this system, it is also noted that, from the documentation acquired during the inspections, in the month of April 2023, in the face of 176 complaints for unsolicited activation, received from 1 January to 30 April 2023, and 377 “Non-Conformities” found by the Company in the same period (see note of 10 November 2023, Annex 1), only one agency was found to be subjected to “Active Monitoring” (see minutes of 18 April 2023, Annex 2).

It should also be added that, as expressly stated by the Company, the calculation of the agencies' ratings is not affected by the data relating to the receipt of "any reports or complaints" concerning contracts procured by the same agency, nor by that concerning "the actual activation of the supply" (see minutes of 17 April 2023, page 5).

On this point, it should be noted that the Company, following the notification of violation, has increased the effectiveness of the "Active Monitoring" system of the agents, first of all by introducing a further anomaly parameter consisting in the acquisition of reports or complaints concerning any non-compliance with an agent (where founded) and, at the same time, by reviewing the rating calculation process (see, in this sense, paragraph 3, letter e), of this decision).

However, these changes do not yet constitute sufficiently adequate measures in terms of accountability, since Hera Comm S.p.A. has not implemented a blocking quality call system (i.e. one that interrupts the continuation of the contractualization process) in all cases in which the customer has not responded to the call attempts made by the Company (so-called “not found” outcome of the verification call).

The aforementioned measure appears necessary, on the other hand, given that, where the quality call has not been successful due to the customer being unavailable, the processing of the related personal data does not comply with the principles of lawfulness, correctness and accuracy of the customer's personal data; this is because no confirmation has been provided by the latter of the will to adhere to the contract (and, therefore, by extension also of the accuracy of the personal information collected by the agent at the time of the proposal).

It should also be noted that the adoption of the aforementioned organizational measure has already been subject to prescription, precisely in the context of activations of supply contracts in the energy sector, by the Guarantor in the decisions of 11 December 2019 and 28 September 2023 mentioned above.

Finally, it should be noted that the Company has also represented the intention to introduce, in the script of the quality call, a specific phase, called "privacy check", which consists of a series of questions asked by the operator to the customer in order to verify the legitimacy or otherwise of the contact methods or conclusion of the contract.

This phase provides, among other things, the possibility for the interested party, where a presumed non-compliance by the agent emerges, to confirm, during the aforementioned call, through the so-called regularization procedure, his willingness to contract with Hera Comm S.p.A. in any case (see paragraph 3, letter l) of this decision).

However, the aforementioned provision does not appear to comply with the Regulation, since the quality call, which by its nature consists of a call aimed at verifying the validity of the contractual will of the interested party (and consequently the accuracy of the data collected by the agent), must be carried out exclusively for the pursuit of this specific purpose and to protect the rights of the interested parties and cannot constitute a further opportunity to process the data of the latter - presumably illegally acquired by the agent - in order to convey contractual proposals to new potential customers. It has also been ascertained that, following the quality call, the contractualization process continues by sending, before switching, a welcome letter to the email or physical address indicated by the customer when signing the contract (see minutes of 17 April 2023, pages 5, 6 and 8).

However, the system thus conceived, since it is based solely on contact details acquired by the agent, does not provide sufficient certainty of the correspondence of the latter with the actual user of the service; in doing so, Hera Comm S.p.A. accepts, without introducing adequate containment measures, the risk of acquiring unsolicited contracts containing inaccurate and out-of-date personal data.

It should also be noted, in this regard, that the transmission of the aforementioned welcome letter is not carried out through methods that allow the controller to have evidence of the actual receipt of such documentation by the customer (such as, for example, the use of confirmation messages of receipt and reading of the content of the communication), with the possibility that it, if transmitted to an address not belonging to the potential customer, is never actually viewed by the latter.

In this regard, it is therefore noted that the provision of a different communication system with the interested party (such as, for example, the transmission of the contractual proposal, in addition to the address in the contract, also by post to the address of the POD/PDR to which the supply relates, through a delivery tracking service) could allow for greater certainty of the exact delivery of the documentation in question, making it possible to intercept the anomaly found in the affected agencies at a stage even prior to the activation of the related contracts, limiting the negative consequences for the interested parties.

Lastly, it emerged that Hera Comm S.p.A. did not equip itself, for the purposes of verifying the accuracy of the personal data contained in the contracts procured by the agencies, with alert systems sensitive to various procedural anomalies (such as, for example, the discrepancy between the supply address and the customer's contact address; the anomalous number of quality calls with an untraceable outcome; the inaccuracy or incompleteness of the contractual data acquired; the uploading into the system of multiple contract proposals in the name of the same subject; the excessive and unusual number of contracts stipulated by each agent; etc.; see minutes of 17 April 2023, page 9 and Annex 6).

Likewise, the Company did not provide evidence of the performance of checks and/or investigations (not even on a sample basis) on the accuracy of the personal data acquired with reference to the other contracts stipulated by the agents with respect to which irregularities had been highlighted, regardless of the presentation of a complaint by the interested parties (for example, through a customer care activity of the customers contracted by the same agents, aimed at ascertaining the actual legitimacy of the contracts activated therein and of the processing carried out; see minutes of 17 April 2023, page 7 and Annex 2; see also minutes of 18 April 2023, pages 2-3).

On this point, it is noted that the measures adopted by the Company following the notification of violation do not appear to be entirely compliant with what is contested therein, given that they provide, with regard to contracts already active, that random checks are limited exclusively to the "presence of any further reports or complaints" (see in this sense, paragraph 3, letter j), of this decision).

The measures adopted by Hera Comm S.p.A. for the purposes of verifying the accuracy of the data processed by the agent, as described above, therefore appear, in consideration of the risks associated with the processing carried out, as well as the nature and context of the same, substantially inadequate to make the latter compliant with the provisions of the Regulation; this considering that the phenomenon of unsolicited activations, especially through the methods actually used in the cases under examination, was already fully known for years in the reference sector, as demonstrated not only by the provision of the Guarantor of 11 February 2019 cited above, but also by the various and numerous decisions adopted by other Authorities in their respective areas of competence in relation to illicit conduct aimed at concluding contracts without the knowledge of potential customers (see among many, AGCM, provisions of 21 December 2016, ref. PS6259, PS10114 and PS10338; AGCM, provision of 13 December 2022, no. 30422).

Overall, the above findings therefore imply the violation, by Hera Comm S.p.A., of the provisions of art. 5, par. 1, letters a), d) and f), and par. 2; art. 24 and art. 32 of the Regulation.

4.3. Failure to comply with the obligations to supervise the work of the agencies.

With regard to the agents appointed, pursuant to art. 28 of the Regulation, to carry out personal data processing activities by Hera Comm S.p.A., it should be noted that the Company, as the data controller, is required to "use only data processors who provide sufficient guarantees to implement appropriate technical and organizational measures" to comply with the Regulation (art. 28, par. 1 of the Regulation).

This provision, as highlighted by the European Data Protection Board itself (see EDPB, Guidelines of 7 July 2021, no. 07/2020 on the “concepts of data controller and data processor under the GDPR”, hereinafter “Guidelines 7/2020”), takes on the characteristics of “a permanent obligation” under which the controller must, “at appropriate intervals, [...] verify the guarantees offered by the data processor” (see EDPB, Guidelines 07/2020, paragraphs 94, 99 and 114, cit.).

All this both - as already mentioned above (see par. 4.2. of this decision) - through the adoption of proactive behaviors aimed at promptly identifying any pathological situations in the contractualization process (and therefore the processing activities that result from it), and through the provision of periodic audits aimed at monitoring the work of the agencies in charge and verifying the correct and timely fulfillment of the tasks entrusted to them (see art. 5, par. 2, art. 24 and art. 28, par. 3, letter h) of the Regulation).

On this point, it is noted that such audits must be carried out in compliance with a predefined program of controls, to be carried out periodically, concerning compliance with the legislation on the protection of personal data and must include document verification activities, as well as on-site inspections. In addition, the outcome of the same must also be documented in detail by the controller, by drafting reports on the matter, also containing any corrective (and/or preventive) measures to be adopted.

Similarly, the application of the same regulatory provisions (Article 24, paragraph 1 and Article 28, paragraphs 1 and 3, of the Regulation) also entails for the controller, in compliance with the principle of accountability, the necessary preparation, on a regular basis, of training sessions, directed at the processors appointed pursuant to Article 28 of the Regulation, aimed at ensuring the correct understanding and timely application of the specific instructions given to the latter (see EDPB, Guidelines 07/2020, paragraph 19, cit.).

With respect to the obligations referred to above, on-site inspections revealed that the Company has not, to date, carried out any audit activity aimed at verifying the work of the agencies designated as data processors in relation to the obligations set out in the Regulation (see minutes of 17 April 2023, page 9; see also note of 19 May 2023, Annex 3, par. 6.1).

Similarly, Hera Comm S.p.A. has not implemented specific initiatives, beyond those of a more general scope focused on the sales process, aimed at training agencies and individual agents on the protection of personal data (see minutes of 17 April 2023, page 9; see minutes of 18 April 2023, Annex 6; see note of 19 May 2023, Annex 1).

Finally, it is noted that, although the Company, following the notification of violation, has expressed its intention to strengthen its control activities towards the agencies in order to evaluate their work (see paragraph 3, letter f), of this decision), the Company has not, to date, provided suitable assurances regarding the implementation in the future, with reference to the aforementioned data processors, of audits in the field of personal data protection, having not transmitted any documentation in this regard, suitable for describing the structure and timing of the audit program to be carried out and the methodology used for this purpose.

Failure to assume the obligations mentioned overall determines, for the Company, the violation of art. 5 par. 2, art. 24 and art. 28 of the Regulation.

4.4. Violations in the exercise of the rights of the interested parties.

With regard to the complaints received in the exercise of the rights pursuant to art. 15-22 of the Regulation, based on the elements in the files and those subsequently acquired during the inspection activity, it is established that Hera Comm S.p.A. provided, in both cases, an inadequate response to the requests for access to their data submitted by the interested parties.

In fact, with regard to the requests referred to in the request of 16 November 2022, the Company limited itself to listing the categories of data processed − in particular: "identification data (Name, Surname, Tax Code/VAT number), Contact details (landline/mobile telephone number, email, PEC, fax), Residence/domicile address" (see response note of 16 January 2023, page 1) − without reporting the details of the personal data relating to the interested party, available within its systems.

With regard to the request submitted on 3 January 2023, the Company provided a late response, as it arrived more than two months after the submission of the same and only following the request of the complainant, and in any case inadequate.

All this, taking into account the circumstance that the Company did not provide the interested party with the information requested, limiting itself exclusively to transmitting the documentation containing a copy of the information pursuant to art. 13 of the Regulation.

In this regard, it is worth highlighting that the right of access pursuant to art. 15 of the Regulation is mainly conceived as a tool aimed at allowing, in general, the interested party to exercise "control" over the personal data concerning him, ensuring full awareness of the information being processed and the actual methods of the latter.

The purpose of the right of access, in fact, is primarily to disclose “which” data and “how” they have been processed by the data controller in order to provide the data subject with the tools to “know and verify the lawfulness and accuracy of the processing” referred to them (see recital 63 of the Regulation; EDPB, “Guidelines 01/2022 on data subject rights - Right of access”, adopted on 28 March 2023, paragraphs 10-13).

Pursuant to art. 15 of the Regulation, therefore, the data controller, in response to a request for access, cannot limit himself to providing “a general description of the data [or] a simple reference to the categories of personal data processed”, nor can he omit information in his possession where it refers to the data subject; on the contrary, he is rather required to provide “access to all personal data relating to the data subject” actually being processed.

Such information “must be complete, correct and up-to-date, corresponding as much as possible to the state of data processing at the time of receipt of the request” and must be provided “in a concise, transparent, intelligible and easily accessible form” to the latter (EDPB, “Guidelines 01/2022 on data subject rights - Right of access”, cit., paragraphs 34-35; art. 12, par. 1 of the Regulation).

It should also be noted that the feedback, in the terms above, must be provided by the data controller without undue delay and in any case no later than one month from receipt of the request (art. 12, par. 3 of the Regulation).

Given the failure by Hera Comm S.p.A. of the provisions referred to above - as is clearly evident from the documentation in the files and from the checks carried out during the inspection - the argument put forward by the Company in this regard cannot be accepted for the purposes of archiving the dispute concerning this specific type of violation.

In fact, the Company, in its defence papers, limited itself on this point to stating that the findings at issue constitute an isolated case with respect to "the totality of the practices managed" by Hera Comm S.p.A. (see paragraph 3 of this decision).

Likewise, with specific regard to the request to exercise rights dated 3 January 2023, what the Company claimed regarding the circumstance that the lateness of the response was due to a misunderstanding of a predominantly technical nature is irrelevant (see note of 26 January 2024, page 7). In this regard, it is in fact stated, as already highlighted above, that the response in question was not adequate.

It follows, therefore, that in the cases in question Hera Comm S.p.A. has violated art. 15 and art. 12, par. 3 of the Regulation.

In any case, the aforementioned circumstances will be taken into consideration, in the context of quantifying the administrative pecuniary sanction, as mitigating factors pursuant to art. 83, par. 2 of the Regulation.

4.5. Further violation profiles.

During the investigation, further violation profiles were found concerning the methods and times of retention of customer data, as explained below.

With regard to the policies adopted by the Company regarding data retention of customer data present in the CRM, from the statements made by the Company, it emerged that, with respect to the Siebel system, no specific retention times have been provided for the data processed by Hera Comm S.p.A. (see minutes of 17 April 2023, page 7).

It has also been ascertained that the oldest data contained in the aforementioned CRM are those relating to a former customer, whose contract ended on 23 October 1984, and to a prospect (i.e. an interested party who has never been a customer of the Company), whose last contact was on 1 September 2004 (see note of 19 May 2023, Annex 7).

This retention period (of 39 years in the first case and 19 in the second), in fact adopted by the Company with respect to the aforementioned personal data, appears disproportionate to the purposes of the processing actually carried out and therefore not "limited to the minimum necessary" as provided for by art. 5, par. 1, letter e) of the Regulation (see in this regard, recital 39 of the Regulation); this in consideration of the considerable period of time that has passed, in the first case since the termination of the contract, in the second since the pre-contractual purpose for which the data were collected was exhausted.

Differently, with respect to the Salesforce platform, the Company has identified some timeframes in the document called “Hera BBP migration and archiving” (minutes of 18 April 2023, Annex 3, par. 4.4.3).

In this regard, however, it is noted that the framework provided therein does not appear sufficiently clear, nor exhaustive, as it is limited to the listing of a multiplicity of categories (so-called functional entities) to which various retention terms are associated, without it being possible to identify the personal data and the processing included therein, nor the criteria on the basis of which this association is made.

In this document, the Company, in fact, has exclusively indicated a ten-year term for customer data without any distinction that takes into account the purposes pursued from time to time (e.g. marketing, profiling, execution of the contract, etc.), as well as additional retention terms of 10 and 4 years referring to indeterminate categories, called “RDS/RDO/Case/Order” and “RDS/Case (request for information)”.

Confirming the inadequacy of the above-mentioned data retention policy, the circumstance (ascertained during the inspection activities) that Hera Comm S.p.A. does not have specific timeframes for the retention of data of interested parties with respect to whom a complaint for unsolicited activation has been accepted is also relevant, since the Company applies to them the ten-year term generally envisaged for the processing of customer data (see minutes of 17 April 2023, page 7).

In this regard, it is indeed worth highlighting that art. 5, par. 1, letter. e) of the Regulation provides that personal data must be stored in a way that allows the identification of the interested party for a period of time not exceeding that necessary to achieve the purposes of the processing.

The principle of storage limitation, in fact, imposes on the controller the burden of evaluating the duration of the processing in necessary correlation with the specific purposes set upstream at the time of collection; this in order to "ensure that the period of retention of personal data is limited to the minimum necessary" (see recital 39 of the Regulation).

This is, in fact, the obligation of the controller to guarantee a "correct" duration of the processing which, otherwise, could continue beyond the achievement of the specific purposes of the same with an impact on the principles of lawfulness, correctness and transparency (art. 5 of the Regulation).

In light of the above, it follows that the processing carried out by Hera Comm S.p.A. appears to be in conflict with the principle of limitation of storage in consideration of the ascertained failure to provide for retention times of personal data recorded in the Siebel CRM, as well as the inadequacy of the data retention policy envisaged for the Salesforce system.

This inadequacy persists due to the Company's failure to reformulate the data retention policy in response to the concerns raised in the notice of dispute.

All this considering that, following the notification of violation, the Company limited itself to introducing only the provision regarding the ten-year term for the retention of data of interested parties in respect of whom a complaint for unsolicited activation was accepted, starting from the date of definition of the same.

Lastly, during the on-site visits, it emerged that the personal data of customers, whose contract ended following a complaint for unsolicited activation, were present in the CRM of Hera Comm S.p.A., without the introduction of any measure, such as the physical and logical segregation of the aforementioned information, aimed at guaranteeing the limitation of the related processing in order to distinguish them from those subject to ordinary customer management activities (art. 5, par. 1, letter b) and par. 2; art. 24 of the Regulation).

Furthermore, the Company has not provided evidence regarding the implementation of a system suitable for providing, pending the definition of a complaint for an unsolicited contract, the timely limitation, pending subsequent checks, of any further and different processing activity of customer data in order to suspend as a precaution any unlawful processing of the aforementioned data (e.g. access by internal or external personnel authorised to operate on the CRM for ordinary customer management purposes); the latter measure, moreover, already expressly indicated by the Guarantor in the aforementioned provisions of 11 December 2019, 28 September 2023 and 12 October 2023.

From the examination of the documentation acquired, it was noted in particular that, from 1 January 2021 to 30 April 2023, the number of interested parties for whom the aforementioned measures of segregation of the related personal data were not provided for was 2309 (see minutes of 18 April 2023, Annex 7 and note of 10 November 2023, Annex 1, documents from which a total of 713 "Complaints" and 1596 "Non-Conformities" result).

Finally, with specific reference to the methods introduced by the Company, following the notification of the violation, to implement the aforementioned data limitation measures (see above, par. 3, letter h) of this decision), it is noted that the same do not appear to be entirely suitable to conform the processing activities in question to the Regulation.

In particular, reference is made to the information of data subjects with respect to whom a complaint for unsolicited activation has been accepted and which, based on what has recently been introduced by the Company, are not promptly archived in a system separate from the CRM, but instead remain available there for a period of two years (see note of 26 January 2024, pages 21-22).

In this regard, it is worth highlighting that the controller, with reference to such information - relating to data subjects whose data had been unlawfully processed from the outset by the agent - is required to ensure effective logical and physical segregation (i.e., the data must be immediately marked and transferred to another system).
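The retention and segregation requirements set out in this paragraph (purpose-specific retention terms, limitation of processing while a complaint for unsolicited activation is pending, and immediate logical and physical segregation once it is accepted) can be modelled as a small state machine. The following Python block is an added illustration written for this page; it is not Hera Comm S.p.A.'s CRM, nor the Siebel or Salesforce configuration reviewed by the Garante. The retention periods in `RETENTION`, the store names, the roles and the `subj-*` identifiers are constructed assumptions; the two trigger dates for `subj-A` and `subj-B` are the ones cited in the decision.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention rules keyed by record kind and purpose. The period runs from the
# trigger date (contract end for customers, last contact for prospects). The figures are
# illustrative assumptions, not the policy examined in the decision.
RETENTION = {
    ("customer", "contract_execution"): timedelta(days=10 * 365),
    ("customer", "marketing"): timedelta(days=2 * 365),
    ("prospect", "pre_contractual"): timedelta(days=365),
}


@dataclass
class Record:
    subject_id: str   # constructed identifier of the data subject
    kind: str         # "customer" or "prospect"
    purpose: str      # purpose the data were collected for
    trigger: date     # contract end date or date of last contact


class Crm:
    """Minimal CRM with an ordinary store, a restricted store and a separate segregated store."""

    def __init__(self):
        self.active = {}      # ordinary customer-management store
        self.restricted = {}  # complaint pending: any further processing is limited
        self.segregated = {}  # complaint accepted: record marked and moved out of the CRM

    def add(self, rec):
        self.active[rec.subject_id] = rec

    def state(self, subject_id):
        for name in ("active", "restricted", "segregated"):
            if subject_id in getattr(self, name):
                return name
        return None

    def open_complaint(self, subject_id):
        # Precautionary limitation as soon as the complaint is received.
        self.restricted[subject_id] = self.active.pop(subject_id)

    def accept_complaint(self, subject_id):
        # Immediate segregation, not after a two-year grace period.
        rec = self.restricted.pop(subject_id, None) or self.active.pop(subject_id)
        self.segregated[subject_id] = rec

    def reject_complaint(self, subject_id):
        self.active[subject_id] = self.restricted.pop(subject_id)

    def can_access(self, role, subject_id):
        """Ordinary roles see only active records; only complaint handling reaches the rest."""
        state = self.state(subject_id)
        if state == "active":
            return True
        return state is not None and role == "complaint_handling"

    def expired(self, today):
        """Active records held beyond the retention term for their kind and purpose."""
        return sorted(sid for sid, r in self.active.items()
                      if today > r.trigger + RETENTION[(r.kind, r.purpose)])


def build_sample():
    crm = Crm()
    crm.add(Record("subj-A", "customer", "contract_execution", date(1984, 10, 23)))  # date from the decision
    crm.add(Record("subj-B", "prospect", "pre_contractual", date(2004, 9, 1)))       # date from the decision
    crm.add(Record("subj-C", "customer", "contract_execution", date(2020, 1, 1)))    # constructed
    return crm


if __name__ == "__main__":
    crm = build_sample()
    print("expired on decision date:", crm.expired(date(2024, 7, 17)))
    crm.open_complaint("subj-C")
    crm.accept_complaint("subj-C")
    print("subj-C state:", crm.state("subj-C"))
```

Run against the constructed sample, `expired` reports the 1984 former customer and the 2004 prospect as held beyond their terms, while the 2020 customer is still within the ten-year period; once a complaint is opened for `subj-C`, ordinary customer-management roles lose access, and acceptance moves the record out of the active store at once.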

5. Conclusions: declaration of unlawfulness of processing. Corrective measures pursuant to art. 58, par. 2, Regulation.

In light of the overall findings, the Authority believes that the statements, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office with the act of initiation of the proceeding to be overcome and are therefore unsuitable for ordering the archiving of this proceeding, since none of the cases provided for by art. 11 of the Regulation of the Guarantor no. 1/2019 apply.

The processing of personal data carried out by Hera Comm S.p.A., in the context of customer contracting activities through door-to-door agencies, is in fact unlawful, in the terms set out above, as it was carried out in violation of art. 5, par. 1, letters a), b), d), e) and f), and par. 2; of art. 12, par. 3; of art. 15; of art. 24; of art. 28 and art. 32 of the Regulation.

Violation of the provisions referred to above entails the application of the administrative sanction provided for by art. 83, par. 4, letter a) and par. 5, letters a) and b) of the Regulation.

With regard to the exercise of the corrective powers referred to in art. 58, par. 2, of the Regulation, it is noted that Hera Comm S.p.A., during the proceedings, has taken steps to adopt some initial measures aimed at aligning, in compliance with the regulatory framework described above, the processing of customer data with the Regulation as detailed in this decision (see above, par. 3, letters b), c), f), g) and k) of this decision).

Account is also taken of the statements made by Hera Comm S.p.A., in the context of the defense briefs, regarding the upcoming adoption of some measures for which feasibility assessments are underway, including of a technical nature (see paragraph 3, letters d) and i) of this decision).

Therefore, taking into account the above and without prejudice to the aforementioned actions already initiated by the Company, it is deemed necessary in any case, in light of the additional critical issues identified against the data controller, to order the same, pursuant to art. 58, paragraph 2, letter d), of the Regulation, to take the following corrective measures:

a) with regard to the above-mentioned measures being adopted by the Company (see paragraph 3, letters d) and i) of this decision), to confirm their definitive implementation, providing adequately documented feedback in this regard pursuant to art. 157 of the Code;

b) with reference to the App introduced for the purpose of acquiring the image of the contractual documentation by the agents, adopt measures aimed at preventing illicit use of the same, such as, for example, the provision that the App can be downloaded exclusively from official stores, that it can be installed only on the device uniquely associated with the agent (for example by sending a confirmation PIN), and that it can be used via one device at a time. The Company must also carry out periodic checks in order to monitor any anomalous use of this application (e.g. excessive uploads by some agents compared to the average; use of the App at unconventional times; simultaneous access from the same account; etc.);

c) evaluate the opportunity to maintain, within the instructions given by Hera Comm S.p.A. to its door-to-door agents, the indication of the possibility of acquiring the image of the customer's identification document on their personal device and not through the App designated for this purpose (see note of 26 January 2024, page 8). In this regard, if the Company deems it appropriate to confirm the aforementioned indication, it is considered necessary that the relevant instructions specify within them the exceptional nature of this procedure (exemplifying the limited cases in which it can be used). The Company should also adopt a system of periodic checks aimed at assessing the actual residual use of the same with respect to the App, as well as introducing measures specifically aimed at preventing any fraudulent use (such as, for example, the use of BYOD MDM software), by door-to-door agents, of the customer's identification document thus acquired;

d) adopt a blocking quality call system (i.e. one that interrupts the continuation of the contractualization process) in all cases in which the customer has not responded to the call attempts made by the Company (so-called “not found” outcome of the verification call);

e) provide for procedural rules in relation to which, in the event of the receipt of anomalous volumes of contractual proposals, disavowals, complaints for unsolicited activation relating to contracts procured by an agency, Hera Comm S.p.A. is expected to carry out specific verification activities on the generality of the contractualization operations carried out by the aforementioned agency (for example by examining the proposals uploaded by the same agents and/or by the same agency affected by the complaint in the same reference period, as well as by carrying out a caring activity towards other customers procured by the same agents with respect to whom irregularities had been highlighted). All this in order to have tools capable of contributing to ensuring the accuracy of the personal data acquired within the scope of the aforementioned contractual proposals, regardless of the presentation of a complaint or report by the interested parties. The anomaly threshold aimed at determining the start of the above-described control activity could be identified by taking into account, for example, the average number of proposals procured by individual agencies and the average number of complaints/refusals of the same nature received every six months by the Company. The aforementioned activity could be carried out on a sample basis or in any case in a manner that is not invasive for the customer (for example, by means of a notice placed on the bill);

f) identify adequate retention times for customer data, distinguished by data categories and specific purposes of the processing carried out; this is in line with the principle of limitation of retention established by art. 5, par. 1, letter e) of the Regulation;

g) eliminate from the quality call script the reference, within the "privacy check" phase, to the so-called regularization procedure that allows the Company, in the event of an alleged non-compliance by the agent, to acquire, during the same call, in any case its willingness to contract with Hera Comm S.p.A.;

h) with reference to the processing of customer data for which, following the various preventive checks described above, it appears appropriate as a precaution to interrupt the contractualization procedure or for which a complaint for unsolicited activation has been accepted, implement a system that provides for the timely limitation of any further processing activity of the data; this by adopting adequate measures to guarantee the immediate segregation of the aforementioned data from those processed in the context of ordinary customer management activities. This measure, as already represented (see above, par. 4.5. of this decision), cannot be effectively implemented with the methods proposed by Hera Comm S.p.A., requiring that the masking of the data and the logical and physical segregation of the same occur immediately and not, as envisaged by the Company, after the passing of two years (the data, in other words, must be immediately marked and transferred to another system);

i) provide for periodic audits to evaluate the work of the agencies in charge, pursuant to art. 28 of the Regulation, to process customer data for contractual purposes.
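The alert conditions listed in paragraph 4.2 (discrepancy between supply and contact address, unusual numbers of "not found" quality calls, several proposals in the name of the same subject, an excessive number of contracts per agent) and the agency-level anomaly threshold suggested in measure e) above (proposals and complaints compared with the average per agency over the reference period) can be implemented as a batch check over the proposals uploaded by the agencies. The Python block below is an added example for this page, not code from Hera Comm S.p.A. or the Garante. The `Proposal` fields, the `SAMPLE` records, the agency and agent names and the 1.5x factor are constructed assumptions; a real deployment would read the proposals from the contract platform and tune the factor from the Company's own six-month averages.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Proposal:
    agency: str
    agent: str
    subject_id: str       # constructed identifier of the prospective customer
    supply_address: str   # address of the POD/PDR
    contact_address: str  # address given in the contract for the welcome letter
    quality_call: str     # "confirmed", "not_found" or "disavowed"
    complaint: bool       # complaint for unsolicited activation accepted


# Constructed sample covering one six-month reference period. Agency-C shows the
# patterns the decision describes: many uploads by one agent, contact addresses that
# differ from the supply point, a repeated subject, unreachable customers, complaints.
SAMPLE = [
    Proposal("Agency-A", "a1", "subj-01", "Via Roma 1", "Via Roma 1", "confirmed", False),
    Proposal("Agency-A", "a1", "subj-02", "Via Milano 2", "Via Milano 2", "confirmed", False),
    Proposal("Agency-A", "a2", "subj-03", "Via Napoli 3", "Via Napoli 3", "confirmed", False),
    Proposal("Agency-B", "b1", "subj-04", "Via Torino 4", "Via Torino 4", "confirmed", False),
    Proposal("Agency-B", "b1", "subj-05", "Via Genova 5", "Via Genova 5", "not_found", False),
    Proposal("Agency-C", "c1", "subj-06", "Via Bari 6", "Via Altro 99", "not_found", True),
    Proposal("Agency-C", "c1", "subj-06", "Via Bari 6", "Via Altro 99", "not_found", False),
    Proposal("Agency-C", "c1", "subj-07", "Via Lecce 7", "Via Altro 99", "disavowed", True),
    Proposal("Agency-C", "c1", "subj-08", "Via Como 8", "Via Como 8", "confirmed", False),
    Proposal("Agency-C", "c1", "subj-09", "Via Pisa 9", "Via Altro 99", "not_found", False),
    Proposal("Agency-C", "c1", "subj-10", "Via Bari 10", "Via Bari 10", "confirmed", False),
    Proposal("Agency-C", "c1", "subj-11", "Via Bari 11", "Via Bari 11", "confirmed", False),
]


def above_average(counts, factor):
    """Keys whose count exceeds `factor` times the mean count over all keys."""
    if not counts:
        return []
    threshold = factor * mean(list(counts.values()))
    return sorted(k for k, v in counts.items() if v > threshold)


def volume_alerts(proposals, key="agency", factor=1.5):
    """Agencies (or agents, with key="agent") uploading far more proposals than average."""
    return above_average(Counter(getattr(p, key) for p in proposals), factor)


def complaint_alerts(proposals, factor=1.5):
    """Agencies with an anomalous number of accepted complaints; zero counts are kept."""
    counts = {p.agency: 0 for p in proposals}
    for p in proposals:
        if p.complaint:
            counts[p.agency] += 1
    return above_average(counts, factor)


def record_alerts(proposals):
    """Per-proposal checks; a 'not_found' outcome is the blocking case of measure d)."""
    occurrences = Counter(p.subject_id for p in proposals)
    alerts = []
    for p in proposals:
        reasons = []
        if p.supply_address != p.contact_address:
            reasons.append("address_mismatch")
        if occurrences[p.subject_id] > 1:
            reasons.append("duplicate_subject")
        if p.quality_call == "not_found":
            reasons.append("quality_call_not_found")
        if reasons:
            alerts.append((p.agency, p.agent, p.subject_id, reasons))
    return alerts


def triggered_agencies(proposals, factor=1.5):
    """Agencies whose whole contracting activity should be reviewed under measure e)."""
    return sorted(set(volume_alerts(proposals, "agency", factor))
                  | set(complaint_alerts(proposals, factor)))


if __name__ == "__main__":
    print("agencies to review:", triggered_agencies(SAMPLE))
    print("agents over threshold:", volume_alerts(SAMPLE, key="agent"))
    for agency, agent, subject, reasons in record_alerts(SAMPLE):
        print(agency, agent, subject, ", ".join(reasons))
```

On the constructed sample the agency-level check singles out Agency-C both by upload volume and by accepted complaints, the agent-level check flags its single agent, and the record-level check produces five alerts, four of them carrying the "not found" outcome that measure d) treats as blocking. The comparison with the mean deliberately includes the flagged agency itself, so a single dominant agency still stands out; comparing each agency against the mean of the others would be a stricter variant.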

Finally, with reference to the personal data relating to the 2309 customers as identified in paragraph 4.5. of this decision, pursuant to art. 58, paragraph 2, letter f) of the Regulation, the definitive limitation of any further processing activity of the same other than that inherent to the aforementioned segregation of the aforementioned information is ordered.

The aforementioned requirement is also necessary in relation to the personal data of customers contained in any further contractual proposals acquired through the door-to-door channel in the period between 1 May 2023 and the date of notification of this decision with respect to which a complaint has been submitted in the meantime for unsolicited activation and the same has been accepted with consequent termination of the related contract.

6. Adoption of the injunction order for the application of the administrative pecuniary sanction and accessory sanctions (articles 58, par. 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).

The Guarantor, pursuant to art. 58, par. 2, letter i) of the Regulation and art. 166 of the Code, has the power to impose an administrative pecuniary sanction provided for by art. 83 of the Regulation, by adopting an injunction order (art. 18, Law no. 689 of 24 November 1981), in relation to the processing of personal data carried out by Hera Comm S.p.A., the unlawfulness of which has been ascertained, in the terms set out above.

Considering it necessary to apply paragraph 3 of art. 83 of the Regulation where it provides that “if, in relation to the same processing or linked processing, a controller […] infringes, intentionally or negligently, several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the most serious infringement”, the total amount of the fine is calculated so as not to exceed the maximum amount provided for by the same art. 83, par. 5.

With reference to the elements listed in art. 83, par. 2 of the Regulation for the purposes of applying the administrative pecuniary sanction and its quantification, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that, in the case in question, the circumstances reported below have been taken into account:

the significant seriousness of the violations (Article 83, paragraph 2, letter a) of the Regulation), in relation to the nature (concerning the failure to comply with the principles of processing pursuant to Article 5 of the Regulation), the methods (the plurality of unlawful conducts repeated over time) and the duration of the same (approximately two years). Also considered relevant, for this purpose, are the characteristics of the processing in terms of its purpose and broad scope, as well as the high number of data subjects involved and the type of damage suffered by them. All this having been noted that: the disputed operations were carried out in order to conclude energy supply contracts in the free market, an economic activity that falls within the core business of the controller; the unlawful conduct ascertained involved 2309 interested parties; the critical issues found in terms of data protection refer to the processes and policies implemented by the controller for carrying out customer contractualization operations through the agency channel, highlighting systemic shortcomings and inadequacies of the aforementioned processes and therefore cannot be referred to sporadic episodes of misalignment of the same; the ascertained violations have determined, for the potential customers indicated above, in addition to damages directly connected to the identity theft suffered by them, also the conclusion without their knowledge of unsolicited contracts in the free energy market (together with the activation of insurance policies related to the same) with the consequent need for the same to take on the related administrative costs connected to the establishment of the actions (judicial and/or administrative) envisaged in such cases to protect the consumer;

the significantly negligent behavior and the significant degree of responsibility of the data controller with regard to the technical and organizational measures implemented (art. 83, par. 2, letter b) and letter d) of the Regulation); this with specific reference to the inadequacy of the data protection policies implemented by Hera Comm S.p.A. in the sector under consideration and explained in detail in paragraphs 4.1.-4.5. of this decision, as well as in light of the indications already provided for some time by the Guarantor with regard to the organizational and management methods that a data controller, operating as an energy supplier in the free market, must implement, when acquiring new customers, in order to comply with the Regulation (see provisions of 11 December 2019, 28 September 2023 and 12 October 2023, cit.);

the adoption, by the controller, of measures to mitigate or eliminate the consequences of the violation (art. 83, par. 2, letter c) of the Regulation). In this regard, the fact that Hera Comm S.p.A. promptly adopted, once it became aware of the violations, some initial measures to mitigate the effects of the unlawful processing must be considered positively; these measures, although only partially sufficient to eliminate the risks, can be considered reasonable;

the circumstance that the Company actively cooperated with the Authority during the proceedings (art. 83, par. 2, letter f) of the Regulation);

the fact that there are no previous violations committed by the controller or previous measures referred to in art. 58 of the Regulation (art. 83, par. 2, letter e) of the Regulation);

other mitigating factors (art. 83, par. 2, letter k) of the Regulation). To this end, it is relevant, with respect to the violation ascertained in par. 4.4. of this decision, that the late response provided by the Company to the request to exercise rights dated 3 January 2023 was mainly due to "a technical glitch in the systems that prevented the passage of the complaint to the Score platform, responsible for managing this type of request" (see note of 26 January 2024, page 7). It is also taken into account that the inadequate feedback provided in the cases that are the subject of the complaints appears, as claimed by the Company, to consist of isolated cases compared to the totality of the files it manages as a whole (see paragraph 4.4. of this decision).

It is also considered that the economic conditions of the offender, determined on the basis of the Company's turnover as per the financial statements for the year 2023 (the last available), are relevant in this specific case, in view of the aforementioned principles of effectiveness, proportionality and dissuasiveness to which the Authority must adhere in determining the amount of the sanction (art. 83, par. 1, of the Regulation). In this regard, it is noted that, given the nature of the processing operations that are the subject of the complaints, only the turnover relating to the sale of electricity and gas has been taken into consideration for this purpose.

Lastly, account is taken of the costs that the Company will have to bear in order to comply with the measures set out in point 5 of this decision, as well as of the amount of the sanctions imposed by the Guarantor in similar cases.

In light of the elements indicated above and the assessments carried out, it is considered that, in this specific case, the administrative sanction of the payment of a sum equal to Euro 5,000,000.00 (five million/00) should be applied to Hera Comm S.p.A.

In this context, it is also considered that, pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019, this provision should be published on the website of the Guarantor. This is in consideration of the type of violations found, which have affected the general principles of processing, in particular the principles of lawfulness, fairness, transparency, accuracy and accountability. To this end, account is also taken of the significant damage suffered by the data subjects following the conclusion of unsolicited contracts in the free energy market (often together with the activation of insurance policies linked to them), with the consequent need for them to bear all the administrative burdens connected, among other things, to bringing the judicial and/or administrative actions envisaged in such cases for their own protection.

Finally, it is considered that the conditions set out in art. 17 of the Regulation of the Guarantor no. 1/2019 are met.

CONSIDERING ALL THE ABOVE, THE GUARANTOR

a) pursuant to articles 57, par. 1, letter f) and 83 of the Regulation, finds the processing carried out by Hera Comm S.p.A., with registered office in Imola (BO), VAT no. 02221101203, to be unlawful in the terms set out in the reasons, for the violation of art. 5, par. 1, letters a), b), d), e) and f), and par. 2; art. 12, par. 3; art. 15; art. 24; art. 28 and art. 32 of the Regulation;

b) pursuant to art. 58, par. 2, letter d) of the Regulation, orders the aforementioned Company to comply, within three months from the date of notification of this provision, with the measures set out in par. 5, letter a) of this decision, and at the same time requests the Company to provide, within that deadline, adequately documented feedback pursuant to art. 157 of the Code; any failure to provide feedback may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, letter e) of the Regulation;

c) pursuant to art. 58, paragraph 2, letter d) of the Regulation, orders the aforementioned Company to comply, within nine months from the date of notification of this provision, with the measures set out in paragraph 5, letters b) to i) of this decision, and at the same time requests the Company to communicate what initiatives it intends to undertake in order to implement those measures and to provide, within that deadline, adequately documented feedback pursuant to art. 157 of the Code; any failure to provide feedback may result in the application of the administrative pecuniary sanction provided for by art. 83, par. 5, letter e) of the Regulation;

d) pursuant to art. 58, par. 2, letter f) of the Regulation, orders, with respect to Hera Comm S.p.A., the definitive limitation of any further processing of customer data as identified in par. 5 of this decision and within the terms provided therein;

e) considers that the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

ENJOINS

a) pursuant to art. 58, par. 2, letter i) of the Regulation, the same Hera Comm S.p.A. to pay the sum of Euro 5,000,000.00 (five million/00) as an administrative pecuniary sanction for the violations indicated in this provision.

ORDERS

b) therefore Hera Comm S.p.A. to pay the aforementioned sum of Euro 5,000,000.00 (five million/00), in the manner indicated in the attachment, within thirty days of notification of this provision, failing which the consequent enforcement actions pursuant to art. 27 of Law no. 689/1981 will be taken. It is noted that, pursuant to art. 166, paragraph 8 of the Code, the offender retains the right to settle the dispute by paying, again in the manner indicated in the attachment, an amount equal to half of the fine imposed within the deadline referred to in art. 10, paragraph 3, of Legislative Decree no. 150 of 1 September 2011 provided for the filing of the appeal, as indicated below.

DIRECTS

c) the publication of this provision on the website of the Guarantor pursuant to art. 166, paragraph 7, of the Code and art. 16, paragraph 1, of the Regulation of the Guarantor no. 1/2019.

Pursuant to art. 78 of the Regulation, as well as art. 152 of the Code and art. 10 of Legislative Decree no. 150/2011, this provision may be challenged before the ordinary judicial authority by means of an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision, or sixty days if the appellant resides abroad.

Rome, 17 July 2024

THE PRESIDENT
Stanzione

THE REPORTER
Stanzione

THE GENERAL SECRETARY
Mattei