Garante per la protezione dei dati personali (Italy) - 10127930

From GDPRhub
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(f) GDPR; Article 5(1)(a) GDPR; Article 6 GDPR; Article 7 GDPR; Article 13 GDPR; Article 24 GDPR; Article 25 GDPR; Article 28 GDPR; Article 32 GDPR; Art. 130 d.lgs. 196/2003
Type: Investigation
Outcome: Violation Found
Started:
Decided: 10.04.2025
Published:
Fine: 3,000,000 EUR
Parties: Acea Energia SPA
National Case Number/Name: 10127930
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: cci

The DPA fined an energy provider €3,000,000 for unlawful telemarketing practices. The controller failed to supervise its processing chain, which allowed a sub-processor engaged without a data processing agreement to carry out the illegal practices.

English Summary

Facts

Energy provider Acea Energia S.p.a. (the controller) relied on a number of processors and sub-processors for marketing purposes. In particular, the controller relied on a one-person company called Stefanelli Federica (the processor), which in turn relied on sub-processor MG Company.

The controller concluded a DPA with the processor. However, the processor did not conclude a DPA with the sub-processor. Additionally, the sub-processor was not registered as a marketing operator, in violation of Italian national law.

The sub-processor engaged in a long list of illegal practices, such as contacting prospects without their consent, lying to prospects about (non-existent) billing issues, and evading telemarketing laws under the pretence that it engaged in door-to-door marketing rather than telemarketing. Over one and a half years, the sub-processor concluded about 30,000 contracts and earned the processor about €2,000,000 in commissions.

In 2024 a popular TV show aired a report on the sub-processor’s marketing practices. The authors of the show also reported their findings to the Italian DPA. In turn, the DPA opened a joint investigation with the financial police.

Holding

The controller claimed that it was unaware of the sub-processor's involvement in its telemarketing activities and blamed the processor for engaging the sub-processor without the controller’s knowledge.

The DPA rejected the argument. The controller was responsible for appointing a reliable processor and for supervising the compliance of the data processing chain.

The controller clearly failed to do so in the case at hand. The appointed processor was a one-person business with no registered employees and could not possibly have concluded tens of thousands of contracts on behalf of the controller. So, the DPA held that the controller knew or should have known that the marketing involved unauthorized personnel.

For this reason, the DPA held the controller responsible for several GDPR violations, including violations committed by the sub-processor:

  • A large number of data subjects were contacted without their consent and without receiving any information on the processing of their data, in violation of Articles 5(1)(a), 6, and 7 GDPR as well as Article 130 d.lgs. 196/2003[1];
  • The controller violated Articles 5(1)(f) and 32 GDPR by allowing unauthorized staff to access personal data (as MG Company was not appointed as a processor or sub-processor);
  • The controller failed to supervise the processing of personal data by its processor and sub-processor, in violation of Articles 24 and 25 GDPR;
  • Finally, the controller did not appoint the sub-processor as a processor or sub-processor, in violation of Article 28 GDPR.

The DPA fined the controller €3,000,000 and ordered it to bring its marketing activities into compliance.

Comment

The investigation uncovered a broader picture of non-compliance involving other processors and sub-processors. In another decision related to the same investigation[2], the DPA fined Stefanelli Federica, MG Company, and three other companies for a total of €850,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE ALSO Press release of May 7, 2025


[web doc. no. 10127930]

Provision of April 10, 2025

Register of provisions
no. 228 of April 10

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, president, Prof. Ginevra Cerrina Feroni, vice-president, Dr. Agostino Ghiglia and the lawyer Guido Scorza, members, and Dr. Claudio Filippi - Acting Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN the Personal Data Protection Code (Legislative Decree 30 June 2003, no. 196), as amended by Legislative Decree 10 August 2018 no. 101, containing provisions for the adaptation of national legislation to the aforementioned Regulation (hereinafter “Code”);

HAVING SEEN Guidelines 07/2020 on the “concepts of data controller and data processor under the GDPR”, version 2.0, adopted by the European Data Protection Board on 7 July 2021 (hereinafter also “Guidelines 07/2020”);

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the regulation of the Guarantor no. 1/2000;

REPORTER Dr. Agostino Ghiglia;

WHEREAS

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

The Guarantor, in exercising the powers of investigation and control referred to in articles 157 and 158 of the Code, carried out inspection activities jointly with the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza, following a complaint that the Unit received from an editor of the television program “Striscia la notizia”, Mr. XX.

In short, the complaint reported a phenomenon already known to the Authority, namely the activities of abusive call centers (without a formal assignment from the clients and not registered in the Register of Communications Operators – ROC – established at the Communications Guarantee Authority – AGCOM) in possession of lists of personal data of subjects to be contacted by telephone to propose the activation of supplies of telephone or energy services (gas and electricity) also by switching from one operator to another.

In particular, starting from the information received from a former call center operator, the complaint denounced the unfair practices for the procurement of contracts in favor of Acea Energia S.p.A. (hereinafter also only “Acea” or “Acea Energia” or the “Company”) implemented mainly by the company M.G. Company s.r.l., with registered office in Fiumicino and operational offices in Rome, Fiumicino, Ladispoli and Terracina.

M.G. Company was not formally included in the Acea commercial chain but used an agency directly contracted with Acea, the sole proprietorship Stefanelli Federica (hereinafter, "Stefanelli" or the "company"). In order to have potential customers sign electricity and gas supply contracts, it used the following operating scheme:

a) use of lists with data of users who had recently switched from one electricity and/or gas supplier to another (so-called "switch-out" lists);

b) suggestion of non-existent technical problems in the switch from the "outgoing" supplier to the "incoming" supplier to overcome distrust and induce the contacted parties to activate a supply with Acea, fearing the non-existent risk of receiving double billing from the two companies (the deactivated one and the new one in the process of being activated) with consequent economic damages for the customer;

c) presentation of the solution: the call center operator then proposed to the customer the solution of a “technical return” to Acea “for the time necessary to resolve the problem and align supplies”. This return would have occurred at extremely advantageous tariff conditions (with a 40% discount) due to the inconvenience suffered;

d) sending a door-to-door agent to sign the contract proposal: once the potential customer had been convinced to adhere to the proposed solution, the call center operator would schedule an appointment with what was called an “Acea representative”. The latter would then go to the customer’s home, but only after receiving from the operator, via WhatsApp, the audio file of the telephone conversations, and there proceeded to have a new contract signed with Acea. The audio file was sent precisely to inform the runner (i.e. the door-to-door salesman) of the fictitious arguments used to convince the potential customer, so that the conversation during the home visit would be more credible.

In other words, the contracts, the result of illicit promotional telephone contacts made by M.G. Company, during which misleading information was also conveyed and often in an aggressive and intimidating tone, flowed into Acea through the Individual Company Stefanelli Federica, making such contracts appear as if they were made in the context of ordinary door-to-door promotions and thus attempting to restore, with this operation, an apparent framework of legality to the overall initiative, fundamentally flawed by the illicit trafficking of switch-out lists.

Having received the complaint, the Guardia di Finanza proceeded to carry out in-depth investigations by consulting the databases used by the Corps, acquiring information from open sources and carrying out inspections.

On the basis of what was represented by the Guardia di Finanza, and considering that in all likelihood the contract procurement activities, as illustrated in the complaint, were attributable to the phenomenon of wild telemarketing, the Guarantor ordered the carrying out of inspections against the following entities (inspections carried out simultaneously on 26 March 2024 by personnel of the Guardia di Finanza and the Guarantor):

1) M.G. Company s.r.l., at the registered office in Fiumicino (via dei Delfini 1, at the shop with the sign “Energia e non solo…”) and at the operational offices in Latina (piazza dell’Agorà, premises with the sign M.G. Company s.r.l.), Terracina (piazza Gregorio Antonelli 14/16) and Ladispoli (via delle Rose 12-14-16);

2) Diemme Group di Di Vico Luigi, at the shop with the sign “Energia e non solo…” located in Rome, via Carlo Zucchi n. 13/15, whose premises are owned by the company Elanim s.r.l., whose sole shareholder is Mr. Di Vico Luigi, premises that are rented to the company M.G. Company s.r.l., which in turn granted their use to Diemme Group;

3) Sole Proprietorship Stefanelli Federica, with tax domicile in Terracina and place of business in Fiumicino, via Brunelleschi 47, a company that is no longer operating today;

4) M&M s.r.l.s., with registered office and operational headquarters in Terracina, piazza Gregorio Antonelli 14/16, also the operational headquarters of M.G. Company s.r.l.;

5) Sole Proprietorship XX, in the Turin offices, which were not operational: XX was operationally linked both to M.G. Company s.r.l. and to Di Vico Luigi, from whom he received emoluments in the context of the activity of "business agent without prevalence";

6) Acea Energia S.p.A., at the registered office in Piazzale Ostiense n. 2, Rome.

Based on the findings that emerged during the activities of 26 March 2024, the Guarantor ordered further investigations to be carried out at the offices of Fer-Energy Call s.r.l., given that this company was found to operate at the Ladispoli office (via delle Rose 12-14-16), where there was also a call center of M.G. Company s.r.l., and of Fer-Energy s.r.l. With respect to these additional companies, the inspection activities were carried out on 29 March 2024, respectively, at the offices of Rome, viale Palmiro Togliatti n. 1613, and Civitavecchia, via delle Azalee snc.

From all the inspection activities it was possible to acquire a considerable amount of information and documents, which were made available to the Authority by the Guardia di Finanza with notes acquired in the files and registered on 19 April 2024 and 29 May 2024.

The Office requested some additional information from Acea (see prot. no. 107799/24 of 13 September 2024, answered by Acea with prot. no. 225799/24 of 4 October 2024), focusing on the relationships with M.G. Company, with the legal representatives of that company or with its employees or collaborators, and also requesting the contract proposals uploaded to the Acea systems by two operators whose names had emerged during the inspections at M.G. Company.

Following the investigation activities indicated, limited to Acea's position, the Authority notified the Company of the act of initiation of the proceeding pursuant to art. 166, paragraph 5 of the Code; the Company, for its part, first requested and obtained access to the investigation documents, and subsequently filed its own defense briefs, further illustrating its position during the hearing held on 4 March 2025.

2. DISPUTE OF VIOLATIONS

As anticipated, the Office sent Acea the act of initiation of the proceeding pursuant to art. 166, paragraph 5 of the Code (prot. 8687/25 of 23 January 2025), which is hereby deemed to be fully recalled, with which it contested the possible violation of art. 5, par. 1, letter a), 6, 7, 13, 24, 25, 28 and 32 of the Regulation and art. 130 of the Code in relation to the processing of personal data carried out by the then D.I. Stefanelli Federica and M.G. Company on behalf of Acea and the failure to adopt adequate security and organizational measures.

This is because the lack of controls on the data processor and on its commercial chain, as well as the inadequacy of the security measures adopted, had allowed unwanted promotional calls to be made over a long period, using data of illicit origin and without any consent from the data subjects who, having received no information on the processing, had also suffered potential economic damage deriving from the distortion of their contractual will.

Furthermore, the Office analyzed, on a sample basis, the contact lists illegally acquired from M.G. Company and found among them numerous names present in the documentation produced by Acea in October 2024 relating to the contract proposals registered in its company systems.

With reference to the relationship with the Sole Proprietorship Stefanelli Federica, the lack of adequate controls by Acea on the company structure and on the organization of commercial activities was also highlighted, controls that should have been aimed at verifying that an agency that guaranteed a volume of contracts equal to just under 10% of Acea's door-to-door turnover did not obtain such results by carrying out conduct contrary to the instructions received, also by making use of the commercial support of third parties not authorized by Acea.

Specifically, the following violations were contested:

a) art. 5, par. 1, lett. a), 6, 7 and 13 of the Regulation, as well as 130 of the Code, for having allowed promotional telephone contacts to be made using lists of personal data acquired in the absence of specific consent and of prior information, lists for which the lawful methods of data collection and acquisition of consent for commercial and promotional purposes were not proven. On this point, it is important to point out that the awareness attributed to Acea was, in fact, framed as knowledge of certain circumstances by the head of the Mass Market Sales Unit of the company, Ms. XX, as represented and described in the defense phase by M.G. Company, against which the Office had initiated specific proceedings;

b) art. 5, par. 1, letter a) and 28 of the Regulation, for having factually entrusted M.G. Company s.r.l. with the processing of the data of contracted customers, in the absence of regular designation as data processor or sub-processor;

c) articles 5, par. 1, letter f) and 32 of the Regulation, for having allowed employees of M.G. Company to access the IT systems of Acea Energia S.p.A. in the absence of the designations indicated in the previous point;

d) articles 24 and 25 of the Regulation, for having failed to implement organizational measures, checks and controls, suitable for verifying that the marketing activities carried out by the Sole Proprietorship Stefanelli Federica, also in light of the number of contracts signed, were carried out in compliance with the “door-to-door” sales mandate and with the legislation in force regarding the protection of personal data.

3. ACEA'S DEFENSES

The Company, after having accessed the documentation in the files for defensive purposes, filed its own briefs (prot. nos. 23935/25 and 24074/25 of 24 February 2025), which are hereby considered to be fully recalled, observing what is briefly reported below:

- on the alleged awareness of Ms. XX (Head of the Mass Market Sales Unit) regarding the use of switch-out lists by M.G. Company, the Company filed a statement by the same in order to clarify the content of the audio reported by the Office in the contested act. On this point, Ms. XX denied being aware of the use of unauthorized lists by M.G. Company/D.I. Stefanelli, specifying that "in the reported conversation the term "lists" refers to contracts that were KO'd by the distributor after the contractualization with Acea Energia" in relation to which a new processing had been requested in order not to lose the related commissions;

- on the alleged awareness of Ms. XX regarding the commercial activities carried out by Ms. XX, from the aforementioned deposited declaration it emerges that Ms. XX clarified that she had provided Ms. XX (indicated as administrative support of D.I. Stefanelli) with suggestions regarding the so-called Commissioning policies, i.e. the methods of collecting commissions, denying that the indications had a commercial nature towards end customers. The same declaration, moreover, contains clarifications regarding the introduction of a maximum production limit for each agency, called "CAP" and the fact that "the Stefanelli agency expressed discontent with its assigned CAP, lower than the historical production". Ms. XX, to address "this discontent, communicated that compared to the original "cap", the latter had been raised to + 400 quarterly contracts, lowering it from the "cap" of another structure". In light of what was clarified, Acea denied that, in the conversations contained in the audio files, its employee intended to provide information relating to commercial activities and also held to specify that "following a further specific internal check, it emerged that the aforementioned number for the year 2022 is not equal to 17,000 supply points but rather to 11,585 supply points";

- on “having factually entrusted MG Company s.r.l. with the processing of contractual customer data, in the absence of a regular designation as data processor or sub-processor” (articles 5, par. 1, letter a) and 28 of the Regulation), Acea stated that it had not been aware of any sub-processors of the Sole Proprietorship Federica Stefanelli, designated data processor, as the latter had not declared their presence in the questionnaire attached to the deed of designation. Furthermore, “the Undersigned clarifies that the absence of specific designations as data processors or sub-processors in relation to Ms XX and Ms XX is due to the fact that, to the best of the Undersigned’s knowledge, they were included in the administrative staff of D.I. Stefanelli, which should have proceeded to designate the XX, as persons authorised to process, pursuant to art. 29 of the Regulation, and not as sub-processors”. In the defenses filed, therefore, Acea argued that D.I. Stefanelli proceeded autonomously, and without due communication, to use M.G. Company personnel to carry out the activities covered by the mandate and, therefore, "not having been informed about the presence of a sub-processor, was not in a position to intervene in advance as it was completely unrelated and lacked any power of influence on the use of D.I. Stefanelli employees/collaborators for the performance of the work agreements, as well as on the actual activity carried out by them, which did not comply with what was stipulated between Acea Energia and D.I. Stefanelli";

- on “having allowed M.G. Company employees to access Acea Energia’s IT systems in the absence of the designations indicated in the previous point” (articles 5, par. 1, letter f) and 32 of the Regulation), Acea described the procedures for assigning credentials to runners associated with its agencies, specifying that for each agency the credentials are differentiated between back office credentials and runner credentials. “Specifically, for the paper door-to-door, runners do not have access credentials to the XX system and the Contract Proposals (hereinafter also “PdC”) are uploaded by back office users assigned to personnel of the same agency; on the contrary, for the digital door-to-door process, runners are assigned access credentials to XX since the uploading takes place by them during the contractual proposal phase; there are also some figures in the company who have a user enabled both for uploading digital PdC and for uploading paper PdC in the back office”. Furthermore, after reporting the procedures established for the creation of a user profile and to avoid unauthorized use, Acea concluded by stating that "to the best of the writer's knowledge, those who operated on behalf of D.I. Stefanelli processed personal data as data processors pursuant to art. 29 of the D.I. Stefanelli Regulation. It follows that the credentials were never delivered by Acea Energia to M.G. Company, but rather to Stefanelli";

- on having failed to implement organizational measures, checks and controls, suitable for verifying that the marketing activities carried out by the sole proprietorship Stefanelli Federica, also in light of the number of contracts signed, were carried out in compliance with the "door-to-door" sales mandate and with the legislation in force on the protection of personal data, therefore without making use of telemarketing and teleselling (arts. 24 and 25 of the Regulation), Acea indicated all the checks carried out for the evaluation of D.I. Stefanelli, specifying that, in relation to the “telemarketing” activities carried out in a hidden manner by this agency, the Company did not carry out any checks as the activity was not the subject of the mandate stipulated between the parties.

Finally, in the defense briefs and during the hearing, the Company illustrated the corrective measures implemented after the inspection of March 2024, specifying the planned and not yet completed activities as well as the planned auditing program. In particular, Acea first of all recalled that the promotion and sales activities of its services are carried out mainly through the door-to-door channel, having already excluded telemarketing and teleselling activities on prospects for some time (these activities remained only for conveying promotions to the customer base or to users who requested recontact via forms on the web).

Furthermore, Acea described the following guarantee measures subsequently adopted:

a) from October 2024, automated and timely control (previously it was random) on the geolocation of the sales agent at the time of creation of the PDC (contract proposal) to verify its conformity with the address of the contracted customer;

b) from 1 July 2024, automatic blocking in the event of multi-session access with the same credentials to the XX company system;

c) from 1 July 2024, automatic blocking in the systems in the event of activation of contracts for users over seventy-five years of age;

d) from 1 July 2024, introduction of access to the XX system with multi-factor authentication;

e) from 11 July 2024, automatic monitoring of all digital contracts signed by the door-to-door channel, with the imposition of a threshold of 5 daily PDCs per agent, in order to identify productivity levels that are not consistent with what is normally expected;

f) from 11 July 2024, introduction of the process for managing agent records in order to automate some checks on the work of each individual agent to reveal any conduct that does not correspond to the instructions given to data processors and to block the coding of authorisations for agents who have already ceased due to malpractice.

Lastly, the Company recalled that each PDC originating from the door-to-door channel is followed by a quality call, carried out by an Acea call center, to verify the actual will of the customer and to have confirmation of the correct action of the agent; regarding this last aspect, the Company specified that with the control call the customer was asked to confirm that the agent had physically gone to his home and, more recently, a specific question was also introduced aimed at verifying that the home visit had not been preceded by an unauthorized telephone contact.
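The automated checks Acea described in measures a), b), c) and e) can be expressed as rules over contract-proposal (PdC) and session records. The following is an added example, not code from the decision or from Acea; the record fields, the 250 m geolocation tolerance, the finding labels and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_DAILY_PDC_PER_AGENT = 5  # measure e): threshold stated in the decision
MAX_CUSTOMER_AGE = 75        # measure c): block above seventy-five years
MAX_DISTANCE_M = 250.0       # assumption: tolerance for measure a), not in the decision


@dataclass(frozen=True)
class Pdc:                   # hypothetical record layout for a contract proposal
    pdc_id: str
    agent_id: str
    created_at: datetime
    agent_pos: tuple         # (lat, lon) of the agent's device at creation time
    customer_pos: tuple      # (lat, lon) geocoded from the customer's address
    customer_age: int


@dataclass(frozen=True)
class Session:               # hypothetical login session on the company system
    credential_id: str
    start: datetime
    end: datetime


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(h))


def check_pdcs(pdcs):
    """Apply measures a), c) and e) to every PdC, in chronological order."""
    findings = []
    per_agent_day = defaultdict(int)
    for p in sorted(pdcs, key=lambda p: p.created_at):
        if p.customer_age > MAX_CUSTOMER_AGE:
            findings.append((p.pdc_id, "BLOCK_AGE_OVER_75"))
        # A proposal created far from the customer's address suggests it was
        # not concluded at the door, whatever the sales channel claims.
        if haversine_m(p.agent_pos, p.customer_pos) > MAX_DISTANCE_M:
            findings.append((p.pdc_id, "GEO_MISMATCH"))
        key = (p.agent_id, p.created_at.date())
        per_agent_day[key] += 1
        if per_agent_day[key] > MAX_DAILY_PDC_PER_AGENT:
            findings.append((p.pdc_id, "DAILY_THRESHOLD_EXCEEDED"))
    return findings


def concurrent_sessions(sessions):
    """Measure b): credentials used in overlapping sessions (shared logins)."""
    by_cred = defaultdict(list)
    for s in sessions:
        by_cred[s.credential_id].append(s)
    flagged = set()
    for cred, items in by_cred.items():
        items.sort(key=lambda s: s.start)
        latest_end = items[0].end
        for nxt in items[1:]:
            if nxt.start < latest_end:   # new session opens before the last one closed
                flagged.add(cred)
            latest_end = max(latest_end, nxt.end)
    return sorted(flagged)


# --- constructed sample data (not taken from the decision) ---
_DAY = datetime(2024, 7, 12, 9, 0)
_HOME = (41.9000, 12.5000)
_ELSEWHERE = (41.7700, 12.2300)   # roughly 27 km from _HOME

SAMPLE_PDCS = [
    # Agent A1 uploads six proposals in one day, all at the customer's address.
    *[Pdc(f"P-A1-{i + 1}", "A1", _DAY + timedelta(hours=i), _HOME, _HOME, 40)
      for i in range(6)],
    # Agent A2 uploads one proposal far from the address, for an 80-year-old.
    Pdc("P-A2-1", "A2", _DAY + timedelta(minutes=90), _ELSEWHERE, _HOME, 80),
]

SAMPLE_SESSIONS = [
    Session("bo-01", _DAY, _DAY + timedelta(hours=2)),
    Session("bo-01", _DAY + timedelta(hours=1), _DAY + timedelta(hours=3)),  # overlaps
    Session("run-02", _DAY, _DAY + timedelta(hours=1)),
    Session("run-02", _DAY + timedelta(hours=1), _DAY + timedelta(hours=2)),  # sequential
]

if __name__ == "__main__":
    for pdc_id, rule in check_pdcs(SAMPLE_PDCS):
        print(f"{pdc_id}: {rule}")
    print("shared credentials:", concurrent_sessions(SAMPLE_SESSIONS))
```
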

4. AUTHORITY'S EVALUATIONS

4.1. General overview

Before going into the merits of the individual violations ascertained, it seems appropriate to outline a brief overview of the system brought to light by the Office with the collaboration of the Guardia di Finanza. In particular, the set of investigations indicated leads to considering the activities carried out by the various subjects referred to in the previous point 1 and by the numerous collaborators who revolved around them, as unequivocally aimed at carrying out a massive procurement of contracts for the supply of energy services through illicit methods.

These contracts were found to be largely channeled towards the energy company Acea Energia S.p.A., which was able to avail itself, from 2020 to 2021, of the direct collaboration of M.G. Company. Upon termination of the formal relationship with M.G. Company, which took place in March 2021, the contract procurement activities on behalf of Acea Energia continued with the Individual Company Stefanelli Federica (whose owner was a collaborator of M.G. Company from 2019 to 2022) which, between 2022 and 2024, sent the energy company a volume of contracts relating to approximately 27,000 supply points, collecting over two million euros in commissions.

It should be noted that, despite the alternation of different subjects in the formal collaboration relationships with Acea Energia, the inspections made it possible to detect the substantial continuity of the contract procurement activities in favor of Acea Energia, and this within a system that had its organizational center in the offices of M.G. Company. Furthermore, although the mandate given to D.I. Stefanelli was formally limited to “door-to-door”, the actual operation with which the contracts for Acea were concluded fell within a teleselling activity (moreover, illicit and with the use of fraudulent methods). As mentioned, Acea formally terminated the collaboration with M.G. Company in March 2021 and, subsequently in August 2022, entrusted the same mandate (formerly of M.G. Company) to D.I. Federica Stefanelli, a former collaborator of the same M.G. Company, who made use of the staff and call centers of M.G. Company for the commercial activities of concluding the contract proposals on behalf of Acea.

That said, the Authority, based on the specific defensive observations, is primarily called upon to assess whether the declared lack of knowledge of a factual state by Acea, which benefited from the illicit processing, carried out on a large scale, with fraudulent means by its partners, and which is the consequence of omissions on its part, is in some way justifiable or whether such a situation, due to the characteristics of the specific case, is, instead, to be considered inexcusable and, therefore, relevant from the point of view of liability within the framework of the legislation on the protection of personal data.

In other words, it is necessary first of all to assess whether the unlawful conduct carried out by the Stefanelli company and, through it, by M.G. Company - allegedly carried out in breach of the instructions given by Acea as well as of what was contractually agreed - is also attributable to Acea itself, not only because of the economic benefit obtained, but also in consideration of the adequacy of the control measures adopted by the client in order to prevent, as far as is known in the state of the art and on the basis of the expected professional diligence, conduct of the type implemented in the case in question.

Furthermore, in the particular context of energy supplies, characterized by the presence of a large "undergrowth" of agencies that operate illegally by contacting millions of customers by telephone, several times a day, and who then try to remedy this deteriorating practice by making the related contracts appear as if they were made through door-to-door activities, the question that must be asked is whether or not a major player such as Acea Energia was aware of this massive phenomenon, which is constantly addressed in debates, parliamentary initiatives and also in the activities of at least four independent administrative authorities (Guarantor, AGCOM, AGCM, ARERA), and had developed the necessary "antibodies" to activate precisely in the presence of suspicious practices and business volumes.

The answer that can be drawn, even before the analytical examination of the specific disputes, is that Acea Energia, although aware of the risks inherent in a widespread promotional activity carried out through a vast network of external agencies, was not able to intercept a phenomenon of enormous dimensions whose profitable results flowed into its own company systems, a phenomenon that, it should be remembered, originated from the illicit acquisition of switch-out lists, then continued with the massive telephone contact of tens of thousands of customers who were threatened with economic damages if they did not accept the offers, and ended with the creation of almost 30,000 supply contracts in favor of Acea in the short space of a year and a half, formally conveyed by an individual company that appeared to have only one employee. 

4.2. Fault “in eligendo” and “in vigilando”

As anticipated, the defense arguments presented by Acea Energia do not make it possible to exclude its liability in relation to the violations contested, for the following reasons, to be considered together with the observations already expressed in the aforementioned notice of contestation.

Acea’s entire defense line is based on the lack of knowledge of the involvement of M.G. Company in the data processing, due to the circumstance that D.I. Stefanelli had not correctly indicated the company as its sub-processor; this situation, moreover, would have generated in Acea the belief that all the collaborators of D.I. Stefanelli, including the legal representative of M.G. Company and 16 of its employees and collaborators, were included in the structure of the same agency and, therefore, fell within the scope of art. 29 of the Regulation.

Furthermore, Acea also declared that it had no knowledge of the teleselling activities carried out for the conclusion of the contract proposals uploaded by D.I. Stefanelli.

For the violations that can be traced back to this profile, Acea, with its own briefs, stated that “it is quite clear that Acea Energia was in no way aware of the existence of a sub-processor of D.I. Stefanelli as it was never communicated by the company either in advance at the time of signing the contract, or during its execution. In confirmation of this, the Undersigned clarifies that the absence of specific designations as data processors or sub-processors in relation to Ms. XX and Ms. XX is due to the fact that they were included, as far as the Undersigned is aware, in the administrative staff of D.I. Stefanelli, which should have proceeded to designate the XX, as persons authorised to process, pursuant to art. 29 of the Regulation, and not as sub-processors”.

Therefore, from a systematic point of view it is considered appropriate to address this issue (excusability of the possible “not knowing” of the conduct of its partners), before proceeding to specific assessments relating to the findings of the investigation, which also include the extensive documentation regarding the direct relationships between Acea and M.G. Company.

First of all, it is necessary to evaluate the adequacy of the checks carried out by Acea to reach the conviction that D.I. Stefanelli presented those sufficient guarantees referred to in art. 28 of the Regulation.

In this regard, the Company stated that "For example, Acea Energia carries out, in line with its internal procedures, an integrity check on potential BPs as well as on their directors/shareholders using a platform made available by Cerved, which returns a summary data with evidence of any critical elements (so-called red flags) based on the information collected in terms of type of corporate structure, presence of politically exposed individuals, presence of any proceedings or convictions against the BP or its representatives. In this regard, it should be noted that, before proceeding with the contractualization of the Stefanelli Company (which took place in August 2022), Acea Energia carried out the aforementioned check and the platform did not return evidence as per the reports archived at the undersigned Company".

Yet, from what has emerged, the Chamber of Commerce certificate of its agent is missing from the documentation collected and assessed by Acea; consulting it would easily have shown that, in relation to the years 2022-2024, D.I. Stefanelli had employed only 1 employee in the business, namely the owner Stefanelli herself. Furthermore, the checks that Acea declared to carry out are only aimed at verifying a generic compliance with the requirements of honorability and the absence of previous crimes of the contractual counterpart; profiles that are certainly relevant in the selection of any supplier but that do not provide particular information regarding the suitability of the partner to cover the role of manager in the specific processing implemented.

On this point, it is useful to recall the Guidelines 07/2020, according to which “94. The data controller has the duty to employ «only processors providing sufficient guarantees to implement appropriate technical and organizational measures», so that the processing meets the requirements of the GDPR, including with regard to the security of the same, and ensures the protection of the rights of the data subjects. The data controller is therefore responsible for assessing the adequacy of the guarantees presented by the data processor and should be able to demonstrate that it has taken into serious consideration all the elements referred to in the GDPR.

95. The guarantees «presented» by the data processor are those that the data processor is able to demonstrate to the satisfaction of the data controller, these being the only ones that can actually be taken into account by the data controller in assessing the fulfillment of his obligations. This will often require an exchange of relevant documentation (e.g. privacy policy, terms of service, records of processing activities, log management mechanisms, information security policy, external data protection audit reports and recognised international certifications, such as the ISO 27000 series). […]

97. The data controller should take into account the following elements in order to assess the adequacy of the guarantees: the specialist knowledge (for example, technical skills in security measures and data breaches), the reliability and resources of the data processor”.

From the evidence collected, however, it emerged that D.I. Federica Stefanelli was substantially lacking its own structure and resources, so much so that, to carry out the “door-to-door” commercial activity on behalf of Acea, it made use of collaborators and structures of the company M.G. Company, as emerges from the assignments in place between the two companies from 2022 to 2024 and from the fact that 18 collaborators indicated to Acea as its own were, in reality, employees, collaborators and even legal representatives of M.G. Company.

Acea therefore entrusted the processing of personal data of its customers to D.I. Stefanelli who, due to its size and experience in the sector, did not present sufficient guarantees to implement adequate technical and organizational measures to ensure the application of the protections prescribed by the Regulation; nor, moreover, does it appear that Acea has ever carried out audits on its partner, either during the selection phase or subsequently.

With regard to relationships with employees and collaborators of M.G. Company, Acea itself, in a note dated 3 October 2024, stated that it had continued "to maintain commercial relationships with the following names [...] these are, in fact, runners/collaborators who, after having worked for MG Company s.r.l., operated as runners for the company Stefanelli Federica [...]".

The names indicated are 16 to which must be added those of Ms XX and Ms XX who, despite their respective roles as legal representative, the first, and previous legal representative, the second, of M.G. Company, according to what Acea claimed, should have carried out only “administrative activities (for example, invitation to invoice, application of penalties, etc.) and back office, as well as aimed at recruiting runners and in any case did not carry out sales activities” on behalf of Stefanelli.

On this point, first of all, it is represented that Acea has not provided any evidence of what has just been reported, neither with regard to the request of its agent, nor above all of the purely administrative role of the XX sisters. During the hearing, on this point, Acea stated that “We knew instead that Stefanelli would have made use of the XX sisters due to their experience and due to Stefanelli’s lesser experience, in a logic of tutoring, back-office activities and administrative support. And this was also plausible due to the constant use of Stefanelli’s email and not those of MG Company”. Furthermore, from the conversations between XX and Mrs. XX, head of the Mass Market Sales Unit of Acea, conversations acquired in the records following the hearing of the M.G. Company, it emerges that the representative of the aforementioned company had a decision-making role that went well beyond the mere performance of administrative activities for Stefanelli, being able to agree, in person, and obtain from XX: the expansion of the number of contracts that could be carried out (so-called CAP); the commercial training of personnel; the intervention and the likely “accommodation” on the blocks caused by instant calls (calls to verify the presence of the door-to-door seller at the customer's home – see file “WhatsApp Audio 2024-12-05 at 14.36.262 in which XX reassures XX "now I've found a solution just...for your people and that's it" or see file “WhatsApp Audio 2024-12-05 at 14.29.15” in which XX addresses XX saying “I'm on instant calls too to cover your ass”); furthermore, from the file “WhatsApp Image 2024-12-05 at 15.15.42 (1)” it emerges that, in response to XX's complaints regarding the recognition of commissions, XX responded “You tell me. I advised you. Then if you don't want to go on any longer, that's another matter. I support you more than you should”.

In light of these findings, which among other things reinforce the unsuitability of D.I. Stefanelli, in relation to the provisions of art. 28 of the Regulation, it emerged from the documents (per tabulas) that:

- as anticipated, from the Chamber of Commerce register of D.I. Stefanelli, the same from 2022 to 2024 employed only 1 employee, namely the same owner of the company. This implies that all the collaborators associated with the same individual company could only be subjects external to the same structure whose actual classification had to be the subject of specific checks by Acea;

- from the Chamber of Commerce register of M.G. Company, Ms. XX was and is the legal representative of the same M.G. Company, therefore her inclusion as a subordinate collaborator in the structure of D.I. Stefanelli does not seem to adhere to the documentary reality, taking into account the weight, in commercial terms and experience, of M.G. Company compared to D.I. Stefanelli and the fact that the two corporate entities operated in the same context, taking turns in carrying out the same commercial activity.

Both circumstances were quite easy to verify with a simple consultation of the information available in the Company Register and with a preliminary audit at the registered office of Stefanelli, but, from Acea's statements, no such verification appears. In this case, moreover, Acea's previous knowledge of Ms. XX's role as legal representative of M.G. Company should have made it necessary to carry out checks aimed at ascertaining that M.G. Company did not carry out, as in the past, telemarketing activities on behalf of the sole proprietorship Stefanelli, and therefore of Acea, and should have highlighted the need to verify the actual corporate size of the aforementioned sole proprietorship, also in order to ascertain whether XX, and her sister XX, the previous owner of M.G. Company, were actually mere collaborators of Ms. Stefanelli, or held the role of hidden owner of the overall business activity.

It should in fact be specified that M.G. Company and its legal representatives were well known to some Acea corporate representatives who, by virtue of their role, had established direct and long-term contacts with them. Furthermore, from what emerged from the parallel investigation and the proceedings initiated against M.G. Company, the frequentation between the Acea representative, Ms. XX, and the XX sisters, even during the contract with D.I. Stefanelli, was constant and also went beyond the simple working context.

Greater caution, moreover, should have been suggested also by the critical issues, now well known, of the energy market and of the phenomenon of the so-called undergrowth as well as the use of lists of illicit origin which, according to what Acea declared, the energy company knew well enough to have also filed a complaint in 2021, indicating Ms. XX as a person aware of the practice indicated.

Based on the above considerations, it is clear that Acea's alleged unawareness of the unfair practices in use at D.I. Stefanelli, also through M.G. Company, cannot be reasonably invoked, since the energy company had at its disposal all the information necessary to initiate a process of checks and controls on its partners aimed at ascertaining the real nature of their activities, checks and controls which, from what emerged in the investigation, do not appear to have been implemented at the time of the facts.

Based on the above observations, it is therefore possible to analyse the liability profiles relating to the individual objections formulated in the act initiating the procedure.

a) articles 5, par. 1, letter a), 6, 7 and 13 of the Regulation, as well as 130 of the Code;

In order to affirm the existence of the violation in question, it must first be observed that the circumstance that Acea's sales manager, Ms XX, during the term of office with D.I. Stefanelli, carried out commercial training activities for personnel allegedly belonging to Stefanelli but, in fact, recruited by M.G. Company constitutes unavoidable external evidence (among the material in the files - also provided to Acea in the defense phase - there is, for example, the poster of a training course organized in Pomezia on 14 October 2022 where the logo of M.G. Company appears together with that of Acea Energia).

Furthermore, still with regard to the organization of the said course, it turned out that Ms. XX made specific requests to XX because “those from Turin also had to come down”. From the inspection checks carried out, the Turin collaborators are connected to another company of the so-called undergrowth identified, specifically, as Ditta Individuale XX, operationally linked to both M.G. Company s.r.l. and Diemme Group di Di Vico Luigi. From the tenor of the conversations reported in the documents, it is clear that Ms. XX was aware of the subject of the conversation, having agreed to XX's requests to also take into account the represented needs of “those from Turin”.

It follows that, despite the formal termination of relations with M.G. Company, this in practice - from the second half of 2022 to the spring of 2024 - was instead fully active in the procurement and conclusion of contracts on behalf of Acea, and this occurred without the energy company having adopted adequate security measures to intercept and detect this activity. 

On the other hand, there is no doubt that the processing carried out by the M.G. Company call centers is to be attributed to the ownership of Acea and that the same processing generated, between 2022 and 2024, contracts for approximately 27,000 supply points, guaranteeing commissions to the Stefanelli Company, paid by Acea, for over two million euros.

The operating methods found included, as mentioned, the use of "non-consented" lists and of presumably illicit origin, the failure to communicate the information to the interested parties and the use of artifices in order to induce the interested parties to sign the supply contract with Acea, conduct that M.G. Company was able to implement for two years precisely because of the substantial acquiescence of the energy company which, through the constant dialogue with Ms. XX, provided explicit approval for all the practices conducted in person by M.G. Company, to the point of interceding with the external subjects responsible for the control activities through the so-called instant calls, to unblock practices evidently considered non-compliant.

It is worth specifying that the instant calls were carried out to prove that the supply contract was signed in the customer's home and therefore in door-to-door mode, while the intervention of Mrs. XX casts a shadow on the effective control procedure, given that an official from the commercial sector of Acea personally intervened with the external entities responsible for the control.

In this context, the passive approach of Acea, which limited itself to stating that D.I. Stefanelli had hidden the involvement of M.G. Company, represents a merely formalistic application of data protection that ends up exempting the owner from responsibility, and this is in total contrast with the principles of the Regulation and with the provisions adopted by the Guarantor on the subject. Marketing activities carried out by third parties - and the related responsibility of the clients - have been the subject of so many and constant rulings by the Guarantor that they can now be considered consolidated especially among large economic operators who make massive use of these channels(1). The Guarantor has repeatedly recalled that the entire structure of the Regulation is based on the accountability of the data controller. The latter, by acquiring in its systems the personal data of the subjects who, after being contacted, have accepted the offers proposed, should adopt particular guarantee measures in order to prove that such contracts originate from contacts made in full compliance with the provisions on the protection of personal data, in particular those referred to in Articles 5, 6 and 7 of the Regulation relating to consent, as well as the provisions of Article 130 of the Code.

According to the constant interpretation of this Authority, the subjects who act on behalf of the principal, generating a legitimate expectation in the recipients of the communications regarding the actual ownership of the promotional contact, are qualified as data controllers. And this qualification in relation to the legal relationships between the parties can be considered to exist even in the case in which the subject who physically makes the contact, while remaining unknown to the data controller, actually creates a contractual relationship similar to that in place with the directly contracted partners.

This address has been developed with particular regard to the context of telephone and automated marketing, taking into account the high level of risk determined by the numerous illegalities generated by the lack of control of the supply chain, as ascertained in years of verification activities. The same reasoning can however also be applied to door-to-door promotional activities which present critical issues, also well known both to the market and to the control authorities, critical issues which, as mentioned, largely derive from the circumstance that the activity at the customer's home is often preceded by illegal promotional telephone contacts.

In this context, the justification of a client of the calibre of Acea Energia based solely on the alleged ignorance of conduct that it was instead required to control can hardly be accepted, since the illegalities that emerged from this investigation should have been considered among the foreseeable circumstances: the "strengthening" of the door-to-door results through preliminary and unauthorised telephone contacts is a conduct that has already emerged in the sector; this eventuality should have been taken into account and avoided through ordinary means of control of the results achieved by the agents, especially in the case in which these were particularly distant from what was reasonably expected.

b) art. 5, par. 1, letter a) and 28 of the Regulation;

Recalling the observations already expressed in the section relating to the fault “in eligendo” and “in vigilando”, it must be reiterated that the circumstance that Acea was not aware of the factual situation or that, indeed, it was convinced that Ms XX were “in the administrative staff of D.I. Stefanelli”, demonstrates that the organizational measures for the checks required by art. 28 of the Regulation were not adequate, especially in the face of a rather widespread phenomenon such as the one in question.

Added to this shortcoming is the lack of an auditing plan for the companies designated as data controllers, as emerges from the declarations made by Acea during the inspection.

c) art. 24 and 25 of the Regulation;

The fact that Acea did not know the real circumstances of the data processing carried out on its behalf and the involvement of M.G. Company, moreover due to shortcomings attributable to it, does not relieve the Company, which is required to adopt suitable measures to prevent such events, of its responsibility. Therefore, despite the preparation of procedures and measures deemed suitable and adequate by the Company, conduct that did not comply with the regulatory provisions was carried out in practice by individuals who, even when "unknown" to Acea, operated in the interest of the latter.

In this regard, from a systematic perspective, it is necessary to reiterate that the regulatory provisions (articles 24 and 25 of the Regulation) outline a precise framework of general responsibility weighing on the data controller, not only in the sense of requiring the latter to adopt adequate and effective measures to ensure compliance with the regulations on the protection of personal data but also in the sense of requiring that the controller demonstrate, in concrete terms and with evidence, the conformity of any processing activity that he has carried out directly or that others have carried out on his behalf (see also “whereas” no. 74 of the Regulation). It is therefore necessary to provide evidence of overall assessments carried out on the characteristics of the processing, on the risks associated with them and on the effectiveness and adequacy of the measures adopted on a case-by-case basis. Effectiveness and adequacy that can only be tested and demonstrated through structured and systematic verification and audit mechanisms that, in this case and by Acea’s own admission, had not been implemented.

The rationale of the above provisions lies in the need to ensure that the set of obligations regarding the protection of personal data is not reduced to a merely paper-based assembly, as already mentioned above, and that the "chain" of responsibilities in the context of processing does not provide for undue "buck-passing" but is always, ultimately, attributable to the owner. The latter, in fact, is the primary driver of the complex mechanisms that determine the compatibility of the various activities carried out with the provisions of the Regulation and the Code aimed at allowing the interested party full control of their data and the full exercise of their rights and freedoms.

The principle of accountability, therefore, outlined both in a legal perspective (art. 5, par. 2 and art. 24) and in a more modern technological dimension (art. 25), involves overcoming an exclusively formalistic logic and requires the data controller to prepare systematic verification mechanisms, both ex ante and ex post, of compliance with the legislation on the protection of personal data by all the subjects involved in the chain of processing that concern him, which can be traced back to him or that can bring advantages, including economic ones, to the data controller.

The scenario reconstructed at the end of the investigative activities by the Guarantor has brought to light a system of illicit processing of personal data that, in various aspects, was known or, at least, knowable by Acea itself and its commercial branches and which, ultimately, has determined economic advantages for Acea to the detriment of the protection of the rights of the interested parties.

In this context, therefore, there are symptomatic factual elements that Acea was unable to intercept, to which are added further circumstances that strengthen the belief that Acea was aware of the involvement of M.G. Company in the signing of the contract proposals, at least in the person of Ms. XX.

In fact, although Acea and Ms. XX have clarified some of the contested aspects (the content of some chats relating to alleged commissioning activities), it emerged that the latter directly contacted Ms. XX for issues relating to:

- production volumes, indicating "we need to increase the XX numbers" or that the contracts she was making were too many and that "[…] if in July you give me the best, I will burn all those 400 pieces [editor's note: the contracts] that I managed to give you with sweat [...] for August I hope you have other strategies [...]";

- the contractual volumes covered by the agency contract (“I went to great lengths to get you to give me the pieces” and again “[…] I even gave you 400 pieces from another agency […]”);

- the nature of the activity to be carried out (“you also do door-to-door” – a phrase referring to the need to invoice the income as a whole, including “also” the door-to-door activities, which instead should have been the exclusive source of remuneration);

- the fact that there were “New Agents who are walking around without a badge”;

- the M.G. Company store and the number on the window (“The number on the window. They are checking everything. Please have it changed if you can”), dated after the inspection and the television reports of March 2024.

Furthermore, there are numerous exchanges in which the confidentiality between the interlocutors is evident, making it difficult to maintain total ignorance of the involvement of M.G. Company.

Therefore, the Authority believes that Acea could and should have known about M.G. Company's involvement in the management of its customers' data and contracts concluded in its interest, but also that it could have avoided, through appropriate processes (connected to the obligations set forth in the aforementioned Articles 24 and 25 of the Regulation), the performance of unauthorized teleselling activities. The failure to activate such processes, which continued from 2022 to 2024, represents a non-excusing circumstance: Acea, in fact, could have overcome the critical issues that the collaboration with M.G. Company and the Stefanelli Company could have determined by using the diligence required, in this case, of a primary national reality.

This interpretative approach also seems to be in line with the constant jurisprudence of the Supreme Court, with reference to the principle according to which "everyone is responsible for their own action or omission, conscious and voluntary, whether intentional or negligent", as indicated by art. 3 of Law 689/81: this consolidated approach states that “the rule places a presumption of guilt in relation to the prohibited act on the person who committed it, reserving to the latter the burden of proving that he acted without fault” (see Cass. 10508/1995; no. 7143/2001; no. 8343/2001; no. 14107/2003; no. 5304/2004; no. 15155/2005; no. 20930/2009; 9546/2018; no. 1529/2018; no. 4114/2016). The Authority does not believe that Acea has fulfilled the aforementioned burden of proof, strengthened by the specific provisions on accountability and privacy by design provided for by the Regulation.

d) art. 5, par. 1, letter f) and 32 of the Regulation;

The findings of the investigation lead to the belief that specific elements connected to the correct configuration of Acea's IT systems in terms of security, subsequently adopted, could have been prepared in order to prevent the unauthorized activities carried out by Ditta Stefanelli and M.G. Company (and potentially also by other subjects), from determining the conclusion of supply contracts subsequently transferred to the energy company's personal data assets.

In fact, Acea declared that it had authorized, as runners, 16 employees from M.G. Company on the assumption that they belonged to the structure of D.I. Stefanelli and without verifying that these subjects were actually included in the company's corporate structure and authorized to process personal data.

Nor does it appear that these subjects had received specific training in data protection on behalf of Acea and for the correct use of its IT platforms. Two of these runners associated by Acea with D.I. Stefanelli not only worked at M.G. Company but also managed the call centers of two of the offices of the indicated company and concluded the contracts on behalf of Acea by operating as telesellers and then uploading the contract proposals to Acea's systems dedicated to door-to-door. In particular, among the runners of D.I. Stefanelli - who Acea has registered in its systems - were Mr. XX and Mrs. XX. Well, from the inspections conducted by the Guardia di Finanza and the Office at the offices of M.G. Company and D.I. Stefanelli it emerged that:

- Mr. XX managed the Latina call center of M.G. Company as a collaborator of D.I. Stefanelli Federica;

- Mrs. XX managed the Ladispoli call center of M.G. Company as a collaborator of the same M.G. Company.

Furthermore, among the runners of D.I. Stefanelli there was also Mr. XX who, again from the inspection activities conducted on March 26, 2024 at the offices of M.G. Company, was indicated as the previous manager of the Ladispoli call center of M.G. Company. Therefore, Acea enabled the employees and collaborators of M.G. Company, considering them runners of D.I. Stefanelli, to access its systems even though they operated for a subject (M.G. Company, precisely) not formally included in its commercial chain and, therefore, not authorized to access. Furthermore, it was verified that even the individual call center operators of M.G. Company (and not the runners) accessed Acea's systems with the same account issued by Acea to accredited subjects (for example, the account used by the various call-center operators was that of XX, one of the runners of D.I. Stefanelli) and this was also possible due to the absence, at the time of the facts, of access control measures and of a ban on multi-session access with the same account, a circumstance also confirmed by Acea in its defense.

In addition to the above, during the inspection phase a further significant circumstance emerged that could have indicated a method of concluding contracts other than door-to-door: in particular, by accessing Acea's systems and activating a simple query it was found that one of the runners of D.I. Stefanelli had managed to conclude two contracts in six minutes (the first at 9.14, the second at 9.20 on March 26, 2024) in relation to two customers more than 100 km apart, and then returned within a short period of ten minutes to the Ladispoli headquarters of M.G. Company, where the inspection activities were taking place.

These temporal and geographical indications were not analyzed by Acea, nor did the systems raise any alert on them; an analysis of these elements could instead have allowed verifying the correctness of the processing carried out by the runners and its compliance with the type of contract (teleselling or door-to-door) in place with the specific agency.

That said, the Authority cannot but welcome all the initiatives and implementations of the control procedures that Acea indicated in its defenses and during the hearing (reported in the previous point 3) and which, however, are all subsequent to the contested facts and, therefore, can constitute a valid mitigating element in the measurement of the sanction to be imposed.

However, it should be emphasized that, among those described, the only measure indicated by Acea and already present since 2023 was the one relating to the manual and random comparison between the geolocation address of the place from which the contract proposal is uploaded and the customer's headquarters; this measure, however, did not allow Acea to intercept some of the anomalies indicated above and, in fact, was subject to review by the Company which, to date, carries out such checks in an automated manner.
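The controls this section describes as missing or only manual (a ban on multi-session use of one account, analysis of the time and place of consecutive contracts, and the comparison between upload geolocation and customer address) can be expressed as simple detection logic. The following is an added illustration, not part of the decision and not Acea's system; the record layout, runner ids, coordinates, addresses and thresholds are constructed assumptions.

```python
"""Plausibility checks for door-to-door contract uploads (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Upload:
    runner: str            # account that uploaded the contract proposal
    signed_at: datetime    # time recorded on the proposal
    customer: tuple        # (lat, lon) of the customer's address
    uploaded_from: tuple   # (lat, lon) reported by the uploading device


@dataclass(frozen=True)
class Session:
    account: str
    source: str            # client address or device identifier
    start: datetime
    end: datetime


def km_between(a, b):
    """Great-circle distance in km (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(uploads, max_kmh=130.0):
    """Consecutive contracts by one runner that imply a speed above max_kmh."""
    by_runner = defaultdict(list)
    for u in uploads:
        by_runner[u.runner].append(u)
    flagged = []
    for runner, items in by_runner.items():
        items.sort(key=lambda u: u.signed_at)
        for prev, cur in zip(items, items[1:]):
            hours = (cur.signed_at - prev.signed_at).total_seconds() / 3600
            dist = km_between(prev.customer, cur.customer)
            # Zero elapsed time with non-zero distance counts as infinite speed.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed > max_kmh:
                flagged.append((runner, prev.signed_at, cur.signed_at, round(dist, 1), speed))
    return flagged


def off_site_uploads(uploads, max_km=0.5):
    """Uploads whose device location is farther than max_km from the customer."""
    return [u for u in uploads if km_between(u.customer, u.uploaded_from) > max_km]


def shared_accounts(sessions):
    """Accounts with simultaneous sessions -> (peak concurrent sessions, sources)."""
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s.account].append(s)
    result = {}
    for account, items in by_account.items():
        events = [(s.start, 1) for s in items] + [(s.end, -1) for s in items]
        events.sort()  # at the same instant a close (-1) sorts before an open (+1)
        live = peak = 0
        for _, delta in events:
            live += delta
            peak = max(peak, live)
        if peak > 1:
            result[account] = (peak, sorted({s.source for s in items}))
    return result


def t(hhmm):
    return datetime.strptime("2024-03-26 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample data: ids, coordinates and addresses are invented.
A, B = (42.00, 12.00), (41.00, 13.00)   # two customer addresses about 139 km apart
OFFICE = (41.95, 12.07)                 # constructed call-center location
UPLOADS = [
    Upload("runner-01", t("09:14"), A, OFFICE),
    Upload("runner-01", t("09:20"), B, OFFICE),
    Upload("runner-02", t("10:00"), (41.900, 12.500), (41.9001, 12.5001)),
    Upload("runner-02", t("10:45"), (41.910, 12.520), (41.9101, 12.5201)),
]
SESSIONS = [
    Session("runner-01", "192.0.2.10", t("09:00"), t("12:00")),
    Session("runner-01", "192.0.2.11", t("09:05"), t("11:30")),
    Session("runner-01", "198.51.100.7", t("09:10"), t("10:00")),
    Session("runner-02", "203.0.113.5", t("09:50"), t("11:00")),
]

if __name__ == "__main__":
    for flag in impossible_travel(UPLOADS):
        print("impossible travel:", flag)
    for u in off_site_uploads(UPLOADS):
        print("uploaded away from customer:", u.runner, u.signed_at)
    print("shared accounts:", shared_accounts(SESSIONS))
```

In the constructed data, the two contracts six minutes apart imply a speed of well over 1,000 km/h, and the same account shows three simultaneous sessions from different sources.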

5. CONCLUSIONS

For the above reasons, the responsibility of Acea Energia S.p.A. is deemed to be established with regard to the following violations:

a) art. 5, par. 1, letter a), 6, 7 and 13 of the Regulation, as well as 130 of the Code, for having allowed third parties to make promotional telephone contacts, using lists of personal data acquired in the absence of specific consent and in the absence of the release of prior information, lists for which the lawful methods of data collection and acquisition of consent for commercial and promotional purposes were not proven;

b) art. 5, par. 1, letter a) and 28 of the Regulation, for having factually entrusted M.G. Company s.r.l. with the processing of contracted customer data, in the absence of a regular designation as data controller or sub-controller;

c) art. 5, par. 1, letter f) and 32 of the Regulation, for having allowed M.G. Company employees to access Acea Energia S.p.A.'s IT systems in the absence of the designations indicated in the previous point;

d) art. 24 and 25 of the Regulation, for having failed to implement organizational measures, checks and controls, suitable to verify that the marketing activities carried out by the Sole Proprietorship Stefanelli Federica, also in light of the number of contracts signed, were carried out in compliance with the "door-to-door" sales mandate and with the legislation in force regarding the protection of personal data, therefore without the use of illicit telemarketing and teleselling tools.

Furthermore, it is useful to make some considerations regarding a “system” that, from the inspections carried out by the Guardia di Finanza and subsequent investigative activities, has allowed us to outline an extremely serious and alarming picture in relation to the complex of activities that, ultimately, was fueled by the commissions paid by Acea itself.

These activities were found to be carried out with constant non-compliance with the provisions on the protection of personal data, so that the entire system of processing carried out by the companies involved was found to be completely unsuitable to allow the interested parties to exercise the necessary control over their data, also violating the fundamental principles of correctness and transparency established to protect any processing. Furthermore, the activities were found to be carried out in contempt of the provisions that allow us to stem the phenomenon of wild telemarketing and to bring to light the so-called “undergrowth” that operates on the margins of the official sales networks of energy companies and that the latter have shown themselves unable to address.

It follows that extremely relevant personal information has passed from hand to hand, without any guarantee of the correctness of the actions of the numerous subjects involved and of the security of the data processed, thus further fueling the sources of supply of wild telemarketing and generating a vicious circle of nuisance calls and illicit contacts - sometimes even with threatening and insulting tones - completely unrelated to the intent of offering the customer economically advantageous services and linked only to the need to increase the number of promotional initiatives, contracts signed and profits made by the companies.

Therefore, having ascertained the unlawfulness of Acea Energia's conduct with reference to the processing under examination, it is necessary to:

- order Acea Energia, pursuant to art. 58, par. 2, letters d) and e) of the Regulation, to communicate to all interested parties, whose personal data have flowed into the Company's systems following the illicit acquisitions by D.I. Stefanelli and M.G. Company s.r.l., the results of today's proceedings based on a text to be agreed with the Authority when applying this provision;

- order Acea Energia, pursuant to art. 58, par. 2, letter d) of the Regulation, to adequately check that the agencies enter into contracts with any sub-agents that are fully compliant with the standard contract stipulated between Acea Energia and the agencies themselves and in which the distribution of responsibilities in the processing of personal data is clearly explained as indicated by art. 28 of the Regulation;

- adopt an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application against Acea Energia of the administrative pecuniary sanction provided for by art. 83, par. 3 and 5 of the Regulation

6. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Acea Energia of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5 of the Regulation (payment of a sum of up to € 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous financial year, if higher);

To determine the maximum fine of the pecuniary sanction, it is therefore necessary to refer to the turnover of Acea Energia, as obtained from the latest available financial statement (31 December 2023) in accordance with the previous provisions adopted by the Authority, and therefore this maximum fine is determined, in the case in question, at 91,000,983,270 euros.

To determine the amount of the sanction, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation;

In the case in question, the following are relevant:

- the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purposes of the data processed, attributable to the overall phenomenon of unwanted promotional contacts, in relation to which the Authority has adopted, in particular in the last five years, numerous measures that have fully examined the multiple critical elements by providing data controllers with numerous indications to adapt the processing to the legislation in force and to mitigate the impact of nuisance calls on the interested parties; also taking into account the number of subjects involved (based on the approximately 27,000 distribution points affected by the contracts conveyed by the Individual Firm Stefanelli and by M.G. Company) and the duration of the illicit activities (from 2022 until March 2024, activities interrupted only following the inspection activities carried out by the Authority);

- as an aggravating factor, the grossly negligent nature of the violations, resulting from omissions carried out with awareness and will that have in fact weakened the security measures and the system of controls and accountability of the various parties operating in the Acea Energia sales network, taking into account the level of professional diligence that could be expected from a controller of the calibre of Acea Energia (Article 83, paragraph 2, letter b) of the Regulation);

- as an aggravating factor, the degree of responsibility of the controller (Article 83, paragraph 2, letter d) of the Regulation) due to the ineffectiveness of the technical and organizational measures, which did not allow the interception of the illicit activities carried out by Ditta Stefanelli and M.G. Company and which, in some cases, allowed their consolidation, as well as due to the primary role that Acea Energia plays in the Italian energy market;

- as a mitigating factor, the circumstance that Acea Energia introduced, following the investigations involving it, a significant series of measures (Article 83, paragraph 2, letter c) of the Regulation), which affected the management phase of individual runners, IT security and the identification of the chain of responsibility from the first contact to the final contract;

- as a mitigating factor, the significant collaboration with the Authority, both during the inspection activities and in the continuation of the investigation and the procedure, which leads to considering favorably the commitment of the energy company in the adoption of effective future measures aimed at countering the phenomenon of illicit promotional contacts (Article 83, paragraph 2, letter f) of the Regulation).

Based on the set of elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by Article 83, paragraph 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and the freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction of the payment of a sum of €3,000,000 should be applied to Acea Energia, equal to 3.26% of the maximum statutory sanction and 0.13% of the annual turnover.

In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, taking into account the particular seriousness of the violations and the disvalue of the conduct both with reference to the evasion of the legislation to combat unwanted promotional contacts, and with regard to the number of subjects involved and the potential economic damage suffered by them.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letters a) and h), of the Regulation, declares the processing described in the terms set out in the reasons carried out by Acea Energia S.p.A., with registered office in Rome, Piazzale Ostiense n. 2, VAT no. 07305361003, to be unlawful and, consequently:

a) orders Acea Energia, pursuant to art. 58, par. 2, letters d) and e) of the Regulation, to communicate to all interested parties, whose personal data have been entered into the Company's systems following the unlawful acquisitions by D.I. Stefanelli and M.G. Company s.r.l., the results of today's proceedings based on a text to be agreed with the Authority when applying this provision;

b) orders Acea Energia, pursuant to art. 58, par. 2, letter d) of the Regulation, to adequately check that the agencies enter into contracts with any sub-agents that are fully compliant with the standard contract stipulated between Acea Energia and the agencies themselves and in which the distribution of responsibilities in the processing of personal data is clearly explained as indicated by art. 28 of the Regulation;

c) orders Acea Energia, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation.

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, to Acea Energia S.p.A., in the person of its legal representative pro-tempore, with registered office in Rome, piazzale Ostiense n. 2, C.F. 07305361003, to pay the sum of €3,000,000.00 (three million/00) as an administrative pecuniary sanction for the violations indicated in the reasons; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €3,000,000.00 (three million/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

a) the publication of this provision, pursuant to art. 154-bis of the Code and 37 of Regulation no. 1/2019, as well as the application of the accessory sanction of the publication on the website of the Guarantor of this injunction order, as provided for by art. 166, paragraph 7 of the Code and 16 of the Guarantor Regulation no. 1/2019;

b) the annotation of this provision in the internal register of the Authority - provided for by art. 57, par. 1, letter u), of the Regulation, as well as by art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor - relating to the violations and measures adopted in accordance with art. 58, par. 2, of the Regulation itself.

Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 10 April 2025

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE ACTING SECRETARY GENERAL
Filippi

 

 

 


----------

1) See, for example, in www.garanteprivacy.it provision of 15 June 2011, web doc. no. 1821257; provision of 9 July 2020, web doc. no. 9435753; prov. 12 November 2020, web doc. no. 9485681; prov. 25 March 2021, web doc. no. 9570997; prov. 13 May 2021, web doc. no. 9670025; prov. 16 December 2021, web doc. no. 9735672; prov. 11 April 2024, web doc. no. 1008019; prov. 11 April 2024, web doc. no. 1008076; prov. 6 June 2024, web doc. no. 10029424.

SEE ALSO Press release of 7 May 2025

 

[web doc. no. 10127930]

Provision of 10 April 2025

Register of provisions
n. 228 of 10 April

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

IN today's meeting, attended by Prof. Pasquale Stanzione, President, Prof. Ginevra Cerrina Feroni, Vice President, Dr. Agostino Ghiglia and Attorney Guido Scorza, members, and Dr. Claudio Filippi - Acting Secretary General;

HAVING SEEN Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter “Regulation”);

HAVING SEEN the Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003), as amended by Legislative Decree no. 101 of 10 August 2018, containing provisions for the adaptation of national legislation to the aforementioned Regulation (hereinafter the “Code”);

HAVING SEEN Guidelines 07/2020 on the “concepts of data controller and data processor under the GDPR”, version 2.0, adopted by the European Data Protection Board on 7 July 2021 (hereinafter also “Guidelines 07/2020”)

HAVING SEEN the documentation in the files;

HAVING SEEN the observations formulated by the Secretary General pursuant to art. 15 of the Regulation of the Guarantor no. 1/2000;

REPORTER Dr. Agostino Ghiglia;

WHEREAS

1. THE INVESTIGATIVE ACTIVITY CARRIED OUT

The Guarantor, in exercising the powers of investigation and control pursuant to Articles 157 and 158 of the Code, carried out some inspection activities in conjunction with the Special Unit for the Protection of Privacy and Technological Fraud of the Guardia di Finanza, following a complaint that the same Unit received from an editor of the television program "Striscia la notizia", Mr. XX.

In short, the complaint reported a phenomenon already known to the Authority, namely the activities of abusive call centers (without a formal assignment from the clients and not registered in the Register of Communications Operators - ROC - established at the Authority for Communications Guarantees - AGCOM) in possession of lists of subjects to be contacted by telephone to propose the activation of supplies of telephone or energy services (gas and electricity) also by switching from one operator to another.

In particular, starting from the information received from a former call center operator, the complaint denounced the unfair practices for the procurement of contracts in favor of Acea Energia S.p.A. (hereinafter also referred to as “Acea” or “Acea Energia” or the “Company”) implemented mainly by the company M.G. Company s.r.l., with registered office in Fiumicino and operational offices in Rome, Fiumicino, Ladispoli and Terracina.

M.G. Company was not formally included in the Acea commercial chain but used an agency directly contracted with Acea, the sole proprietorship Stefanelli Federica (hereinafter, "Stefanelli" or the "company"). In order to have potential customers sign electricity and gas supply contracts, it used the following operating scheme:

a) use of lists with data of users who had recently switched from one electricity and/or gas supplier to another (so-called "switch-out" lists);

b) suggestion of non-existent technical problems in the switch from the "outgoing" supplier to the "incoming" supplier to overcome distrust and induce the contacted parties to activate a supply with Acea, fearing the non-existent risk of receiving double billing from the two companies (the deactivated one and the new one in the process of being activated) with consequent economic damages for the customer;

c) presentation of the solution: the call center operator then proposed to the customer the solution of a “technical return” to Acea “for the time necessary to resolve the problem and align supplies”. This return would have occurred at extremely advantageous tariff conditions (with a 40% discount) due to the inconvenience suffered;

d) sending a door-to-door agent to sign the contract proposal: once the potential customer had been convinced to adhere to the proposed solution, the call center operator would schedule an appointment with what was called an “Acea representative”. The latter would then go to the customer’s home, not before receiving the audio file of the telephone conversations made via WhatsApp from the operator, and there proceeded to have a new contract signed with Acea. The sending of the audio file had the very purpose of informing the runner (i.e. the door-to-door salesman) of the fictitious arguments used to convince the potential customer in order to adopt more credible conversations during the home visit.

In other words, the contracts, the result of illicit promotional telephone contacts made by M.G. Company, during which misleading information was also conveyed and often in an aggressive and intimidating tone, flowed into Acea through the Individual Company Stefanelli Federica, making such contracts appear as if they were made in the context of ordinary door-to-door promotions and thus attempting to restore, with this operation, an apparent framework of legality to the overall initiative, fundamentally flawed by the illicit trafficking of switch-out lists.

Having received the complaint, the Guardia di Finanza proceeded to carry out in-depth investigations by consulting the databases used by the Corps, acquiring information from open sources and carrying out inspections.

On the basis of what was represented by the Guardia di Finanza, and considering that in all likelihood the contract procurement activities, as illustrated in the complaint, were attributable to the phenomenon of wild telemarketing, the Guarantor ordered the carrying out of inspections against the following entities (inspections carried out simultaneously on 26 March 2024 by personnel of the Guardia di Finanza and the Guarantor):

1) M.G. Company s.r.l., at the registered office in Fiumicino (via dei Delfini 1, at the shop with the sign “Energia e non solo…”) and at the operational offices in Latina (piazza dell’Agorà, premises with the sign M.G. Company s.r.l.), Terracina (piazza Gregorio Antonelli 14/16) and Ladispoli (via delle Rose 12-14-16);

2) Diemme Group di Di Vico Luigi, at the shop with the sign “Energia e non solo…” located in Rome, via Carlo Zucchi n. 13/15, whose premises are owned by the company Elanim s.r.l., whose sole shareholder is Mr. Di Vico Luigi, premises that are rented to the company M.G. Company s.r.l., which in turn granted their use to Diemme Group;

3) Sole Proprietorship Stefanelli Federica, with tax domicile in Terracina and place of business in Fiumicino, via Brunelleschi 47, a company that is no longer operating today;

4) M&M s.r.l.s., with registered office and operational headquarters in Terracina, piazza Gregorio Antonelli 14/16, also the operational headquarters of M.G. Company s.r.l.;

5) Sole Proprietorship XX, in the Turin offices, which were not operational: XX was operationally linked both to M.G. Company s.r.l. and to Di Vico Luigi, from whom he received emoluments in the context of the activity of "business agent without prevalence";

6) Acea Energia S.p.A., at the registered office in Piazzale Ostiense n. 2, Rome.

Based on the findings that emerged during the activities of 26 March 2024, the Guarantor ordered further investigations to be carried out at the offices of Fer-Energy Call s.r.l., given that this company was found to operate at the Ladispoli office (via delle Rose 12-14-16), where there was also a call center of M.G. Company s.r.l., and of Fer-Energy s.r.l. With respect to these additional companies, the inspection activities were carried out on 29 March 2024, respectively, at the offices of Rome, viale Palmiro Togliatti n. 1613, and of Civitavecchia, via delle Azalee snc.

From all the inspection activities it was possible to acquire a considerable amount of information and documents, which were made available to the Authority by the Guardia di Finanza with notes acquired in the files and registered on 19 April 2024 and 29 May 2024.

The Office requested some additional information from Acea (see prot. no. 107799/24 of 13 September 2024, answered by Acea with prot. no. 225799/24 of 4 October 2024), focusing attention on the relationships with M.G. Company, with the legal representatives of the same company or with employees or collaborators of the latter, also requesting to provide the contract proposals uploaded to the Acea systems by two operators, whose names had emerged during the inspections at M.G. Company.

Following the investigation activities indicated, limited to Acea's position, the Authority notified the Company of the act of initiation of the proceeding pursuant to art. 166, paragraph 5 of the Code; the Company, for its part, first requested and obtained access to the investigation documents, and subsequently filed its own defense briefs, further illustrating its position during the hearing held on 4 March 2025.

2. DISPUTE OF VIOLATIONS

As anticipated, the Office sent Acea the act of initiation of the proceeding pursuant to art. 166, paragraph 5 of the Code (prot. 8687/25 of 23 January 2025), which is hereby deemed to be fully recalled, with which it contested the possible violation of art. 5, par. 1, letter a), 6, 7, 13, 24, 25, 28 and 32 of the Regulation and art. 130 of the Code in relation to the processing of personal data carried out by the then D.I. Stefanelli Federica and M.G. Company on behalf of Acea and the failure to adopt adequate security and organizational measures.

This is due to the fact that the lack of controls on the data controller and on its commercial chain, as well as the inadequacy of the security measures adopted had allowed the carrying out, for a long time, of unwanted promotional calls, using data of illicit origin, without any consent from the interested parties who, unaware of any information on the processing, had also suffered potential economic damages deriving from the distortion of their contractual will.

Furthermore, the Office analyzed, on a sample basis, the contact lists illicitly acquired from M.G. Company and found among them numerous names present in the documentation produced by Acea in October 2024 relating to the contract proposals registered in its company systems.

With reference to the relationship with the Sole Proprietorship Stefanelli Federica, the lack of adequate controls by Acea on the structure of the company and on the organization of commercial activities was also highlighted, controls that should have been aimed at verifying that an agency that guaranteed a volume of contracts equal to just under 10% of Acea's door-to-door turnover did not obtain such results by carrying out conduct contrary to the instructions received, also by making use of the commercial support of third parties not authorized by Acea.

Specifically, the following violations were contested:

a) articles 5, par. 1, letter a), 6, 7 and 13 of the Regulation, as well as 130 of the Code, for having allowed promotional telephone contacts to be made, using lists of personal data acquired in the absence of specific consent and in the absence of the release of prior information, lists for which the lawful methods of data collection and acquisition of consent for commercial and promotional purposes were not proven. On this point, it is important to point out that the awareness attributed to Acea was, in fact, framed as knowledge of certain circumstances by the head of the Mass Market Sales Unit of the company, Ms. XX, as represented and described in the defense phase by M.G. Company, against which the Office had initiated specific proceedings;

b) art. 5, par. 1, letter a) and 28 of the Regulation, for having factually entrusted M.G. Company s.r.l. with the processing of the data of contractual customers, in the absence of regular designation as data processor or sub-processor;

c) art. 5, par. 1, letter f) and 32 of the Regulation, for having allowed employees of M.G. Company to access the IT systems of Acea Energia S.p.A. in the absence of the designations indicated in the previous point;

d) art. 24 and 25 of the Regulation, for having failed to implement organizational measures, checks and controls, suitable to verify that the marketing activities carried out by the Sole Proprietorship Stefanelli Federica, also in light of the number of contracts signed, were carried out in compliance with the “door-to-door” sales mandate and with the legislation in force regarding the protection of personal data.

3. ACEA’S DEFENSES

The Company, after having accessed the documentation in the files for defensive purposes, filed its own briefs (prot. nos. 23935/25 and 24074/25 of 24 February 2025), which are hereby deemed to be fully recalled, observing what is briefly reported below:

- on the alleged awareness of Ms. XX (Head of the Mass Market Sales Unit) regarding the use of switch-out lists by M.G. Company, the Company filed a statement from her in order to clarify the content of the audio reported by the Office in the notice of dispute. On this point, Ms. XX denied being aware of the use of unauthorized lists by M.G. Company/D.I. Stefanelli, specifying that "in the reported conversation the term 'lists' refers to contracts that were KO'd by the distributor after contracting with Acea Energia" in relation to which a new processing had been requested in order not to lose the related commissions;

- on the alleged awareness of Ms. XX regarding the commercial activities carried out by Ms. XX, from the aforementioned filed statement it emerges that Ms. XX clarified that she had provided Ms. XX (indicated as administrative support of D.I. Stefanelli) with suggestions regarding the so-called Commissioning policies, i.e. the methods of collecting commissions, denying that the indications had a commercial nature towards end customers. The same statement also contains clarifications regarding the introduction of a maximum production limit for each agency, called "CAP" and the fact that "the Stefanelli agency expressed discontent with its assigned CAP, which was lower than its historical production". To address "this discontent, I communicated that compared to the original "cap", the latter had been raised to + 400 quarterly contracts, lowering it from the "cap" of another structure". In light of what was clarified, Acea denied that, in the conversations contained in the audio files, its employee intended to provide information relating to commercial activities and also wished to specify that "following a further specific internal check, it emerged that the aforementioned number for the year 2022 is not equal to 17,000 supply points but rather to 11,585 supply points";

- on “having factually entrusted MG Company s.r.l. with the processing of contractual customer data, in the absence of a regular designation as data processor or sub-processor” (articles 5, par. 1, letter a) and 28 of the Regulation), Acea stated that it had not been aware of any sub-processors of the Sole Proprietorship Federica Stefanelli, designated Data Processor, as the latter had not declared their presence in the questionnaire attached to the deed of designation. Furthermore, “the Undersigned clarifies that the absence of specific designations as data processors or sub-processors in relation to Ms XX and Ms XX is due to the fact that, to the best of the Undersigned’s knowledge, they were included in the administrative staff of D.I. Stefanelli, which should have proceeded to designate the XX, as persons in charge of processing, pursuant to art. 29 of the Regulation, and not as sub-processors”. In the defenses filed, therefore, Acea argued that D.I. Stefanelli proceeded autonomously, and without due communication, to use M.G. Company personnel to carry out the activities covered by the mandate and, therefore, "not having been informed about the presence of a sub-processor, was not in a position to intervene in advance as it was completely unrelated and lacked any power of influence on the use of D.I. Stefanelli employees/collaborators for the performance of the work agreements, as well as on the actual activity carried out by them, which did not comply with what was stipulated between Acea Energia and D.I. Stefanelli";

- on “having allowed M.G. Company employees to access Acea Energia’s IT systems in the absence of the designations indicated in the previous point” (articles 5, par. 1, letter f) and 32 of the Regulation), Acea described the procedures for assigning credentials to runners associated with its agencies, specifying that for each agency the credentials are differentiated between back office credentials and runner credentials. “Specifically, for the paper door-to-door, runners do not have access credentials to the XX system and the Contract Proposals (hereinafter also “PdC”) are uploaded by back office users assigned to personnel of the same agency; on the contrary, for the digital door-to-door process, runners are assigned access credentials to XX since the uploading takes place by them during the contractual proposal phase; there are also some figures in the company who have a user enabled both for uploading digital PdC and for uploading paper PdC in the back office”. Furthermore, after reporting the procedures established for the creation of a user profile and to avoid unauthorized use, Acea concluded by stating that "to the best of the writer's knowledge, those who operated on behalf of D.I. Stefanelli processed personal data as data processors pursuant to art. 29 of the D.I. Stefanelli Regulation. It follows that the credentials were never delivered by Acea Energia to M.G. Company, but rather to Stefanelli";

- on having failed to implement organizational measures, checks and controls, suitable for verifying that the marketing activities carried out by the sole proprietorship Stefanelli Federica, also in light of the number of contracts signed, were carried out in compliance with the "door-to-door" sales mandate and with the legislation in force on the protection of personal data, therefore without making use of telemarketing and teleselling (arts. 24 and 25 of the Regulation), Acea indicated all the checks carried out for the evaluation of D.I. Stefanelli, specifying that, in relation to the "telemarketing" activities carried out in a hidden manner by this agency, the Company did not carry out any checks as the activity was not the object of the mandate stipulated between the parties.

Finally, in the defense briefs and during the hearing, the Company illustrated the corrective measures implemented after the March 2024 inspection, specifying the planned and not yet completed activities as well as the planned auditing program. In particular, Acea first of all recalled that the promotion and sales activities of its services are mainly carried out through the door-to-door channel, having already excluded telemarketing and teleselling activities on prospects for some time (these activities remained for the conveyance of promotions only to the customer base or to users who requested recontact through forms on the web).

Furthermore, Acea described the following guarantee measures subsequently adopted:

a) from October 2024, automated and timely control (previously it was random) on the geolocation of the sales agent at the time of creation of the PDC (contract proposal) to verify its conformity with the address of the contracted customer;

b) from 1 July 2024, automatic blocking in the event of multi-session access with the same credentials to the XX company system;

c) from 1 July 2024, automatic blocking in the systems in the event of activation of contracts for users over seventy-five years of age;

d) from 1 July 2024, introduction of access to the XX system with multi-factor authentication;

e) from 11 July 2024, automatic monitoring of all digital contracts signed by the door-to-door channel, with the imposition of a threshold of 5 PDCs per agent per day, in order to identify productivity levels that are not consistent with what is normally expected;

f) from 11 July 2024, introduction of the agent personal data management process in order to automate some checks on the work of each individual agent to reveal any conduct that does not correspond to the instructions given to data processors and to block the coding of authorizations for agents who have already ceased due to malpractice.
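The checks in measures a), b), c) and e) above can be expressed as rules over contract-proposal and session records. The following is an added sketch, not Acea's code and not part of the decision; the record fields, the 150 m geolocation tolerance, the reading of "over seventy-five" as age greater than 75, and all sample data are assumptions or constructed values.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from math import asin, cos, radians, sin, sqrt

MAX_PDC_PER_AGENT_PER_DAY = 5  # measure e): threshold stated in the decision
MAX_CUSTOMER_AGE = 75          # measure c): "over seventy-five", read here as age > 75
GEO_TOLERANCE_M = 150.0        # assumption: the decision states no distance tolerance


@dataclass(frozen=True)
class Pdc:
    """One contract proposal (PDC); all field names are hypothetical."""
    pdc_id: str
    agent: str
    created: datetime
    agent_pos: tuple      # (lat, lon) of the agent's device at creation time
    customer_pos: tuple   # (lat, lon) geocoded from the customer's address
    customer_birth: date


def distance_m(a, b):
    """Great-circle (haversine) distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6_371_000 * asin(sqrt(h))


def age_on(birth, day):
    """Completed years of age on a given day."""
    return day.year - birth.year - ((day.month, day.day) < (birth.month, birth.day))


def review_pdcs(pdcs):
    """Return {pdc_id: [reasons]} for every proposal that fails a check."""
    findings = defaultdict(list)
    per_agent_day = defaultdict(int)
    for p in sorted(pdcs, key=lambda p: p.created):
        if distance_m(p.agent_pos, p.customer_pos) > GEO_TOLERANCE_M:
            findings[p.pdc_id].append("geo_mismatch")              # measure a)
        if age_on(p.customer_birth, p.created.date()) > MAX_CUSTOMER_AGE:
            findings[p.pdc_id].append("customer_over_75")          # measure c)
        key = (p.agent, p.created.date())
        per_agent_day[key] += 1
        if per_agent_day[key] > MAX_PDC_PER_AGENT_PER_DAY:
            findings[p.pdc_id].append("daily_threshold_exceeded")  # measure e)
    return dict(findings)


def concurrent_sessions(sessions):
    """Measure b): list (user, earlier_sid, later_sid) where one credential has
    two sessions open at once. `sessions` holds (user, sid, login, logout)."""
    by_user = defaultdict(list)
    for user, sid, login, logout in sessions:
        by_user[user].append((login, logout, sid))
    hits = []
    for user, items in sorted(by_user.items()):
        items.sort()
        _, open_until, open_sid = items[0]
        for login, logout, sid in items[1:]:
            if login < open_until:          # previous session is still open
                hits.append((user, open_sid, sid))
            if logout > open_until:
                open_until, open_sid = logout, sid
    return hits


def sample_pdcs():
    """Constructed records: agent names, coordinates and dates are invented."""
    home = (41.9000, 12.5000)
    nearby = (41.9005, 12.5000)     # about 55 m from `home`
    far = (41.7700, 12.2300)        # tens of kilometres from `home`
    day = datetime(2024, 10, 2, 9, 0)
    born = date(1980, 5, 1)
    rows = [Pdc(f"A1-{i}", "agent-A1", day.replace(hour=9 + i), nearby, home, born)
            for i in range(1, 7)]   # six proposals by one agent in one day
    rows.append(Pdc("A2-1", "agent-A2", day, far, home, born))
    rows.append(Pdc("A3-1", "agent-A3", day, nearby, home, date(1940, 1, 1)))
    return rows


def sample_sessions():
    """Constructed session log for two hypothetical credentials."""
    def t(h, m):
        return datetime(2024, 7, 2, h, m)
    return [("runner01", "s1", t(9, 0), t(10, 0)),
            ("runner01", "s2", t(9, 30), t(9, 45)),   # overlaps s1
            ("runner02", "s3", t(9, 0), t(9, 30)),
            ("runner02", "s4", t(9, 30), t(10, 0))]   # back-to-back, no overlap


if __name__ == "__main__":
    for pdc_id, reasons in sorted(review_pdcs(sample_pdcs()).items()):
        print(pdc_id, reasons)
    print(concurrent_sessions(sample_sessions()))
```

A production control would act at login or at PDC submission rather than on a log after the fact; the batch form is used here so the rules can be read and tested in one place.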

Finally, the Company recalled that each PDC originating from the door-to-door channel is followed by a quality call, carried out by an Acea call center, to verify the actual will of the customer and to have confirmation of the correct action of the agent; regarding this last aspect, the Company specified that with the control call the customer was asked to confirm that the agent had physically gone to his home and, more recently, a specific question was also introduced aimed at verifying that the home visit had not been preceded by an unauthorized telephone contact.

4. AUTHORITY'S EVALUATIONS

4.1. General overview

Before going into the merits of the individual violations ascertained, it seems appropriate to outline a brief overview of the system brought to light by the Office with the collaboration of the Guardia di Finanza. In particular, the set of investigations indicated leads to considering the activities carried out by the various subjects referred to in the previous point 1 and by the numerous collaborators who revolved around them, as unequivocally aimed at carrying out a massive procurement of contracts for the supply of energy services through illicit methods.

These contracts were found to be largely channeled towards the energy company Acea Energia S.p.A., which was able to avail itself, from 2020 to 2021, of the direct collaboration of M.G. Company. Upon termination of the formal relationship with M.G. Company, which took place in March 2021, the contract procurement activities on behalf of Acea Energia continued with the Individual Company Stefanelli Federica (whose owner was a collaborator of M.G. Company from 2019 to 2022) which, between 2022 and 2024, sent the energy company a volume of contracts relating to approximately 27,000 supply points, collecting over two million euros in commissions.

It should be noted that, despite the alternation of different subjects in the formal collaboration relationships with Acea Energia, the inspections made it possible to detect the substantial continuity of the contract procurement activities in favor of Acea Energia, and this within a system that had its organizational center in the offices of M.G. Company. Furthermore, although the mandate given to D.I. Stefanelli was formally limited to “door-to-door”, the actual operation with which the contracts for Acea were concluded fell within a teleselling activity (moreover, illicit and with the use of fraudulent methods). As mentioned, Acea formally terminated the collaboration with M.G. Company in March 2021 and, subsequently in August 2022, entrusted the same mandate (formerly of M.G. Company) to D.I. Federica Stefanelli, a former collaborator of the same M.G. Company, who made use of the staff and call centers of M.G. Company for the commercial activities of concluding the contract proposals on behalf of Acea.

That said, the Authority, based on the specific defensive observations, is primarily called upon to assess whether the declared lack of knowledge of a factual state by Acea, which benefited from the illicit processing, carried out on a large scale, with fraudulent means by its partners, and which is the consequence of omissions on its part, is in some way justifiable or whether such a situation, due to the characteristics of the specific case, is, instead, to be considered inexcusable and, therefore, relevant from the point of view of liability within the framework of the legislation on the protection of personal data.

In other words, it is necessary first of all to assess whether the unlawfulness of the conduct carried out by the Stefanelli company and, through it, by M.G. Company - allegedly carried out in breach of the instructions given by Acea as well as of what was contractually agreed - is also attributable to Acea itself, not only because of the economic benefit obtained, but also in consideration of the adequacy of the control measures adopted by the client in order to prevent, as far as is known in the state of the art and on the basis of the expected professional diligence, the implementation of conduct of the type implemented in the case in question.

Furthermore, in the particular context of energy supplies, characterized by the presence of a large "undergrowth" of agencies that operate illegally by contacting millions of customers by telephone, several times a day, and who then try to remedy this deteriorating practice by making the related contracts appear as if they were made through door-to-door activities, the question that must be asked is whether or not a major player such as Acea Energia was aware of this massive phenomenon, which is constantly addressed in debates, parliamentary initiatives and also in the activities of at least four independent administrative authorities (Guarantor, AGCOM, AGCM, ARERA), and had developed the necessary "antibodies" to activate precisely in the presence of suspicious practices and business volumes.

The answer that can be drawn, even before the analytical examination of the specific disputes, is that Acea Energia, although aware of the risks inherent in a widespread promotional activity carried out through a vast network of external agencies, was not able to intercept a phenomenon of enormous dimensions whose profitable results flowed into its own company systems, a phenomenon that, it should be remembered, originated from the illicit acquisition of switch-out lists, then continued with the massive telephone contact of tens of thousands of customers who were threatened with economic damages if they did not accept the offers, and ended with the creation of almost 30,000 supply contracts in favor of Acea in the short space of a year and a half, formally conveyed by an individual company that appeared to have only one employee. 

4.2. Guilt “in eligendo” and “in vigilando”

As anticipated, the defense arguments presented by Acea Energia do not allow its liability to be excluded in relation to the violations contested, for the following reasons, to be considered together with the observations already expressed in the aforementioned notice of contestation.

Acea’s entire defense line is based on the lack of knowledge of the involvement of M.G. Company in the data processing, due to the circumstance that D.I. Stefanelli had not correctly indicated the company as its sub-processor; this situation, moreover, would have generated in Acea the belief that all the collaborators of D.I. Stefanelli, including the legal representative of M.G. Company and 16 of its employees and collaborators, were included in the structure of the same agency and, therefore, fell within the scope of art. 29 of the Regulation.

Furthermore, Acea also declared that it had no knowledge of the teleselling activities carried out for the conclusion of the contract proposals uploaded by D.I. Stefanelli.

For the violations that can be traced back to this profile, Acea, with its own briefs, stated that “it is quite clear that Acea Energia was in no way aware of the existence of a sub-processor of D.I. Stefanelli as it was never communicated by the company either in advance at the time of signing the contract, or during its execution. In confirmation of this, the Undersigned clarifies that the absence of specific designations as data controllers or sub-processors in relation to Ms. XX and Ms. XX is due to the fact that they were included, as far as the Undersigned is aware, in the administrative staff of D.I. Stefanelli, which should have proceeded to designate the XX, as persons in charge of processing, pursuant to art. 29 of the Regulation, and not as sub-processors”.

Therefore, from a systematic point of view it is considered appropriate to address this issue (excusability of any “ignorance” of the conduct of one’s partners), before proceeding with specific assessments relating to the findings of the investigation, which also include the extensive documentation regarding the direct relationships between Acea and M.G. Company.

First, it is necessary to evaluate the adequacy of the checks carried out by Acea to arrive at the conviction that D.I. Stefanelli presented those sufficient guarantees referred to in Article 28 of the Regulation.

In this regard, the Company stated that "For example, Acea Energia carries out, in line with its internal procedures, an integrity check on potential BPs as well as on their directors/shareholders using a platform made available by Cerved, which returns a summary data with evidence of any critical elements (so-called red flags) based on the information collected in terms of type of corporate structure, presence of politically exposed individuals, presence of any proceedings or convictions against the BP or its representatives. In this regard, it should be noted that, before proceeding with the contractualization of the Stefanelli Company (which took place in August 2022), Acea Energia carried out the aforementioned check and the platform did not return evidence as per the reports archived at the undersigned Company".

Yet, from what has emerged, the Chamber of Commerce certificate of its agent is missing from the documentation collected and assessed by Acea; from consulting it, Acea could easily have learned that, in relation to the years 2022-2024, D.I. Stefanelli had employed only 1 employee in the business, namely the owner Stefanelli herself. Furthermore, the checks that Acea declared it carries out are only aimed at verifying a generic compliance with the requirements of honorability and the absence of previous crimes of the contractual counterpart; profiles that are certainly relevant in the selection of any supplier but that do not provide particular information regarding the suitability of the partner to cover the role of manager in the specific treatment implemented.

On this point, it is useful to recall the Guidelines 07/2020, according to which “94. The data controller has the duty to employ «only processors providing sufficient guarantees to implement appropriate technical and organizational measures», so that the processing meets the requirements of the GDPR, including with regard to the security of the same, and ensures the protection of the rights of the data subjects. The data controller is therefore responsible for assessing the adequacy of the guarantees presented by the data processor and should be able to demonstrate that it has taken into serious consideration all the elements referred to in the GDPR.

95. The guarantees «presented» by the data processor are those that the data processor is able to demonstrate to the satisfaction of the data controller, these being the only ones that can actually be taken into account by the data controller in assessing the fulfillment of his obligations. This will often require an exchange of relevant documentation (e.g. privacy policy, terms of service, records of processing activities, log management mechanisms, information security policy, external data protection audit reports and recognised international certifications, such as the ISO 27000 series). […]

97. The data controller should take into account the following elements in order to assess the adequacy of the guarantees: the specialist knowledge (for example, technical skills in security measures and data breaches), the reliability and resources of the data processor”.

From the evidence collected, however, it emerged that D.I. Federica Stefanelli was substantially lacking its own structure and resources, so much so that, to carry out the “door-to-door” commercial activity on behalf of Acea, it made use of collaborators and structures of the company M.G. Company, as emerges from the assignments in place between the two companies from 2022 to 2024 and from the fact that 18 collaborators indicated to Acea as its own were, in reality, employees, collaborators and even legal representatives of M.G. Company.

Acea therefore entrusted the processing of personal data of its customers to D.I. Stefanelli who, due to its size and experience in the sector, did not present sufficient guarantees to implement adequate technical and organizational measures to ensure the application of the protections prescribed by the Regulation; nor, moreover, does it appear that Acea has ever carried out audits on its partner, either during the selection phase or subsequently.

With regard to relationships with employees and collaborators of M.G. Company, Acea itself, in a note dated 3 October 2024, stated that it had continued "to maintain commercial relationships with the following names [...] these are, in fact, runners/collaborators who, after having worked for MG Company s.r.l., operated as runners for the company Stefanelli Federica [...]".

The names indicated are 16 to which must be added those of Ms XX and Ms XX who, despite their respective roles as legal representative, the first, and previous legal representative, the second, of M.G. Company, according to what Acea claimed, should have carried out only “administrative activities (for example, invitation to invoice, application of penalties, etc.) and back office, as well as aimed at recruiting runners and in any case did not carry out sales activities” on behalf of Stefanelli.

On this point, first of all, it should be noted that Acea has not provided any evidence of what has just been reported, neither with regard to the request of its agent, nor above all of the purely administrative role of the XX sisters. During the hearing, on this point, Acea stated that “We knew instead that Stefanelli would have made use of the XX sisters due to their experience and due to Stefanelli’s lesser experience, in a logic of tutoring, back-office activities and administrative support. And this was also plausible due to the constant use of Stefanelli’s email and not those of MG Company”. Furthermore, from the conversations between XX and Mrs. XX, head of the Mass Market Sales Unit of Acea, conversations acquired in the records following the hearing of M.G. Company, it emerges that the representative of the aforementioned company had a decision-making role that went well beyond the mere performance of administrative activities for Stefanelli, being able to agree, in person, and obtain from XX: the expansion of the number of contracts that could be carried out (so-called CAP); the commercial training of personnel; the intervention and the likely “accommodation” on the blocks caused by instant calls (calls to verify the presence of the door-to-door seller at the customer's home – see file “WhatsApp Audio 2024-12-05 at 14.36.26” in which XX reassures XX "now I've found a solution just...for your people and that's it" or see file “WhatsApp Audio 2024-12-05 at 14.29.15” in which XX addresses XX saying “I'm on instant calls too to cover your ass”); furthermore, from the file “WhatsApp Image 2024-12-05 at 15.15.42 (1)” it emerges that, in response to XX's complaints regarding the recognition of commissions, XX responded “You tell me. I advised you. Then if you don't want to go on any longer, that's another matter. I support you more than you should”.

In light of these findings, which among other things reinforce the unsuitability of D.I. Stefanelli in relation to the provisions of art. 28 of the Regulation, it emerged from the documents that:

- as anticipated, according to the Chamber of Commerce register, D.I. Stefanelli employed only 1 employee from 2022 to 2024, namely the owner of the company herself. This implies that all the collaborators associated with the same individual company could only be subjects external to the same structure whose actual classification had to be the subject of specific checks by Acea;

- from the Chamber of Commerce register of M.G. Company, Ms. XX was and is the legal representative of the same M.G. Company, therefore her inclusion as a subordinate collaborator in the structure of D.I. Stefanelli does not seem to adhere to the documentary reality, taking into account the weight, in commercial terms and experience, of M.G. Company compared to D.I. Stefanelli and the fact that the two corporate entities operated in the same context, taking turns in carrying out the same commercial activity.

Both circumstances were quite easy to verify with a simple consultation of the information available in the Company Register and with a preliminary audit at the registered office of Stefanelli, but, from Acea's statements, no such verification appears. In this case, moreover, Acea's previous knowledge of M.G. Company's role as legal representative of M.G. Company should have made it necessary to carry out any checks aimed at ascertaining that M.G. Company did not carry out, as in the past, telemarketing activities on behalf of the sole proprietorship Stefanelli, and therefore of Acea, and should have highlighted the need for verification of the actual corporate size of the aforementioned sole proprietorship, also in order to ascertain whether XX, and her sister XX, the previous owner of M.G. Company, were actually mere collaborators of M. Stefanelli, or held the role of hidden owner of the overall business activity.

It should in fact be specified that M.G. Company and its legal representatives were well known to some of Acea's corporate representatives who, by virtue of their role, had established direct and long-term contacts with them. Furthermore, from what emerged from the parallel investigation and the proceedings initiated against M.G. Company, the frequentation between the Acea representative, Mrs. XX, and the XX sisters, even during the contract with D.I. Stefanelli, was constant and also went beyond the simple context of a purely work-related nature.

Moreover, greater caution should have been suggested by the now well-known critical issues of the energy market and the phenomenon of the so-called undergrowth as well as the use of lists of illicit origin which, according to Acea, the energy company knew well enough to have also filed a complaint in 2021, indicating Mrs. XX as a person aware of the indicated practice.

Based on the above considerations, it clearly emerges that Acea's alleged unawareness of the unfair practices in use at D.I. Stefanelli also through M.G. Company, cannot be reasonably invoked, since the energy company had at its disposal all the necessary knowledge elements to start a process of checks and controls on its partners aimed at ascertaining the real nature of their activities, checks and controls which, from what emerged in the investigation, do not appear to have been put in place at the time of the facts.

On the basis of the above observations, it is therefore possible to analyze the liability profiles relating to the individual objections formulated in the act initiating the proceedings.

a) articles 5, par. 1, letter a), 6, 7 and 13 of the Regulation, as well as 130 of the Code;

In order to affirm the existence of the violation in the epigraph, it must first be observed that the circumstance that the sales manager of Acea, Ms XX, pending a mandate with D.I. Stefanelli, carried out commercial training activities for personnel allegedly belonging to Stefanelli but, in fact, recruited by M.G. Company constitutes unavoidable external evidence (among the material in the files - also provided to Acea in the defense phase - there is, for example, the poster of a training course organized in Pomezia on 14 October 2022 where the logo of M.G. Company appears together with that of Acea Energia).

Furthermore, still with regard to the organization of the said course, it turned out that Ms. XX made specific requests to XX because “those from Turin also had to come down”. From the inspection checks carried out, the collaborators from Turin are connected to another company of the so-called undergrowth identified, specifically, as Ditta Individuale XX, operationally linked to both M.G. Company s.r.l. and Diemme Group di Di Vico Luigi. From the tenor of the conversations reported in the documents, it is clear that Ms. XX was aware of the subject of the conversation, having agreed to XX's requests to also take into account the represented needs of “those from Turin”.

It follows that, despite the formal termination of relations with M.G. Company, this in practice - from the second half of 2022 to the spring of 2024 - was instead fully active in the procurement and conclusion of contracts on behalf of Acea, and this occurred without the energy company having adopted adequate security measures to intercept and detect this activity. 

On the other hand, there is no doubt that the processing carried out by the M.G. Company call centers is to be attributed to the ownership of Acea and that the same processing generated, between 2022 and 2024, contracts for approximately 27,000 supply points, guaranteeing commissions to the Stefanelli Company, paid by Acea, for over two million euros.

The operating methods found included, as mentioned, the use of "non-consented" lists and of presumably illicit origin, the failure to communicate the information to the interested parties and the use of artifices in order to induce the interested parties to sign the supply contract with Acea, conduct that M.G. Company was able to implement for two years precisely because of the substantial acquiescence of the energy company which, through the constant dialogue with Ms. XX, provided explicit approval for all the practices conducted in person by M.G. Company, to the point of interceding with the external subjects responsible for the control activities through the so-called instant calls, to unblock practices evidently considered non-compliant.

It is worth specifying that the instant calls were carried out to prove that the supply contract was signed in the customer's home and therefore in door-to-door mode, while the intervention of Mrs. XX casts a shadow on the effective control procedure, given that an official from the commercial sector of Acea personally intervened with the external entities responsible for the control.

In this context, the passive approach of Acea, which limited itself to stating that D.I. Stefanelli had hidden the involvement of M.G. Company, represents a merely formalistic application of data protection that ends up exempting the owner from responsibility, and this is in total contrast with the principles of the Regulation and with the provisions adopted by the Guarantor on the subject. Marketing activities carried out by third parties - and the related responsibility of the clients - have been the subject of so many and constant rulings by the Guarantor that they can now be considered consolidated especially among large economic operators who make massive use of these channels(1). The Guarantor has repeatedly recalled that the entire structure of the Regulation is based on the accountability of the data controller. The latter, by acquiring in its systems the personal data of the subjects who, after being contacted, have accepted the offers proposed, should adopt particular guarantee measures in order to prove that such contracts originate from contacts made in full compliance with the provisions on the protection of personal data, in particular those referred to in Articles 5, 6 and 7 of the Regulation relating to consent, as well as the provisions of Article 130 of the Code.

According to the constant interpretation of this Authority, the subjects who act on behalf of the principal, generating a legitimate expectation in the recipients of the communications regarding the actual ownership of the promotional contact, are qualified as data controllers. And this qualification in relation to the legal relationships between the parties can be considered to exist even in the case in which the subject who physically makes the contact, while remaining unknown to the data controller, actually creates a contractual relationship similar to that in place with the directly contracted partners.

This address has been developed with particular regard to the context of telephone and automated marketing, taking into account the high level of risk determined by the numerous illegalities generated by the lack of control of the supply chain, as ascertained in years of verification activities. The same reasoning can however also be applied to door-to-door promotional activities which present critical issues, also well known both to the market and to the control authorities, critical issues which, as mentioned, largely derive from the circumstance that the activity at the customer's home is often preceded by illegal promotional telephone contacts.

In this context, the justification of a client of the calibre of Acea Energia based solely on the alleged ignorance of conduct that it was instead required to control can hardly be accepted, since the illegalities that emerged from this investigation should have been considered among the foreseeable circumstances: the "strengthening" of the door-to-door results through preliminary and unauthorised telephone contacts is a conduct that has already emerged in the sector; this eventuality should have been taken into account and avoided through ordinary means of control of the results achieved by the agents, especially in the case in which these were particularly distant from what was reasonably expected.

b) art. 5, par. 1, letter a) and 28 of the Regulation;

Recalling the observations already expressed in the section relating to the fault “in eligendo” and “in vigilando”, it must be reiterated that the circumstance that Acea was not aware of the factual situation or that, indeed, it was convinced that Ms XX were “in the administrative staff of D.I. Stefanelli”, demonstrates that the organizational measures for the checks required by art. 28 of the Regulation were not adequate, especially in the face of a rather widespread phenomenon such as the one in question.

Added to this shortcoming is the lack of an auditing plan for the companies designated as data controllers, as emerges from the declarations made by Acea during the inspection.

c) art. 24 and 25 of the Regulation;

The fact that Acea did not know the real circumstances of the data processing carried out on its behalf and the involvement of M.G. Company, moreover due to shortcomings attributable to it, does not relieve the Company, which is required to adopt suitable measures to prevent such events, of its responsibility. Therefore, despite the preparation of procedures and measures deemed suitable and adequate by the Company, conduct that did not comply with the regulatory provisions was carried out in practice by individuals who, even when "unknown" to Acea, operated in the interest of the latter.

In this regard, from a systematic perspective, it is necessary to reiterate that the regulatory provisions (articles 24 and 25 of the Regulation) outline a precise framework of general responsibility weighing on the data controller, not only in the sense of requiring the latter to adopt adequate and effective measures to ensure compliance with the regulations on the protection of personal data but also in the sense of requiring that the controller demonstrate, in concrete terms and with evidence, the conformity of any processing activity that he has carried out directly or that others have carried out on his behalf (see also recital no. 74 of the Regulation). It is therefore necessary to provide evidence of overall assessments carried out on the characteristics of the processing, on the risks associated with them and on the effectiveness and adequacy of the measures adopted on a case-by-case basis. Effectiveness and adequacy that can only be tested and demonstrated through structured and systematic verification and audit mechanisms that, in this case and by Acea's own admission, had not been implemented.

The rationale of the provisions mentioned above lies in the need to ensure that the set of obligations regarding the protection of personal data is not reduced to a merely paper-based assembly, as already mentioned above, and that the "chain" of responsibilities in the context of processing does not provide for undue "buck-passing" but is always, ultimately, traceable to the owner. The latter, in fact, is the primary driver of the complex mechanisms that determine the compatibility of the various activities carried out with the provisions of the Regulation and the Code aimed at allowing the interested party full control of their data and the full exercise of their rights and freedoms.

The principle of accountability, therefore, outlined both in a legal perspective (art. 5, par. 2 and art. 24) and in a more modern technological dimension (art. 25), involves overcoming an exclusively formalistic logic and requires the data controller to set up systematic verification mechanisms, both ex ante and ex post, of compliance with the legislation on the protection of personal data by all the subjects involved in the chain of processing that concerns him, which can be traced back to him or that can bring advantages, including economic ones, to the data controller.

The scenario reconstructed at the end of the investigative activities by the Guarantor has brought to light a system of illicit processing of personal data that, in various aspects, was known or, at least, knowable by Acea itself and its commercial branches and which, ultimately, has determined economic advantages to Acea to the detriment of the protection of the rights of the interested parties.

In this context, therefore, there are symptomatic factual elements that Acea was unable to intercept, to which are added further circumstances that strengthen the belief that Acea was aware of the involvement of M.G. Company in the signing of the contract proposals, at least in the person of Ms. XX.

In fact, although Acea and Ms. XX have clarified some of the contested aspects (the content of some chats relating to alleged commissioning activities), it emerged that the latter directly contacted Ms. XX for issues relating to:

- production volumes, indicating "we need to increase the XX numbers" or that the contracts she was making were too many and that "[…] if in July you give me the best, I will burn all those 400 pieces [editor's note: the contracts] that I managed to give you with sweat [...] for August I hope you have other strategies [...]";

- the contractual volumes covered by the agency contract (“I went to great lengths to get you to give me the pieces” and again “[…] I even gave you 400 pieces from another agency […]”);

- the nature of the activity to be carried out (“you also do door-to-door” – a phrase referring to the need to invoice the income as a whole, including “also” the door-to-door activities, which instead should have been the exclusive source of remuneration);

- the fact that there were “New Agents who are walking around without a badge”;

- the M.G. Company store and the number on the window (“The number on the window. They are checking everything. Please have it changed if you can”), dated after the inspection and the television reports of March 2024.

Furthermore, there are numerous exchanges in which the confidentiality between the interlocutors is evident, making it difficult to maintain total ignorance of the involvement of M.G. Company.

Therefore, the Authority believes that Acea could and should have known about M.G. Company's involvement in the management of its customers' data and contracts concluded in its interest, but also that it could have avoided, through appropriate processes (connected to the obligations set forth in the aforementioned Articles 24 and 25 of the Regulation), the performance of unauthorized teleselling activities. The failure to activate such processes, which continued from 2022 to 2024, represents a non-excusing circumstance: Acea, in fact, could have overcome the critical issues that the collaboration with M.G. Company and the Stefanelli Company could have determined by using the diligence required, in this case, of a leading national operator.

This interpretative approach also seems to be in line with the constant jurisprudence of the Supreme Court, with reference to the principle according to which "everyone is responsible for their own action or omission, conscious and voluntary, whether intentional or negligent", as indicated by art. 3 of Law 689/81: this consolidated approach states that “the rule places a presumption of guilt in relation to the prohibited act on the person who committed it, reserving to the latter the burden of proving that he acted without fault” (see Cass. 10508/1995; no. 7143/2001; no. 8343/2001; no. 14107/2003; no. 5304/2004; no. 15155/2005; no. 20930/2009; 9546/2018; no. 1529/2018; no. 4114/2016). The Authority does not believe that Acea has fulfilled the aforementioned burden of proof, strengthened by the specific provisions on accountability and privacy by design provided for by the Regulation.

d) art. 5, par. 1, letter f) and 32 of the Regulation;

The findings of the investigation indicate that specific security measures relating to the correct configuration of Acea's IT systems, which were adopted only subsequently, could have been put in place earlier to prevent the unauthorized activities carried out by Ditta Stefanelli and M.G. Company (and potentially also by other subjects) from resulting in supply contracts that were then transferred into the energy company's personal data assets.

In fact, Acea declared that it had authorized, as runners, 16 employees from M.G. Company on the assumption that they belonged to the structure of D.I. Stefanelli and without verifying that these subjects were actually included in the company's corporate structure and authorized to process personal data.

Nor does it appear that these subjects had received specific training in data protection on behalf of Acea and for the correct use of its IT platforms. Two of these runners associated by Acea with D.I. Stefanelli not only worked at M.G. Company but also managed the call centers of two of that company's offices and concluded contracts on behalf of Acea by operating as telesellers and then uploading the contract proposals to Acea's systems dedicated to door-to-door sales. In particular, the runners of D.I. Stefanelli whom Acea has registered in its systems included Mr. XX and Mrs. XX. The inspections conducted by the Guardia di Finanza and the Office at the offices of M.G. Company and D.I. Stefanelli showed that:

- Mr. XX managed the Latina call center of M.G. Company as a collaborator of D.I. Stefanelli Federica;

- Mrs. XX managed the Ladispoli call center of M.G. Company as a collaborator of the same M.G. Company.

Furthermore, the runners of D.I. Stefanelli also included Mr. XX who, again according to the inspection activities conducted on March 26, 2024 at the offices of M.G. Company, was indicated as the previous manager of the Ladispoli call center of M.G. Company. Acea therefore enabled the employees and collaborators of M.G. Company, treating them as runners of D.I. Stefanelli, to access its systems even though they operated for an entity (M.G. Company) that was not formally included in its commercial chain and was therefore not authorized to access them. Furthermore, it was verified that even the individual call center operators of M.G. Company (and not the runners) accessed Acea's systems with the same account issued by Acea to accredited subjects (for example, the account used by the various call-center operators was that of XX, one of the runners of D.I. Stefanelli). This was possible also because, at the time of the facts, there were no access control measures and no ban on multi-session access with the same account, a circumstance also confirmed by Acea in its defense.

In addition to the above, during the inspection phase a further significant circumstance emerged that could have indicated a method of concluding contracts other than door-to-door: in particular, by accessing Acea's systems and activating a simple query it was found that one of the runners of D.I. Stefanelli had managed to conclude two contracts in six minutes (the first at 9.14, the second at 9.20 on March 26, 2024) in relation to two customers more than 100 km apart, and then returned within a short period of ten minutes to the Ladispoli headquarters of M.G. Company, where the inspection activities were taking place.

These temporal and geographical indicators were not analyzed by Acea, nor did its systems raise any alert on them; an analysis of these elements could otherwise have made it possible to verify the correctness of the processing carried out by the runners and its compliance with the type of contract (teleselling or door-to-door) in place with the specific agency.
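The two checks described above as missing, namely an alert on contract pairs that no door-to-door runner could have signed in person and a check for one account in use from several clients at once, can be sketched as follows. This is an added example, not code from Acea or the Authority: the account names, coordinates, clients and the 130 km/h ceiling are constructed assumptions, and only the 9.14 and 9.20 timestamps and the distance of more than 100 km come from the decision.

```python
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 130.0  # assumption: ceiling for a runner travelling by road

@dataclass(frozen=True)
class Contract:
    account: str          # account that uploaded the proposal
    signed_at: datetime
    lat: float            # geocoded customer address
    lon: float

@dataclass(frozen=True)
class Session:
    account: str
    client: str           # device or source address of the login
    start: datetime
    end: datetime

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def implausible_travel(contracts, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive contracts of one account whose customer sites are too far
    apart to have been visited in person in the time between the two uploads."""
    alerts, last = [], {}
    for c in sorted(contracts, key=lambda c: c.signed_at):
        prev = last.get(c.account)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, c.lat, c.lon)
            hours = (c.signed_at - prev.signed_at).total_seconds() / 3600
            # Same timestamp at different sites counts as infinite speed.
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                alerts.append((c.account, prev.signed_at, c.signed_at, round(km), kmh))
        last[c.account] = c
    return alerts

def concurrent_sessions(sessions):
    """Return accounts logged in from two different clients at overlapping times."""
    shared = set()
    for a, b in combinations(sessions, 2):
        if (a.account == b.account and a.client != b.client
                and a.start < b.end and b.start < a.end):
            shared.add(a.account)
    return sorted(shared)

def t(hhmm):  # helper: a time of day on 26 March 2024
    return datetime.strptime("2024-03-26 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample data (accounts, coordinates and clients are invented).
CONTRACTS = [
    Contract("runner-A", t("09:14"), 41.90, 12.50),
    Contract("runner-A", t("09:20"), 42.90, 12.50),  # about 111 km from the first
    Contract("runner-B", t("09:00"), 41.90, 12.50),
    Contract("runner-B", t("09:40"), 41.93, 12.50),  # about 3 km, plausible
]
SESSIONS = [
    Session("runner-A", "client-1", t("09:00"), t("10:00")),
    Session("runner-A", "client-2", t("09:10"), t("09:30")),  # overlaps client-1
    Session("runner-B", "client-3", t("08:50"), t("09:45")),
]
```

The travel check needs both contract addresses geocoded, so a deployment would treat records it cannot geocode as unverified rather than as passing.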

That said, the Authority cannot but welcome all the initiatives and implementations of the control procedures that Acea has indicated in its defenses and during the hearing (reported in the previous point 3) and which, however, are all subsequent to the contested facts and, therefore, can constitute a valid mitigating element in the measurement of the sanction to be imposed.

However, it should be emphasized that, among those described, the only measure indicated by Acea and already present since 2023 was the one relating to the manual and random comparison between the geolocation address of the place from which the contract proposal is uploaded and the customer's headquarters; this measure, however, did not allow Acea to intercept some of the anomalies indicated above and, in fact, was the subject of a review by the Company which, to date, carries out such checks in an automated manner.

5. CONCLUSIONS

For the above reasons, Acea Energia S.p.A. is deemed to be liable for the following violations:

a) Articles 5, par. 1, letter a), 6, 7 and 13 of the Regulation, as well as 130 of the Code, for having allowed third parties to make promotional telephone contacts, using lists of personal data acquired in the absence of specific consent and in the absence of the release of prior information, lists for which the lawful methods of data collection and acquisition of consent for commercial and promotional purposes were not proven;

b) Articles 5, par. 1, letter a) and 28 of the Regulation, for having factually entrusted M.G. Company s.r.l. with the processing of contracted customer data, in the absence of regular designation as data processor or sub-processor;

c) Articles 5, par. 1, letter f) and 32 of the Regulation, for having allowed employees of M.G. Company to access the IT systems of Acea Energia S.p.A. in the absence of the designations indicated in the previous point;

d) arts. 24 and 25 of the Regulation, for having failed to implement organizational measures, checks and controls, suitable for verifying that the marketing activities carried out by the Sole Proprietorship Stefanelli Federica, also in light of the number of contracts signed, were carried out in compliance with the “door-to-door” sales mandate and with the legislation in force on the protection of personal data, therefore without the use of illicit telemarketing and teleselling tools.

Furthermore, it is useful to make some considerations regarding a “system” that, from the inspections carried out by the Guardia di Finanza and the subsequent investigative activities, has allowed us to outline an extremely serious and alarming picture in relation to the complex of activities that, ultimately, was fueled by the commissions paid by Acea itself.

These activities were found to be carried out with constant non-compliance with the provisions on the protection of personal data, so that the entire system of processing carried out by the companies involved was found to be completely unsuitable to allow the interested parties to exercise the necessary control over their data, also violating the fundamental principles of correctness and transparency established to protect any processing. Furthermore, the activities were found to be carried out in contempt of the provisions that allow the phenomenon of wild telemarketing to be contained and to bring to light the so-called "undergrowth" that operates on the margins of the official sales networks of energy companies and which the latter have shown themselves unable to address.

It follows that extremely relevant personal information has passed from hand to hand, without any guarantee of the correctness of the actions of the numerous subjects involved and of the security of the data processed, thus further fueling the sources of supply of wild telemarketing and generating a vicious circle of nuisance calls and illicit contacts - sometimes even with threatening and insulting tones - completely unrelated to the intent of offering the customer economically advantageous services and linked only to the need to increase the number of promotional initiatives, contracts signed and profits made by the companies.

Therefore, having ascertained the unlawfulness of Acea Energia's conduct with reference to the treatments under examination, it is necessary to:

- order Acea Energia, pursuant to art. 58, par. 2, letters d) and e) of the Regulation, to communicate to all interested parties, whose personal data have flowed into the Company's systems following the illicit acquisitions by D.I. Stefanelli and M.G. Company s.r.l., the results of today's proceedings based on a text to be agreed with the Authority when applying this provision;

- order Acea Energia, pursuant to art. 58, par. 2, letter d) of the Regulation, to adequately check that the agencies enter into contracts with any sub-agents that are fully compliant with the standard contract stipulated between Acea Energia and the agencies themselves and in which the distribution of responsibilities in the processing of personal data is clearly explained as indicated by art. 28 of the Regulation;

- adopt an injunction order, pursuant to art. 166, paragraph 7, of the Code and 18 of Law no. 689/1981, for the application against Acea Energia of the administrative pecuniary sanction provided for by art. 83, par. 3 and 5 of the Regulation.

6. INJUNCTION ORDER FOR THE APPLICATION OF THE ADMINISTRATIVE SANCTION

The violations indicated above require the adoption of an injunction order, pursuant to articles 166, paragraph 7, of the Code and 18 of law no. 689/1981, for the application against Acea Energia of the administrative pecuniary sanction provided for by art. 83, paragraphs 3 and 5 of the Regulation (payment of a sum of up to € 20,000,000.00 or, for companies, up to 4% of the annual worldwide turnover of the previous financial year, if higher);

To determine the maximum fine of the pecuniary sanction, it is therefore necessary to refer to the turnover of Acea Energia, as obtained from the latest available financial statement (31 December 2023) in accordance with the previous provisions adopted by the Authority, and therefore this maximum fine is determined, in the case in question, at 91,000,983,270 euros.

To determine the amount of the sanction, it is necessary to take into account the elements indicated in art. 83, par. 2, of the Regulation;

In the case in question, the following are relevant:

- the seriousness of the violations (art. 83, par. 2, letter a) of the Regulation), taking into account the object and purposes of the data processed, attributable to the overall phenomenon of unwanted promotional contacts, in relation to which the Authority has adopted, in particular in the last five years, numerous measures that have fully examined the multiple critical elements by providing the controllers with numerous indications to adapt the processing to the legislation in force and to mitigate the impact of nuisance calls on the interested parties; also taking into account the number of subjects involved (based on the approximately 27,000 distribution points affected by the contracts conveyed by the Individual Firm Stefanelli and by M.G. Company) and the duration of the illicit activities (from 2022 until March 2024, activities interrupted only following the inspection activities carried out by the Authority);

- as an aggravating factor, the grossly negligent nature of the violations, resulting from omissions carried out with awareness and will that have in fact weakened the security measures and the system of controls and accountability of the various parties operating in the Acea Energia sales network, taking into account the level of professional diligence that could be expected from a controller of the calibre of Acea Energia (Article 83, paragraph 2, letter b) of the Regulation);

- as an aggravating factor, the degree of responsibility of the controller (Article 83, paragraph 2, letter d) of the Regulation) due to the ineffectiveness of the technical and organizational measures, which did not allow the interception of the illicit activities carried out by Ditta Stefanelli and M.G. Company and which, in some cases, allowed their consolidation, as well as due to the primary role that Acea Energia plays in the Italian energy market;

- as a mitigating factor, the circumstance that Acea Energia introduced, following the investigations involving it, a significant series of measures (Article 83, paragraph 2, letter c) of the Regulation), which affected the management phase of individual runners, IT security and the identification of the chain of responsibility from the first contact to the final contract;

- as a mitigating factor, the significant collaboration with the Authority, both during the inspection activities and in the continuation of the investigation and the procedure, which leads to considering favorably the commitment of the energy company in the adoption of effective future measures aimed at countering the phenomenon of illicit promotional contacts (Article 83, paragraph 2, letter f) of the Regulation).

Based on the set of elements indicated above, and on the principles of effectiveness, proportionality and dissuasiveness provided for by Article 83, paragraph 1, of the Regulation, and taking into account the necessary balance between the rights of the interested parties and the freedom of enterprise, also in order to limit the economic impact of the sanction on the organizational and functional needs of the Company, it is believed that the administrative sanction of the payment of a sum of €3,000,000 should be applied to Acea Energia, equal to 3.26% of the maximum statutory sanction and 0.13% of the annual turnover.

In the case in question, it is believed that the accessory sanction of the publication of this provision on the website of the Guarantor should be applied, provided for by art. 166, paragraph 7 of the Code and art. 16 of the Guarantor Regulation no. 1/2019, taking into account the particular seriousness of the violations and the disvalue of the conduct both with reference to the evasion of the legislation to combat unwanted promotional contacts, and with regard to the number of subjects involved and the potential economic damage suffered by them.

Finally, the conditions set out in art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor, are met.

GIVEN ALL THE ABOVE, THE GUARANTOR

pursuant to art. 57, par. 1, letters a) and h), of the Regulation, declares the processing described in the terms set out in the reasons carried out by Acea Energia S.p.A., with registered office in Rome, Piazzale Ostiense n. 2, VAT no. 07305361003, to be unlawful and, consequently:

a) orders Acea Energia, pursuant to art. 58, par. 2, letters d) and e) of the Regulation, to communicate to all interested parties, whose personal data have been entered into the Company's systems following the unlawful acquisitions by D.I. Stefanelli and M.G. Company s.r.l., the results of today's proceedings based on a text to be agreed with the Authority when applying this provision;

b) orders Acea Energia, pursuant to art. 58, par. 2, letter d) of the Regulation, to adequately check that the agencies enter into contracts with any sub-agents that are fully compliant with the standard contract stipulated between Acea Energia and the agencies themselves and in which the distribution of responsibilities in the processing of personal data is clearly explained as indicated by art. 28 of the Regulation;

c) orders Acea Energia, pursuant to art. 157 of the Code, to communicate to the Authority, within thirty days of notification of this provision, the initiatives undertaken in order to implement the measures imposed; any failure to comply with the provisions of this point may result in the application of the administrative pecuniary sanction provided for by art. 83, paragraph 5, of the Regulation.

ORDERS

pursuant to art. 58, par. 2, letter i), of the Regulation, to Acea Energia S.p.A., in the person of its legal representative pro-tempore, with registered office in Rome, piazzale Ostiense n. 2, C.F. 07305361003, to pay the sum of €3,000,000.00 (three million/00) as an administrative pecuniary sanction for the violations indicated in the reasons; it is represented that the offender, pursuant to art. 166, paragraph 8, of the Code, has the right to settle the dispute by paying, within 30 days, an amount equal to half of the sanction imposed.

ORDERS

the aforementioned Company, in the event of failure to settle the dispute pursuant to art. 166, paragraph 8, of the Code, to pay the sum of €3,000,000.00 (three million/00), according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of the adoption of the consequent executive acts pursuant to art. 27 of Law no. 689/1981;

ORDERS

a) the publication of this provision, pursuant to art. 154-bis of the Code and 37 of Regulation no. 1/2019, as well as the application of the accessory sanction of the publication on the website of the Guarantor of this injunction order, as provided for by art. 166, paragraph 7 of the Code and 16 of the Guarantor Regulation no. 1/2019;

b) the annotation of this provision in the internal register of the Authority - provided for by art. 57, paragraph 1, letter u), of the Regulation, as well as art. 17 of Regulation no. 1/2019 concerning internal procedures with external relevance, aimed at carrying out the tasks and exercising the powers assigned to the Guarantor - relating to violations and measures adopted in accordance with art. 58, par. 2, of the Regulation itself.

Pursuant to art. 78 of the Regulation, as well as arts. 152 of the Code and 10 of Legislative Decree no. 150 of 1 September 2011, an appeal against this provision may be lodged with the ordinary judicial authority, with an appeal filed with the ordinary court of the place where the data controller is resident, or, alternatively, with the court of the place of residence of the interested party, within thirty days from the date of communication of the provision itself, or sixty days if the appellant resides abroad.

Rome, 10 April 2025

THE PRESIDENT
Stanzione

THE REPORTER
Ghiglia

THE ACTING SECRETARY GENERAL
Filippi









----------

1) See, for example, at www.garanteprivacy.it: provision of 15 June 2011, web doc. no. 1821257; provision of 9 July 2020, web doc. no. 9435753; provision of 12 November 2020, web doc. no. 9485681; provision of 25 March 2021, web doc. no. 9570997; provision of 13 May 2021, web doc. no. 9670025; provision of 16 December 2021, web doc. no. 9735672; provision of 11 April 2024, web doc. no. 1008019; provision of 11 April 2024, web doc. no. 1008076; provision of 6 June 2024, web doc. no. 10029424.
  1. This is the Italian implementation of the e-Privacy Directive's rules on unsolicited marketing communications.
  2. See Garante per la protezione dei dati personali (Italy) - 10127964.