Garante per la protezione dei dati personali (Italy) - 9832979

From GDPRhub
Revision as of 16:03, 22 February 2023 by Kv (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Garante per la protezione dei dati personali - 9832979
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(e) GDPR
Article 5(2) GDPR
Article 12(3) GDPR
Article 24 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 24.11.2022
Published: 24.11.2022
Fine: 1,000,000 EUR
Parties: Signore XX (the data subject)
Areti S.p.A. (the controller)
National Case Number/Name: 9832979
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: Garante per la Protezione dei Dati Personali (in IT)
Initial Contributor: n/a

Areti S.p.A, a Rome-based electricity distributor, was fined €1,000,000 for affecting thousands of customers in the switch to another provider owing to erroneous data and systems that classified the customers as insolvent.

English Summary

Facts

Areti spa, a company that distributes electricity in the Italian capital (the controller), accidentally classified a customer (the data subject) as insolvent. As would become clear later, this inaccurate profile was shared with the insolvency registry. The data subject was consequently unable to switch to another supplier and thus lost any potential savings. The data subject lodged a complaint with the DPA on 6 March 2021.

The investigations from the DPA revealed that it was impossible for the user to change supplier as a result of the processing of inaccurate and outdated data. Due to a misalignment of the controller’s internal systems, incorrect information regarding customer accounts (in particular, customers with ongoing arrears) was communicated to the Integrated Information System (IIS), the database consulted by suppliers before signing a new contract.

Incoming suppliers were able to assess the convenience of acquiring a new customer in the free market by consulting the IIS, which included information provided by the controller. Unfortunately, however, during the period of December 2016 until January 2022, the methods used by the controller to extract information from its own systems had, due to a series of technical and application errors, actually resulted in the fact that a number of data subjects were declared insolvent. As a consequence, on the basis of this inaccurate information, the incoming sellers had denied over 47,767 potential customers.

Holding

Issuing its decision, the Italian DPA found that the incorrect use of the query for the extraction of delinquency data for the period between December 2016 and 4 January 2022 constituted a violation of Article Article 5(1)(d) GDPR. In addition, the DPA also contested the controller's inadequate data retention time (breach of Article 5(1)(e) GDPR); the migration of inaccurate data within its systems (breach of Article 5(1)(d) GDPR); and the inadequate response to access requests filed by the data subject, in violation of Article 12(3) and Article 15 GDPR. The DPA also held that the controller breached the principle of accountability as the technical and organisational measures adopted to bring data processing into line with the GDPR were not adequate to the nature, context and risks of the processing carried out (breach of Article 5(2) and Article 24 GDPR).

In determining the administrative fine, in accordance with the factors outlined in Article 83(2) GDPR, the Italian DPA took into account: the several thousand customers involved; the duration of the violation (approximately five years); the sensitivity of the information processed that could highlight the "trustworthiness" of the person; and the possible economic and social consequences that could result from their unlawful processing. The DPA also noted the negligent nature of the controller's violations, which were substantially determined by mere technical errors that did not result in any advantage to the controller’s business or profits. It also considered that the peculiarities and the extremely technical nature of the matter under dispute did not make it easy for the controller to adopt preventive measures, also due to the small number of complaints it received in this regard.

In line with these considerations, the DPA imposed a €1,000,000 fine upon the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.

SEE NEWSLETTER OF 22 DECEMBER 2022

[doc. web no. 9832979]
Injunction against Areti S.p.A. - November 24, 2022
Register of measures
no. 390 of 24 November 2022
THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA
IN today's meeting, which was attended by prof. Pasquale Stanzione, president, prof.ssa Ginevra Cerrina Feroni, vice president, dr. Agostino Ghiglia and the lawyer Guido Scorza, components and the cons. Fabio Mattei, general secretary;
HAVING REGARD TO Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter, the "Regulation");
HAVING REGARD TO the Code regarding the protection of personal data, containing provisions for the adaptation of the national legal system to Regulation (EU) 2016/679 (legislative decree 30 June 2003, n. 196, as amended by legislative decree 10 August 2018, n. 101, hereinafter "Code");
CONSIDERING the complaint of 6 March 2021 presented pursuant to art. 77 of the Regulation by Mr. XX against Areti S.p.A.;
HAVING EXAMINED the documentation in the deeds;
HAVING REGARD TO the observations made by the general secretary pursuant to art. 15 of the Guarantor's regulation n. 1/2000;
SPEAKER Prof. Geneva Cerrina Feroni;
WHEREAS
1. The complaint against the company.
With a complaint presented on 6 March 2021, Mr. XX reported that he had been erroneously classified as a 'defaulting customer' (in this case, with reference to the application of the so-called CMOR indemnity), by Areti S.p.A., in the context of communications transmitted by it within the Integrated Information System (hereinafter "SII"), by reason of participation in the indemnity system (see resolution of the Regulatory Authority for Energy, Networks and the Environment - "ARERA", of 3 August 2017, no. 593/2017/R/com); all this due to the processing, by the aforementioned owner, of inaccurate and outdated data referring to the complainant. The unsuitable response by Areti S.p.A. to the request to exercise the rights presented on 21 August 2020 by Mr. XX, pursuant to articles 15-22 of the Regulation.
The complaint made it necessary to preliminarily examine the functioning methods of the automated interaction processes between the systems of Areti S.p.A. and the SII with respect to the information conveyed within the Indemnity System; this with particular reference to the checks requested, to the aforementioned distributor in the switching phase, on the presence of previous arrears of end customers (in this case, the CMOR indemnity).
In this regard, it should first of all be recalled that the CMOR (i.e. 'Amount in default') - established by resolution of ARERA (resolution of 11 December 2009, no. ARG/elt 191/09 and subsequent amendments) and regulated within the ' TISIND' containing the 'Integrated text of the indemnity system for defaulting customers in the electricity and natural gas sectors' (see Annex A of ARERA resolution no. 593/2017/R/com) - consists of a specific expense item invoiced in the bill to the customer where the latter, at the time of the transfer (so-called switching) to another energy supplier on the free market, reports previous arrears towards the previous seller.
Pursuant to this regulation, the outgoing electricity supplier is guaranteed compensation for any failure to collect the credit relating to the invoices of the last three months of supply, before the actual transfer of the customer to the incoming supplier; this through an articulated mechanism for allocating economic duties and for the transmission of communication flows – within the ambit of the indemnity system and through the SII – between the incoming vendor, the distributor, the Fund for energy and environmental services (of hereinafter 'CSEA') and finally the outgoing supplier.
More specifically, the latter, where the regulatory conditions are met and within the terms provided therein (articles 4 and 7 of the TISIND), can present the CMOR compensation request to the SII, which is verified, for the formal aspects, by Acquirente Unico (hereinafter 'AU'), by consulting the official central register present in the SII (art. 8 of the TISIND).
In the event of a positive outcome of the aforementioned verification, AU informs the incoming seller of the acceptance of the practice, who invoices the amount of the CMOR to the customer. Seven months after the aforementioned acceptance, AU notifies the outcome to the distributor, who, in turn, invoices the CMOR amount to the incoming seller and, having received the amount relating to the CMOR, pays it to CSEA (articles 8 and 9 of the TISIND), communicating it, through the SII, pursuant to art. 11, paragraph 2, of the TISIND.
The regulation of the indemnity system, for the purposes of the disputed issues in the present case, must also be examined in conjunction with the regulation issued by ARERA on switching and, more specifically, with the institution of the so-called reserve switching.
This is the right, attributed to the incoming seller, to revoke the switching request once some information relating to the customer has been acquired in terms of: arrears of the same (i.e. presence of a CMOR indemnity procedure in progress or requests for suspension of the supply), propensity to change supplier (e.g. number of switching requests presented), as well as other characteristics of the supply subject to switching (cf. in this regard, article 6, paragraphs 3 and 4, of the TIMOE containing the 'Integrated text for electricity arrears', Annex A to the ARERA resolution of 29 May 2015, no. 258/2015/R/com and subsequent updates).
On the basis of the aforementioned regulation, therefore, the incoming seller is allowed, before confirming his will to acquire a new customer in the free market, to evaluate the 'convenience' of the aforementioned acquisition, on the basis of a series of information, provided by the distributor through the SII, including those relating to the insistence, on the relative POD, of an 'in progress' CMOR indemnity request (hereinafter also 'CMOR-SI') due to past arrears with the previous seller (see Article 6, paragraph 4, letter b) of the TIMOE).
2. The preliminary investigation by the Guarantor and the misalignment of the information systems.
Following the submission of the above complaint, the Office started a detailed preliminary investigation, through the transmission, with a note dated April 7, 2021, of a request for information - which was answered with a communication dated May 6, 2021- and by carrying out some inspections at Areti S.p.A. on 9 and 10 December 2021 as well as on 17 March 2022.
As part of the above-mentioned response and during the inspections carried out by the Authority, the controller declared, also through two explanatory notes dated 10 January and 31 March 2022, respectively, what is more widely reported below.
With reference to the complaints contained in the complaint, Areti S.p.A., following the presentation of the same, provided an initial reply to Mr. XX on August 28, 2020, inviting the same to "refer to the competent seller in order to remedy the situation of arrears , as the charge status of the CMOR can only be changed by the aforementioned vendor. Subsequently, following further insights and information from the interested party, the company detected a misalignment of the IT flows between its systems and the Integrated Information System, correcting the position of Mr. XX, within the Indemnity System (...) in April 2021. In fact, on 20 April 2021, the company sent the SII a request to change the indication relating to the CMOR (CMOR NO) [attributed to the POD pertaining to the complainant], which had a positive outcome" (see minutes of 9 December 2021, page 3).
With regard to the aforementioned 'misalignment', the Company represented that the same would derive from the application, in the period between December 2016 and January 2022, of an erroneous rule (hereinafter also "query") of extraction, from its own data basis, of the information relating to the presence of a CMOR indemnity in progress against the claimant (see minutes of December 9, 2021, page 4 and minutes of December 10, 2021, page 2). All this following the various adaptation activities of its systems and processes, implemented by Areti S.p.A., in order to comply with the regulatory changes that have affected, in recent years, the discipline relating to the indemnity system. Specifically, the Company has identified four distinct phases of intervention, as explained below.
A first phase, prior to December 2016, where the management of practices concerning the Indemnity System "was based (...) on the 'Request_Indemnity Table' which stored the practices processed up to the end of November 2016, [by updating the related] 'status' field [reporting changes in CMOR practices]. When the procedure was started, the 'status' was set to 'ADMITTED' [corresponding to a 'CMOR-YES'], while when the Cancellation request [from the CMOR] arrived, the 'status' was set to 'CANCELLED' [indicative of a 'CMOR-NO']” (see explanatory note of 10 January 2022, pages 8-10). The rule for extracting the value inherent in the presence of a previous arrears (in terms of 'CMOR-SI') was based on a query that "went (..) to look for the presence of a occurrence in the 'Request_Compensation Table', which presents [the field] 'status' equal to 'ADMITTED'" (see supplementary note of 10 January 2022, pages 8-10). Given this correct application of the rule described above, "the switching request of Mr. XX, which arrived on November 9, 2016, [unlike what happened later] had [regularly] received a 'CMOR NO' response as the row relating to his POD was present in the database, but had the status 'CANCELLED'" (see explanatory note dated 10 January 2022, pages 8-10).
A second phase, relating to the period between December 2016 and November 2018, involved a review of the Company's application systems, which took place in December 2016. On that occasion, a new table was created - called the 'Indemnity_Practice' table - in which the the practices relating to the indemnity system, present in the previous 'Request_Compensation' table migrated; this with the migration rule according to which, "for each occurrence, the 'status' was reported in 'ADMITTED' and, in the presence of a Cancellation, the field 'STATO_INVIO_ANNULLAMENTO' would have been filled in with the value 'SENT'. At the same time, the query to check the presence of the CMOR, used in the switching process, was updated in the following way: (...) [in order to verify the presence of a CMOR-SI indemnity] we went looking for, in relation to the POD communicated in the switching, the presence of an occurrence in the 'Pratica_Indennizzo' table which had the 'status' equal to 'ADMITTED' without however considering [the field] 'STATO_INVIO_ANNULLAMENTO' valued with 'SEND'. (..) Therefore, should a switching request have been received, starting from December 2016 until the subsequent modification of the rule made on October 28, 2021, (...) in cases similar to that of Mr. XX, the effect would have been that to return an [inexact] CMOR value equal to SI due to the incomplete interpretation of the data by the [aforesaid] rule" (see explanatory note of 10 January 2022, p. 8 and pp. 10-11).
A third phase involved the period between December 2018 and October 2021: in December 2018, as part of the activities to modify the systems of Areti S.p.A. necessary to fulfill the transition to the regime of the indemnity system (see Arera, resolution of 3 August 2017, n. 593/2017/R/com and subsequent amendments), "the 'Pratica_Indennizzo_SII' tables have been introduced [which contains the data relating to CMOR indemnities from 1 December 2018 to today] and 'Historico_Indennizzo_SII' [which records the historical data relating to changes in the 'status' of cases from 1 December 2018 to today] and, for a portion of cases present in the [ previous] 'Pratica_Indennizzo' table, a migration activity [of the files] was carried out in 'ADMITTED' status or with eligibility under verification" (see explanatory note of 10 January 2022, paragraph B.iii).
For the purpose of calculating the CMOR during switching, the rule for extracting the aforementioned value was further modified by implementing a query aimed at identifying an occurrence that presented the 'status' field equal to 'ADMITTED' in the tables ' Claim_Indemnity', 'SII_Indemnity_Claim' and 'SII_Compensation_History'.
In this circumstance, the problems contested by Mr. XX regarding the return to the IIS of information that does not correspond to the truth regarding his condition of arrears, are derived from the erroneous consultation, pursuant to the aforesaid rule, of a table that is not updated and no longer busy (the 'Pratica_indennizzo' table), as well as the 'History_indennizzo_SII' table which, in reporting the various status passages of the cases, always contained, for each case, the 'status' of 'Admitted' ( i.e. 'CMOR-SI'). "For this reason, the CMOR valued at YES continued to be returned for the files migrated in December 2016. Therefore, in response to this rule, Mr. XX was mistakenly returned the CMOR valued at YES for the requests formulated in 2019 and in 2020" (see explanatory note of 10 January 2022, paragraphs B.iii and C).
With specific reference to the aforementioned data migration activities relating to the application of the customer CMOR from the 'Indemnity_File' table to the 'SII_File_Indemnity' table, it also emerged that the "migrated cases were applied by default the migration rule which provided for the transcoding of the 'status' from 'ADMITTED' to 'CLOSED'. (..) The number of files [overall] migrated to the new table was 50,737" (see explanatory note of 10 January 2022, paragraph C); of these "the number of practices which, in the migration carried out in December 2018, despite having the 'STATO' field equal to 'ADMITTED' and the 'INVIO_ANNUULLAMENTO' field equal to 'SENT', were [erroneously] migrated with the 'status ' 'CLOSED', is 39,088, corresponding to 34,634 PODs, relating to 16,186 natural persons” (see minutes of 17 March 2022, page 4).
The last phase concerned the time interval from October 2021 to January 4, 2022. Starting from October 2021, an in-depth study was carried out on the rules [for extracting the data inherent to the presence of the CMOR] set [previously]: (..) [at first, i.e. until December 2021], by removing, from the rule [i.e. the query], the selection of the rows relating to the 'Pratica_Compensation' table"; subsequently, i.e. starting from 4 January 2022, the CMOR was valued by searching for files "in 'ADMITTED' 'status' only for [those] (...) that bear this 'status' only in the 'Pratica_Indennizzo_SII' table", removing therefore the search function in the 'Historic_indennizzo_SII' table (see explanatory note of 10 January 2022, par. B.iv; cf. also minutes of 10 December 2021, pages 2-3).
What emerged with reference to the extraction of the data relating to the customer's arrears within the Areti S.p.A. systems, indications were also provided regarding the technical specifications relating to the correspondence of the 'CMOR-SI/CMOR-NO' value with respect to the field 'status' of the files in the 'Pratica_Indennizzo' and 'Pratica_Indennizzo_SII' tables.
In this regard, the Company represented that, during the switching, the information relating to an 'indemnity in progress' pursuant to art. 6, paragraph 4, lett. b), of the TIMOE (so-called CMOR-SI) for the customer is valued with reference to the period in which the practice is recorded in the aforementioned tables with the 'status' field valued as 'ADMITTED' or 'ADMITTED-ESITATA' (see Minutes of 10 December 2021, Annex 8). The 'Pratica_Indennizzo_SII' table also shows additional types of 'status' fields aimed at keeping track of the various stages of progress of the case within Areti's systems; they consist of: 'REQUEST' (when the IIS communicates to Areti S.p.A. the acceptance of the file; see art. 8, paragraph 4 of the TISIND); 'IN PROCESSING SAP' (when from 'ADMITTED' the file is sent to the billing management system); 'BILLABLE' (when the same is acquired by the billing system); 'CLOSED' (when the invoice has been issued to the incoming seller); 'CANCELLED' (in the event of a subsequent cancellation request pursuant to articles 12-14 of the TISIND).
With the exception of the status 'ADMITTED' and 'ADMITTED-HESITED', the remaining 'states-practice' all correspond to a value of 'CMOR-NO'" (see explanatory note of 31 March 2022, pp. 3- 4; see Minutes of 10 December 2021, Annex 8).
With regard to the internal management of the 'status' transfer processes of the files, the Company also specified that "since 2018, when the Distributor receives the file from the IIS, it immediately invoices it, as it is the Sole Buyer who sends the communication to the Distributor according to the timescales established by law; it follows that, from December 2018, the change of status from 'ADMITTED' to 'CLOSED', within the 'Pratica_Indennizzo_SII' table, generally takes place in a very short period of time" quantifiable "in a few hours" (see report of 17 March 2022, page 5; explanatory note of 10 January 2022, paragraph B.iv).
In this regard, during the inspections conducted by the undersigned Authority, it was "verified that, in the 'Pratica_Indennizzo_SII' table there are, (..), [as of 17 March 2022], cases with the 'status' 'ADMITTED' ( see minutes of 17 March 2022, page 5).
As regards the retention times of the information present in the systems of Areti S.p.A. and aimed at managing the indemnity system practices, the Company declared that the aforesaid practices are stored in a special application, called the "PAD application", subject to the data retention policy prepared by Areti S.p.A. with reference to "all processing aimed at managing customer relations" (see explanatory note of 10 January 2022, page 23).
The aforementioned policy “provides for a data retention period of 10 years from the date of termination of the supply contract, in line with the general limitation period established by law. This timing is also consistent with the commercial life cycle of the POD, as well as with any actions necessary and/or requested by the user, such as refunds of charges in favor of the customer, complaints, out-of-court proceedings (conciliations) and legal proceedings (see explanatory note of 10 January 2022, pages 23 and 24).
Lastly, with reference to the ways in which the Company handles complaints regarding the exercise of rights, Areti S.p.A. clarified that the same "must be sent to a dedicated e-mail box, unique for all group companies, preferably by filling in the form prepared by the Authority for this purpose, with an attached copy of the complainant's identity document, for avoid possible homonyms. Complaints are examined by the group DPO who liaises, from time to time, with the group company receiving the same complaints. Before the establishment of the dedicated single box, complaints pursuant to art. 7 [of the Code in the previous regulation] which arrived at the general address of the group companies were often treated as complaints of another nature, with the risk of a management not consistent with the timescales established by the sector legislation. For this reason, on the occasion of the restructuring of the group's privacy governance, a single mailbox was initially set up for privacy complaints, in order to optimize its management. To date, the possibility of establishing dedicated email addresses for each company is being examined" (see minutes of 9 December 2021, page 3).
With regard to the request presented by the complainant, pursuant to art. 15 of the Regulation, on 21 August 2020 and regularized on 25 August 2020, the Company provided an initial response on 28 August 2020, reporting the list of categories of information pertaining to Mr. XX.
Following a further request for integration presented by the complainant on 28 September 2020, Areti S.p.A., with communication dated 7 October 2020, provided a list containing the personal data, relating to the latter, processed within its systems, specifying at the same time that "not [be] in possession of the information that allowed the application of the provisions of art. 6.3 of the TIMOE” (see minutes of 9 December 2021, Annex 3).
3. Notification of violations and initiation of proceedings.
On 16 June 2022, the Office notified, pursuant to art. 166, paragraph 5, of the Code, the alleged violations of the Regulation found with reference to art. 5, par. 1, letters d) and e) and par. 2, in art. 24 as well as the articles 12 and 15 of the Regulation.
On July 15, 2022, the Company sent its defense writings in which it represented that:
a) the duration of the violation, to be calculated starting from the moment in which the owner became aware of the technical errors that occurred in his systems, "cannot be traced back to the period after December 2016, but only to the approximately 16 months between 21 August 2020 (date of receipt of Mr. XX's request) and 9/10 December 2021 (start date of the inspections, following which the Company immediately carried out all the necessary investigations" (see note by Areti S.p.A. of 15 July 2022, page 4);
b) upon notification of violation pursuant to art. 166, paragraph 5 of the Code, a separate storage term has been established for the personal data of customers relating to CMOR practices and relating to the Indemnity System, which takes into account the peculiarities of the specific reference sector, as well as the prescription times applicable therein. "Consequently, the need to have all the data available to be able to provide the necessary feedback to the interested parties in the event of reports, complaints or disputes and (..) to exercise the rights of the Company in the appropriate offices, including the judicial , has led to the setting of a retention term in line with the longer limitation periods in force pursuant to the law"; this term has been identified as 10 years from the date of receipt of the CMOR indemnity request within the Areti S.p.A. systems, regardless of the life cycle of the POD concerned (see Areti S.p.A. note of 15 July 2022, page 5 ). Moreover, the ten-year retention of data relating to CMOR practices is functional and necessary for the correct management of the Indemnity System. "In fact, requests for cancellation of CMOR practices can be presented to the Company even after [several] years from the communication of the indemnity practice" (see note by Areti S.p.A. of 15 July 2022, page 6);
c) with reference to the reason for the inaccurate response provided to the request to exercise the rights pursuant to articles 15-22 of the Regulation, the same, which concerns only the data relating to the CMOR compensation, is to be identified in the difficulty, on the part of Areti S.p.A., of promptly reconstructing the position of Mr. XX, due to the incorrect configuration of the queries of extraction, as well as the erroneous migration that occurred in the Company's systems (see note by Areti S.p.A. of July 15, 2022, pages 6-7);
d) following the performance of the inspections by the Guarantor, "a process was undertaken [by Areti S.p.A.] to raise the levels of compliance with the applicable legislation" through:
‒ modification of the "data extraction query/rule, in line with the reconstruction carried out by the Authority, so as to consider the payment phase to CSEA as the final moment of the CMOR" (see note by Areti S.p.A. of 15 July 2022, page 7);
‒  correction "of the records that show the status of 'CLOSED' in the 'SII Compensation Practices' table, in order to correctly and completely implement the payment event in the new rule" (see Areti S.p.A. note of the 15 July 2022, page 8);
‒ launch of “a data deletion procedure in line with the aforementioned data retention policies. This procedure was initially defined for requests for services relating to PODs with the last supply contract terminated more than 10 years ago (…). The aforesaid procedure will also be extended to the data relating to the CMOR, in order to operate the cancellation from the databases for practices with an accrual date greater than 10 years" (see note by Areti S.p.A. of 15 July 2022, page 8);
‒ scheduling of "thematic training and in-depth analysis meetings, with the individual functions involved, aimed at implementing the provisions of the policies and procedures adopted by the Company, so as not to leave any of the processing operations without adequate supervision" (see Areti's note S.p.A. of 15 July 2022, page 8).
On 10 October 2022, during the hearing requested by the Company and through the explanatory note sent on 17 October 2022, the latter, in fully recalling the briefs mentioned above, also represented that:
1. Areti S.p.A., as a public service concessionaire with tasks of managing networks and distributing and measuring electricity, unlike companies that sell goods and services to consumers, does not operate according to market logic but at the contrary acts on the basis of "purely neutrality and impartiality logic to protect all operators (..) In confirmation of the [aforesaid] public role exercised by the company, the revenues are set by the sector regulator, and are aimed at guarantee coverage of the investment and operating costs incurred by the company in order to provide a service in compliance with regulatory standards". On this point, it is worth highlighting that "for some items, Areti plays a role that can essentially be qualified as a withholding agent on behalf of the other entities in the sector, such as, for example, Terna Spa, the Electricity and Environmental Services Fund, etc." with significant effects on the items referred to in the Company's financial statements. In this regard, in the light of the characteristics just illustrated, "it is necessary to provide a correct reading of the company's revenues reported in the latest financial statements approved by the company, relating to the year 2021 and equal to 613 million euros. In fact, it is necessary to purify the aforesaid economic figure from all pass-through tariff items for which the Company collects and then transfers, without withholding any margin, to other operators in the electricity sector, from all chargebacks of costs incurred, or reimbursements, or intercompany items . Therefore, following the unbundling of these economic items, it is believed that the actual profit/revenue achieved by the Company at the end of 2021 is approximately 240 million euros" (see explanatory note of 17 October 2022, page 1 -3 and Annex 1);
2. with regard to the criteria for quantifying the pecuniary administrative sanction, the slightly negligent nature of the violations contested by the Authority should be noted, as they were substantially determined by mere technical errors which did not give any advantage to the Company's business or profits. All this also taking into account the fact that the peculiarities and extremely technical nature of the disputed matter did not make it easy for the owner to adopt preventive measures, also due to the small number of complaints received regarding the Company ( see minutes of the hearing of 10 October 2022, page 2);
3. as regards the actions that Areti S.p.A. has launched in order to raise the levels of compliance with data protection legislation, we note, in addition to the measures already highlighted in the memorandum of 16 July 2022 (pages 7-8), the following planned activities:
a) the definition of "a procedure for certifying future DB migration operations which provides for the certification of the actions performed including the phases of testing and balancing the results and the preservation of the logics/metrics applied from time to time"; all in order to "support (..) the owner even in cases of outsourcing of these activities" (see Annex 1 of the explanatory note of 17 October 2022);
b) the preparation of "an ad hoc training course for the resources involved in the management of commercial processes that process personal data of customers" with the aim of "identifying and correcting characteristics of systems and projects that prove to be 'weak' on the topics covered and at the same time determine a higher quality of service" (see Annex 1 of the explanatory note of 17 October 2022);
c) the activation of a specific email address for each individual group company which makes access to the channel "more intuitive for users to exercise the rights pursuant to articles 15 ess GDPR" (see Annex 1 of the explanatory note of 17 October 2022).
4. Observations on the legislation on the protection of personal data relevant in the specific case and violations ascertained.
First of all, it should be noted that, unless the fact constitutes a more serious offence, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false deeds or documents is liable pursuant to art. 168 of the Code "False statements to the Guarantor and interruption of the performance of the duties or exercise of the powers of the Guarantor".
Dutifully stated, following the preliminary investigation and examination of the documentation acquired during the same, it was ascertained that the processing of customers' personal data, implemented by Areti S.p.A. in the context of its participation in the Indemnity System, it occurred in violation of art. 5, par. 1, lit. d), of the Regulation; this in relation to the various auditing activities of its systems, implemented by the Company between December 2016 and January 2022 (see infra, paragraphs 4.1-4.3), which in fact resulted in the processing, also through communication to the IIS, of inaccurate and outdated data relating to the aforementioned customers.
Violations of art. 5, par. 1, lit. e), of articles 12 and 15, as well as art. 5, par. 2, and of the art. 24 of the Regulation (see below, paragraphs 4.4-4.6); all of this as explained below.
4.1 Violation of the principle of accuracy due to failure to update data due to the incorrect application of the information extraction query relating to the arrears of end customers.
In compliance with the art. 6, paragraph 4, of the TIMOE, Areti S.p.A., as distributor assigned the management of the electricity grid of the municipalities of Rome and Formello, periodically transmits to the IIS the information relating to the presence, by a customer, of an indemnity file in course ('CMOR-SI'); the aforesaid valorisation is generated by extracting (via query) it from the specific database in use by the Company for the management of practices relating to the indemnity system, namely, respectively:
• from the 'Pratica_Compensation' table, for the period December 2016/November 2018;
• from the tables 'Practice_Compensation', 'Practice_Compensation_SII' and 'History_Compensation' in the period between December 2018/October 2021;
• from the tables 'Pratica_Compensation_SII' and 'History_Compensation' for the period November 2021/3 January 2022;
• from the 'Pratica_Indennizzo_SII' table from 4 January 2022 onwards (see above, paragraph 2).
In this regard, during the preliminary investigation and on-site inspections, it emerged that, starting from December 2016, the various queries used for this purpose by Areti S.p.A. have determined, due to a series of application errors of the same, an inaccurate valorisation of the information relating to the presence of a 'CMOR-SI' in the hands of the end customers, entailing, in fact, the attribution to the latter of a condition of default that does not correspond to the real situation of the same. On the basis of this inaccurate and outdated information, the incoming vendors, from time to time designated by the customer, in exercising the faculty of conditional switching, have, on several occasions, renounced the completion of the same by denying the activation of the relative supply of energy.
More specifically, it was ascertained that, between December 2016 and December 2018, the query applied by Areti S.p.A. provided the SII with confirmation of the existence of a condition of active arrears for end customers, without taking into account any cancellation of the CMOR already previously intervened in favor of the same.
From December 2018 to October 2021, the data extraction function erroneously included, among the tables to be consulted for information relating to the presence of the CMOR, an out-of-date historicized table (the 'Pratica_Compensation' table), determining, also in this case, the return of a 'CMOR-SI' that does not correspond to the actual condition of the aforementioned customers.
The duration of the violation, therefore, unlike what is claimed by the Company (see above, paragraph 3, letter a) of this decision) cannot be limited to the period between the receipt of the complaint request and the initiation inspections by the Authority (length of time in which the offender was aware of the harmful event), but must be calculated taking into account the actual time frame in which it occurred.
The aforementioned erroneous extractions of the CMOR value involved, in the aforementioned period, in addition to Mr. XX, all the end customers of Areti S.p.A. having a similar situation to that of the complainant, for a total of 16,743 interested parties; this also taking into account the fact that, from October 2021 to 4 January 2022, the query used, following further changes made to it, continued to refer not only to the updated 'Pratiche_Indennizzo_SII' table, but also to the 'Historical_Compensation_SII' table , containing the history of changes in the status of the cases, with the result of providing - even in the period November 2021/January 4, 2022 - an outcome, in terms of CMOR of the end customers, which does not correspond to the updated status of the cases present in the Indemnity System.
The inaccurate valorisation of the information relating to the arrears of end customers as explained above therefore led Areti S.p.A., in the period of time considered above (from December 2016 to 4 January 2022), to violate art. 5, par. 1, lit. d), of the Regulation with reference to the processing of personal data of 16,743 data subjects.
In addition, the consequent communication, during the switching phase, by the same Company of the aforementioned inaccurate and outdated information, resulted in the non-completion, due to the exercise of the incoming seller's right of revocation, of around 47,767 switching requests.
4.2 Violation of the principle of accuracy following the migration of data in the 'Pratica_Indennizzo_SII' table.
In 2018, following the adoption by ARERA of resolution no. 593/2017/R/com  which established the transition to the regime of the indemnity system, Areti S.p.A. proceeded, on the instructions of the Acquirente Unico (see report of, Attachment n. e-mail dated 9.11.2018), to recode the practices relating to the indemnity system, creating for this purpose a new table - called "Pratiche_Indennizzo_SII"- in which the migrated all the "ADMITTED" or 'being verified' practices in the previous 'Indemnity_Practices' table.
The same migration rule was applied to all the files subject to the aforementioned transfer which provided for the transcoding of the 'status' field from 'ADMITTED' to 'CLOSED', without any distinction of the files with respect to which a cancellation of the CMOR had already occurred .
The rule used on that occasion, in fact, did not take into account the circumstance that, in the previous 'Pratiche_Indennizzo' table, the cancellation of the CMOR was entered not in the 'status' field, but in the additional 'Send cancellation' field, determining thus the effect of reporting in the same valuation of the 'CLOSED' case both the cases with respect to which a CMOR was still present and those with reference to which the aforementioned indemnity had already been defined due to the occurrence of a cause for cancellation of the same and which, therefore, should have been migrated to the different 'state' of 'CANCELLED'.
As a result of the application of this imprecise transcoding rule, 39,088 files containing inaccurate and outdated information were reported in the new table 'Pratiche_Indennizzo_SII', with consequent violation of art. 5, par. 1, lit. d), of the Regulation. The aforementioned violation concerned PODs relating to 16,186 natural persons (see report of 17 March 2022, page 4).
It is also worth noting that, from the documentation in the records, the aforementioned 'Pratiche_Indennizzo_SII' table is still not correctly updated, reporting 38,595 CMOR files in the incorrect status of 'CLOSED'.
4.3 Violation of the principle of accuracy with reference to the time period for valorising the information relating to the 'CMOR-SI'.
The aforementioned disciplines referred to in the TISIND and in art. 6 of the TIMOE provide, as already explained (see above, paragraph 1 of this decision), that the information relating to the presence of an 'in progress' CMOR compensation request (so-called CMOR-SI pursuant to art. 6 , paragraph 4, letter b) of the TIMOE) is valued by the distributor within a specific period of time between the opening of the CMOR file by the distributor and its closure through the payment of the amount of the predicted CMOR to CSEA.
More specifically, the time interval in which the CMOR should be considered as a 'CMOR-SI' is identified by the sector regulation from the moment in which "the request for compensation referred to in Article 7 of the TISIND has been accepted" - i.e. the date on which AU notifies, through the SII, pursuant to art. 8, paragraph 4 of the TISIND, the acceptance of the file to the distributor - at the time in which the latter pays the amount of the CMOR to CSEA with relative communication to the SII pursuant to art. 11, paragraph 2 of the TISIND (see art. 11, paragraph 1, of Annex A of the Arera resolution of 14 October 2015, n. 487/2015/R/EE and subsequent updates; see also art. 6, paragraph 5 of the TIMOE).
This period of time generally corresponds to an interval of three/five months, except for the occurrence of any cancellations of the aforementioned CMOR (articles 12-14 of the TISIND).
On the other hand, it was ascertained that Areti S.p.A. applies, starting from January 2022, a rule of extraction of the value of the 'CMOR-SI' which causes it to start not from the moment identified by the legislation and referred to above (i.e. the one in which the Company receives the communication of acceptance of the file from the SII  and which corresponds, in the Company's systems, to the "REQUESTED" 'state-of-file'), but from a later time (i.e. from when the aforementioned file acquires the status of "ADMITTED"). Likewise, the final term of the valuation as 'CMOR-SI' of the customer's arrears condition is made to coincide with the passage of the case to the "IN PROCESSING SAP" phase and not with the different term envisaged by the sector regulation (art. 11, paragraph 2, of the TISIND).
It follows that the information relating to the 'CMOR-SI' of the end customers is present in the Areti S.p.A. systems. for a very short period of time (a few hours); this unlike what is otherwise provided for by the reference regulations and carried out by the other energy distributors participating in the indemnity system.
In the light of the considerations made above, therefore, the processing of personal data of the Company's end customers, in relation to the insistence on the related PODs of active arrears in terms of CMOR, is still carried out in violation of art. 5, par. 1, lit. d), of the Regulation, consisting in the processing of inaccurate and outdated information.
As proof of the above, during the inspections carried out at Areti S.p.A., it was ascertained that, as of 17 March 2022, there was no CMOR file 'in progress' in the systems of the aforementioned Company with the unlikely result of not finding, in the entire territorial area of the municipalities of Rome and Formello under the jurisdiction of this distributor, no active arrears in terms of CMOR-SI.
This violation refers to the personal data of the end customers contained within the CMOR files still present in the Areti S.p.A. systems. for a total which, at the date of the inspection of 17 March 2022, was 76,696 CMOR files (see report of 17 March 2022, Annex 4).
4.4 Violation of the retention limitation principle due to incorrect definition of the retention times of personal data.
With regard to the definition of the retention times for the data relating to the practices relating to the indemnity system, the declarations made by the Company revealed the application of single deadlines (identified as 10 years from the termination of the contract) for all types of processing relating to customer data; this not only with reference to the information contained in the 'Pratica_indennizzo_SII' and 'Storico_indennizzo' tables currently in use, but also with reference to those present in the 'Pratica_indennizzo' table which has not been updated or changed since December 2018.
In this regard, it is worth highlighting that, pursuant to art. 5, par. 1, lit. e), of the Regulation (so-called conservation limitation principle), personal data must be stored in such a way as to allow the identification of the interested party for a period of time not exceeding that necessary to achieve the purposes of the treatment. The principle of conservation, in fact, imposes on the holder the burden of evaluating the duration of the treatment in necessary correlation with the specific purposes set upstream at the time of collection; this in order to "ensure that the retention period of personal data is limited to the minimum necessary" (see cons. 39 of the Regulation).
Indeed, it is the obligation of the data controller to guarantee a "correct" duration of the processing which, otherwise, could continue beyond the achievement of the specific purposes of the same with an impact on the principles of lawfulness, correctness and transparency (Article 5 of the Regulation ).
In this regard, with particular reference to the personal data contained in the files relating to the CMOR compensation and in the light of the aforementioned regulatory framework relating to the indemnity system, the reasons connected with the application, to the treatments identified above, of the ten-year retention period starting from the date of termination of the contract envisaged in general by the internal policy of Areti S.p.A., nor was the compliance of this data retention provision with what is strictly necessary to achieve the purposes of the treatment connected to the management of the System duly justified compensation (see above, paragraph 3, letter b) of this decision).
All this considering in particular that:
• the information processed within the aforementioned System is aimed at ensuring the correct management of an event (the application of the CMOR indemnity) which concerns a limited time phase of the energy supply contract;
• the overall definition period of a file within the aforementioned System managed by AU through the SII can be approximately estimated at 12-14 months (including cases of possible cancellation or suspension pursuant to the TISIND);
• the permanence of the same, in terms of 'ongoing' CMOR practice, within the distributor's internal systems, is approximately 3-5 months from the moment of the notification of acceptance of the same, by AU, until the communication to the SII, by the distributor, of the payment of the CMOR to CSEA.
Lastly, in this regard, it should be noted that the data relating to the successful application, to a customer, of the CMOR indemnity, due to a previous arrears, constitutes personal data capable of highlighting the 'reliability' in terms of punctuality of payments by the customer and that, therefore, the methods of treatment of the same, including the identification of the relative retention times, must take into account the particular nature of the aforementioned information; this also in consideration of the impact of the related processing on the fundamental rights and freedoms of the data subject.
For all the reasons expressed above, Areti S.p.A. the violation of the art. 5, par. 1, lit. e), of the Regulation.
4.5 Methods of responding to the request to exercise rights presented by the complainant.
From the documentation acquired in the records, it emerged that the request for access to one's personal data, made by Mr. XX, on 21 August 2020 and further specified with a communication dated 28 September 2020, was confirmed by Areti S.p.A., through the Office of the Group Data Protection Officer, in a biased and inaccurate manner; this first of all with the note dated 28 August 2020, with which the Company limited itself to listing the categories of data processed - in this case "POD, Name and Surname of the holder of the supply, Supply address, Delivery address (... ), Telephone (...), Readings and Consumption, Technical data relating to the supply (power, voltage)" (see on the matter, report of 9 December 2021, All. 3 - '28 August 2020 - Areti - response vs. XX' )- without reporting the details of the personal data relating to the interested party.
Subsequently, on 7 October 2022, a further reply was provided which, although containing a list of personal data relating to the complainant, did not in any case contain any indication regarding the information relating to the CMOR attributed to the same and expressly requested by the latter ( see minutes of 9 December 2021, Annex 3 - '7 October 2020 - Acea - 3rd answer vs. XX'); information, on the other hand, contained in Areti S.p.A.'s internal systems, as verified during the inspections carried out by the Guarantor at the Company's headquarters (see report dated 9 December 2021, page 5 and report dated 10 December 2021, page 2 ).
In this regard, the claims made by the Company regarding Areti S.p.A.'s difficulties in accurately reconstructing Mr. XX's position (see above, paragraph 3, letter c) of this decision) are irrelevant, considering that, in any case, Areti S.p.A., as data controller, should have provided feedback in relation to the data subject's personal information which, although inaccurate, was nonetheless available within its own systems.
It is also worth adding that a more accurate treatment of the request to exercise the rights of the interested party could have allowed the Company to promptly detect the failure to update the data relating to the complainant, as well as to intervene autonomously in order to bring the aforementioned activities into line with the Regulation .
Dutifully stated, in the light of the above, it is established that the Company has failed to provide adequate response to the request for access formulated by the complainant pursuant to art. 15 of the Regulation, initially limiting itself to indicating only the list of mere 'categories' of information processed by the owner, and subsequently failing to report the data relating to the CMOR compensation, as expressly requested by the applicant; all this in violation of the articles 12, par. 3, and 15, of the Regulation.
4.6. Owner accountability.
From the set of violations identified above (in this case: erroneous application of the data extraction query relating to customer arrears; migration of inexact data in the 'Pratica_Indennizzo_SII' table; inadequacy of data retention times; inaccurate identification of the time period of valorisation of the information inherent to the 'CMOR-SI'; unsuitable response to the exercise of the rights of the interested party) it also emerges that the overall technical and organizational measures adopted by Areti S.p.A. in order to bring the processing into line with the Regulation, are not adequate to the nature, context, purposes and risks of the processing inferred in the dispute, configuring, for the aforementioned owner, the violation of the principle of "accountability" (Article 5, paragraph 2 and article 24 of the Regulation).
Pursuant to the aforementioned principle, in fact, the data controller is the subject to whom the "general responsibility" of the processing is attributed, thus weighing on the same the burden of implementing an organizational and management system characterized by real and effective data protection measures as well as verifiable (see also recital 74 of the Regulation); this not only through the correct and punctual preparation of the obligations imposed by the Regulation (information, register of processing activities, appointment of the data protection manager where mandatory, impact assessment where necessary, etc.), but above all through the implementation of procedures and organizational practices aimed at conforming the related treatments to the reference discipline (e.g. processes for the correct management of the data being processed; policies aimed at ensuring the accuracy of the information processed; rules for the attribution of responsibility; training programs for the staff; procedures for managing requests to exercise rights and complaints; provision of periodic internal and external audits, etc.; see Group art. 29, WP 173 of 13 July 2010 - Opinion 3/2010 on the principle of accountability, pages 11-12).
From the checks carried out during the inspections, as well as from the examination of the documentation in the deeds, on the other hand, various shortcomings emerged in the privacy policies implemented by Areti S.p.A. in the sector subject to attention, policies that appeared to be incomplete and ineffective above all in terms of guaranteeing the accuracy of the data processed (see above, paragraphs 4.1, 4.2 and 4.3 of this decision), respect for the conservation principle (see supra, paragraph 4.4 of this decision), as well as exact fulfillment of the obligations of the controller regarding the exercise of the rights of the interested parties (see above, paragraph 4.5 of this decision).
5. Conclusions: declaration of illegality of the treatment. Corrective measures pursuant to art. 58, par. 2 of the Regulation.
For the aforementioned reasons, the Authority believes that the declarations, documentation and reconstructions provided by the data controller during the investigation do not allow the findings notified by the Office to be overcome with the act of initiating the procedure and which are therefore unsuitable for ordering the filing of this proceeding, since none of the cases envisaged by art. 11 of the Regulation of the Guarantor n. 1/2019.
The processing of personal data carried out by the Company is therefore unlawful, in the overall terms indicated above, in relation to art. 5, par. 1, letters d) and e) and par. 2, to articles 12 and 15, as well as in art. 24 of the Regulation.
The violation of the aforementioned provisions entails the application of the administrative sanctions provided for by art. 83, par. 5, letters a), b), of the Regulation.
Lastly, as regards the exercise of the corrective powers pursuant to art. 58, par. 2, of the Regulation, we acknowledge the circumstance that Areti S.p.A., during the procedure:
• has undertaken to modify, by December 2022, the data extraction rule relating to the CMOR_SI, bringing it into line with the above;
• has declared its intention to proceed with the rectification of the personal information present in the Pratiche_Indennizzo_SII' table in the incorrect status of "CLOSED";
• has started a process of deleting the data present in the Company's systems in compliance with the ten-year retention terms indicated by the internal data retention policies;
• has identified, with specific reference to the processing of personal data carried out for the purposes of participation in the indemnity system, a retention term of ten years starting, not from the date of termination of the contract (as envisaged in general terms by the data retention mentioned above), but from the date of receipt of the CMOR compensation request within the systems of Areti S.p.A.
In the light of the above, therefore, it is deemed necessary to intervene, pursuant to art. 58, par. 2 of the Regulation, exclusively with reference to the violation referred to in par. 4.2 of this decision.
In fact, it is noted that the operations, correctly launched by Areti S.p.A., relating to the updating of the data contained in the files erroneously migrated in 2018 with the 'status' of 'CLOSED', must be carried out keeping track of the information relating to the event (l 'incorrect migration) and the interval between the same and the actual update of the data; this for example by affixing a note of the aforementioned circumstances (with an indication of the date, methods and reasons for the correction) in the margin of the files affected by the aforementioned problem. This annotation must be visible when searching for the file by number and by POD.
6. Adoption of the injunction order for the application of the pecuniary administrative sanction and accessory sanctions (articles 58, paragraph 2, letter i), and 83 of the Regulation; art. 166, paragraph 7, of the Code).
The Guarantor, pursuant to art. 58, par. 2, lit. i) of the Regulation and of the art. 166 of the Code, has the power to impose a pecuniary administrative sanction provided for by art. 83, par. 5, of the Regulation, through the adoption of an injunction order (art. 18. Law 24 November 1981 n. 689), in relation to the processing of personal data referring to the complainant, the illegality of which has been ascertained, within the terms exposed above.
Considering it necessary to apply paragraph 3 of the art. 83 of the Regulation where it provides that "if, in relation to the same treatment or to connected treatments, a data controller [...] violates, with malice or negligence, various provisions of this regulation, the total amount of the pecuniary administrative sanction does not exceed the amount specified for the most serious violation”, the total amount of the fine is calculated so as not to exceed the maximum prescribed by the same art. 83, par. 5.
With reference to the elements listed by art. 83, par. 2 of the Regulation for the purposes of applying the pecuniary administrative sanction and the relative quantification, taking into account that the sanction must be "in each individual case effective, proportionate and dissuasive" (Article 83, paragraph 1 of the Regulation), it is represented that , in the hypothesis in question, the following circumstances were taken into consideration:
a) the significant seriousness of the violation (Article 83, paragraph 2, letter a) of the Regulation), in relation to the nature -concerning the non-compliance with the principles of treatment-, to the methods -incorrect management of information processing processes - and the duration - quantifiable in about five years - of the same. To this end, the characteristics of the processing in terms of nature, object and purpose of the same were also considered, as well as the high number of interested parties involved and the type of damage suffered by them. All this recognized that:
• the violations ascertained involved several thousand interested parties and more specifically: 16,743 interested parties with reference to the incorrect configuration of the extraction query (see above, paragraph 4.1 of this decision); 16,186 natural persons regarding the migration operations of incorrect data in the 'Pratica_Indennizzo_SII' table (see par. 4.2 of this decision);
• the disputed transactions pertain to the core business of the business carried out by the owner (the activity of distributing energy);
• the violations that emerged resulted in the complainant not only suffering damage directly connected to the processing of inaccurate and outdated personal data, but also the impossibility, which occurred several times in the case in question, to switch to another energy supplier in the free market (see above, paragraph 4.1 of this decision); all this has led to the consequent loss for the same, in terms of potential savings on the price of energy, of the advantages deriving from the liberalization of the energy market. The same negative effects could also have occurred with respect to the other 16,743 customers of Areti S.p.A. subject to unlawful processing (see above, paragraph 4.1 of this decision);
b) the significant degree of responsibility of the controller (Article 83, paragraph 2, letters b) and d), of the Regulation) with specific reference to the failure to adopt technical and organizational measures aimed at ensuring the processing of accurate and up-to-date personal data . In this regard, particular account is taken of the fact that the technical errors underlying the aforesaid violations generally concerned the methods used by the Company for managing the compensation system (extraction of information from the tables created for this purpose; operations of migration of the same from one database to another, etc.). The aforesaid errors, therefore, far from constituting sporadic and isolated episodes of misalignment of single individual positions, have on the other hand highlighted systemic deficiencies of the entire management process, by Areti S.p.A., of the practices pertaining to the indemnity system, with consequent prejudice in terms of compliance with the Regulation of the related processing of personal data;
c) the type of information subject to the violation (art. 83, paragraph 2, letter g) of the Regulation) which, although not included in the context of particular data, are still to be considered delicate as they are capable of highlighting 'the' reliability in terms of punctuality of customer payments; this also taking into account the possible economic and social consequences that may derive, for the interested parties, from their unlawful treatment;
d) the adoption, by the data controller, of measures aimed at mitigating or eliminating the consequences of the violation (Article 83, paragraph 2, letter c) of the Regulation). In this regard, the circumstance that Areti S.p.A. has promptly adopted, once it has become aware of the violation, measures aimed at mitigating the effects of the unlawful processing, at the same time launching an intense activity to raise the levels of compliance with the Regulation; in particular, reference is made to: the updating of the data extraction query, in line with the reconstruction carried out by the Authority; the initiation of the deletion of personal data present within the Company's systems in line with the data retention policy; the identification of a ten-year conservation term specifically referring to personal data processed in the context of practices relating to the indemnity system; the programming of staff training activities as well as in-depth meetings for individual topics; the start of an intervention to correct the records that show the status of 'CLOSED' in the 'SII Compensation Practices' table; the definition of a specific email address dedicated to the exercise of the rights of the interested parties; the definition of procedures aimed at certifying data migration operations even if outsourced to a data controller (see above, paragraph 3 of this decision);
e) the fact that the Company has actively cooperated with the Authority during the proceeding (article 83, paragraph 2, letter f) of the Regulation), as well as the fact that there are no previous violations committed by the data controller or previous provisions pursuant to art. 58 of the Regulation (art. 83, paragraph 2, letter e) of the Regulation).
Furthermore, it is believed that they assume relevance, in the present case, in consideration of the aforementioned principles of effectiveness, proportionality and dissuasiveness with which the Authority must comply in determining the amount of the fine (Article 83, paragraph 1, of the Regulation ), the economic conditions of the infringer, determined on the basis of the Company's turnover, referred to the financial statements for the year 2021 (latest available). To this end, with regard to the identification of the revenues therein achieved by Areti S.p.A., we acknowledge what it has declared regarding the "pass-through" balance sheet items for which the Company collects and then transfers, without withholding any margin, to other operators in the electricity sector" as well as "chargebacks of costs incurred, or reimbursements, or intercompany items" (see note by Areti S.p.A. of 17 October 2022, page 2; see also paragraph 3 of this provision).
It should also be noted that the conduct in question is part of an activity - participation in the Indemnity System - carried out by Areti S.p.A. as a public service concessionaire on the basis of a significantly complex and constantly updated regulatory framework.
Based on all the elements set out above, evaluated as a whole, it is deemed appropriate to determine the amount of the pecuniary sanction in the amount of Euro 1,000,000 (one million) for the violation of art. 5, par. 1, lit. a), letter. b), lett. c) and lett. e) and of the art. 10 of the Regulation, as well as art. 2-octies of the Code.
In this context, also in consideration of the type of violation ascertained, which concerned the principles of protection of personal data, as well as the large number of interested parties involved by the same, it is noted, pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/2019, of having to proceed with the publication of this provision on the website of the Guarantor.
Finally, it is believed that the conditions set forth in art. 17 of regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
ALL THAT BEING CONSIDERED, THE GUARANTOR
notes, pursuant to articles 57, par. 1, lit. f) and 83, of the Regulation, the illegality of the processing carried out by Areti S.p.A., with registered office in Rome, VAT number 05816611007, in the terms referred to in the justification, for the violation of art. 5, par. 1, letters d) and e) and par. 2, of the articles 12 and 15, as well as art. 24 of the Regulation;
believes that the conditions set forth in art. 17 of Regulation no. 1/2019 concerning internal procedures having external relevance, aimed at carrying out the tasks and exercising the powers delegated to the Guarantor.
ORDER
pursuant to art. 58, par. 2, lit. i) of the Regulation to the same Areti S.p.A, to pay the sum of Euro 1,000,000 (one million) as a pecuniary administrative sanction for the violations indicated in this provision.
ENJOYS
a) pursuant to art. 58, par. 2, lit. g) of the Regulation, the Company to update, within six months of notification of this decision, the personal data contained in the 'Pratiche_Indennizzo_SII' table subject to erroneous migration, proceeding at the same time to note the circumstance inherent to the aforementioned migration in the terms identified in motivation;
b) pursuant to art. 58, par. 2, lit. i) of the Regulations, to the Company to pay the aforementioned sum of 1,000,000 (one million) euros, according to the methods indicated in the attachment, within 30 days of notification of this provision, under penalty of adopting the consequent executive acts pursuant to art. 27 of the law n. 689/1981. It is represented that pursuant to art. 166, paragraph 8 of the Code, without prejudice to the offender's right to settle the dispute by paying - always according to the methods indicated in the attachment - an amount equal to half of the fine imposed within the term referred to in art. 10, paragraph 3, of Legislative Decree lgs. no. 150 of 1 September 2011 envisaged for the filing of the appeal as indicated below.
HAS
the publication of this provision on the Guarantor's website pursuant to art. 166, paragraph 7, of the Code and of the art. 16, paragraph 1, of the Guarantor's regulation n. 1/20129.
Pursuant to 157 of the Code, it requests Areti S.p.A. to communicate what initiatives have been undertaken in order to implement the provisions of this provision and in any case to provide adequately documented feedback, within the term of 6 months from the date of notification of this decision; any failure to reply may result in the application of the pecuniary administrative sanction provided for by art. 83, par. 5, letter. e) of the Regulation.
Pursuant to art. 78 of the Regulation, as well as articles 152 of the Code and 10 of Legislative Decree no. 150/2011, opposition to the ordinary judicial authority may be lodged against this provision, with an appeal lodged with the ordinary court of the place identified in the same art. 10, within the term of thirty days from the date of communication of the measure itself, or sixty days if the appellant resides abroad.
Rome, 24 November 2022
PRESIDENT
Station
THE SPEAKER
Cerrina Feroni
THE SECRETARY GENERAL
Matthew