Axpo Italia, a producer and trader of renewable energy products, was penalized under the General Data Protection Regulation (GDPR) by the Italian data protection authority (Garante) for processing inaccurate and outdated personal data of customers.

Garante assessed a fine of 10 million euros (then-U.S. $10.5 million) against Axpo on Sept. 28. The penalty was announced in an Oct. 23 newsletter. The company said in an emailed statement to Compliance Week on Nov. 1 that it cooperated with the regulator’s investigation and reserved the right to potentially appeal the ruling.

The details: Garante said it received complaints from customers about the activation of Axpo electricity and gas contracts registered in their name without their knowledge. The customers became aware of the accounts after receiving closure letters from previous suppliers or payment reminders of unpaid invoices, according to the regulator’s translated newsletter.

Garante said its investigation found Axpo “acquired new contracts for the supply of electricity and gas through a network of approximately 280 sellers (agents and subagents) door to door, without having equipped itself with suitable tools and procedures to be certain that the data entered by the sellers into their database actually corresponded to the real users of the utilities. … These shortcomings have resulted in the acquisition of unsolicited contracts, often filled with inaccurate and out-of-date personal data.”

The regulator said the company unlawfully processed the personal data of more than 5,000 users. Axpo violated Articles 5(1)(a), 5(1)(d), 5(2), and 24 of the GDPR, according to Garante.

Compliance considerations: In addition to the penalty, Garante ordered Axpo to adopt corrective measures to ensure contracts acquired through its seller network have verified information.

The company must introduce an alert system for detecting misconduct in the acquisition of potential customer data by sellers, implement mechanisms to verify the receipt of communications sent to customers during the contracting phase, and strengthen its audit activities regarding the work of its agents.

Garante noted Axpo already acted to address some of the problem areas, including through awareness and training and privacy audits of its agents.

Company response: “As acknowledged by the authority itself, the company had already implemented measures to limit and rectify the issues addressed in the provision,” said Axpo in its emailed statement. “Axpo Italia continues its ongoing efforts to enhance its operations on the national territory, reaffirming its commitment to transparency and the improvement of its services to ensure customer protection and the security of their personal data.”