Italy’s data protection authority, known as the Garante per la protezione dei dati personali, has issued a €2 million administrative fine against Acea Energia S.p.A., one of the country’s leading energy suppliers. The penalty addresses multiple breaches of the European Union’s General Data Protection Regulation (GDPR) that impacted the personal information of more than 1,200 customers involved in electricity and natural gas supply agreements.
The case originated from a wave of consumer complaints received by the Garante. Affected individuals reported discovering new energy contracts activated in their names without ever having contacted Acea Energia or given any form of consent. Many only became aware of the situation when they received unexpected activation letters, welcome packages, or invoices demanding payment for services they had never requested. In several instances, complainants described aggressive or deceptive practices carried out by door-to-door sales agents working on behalf of Acea Energia or its commercial partners.
After conducting a thorough investigation, which included unannounced on-site inspections at Acea’s premises, the Garante concluded that the company had failed to put in place sufficient technical and organisational safeguards. These measures should have ensured proper oversight of the external sales network, including the subcontractors and individual agents responsible for acquiring new customers. Investigators found evidence that agents had photographed identity documents using mobile devices, captured sensitive personal details without authorisation, and in some cases forged customer signatures to complete contract activations fraudulently.
The authority criticised Acea Energia’s existing verification procedures, which mainly consisted of outbound telephone calls intended to confirm customer consent after the initial sales contact. According to the Garante, this reactive approach proved inadequate to detect and prevent systematic abuse within the sales chain. The decision also noted additional GDPR infringements: several complainants experienced significant delays – or received no reply at all – when they exercised fundamental data subject rights, such as the right to access their personal data, the right to rectification, or the right to erasure (the so-called “right to be forgotten”).
In its formal ruling, identified as Doc-Web no. 10229452 and dated March 10, 2026, the Garante not only imposed the €2 million fine but also mandated a series of corrective actions. Acea Energia must now introduce real-time alert mechanisms capable of flagging deviations from agreed sales protocols, carry out regular audits to verify the accuracy and lawfulness of customer data collected in the field, and define precise time limits for the retention of personal information gathered during commercial interactions. These obligations aim to reduce the risk of future unauthorised processing and to strengthen accountability throughout the company’s commercial network.
This enforcement action fits into a wider pattern of regulatory scrutiny directed at Italy’s liberalised energy market. Since the full opening of the retail electricity and gas sectors, door-to-door and telesales channels have become major sources of consumer complaints. Regulators and consumer associations frequently highlight cases in which vulnerable individuals – including elderly people or non-native speakers – are particularly exposed to misleading or high-pressure sales techniques. Privacy violations often occur alongside unfair commercial practices, creating a dual layer of harm for victims who face both unwanted contracts and unauthorised use of their personal data.
The Garante has repeatedly emphasised that companies operating in high-volume, consumer-facing sectors bear a heightened duty of care. Energy providers, telecommunications operators, and similar businesses are expected to design their commercial processes in a way that minimises the possibility of data misuse from the outset, rather than relying on after-the-fact controls. In recent years the authority has applied progressively larger fines and more detailed remedial orders in an effort to drive genuine cultural and operational change within these industries.
Acea Energia has not yet released an official statement responding to the decision. Industry observers expect the company may choose to accept the fine and implement the required changes rather than pursue a lengthy appeal before the administrative courts, a path that has been followed – with mixed results – by other sanctioned utilities in the past.
The ruling serves as a reminder that GDPR compliance remains a priority for Italian regulators, especially in sectors where personal data is routinely collected through physical or remote sales interactions. As the energy transition accelerates and new digital tools enter the market, the Garante is likely to maintain a close watch over how companies balance commercial growth with robust protection of individual privacy rights.
For the complete official press release and full text of the decision (in Italian), refer to the Garante’s website at: https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/10229452