Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Italy: Garante fines Axpo Italia €10M for concluding unsolicited contracts containing incorrect personal data

The Italian data protection authority (Garante) announced, on October 23, 2023, in its newsletter, its decision No. 427, as issued on September 28, 2023, in which it imposed a fine of €10 million on Axpo Italia S.p.A., for violations of the General Data Protection Regulation (GDPR), following multiple complaints from individuals.

Background to the decision

The Garante explained that the complaints had reported the processing of inaccurate and outdated personal data of customers and prospects by Axpo Italia, in the context of the supply of electricity and gas, through the conclusion of unsolicited contracts. Specifically, the complainants highlighted to the Garante that they had learned about the new contracts with Axpo Italia only upon receiving a termination letter from the previous energy supplier, the first bills from Axpo Italia, or communications aimed at soliciting payment of outstanding bills. 

Findings of the Garante

At the end of its investigation, the Garante found that Axpo Italia acquired new contracts for the supply of electricity and gas through a network of approximately 280 salesmen (agents and sub-agents), without having appropriate tools and procedures in place to ensure that the data entered by the salesmen in its database corresponded to the real users of the utilities. According to the Garante, these shortcomings led to the conclusion of unsolicited contracts, which were often filled in with inaccurate and outdated personal data. 

Moreover, the Garante found that Axpo Italia's database contained 2,462 contract proposals in which the same email address of the potential customer was repeated more than five times.

As such, the Garante determined that Axpo Italia had violated Articles 5(1)(a), 5(1)(d), 5(2), and 24 of the GDPR. Taking into account, among other factors, the seriousness of the violations, the duration of the unlawful processing activities (about one year and six months), and the number of individuals affected (more than 5,000), the Garante decided to impose on Axpo Italia a fine of €10 million.


In conclusion, the Garante imposed on Axpo Italia the aforementioned fine and ordered the company to adopt a series of corrective measures, including:

  • the use of a blocking system to verify the accuracy of contracts acquired through the salespersons' network;
  • the introduction of alert systems suitable for detecting any improper and/or fraudulent behavior in the acquisition of potential customers' data by salespersons;
  • the implementation of mechanisms to ascertain the actual receipt of communications transmitted to the customer during the contracting phase; and
  • the adoption of procedural rules aimed at strengthening audit activities against the work of agencies.

Moreover, the Garante ordered the halt of any further processing activities of personal data of customers whose contracts were terminated as a result of complaints about unsolicited service activations.

You can read the newsletter here and the decision here, both only available in Italian.