Inadequate security measures: Italian Supervisory Authority sanctions Aimag
Background information
- Date of final decision: 27 November 2025
- National case
- Controller: Aimag Spa
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 7 (Conditions for consent), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 21 (Right to object)
- Decision: administrative fine, compliance order, erasure order
- Key words: administrative fine, principles relating to processing of personal data, consent, transparency, right to object, data retention, direct marketing, exercise of data subject rights
Summary of the Decision
Origin of the case
In a report, a data subject complained about the lack of security measures to verify the identity of users registering in the customer area of the company's website, which is used to view bills and energy consumption history.
Key Findings
During the investigation, the Italian Supervisory Authority (SA) found that anyone could register in a customer's name by entering that customer's tax code and any email address, thereby illegally accessing other personal information, including home address and telephone number.
Among the multiple violations that came to light, the Italian SA found that the company processed personal data for marketing purposes without a valid legal basis and without providing adequate information.
The investigation also revealed that at the bottom of the registration form there were three consent boxes already pre-checked with ‘YES’, relating to the privacy policy, the use of data for advertising purposes, and processing for customer satisfaction.
This processing was also carried out in breach of the principle of storage limitation.
Decision
Given the seriousness of the violations, which continued even during the investigation phase, and the large number of individuals involved, the Italian SA imposed a fine of 300 000 EUR on the company.
For further information: Misure di sicurezza inadeguate, Garante privacy sanziona Aimag