European Data Protection Board logo
Close menu

Inadequate security measures: Italian Supervisory Authority sanctions Aimag

  • National News

Background information

  • Date of final decision: 27 November 2025
  • National case
  • Controller: Aimag Spa
    Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 7 (Conditions for consent), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 13 (Information to be provided where personal data are collected from the data subject), Article 21 (Right to object)
  • Decision: administrative fine,  compliance order,  erasure order 
  • Key words: administrative fine, principles relating to processing of personal data, consent, transparency, right to object, data retention, direct marketing, exercise of data subject rights

Summary of the Decision

Origin of the case  

In a report, a data subject complained about the lack of security measures to verify the identity of users registering in the customer area of the company's website, which is used to view bills and energy consumption history.

Key Findings

During the investigation, the Italian Supervisory Authority (SA) found that anyone could register in the customer's name by entering his tax code and any email address, illegally accessing other personal information, including home address and telephone number. 

Among the multiple violations that came to light, the Italian SA found that the company processed personal data for marketing purposes without a valid legal basis and without providing adequate information. 

Investigation also revealed that at the bottom of the registration form, there were three consent boxes already pre-checked with ‘YES’, related to privacy policy, the use of data for advertisement purposes, and processing for customer satisfaction. 
This processing was also carried out in breach of the principle of storage limitation.

Decision

Given the seriousness of the violations, which continued even during the investigation phase, and the large number of individuals involved, the Italian SA imposed a fine of 300 000 EUR on the company.

For further information: Misure di sicurezza inadeguate, Garante privacy sanziona Aimag  
 

Relevant topics
Fines
Data subject rights
Marketing

Latest news

  • EDPB News

One-Stop-Shop case digest on right to object and right to erasure updated

  • EDPB News

Supporting GDPR consistency: EDPB launches dedicated form

  • EDPB News

EDPB gets a new look: discover the new website and brand identity

Všetky novinky