France’s data protection authority, the CNIL, sanctioned the company EDF with a fine of 600,000 euros, in particular for data security violations and for not having respected its obligations in terms of commercial prospecting and the rights of individuals.

The sanction came after the CNIL has received several complaints regarding the difficulties encountered by people in having their rights taken into account by EDF, which is the first electricity supplier in France. The CNIL’s fine was based on three core violations of the GDPR.

– EDF failed to demonstrate to the CNIL that it had obtained prior valid consent from the individuals as part of its commercial prospecting campaign by electronic means (Article 7 of the GDPR).

– The sanction decision also highlighted the breaches of the obligation to inform (Articles 13 and 14 of the GDPR) and to respect the exercise of rights (Articles 12, 15 and 21 of the GDPR). Accordingly, it was noted that the personal data protection statement appeared on EDF’s website did not specify the legal basis corresponding to each case of data use and was not clear on the duration of storage, and that the source of the data was not clearly indicated. Moreover, the CNIL stated that EDF failed to respond to certain complaints within the one-month period provided for by the texts, individuals were given inaccurate information on the source of data collected and thus their right of access to data was not respected, and that EDF did not consider the individuals’ right to object to receive commercial prospecting.

– The violations lastly included failing to ensure the security of personal data (Article 32 of the GDPR). It was found that the passwords for accessing the customer portal to receive an energy bonus for more than 25,000 accounts were stored in an unsecured manner until July 2022, and that the passwords were only hashed, without having been salted (addition of random characters before the hash to avoid finding a password by comparing hashes) which put them at risk.

In deciding the amount of the fine, the CNIL regarded the breaches identified, as well as the cooperation of the company and all the measures it took during the procedure to reach compliance on all alleged breaches with it was charged.

How does your organisation secure the processing of personal data or handle data subject rights? Contact us, experts in data privacy, if you want to learn more via: