Commercial prospecting without consent: EDF fined 600,000 euros by the CNIL


The CNIL has just announced that it has fined EDF 600,000 euros for offenses relating to personal data and commercial prospecting.

Having received several complaints, the authority “considered that the company had breached several obligations provided for by the General Data Protection Regulation (GDPR) and the Postal and Electronic Communications Code (CPCE)”.

According to the CNIL, the amount of the fine takes “into account the cooperation of the company and all the measures it has taken during the procedure to bring itself into compliance with all the breaches of which it was accused”.

The question of the valid consent of the recipients of a commercial prospecting campaign

In particular, the leading electricity supplier in France was unable to prove that it had obtained the prior valid consent of the recipients of a commercial prospecting campaign by electronic means carried out between 2020 and 2021.

“During the checks, the company provided the CNIL with two examples of standard forms for collecting data from prospects made available to it by a data broker. However, it was not able to communicate to the CNIL the list of partners receiving the data, whereas such a list must be made available to people when giving their consent”, indicates the Commission.

EDF also failed in its obligation to inform people about the use of personal data on its website and did not respond in time to people wishing to exercise their right of access or their right to object to the use of their data.

“No verification on consent collection forms”

“The company acknowledged that on the date of the checks, it did not carry out any checks on the consent collection forms used and that it did not carry out audits on data brokers”, says the Commission on this subject. Finally, the CNIL's restricted committee sanctioned a failure to secure passwords, which can create risks for Internet users in the event of hacking.

This announcement is part of a series of sanctions made public by the CNIL. Last September, the Infogreffe service was fined 250,000 euros by the CNIL. Its fault? Having breached several obligations of the GDPR in terms of retention period and security of personal data.

And the CNIL also wants to move forward on health data and the GDPR. On November 16, the commission announced that it was calling for a law to specify the conditions under which supplementary health insurance organizations can collect the health data of policyholders in compliance with the GDPR and medical secrecy.




