Password security, commercial prospecting: EDF fined €600,000


The National Commission for Computing and Liberties (Cnil) has ordered EDF to pay €600,000, a decision announced in a press release this Tuesday, November 29. The electricity supplier is accused of having failed in several of its obligations, in particular with regard to commercial prospecting and the security of personal data.

Commercial prospecting without consent

The Cnil had looked into EDF's case after reports from several individuals. The authority conducted its investigation, with checks within the group carried out over several months. The amount of the fine was set “with regard to the shortcomings identified, as well as taking into account the cooperation of the company and all the measures it took during the procedure to bring itself into compliance on all the shortcomings of which it was accused.”

Electricité de France is notably accused of having violated several provisions of the General Data Protection Regulation (GDPR, RGPD in French) and the French Postal and Electronic Communications Code (CPCE). The company canvassed consumers without first obtaining their consent during a prospecting campaign in 2020 and 2021. In addition, when asked by a Cnil inspector, EDF was unable to provide the “list of partners receiving the [collected] data”. Keeping this list up to date is a legal obligation.

Wrong information

At the same time, EDF reportedly failed to keep its commitments on informing individuals. The “personal data protection charter” present on the website at the time was deemed imprecise and non-compliant with the GDPR. In addition, the Data Protection Officer (DPO) did not respond in time to several requests from complainants. As a reminder, the response time is set at one month by law.


Inaccurate answers were reportedly sent to people who had requested access to their data. Worse still, EDF did not “take into account objections to receiving commercial prospecting.”

Passwords stored in the clear

More worryingly, during its investigations the Cnil found serious shortcomings in the security of personal data storage. The passwords of more than 25,000 accounts on the “premium energy” customer portal were stored in an unencrypted database. No form of encryption was used.

If the system were to be hacked, the data could very easily be used by an attacker. Storing this information in plain text also makes the passwords readily usable by anyone within the company who has access to the database. Changes have reportedly been made since July 2022.

The EDF customer space database had the same problem, with a few subtleties. The passwords of 2.4 million accounts were stored using an insecure hashing procedure. Specifically, the data had not been salted by “adding random characters before hashing.” The passwords could therefore easily be recovered by comparison. These are serious security failings for a European group of this size.
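To make the two failings described above concrete (passwords stored without any protection, and passwords hashed without a salt so that equal passwords yield equal digests that can be matched against a precomputed table), here is an added example that is not part of the article and not EDF's code. It contrasts an unsalted SHA-256 scheme with a per-user salted, slow PBKDF2-HMAC-SHA256 scheme; the user names, passwords and the small "common password" table are constructed for the example, and the 600,000 iteration count is an assumption taken from current OWASP guidance rather than from the page.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the article): two users chose the same
# weak password, and a tiny precomputed table of common passwords.
COMMON_PASSWORDS = ["123456", "password", "motdepasse", "edf2020"]
USERS = {"alice": "motdepasse", "bob": "motdepasse", "carol": "Tr0ub4dor&3"}

# Assumed work factor for PBKDF2-HMAC-SHA256 (OWASP recommendation, not from the page).
ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """Weak scheme: a plain, unsalted hash. Equal passwords give equal digests,
    and one precomputed table serves against every stored hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def recover_by_comparison(stored: Dict[str, str]) -> Dict[str, str]:
    """Why unsalted hashes are 'found by comparison': build the table of common
    passwords once, then look each stored digest up in it."""
    table = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def salted_pbkdf2(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: a fresh random salt per user plus a slow key derivation.
    Returns (salt, digest); both are stored, and the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo() -> Tuple[Dict[str, str], bool, bool, bool]:
    """Run both schemes over the sample users and return what a reviewer would check."""
    # Unsalted store: alice and bob share a digest, and both fall to the table.
    weak_store = {u: unsalted_sha256(p) for u, p in USERS.items()}
    found = recover_by_comparison(weak_store)

    # Salted store: same password, different digests; verification still works.
    strong_store = {u: salted_pbkdf2(p) for u, p in USERS.items()}
    same_digest = strong_store["alice"][1] == strong_store["bob"][1]
    alice_ok = verify_pbkdf2("motdepasse", *strong_store["alice"])
    alice_bad = verify_pbkdf2("wrong-password", *strong_store["alice"])
    return found, same_digest, alice_ok, alice_bad


if __name__ == "__main__":
    found, same_digest, alice_ok, alice_bad = demo()
    print("recovered from unsalted store:", found)
    print("salted digests identical for alice/bob:", same_digest)
    print("alice verifies with correct password:", alice_ok)
    print("alice verifies with wrong password:", alice_bad)
```

The point of the contrast is that a salt does not make an individual password stronger; it only forces an attacker who obtains the database to attack each account separately instead of comparing every stored digest against one table. The slow key derivation then makes each of those separate attempts expensive, which is why plain SHA-256, even salted, is not an adequate password store.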


