€1 million fine imposed by CNIL on an energy company for several GDPR violations related to data subject’s rights and transparency obligations.
After receiving several complaints regarding the difficulties encountered by users in having their requests for access to their data and opposition to receiving calls for the purposes of direct marketing fulfilled by TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE (TotalEnergies), CNIL has hit the French energy producer and supplier with a fine of €1 million. The French authority also decided to make this decision public. According to this report from CNIL,
CNIL’s investigation revealed several GDPR infractions by TotalEnergies.
The investigation by CNIL revealed several infractions by the company. These include failure to allow individuals to object to commercial prospecting, failure to provide information and respect the exercise of rights, as well as failure to comply with the obligation to inform individuals solicited (article 14 of the GDPR). In addition, a form presented to users on the company’s website prompted a subscription to an energy contract in which users acknowledged that they agreed to the use of their personal data to receive commercial offers in the future, with no possibility to object. Users, when filling out this form, had no ability to decline the reuse of their data for the purposes of commercial canvassing for similar products and services. This violates article L. 34-5 of the French Post and Electronic Communications Code or CPCE.
There was essential information regarding the processing of users data, which has also not been communicated to the relevant persons, who in addition to this, were unable to access more information. The company also violated article 15 of the GDPR by failing to respect the right of access of users to their data. In addition the company’s failure to comply with users’ requests to access their personal data and to stop receiving prospecting calls from commercial entities, was a violation of article 21 of the GDPR. This company also failed to respond to those requests to exercise rights within one month as provided for the GDPR.
CNIL decided on a total fine of €1 million on TotalEnergies for these infractions.
In deciding the amount of this fine, the CNIL took into account the various breaches identified as well as any measures taken by the company during the procedure to come into compliance. The authorities settled on a fine of €1 million for failing to comply with its obligations regarding commercial prospecting and personal rights. In addition, CNIL decided to make this decision public.