Blog details

CNIL imposes €1 million fine for several infractions related to data subject’s rights and transparency obligations

CNIL imposes €1 million fine for several infractions related to data subject’s rights and transparency obligations

€1 million fine imposed by CNIL on an energy company for several GDPR violations related to data subject’s rights and transparency obligations. 


After receiving several complaints regarding the difficulties encountered by users in having their requests for access to their data and opposition to receiving calls for the purposes of direct marketing fulfilled by TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE (TotalEnergies), CNIL has hit the French energy producer and supplier with a fine of €1 million. The French authority also decided to make this decision public. According to this report from CNIL


CNIL’s investigation revealed several GDPR infractions by  TotalEnergies.


The investigation by CNIL revealed several infractions by the company. These include failure to allow individuals to object to commercial prospecting, failure to provide information and respect the exercise of rights, as well as failure to comply with the obligation to inform individuals solicited (article 14 of the GDPR). In addition, a form presented to users on the company’s website prompted a subscription to an energy contract in which users acknowledged that they agreed to the use of their personal data to receive commercial offers in the future, with no possibility to object. Users, when filling out this form, had no ability to decline the reuse of their data for the purposes of commercial canvassing for similar products and services. This violates article L. 34-5 of the French Post and Electronic Communications Code or CPCE. 


There was essential information regarding the processing of users data, which has also not been communicated to the relevant persons, who in addition to this, were unable to access more information. The company also violated article 15 of the GDPR by failing to respect the right of access of users  to their data. In addition the company’s failure to comply with users’ requests to access their personal data and to stop receiving prospecting calls from commercial entities, was a violation of article 21 of the GDPR. This company also failed to respond to those requests to exercise rights within one month as provided for the GDPR.


CNIL decided on a total fine of €1 million on TotalEnergies for these infractions.


In deciding the amount of this fine, the CNIL took into account the various breaches identified as well as any  measures taken by the company during the procedure to come into compliance. The authorities settled on a fine of €1 million for failing to comply with its obligations regarding commercial prospecting and personal rights. In addition, CNIL decided to make this decision public.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Prev post
Conforme a la autoridad de control de Polonia, se requiere una base legal para audio vigilancia.
July 12, 2022
Next post
La CNIL impone una multa de 1 millón de euros por infracciones relacionadas con los derechos de los interesados y las obligaciones de transparencia
July 14, 2022

Leave a Comment