French electric company EDF was fined by the CNIL for commercial prospecting and other GDPR violations.
The French electric company EDF has recently been fined a total of €600,000 after being found to have committed several GDPR violations. According to the CNIL's report, the company carried out commercial prospecting without first obtaining consent and neglected to inform individuals of the legal basis for the collection of their data. In addition, the company failed to respond to complaints within the allotted time frame and neglected to adequately secure customers' personal data. These actions breached the company's obligations not only under the GDPR but also under the French Postal and Electronic Communications Code. CNIL resolved to fine the company and to make its decision public.
EDF was unable to demonstrate to CNIL that it had obtained prior consent from individuals for commercial prospecting.
EDF carried out an electronic prospecting campaign between 2020 and 2021. CNIL opened an investigation after receiving several complaints from individuals who had experienced difficulty in having their rights considered by the company. During that investigation, EDF provided CNIL with two examples of a standard prospect data collection form supplied by a data broker. CNIL found that the measures EDF had put in place to secure valid consent from individuals were insufficient. The company also admitted that it neither verified the consent forms nor audited the data brokers. This amounted to a violation of both Article L. 34-5 of the French Postal and Electronic Communications Code and Article 7 of the GDPR.
Verifications revealed further GDPR breaches by EDF, which increased the amount the electric company was fined by CNIL.
Upon further investigation of the electric company, CNIL discovered that the personal data protection charter displayed on the company's website did not specify the legal basis for each use of data and was unclear about data retention periods, a breach of Article 13 of the GDPR. In addition, the company did not respond to certain complaints from individuals within the time frame prescribed by the GDPR. CNIL further found that the company provided inaccurate information on the origin of the data it collected and did not take into account individuals' objections to receiving commercial prospecting, in violation of Articles 15 and 21 of the GDPR. Customers were also exposed to risk because passwords were stored in an unsecured manner, a violation of Article 32 of the GDPR. All of these violations were taken into account in the sanction imposed on the company.