Commercial prospecting and personal rights: TOTALENERGIES fined 1 million euros
The CNIL has issued an administrative fine of 1 million euros on TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE, notably for failing to comply with its obligations regarding commercial prospecting and personal rights.
The CNIL has received several complaints concerning the difficulties encountered by individuals in having their requests for access to their data and opposition to receiving calls for the purposes of direct marketing taken into account by the French energy producer and supplier, TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE.
On the basis of the findings made during the investigations, the restricted committee - the CNIL's body in charge of imposing sanctions - issued a fine of 1 million euros against TOTALENERGIES ÉLECTRICITÉ ET GAZ FRANCE and decided to make it public.
The amount of this fine was decided in the light of the breaches identified as well as all the measures taken by the company during the procedure to bring itself into compliance.
Failure to allow individuals to object to commercial prospecting
The company offered on its website a form for subscribing to an energy contract in which the user acknowledged that they agreed to the use of their personal data in order to receive commercial offers at a later date, without having the possibility to object.
By filling in this form, the user therefore had no means of objecting to the re-use of their data for the purposes of commercial canvassing for similar products or services, which is contrary to the regulations (article L. 34-5 of the French Post and Electronic Communications Code or CPCE).
Failure to provide information and respect the exercise of rights
The verifications carried out by the CNIL also revealed four other violations which were included in the penalty decision:
- A failure to comply with the obligation to inform individuals solicited (article 14 of the GDPR). The essential information concerning the processing of their data was not communicated to the contacted persons, who were also not able to access more information, for example by pressing a button on their telephone keypad.
- A failure to respect the right of access to data (article 15 GDPR) and the right to object of data subjects (article 21 GDPR). The company did not comply with the complainants' requests to access their personal data and to stop receiving commercial prospecting calls.
- A failure to comply with the obligations relating to the modalities for exercising rights (Article 12 of the GDPR). The company did not respond to requests to exercise rights within the one-month period provided for in the texts.