Commercial prospecting and rights of individuals: EDF fined 600 000 euros


On 24 November 2022, the CNIL issued an administrative fine of 600 000 euros against the company EDF, in particular because it didn't respect its obligations regarding commercial prospecting and rights of individuals.

Background information

The CNIL has received many complaints regarding difficulties encountered by individuals in having their rights considered by the company EDF, which is the first electric utility in France.

Based on findings from investigations carried out, the restricted committee – body responsible for imposing sanctions – considered that the company failed to comply with its obligations provided for by the General Data Protection Regulation (GDPR) and the French Postal and Electronic Communications Code. It imposed a fine of 600 000 euros on EDF and made it public.

The amount of the fine was decided considering the breaches observed and the cooperation by the company and all the measures it has taken during the proceedings to reach compliance with all alleged breaches.

Breaches sanctioned

Breach of the obligation to collect consent of individuals to receive commercial prospecting by e-mail (Articles L. 34-5 of the French Postal and Electronic Communications Code and 7 of the GDPR)

Between 2020 and 2021, EDF carried out a commercial prospecting campaign by electronic means. However, it was not able to demonstrate to the CNIL that it had obtained prior valid consent from the individuals.

During the investigations, the company provided the CNIL with two examples of a standard prospect data collection form provided by a data broker. However, the company was not able to provide the CNIL with a list of the partners to whom the data would be sent, even though such a list must be made available to individuals when they give their consent.

Finally, the measures implemented by EDF with its data brokers to ensure that consent was validly given by individuals before being solicited were insufficient. Indeed, the company admitted that, at the time of the investigations, it did not verify the consent forms used and that it did not conduct any audits of the data brokers.

Breaches of the obligations of information (Articles 13 and 14 of the GDPR) and to respect the exercise of rights (Articles 13 and 14 of the GDPR)

Verifications carried out by the CNIL also allowed to reveal other breaches observed in the sanction decision:

  • Breach of the obligation to inform individuals: the personal data protection charter displayed on the company's website did not specify the legal basis for each case of data use and was unclear about the data retention periods (Article 13 of the GDPR). Moreover, in the first commercial prospecting letter sent by EDF to individuals, the origin of the data was not indicated in a sufficiently precise manner. EDF only wrote that the "data was collected from an organization specialized in data enrichment", without indicating precisely where the data came from (Article 14 of the GDPR).
  • Breach of the obligations regarding modalities for the exercise of the rights (Article 12 of the GDPR): in particular, the company didn't respond to certain complainants in the time limit provided for in the texts.
  • Breach of the obligation to respect the right of access by the data subject (Article 15 of the GDPR) and right to object of people concerned (Article 21 of the GDPR). The company provided inaccurate information on the origin of the data collected and didn't take into account the opposition to receive for commercial prospecting.

Breach of the obligation to ensure security of personal data (Article 32 of the GDPR)

The restricted committee also observed a breach of the obligation to ensure security of personal data since:

  • the passwords for accessing the customer area of the "energy bonus" portal for more than 25 000 accounts were stored in an unsecured manner until July 2022;
  • the passwords for access to customer area of EDF were only hashed (a series of characters calculated in place of the password) for more than 2,4 million accounts, without having been salted (addition of random characters before hashing, to avoid finding a password by comparing hashes), which exposed them to risks.