Acting on several complaints, the institution “considered that the company had breached several obligations provided for by the General Data Protection Regulation (GDPR) and the Postal and Electronic Communications Code (CPCE)”, and decided to make public the penalty imposed on November 24, according to a press release.
According to the CNIL, the amount of the fine takes “into account the cooperation of the company and all the measures it has taken during the procedure to bring itself into compliance regarding all the breaches of which it was accused”.
In particular, the leading electricity supplier in France was unable to prove that it had obtained prior valid consent from the recipients of an electronic direct-marketing campaign carried out between 2020 and 2021.
EDF also failed in its obligation to inform people about the use of personal data on its website and did not respond in time to people wishing to exercise their right of access or their right to object to the use of their data.
Finally, the CNIL's restricted committee sanctioned a failure to secure passwords, which can create risks for Internet users in the event of hacking.