ÉLECTRICITÉ DE FRANCE: Insufficient fulfilment of data subjects rights

The French DPA has imposed a fine of EUR 600,000 on ÉLECTRICITÉ DE FRANCE (EDF), France's largest electricity supplier. The DPA had received several complaints that individuals were experiencing difficulties in exercising their rights by EDF. During its investigation, the DPA found that EDF's privacy policy did not provide sufficient information on various aspects of data processing, such as the retention period of personal data. In addition, the DPA found that EDF had not responded to a number of data subject requests in a timely manner Also, EDF failed to respect data subjects' right to object to advertising requests in some cases. Furthermore, the DPA noted that EDF failed to demonstrate that it had obtained valid consent from data subjects in the context of a commercial solicitation campaign. Finally, the DPA concluded that EDF had failed to implement sufficient technical and organizational measures to protect personal data. EDF had insecurely stored passwords of more than 25,000 customer accounts. In addition, the company had merely hashed and not salted passwords of 2,4 million accounts.

GDPR Articles: Art. 7 GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR, Art. 15 GDPR, Art. 21 GDPR, Art. L. 34-5 CPCE
Industry: Transportation and Energy