CNIL (France) - Deliberation of the restricted training n°SAN-2022-021 of November 24, 2022 concerning the company ELECTRICITÉ DE FRANCE

From GDPRhub
CNIL - Deliberation of the restricted training n°SAN-2022-021 of November 24, 2022 concerning the company ELECTRICITÉ DE FRANCE
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5 GDPR
Article 7 GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 15 GDPR
Article 21 GDPR
Article 32 GDPR
L. 34-5 of the CPCE
Type: Investigation
Outcome: Violation Found
Started:
Decided: 24.11.2022
Published: 29.11.2022
Fine: 600,000 EUR
Parties: Electricité de France
Commission nationale de l'informatique et des libertés
National Case Number/Name: Deliberation of the restricted training n°SAN-2022-021 of November 24, 2022 concerning the company ELECTRICITÉ DE FRANCE
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: Annkathrin.a.dix

The National Commission on Informatics and Liberty imposed a fine of €600,000 on Electricité de France for breaches of Articles 7, 12, 13, 14, 15, 21 and 32 of the GDPR.

English Summary

Facts

Electricité de France (hereinafter referred to as the EDF company or the company) is an entity active on the electricity markets, in particular in the production of electricity and in the wholesale, trading, transportation, distribution and supply of electricity. In the course of its business, the company processes personal data of its customers and prospects, acting as data controller. At the end of 2020, EDF had 25.7 million customers in its databases. The National Commission on Informatics and Liberty (hereinafter referred to as the CNIL or the Commission) received numerous complaints against the company relating to the exercise of data subject rights between August 2019 and December 2020.

Holding

The Commission imposed an administrative fine of €600,000 on EDF for breaches of Articles 7, 12, 13, 14, 15, 21 and 32 of the General Data Protection Regulation (GDPR).

Firstly, EDF failed to comply with its obligation to obtain the consent of the persons concerned before carrying out commercial prospecting by electronic means, as required by Article 7(1) of the GDPR. EDF was unable to provide proof that prospects whose data came from data brokers had validly expressed their consent before being canvassed. In particular, the data broker could only produce its standard collection form, as opposed to the forms completed individually by each prospect.

Secondly, the company failed to comply with its obligation to inform individuals under Articles 13 and 14 of the GDPR. The personal data protection charter on the company's website had shortcomings: no legal basis was mentioned, and the data retention periods were not stated precisely enough to ensure fair and transparent processing of the personal data. In addition, consumers were not informed of the precise source of their personal data (i.e. the identity of EDF).

Thirdly, the company did not comply with its obligations relating to the exercise of individual rights. The CNIL found a breach of the obligation of transparency under Article 12 of the GDPR: for referrals made by data subjects, the company did not provide a written response containing correct information within the prescribed time limit. The Commission also held that EDF violated its obligations under Article 15 of the GDPR, as it gave erroneous information on the source of the data collected in response to a data subject's access request. Additionally, the CNIL found that the company failed to take into account objections to the processing of personal data, thereby failing to comply with its obligations under Article 21 of the GDPR.

Fourthly, EDF breached its obligation to guarantee data security under Article 32 of the GDPR. In particular, the hash function it had implemented had not been applied to a significant number of accounts, so the passwords of those accounts were not stored securely. These concerns were exacerbated by the fact that the company did not systematically use a salt when transforming passwords, thus failing to guarantee the security and confidentiality of its customers' personal data.
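The two password-storage defects described above (a hashing step that never reached every account, and hashing without a systematic salt) are both visible from the stored records themselves. The following Python is an added example, not code from the decision or from EDF: it assumes a hypothetical record format `pbkdf2_sha256$iterations$salt$digest` and a constructed sample of four credential records, and shows a per-account salted, slow hash next to an audit routine that flags records left in plaintext or as bare unsalted digests, and that counts accounts whose identical unsalted digests reveal a shared password.

```python
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Optional

# Hypothetical storage format used by this example (not EDF's):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>
KDF_NAME = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; tune to the deployment's hardware
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted, deliberately slow hash.

    A fresh random salt per account means two accounts sharing a password
    still produce different stored values, so a stolen table cannot be
    attacked with one precomputed digest per candidate password.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{KDF_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        name, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if name != KDF_NAME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Bare hex of the common digest lengths (MD5, SHA-1, SHA-256) with no salt field.
_BARE_HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def classify(stored: str) -> str:
    """Label how a single stored credential was protected."""
    if stored.startswith(KDF_NAME + "$"):
        return "salted_kdf"
    if _BARE_HEX_DIGEST.match(stored):
        return "unsalted_hash"   # fast hash, no salt: identical passwords collide
    return "plaintext"           # the hashing step never ran for this account


def audit(records: dict) -> dict:
    """Summarise a credential table: how many records fall in each class,
    and how many accounts share an unsalted digest (hence a password)."""
    kinds = Counter(classify(v) for v in records.values())
    unsalted = [v for v in records.values() if classify(v) == "unsalted_hash"]
    duplicate_accounts = sum(c for c in Counter(unsalted).values() if c > 1)
    return {"counts": dict(kinds), "unsalted_duplicate_accounts": duplicate_accounts}


# Constructed sample records; the values are invented for this example.
SAMPLE_RECORDS = {
    "user-a": hashlib.sha256(b"Winter2020!").hexdigest(),   # unsalted SHA-256
    "user-b": hashlib.sha256(b"Winter2020!").hexdigest(),   # same digest as user-a
    "user-c": "Winter2020!",                                # never hashed
    "user-d": hash_password("correct horse battery staple"),  # salted PBKDF2
}

if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS))
    print(verify_password("correct horse battery staple", SAMPLE_RECORDS["user-d"]))
```

The audit deliberately works on the stored values alone, which is what a controller can check across its whole customer base without knowing any password; a non-zero count of `plaintext` or `unsalted_hash` records, or of accounts sharing a digest, is exactly the gap the decision faults.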

The Commission therefore imposed a fine, issued an injunction and made its decision public, on the basis of Article 83 of the GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted training n°SAN-2022-021 of November 24, 2022 concerning the company ELECTRICITÉ DE FRANCE

The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Mr. Alain DRU and Mr. Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to the postal and electronic communications code;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to decision no. 2021-020C of January 4, 2021 of the President of the National Commission for Information Technology and Freedoms to instruct the Secretary General to carry out or have carried out a verification mission of the processing implemented by the company ELECTRICITÉ DE FRANCE or on its behalf;

Having regard to the decision of the president of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated May 19, 2022;

Having regard to the report of Mrs. Valérie PEUGEOT, commissioner rapporteur, notified to the company ELECTRICITÉ DE FRANCE on June 23, 2022;

Having regard to the written observations submitted by the council of the company ELECTRICITÉ DE FRANCE on July 25, 2022;

Considering the response of the rapporteur to these observations notified on August 11, 2022 to the company's board;

Having regard to the written observations submitted by the council of the company ELECTRICITÉ DE FRANCE on September 9, 2022;

Considering the other documents in the file;

Were present at the restricted panel session of October 13, 2022:

- Mrs. Valérie PEUGEOT, commissioner, heard in her report;

as representatives of the company ELECTRICITÉ DE FRANCE:

- […] ;

The company ELECTRICITÉ DE FRANCE having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

1. Created in 1955, the company ELECTRICITÉ DE FRANCE (hereinafter “the EDF company” or “the company”) is a public limited company with a board of directors whose head office is located at 22 avenue de Wagram in Paris (75008).

2. The EDF group, which includes the parent company EDF and its subsidiaries, is mainly active in France and abroad on the electricity markets and, in particular, in the production of electricity (nuclear, renewable and fossil) and the wholesale, trading, transportation, distribution and supply of electricity. The EDF group is also present in the gas and energy services markets, as well as in the construction, operation and maintenance of power plants and electricity networks and provides waste recycling and energy services. The EDF group employs more than 131,000 employees, including more than 63,000 for the EDF company.

3. In 2020, the EDF group achieved a turnover of more than 69 billion euros for a net profit of […] euros. In 2021, its turnover amounted to more than 84 billion euros for a net profit of […] euros.

4. As part of the services provided by the company, personal data of its customers and prospects are processed. At the end of December 2020, the company had in its databases 25.7 million customers for the supply of electricity, gas and services and approximately […] prospects, regarding the individual market.

5. The National Commission for Information Technology and Liberties (hereinafter "the CNIL" or "the Commission") has received several complaints against the company EDF, relating to the exercise of rights between August 2019 and December 2020.

6. An online check was carried out on the website “www.edf.fr” on February 15, 2021. Report No. 2021-020-1, drawn up by the delegation at the end of the check, was notified to EDF on February 17, 2021.

7. A documentary inspection mission was also carried out by sending a questionnaire to the company on March 25, 2021, to which the company responded on April 29, 2021.

8. Two requests for additional information were sent to the company on July 13 and August 18, 2021. The company responded to them on July 30, August 31 and September 3, 2021.

9. For the purposes of examining this file, the President of the Commission appointed Ms. Valérie PEUGEOT as rapporteur on May 19, 2022, on the basis of Article 39 of Decree No. 2019-536 of May 29, 2019, as amended.

10. On June 23, 2022, the rapporteur notified the company of a report detailing the breaches of the GDPR that she considered to have occurred in this case. This report proposed that the restricted panel of the Commission impose an administrative fine for the breaches of Articles 7, paragraph 1, 12, 13, 14, 15, 21 and 32 of the GDPR and of Article L. 34-5 of the postal and electronic communications code (hereinafter “the CPCE”). She also proposed that an injunction to bring the processing into compliance with the provisions of Articles 7, paragraph 1, 14 and 32 of the GDPR and L. 34-5 of the CPCE, accompanied by a penalty payment, be issued. Finally, she proposed that the sanction decision be made public, but that it no longer be possible to identify the company by name after a period of two years from its publication.

11. On July 25, 2022, the company produced its observations in response to the sanction report.

12. The rapporteur responded to the company's observations on August 11, 2022.

13. On September 9, 2022, the company produced new observations in response to those of the rapporteur.

14. By letter dated September 15, 2022, the rapporteur informed the company's board that the investigation was closed, in application of article 40, III, of amended decree no. 2019-536 of May 29, 2019.

15. By letter of the same day, the company's counsel was informed that the file was included on the agenda of the restricted panel session of October 13, 2022.

16. The company and the rapporteur presented oral observations during the restricted panel session.

II. Reasons for decision

A. On the failure to comply with the obligation to obtain the consent of the persons concerned for the implementation of commercial prospecting by electronic means

17. Under the terms of Article L. 34-5 of the CPCE, “direct prospecting by means of an automated electronic communications system […], a fax machine or e-mails using the contact details of a natural person who has not previously expressed their consent to receive direct prospecting by this means is prohibited […]. For the application of this article, consent means any manifestation of free, specific and informed will by which a person accepts that personal data concerning them are used for the purpose of direct prospecting. […]”.

18. Under the terms of Article 4, paragraph 11, of the GDPR, “For the purposes of this Regulation, […] ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

19. Under Article 7(1) of the GDPR, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.

20. The rapporteur, to propose to the restricted panel to consider that the company has failed to comply with its obligations resulting from articles L. 34-5 of the CPCE and 7, paragraph 1, of the GDPR, as clarified by the provisions of article 4, paragraph 11, of the GDPR, is based on the fact that the company EDF, which carries out commercial prospecting operations by electronic means, is not able to have and provide proof of consent validly expressed by prospects whose data comes from data brokers before being canvassed. Furthermore, the rapporteur noted that, in the context of the investigation of three complaints, it appeared that the company had difficulty obtaining evidence from the data broker concerned regarding the collection of consent: the data broker produced the standard form, and not the form completed individually by each prospect, thus not being able to transmit individual proof of consent.

21. In defense, the company argues that none of the three complaints referred to in the report concerns electronic commercial prospecting operations and therefore that Article L. 34-5 of the CPCE is inapplicable. The company adds that electronic commercial prospecting operations based on data collected from data brokers are very occasional and target an insignificant number of prospects ([…]%). In addition, the company indicates that it has always strictly regulated its contractual relations with the data brokers it uses and that frequent exchanges took place, even if they were not necessarily formalized in the form of audits. Finally, the company explains […] that data already collected as part of previous campaigns has been deleted. It adds that it has revised the contracts concluded with data brokers and implemented formalized audits from November 2021.

22. Firstly, the restricted panel recalls that, when the prospects' data have not been collected directly from them by the prospecting organization, consent may have been obtained at the time of the initial collection of the data by the first collector, on behalf of the organization which will carry out subsequent prospecting operations. Failing this, it is up to the prospecting organization to obtain such consent before carrying out prospecting acts. Under Article 7(1) of the GDPR, the prospector must then be able to prove that it has this consent. In addition, for consent to be informed, individuals must be clearly informed of the identity of the prospector on whose behalf the consent is collected and of the purposes for which the data will be used. To this end, an exhaustive and up-to-date list must be made available to people at the time their consent is obtained, for example directly on the collection medium or, if it is too long, via a hypertext link referring to that list and to the confidentiality policies of the service providers and suppliers.

23. The restricted panel notes that the three complaints received by the CNIL and referred to by the rapporteur do not relate to electronic commercial prospecting operations. It notes, however, that […] prospects were the subject of electronic commercial prospecting by the company EDF between 2020 and January 2021, for which EDF is not able to provide documents demonstrating that valid consent was obtained from the individuals.

24. Furthermore, although the company provided the control delegation with two examples of the standard form used by the data broker [...] to collect data from prospects, the restricted panel notes that no list of partners (including EDF), which must be made available to prospects at the time of consent, was communicated as part of the procedure, despite requests from the rapporteur to this effect.

25. Secondly, the restricted panel notes that, in the context of the documentary control, the company indicated that the data brokers are responsible for collecting the consent of the persons concerned and that it asks them to commit contractually to respecting the GDPR and the rules applicable to commercial prospecting. The company acknowledged that it does not exercise any control over the collection forms used and does not carry out audits of its co-contractors, but affirmed that it conducts informal exchanges with them.

26. The restricted panel therefore considers that the measures put in place by the company EDF to ensure with its partners that consent was validly given by prospects before being approached were insufficient.

27. Under these conditions, the restricted panel considers that the company has failed to comply with its obligations resulting from articles L. 34-5 of the CPCE and 7, paragraph 1, of the GDPR, as clarified by the provisions of article 4, paragraph 11, GDPR.

28. It nevertheless notes that, in the context of the present procedure, the company indicated that it had deleted the data already collected in the context of previous campaigns.

B. On the failure to comply with the obligation to inform individuals

29. Article 13(1) of the GDPR lists the information that must be communicated by the data controller to data subjects when their personal data are collected directly from them, including “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”.

30. Paragraph 2 of the same article provides that “in addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time when the personal data are obtained, with the following additional information necessary to ensure fair and transparent processing:

a) the duration of retention of personal data or, where this is not possible, the criteria used to determine this duration […]".

31. Article 14 of the GDPR lists the information that must be communicated by the data controller to the data subjects when their personal data has not been collected from them. Paragraph 2 of the same article provides that "in addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing with regard to the data subject: [ …]

f) the source from which the personal data come and, where applicable, a statement indicating whether or not they come from sources accessible to the public […]".

32. The guidelines on transparency within the meaning of Regulation (EU) 2016/679, adopted by the “Article 29” working party in their revised version of April 11, 2018, clarifying the provisions of Article 13, specify that: “the retention period [...] should be formulated in such a way that the data subject can assess, depending on the situation in which he or she finds himself, what the retention period will be with regard to specific data or in the case of specific purposes. The controller cannot simply state generally that personal data will be kept for as long as the legitimate purpose of the processing requires. Where applicable, different storage periods should be mentioned for different categories of personal data and/or the different purposes of processing, in particular the periods for archival purposes.”

33. They also specify that "the waiver of the obligation to provide the data subject with information on the source of his or her personal data only applies where such provision is not possible due to the impossibility to attribute different elements of the personal data concerning the same person to a particular source. On the other hand, the simple fact that a database comprising the personal data of several data subjects has been compiled by a controller using more than one source is not sufficient to waive this obligation if it is possible (although time-consuming or tedious) to determine the source from which the personal data of the data subjects originate” (paragraph 60).

34. The rapporteur notes, on the one hand, a breach of Article 13 of the GDPR insofar as, at the time of the online check carried out on February 15, 2021, the legal basis was not mentioned and the data retention periods were not set out in a sufficiently precise manner in the “personal data protection charter” appearing on the subdomain “private.edf.fr”; on the other hand, a breach of Article 14 of the GDPR, insofar as the people contacted by post by the company were not informed of the precise source of their personal data, namely the identity of the company from which EDF obtained them.

35. In defense, the company considers that the “personal data protection charter” which appeared on the website “private.edf.fr” during the online inspection of February 15, 2021 contained all of the information required under Article 13 of the GDPR and guaranteed “fair and transparent processing” of the data concerned. Regarding the retention periods, the company notes that certain retention periods were mentioned, although not exhaustively, because at the date of the online check the company was carrying out a large-scale overhaul of its retention periods. It considers that it was therefore not possible to indicate all the retention periods, since they were being reviewed and modified. Regarding the legal bases, the company indicates that Article 13(1)(c) of the GDPR does not require the controller to indicate to data subjects each legal basis for each purpose pursued, but simply to inform them of the legal bases used. It specifies that it has nevertheless undertaken a thorough revision of the charter in question, the updated version of which was published in April 2021 on the site “private.edf.fr”.

36. Regarding the breach of Article 14, the company indicates that the nature of the source was at least referred to in the information notices brought to the attention of the persons concerned, namely an “organization specializing in data enrichment”. It adds that limiting itself to fairly general information on the origin of the data made it possible to avoid confusion, since naming one broker would suggest to the person concerned that they were registered only in that data broker's database, whereas they were likely to appear simultaneously in several databases held by different data brokers. The company finally argues that no harm was caused to people, who could contact EDF in order to obtain more information.

37. Firstly, the restricted panel notes that the “personal data protection charter” present on the subdomain “private.edf.fr” constituted the information delivered by the company under Article 13 of the GDPR for types of processing other than prospecting (for example creation of a customer account or subscription to an online contract). However, the charter did not specify the legal basis corresponding to each purpose listed, an element required by Article 13 of the GDPR.

38. Furthermore, while the restricted panel takes note of the explanations provided by the company regarding the overhaul of the retention periods in progress at the time of the online findings made by the control delegation, the fact remains that, at the time of these findings, the said charter stated “We only keep your data for the period necessary for their processing according to the purpose that has been set”, with a single example relating to the retention periods for customers equipped with a Linky meter. The restricted panel considers that the information on retention periods was vague and imprecise, so that it was not sufficient to guarantee “fair and transparent processing” of the personal data processed.

39. Therefore, the restricted panel considers that the company failed to comply with its obligations resulting from Article 13 of the GDPR. It nevertheless takes note of the fact that the company has remedied this breach, since the legal bases and retention periods are now detailed in the charter mentioned above.

40. Secondly, with regard to the breach of Article 14 of the GDPR, the restricted committee notes that, on the first prospecting letter sent to the complainants (referrals no. […], no. […] and no. […]), whose data was obtained indirectly, the following statement appears: “EDF, data controller, implements processing of personal data for prospecting purposes […]. Your data was collected from an organization specializing in data enrichment.

41. The restricted panel considers that the sole mention that the data was collected from an “organization specializing in data enrichment”, appearing in the first commercial prospecting letter sent by EDF, is not sufficiently precise as to the source from which the data comes. This information is therefore not such as to “guarantee fair and transparent processing” with regard to the prospect, in particular in a context of successive resales of data between multiple actors and where the prospect wishes to exercise their rights with a data broker whose identity they do not know.

42. The restricted panel considers that the absence of significant harm to people invoked by the company, and the possibility of contacting EDF in order to obtain more information, have no bearing on the characterization of the failure to inform people, which is an obligation distinct from the right to obtain any available information as to the source of the data pursuant to Article 15(1)(g) of the GDPR.

43. Therefore, the restricted panel considers that the aforementioned facts constitute a breach of Article 14 of the GDPR.

44. The restricted committee notes that during the procedure, the company modified the information contained in the prospecting letters, in order to include the name of the data broker concerned.

C. On breaches linked to the exercise of individual rights

45. Under Article 12 of the GDPR:

“1. The controller shall take appropriate measures […] to provide any communication under Articles 15 to 22 and Article 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language [...]. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. […]

3. The controller shall provide the data subject with information on the action taken on a request made pursuant to Articles 15 to 22 without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. […]

4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. […]”.

46. Article 15(1) of the GDPR provides for the right of an individual to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where they are, access to those personal data, in particular “g) where the personal data are not collected from the data subject, any available information as to their source”. Paragraph 3 of the same article also provides that “the controller shall provide a copy of the personal data undergoing processing. […]”.

47. Article 21(2) of the GDPR provides that, “When personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of the personal data concerning it for such prospecting purposes, including profiling to the extent that it is linked to such prospecting. […] "

1. On the breach of the obligation of transparency

48. The rapporteur, to propose to the restricted panel to consider that the company has failed to comply with its obligations resulting from Article 12 of the GDPR, relies on two referrals to the CNIL, emanating from Mr […] (referral no. […]) and Mr […] (referral no. […]). Regarding the first referral, the rapporteur noted that the company EDF had contacted the complainant by telephone to provide him with a response, without sending him a written letter, in violation of Article 12, paragraph 1, of the GDPR. In addition, the answer given to him about the organization from which the data came was incorrect. Finally, the company answered his questions, again by phone, more than nine months later. Regarding the second referral, the rapporteur noted that the company had closed the complainant's request instead of transmitting it to the department in charge of requests to exercise rights, and had not responded to Mr […]. It was only six months after his initial request, as part of the control procedure, that a response was provided to the complainant.

49. In defense, the company indicates that EDF's policy has always been to respond in writing to all requests to exercise rights from its prospects and customers. It specifies that, for any written complaint, the advisor attempts to contact the prospect or client by telephone, before sending them a documented response in written form. The company adds that the lack of a written response to Mr. […] is a simple human error committed by the advisor, who did not follow internal procedures. The company adds that the processing of requests to exercise rights from complainants took place in the particularly difficult context of both the health crisis, which led to an increase in the number of requests to exercise rights, and postponement of the end of the winter break to September 1, 2020, which may explain why their mail could not be correctly processed within the usual deadlines.

50. The restricted panel notes that the company acknowledges an error in the routing of the complainants' requests which resulted in “either a lack of response within the time limit, or a poor quality of response”. A breach of the obligations of Article 12 of the GDPR is constituted by the fact that the company did not provide a written response and gave the complainant incorrect information in the referral of Mr […]. In addition, the company did not process the requests to exercise rights within the time limit with regard to either of the two referrals.

51. Consequently, the restricted panel considers that the breach of Article 12 of the GDPR has been established.

2. On the failure to comply with the obligation to respect the right of access

52. To propose that the restricted panel find that the company failed to comply with its obligations under Article 15 of the GDPR regarding the right of access, the rapporteur relies on two referrals to the CNIL, from Mr (referral no […]) and Madam (referral no […]). Regarding the referral from Mr […], the first response given to the complainant by telephone on the source of the data collected was incorrect. As for the referral from Madame […], the company specifies that a response was sent to her on July 17, 2020, indicating that it held no data concerning her in its databases other than her first and last name. The rapporteur considered that such a statement was inaccurate and that the company at least held her address, or former address, to match against the complainant's first and last name, since EDF had sent her a letter at her parents' home.

53. In defence, with regard to the referral relating to Mr […], the company acknowledges that the advisor's response to the complainant was "partly inaccurate" because of an error regarding the source of the data. As for the referral relating to Mrs […], the company considers that the response given to her by the advisor was correct, since the only data relating to the complainant were her first and last name.

54. In view of the elements provided by the company, the rapporteur proposes to the restricted panel not to consider the breach of Article 15 of the GDPR with regard to the referral relating to Mrs […].

55. The restricted panel notes that the facts recorded by the rapporteur are not contested by the company with regard to the referral from Mr […], and that it is established that an inaccurate response was provided to him in the context of his right of access request. It considers that a breach of the obligations of Article 15 has occurred with regard to this complaint, since the company provided him with erroneous information on the source of the data collected in response to his right of access request. On the other hand, with regard to the complaint of Mrs […], the restricted panel takes note of the elements provided by the company and considers that the alleged breach is not characterised.

3. On the failure to comply with the obligation to respect the right to object

56. To propose that the restricted panel find that the company failed to comply with its obligations under Article 21 of the GDPR, the rapporteur relies on the referral from Mr […] (no. […]). The rapporteur indicates that the company did not take into account the complainant's objection to the processing of his minor son's personal data for commercial prospecting purposes. Indeed, the minor son of Mr […] received a second commercial prospecting letter, despite Mr […]'s request for the erasure of the personal data relating to his son.

57. In defence, the company explains that, in the May 2020 "Complaint" guide for all advisors, advisors were instructed, for any request to erase a prospect's data, to "systematically record the prospect's objection". Concerning the referral from Mr […], the advisor did erase the data, as he had told the complainant by telephone, but did not fully follow the internal procedure, as he did not record the objection before erasing the data. The company adds that it has since simplified this erasure procedure: since July 2021, when an advisor processes an erasure request, an objection is recorded automatically.

58. The restricted panel notes that the facts recorded by the rapporteur regarding the complainant's situation are not contested by the company and constitute a breach of the obligations arising from Article 21 of the GDPR. It notes that, during the sanction procedure, the company improved its procedure for handling erasure requests.

D. On the failure to comply with the obligation to ensure data security

59. Under Article 32(1) of the GDPR, "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) […];

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) […];

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

• On the password hashing function of the “prime energy” portal

60. On the basis of the company's initial declarations during the inspection procedure, the rapporteur noted that the passwords for the customer area of the "prime energy" portal were stored using the MD5 hash function. The rapporteur then took note of the company's new claims and of the fact that the SHA-256 hash function has been used since January 2018. She nevertheless noted that, until July 2022, the passwords of more than 25,800 accounts were still stored insecurely, with the MD5 hash function.

61. In defence, the company explains that, since January 2018, every registration or modification of a user password has been recorded in the directory associated with the "prime energy" portal in SHA-256 with an associated randomisation mechanism (salting). The MD5 hash corresponds only to the hashing level historically implemented by the company […], EDF's processor, and only a few thousand accounts were still affected in April 2021. The company adds that these passwords were nevertheless stored with the added robustness of the randomisation mechanism (salting), which prevents attacks by precomputed tables. It concluded that the passwords were secure. In addition, the company indicates that, since the beginning of 2022, a final purge of the passwords still stored with the MD5 hash function (approximately 3.2% of the total number of "prime energy" customers) has been carried out. It specifies that all passwords of users of the "prime energy" site are today stored with a salt and a strong algorithm.

62. The restricted panel recalls that it follows from Article 32 of the GDPR that the data controller is required to ensure that the automated data processing it implements is sufficiently secure. The sufficiency of the security measures is assessed, on the one hand, with regard to the characteristics of the processing and the risks it induces and, on the other hand, taking into account the state of the art and the cost of the measures. Implementing a robust authentication policy is a basic security measure which generally contributes to compliance with the obligations of Article 32 of the GDPR. Thus, it is necessary to ensure that a password used to authenticate to a system cannot be disclosed. Keeping passwords secure is a basic precaution when protecting personal data. As early as 2013, the National Information Systems Security Agency (ANSSI) drew attention to good practices regarding the storage of passwords, indicating that they must "be stored in a form transformed by a one-way cryptographic function (hash function) that is slow to compute, such as PBKDF2" and that "the transformation of passwords must involve a random salt to prevent an attack by precomputed tables". Indeed, non-robust hash functions have known weaknesses and do not guarantee the integrity and confidentiality of passwords in the event of a brute-force attack following a compromise of the servers that host them. To the extent that a large number of Internet users reuse the same password to authenticate to their various online accounts, attackers could exploit the compromised data to intrude into those other accounts in order to commit, for example, theft or fraud.

63. Likewise, the Commission specified in its deliberation no. 2017-012 of January 19, 2017, with regard to storage methods, that "the password must never be stored in clear text. It recommends that it be transformed by means of a non-reversible and secure cryptographic function (i.e. using a public algorithm deemed strong whose software implementation is free of known vulnerabilities), integrating the use of a salt or a key. The Commission further considers that the salt or the key must be generated by means of a cryptographically secure pseudo-random number generator (that is to say, based on a public algorithm deemed strong whose software implementation is free of known vulnerabilities), and must not be stored in the same storage space as the password verification element."

64. In addition to these recommendations, the restricted panel emphasises that it has, on several occasions, imposed financial sanctions where a breach of Article 32 of the GDPR was characterised by insufficient measures to guarantee the security of the data processed. It thus had occasion to recall that "the use of the MD5 hash function by the company has no longer been considered state of the art since 2004 and its use in cryptography or security is prohibited. Thus, the use of this algorithm would allow a person with knowledge of the hashed password to decipher it without difficulty in a very short time (for example, by means of freely accessible websites which make it possible to find the value corresponding to the hash of the password)" (deliberation SAN-2021-008 of June 14, 2021).

65. However, the restricted panel notes that, until July 2022, the passwords of more than 25,800 accounts were kept insecurely, with the MD5 hash function. Under these conditions, having regard to the risks incurred by individuals, the restricted panel considers that the company has failed to fulfil its obligations under Article 32 of the GDPR.

66. It nevertheless notes that, in the context of this procedure, the company has justified having taken measures to comply with the obligations arising from Article 32 of the GDPR.

• On the password hashing function in the EDF customer area

67. On the basis of the company's initial declarations during the inspection procedure, the rapporteur noted that the passwords for the EDF customer area, accessible at the URL "www.particuliers.edf.fr", were stored in hashed and salted form using the SHA-1 function, even though that function is considered obsolete. The rapporteur therefore considered that the password storage methods did not guarantee the security and confidentiality of customers' personal data.

68. In defence, the company indicates that the hashing algorithm used to store passwords in the directory […], which manages authentication for the customer areas, is in reality SHA-512 supplemented by a randomisation mechanism (salting) since May 17, 2017, and not SHA-1, contrary to what it had told the inspection delegation. The company adds that the renewal of passwords and the purging of old passwords were carried out in phases.

69. In her most recent submissions, the rapporteur notes that, while 11,241,166 account passwords are hashed and salted, 2,414,254 account passwords are only hashed, without having been salted.

70. In defence, the company recalls that it deploys significant human and material resources in the area of cybersecurity. It adds that, since its last observations, it has applied the randomisation mechanism (salting) to the fraction of passwords in the directory […] which lacked it but which were nevertheless already hashed with SHA-512. Thus, to this day, there is no longer any SHA-512-hashed password without a randomisation mechanism (salting).

71. The restricted panel refers to the reasoning above regarding the need to use a random salt in the transformation of passwords (§§ 62 and 63). It further notes that, in its guide "Recommendations relating to multi-factor authentication and passwords" of October 8, 2021, ANSSI writes: "It is recommended to use a salt chosen randomly for each account and with a length of at least 128 bits".

72. The restricted panel notes that, here again, the company does not contest the breach itself but asks not to be sanctioned, on the ground that it has now remedied the breach. The restricted panel considers that the company has failed to fulfil its obligations under Article 32 of the GDPR, since it did not take the necessary measures to ensure the security of all the data it processes that are accessible from user accounts at the URL "www.particuliers.edf.fr", by not systematically using a salt in the transformation of passwords.

73. It nevertheless notes that, in the context of this procedure, the company has justified having taken measures to comply with the obligations arising from Article 32 of the GDPR.
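As an added illustration of the practices discussed in §§ 60-72 (this is not code from the decision, from EDF or from the CNIL), the following Python models a password store holding accounts whose passwords were hashed with unsalted MD5 or with SHA-512 without a per-account salt, and shows how a controller can inventory which scheme each account uses and migrate each legacy hash to PBKDF2 with a random 128-bit salt the next time the user logs in. The record layout, scheme names and sample data are assumptions.

```python
"""Password storage audit and transparent upgrade of legacy hashes.

Added example (not EDF's or the CNIL's code). It models the situations the
decision describes: accounts stored as unsalted MD5 (§60) or as SHA-512
without a per-account salt (§69), and shows (1) an inventory by scheme and
(2) rehashing each legacy password with a slow, salted KDF at next login,
which is the only moment the plaintext is available to the controller.
Record layout, scheme names and fixtures below are constructed.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Target scheme: PBKDF2-HMAC-SHA256 (PBKDF2 is cited by ANSSI in §62) with a
# per-account random salt of 128 bits (ANSSI, §71) and a slow iteration count.
TARGET_SCHEME = "pbkdf2_sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16  # 128 bits


def hash_password(password: str) -> dict:
    """Hash a password under the target scheme with a fresh CSPRNG salt (§63)."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return {"scheme": TARGET_SCHEME, "salt": salt.hex(), "hash": digest.hex()}


def _legacy_digest(record: dict, password: str) -> bytes:
    """Recompute a legacy (md5 / sha512) hash; an empty salt means unsalted."""
    salt = bytes.fromhex(record["salt"]) if record["salt"] else b""
    return hashlib.new(record["scheme"], salt + password.encode()).digest()


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison of a candidate password under any stored scheme."""
    if record["scheme"] == TARGET_SCHEME:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(record["salt"]),
                                     PBKDF2_ITERATIONS)
    else:
        digest = _legacy_digest(record, password)
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Authenticate; on success a legacy record is rehashed under the target
    scheme. Returns (ok, record_to_store); a failed login never rehashes."""
    if not verify(record, password):
        return False, record
    if record["scheme"] != TARGET_SCHEME:
        return True, hash_password(password)
    return True, record


def audit(records: list) -> dict:
    """Inventory by scheme and salting, like the salted/unsalted count in §69."""
    counts = Counter()
    for r in records:
        counts[(r["scheme"], "salted" if r["salt"] else "unsalted")] += 1
    return {f"{scheme}/{kind}": n for (scheme, kind), n in counts.items()}


def legacy_record(scheme: str, password: str, salt: bytes = b"") -> dict:
    """Constructed fixture: build a record the way an old system would have."""
    digest = hashlib.new(scheme, salt + password.encode()).digest()
    return {"scheme": scheme, "salt": salt.hex(), "hash": digest.hex()}
```

Running `audit` over a real directory export before and after a login-driven migration gives the controller the same kind of figure the rapporteur relied on in §69, and records still on a legacy scheme after a grace period are candidates for the forced renewal the company describes in §68.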

III. On corrective measures and their publicity

74. Under the terms of Article 20, III, of the law of January 6, 1978 as amended, "Where the data controller or its processor does not comply with the obligations arising from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the Commission nationale de l'informatique et des libertés may also, where appropriate after having sent it the warning provided for in I of this article or, where appropriate, in addition to a formal notice provided for in II, refer the matter to the restricted panel of the commission with a view to imposing, after an adversarial procedure, one or more of the following measures: […]

7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover of the previous financial year, whichever is higher. In the cases mentioned in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted panel takes into account, in determining the amount of the fine, the criteria specified in the same Article 83."

75. Article 83 of the GDPR provides that "each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive", before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding on its amount.

76. Firstly, on the principle of imposing a sanction, the company states that, besides contesting or justifying the failings alleged by the rapporteur, it has already taken all measures to remedy all of the alleged facts and to ensure compliance with the applicable legislation. It emphasises the goodwill and efforts it demonstrated throughout the procedure. The company considers that the mitigating factors provided for in Article 83, paragraph 2, of the GDPR should lead the restricted panel not to impose a financial sanction or, at the very least, to reduce very significantly the amount of the fine proposed by the rapporteur. It considers that the alleged breaches are not substantial in this case, since they had a limited or even non-existent impact on the rights and freedoms of the persons concerned, given their small number and their non-structural nature.

77. The restricted panel recalls that, when imposing an administrative fine, it must take into account the criteria specified in Article 83 of the GDPR, such as the nature, gravity and duration of the infringement, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the infringement.

78. The restricted panel underlines that the breaches committed by the company concern obligations relating to the fundamental principles of personal data protection, and that the breaches are numerous.

79. The restricted panel then notes that the company is the leading electricity player in France, since at the end of December 2020 it counted 25.7 million customers for the supply of electricity, gas and services and approximately […] prospects on the residential market. It therefore has significant resources with which to address personal data protection issues.

80. Consequently, the restricted panel considers that it is appropriate to impose an administrative fine with regard to the breaches constituted by article L. 34-5 of the CPCE and articles 7, paragraph 1, 12, 13, 14, 15, 21 and 32 of the GDPR.

81. The restricted panel nevertheless underlines the efforts that EDF demonstrated in the course of the procedure, since it remedied all the shortcomings noted by the rapporteur. It further considers that the failure to obtain the consent of the persons concerned before carrying out commercial prospecting by electronic means, although a structural failure, is in this case of limited gravity, in that the number of prospects whose data was collected from data brokers and who received commercial prospecting electronically represents only […]% over the period 2020-2022 of all the people targeted by commercial prospecting actions carried out by EDF towards prospects whose data was obtained via data brokers. Regarding the breach of the information obligation, the restricted panel takes note of the company's declarations that it was carrying out a large-scale overhaul of its retention periods, which prevented it from stating all of them, since they were being reviewed and modified. It further notes, with regard to the referrals discussed, that the breaches of individuals' rights are not structural and result from human error.

82. The restricted panel recalls that the infringements of the GDPR found in this case are breaches of principles which may, under Article 83 of the GDPR, give rise to an administrative fine of up to 20,000,000 euros or up to 4% of the total worldwide annual turnover of the previous financial year, whichever is higher.

83. The restricted panel also recalls that administrative fines must be both dissuasive and proportionate. It considers in particular that the company's activity and financial situation must be taken into account in determining the amount of the administrative fine. It notes in this regard that the EDF group achieved a turnover of more than 69 billion euros for a net income of […] euros in 2020 and of more than 84 billion euros for a net income of […] euros in 2021.

84. Therefore, in view of these elements, the restricted panel considers that the imposition of an administrative fine in the amount of 600,000 euros appears justified.

85. Secondly, an injunction to bring the processing into compliance with the provisions of Articles 7, paragraph 1, 14 and 32 of the GDPR and L. 34-5 of the CPCE was initially proposed by the rapporteur.

86. The company maintains that the actions it has implemented with regard to all the breaches found should lead to no injunction with periodic penalty payment being issued.

87. As indicated previously, the restricted panel notes that the company has taken compliance measures with regard to all of the shortcomings noted by the rapporteur. It therefore considers that there is no need to issue an injunction.

88. Thirdly, with regard to the publication of the sanction decision, the company asks the restricted panel not to publish it or, in the alternative, to anonymise it immediately or at the latest within eight days.

89. The restricted panel considers that publication of the sanction is justified in view of the nature and number of the breaches committed, as well as the number of people affected by them, in particular more than 2,400,000 customers with regard to the data security breach.

FOR THESE REASONS

The restricted panel of the CNIL, after having deliberated, decides to:

• impose an administrative fine against the company ÉLECTRICITÉ DE FRANCE in the amount of 600,000 (six hundred thousand) euros for breaches of article L. 34-5 of the CPCE and articles 7, paragraph 1, 12, 13, 14, 15, 21 and 32 of the GDPR;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name at the end of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be the subject of an appeal before the Council of State within two months of its notification.