CNIL (France) - SAN-2022-011

From GDPRhub
Revision as of 07:43, 13 July 2022 by Riealeksandra (Improved language, added GDPR hyperlinks and machine translation)
CNIL - Délibération SAN-2022-011
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 12 GDPR
Article 14 GDPR
Article 15 GDPR
Article 21 GDPR
Article 83 GDPR
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (ePrivacy Directive)
Article L. 34-5 of the French Post and Electronic Telecommunications Code (CPCE)
Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to information technology, files and freedoms
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 23.06.2022
Fine: 1,000,000 EUR
Parties: XXXXXXXX
TOTAL ENERGIES ELECTRICITY AND GAS FRANCE
National Case Number/Name: Délibération SAN-2022-011
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: LegiFrance (in FR)
Initial Contributor: Samuel Uzoigwe

The French DPA fined a controller €1,000,000 for failing to respond properly and in time to data subject requests, and for the lack of an option on its website allowing users to object, at the time of collection, to the processing of their personal data for marketing purposes.

English Summary

Facts

The controller is a limited liability company whose business is the supply and production of electricity and gas in France.

Several data subjects complained to the French DPA (CNIL) that they had encountered difficulties in exercising their right of access to personal data about them and in objecting to receiving commercial prospecting telephone calls from the controller.

The complaints concerned requests for rectification of personal data; late, erroneous or missing responses to requests for access to personal data and to the origin of that data; failure to cease processing after an objection to processing for commercial prospecting (marketing) purposes; and requests for erasure of personal data.

The DPA appointed a rapporteur that carried out an audit of the website of the controller and investigated the various complaints of the data subjects.

The controller in its defence argued that 1) the data subjects' access requests were not sent to the controller's dedicated unit, and the persons who received them did not know how to identify their purpose; 2) the procedures it had put in place were not followed because of human error; 3) a large number of requests were received in 2020 during the health crisis, and their handling was impeded by the disruptions that followed; 4) it had difficulties obtaining the necessary information from its business partners, so that it was unable to properly inform data subjects about the source of their data; 5) it had taken steps to modify its processing activities to comply with the applicable laws; and 6) the breach affected only a fraction of its customers.

Beyond the direct complaints made by the data subjects, the DPA in its investigation noted that when subscribing online on the controller's website, the subscription form had no option for users to object to the use of their personal data for marketing purposes. The subscription form informed users that their personal data may be used by the controller to present offers to them at a later date.

On this point, the controller further argued that the CPCE did not apply to the online subscription form, since the collection of personal data through the form was not intended to promote the company's products or services, but to offer assistance to the user in order to help them finalize the current subscription.

Holding

The DPA held that the lack of an option for a user to object to the processing of their personal data for marketing purposes, at the time of collection, constitutes a breach of the provisions of article L. 34-5 of the French Post and Electronic Telecommunications Code (CPCE).

The DPA observed that, in certain cases, the data subjects contacted for marketing purposes were not provided with any of the information required by Article 14 GDPR, such as the purposes of the processing or the existence of the various rights. They were not informed that the call was being recorded, nor of their right to object to it.

The DPA observed that the controller had failed to respond, supplied erroneous responses, or responded late to several data subject requests, beyond the deadlines set by Article 12, often after several reminders from the data subject.

The DPA observed that the controller failed to process, within the time limit, the data subjects' various requests for access to their personal data and its origin, as well as for access to recordings of telephone conversations concerning them, in breach of its obligations under Article 15.

The DPA finally observed that the controller continued to process the personal data of data subjects after they had objected to the processing, in breach of Article 21.

The DPA held that the controller cannot rely on its difficulties in obtaining information from its commercial partners to justify its failure to provide a response to the applicants in accordance with the applicable provisions. It is the duty of the controller to organize itself in such a way as to be able to ensure that requests for access are processed in accordance with the applicable provisions and, in particular, to provide information on the origin of the data.

The DPA further held that, although the data subjects did not send their access requests directly to the unit in charge of responding to them, it was up to the controller, once the requests (one of which was addressed directly to the data protection officer) had been received in clear terms, to process them within the time limits provided for and to ensure that they were transmitted to the department responsible for handling such requests.

For these violations, the DPA fined the controller €1,000,000.

The controller argued against the publication of the penalty decision, on the ground that publication would be disproportionate in light of the limited nature of the alleged breaches and its compliance. It also claimed that publication of the penalty would have a significant impact on the controller’s image and that it would be favorable to its main competitors, in a very competitive market.

The DPA also decided to make its decision public on the CNIL website and on the Légifrance website and held that the controller will no longer be identified by name after a period of two years from its publication.

The DPA noted that the company has taken measures to bring its processing into compliance with the applicable laws, and the efforts made by the company to comply throughout the procedure. The DPA also noted that the controller’s agents have had to attend awareness training on the subjects of the complaints.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation SAN-2022-011 of June 23, 2022
National Commission for Computing and Liberties
Nature of the deliberation: Sanction
Legal status: In force
Date of publication on Légifrance: Thursday, June 30, 2022
Deliberation of the restricted formation n°SAN-2022-011 of June 23, 2022 concerning the company TOTALENERGIES ELECTRICITÉ ET GAZ FRANCE
The National Commission for Computing and Liberties, meeting in its restricted formation composed of Mr. Alexandre LINDEN, President, Mr. Philippe-Pierre CABOURDIN, Vice-President, Mrs. Christine MAUGÜÉ, Mr. Alain DRU and Mr. Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of personal data and the free movement of such data (GDPR);

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to the postal and electronic communications code;

Having regard to Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its Articles 20 et seq.;

Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Computing and Liberties;

Having regard to decision n° 2020-113C of May 12, 2020 of the President of the National Commission for Computing and Liberties to instruct the Secretary General to carry out or to have carried out a mission to verify the processing implemented by TOTAL DIRECT ENERGIE or on its behalf;

Having regard to the decision of the President of the National Commission for Computing and Freedoms appointing a rapporteur before the restricted formation, dated July 29, 2021;

Having regard to the report of Mr. François PELLEGRINI, reporting commissioner, notified to the company TOTALENERGIES ELECTRICITÉ ET GAZ FRANCE on February 25, 2022;

Having regard to the written observations submitted by the company TOTALENERGIES ELECTRICITÉ ET GAZ FRANCE on March 25, 2022;

Having regard to the other documents in the file;

Were present at the session of the restricted formation of April 21, 2022:

- Mr. François PELLEGRINI, commissioner, heard in his report;

As representatives of TOTALENERGIES ELECTRICITÉ ET GAZ FRANCE:

- […]

TOTALENERGIES ELECTRICITÉ ET GAZ FRANCE having the last word;

The Restricted Committee adopted the following decision:

I. Facts and procedure

1. TOTALENERGIES ELECTRICITÉ ET GAZ FRANCE (hereinafter "the company"), formerly known as TOTAL DIRECT ENERGIE, whose registered office is located at 2 bis rue Louis Armand in Paris (75015), is a public limited company whose business is the supply and production of electricity and gas in France. Founded in 2003, the company has approximately 650 employees.

2. For the year 2020, the company achieved a turnover of […] euros, for a net result of […] euros. In 2021, the company had nearly 8 million customers and prospects, which ranked it third among the main electricity and gas suppliers in France.

3. Between October 2019 and July 2020, the National Commission for Computing and Liberties (hereinafter "the CNIL" or "the Commission") received 27 complaints against the company. Of these complaints, 18 were examined in the context of this sanction procedure. The complainants notably mentioned the difficulties encountered in exercising their rights of access or of opposition to receiving commercial prospecting telephone calls.

4. For the purposes of investigating the complaints, an online check was carried out on the "total.direct-energie.com" website on August 10, 2020. Minutes No. 2020-113-1, drawn up by the delegation on the day of the inspection, were notified to the company on August 19, 2020. The CNIL delegation focused in particular on verifying the management, by the company, of the rights of individuals, and more particularly the way in which it had dealt with requests for the exercise of the rights of persons who had lodged complaints with the Commission. This control was also intended to verify the information provided by the company to prospects contacted in the context of cold-calling operations, as well as the possibility offered to them of objecting to it.

5. Three requests for additional information were then sent to the company by registered letter with acknowledgment of receipt, dated August 19, 2020, November 25, 2020 and February 19, 2021. The company replied by letters dated October 1, 2020, December 11, 2020 and March 5, 2021.

6. For the purpose of examining these elements, the President of the Commission, on July 29, 2021, appointed Mr François PELLEGRINI as rapporteur on the basis of Article 22 of the law of January 6, 1978 as amended.

7. By letter dated January 6, 2022, the rapporteur asked the company to provide its balance sheet for the year 2020, which it did not do.

8. On February 25, 2022, the rapporteur notified the company of a report detailing the breaches of the GDPR that he considered to have occurred in this case, accompanied by a notice to attend the session of the restricted formation of April 21, 2022.

9. This report proposed that the restricted committee of the Commission impose an administrative fine and an injunction to bring the processing into compliance with the provisions of Article L. 34-5 of the Post and Electronic Telecommunications Code (CPCE) and of Articles 12, 14, 15 and 21 of the GDPR, together with a penalty payment for each day of delay at the end of a period of three months following the notification of the deliberation of the restricted formation. He also proposed that this decision be made public, but that it would no longer be possible to identify the company by name after the expiry of a period of two years from its publication.

10. On March 25, 2022, the company filed its observations in response to the sanction report.

The company and the rapporteur presented oral observations during the restricted committee session.

II. Reasons for decision

A. On the breach of the obligations of Article L. 34-5 of the Postal and Electronic Communications Code

11. According to Article L. 34-5 of the CPCE:

"Direct prospecting by means of an automated electronic communications system within the meaning of 6° of Article L. 32, a fax machine or e-mail, using the contact details of a natural person, subscriber or user, who has not previously expressed consent to receive direct prospecting by this means, is prohibited. (…) / However, direct prospecting by e-mail is authorized if the contact details of the recipient have been collected from him, in compliance with the provisions of Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms, on the occasion of a sale or the provision of services, if the direct prospecting concerns similar products or services provided by the same natural or legal person, and if the recipient is offered, in an express and unambiguous manner, the possibility of objecting, free of charge (apart from the costs linked to the transmission of the refusal) and in a simple manner, to the use of his contact details at the time they are collected and each time a prospecting e-mail is sent to him, in the event that he has not refused such use from the outset. (…)".

12. The rapporteur first observes that during the inspection carried out on August 10, 2020, the company indicated to the CNIL that it was carrying out different types of commercial prospecting campaigns, including so-called "relaunch" campaigns during which it contacts in particular prospects who have communicated their data through forms available on its website. Prospects can be contacted by phone or email.

13. The rapporteur then notes that the delegation of control noted that, when subscribing online on the company's website, the user must fill in the corresponding collection form with his email address and telephone number below the statement informing him that: "By providing the following information, you acknowledge that you agree to their use by Total Direct Energie to subsequently present its offers to you". He emphasizes that this mention is not accompanied by any modality, such as a checkbox, allowing the user to oppose the use of his contact details for such purposes, at the time when these are collected.

14. In defence, the company provides answers in connection with two forms available on its website. It first argues that the online quote request form complies with the applicable rules in that it informs the user that his contact details are provided on an optional basis and that it contains a checkbox, not pre-checked by default, allowing him to accept to receive commercial offers from the company by email, SMS or telephone. The company also maintains that Article L. 34-5 of the CPCE is not intended to apply to the online subscription form since telephone calls and emails sent to persons who have not finalized their subscription are not in principle intended to promote the company's products or services but are intended to offer assistance to the user in order to help him finalize his current subscription. However, the company specifies that it has taken measures within the framework of the sanction procedure to add a checkbox to this form and adds that it no longer sends, since September 2020, emails to people who start an online subscription without finalizing it.

15. Firstly, the Restricted Committee notes that, with regard to the quote request form, the rapporteur specified during the procedure that its conformity was not disputed, only the online subscription form being referred to in its report. It also considers that the methods of data collection through this quote request form comply with the applicable rules.

16. Secondly, with regard to the online subscription form, the Restricted Committee recalls that it follows from the aforementioned provisions of Article L. 34-5 of the CPCE that data controllers may, on the occasion of a sale or provision of services, collect personal data for commercial prospecting purposes for similar products or services, without obtaining the consent of the interested parties, provided that the collection complies with the requirements of the Law on Data Processing, Files and Freedoms (loi Informatique et Libertés), is carried out from the person concerned, and offers him the possibility of opposing such processing of his data at the time they are collected and then in each prospecting message.

17. In this case, the Restricted Committee considers that the fact that the user, when he completes the online subscription form, cannot oppose the use of his data for the purposes of electronic commercial prospecting at the time they are collected constitutes a breach of the obligations of Article L. 34-5 of the CPCE, since the form informs him that the information provided, including his email address, can be used by the company to "present its offers at a later date".

18. Under these conditions, the Restricted Committee considers that the company has failed to comply with its obligations resulting from Article L. 34-5 of the CPCE.

19. It nevertheless notes that, in the context of this procedure, the company indicated that it no longer sent emails to persons starting a subscription without finalizing it and that it inserted a checkbox on the online subscription form accompanied by the following wording: "Please tick this box if you do not wish your telephone number to be used by TotalEnergies Electricité and Gaz de France to help you finalize your subscription and offer you its offers and services".

B. On the breach of the obligation to inform pursuant to Article 14 of the GDPR

20. According to Article 14 of the GDPR:

"1. Where personal data has not been collected from the data subject, the controller shall provide the data subject with all of the following information:

a) The identity and contact details of the controller and, where applicable, of the controller's representative;

b) Where applicable, the contact details of the data protection officer;

c) The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) The categories of personal data concerned;

e) Where applicable, the recipients or categories of recipients of the personal data;

f) If applicable, the fact that the controller intends to transfer personal data to a recipient in a third country or an international organization (…) /

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing vis-à-vis the data subject (…) /

a) the period for which the personal data will be stored or, where this is not possible, the criteria used to determine this period;

b) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;

c) the existence of the right to request from the controller access to personal data, rectification or erasure thereof, or restriction of processing relating to the person concerned, as well as the right to object to processing and the right to data portability;

d) where the processing is based on Article 6, paragraph 1, point a), or on Article 9, paragraph 2, point a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on the consent given before its withdrawal;

e) the right to lodge a complaint with a supervisory authority;

f) the source from which the personal data originated and, where appropriate, a statement indicating whether or not they originated from sources accessible to the public (…)”

According to Article 14, paragraph 3:

"The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable period of time after obtaining the personal data, but not exceeding one month, having regard to the particular circumstances in which the personal data is processed;

b) if the personal data is to be used for the purposes of communication with the data subject, at the latest at the time of the first communication to said person (…)”.

21. The rapporteur notes that, as part of the check, the company provided the CNIL delegation with a sample consisting of eighty-four recordings of telephone calls made by three advisers on October 20, 2020. These calls were carried out as part of prospecting campaigns carried out using data collected by the company from its partners providing prospect data.

22. The rapporteur notes that listening to this sample revealed either the absence of information provided to people contacted by telephone or the incomplete nature of this information. Indeed, it appears from these recordings that, in some cases, the people contacted did not receive any information relating to the protection of their data during the call. In other cases, the information provided was incomplete, some of the aforementioned information provided for in Article 14 of the GDPR not being brought to the attention of the persons contacted. Finally, the company offered the people contacted no possibility of accessing more complete information, for example by pressing a key on their telephone keypad.

23. In defence, the company first emphasizes that the calls examined in the report do not reflect the practices of all the advisers, since only eighty-four call recordings are concerned and they correspond to calls in which the advisers did not follow the instructions given. According to the company, these instructions made it possible to provide the persons concerned with the "essential / priority information". The company then adds that, as part of the procedure, it modified the script provided to advisers in order to give more prominence to the essential information at the start of the call and to invite people who wish to have more information to press a key on their phone. The company also indicates that it has reinforced its second level of information by recording a message containing all the information required by Article 14 of the GDPR, accessible via this key. Finally, it specifies that its agents had to attend awareness training on this subject.

24. The Restricted Committee notes that the eighty-four recordings of canvassing calls collected as part of the check reveal a lack of knowledge of Article 14 of the GDPR.

25. The Restricted Committee observes that, in some cases, the people contacted for prospecting purposes did not receive any information. In other cases, certain information mentioned above provided for in Article 14 of the GDPR – such as the purposes of the processing or the existence of the various rights – was not brought to their attention. In most cases, essential information, such as that relating to the very principle of recording the call and the right to oppose it, was not communicated. People were also not offered the possibility of obtaining more complete information relating to the processing of their personal data, for example by pressing a key on their telephone keypad.

26. Therefore, the Restricted Committee considers that the aforementioned facts constitute a breach of Article 14 of the GDPR.

27. The Restricted Committee notes that the company has justified having taken measures to comply during the procedure, in particular by modifying the instructions contained in the script provided to advisers contacting prospects, and detailing the message to be delivered to them at the start of the call. This mentions all the essential information, as well as the possibility of obtaining additional information relating to the processing of personal data implemented by the company by pressing a key on the telephone keypad. The information thus made available to individuals complies with Article 14 of the GDPR.

C. On breaches in connection with the exercise of rights

28. Under Article 12 of the GDPR:

"1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to carry out any communication under Articles 15 to 22 and Article 34 in relation to the processing to the person concerned in a concise, transparent, comprehensible and easily accessible manner, in clear and simple terms, in particular for any information intended specifically for a child. The information is provided in writing or by other means including, where appropriate, by electronic means. When the data subject requests it, the information may be provided orally, provided that the identity of the data subject is demonstrated by other means.

2. The controller shall facilitate the exercise of the rights conferred on the data subject under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject to exercise the rights conferred on him by Articles 15 to 22, unless the controller demonstrates that he is unable to identify the data subject.

3. The controller shall provide the data subject with information on the measures taken following a request made pursuant to Articles 15 to 22, as soon as possible and in any case within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and the number of requests. The controller informs the data subject of this extension and the reasons for the postponement within one month of receiving the request. Where the data subject submits the request in electronic form, the information shall be provided electronically where possible, unless the data subject requests otherwise.

4. If the controller does not comply with the request made by the data subject, he shall inform the latter without delay and at the latest within one month of receipt of the request of the reasons for his inaction and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy. (…)".

29. Article 15(1) of the GDPR provides the right for a person to obtain confirmation from the controller whether personal data relating to him or her are being processed and, where they are, the access to personal data concerning him and in particular "g) when the personal data are not collected from the person concerned, any information available as to their source". It is also provided in paragraph 3 of the same article that "the data controller provides a copy of the personal data undergoing processing. (…)".

30. Under Article 21 of the GDPR:

"2. Where personal data is processed for prospecting purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such prospecting purposes, including profiling insofar as it is linked to such prospecting. (…)"

1. On the breach of obligations relating to the procedures for exercising the rights of individuals (Article 12 of the GDPR)

31. The rapporteur, to propose to the Restricted Committee to consider that the company has breached its obligations resulting from Article 12 of the GDPR, relies on four referrals to the CNIL, from Mesdames […] (complaint no. […]) and […] (complaint no. […]), and from Messrs. […] (complaint no. […]) and […] (complaint no. […]), in the context of which the complainants alleged difficulties encountered in exercising their rights.

32. The rapporteur indicates that these four referrals concern, respectively, a request for rectification of the consumer's address, the taking into account of an opposition to the processing of data for commercial prospecting purposes, a request for the origin of the data and, finally, an opposition to the processing of data for commercial prospecting purposes accompanied by a request for their deletion.

33. The rapporteur observes that it emerges from the observations made during the inspection procedure or from the information communicated subsequently by the company, that although the latter took the requests into account, it only provided satisfactory responses late in the process, beyond the deadlines set by Article 12 of the GDPR, often after several reminders from the complainant and initiation of the control procedure.

34. In defence, the company argues that the alleged breach under these four referrals only occurred in isolated or complex cases and is essentially indicative of human error, during a period of health crisis and successive lockdowns during which individuals had more time to exercise their rights. It specifies that, according to the detailed procedure that the company developed in 2018 for the agents of the customer relations department and its partner […] (subcontractor in charge of managing requests for the exercise of rights), requests must be taken care of immediately and no later than D+1 from their receipt, and they must be processed no later than D+30. It also details the actions taken for each of these referrals and emphasizes that a response has been provided to all these requests.

35. The Restricted Committee recalls that it follows from Article 12 of the GDPR that, when a request to exercise a right is addressed to it, the data controller must provide the data subject with information on the measures taken in response to his request as soon as possible and in any case within one month. The Restricted Committee also recalls that it is possible to extend this period by two months due to the complexity of the request.

36. The Restricted Committee notes that the facts noted by the rapporteur are not disputed by the company. It considers that a breach of the obligations of Article 12 of the GDPR is constituted when the company has not processed certain requests to exercise rights within the time limit, the time taken being up to two years. In the case of a complainant, even though her situation was settled, the company had not informed her of the actual processing of her request. As a result, the persons concerned were unaware of the follow-up to their requests.

37. Consequently, the Restricted Committee considers that, even though the company has justified having processed the aforementioned requests and having taken measures to comply, the breach of Article 12 of the GDPR has been established.

2. On the breach relating to the obligation to respect the right of access (article 15 of the GDPR)

38. The rapporteur, to propose to the Restricted Committee to consider that the company has breached its obligations resulting from Article 15 of the GDPR in terms of the right of access, relies on eight referrals to the CNIL, from Messrs. […] (complaint no. […]), […] (complaint no. […]), […] (complaint no. […]), […] (complaint no. […]), […] (complaint no. […]), […] (complaint no. […]), […] (complaint no. […]) and […] (complaint no. […]). In the context of these complaints, people reported difficulties encountered in exercising this right, even though their requests had been received.

39. The rapporteur indicates that these eight referrals concern in particular access to personal data and more particularly their origin as well as access to recordings of telephone conversations.

40. The rapporteur observes that it emerges from the observations made during the inspection procedure or from the information communicated subsequently that the company did not provide a response to the applicants or provided late or incorrect responses.

41. In defence, the company argues that the procedures it had put in place were not followed due to human error, but also because of the large number of requests received in 2020 and a disturbed context related to the health crisis. It states that if it did not process certain access requests within the time allowed, it was because of difficulties encountered in obtaining this information from its business partners, so that it was unable to properly inform complainants of the source of their data. The company indicates that it has revised its internal process for managing requests to exercise rights in order to prevent the repetition of such incidents and has reinforced communication with the teams regarding the processing of requests. It argues that after extensive research an answer could be given to Messrs […], […] and […] and that it deleted all the data concerning them.

42. The Restricted Committee notes that the company held information relating to the complainants, but that due to internal malfunctions it did not deal satisfactorily with the various requests. It considers that the company cannot rely on its difficulties in obtaining information from its business partners to justify the failure to respond to applicants in compliance with the applicable provisions. Indeed, the company calls on many commercial partners for the supply of prospect data, and it is therefore up to it to organize itself so as to ensure rigorously compliant processing of access requests and, in particular, to provide information on the origin of the data. These rights constitute a central element of individuals' control over the processing of their personal data. The company could also have proceeded in several stages, communicating within one month the data it already had.

43. The Restricted Committee notes that the facts noted by the rapporteur are not disputed by the company. It considers that a breach of the obligations of Article 15 is constituted for all of the aforementioned complaints since the company has not processed the access requests sent to it within the time limit allocated to it, thus leaving people in the dark about the data processed by the company and concerning them.

44. It notes that, in the context of this procedure, the company has justified having taken measures to comply with the obligations arising from Article 15 of the GDPR.

3. On the breach relating to the obligation to respect the right to object (article 21 of the GDPR)

45. In proposing that the Restricted Committee find that the company has failed to comply with its obligations resulting from Article 21 of the GDPR, the rapporteur relies on six referrals to the CNIL, from Ms […] (complaint no. […]) and Ms […] (complaint no. […]) and from Mr […] (complaint no. […]), […] (complaint no. […]), […] (complaint no. […]) and […] (complaint no. […]), in which the complainants reported their difficulties in exercising their right to object to commercial prospecting.

46. The rapporteur indicates that these six referrals concern requests for the deletion of data in order to no longer receive commercial prospecting calls and the pursuit of commercial solicitations notwithstanding the exercise of the right to oppose the processing of data for this purpose.

47. The rapporteur observes that it emerges from the observations made during the inspection procedure or from the elements communicated subsequently that the complainants either did not obtain a response to their requests to object, made by registered letter and of which the company had nevertheless acknowledged receipt, on the grounds that they had not been sent to the unit responsible for processing them, or were informed that their requests had been taken into account by the company, which confirmed to them the deletion of their personal data, but without implementing measures to satisfy their requests to object, since they continued to receive telephone calls in the months following their requests. The rapporteur adds that for one of the requests to object to the processing of personal data for prospecting purposes, the complainant did not obtain any satisfaction even though the request had been received by the company.

48. In defence, the company first argues that the impact on the rights and freedoms of the persons concerned is limited and that these complaints should be put into perspective against the satisfactory handling of the very many other requests managed by the company during 2020. It then adds that, in these specific cases, the non-compliance with the procedures put in place by the company was due to human errors by agents who did not always react appropriately and did not follow the required procedures. It can also be explained by the disturbed context at the time of the events, due to the health crisis, which upset the organization in place and made exchanges between the company's departments more complex.

49. The company notes that three requests were not sent to the unit responsible for processing them. It acknowledges having received the letters. However, it emphasizes that the fact that the requests were not sent to the dedicated unit, and that the person who received the letters was unable to identify their subject and therefore did not forward them to the dedicated unit, explains why they were not processed.

50. On this point, the Restricted Committee considers that while it is undisputed that the complainants did not address their requests directly to the unit in charge of responding to them, the fact remains that it was incumbent on the company, since the requests, one of which was addressed directly to the data protection officer, were indeed received by it and were clear in their terms, to process them within the time limits provided for by the GDPR and to ensure that they were forwarded to the competent department. Indeed, while the implementation of organizational measures making it possible to facilitate the exercise of the rights of individuals, such as the establishment of this dedicated unit, complies with the requirements and objectives pursued by the GDPR, this cannot, on the other hand, exempt the company from its obligation to respond to requests made to it by mail even if they are not sent to it through the channel provided for this purpose, a fortiori when, as is the case here, the content of the request is clear.

51. The Restricted Committee notes that, even if the company indicates that it took the complainants' requests into account but did not satisfy them due to human error or technical problems, this does not mean that it provided a satisfactory response, as the complainants continued to receive commercial prospecting telephone calls.

52. The Restricted Committee notes that the facts noted by the rapporteur are not disputed by the company. It considers that a breach of the obligations arising from Article 21 of the GDPR is constituted since the company did not take into account the objection of the data subjects to the processing of their personal data.

53. It notes that, in the context of this procedure, the company has justified having taken measures to comply with the obligations arising from Article 21 of the GDPR.

II. On corrective measures and their publicity

Under the terms of III of article 20 of the law of January 6, 1978 as amended:

"When the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law, the President of the National Commission for Computing and Liberties may also, if necessary after having sent him the warning provided for in I of this article or, if necessary, in addition to a formal notice provided for in II, seize the restricted formation of the commission with a view to the pronouncement, after adversarial procedure, of one or more of the following measures: (…) 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover of the previous financial year, whichever is higher. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted formation takes into account, in determining the amount of the fine, the criteria specified in the same article 83."

According to Article 83 of the GDPR:

"1. Each supervisory authority shall ensure that administrative fines imposed under this Article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding the amount of that fine.

54. Firstly, on the principle of imposing a fine, the company maintains that such a measure is not necessary and would not be proportionate in view of the facts with which it is charged.

55. The Restricted Committee recalls that it must take into account, for the pronouncement of an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, gravity and duration of the violation, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the breach.

56. The Restricted Committee considers first of all that the company has shown a certain negligence with regard to the fundamental principles of the GDPR, since five breaches have been established, relating in particular to information and the rights of individuals. The Restricted Committee adds that several of these shortcomings have given rise to complaints.

57. The Restricted Committee then notes that the company is a particularly important player in the energy production and supply sector, since it had approximately 8 million customers and prospects in 2021, which made it the third-largest energy supplier in France. It therefore has significant resources enabling it to deal with questions of personal data protection.

58. The Restricted Committee also observes that the company makes extensive use of commercial prospecting carried out by telephone or e-mail.

59. Consequently, the Restricted Committee considers that an administrative fine should be imposed with regard to the breaches of Article L. 34-5 of the CPCE and Articles 12, 14, 15 and 21 of the GDPR.

60. Secondly, with regard to the amount of the fine, the Restricted Committee recalls that administrative fines must be both dissuasive and proportionate. In this case, the company disregarded its obligations resulting from Article L. 34-5 of the CPCE with regard to the 4.6 million prospects, recorded in September 2020, for whom a subscription made via an online form was in progress. Beyond the shortcomings linked to the commercial prospecting carried out by the company which were noted in the context of the audit, the Restricted Committee observes that the complaints revealing the existence of shortcomings appear to be few in number (their number, eighteen, must be set against the approximately 8 million customers and prospects), so that these shortcomings cannot be regarded as having a systemic character.

61. The Restricted Committee also recalls that the activity of the company and its financial situation must be taken into account when determining the sanction and in particular, in the event of an administrative fine, its amount. It notes in this respect that the company reports a turnover of […] in 2020 for a net result amounting to […] euros.

62. The Restricted Committee also acknowledges the efforts made by the company to comply throughout the procedure.

63. Therefore, in view of these elements, the Restricted Committee considers that the imposition of an administrative fine of one million euros appears justified.

64. Thirdly, an injunction to bring the processing into compliance with the provisions of Article L. 34-5 of the CPCE and Articles 12, 14, 15 and 21 of the GDPR was proposed by the rapporteur during the notification of the report.

65. The company maintains that the actions it has taken with regard to all of the breaches identified should lead the Restricted Committee not to follow the rapporteur's proposal for an injunction.

66. As indicated above, the Restricted Committee notes that the company has taken measures to bring its processing into compliance with the provisions of Article L. 34-5 of the CPCE and Articles 12, 14, 15 and 21 of the GDPR. It therefore considers that there is no need to issue an injunction.

67. Finally, with regard to the publication of the sanction decision, the company argues that such a measure would be disproportionate in view of the limited nature of the alleged breaches and its compliance. It also considers that the publication of the sanction would have a significant impact in terms of image for the company and that it would be favorable to its main competitors, in a very competitive market.

The Restricted Committee considers that the publicity of the sanction is justified with regard to the nature of the breaches, which relate essentially to the processing of millions of data records carried out within the framework of commercial prospecting campaigns, and in particular to the information delivered to the persons concerned and to the procedures for exercising rights. It also considers that this measure will make it possible to inform the persons concerned of the past existence of the breaches sanctioned, insofar as these facts have been the subject of several complaints.

FOR THESE REASONS

The CNIL Restricted Committee, after having deliberated, decides to:

• impose an administrative fine on TOTALENERGIES ELECTRICITÉ ET GAZ FRANCE in the amount of 1,000,000 (one million) euros for breaches of article L. 34-5 of the CPCE and articles 12, 14, 15 and 21 GDPR;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name at the end of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be appealed to the Council of State within two months of its notification.