ÉLECTRICITÉ DE FRANCE – €600,000 Fine (France, 2022)

€600,000 | Commission Nationale de l'Informatique et des Libertés | 24 November 2022 | France
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

France's data protection authority fined ÉLECTRICITÉ DE FRANCE EUR 600,000 for not properly handling customer data and failing to obtain valid consent for marketing. EDF also had security issues with customer passwords. This case shows the need for companies to provide clear privacy information and protect customer data effectively.

What happened

EDF was fined for not providing adequate privacy information, mishandling customer requests, and insecurely storing passwords.

Who was affected

EDF customers who faced difficulties exercising their data rights and had their data insecurely stored.

What the authority found

The French DPA found EDF violated GDPR by failing to inform customers properly, respond to requests, and secure data.

Why this matters

This ruling stresses the importance of transparency in data processing and robust data security measures. Companies should ensure they meet GDPR standards to protect customer rights and data.

GDPR Articles Cited

AI-verified

Art. 12 GDPR
Art. 13 GDPR
Art. 14 GDPR
Art. 15 GDPR
Art. 21 GDPR
Art. 32 GDPR
Art. 5(1)(f) GDPR
Art. 6(1) GDPR

National Law Articles

AI-identified

Art. 82 Loi Informatique et Libertes
Source verified 6 March 2026
articles corrected
national law identified
Full Legal Summary
Detailed

The French DPA has imposed a fine of EUR 600,000 on ÉLECTRICITÉ DE FRANCE (EDF), France's largest electricity supplier. The DPA had received several complaints that individuals were experiencing difficulties in exercising their rights with EDF. During its investigation, the DPA found that EDF's privacy policy did not provide sufficient information on various aspects of data processing, such as the retention period of personal data. In addition, the DPA found that EDF had not responded to a number of data subject requests in a timely manner. EDF also failed to respect data subjects' right to object to advertising requests in some cases. Furthermore, the DPA noted that EDF failed to demonstrate that it had obtained valid consent from data subjects in the context of a commercial solicitation campaign. Finally, the DPA concluded that EDF had failed to implement sufficient technical and organizational measures to protect personal data. EDF had insecurely stored passwords of more than 25,000 customer accounts. In addition, the company had merely hashed and not salted passwords of 2.4 million accounts.

Related Enforcement Actions (0)

No other enforcement actions found for ÉLECTRICITÉ DE FRANCE in FR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

24 November 2022

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€600,000

Enforcement Tracker ID

ETid-1506

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. ÉLECTRICITÉ DE FRANCE - France (2022). Retrieved from cookiefines.eu
