Online commercial prospecting and infringement of personal rights: analysis of recent CNIL decisions

Authors: Marine Vanhoucke, Partner, and Michela Navarra

Since the entry into force of the General Data Protection Regulation (GDPR), many data subjects have become aware of their rights relating to the processing of their personal data. They no longer hesitate to complain directly to the CNIL about potential infringements of those rights.

Moreover, the number of complaints rose by 4% in 2022 compared with the previous year, and above all there was a clear increase in complaints relating to requests to exercise the right of access. At the same time, the CNIL has unquestionably stepped up its inspections and imposed increasingly heavy administrative fines.

Faced with the many access requests from the persons whose personal data they process, businesses have no choice but to adapt if they are to avoid sanctions. However, compliance remains a fairly complex and time-consuming process that can sometimes seem out of reach. Major market players, although a priori better placed to comply, are also the subject of public and exemplary sanctions. The recent CNIL decisions against EDF and FREE MOBILE illustrate this.

Decision against EDF

The CNIL's investigation, which followed several complaints from users, revealed breaches of the GDPR, in particular regarding commercial prospecting, the right of access and password security. On November 24, 2022, the CNIL imposed an administrative fine of 600,000 euros on EDF.

On the breach of the obligation to obtain individuals' consent to commercial prospecting by electronic means (Article L. 34-5 of the CPCE and Article 7 of the GDPR)

During the inspections, EDF was unable to demonstrate to the CNIL that it had obtained the consent of the persons targeted by its electronic commercial prospecting campaign, which ran between 2020 and 2021. EDF admitted that it had used a customer base purchased from a personal-data broker and had not checked the consent collection forms;

On the breach of the obligation to inform (Articles 13 and 14 of the GDPR) and of the obligation to respect the exercise of rights (Articles 12, 15 and 21 of the GDPR)

The CNIL found that EDF had not fulfilled its obligation to inform data subjects: the personal data protection charter published on its website did not specify the legal basis for each use of the data and was imprecise about retention periods;

On the breach of the obligation to ensure the security of personal data (Article 32 of the GDPR)

The CNIL considered that EDF had not complied with its obligation to secure personal data: the passwords for the customer area of the "prime énergie" portal were, for more than 25,000 accounts, stored in an insecure manner until July 2022.

Decision against FREE MOBILE

After receiving several complaints that FREE MOBILE had failed to act on requests for access and on objections to receiving commercial prospecting messages, the CNIL investigated and, on November 30, 2022, imposed a fine of 300,000 euros on FREE MOBILE.

On the breach of the right of access (art. 15 of the GDPR):  

The CNIL found a breach of the obligation to respect individuals' right of access to the data concerning them, FREE MOBILE not having responded to data subjects' access requests within the one-month period laid down by the GDPR;

On the breach of the right to object (Art. 21 of the GDPR):  

Furthermore, FREE MOBILE did not respect data subjects' right to object (Articles 12 and 21 of the GDPR), since it did not act on explicit requests to stop commercial prospecting;

On the breach of the “privacy by design” obligation (Art. 25 of the GDPR):  

The CNIL also found a breach of the obligation of data protection by design (Article 25 of the GDPR), since FREE MOBILE had continued to send invoices relating to telephone lines whose subscriptions had nevertheless been terminated;

On the breach of the obligation to ensure the security of personal data (Article 32 of the GDPR):

Finally, the CNIL found a breach of the obligation to secure personal data (Article 32 of the GDPR): FREE MOBILE sent users' passwords by e-mail in plain text, without those passwords being temporary or the user being required to change them.
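The two Article 32 findings above (EDF's insecurely stored passwords and FREE MOBILE's plain-text, non-temporary passwords sent by e-mail) are the only technical points in these decisions. As an added illustration, not taken from the CNIL decisions or from either company's systems, the following Python sketch shows the practice a controller is expected to follow instead: passwords are stored only as salted digests produced by a slow key-derivation function, and account recovery relies on a single-use, time-limited token carried in the e-mail rather than the password itself. The in-memory user store, the 15-minute validity period and the example.invalid reset URL are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory stores for this example (assumption: a real system uses a database).
USERS: Dict[str, Dict] = {}
RESET_TOKENS: Dict[str, Dict] = {}

# Assumed policy value: a reset link is valid for 15 minutes and can be used exactly once.
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a password verifier with scrypt: per-user random salt, deliberately slow."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def register(username: str, password: str) -> None:
    """Persist only the salt and the scrypt digest; the password itself is never stored."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest}


def verify_password(username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare it in constant time."""
    rec = USERS.get(username)
    if rec is None:
        # Run the KDF anyway so that unknown usernames cost the same time as known ones.
        hash_password(password)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["digest"])


def _token_key(token: str) -> str:
    # Only a hash of the token is kept server-side, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use, time-limited reset token; the e-mail carries this, never a password."""
    if username not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {"user": username, "expires": now + TOKEN_TTL_SECONDS}
    return token


def reset_email_body(token: str) -> str:
    """What the user receives: a link carrying the token (hypothetical URL). No password appears."""
    return f"To choose a new password, open https://example.invalid/reset?token={token} within 15 minutes."


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token exactly once, reject it if unknown or expired, then set the new password."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(_token_key(token), None)  # pop: the token cannot be used a second time
    if rec is None or now > rec["expires"]:
        return False
    salt, digest = hash_password(new_password)
    USERS[rec["user"]] = {"salt": salt, "digest": digest}
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    tok = issue_reset_token("alice")
    print(reset_email_body(tok))
    print("reset ok:", redeem_reset_token(tok, "new passphrase"))
    print("old password rejected:", not verify_password("alice", "correct horse battery staple"))
```

The design choice worth noting is that the server never possesses anything it could send in plain text: the stored verifier cannot be turned back into the password, and the reset token is both short-lived and consumed on first use, so an intercepted e-mail gives an attacker at most a narrow, one-shot window rather than a permanent credential.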


Marine Vanhoucke

Partner

Marine Vanhoucke advises companies on intellectual property and supports them on compliance matters.

As head of the Hong Kong office, she assists French companies with their establishment and growth in Asia and has built up expertise in international-law issues, notably those combining French and Asian interests.