https://gdprhub.eu/api.php?hidebots=1&urlversion=1&days=30&limit=50&target=Category%3AFrance&action=feedrecentchanges&feedformat=atomGDPRhub - Changes related to "Category:France" [en]2024-03-28T14:44:39ZRelated changesMediaWiki 1.39.6https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2024-003&diff=40337&oldid=40328CNIL (France) - SAN-2024-0032024-03-13T10:44:50Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:44, 13 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l67">Line 67:</td>
<td colspan="2" class="diff-lineno">Line 67:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">CNIL </del>fined a controller who carried out telephone canvassing campaigns using data purchased with data suppliers €310,000 for, among other things, not having a legal basis for processing. The controller did not appear in the data supplier’s list of partners, which did not allow the use of legitimate interest, and the data suppliers <del style="font-weight: bold; text-decoration: none;">did not respect privacy by </del>design when collecting consent.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The <ins style="font-weight: bold; text-decoration: none;">DPA </ins>fined a controller who carried out telephone canvassing campaigns using data purchased with data suppliers €310,000 for, among other things, not having a legal basis for processing. The controller did not appear in the data supplier’s list of partners, which did not allow the use of legitimate interest, and the data suppliers <ins style="font-weight: bold; text-decoration: none;">used a deceptive </ins>design when collecting consent.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40328:rev-40337 -->
</table>Nzmhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2024-003&diff=40328&oldid=40316CNIL (France) - SAN-2024-0032024-03-13T10:11:02Z<p><span dir="auto"><span class="autocomment">Facts</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:11, 13 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l72">Line 72:</td>
<td colspan="2" class="diff-lineno">Line 72:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>On 23 September 2021, the French DPA (“CNIL”) carried out an inspection on Foriou’s premises (“controller”), in particular regarding the legal basis of the processing and the security measures taken. The controller was in the business of marketing and managing loyalty programs and cards. In order to promote its programs, until 2021, the controller carried out telephone canvassing campaigns using prospect files purchased with several data suppliers who collected the data via entry forms for online competitions. The personal data collected was the following: surname, first name, <del style="font-weight: bold; text-decoration: none;">tile</del>, email address, date of birth and postal address.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>On 23 September 2021, the French DPA (“CNIL”) carried out an inspection on Foriou’s premises (“controller”), in particular regarding the legal basis of the processing and the security measures taken. The controller was in the business of marketing and managing loyalty programs and cards. In order to promote its programs, until 2021, the controller carried out telephone canvassing campaigns using prospect files purchased with several data suppliers who collected the data via entry forms for online competitions. The personal data collected was the following: surname, first name, <ins style="font-weight: bold; text-decoration: none;">title</ins>, email address, date of birth and postal address.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>During its investigations, the CNIL discovered that the data suppliers all had similar forms on their websites: there were fields which enabled the data subject to enter their contact details. Underneath these fields were a “Validate”, “I validate” or “I answer questions to apply” button. Above or below this button, a text specified that by clicking on it, the user declared that they read the data supplier’s data protection policy and accepts that the data collected would be used to send them offers from the company’s partners. Hyperlinks were provided to access the data protection policy as well as the list of partners concerned. However, the list did not mention the controller. At the end of the text it was specified that if the user wished to continue without receiving <del style="font-weight: bold; text-decoration: none;">offer’s </del>from the data supplier’s partners, they could click a link in the text (“click here”). </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>During its investigations, the CNIL discovered that the data suppliers all had similar forms on their websites: there were fields which enabled the data subject to enter their contact details. Underneath these fields were a “Validate”, “I validate” or “I answer questions to apply” button. Above or below this button, a text specified that by clicking on it, the user declared that they read the data supplier’s data protection policy and accepts that the data collected would be used to send them offers from the company’s partners. Hyperlinks were provided to access the data protection policy as well as the list of partners concerned. However, the list did not mention the controller. At the end of the text it was specified that if the user wished to continue without receiving <ins style="font-weight: bold; text-decoration: none;">offers </ins>from the data supplier’s partners, they could click a link in the text (“click here”). </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Therefore, data subjects could either click on the “Validate” button and accept that their data would be used to send them offers from the data supplier’s partners or on the “click here” link to continue without receiving these offers.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Therefore, data subjects could either click on the “Validate” button and accept that their data would be used to send them offers from the data supplier’s partners or on the “click here” link to continue without receiving these offers.</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l87">Line 87:</td>
<td colspan="2" class="diff-lineno">Line 87:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Regarding the controller’s legitimate interest, the CNIL added that the controller must ensure that the processing does not infringe the rights and interests of the data subject, taking into account their reasonable expectations. The CNIL held that regarding the fact that the controller was not listed as a partner from the data supplier, the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to justify its commercial canvassing operations by telephone, as the protection of the interests, freedoms and fundamental rights of the data subjects took precedence over the legitimate interests of the controller. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Regarding the controller’s legitimate interest, the CNIL added that the controller must ensure that the processing does not infringe the rights and interests of the data subject, taking into account their reasonable expectations. The CNIL held that regarding the fact that the controller was not listed as a partner from the data supplier, the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to justify its commercial canvassing operations by telephone, as the protection of the interests, freedoms and fundamental rights of the data subjects took precedence over the legitimate interests of the controller. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Regarding consent, the CNIL stressed that concerning commercial canvassing operations, when the data subject’s data has not been collected directly from them by the canvassing organization, consent may be obtained by the initial collector on behalf of the organization that will carry out subsequent canvassing operations. If this is not the case, it is up to the prospecting organization to obtain such consent before proceeding with the processing. The CNIL considered that the design of the forms on the data supplier’s website did not allow data subject’s to express a valid choice as the interfaces particularly highlight the “Validate”, “I validate” or “I answer questions to apply” button, whose size and color make it stand out from the other information provided. The words used also suggested the conclusion of the data subject’s <del style="font-weight: bold; text-decoration: none;">journey </del>rather than the transmission of data to partners and the location of the button on the form gave the impression that it must be clicked to complete the registration and take part in the competition. The CNIL also found that the hyperlink text which allowed data subjects to partake in the competition without agreeing to the transmission of their data to partners was presented in the body of the text in characters much smaller in size than those used for the buttons and without any particular emphasis. The CNIL also found that the forms submitted by the controller in its observations did not sufficiently inform the data subjects either. Therefore, the CNIL considered that the consent was not unambiguous and free as per required under [[Article 4 GDPR#11|Article 4(11) GDPR]].</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Regarding consent, the CNIL stressed that concerning commercial canvassing operations, when the data subject’s data has not been collected directly from them by the canvassing organization, consent may be obtained by the initial collector on behalf of the organization that will carry out subsequent canvassing operations. If this is not the case, it is up to the prospecting organization to obtain such consent before proceeding with the processing. The CNIL considered that the design of the forms on the data supplier’s website did not allow data subject’s to express a valid choice as the interfaces particularly highlight the “Validate”, “I validate” or “I answer questions to apply” button, whose size and color make it stand out from the other information provided. The words used also suggested the conclusion of the data subject’s <ins style="font-weight: bold; text-decoration: none;">registration process </ins>rather than the transmission of data to partners and the location of the button on the form gave the impression that it must be clicked to complete the registration and take part in the competition. The CNIL also found that the hyperlink text which allowed data subjects to partake in the competition without agreeing to the transmission of their data to partners was presented in the body of the text in characters much smaller in size than those used for the buttons and without any particular emphasis. The CNIL also found that the forms submitted by the controller in its observations did not sufficiently inform the data subjects either. Therefore, the CNIL considered that the consent was not unambiguous and free as per required under [[Article 4 GDPR#11|Article 4(11) GDPR]].</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In the absence of a legal basis enabling the controller to base its commercial canvassing operations by telephone, the CNIL considered that a breach of [[Article 6 GDPR|Article 6 GDPR]] was constituted.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In the absence of a legal basis enabling the controller to base its commercial canvassing operations by telephone, the CNIL considered that a breach of [[Article 6 GDPR|Article 6 GDPR]] was constituted.</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40316:rev-40328 -->
</table>Mghttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2024-003&diff=40316&oldid=40315CNIL (France) - SAN-2024-0032024-03-12T16:04:14Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:04, 12 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l67">Line 67:</td>
<td colspan="2" class="diff-lineno">Line 67:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The CNIL fined a controller who carried out telephone canvassing campaigns using data purchased with data suppliers €310,000 for, among other things, not having a legal basis for processing.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The CNIL fined a controller who carried out telephone canvassing campaigns using data purchased with data suppliers €310,000 for, among other things, not having a legal basis for processing<ins style="font-weight: bold; text-decoration: none;">. The controller did not appear in the data supplier’s list of partners, which did not allow the use of legitimate interest, and the data suppliers did not respect privacy by design when collecting consent</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l91">Line 91:</td>
<td colspan="2" class="diff-lineno">Line 91:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In the absence of a legal basis enabling the controller to base its commercial canvassing operations by telephone, the CNIL considered that a breach of [[Article 6 GDPR|Article 6 GDPR]] was constituted.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>In the absence of a legal basis enabling the controller to base its commercial canvassing operations by telephone, the CNIL considered that a breach of [[Article 6 GDPR|Article 6 GDPR]] was constituted.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the CNIL also pointed out that a simple contractual commitment by a data broker to comply with the GDPR as well as the rules applicable to commercial prospecting do not constitute a sufficient measure (see CNIL, SAN-2022-021). Thus, the DPA considered that the contractual obligations that the controller imposed on its suppliers did not exonerate the controller from its liability, despite the possible existence of liability on part of suppliers.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the CNIL also pointed out that a simple contractual commitment by a data broker to comply with the GDPR as well as the rules applicable to commercial prospecting do not constitute a sufficient measure (see <ins style="font-weight: bold; text-decoration: none;">[https://gdprhub.eu/index.php?title=CNIL_(France)_-_Deliberation_of_the_restricted_training_n%C2%B0SAN-2022-021_of_November_24,_2022_concerning_the_company_ELECTRICIT%C3%89_DE_FRANCE </ins>CNIL, SAN-2022-021<ins style="font-weight: bold; text-decoration: none;">]</ins>). Thus, the DPA considered that the contractual obligations that the controller imposed on its suppliers did not exonerate the controller from its liability, despite the possible existence of liability on part of suppliers.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Finally, the CNIL noted that during the phase of current use, which corresponds to the time required to achieve the purpose of the processing, the data is kept in an “active base” and is accessible to all departments responsible for implementing and processing. At the end of this phase, when the data is no longer used to achieve the set objective, but is still of administrative use to the controller (for example the management of a possible dispute), it must be possible to consult only on an ad hoc basis and for a specific reason, by specially authorized people. With regards to this case, the CNIL held that the information they found did not make it possible to establish that persons would have access to the data without having a need to know. Therefore, the DPA concluded that there was no breach of [[Article 32 GDPR|Article 32 GDPR]]. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Finally, the CNIL noted that during the phase of current use, which corresponds to the time required to achieve the purpose of the processing, the data is kept in an “active base” and is accessible to all departments responsible for implementing and processing. At the end of this phase, when the data is no longer used to achieve the set objective, but is still of administrative use to the controller (for example the management of a possible dispute), it must be possible to consult only on an ad hoc basis and for a specific reason, by specially authorized people. With regards to this case, the CNIL held that the information they found did not make it possible to establish that persons would have access to the data without having a need to know. Therefore, the DPA concluded that there was no breach of [[Article 32 GDPR|Article 32 GDPR]]. </div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l99">Line 99:</td>
<td colspan="2" class="diff-lineno">Line 99:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>To grasp the notion of consent, the CNIL referred to several documents:</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>To grasp the notion of consent, the CNIL referred to several documents:</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>- <del style="font-weight: bold; text-decoration: none;">CJUE, grande chambre</del>, <del style="font-weight: bold; text-decoration: none;">1er octobre </del>2019, Planet49 GmbH, C-673/17</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">- </del>CE, 10ème et 9ème chambres réunies, 19 juin 2020, Google LLC, n° 430810</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">* [https://gdprhub.eu/index.php?title=CJEU_</ins>-<ins style="font-weight: bold; text-decoration: none;">_C-673/17_-_Planet49 CJEU</ins>, <ins style="font-weight: bold; text-decoration: none;">1 October </ins>2019, Planet49 GmbH, C-673/17<ins style="font-weight: bold; text-decoration: none;">]</ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">- </del>Guidelines 05/2020 on consent under Regulation 2016/679</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">* [https://www.legifrance.gouv.fr/ceta/id/CETATEXT000042040546 </ins>CE, 10ème et 9ème chambres réunies, 19 juin 2020, Google LLC, n° 430810<ins style="font-weight: bold; text-decoration: none;">]</ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>- CNIL, SAN-2020-092</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">* [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202005_consent_en.pdf </ins>Guidelines 05/2020 on consent under Regulation 2016/679<ins style="font-weight: bold; text-decoration: none;">]</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">* [https://www.cnil.fr/sites/cnil/files/atoms/files/recommandation-cookies-et-autres</ins>-<ins style="font-weight: bold; text-decoration: none;">traceurs.pdf </ins>CNIL, <ins style="font-weight: bold; text-decoration: none;">Délibération </ins>SAN-2020-092<ins style="font-weight: bold; text-decoration: none;">]</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Further Resources ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Further Resources ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40315:rev-40316 -->
</table>Nzmhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2024-003&diff=40315&oldid=0CNIL (France) - SAN-2024-0032024-03-12T15:54:54Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=SAN-2024-003 |ECLI= |Original_Source_Name_1=Légifrance |Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000049231950?page=1&pageSize=10&query=2016%252F679&searchField=ALL&searchType=ALL&sortValue=DATE_DECISION_DESC&tab_selection=cnil&typePagination=DEFAULT |Original_Source_Language_1=French |Original_So..."</p>
<a href="https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2024-003&diff=40315">Show changes</a>Nzmhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_Deliberation_of_the_restricted_training_n%C2%B0SAN-2022-021_of_November_24,_2022_concerning_the_company_ELECTRICIT%C3%89_DE_FRANCE&diff=40275&oldid=0CNIL (France) - Deliberation of the restricted training n°SAN-2022-021 of November 24, 2022 concerning the company ELECTRICITÉ DE FRANCE2024-03-06T21:54:59Z<p>Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=Deliberation of the restricted training n°SAN-2022-021 of November 24, 2022 concerning the company ELECTRICITÉ DE FRANCE |ECLI= |Original_Source_Name_1=Légifrance |Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046650733?page=1&pageSize=10&query=2016%252F679&searchField=ALL&searchType=ALL&sortVal..."</p>
<a href="https://gdprhub.eu/index.php?title=CNIL_(France)_-_Deliberation_of_the_restricted_training_n%C2%B0SAN-2022-021_of_November_24,_2022_concerning_the_company_ELECTRICIT%C3%89_DE_FRANCE&diff=40275">Show changes</a>Annkathrin.a.dixhttps://gdprhub.eu/index.php?title=CE_-_474625&diff=40269&oldid=40260CE - 4746252024-03-06T15:29:27Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:29, 6 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l53">Line 53:</td>
<td colspan="2" class="diff-lineno">Line 53:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Party_Link_3=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Party_Link_3=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_From_Body=CNIL</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_From_Body=CNIL <ins style="font-weight: bold; text-decoration: none;">(France)</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_From_Case_Number_Name=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_From_Case_Number_Name=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_From_Status=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|Appeal_From_Status=</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40260:rev-40269 -->
</table>Sflhttps://gdprhub.eu/index.php?title=CE_-_474625&diff=40260&oldid=40233CE - 4746252024-03-06T13:56:01Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:56, 6 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l66">Line 66:</td>
<td colspan="2" class="diff-lineno">Line 66:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">In an appeal against a CNIL decision, the </del>Supreme Administrative Court found that <del style="font-weight: bold; text-decoration: none;">the CNIL did not vitiate its decision </del>to <del style="font-weight: bold; text-decoration: none;">close </del>a <del style="font-weight: bold; text-decoration: none;">complaint as it reminded the controller of its legal obligation and invited the </del>data subject <del style="font-weight: bold; text-decoration: none;">to submit </del>a <del style="font-weight: bold; text-decoration: none;">new complaint if </del>the controller <del style="font-weight: bold; text-decoration: none;">did not comply </del>within 6 <del style="font-weight: bold; text-decoration: none;">months</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The </ins>Supreme Administrative Court found that <ins style="font-weight: bold; text-decoration: none;">a DPA’s order to reply </ins>to <ins style="font-weight: bold; text-decoration: none;">an access request is a sufficient corrective measure under Article 58(2) GDPR. However, if </ins>a data subject <ins style="font-weight: bold; text-decoration: none;">does not get </ins>a <ins style="font-weight: bold; text-decoration: none;">reply from </ins>the controller within 6 <ins style="font-weight: bold; text-decoration: none;">weeks, it can file a second complaint and the DPA’s discretion will be limited</ins>. <ins style="font-weight: bold; text-decoration: none;"> </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l78">Line 78:</td>
<td colspan="2" class="diff-lineno">Line 78:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat considered that with regard to [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822923 Article 8] and [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000045072444 20 of "Loi Informatique et Libertés"] it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the <del style="font-weight: bold; text-decoration: none;">complainant </del>may refer to the CNIL’s refusal to act with the administrative judge (juge de l’excès de pouvoir). It is then up to the judge to review the CNIL’s refusal, where appropriate. However, if the <del style="font-weight: bold; text-decoration: none;">complainant </del>alleges that a controller has disregarded the rights regarding personal data, guaranteed by law to the data subject.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat considered that with regard to [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822923 Article 8] and [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000045072444 20 of "Loi Informatique et Libertés"] it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the <ins style="font-weight: bold; text-decoration: none;">data subject </ins>may refer to the CNIL’s refusal to act with the administrative judge (juge de l’excès de pouvoir). It is then up to the judge to review the CNIL’s refusal, where appropriate. However, if the <ins style="font-weight: bold; text-decoration: none;">data subject </ins>alleges that a controller has disregarded the rights regarding personal data, guaranteed by law to the data subject <ins style="font-weight: bold; text-decoration: none;">with regard to personal data concerning them the CNIL's discretionary power to decide what action to take is exercised under the full control of the juge de l'excès de pouvoir</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 <del style="font-weight: bold; text-decoration: none;">months</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 <ins style="font-weight: bold; text-decoration: none;">weeks</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat therefore rejected the appeal against the CNIL decision.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat therefore rejected the appeal against the CNIL decision.</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40233:rev-40260 -->
</table>Nzmhttps://gdprhub.eu/index.php?title=CE_-_474625&diff=40233&oldid=40222CE - 4746252024-03-06T09:44:01Z<p><span dir="auto"><span class="autocomment">Facts</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 09:44, 6 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l71">Line 71:</td>
<td colspan="2" class="diff-lineno">Line 71:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>On 10 April 2023, a data subject sent an erasure request to Societe.com (“controller”). The controller failed to respond to the request, therefore the data subject lodged a complaint with the French DPA (“CNIL”). The CNIL reminded the company of its legal obligations, in particular by asking the controller to provide a response to the request, and therefore closed the data subject’s complaint and invited the data subject to submit a new complaint to the CNIL in 6 weeks if the controller failed to reply to this request. The data subject sought the annulment of this decision with the French Supreme Administrative Court (“Conseil d’Etat”).</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>On 10 April 2023, a data subject sent an erasure request to Societe.com (“controller”). The controller failed to respond to the request, therefore the data subject lodged a complaint with the French DPA (“CNIL”). </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The CNIL reminded the company of its legal obligations, in particular by asking the controller to provide a response to the request, and therefore closed the data subject’s complaint and invited the data subject to submit a new complaint to the CNIL in 6 weeks if the controller failed to reply to this request. </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The data subject sought the annulment of this decision with the French Supreme Administrative Court (“Conseil d’Etat”).</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat considered that with regard to [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822923 Article 8] and [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000045072444 20 of "Loi Informatique et Libertés"] it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the <del style="font-weight: bold; text-decoration: none;">author of the complaint </del>may refer to the CNIL’s refusal to act with the administrative judge (juge de l’excès de pouvoir). It is then up to the judge to <del style="font-weight: bold; text-decoration: none;">censure </del>the CNIL’s refusal, where appropriate. However, if the complainant alleges that a <del style="font-weight: bold; text-decoration: none;">data </del>controller has disregarded the rights regarding personal data, guaranteed by law to the data subject.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat considered that with regard to [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822923 Article 8] and [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000045072444 20 of "Loi Informatique et Libertés"] it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the <ins style="font-weight: bold; text-decoration: none;">complainant </ins>may refer to the CNIL’s refusal to act with the administrative judge (juge de l’excès de pouvoir). It is then up to the judge to <ins style="font-weight: bold; text-decoration: none;">review </ins>the CNIL’s refusal, where appropriate. However, if the complainant alleges that a controller has disregarded the rights regarding personal data, guaranteed by law to the data subject.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 months.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 months.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat therefore <del style="font-weight: bold; text-decoration: none;">refused to annul </del>the CNIL decision.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat therefore <ins style="font-weight: bold; text-decoration: none;">rejected the appeal against </ins>the CNIL decision.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40222:rev-40233 -->
</table>Mghttps://gdprhub.eu/index.php?title=CE_-_474625&diff=40222&oldid=40221CE - 4746252024-03-06T08:17:48Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:17, 6 March 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l66">Line 66:</td>
<td colspan="2" class="diff-lineno">Line 66:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>In an appeal against a CNIL decision, the Supreme Administrative Court found that the CNIL did not vitiate its decision to close a complaint as it reminded the controller of its legal obligation.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>In an appeal against a CNIL decision, the Supreme Administrative Court found that the CNIL did not vitiate its decision to close a complaint as it reminded the controller of its legal obligation <ins style="font-weight: bold; text-decoration: none;">and invited the data subject to submit a new complaint if the controller did not comply within 6 months</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l74">Line 74:</td>
<td colspan="2" class="diff-lineno">Line 74:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat considered that with regard to Article 8 and 20 of "Loi Informatique et Libertés" it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the author of the complaint may refer to the CNIL’s refusal to act with the administrative judge (juge de l’excès de pouvoir). It is then up to the judge to censure the CNIL’s refusal, where appropriate. However, if the complainant alleges that a data controller has disregarded the rights regarding personal data, guaranteed by law to the data subject.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat considered that with regard to <ins style="font-weight: bold; text-decoration: none;">[https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822923 </ins>Article 8<ins style="font-weight: bold; text-decoration: none;">] </ins>and <ins style="font-weight: bold; text-decoration: none;">[https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000045072444 </ins>20 of "Loi Informatique et Libertés"<ins style="font-weight: bold; text-decoration: none;">] </ins>it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the author of the complaint may refer to the CNIL’s refusal to act with the administrative judge (juge de l’excès de pouvoir). It is then up to the judge to censure the CNIL’s refusal, where appropriate. However, if the complainant alleges that a data controller has disregarded the rights regarding personal data, guaranteed by law to the data subject.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 months.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 months.</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40221:rev-40222 -->
</table>Nzmhttps://gdprhub.eu/index.php?title=CE_-_474625&diff=40221&oldid=0CE - 4746252024-03-06T08:16:01Z<p>Created page with "{{COURTdecisionBOX |Jurisdiction=France |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=CE |Court_Original_Name=Conseil d'Etat |Court_English_Name=Supreme Administrative Court |Court_With_Country=CE (France) |Case_Number_Name=474625 |ECLI=ECLI:FR:CECHS:2024:474625.20240214 |Original_Source_Name_1=Légifrance |Original_Source_Link_1=https://www.legifrance.gouv.fr/ceta/id/CETATEXT000049149941?juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&page=1&pageSi..."</p>
<p><b>New page</b></p><div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=France<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=CE<br />
|Court_Original_Name=Conseil d'Etat<br />
|Court_English_Name=Supreme Administrative Court<br />
|Court_With_Country=CE (France)<br />
<br />
|Case_Number_Name=474625<br />
|ECLI=ECLI:FR:CECHS:2024:474625.20240214<br />
<br />
|Original_Source_Name_1=Légifrance<br />
|Original_Source_Link_1=https://www.legifrance.gouv.fr/ceta/id/CETATEXT000049149941?juridiction=CONSEIL_ETAT&juridiction=COURS_APPEL&page=1&pageSize=10&query=2016%252F679&searchField=ALL&searchType=ALL&sortValue=DATE_DESC&tab_selection=cetat<br />
|Original_Source_Language_1=French<br />
|Original_Source_Language__Code_1=FR<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=14.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=Article 17 GDPR<br />
|GDPR_Article_Link_1=Article 17 GDPR<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 20 Loi Informatique et Libertés<br />
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000045072444<br />
|National_Law_Name_2=Article 8 Loi Informatique et Libertés<br />
|National_Law_Link_2=https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037822923<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
<br />
|Party_Name_1=Societe.com<br />
|Party_Link_1=https://www.societe.com/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=CNIL<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=nzm<br />
|<br />
}}<br />
<br />
In an appeal against a CNIL decision, the Supreme Administrative Court found that the CNIL did not vitiate its decision to close a complaint as it reminded the controller of its legal obligation.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 10 April 2023, a data subject sent an erasure request to Societe.com (“controller”). The controller failed to respond to the request, therefore the data subject lodged a complaint with the French DPA (“CNIL”). The CNIL reminded the company of its legal obligations, in particular by asking the controller to provide a response to the request, and therefore closed the data subject’s complaint and invited the data subject to submit a new complaint to the CNIL in 6 weeks if the controller failed to reply to this request. The data subject sought the annulment of this decision with the French Supreme Administrative Court (“Conseil d’Etat”).<br />
<br />
=== Holding ===<br />
The Conseil d’Etat considered that with regard to Article 8 and 20 of "Loi Informatique et Libertés" it is the CNIL’s responsibility to examine the facts giving rise to a complaint and to decide on the action to be taken. The Conseil d’Etat added that the author of the complaint may refer to the CNIL’s refusal to act with the administrative judge (juge de l’excès de pouvoir). It is then up to the judge to censure the CNIL’s refusal, where appropriate. However, if the complainant alleges that a data controller has disregarded the rights regarding personal data, guaranteed by law to the data subject.<br />
<br />
The Conseil d’Etat ruled that it was clear from the documents that the CNIL did not vitiate its decision to close the complaint as (i) the DPA reminded the controller of its legal obligation by asking the controller to comply with the request and (ii) they invited the data subject to submit a new complaint to the CNIL if the controller failed to comply with the request within 6 months.<br />
<br />
The Conseil d’Etat therefore refused to annul the CNIL decision.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the French original. Please refer to the French original for more details.<br />
<br />
<pre><br />
Full Text<br />
<br />
FRENCH REPUBLIC<br />
IN THE NAME OF THE FRENCH PEOPLE<br />
<br />
Considering the following procedure:<br />
<br />
By a request registered on May 30, 2023 at the litigation secretariat of the Council of State, Mr. B... C... asks the Council of State:<br />
<br />
1°) to annul for abuse of power the decision by which the National Commission for Information Technology and Liberties (CNIL), on May 25, 2023, declared the closure of its complaint against the company Societe.com relating to the deletion personal data concerning him;<br />
<br />
2°) to order the CNIL to take all appropriate measures to implement the right to delete personal data concerning him, accessible online on the societe.com website.<br />
<br />
Considering the other documents in the file;<br />
<br />
Seen :<br />
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;<br />
- Law No. 78-17 of January 6, 1978;<br />
- the administrative justice code;<br />
<br />
After hearing in public session:<br />
<br />
- the report of Mr. Emmanuel Weicheldinger, master of requests for extraordinary service,<br />
<br />
- the conclusions of Ms. Esther de Moustier, public rapporteur;<br />
<br />
Considering the following:<br />
<br />
1. It appears from the documents in the file that, on April 10, 2023, Mr. C... sent the company Societe.com a request to erase personal data concerning him, accessible online. On May 17, 2023, Mr. C... filed a complaint with the National Commission for Information Technology and Liberties (CNIL) due to the lack of response from the company Societe.com to his request. On May 25, 2023, the CNIL indicated to Mr. C... that it had reminded the company of its legal obligations, in particular by asking him to provide a response to his request, that he would have the possibility of contacting the CNIL again. , after the expiration of a period of six weeks, in the event that the company has not complied with its obligations, and has therefore taken a decision to close its complaint. Mr. C... requests the annulment of this decision.<br />
<br />
2. Firstly, Article 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (known as GDPR) provides that: "1. The data subject has the right to obtain from the data controller the erasure, as soon as possible, of personal data concerning him or her and the data controller has the "obligation to erase these personal data as soon as possible when one of the following reasons applies (...). ". Article 51 of the law of January 6, 1978 relating to data processing, files and freedoms provides that: "I. The right to erasure is exercised under the conditions provided for in article 17 of the regulation (EU ) 2016/679 of April 27, 2016. / (...) In the event of non-execution of the erasure of personal data or in the event of no response from the data controller within a period of one month to From the date of the request, the person concerned may contact the National Commission for Information Technology and Freedoms, which will rule on this request within three weeks from the date of receipt of the complaint.<br />
<br />
3. Secondly, under the terms of article 8 of the law of January 6, 1978: "I.- The National Commission for Information Technology and Liberties is an independent administrative authority. It is the national supervisory authority in meaning and for the application of Regulation (EU) 2016/679 of April 27, 2016. It carries out the following missions:/ (...) 2° It ensures that the processing of personal data is implemented in accordance with to the provisions of this law and other provisions relating to the protection of personal data provided for by legislative and regulatory texts, European Union law and France's international commitments. As such:/ (...) d) It handles complaints, petitions and complaints lodged by a data subject or by a body, organization or association, examines or investigates the subject matter of the complaint, to the extent necessary, and informs the author of the complaint of the progress and outcome of the investigation (...)".<br />
<br />
4. Thirdly, under the terms of article 20 of the same law: "II.- When the data controller or its subcontractor does not respect the obligations resulting from regulation (EU) 2016/679 of April 27, 2016 or this law, the president of the National Commission for Information Technology and Freedoms may remind him of his legal obligations or, if the breach noted is likely to be subject to compliance, pronounce on him a formal notice, within the deadline it sets: 1° To satisfy the requests presented by the data subject with a view to exercising their rights; 2° To bring the processing operations into compliance with the applicable provisions; 3° A with the exception of processing which concerns state security or defence, to communicate to the data subject a violation of personal data; 4° To rectify or erase personal data, or to limit the processing of these data. In the case provided for in 4° of this II, the president may, under the same conditions, give formal notice to the data controller or its subcontractor to notify the recipients of the data of the measures it has taken. The president may request that compliance be justified within a deadline he sets. (...) ".<br />
<br />
5. It follows from the provisions mentioned in points 3 and 4 that it is up to the CNIL to proceed, when it receives a complaint or a claim relating to the implementation of its powers, to the examination of the facts which are at the origin and to decide on the follow-up to be given to them. To this end, it has a broad power of appreciation and may take into account the seriousness of the alleged breaches with regard to the legislation or regulations that it is responsible for enforcing, the seriousness of the evidence relating to these facts, the date on which they were committed, the context in which they were committed and, more generally, all the general interests for which it is responsible. The author of a complaint may refer the CNIL's refusal to respond to it to the judge for abuse of power. It is up to the judge to censure it, if necessary, for reasons of external illegality and, on the grounds of the merits of the decision, in the event of an error of fact or of law, of a manifest error of appreciation or misuse of power. However, when the author of the complaint relies on the lack of awareness by a data controller of the rights guaranteed by law to the data subject with regard to personal data concerning him or her, in particular the rights of access, rectification , erasure, limitation and opposition mentioned in articles 49, 50, 51, 53 and 56 of the law of January 6, 1978 relating to data processing, files and freedoms, the discretionary power of the CNIL to decide on the follow-up to be taken is exercised, having regard to the nature of the individual right in question, under the entire control of the judge of excess of power.<br />
<br />
6. It appears from the documents in the file that, as stated in point 1, the CNIL, upon receipt of Mr. C...'s complaint, decided to remind the company Societe.com of its legal obligations by asking it to comply with these, while inviting Mr. C..., in the event that the company does not respond to this request within six weeks, to submit a new complaint to the CNIL. In doing so, in the circumstances of this case, it did not taint its decision to close the complaint with an error of assessment.<br />
<br />
7. It follows from all of the above that the applicant is not justified in requesting the annulment of the decision he is impugning. Its conclusions for the purpose of an injunction can, therefore, only be rejected.<br />
<br />
DECIDED :<br />
--------------<br />
<br />
Article 1: Mr. C...'s request is rejected.<br />
Article 2: This decision will be notified to Mr. B... C....<br />
A copy will be sent to the National Commission for Information Technology and Liberties.<br />
<br />
Deliberated at the end of the session of January 11, 2024 where sat: Mr. Bertrand Dacosta, president of the chamber, presiding; Mr. Olivier Yeznikian, State Councilor and Mr. Emmanuel Weicheldinger, master of requests in extraordinary service-rapporteur.<br />
<br />
Returned on February 14, 2024.<br />
<br />
President :<br />
Signed: Mr. Bertrand Dacosta<br />
<br />
The rapporteur :<br />
Signed: Mr. Emmanuel Weiheldinger<br />
<br />
The Secretary :<br />
Signed: Ms. Sylvie Leporcq<br />
<br />
ECLI:FR:CECHS:2024:474625.20240214<br />
</pre></div>Nzmhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2024-002&diff=40063&oldid=40057CNIL (France) - SAN-2024-0022024-02-28T14:12:17Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 14:12, 28 February 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l75">Line 75:</td>
<td colspan="2" class="diff-lineno">Line 75:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed a €100,000 fine on real estate service provider, Société PAP, for having <del style="font-weight: bold; text-decoration: none;">excessive </del>retention periods<del style="font-weight: bold; text-decoration: none;">, an incomplete privacy policy and </del>for <del style="font-weight: bold; text-decoration: none;">failing to ensure the security of user accounts</del>. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed a €100,000 fine on real estate service provider, Société PAP, for<ins style="font-weight: bold; text-decoration: none;">, among other things, </ins>having retention periods <ins style="font-weight: bold; text-decoration: none;">of 10 years </ins>for <ins style="font-weight: bold; text-decoration: none;">contracts concluded electronically that were less than €120</ins>. <ins style="font-weight: bold; text-decoration: none;"> </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l84">Line 84:</td>
<td colspan="2" class="diff-lineno">Line 84:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The on-site investigation focused on the verification of the retention periods applied to user account data, the legality of data processor agreements in place and the technical and organizational measures to ensure the security of the data collected through the website. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The on-site investigation focused on the verification of the retention periods applied to user account data, the legality of data processor agreements in place and the technical and organizational measures to ensure the security of the data collected through the website. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>During its investigations, the CNIL found that the controller defined a systematic retention period of ten years from the acceptance of the <del style="font-weight: bold; text-decoration: none;">order</del>. The CNIL also discovered that the controller did not include the right to lodge a complaint with the DPA, the legal basis for each processing as well as the recipients and categories of recipients in their privacy policy. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>During its investigations, the CNIL found that the controller defined a systematic retention period of ten years from the acceptance of <ins style="font-weight: bold; text-decoration: none;">an order on </ins>the <ins style="font-weight: bold; text-decoration: none;">website</ins>. The CNIL also discovered that the controller did not include the right to lodge a complaint with the DPA, the legal basis for each processing as well as the recipients and categories of recipients in their privacy policy. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL initiated a sanctioning procedure against the controller on 6 February 2023.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL initiated a sanctioning procedure against the controller on 6 February 2023.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Firstly, regarding the retention periods, the CNIL considered that a retention period of ten years from the date of acceptance of the order was justified by its legal obligations resulting from French law, in particular Articles L.213-1, D.213-1 and D.213-2 Consumer Code, for contracts worth more than €120. Therefore, the CNIL considered that for contracts that were less than €120, the 10 year retention period was excessive and therefore breaches [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Firstly, regarding the retention periods, the CNIL considered that a retention period of ten years from the date of acceptance of the order was justified by its legal obligations resulting from French law, in particular <ins style="font-weight: bold; text-decoration: none;">[https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000032226994/ </ins>Articles L.213-1<ins style="font-weight: bold; text-decoration: none;">]</ins>, <ins style="font-weight: bold; text-decoration: none;">[https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000032807208 </ins>D.213-1<ins style="font-weight: bold; text-decoration: none;">] </ins>and <ins style="font-weight: bold; text-decoration: none;">[https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000032807210 </ins>D.213-2<ins style="font-weight: bold; text-decoration: none;">] </ins>Consumer Code, for contracts worth more than €120. Therefore, the CNIL considered that for contracts that were less than €120, the 10 year retention period was excessive and therefore breaches [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Additionally, while the CNIL agreed that a 5 year retention period commencing from the date of last connection to the user account was justified for legal proceedings and anti-fraud purposes, more than 2 million user accounts of between 5 and 10 years old had been retained, as well as more than 700,000 accounts more than 10 years old. The retention of data beyond what was necessary for the announced purpose constituted a breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]].</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Additionally, while the CNIL agreed that a 5 year retention period commencing from the date of last connection to the user account was justified for legal proceedings and anti-fraud purposes, more than 2 million user accounts of between 5 and 10 years old had been retained, as well as more than 700,000 accounts more than 10 years old. The retention of data beyond what was necessary for the announced purpose constituted a breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]].</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40057:rev-40063 -->
</table>Nzmhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2023-024&diff=40060&oldid=40056CNIL (France) - SAN-2023-0242024-02-28T13:55:52Z<p><span dir="auto"><span class="autocomment">English Summary</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:55, 28 February 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l76">Line 76:</td>
<td colspan="2" class="diff-lineno">Line 76:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Between 12 June 2019 and 2 October 2020, the French DPA ("CNIL") received 27 complaints, concerning among other things, the deposit of cookies on the data subjects terminals before any action was taken, as well as the failure to take into account their refusal to the deposit of these cookies. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Between 12 June 2019 and 2 October 2020, the French DPA ("CNIL") received 27 complaints, concerning among other things, the deposit of cookies on the data subjects terminals before any action was taken, as well as the failure to take into account their refusal to the deposit of these cookies. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Following these complaints, the CNIL carried out online investigations of the "yahoo.com" website and the "Yahoo mail" messaging service. <del style="font-weight: bold; text-decoration: none;">During these investigations</del>, the CNIL found that at least 20 cookies for advertising purposes had been placed on their terminal even though they had not expressed consent. They also discovered that on the Yahoo page, there was a "Your data. Your experience" window which included an "I accept" and "Manage settings" button. The "Manage settings" button used push buttons which were activated by default. The CNIL did not activate any of the buttons and clicked "Save and continue" but still noted the deposit of 26 cookies, 7 of which were used for advertising purposes. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Following these complaints, the CNIL carried out online investigations of the "yahoo.com" website and the "Yahoo mail" messaging service. <ins style="font-weight: bold; text-decoration: none;">The first investigation consisted of two scenarios: during a first scenario</ins>, the CNIL found that at least 20 cookies for advertising purposes had been placed on their terminal even though they had not expressed consent. They also discovered that on the Yahoo page, there was a "Your data. Your experience" window which included an "I accept" and "Manage settings" button. The "Manage settings" button used push buttons which were activated by default. The CNIL did not activate any of the buttons and clicked "Save and continue" but still noted the deposit of 26 cookies, 7 of which were used for advertising purposes. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The </del>CNIL also discovered that when a user tried to withdraw their consent, a window was displayed and indicated that "You must accept them to be able to use Verizon Media products. If you disable them, you revoke your consent and will no longer be able to access Verizon Media products, including Yahoo Mail, Yahoo News, Huffington Post, etc." The CNIL clicked on the "Find out more" link where there were questions, such as "What happens if I withdraw my consent to cookies from the privacy dashboard? "and that the answer to this question stated that while "users in the European Union can withdraw this cookie agreement for their account from the privacy dashboard", "withdrawing this agreement will result in blocked access to our products and other Verizon Media sites and applications". During its second inspection, the CNIL also discovered that when browsing on "Yahoo.com" without creating an account, a data subject could revoke their consent from a page entitled "Privacy dashboard and controls (visitors)", but when doing so, a page appeared followed by the words "Are you sure? You will no longer be able to access YAHOO or other Verizon Media products".</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">During a second scenario, the CNIL browsed on "yahoo.com" in order to create a "Yahoo mail" account. As in the first scenario, the </ins>CNIL <ins style="font-weight: bold; text-decoration: none;">did not express consent to the deposit of cookies. During this investigation, they </ins>also discovered that when a user tried to withdraw their consent, a window was displayed and indicated that "You must accept them to be able to use Verizon Media products. If you disable them, you revoke your consent and will no longer be able to access Verizon Media products, including Yahoo Mail, Yahoo News, Huffington Post, etc." The CNIL clicked on the "Find out more" link where there were questions, such as "What happens if I withdraw my consent to cookies from the privacy dashboard? "and that the answer to this question stated that while "users in the European Union can withdraw this cookie agreement for their account from the privacy dashboard", "withdrawing this agreement will result in blocked access to our products and other Verizon Media sites and applications". </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>During its second inspection, the CNIL also discovered that when browsing on "Yahoo.com" without creating an account, a data subject could revoke their consent from a page entitled "Privacy dashboard and controls (visitors)", but when doing so, a page appeared followed by the words "Are you sure? You will no longer be able to access YAHOO or other Verizon Media products".</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL started a sanctioning procedure on 10 July 2023. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL started a sanctioning procedure on 10 July 2023. </div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l89">Line 89:</td>
<td colspan="2" class="diff-lineno">Line 91:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Secondly, regarding the controllership, the CNIL noted that [[Article 4 GDPR#7|Article 4(7) GDPR]] applied due to the reference made by Article 2 of the ePrivacy directive. The CNIL considered that the controller indicated in a letter that they determine the purposes and means of the personal data processing, and is therefore a controller. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Secondly, regarding the controllership, the CNIL noted that [[Article 4 GDPR#7|Article 4(7) GDPR]] applied due to the reference made by Article 2 of the ePrivacy directive. The CNIL considered that the controller indicated in a letter that they determine the purposes and means of the personal data processing, and is therefore a controller. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, concerning the absence of prior consent, [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL] requires consent for operations involving the reading and writing of information on a data subject's terminal. <del style="font-weight: bold; text-decoration: none;">Concerning </del>what the CNIL found during its investigation <del style="font-weight: bold; text-decoration: none;">regarding </del>the absence of consent and the deposit of advertising cookies even though none of the buttons were activated<del style="font-weight: bold; text-decoration: none;">. The CNIL therefore </del>considered that numerous cookies requiring prior consent were deposited without collecting prior consent.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, concerning the absence of prior consent, [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL] requires consent for operations involving the reading and writing of information on a data subject's terminal. <ins style="font-weight: bold; text-decoration: none;">Regarding </ins>what the CNIL found during its investigation <ins style="font-weight: bold; text-decoration: none;">concerning </ins>the absence of consent and the deposit of advertising cookies even though none of the buttons were activated<ins style="font-weight: bold; text-decoration: none;">, the DPA </ins>considered that numerous cookies requiring prior consent were deposited without collecting prior consent<ins style="font-weight: bold; text-decoration: none;">, therefore breaching [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL]</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL added that regarding cookies deposited by third parties, the French Supreme Administrative Court ruled that site publishers who authorize the deposit and use of such 'cookies' by third parties when their site is visited must also be considered as data controllers. Therefore, the DPA considered that the controller breached [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL]. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL added that regarding cookies deposited by third parties, the French Supreme Administrative Court ruled that site publishers who authorize the deposit and use of such 'cookies' by third parties when their site is visited must also be considered as data controllers. Therefore, the DPA considered that the controller breached [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Finally, regarding the withdrawal of consent, the CNIL indicated that the withdrawal of consent must be possible under [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL]. Consent under this Article must be understood within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]] meaning it must be given freely, specifically, in an informed and unambiguous manner and manifested by a clear positive act. The CNIL noted that the controller only informed data subjects that the use of its services was conditional on acceptance of certain cookies during the withdrawal process. The CNIL considered that linking the use of a service to the registration of cookies that are not strictly necessary for the service provided is not in itself illegal, under the condition that consent is free, which implies that both the refusal of consent and its withdrawal are without prejudice to the data subject. The CNIL found that the absence of alternatives offered by the company necessarily affects the free nature of the withdrawal of consent. The DPA also considered that despite the presence of buttons allowing the withdrawal of consent, the messages that appeared were likely to constitute a serious obstacle for data subjects. The CNIL also observed that during the user paths it followed, the CNIL systematically clicked on buttons and tabs with intuitive headings such as "Your account", then "General consent" or "Find out more". Thus, the paths followed by the CNIL during the two online checks are those that users are most likely to follow when they wish to withdraw their consent. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Finally, regarding the withdrawal of consent, the CNIL indicated that the withdrawal of consent must be possible under [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL]. Consent under this Article must be understood within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]] meaning it must be given freely, specifically, in an informed and unambiguous manner and manifested by a clear positive act. The CNIL noted that the controller only informed data subjects that the use of its services was conditional on acceptance of certain cookies during the withdrawal process. The CNIL considered that linking the use of a service to the registration of cookies that are not strictly necessary for the service provided is not in itself illegal, under the condition that consent is free, which implies that both the refusal of consent and its withdrawal are without prejudice to the data subject. The CNIL found <ins style="font-weight: bold; text-decoration: none;">that the it was not possible to withdraw consent without interrupting the services and noted </ins>that the absence of alternatives offered by the company necessarily affects the free nature of the withdrawal of consent. The DPA also considered that despite the presence of buttons allowing the withdrawal of consent, the messages that appeared were likely to constitute a serious obstacle for data subjects. The CNIL also observed that during the user paths it followed, the CNIL systematically clicked on buttons and tabs with intuitive headings such as "Your account", then "General consent" or "Find out more". Thus, the paths followed by the CNIL during the two online checks are those that users are most likely to follow when they wish to withdraw their consent. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL therefore concluded that the controller breached [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL] and imposed a €10 million fine. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL therefore concluded that the controller breached [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL] and imposed a €10 million fine. </div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40056:rev-40060 -->
</table>Nzmhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2024-002&diff=40057&oldid=40034CNIL (France) - SAN-2024-0022024-02-28T13:42:34Z<p><span dir="auto"><span class="autocomment">Holding</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:42, 28 February 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l91">Line 91:</td>
<td colspan="2" class="diff-lineno">Line 91:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Firstly, regarding the retention periods, the CNIL considered that a retention period of ten years from the date of acceptance of the order was justified by its legal obligations resulting from French law, in particular Articles L.213-1, D.213-1 and D.213-2 Consumer Code, for contracts worth more than €120. Therefore, the CNIL considered that for contracts that were less than €120, the 10 year retention period was excessive and therefore breaches [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Firstly, regarding the retention periods, the CNIL considered that a retention period of ten years from the date of acceptance of the order was justified by its legal obligations resulting from French law, in particular Articles L.213-1, D.213-1 and D.213-2 Consumer Code, for contracts worth more than €120. Therefore, the CNIL considered that for contracts that were less than €120, the 10 year retention period was excessive and therefore breaches [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Additionally, while the CNIL agreed that a 5 year retention period commencing from the date of last connection to the user account was justified for <del style="font-weight: bold; text-decoration: none;">the contentious </del>and anti-fraud purposes <del style="font-weight: bold; text-decoration: none;">provided by the data controller</del>, more than 2 million user accounts of between 5 and 10 years old had been retained, as well as more than 700,000 accounts more than 10 years old. The retention of data beyond what was necessary for the announced purpose constituted a breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]].</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Additionally, while the CNIL agreed that a 5 year retention period commencing from the date of last connection to the user account was justified for <ins style="font-weight: bold; text-decoration: none;">legal proceedings </ins>and anti-fraud purposes, more than 2 million user accounts of between 5 and 10 years old had been retained, as well as more than 700,000 accounts more than 10 years old. The retention of data beyond what was necessary for the announced purpose constituted a breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]].</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the CNIL indicated that the controller breached [[Article 13 GDPR|Article 13 GDPR]] by failing to include <del style="font-weight: bold; text-decoration: none;">users </del>right to lodge a complaint to the CNIL, together with inaccurate data retention period information, in the privacy policy. The CNIL noted that this information helps users to control the processing of their data, and thereby ensures fair and transparent processing. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Secondly, the CNIL indicated that the controller breached [[Article 13 GDPR|Article 13 GDPR]] by failing to include <ins style="font-weight: bold; text-decoration: none;">the </ins>right to lodge a complaint to the CNIL, together with inaccurate data retention period information, in the privacy policy. The CNIL noted that this information helps users to control the processing of their data, and thereby ensures fair and transparent processing. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the CNIL found that the controller had breached [[Article 28 GDPR#3|Article 28(3) GDPR]] where it had tried to retroactively amend one of its data processor agreements to include all requirements of this Article. The CNIL held that the retroactive nature of the amendment cannot cover the breach for the past<del style="font-weight: bold; text-decoration: none;">. While the rapporteur had found two other data processing agreements to be in breach of [[Article 28 GDPR#3|Article 28(3) GDPR]], the CNIL concluded that one did in fact contain all the required information, and that the other was incorrectly classified as a data processing agreement and therefore [[Article 28 GDPR#3|Article 28(3) GDPR]] did not apply</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, the CNIL found that the controller had breached [[Article 28 GDPR#3|Article 28(3) GDPR]] where it had tried to retroactively amend one of its data processor agreements to include all requirements of this Article. The CNIL held that the retroactive nature of the amendment cannot cover the breach for the past.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Finally, the CNIL considered that the controller breached [[Article 32 GDPR|Article 32 GDPR]] in several ways. Firstly, users were not required to provide strong passwords when creating an account, accounts were not locked after a certain number of failed access attempts, and part of a reference code used <del style="font-weight: bold; text-decoration: none;">in lieu </del>of an account (if the user did not wish to create one) was made publicly available by forming part of the ad reference number. The CNIL found that the above measures, given the current state of the art, were not sufficient to guarantee the security and confidentiality of the data being processed. Secondly, the controller failed to intermediately archive inactive customer data (kept for 10 years) and inactive user account data (kept for 5 years). The CNIL found that the mixing of inactive data in an active database, which the controller explained was for daily anti-fraud checks, did not ensure adequate data security. A large number of employees could access the data, and some of the retained data was not needed for anti-fraud checks (such as advertising details and billing addresses).</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Finally, the CNIL considered that the controller breached [[Article 32 GDPR|Article 32 GDPR]] in several ways. Firstly, users were not required to provide strong passwords when creating an account, accounts were not locked after a certain number of failed access attempts, and part of a reference code used <ins style="font-weight: bold; text-decoration: none;">instead </ins>of an account (if the user did not wish to create one) was made publicly available by forming part of the ad reference number. The CNIL found that the above measures, given the current state of the art, were not sufficient to guarantee the security and confidentiality of the data being processed. Secondly, the controller failed to intermediately archive inactive customer data (kept for 10 years) and inactive user account data (kept for 5 years). The CNIL found that the mixing of inactive data in an active database, which the controller explained was for daily anti-fraud checks, did not ensure adequate data security. A large number of employees could access the data, and some of the retained data was not needed for anti-fraud checks (such as advertising details and billing addresses).</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>For breaching [[Article 5 GDPR#1e|Articles 5(1)(e)]], [[Article 13 GDPR|13]], [[Article 28 GDPR|28]] and [[Article 32 GDPR|32 GDPR]] the CNIL imposed a €100,000 to the controller.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>For breaching [[Article 5 GDPR#1e|Articles 5(1)(e)]], [[Article 13 GDPR|13]], [[Article 28 GDPR|28]] and [[Article 32 GDPR|32 GDPR]] the CNIL imposed a €100,000 to the controller.</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40034:rev-40057 -->
</table>Mghttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2023-024&diff=40056&oldid=40045CNIL (France) - SAN-2023-0242024-02-28T13:29:21Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:29, 28 February 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l76">Line 76:</td>
<td colspan="2" class="diff-lineno">Line 76:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Between 12 June 2019 and 2 October 2020, the French DPA ("CNIL") received 27 complaints, concerning among other things, the deposit of cookies on the data subjects terminals before any action was taken, as well as the failure to take into account their refusal to the deposit of these cookies. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Between 12 June 2019 and 2 October 2020, the French DPA ("CNIL") received 27 complaints, concerning among other things, the deposit of cookies on the data subjects terminals before any action was taken, as well as the failure to take into account their refusal to the deposit of these cookies. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Following these complaints, the CNIL carried out online investigations of the "yahoo.com" website and the "Yahoo mail" messaging service. During these investigations, the CNIL found that at least 20 cookies for advertising purposes had been placed on <del style="font-weight: bold; text-decoration: none;">its </del>terminal even though they had not expressed consent. They also discovered that on the Yahoo page, there was a "Your data. Your experience" window which included an "I accept" and "Manage settings" button. The "Manage settings" button used push buttons which were activated by default. The CNIL did not activate any of the buttons and clicked "Save and continue" but still noted the deposit of 26 cookies, 7 of which were used for advertising purposes. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Following these complaints, the CNIL carried out online investigations of the "yahoo.com" website and the "Yahoo mail" messaging service. During these investigations, the CNIL found that at least 20 cookies for advertising purposes had been placed on <ins style="font-weight: bold; text-decoration: none;">their </ins>terminal even though they had not expressed consent. They also discovered that on the Yahoo page, there was a "Your data. Your experience" window which included an "I accept" and "Manage settings" button. The "Manage settings" button used push buttons which were activated by default. The CNIL did not activate any of the buttons and clicked "Save and continue" but still noted the deposit of 26 cookies, 7 of which were used for advertising purposes. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL also discovered that when a user tried to withdraw their consent, a window was displayed and indicated that "You must accept them to be able to use Verizon Media products. If you disable them, you revoke your consent and will no longer be able to access Verizon Media products, including Yahoo Mail, Yahoo News, Huffington Post, etc." The CNIL clicked on the "Find out more" link where there were questions, such as "What happens if I withdraw my consent to cookies from the privacy dashboard? "and that the answer to this question stated that while "users in the European Union can withdraw this cookie agreement for their account from the privacy dashboard", "withdrawing this agreement will result in blocked access to our products and other Verizon Media sites and applications". During its second inspection, the CNIL also discovered that when browsing on "Yahoo.com" without creating an account, a data subject could revoke their consent from a page entitled "Privacy dashboard and controls (visitors)", but when doing so, a page appeared followed by the words "Are you sure? You will no longer be able to access YAHOO or other Verizon Media products".</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL also discovered that when a user tried to withdraw their consent, a window was displayed and indicated that "You must accept them to be able to use Verizon Media products. If you disable them, you revoke your consent and will no longer be able to access Verizon Media products, including Yahoo Mail, Yahoo News, Huffington Post, etc." The CNIL clicked on the "Find out more" link where there were questions, such as "What happens if I withdraw my consent to cookies from the privacy dashboard? "and that the answer to this question stated that while "users in the European Union can withdraw this cookie agreement for their account from the privacy dashboard", "withdrawing this agreement will result in blocked access to our products and other Verizon Media sites and applications". During its second inspection, the CNIL also discovered that when browsing on "Yahoo.com" without creating an account, a data subject could revoke their consent from a page entitled "Privacy dashboard and controls (visitors)", but when doing so, a page appeared followed by the words "Are you sure? You will no longer be able to access YAHOO or other Verizon Media products".</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l83">Line 83:</td>
<td colspan="2" class="diff-lineno">Line 83:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Firstly, regarding the material scope of the CNIL's jurisdiction, the DPA indicated that with regard to a Conseil d'Etat decision, the control <del style="font-weight: bold; text-decoration: none;">of operations </del>to <del style="font-weight: bold; text-decoration: none;">access or register information in the terminals of users in France of an electronic communications service, even when proceeding from </del>cross-border processing, falls within the jurisdiction of the CNIL and the one-stop shop mechanism provided by the GDPR is not applicable. Therefore, the CNIL considered that they are competent to monitor and initiate sanctioning proceedings concerning the processing implemented by the controller as it fell within the scope of the ePrivacy directive. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Firstly, regarding the material scope of the CNIL's jurisdiction, the DPA indicated that with regard to a Conseil d'Etat decision, the control <ins style="font-weight: bold; text-decoration: none;">tied </ins>to <ins style="font-weight: bold; text-decoration: none;">a </ins>cross-border processing, falls within the jurisdiction of the CNIL and the one-stop shop mechanism provided by the GDPR is not applicable. Therefore, the CNIL considered that they are competent to monitor and initiate sanctioning proceedings concerning the processing implemented by the controller as it fell within the scope of the ePrivacy directive<ins style="font-weight: bold; text-decoration: none;">, which is ''lex specialis'' to the GDPR</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Regarding the territorial scope of the CNIL's jurisdiction, the CNIL indicated that under [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the law "Informatique et Libertés"] ("LIL"), they are competent, as the processing in this case was carried out as part of the activities of an establishment of the controller on the French territory. In particular, the CNIL took into account the purpose of the controller, which is, among other things, "to promote Yahoo's advertising products and solutions on the French market (...)". Therefore, the CNIL concluded that the processing consisting of operations to access or record information in the terminal of data subjects residing in France, when browsing "yahoo.com" or using the "Yahoo mail service" is carried out in the context of the activities of Yahoo France. Thus, the CNIL found that French law is applicable, and that the CNIL is materially and territorially competent.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Regarding the territorial scope of the CNIL's jurisdiction, the CNIL indicated that under [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the law "Informatique et Libertés"] ("LIL"), they are competent, as the processing in this case was carried out as part of the activities of an establishment of the controller on the French territory. In particular, the CNIL took into account the purpose of the controller, which is, among other things, "to promote Yahoo's advertising products and solutions on the French market (...)". Therefore, the CNIL concluded that the processing consisting of operations to access or record information in the terminal of data subjects residing in France, when browsing "yahoo.com" or using the "Yahoo mail service" is carried out in the context of the activities of Yahoo France. Thus, the CNIL found that French law is applicable, and that the CNIL is materially and territorially competent.</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l89">Line 89:</td>
<td colspan="2" class="diff-lineno">Line 89:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Secondly, regarding the controllership, the CNIL noted that [[Article 4 GDPR#7|Article 4(7) GDPR]] applied due to the reference made by Article 2 of the ePrivacy directive. The CNIL considered that the controller indicated in a letter that they determine the purposes and means of the personal data processing, and is therefore a controller. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Secondly, regarding the controllership, the CNIL noted that [[Article 4 GDPR#7|Article 4(7) GDPR]] applied due to the reference made by Article 2 of the ePrivacy directive. The CNIL considered that the controller indicated in a letter that they determine the purposes and means of the personal data processing, and is therefore a controller. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, concerning the absence of prior consent, [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL] requires consent for operations involving the reading and writing of information on a data subject's terminal. <del style="font-weight: bold; text-decoration: none;">Regarding </del>what the CNIL found during its investigation regarding the absence of consent and the deposit of advertising cookies even though none of the buttons were activated. The CNIL therefore considered that numerous cookies requiring prior consent were deposited without collecting prior consent.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, concerning the absence of prior consent, [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL] requires consent for operations involving the reading and writing of information on a data subject's terminal. <ins style="font-weight: bold; text-decoration: none;">Concerning </ins>what the CNIL found during its investigation regarding the absence of consent and the deposit of advertising cookies even though none of the buttons were activated. The CNIL therefore considered that numerous cookies requiring prior consent were deposited without collecting prior consent.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL added that regarding cookies deposited by third parties, the French Supreme Administrative Court ruled that site publishers who authorize the deposit and use of such 'cookies' by third parties when their site is visited must also be considered as data controllers. Therefore, the DPA considered that the controller breached [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL]. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL added that regarding cookies deposited by third parties, the French Supreme Administrative Court ruled that site publishers who authorize the deposit and use of such 'cookies' by third parties when their site is visited must also be considered as data controllers. Therefore, the DPA considered that the controller breached [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL]. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Finally, regarding the withdrawal of consent, the CNIL indicated that the withdrawal of consent must be possible under [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL]. Consent under this Article must be understood within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]] meaning it must be given freely, specifically, in an informed and unambiguous manner and manifested by a clear positive act. The CNIL noted that the controller only informed data subjects that the use of its services was conditional on acceptance of certain cookies during the withdrawal process. The CNIL considered that linking the use of a service to the registration of cookies that are not strictly necessary for the service provided is not in itself illegal, under the condition that consent is free, which implies that both the refusal of consent and its withdrawal are without prejudice to the data subject.The CNIL found that the absence of <del style="font-weight: bold; text-decoration: none;">alternative </del>offered by the company necessarily affects the free nature of the withdrawal of consent. The DPA also considered that despite the presence of buttons allowing the withdrawal of consent, the messages that appeared were likely to constitute a serious obstacle for data subjects. The CNIL also observed that during the user paths it followed, the CNIL systematically clicked on buttons and tabs with intuitive headings such as "Your account", then "General consent" or "Find out more". Thus, the paths followed by the <del style="font-weight: bold; text-decoration: none;">delegation </del>during the two online checks are those that users are most likely to follow when they wish to withdraw their consent. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Finally, regarding the withdrawal of consent, the CNIL indicated that the withdrawal of consent must be possible under [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL]. Consent under this Article must be understood within the meaning of [[Article 4 GDPR#11|Article 4(11) GDPR]] meaning it must be given freely, specifically, in an informed and unambiguous manner and manifested by a clear positive act. The CNIL noted that the controller only informed data subjects that the use of its services was conditional on acceptance of certain cookies during the withdrawal process. The CNIL considered that linking the use of a service to the registration of cookies that are not strictly necessary for the service provided is not in itself illegal, under the condition that consent is free, which implies that both the refusal of consent and its withdrawal are without prejudice to the data subject. The CNIL found that the absence of <ins style="font-weight: bold; text-decoration: none;">alternatives </ins>offered by the company necessarily affects the free nature of the withdrawal of consent. The DPA also considered that despite the presence of buttons allowing the withdrawal of consent, the messages that appeared were likely to constitute a serious obstacle for data subjects. The CNIL also observed that during the user paths it followed, the CNIL systematically clicked on buttons and tabs with intuitive headings such as "Your account", then "General consent" or "Find out more". Thus, the paths followed by the <ins style="font-weight: bold; text-decoration: none;">CNIL </ins>during the two online checks are those that users are most likely to follow when they wish to withdraw their consent. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL therefore concluded that the controller breached [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL] and imposed a €10 million fine. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL therefore concluded that the controller breached [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82 of the LIL] and imposed a €10 million fine. </div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40045:rev-40056 -->
</table>Mghttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2023-024&diff=40045&oldid=40010CNIL (France) - SAN-2023-0242024-02-28T10:59:29Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:59, 28 February 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(2 intermediate revisions by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l69">Line 69:</td>
<td colspan="2" class="diff-lineno">Line 69:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">French </del>DPA imposed €10 million fine on Yahoo for depositing cookies on data subject’s devices without prior consent and for not taking into account the withdrawal of consent.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed €10 million fine on Yahoo for depositing cookies on data subject’s devices without prior consent and for not taking into account the withdrawal of consent.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l85">Line 85:</td>
<td colspan="2" class="diff-lineno">Line 85:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Firstly, regarding the material scope of the CNIL's jurisdiction, the DPA indicated that with regard to a Conseil d'Etat decision, the control of operations to access or register information in the terminals of users in France of an electronic communications service, even when proceeding from cross-border processing, falls within the jurisdiction of the CNIL and the one-stop shop mechanism provided by the GDPR is not applicable. Therefore, the CNIL considered that they are competent to monitor and initiate sanctioning proceedings concerning the processing implemented by the controller as it fell within the scope of the ePrivacy directive. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Firstly, regarding the material scope of the CNIL's jurisdiction, the DPA indicated that with regard to a Conseil d'Etat decision, the control of operations to access or register information in the terminals of users in France of an electronic communications service, even when proceeding from cross-border processing, falls within the jurisdiction of the CNIL and the one-stop shop mechanism provided by the GDPR is not applicable. Therefore, the CNIL considered that they are competent to monitor and initiate sanctioning proceedings concerning the processing implemented by the controller as it fell within the scope of the ePrivacy directive. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Regarding the territorial scope of the CNIL's jurisdiction, the CNIL indicated that under Article 82 of the law "Informatique et Libertés" ("LIL"), they are competent, as the processing in this case was carried out as part of the activities of an establishment of the controller on the French territory. In particular, the CNIL took into account the purpose of the controller, which is, among other things, "to promote Yahoo's advertising products and solutions on the French market (...)". Therefore, the CNIL concluded that the processing consisting of operations to access or record information in the terminal of data subjects residing in France, when browsing "yahoo.com" or using the "Yahoo mail service" is carried out in the context of the activities of Yahoo France. Thus, the CNIL found that French law is applicable, and that the CNIL is materially and territorially competent.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Regarding the territorial scope of the CNIL's jurisdiction, the CNIL indicated that under <ins style="font-weight: bold; text-decoration: none;">[https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 </ins>Article 82 of the law "Informatique et Libertés"<ins style="font-weight: bold; text-decoration: none;">] </ins>("LIL"), they are competent, as the processing in this case was carried out as part of the activities of an establishment of the controller on the French territory. In particular, the CNIL took into account the purpose of the controller, which is, among other things, "to promote Yahoo's advertising products and solutions on the French market (...)". Therefore, the CNIL concluded that the processing consisting of operations to access or record information in the terminal of data subjects residing in France, when browsing "yahoo.com" or using the "Yahoo mail service" is carried out in the context of the activities of Yahoo France. Thus, the CNIL found that French law is applicable, and that the CNIL is materially and territorially competent.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Secondly, regarding the controllership, the CNIL noted that Article 4(7) applied due to the reference made by Article 2 of the ePrivacy directive. The CNIL considered that the controller indicated in a letter that they determine the purposes and means of the personal data processing, and is therefore a controller. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Secondly, regarding the controllership, the CNIL noted that <ins style="font-weight: bold; text-decoration: none;">[[Article 4 GDPR#7|</ins>Article 4(7) <ins style="font-weight: bold; text-decoration: none;">GDPR]] </ins>applied due to the reference made by Article 2 of the ePrivacy directive. The CNIL considered that the controller indicated in a letter that they determine the purposes and means of the personal data processing, and is therefore a controller. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, concerning the absence of prior consent, Article 82 of the LIL requires consent for operations involving the reading and writing of information on a data subject's terminal. Regarding what the CNIL found during its investigation regarding the absence of consent and the deposit of advertising cookies even though none of the buttons were activated. The CNIL therefore considered that numerous cookies requiring prior consent were deposited without collecting prior consent.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, concerning the absence of prior consent, <ins style="font-weight: bold; text-decoration: none;">[https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 </ins>Article 82 of the LIL<ins style="font-weight: bold; text-decoration: none;">] </ins>requires consent for operations involving the reading and writing of information on a data subject's terminal. Regarding what the CNIL found during its investigation regarding the absence of consent and the deposit of advertising cookies even though none of the buttons were activated. The CNIL therefore considered that numerous cookies requiring prior consent were deposited without collecting prior consent.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The CNIL added that regarding cookies deposited by third parties, the French Supreme Administrative Court ruled that site publishers who authorize the deposit and use of such 'cookies' by third parties when their site is visited must also be considered as data controllers. Therefore, the DPA considered that the controller breached Article 82 of the LIL. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The CNIL added that regarding cookies deposited by third parties, the French Supreme Administrative Court ruled that site publishers who authorize the deposit and use of such 'cookies' by third parties when their site is visited must also be considered as data controllers. Therefore, the DPA considered that the controller breached <ins style="font-weight: bold; text-decoration: none;">[https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 </ins>Article 82 of the LIL<ins style="font-weight: bold; text-decoration: none;">]</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Finally, regarding the withdrawal of consent, the CNIL indicated that the withdrawal of consent must be possible under Article 82 of the LIL. Consent under this Article must be understood within the meaning of Article 4(11) GDPR meaning it must be given freely, specifically, in an informed and unambiguous manner and manifested by a clear positive act. The CNIL noted that the controller only informed data subjects that the use of its services was conditional on acceptance of certain cookies during the withdrawal process. The CNIL considered that linking the use of a service to the registration of cookies that are not strictly necessary for the service provided is not in itself illegal, under the condition that consent is free, which implies that both the refusal of consent and its withdrawal are without prejudice to the data subject.The CNIL found that the absence of alternative offered by the company necessarily affects the free nature of the withdrawal of consent. The DPA also considered that despite the presence of buttons allowing the withdrawal of consent, the messages that appeared were likely to constitute a serious obstacle for data subjects. The CNIL also observed that during the user paths it followed, the CNIL systematically clicked on buttons and tabs with intuitive headings such as "Your account", then "General consent" or "Find out more". Thus, the paths followed by the delegation during the two online checks are those that users are most likely to follow when they wish to withdraw their consent. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Finally, regarding the withdrawal of consent, the CNIL indicated that the withdrawal of consent must be possible under <ins style="font-weight: bold; text-decoration: none;">[https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 </ins>Article 82 of the LIL<ins style="font-weight: bold; text-decoration: none;">]</ins>. Consent under this Article must be understood within the meaning of <ins style="font-weight: bold; text-decoration: none;">[[Article 4 GDPR#11|</ins>Article 4(11) GDPR<ins style="font-weight: bold; text-decoration: none;">]] </ins>meaning it must be given freely, specifically, in an informed and unambiguous manner and manifested by a clear positive act. The CNIL noted that the controller only informed data subjects that the use of its services was conditional on acceptance of certain cookies during the withdrawal process. The CNIL considered that linking the use of a service to the registration of cookies that are not strictly necessary for the service provided is not in itself illegal, under the condition that consent is free, which implies that both the refusal of consent and its withdrawal are without prejudice to the data subject.The CNIL found that the absence of alternative offered by the company necessarily affects the free nature of the withdrawal of consent. The DPA also considered that despite the presence of buttons allowing the withdrawal of consent, the messages that appeared were likely to constitute a serious obstacle for data subjects. The CNIL also observed that during the user paths it followed, the CNIL systematically clicked on buttons and tabs with intuitive headings such as "Your account", then "General consent" or "Find out more". Thus, the paths followed by the delegation during the two online checks are those that users are most likely to follow when they wish to withdraw their consent. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The CNIL therefore concluded that the controller breached Article 82 of the LIL and imposed a €10 million fine. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The CNIL therefore concluded that the controller breached <ins style="font-weight: bold; text-decoration: none;">[https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 </ins>Article 82 of the LIL<ins style="font-weight: bold; text-decoration: none;">] </ins>and imposed a €10 million fine. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>This is another decision concerning cookies taken by the CNIL, reflecting the focus of the DPA on this issue. This decision is similar to [https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-012 CNIL (France) - SAN-2020-012,] concerning Google as far as it underlines the complementary nature of GDPR and national provisions as they result from the transposition of the ePrivacy Directive.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">From the original contributor: </ins>This is another decision concerning cookies taken by the CNIL, reflecting the focus of the DPA on this issue. This decision is similar to [https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-012 CNIL (France) - SAN-2020-012,] concerning Google as far as it underlines the complementary nature of GDPR and national provisions as they result from the transposition of the ePrivacy Directive.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Lengthy proceedings are of note, as they were significantly longer than those in case of others (such as Google decision).</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Lengthy proceedings are of note, as they were significantly longer than those in case of others (such as Google decision).</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40010:rev-40045 -->
</table>Nzmhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2024-002&diff=40034&oldid=40022CNIL (France) - SAN-2024-0022024-02-28T09:28:54Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 09:28, 28 February 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(One intermediate revision by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l75">Line 75:</td>
<td colspan="2" class="diff-lineno">Line 75:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">French </del>DPA imposed a €100,000 fine on real estate service provider Société PAP for having excessive retention periods, an incomplete privacy policy and for failing to ensure the security of user accounts. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The DPA imposed a €100,000 fine on real estate service provider<ins style="font-weight: bold; text-decoration: none;">, </ins>Société PAP<ins style="font-weight: bold; text-decoration: none;">, </ins>for having excessive retention periods, an incomplete privacy policy and for failing to ensure the security of user accounts. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40022:rev-40034 -->
</table>Nzmhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2024-002_du_31_janvier_2024&diff=40022&oldid=39834CNIL (France) - SAN-2024-002 du 31 janvier 20242024-02-28T09:18:11Z<p><a href="/index.php?title=User:Nzm&action=edit&redlink=1" class="new mw-userlink" title="User:Nzm (page does not exist)"><bdi>Nzm</bdi></a> moved page <a href="/index.php?title=CNIL_(France)_-_SAN-2024-002_du_31_janvier_2024&redirect=no" class="mw-redirect" title="CNIL (France) - SAN-2024-002 du 31 janvier 2024">CNIL (France) - SAN-2024-002 du 31 janvier 2024</a> to <a href="/index.php?title=CNIL_(France)_-_SAN-2024-002" title="CNIL (France) - SAN-2024-002">CNIL (France) - SAN-2024-002</a></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 09:18, 28 February 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(One intermediate revision by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l75">Line 75:</td>
<td colspan="2" class="diff-lineno">Line 75:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The French DPA imposed a €100,000 fine on real estate service provider Société <del style="font-weight: bold; text-decoration: none;">de Particulier à Particulier - Editions Neressis (</del>PAP<del style="font-weight: bold; text-decoration: none;">) </del>for <del style="font-weight: bold; text-decoration: none;">infringing Articles 5(1)(e)</del>, <del style="font-weight: bold; text-decoration: none;">13, 28 </del>and <del style="font-weight: bold; text-decoration: none;">32 GDPR. The data controller was ultimately found not </del>to <del style="font-weight: bold; text-decoration: none;">be in breach </del>of <del style="font-weight: bold; text-decoration: none;">direct marketing laws</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The French DPA imposed a €100,000 fine on real estate service provider Société PAP for <ins style="font-weight: bold; text-decoration: none;">having excessive retention periods</ins>, <ins style="font-weight: bold; text-decoration: none;">an incomplete privacy policy </ins>and <ins style="font-weight: bold; text-decoration: none;">for failing </ins>to <ins style="font-weight: bold; text-decoration: none;">ensure the security </ins>of <ins style="font-weight: bold; text-decoration: none;">user accounts</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The data </del>controller provides individuals with a set of publications and services allowing them to conclude real estate transactions without intermediaries. The CNIL conducted an online investigation of <del style="font-weight: bold; text-decoration: none;">the </del>www.pap.fr <del style="font-weight: bold; text-decoration: none;">website </del>to verify the methods of informing people about their rights as data subjects, and whether the procedure for creating a user account was sufficiently secure and confidential. </div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Société Particulier à Particulier - Editions Neressis ("</ins>controller<ins style="font-weight: bold; text-decoration: none;">") </ins>provides individuals with a set of publications and services allowing them to conclude real estate transactions without intermediaries. The CNIL conducted an online investigation of <ins style="font-weight: bold; text-decoration: none;">their website, </ins>www.pap.fr<ins style="font-weight: bold; text-decoration: none;">, </ins>to verify the methods of informing people about their rights as data subjects, and whether the procedure for creating a user account was sufficiently secure and confidential. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The on-site investigation focused on the verification of the retention periods applied to user account data, the legality of data processor agreements in place<del style="font-weight: bold; text-decoration: none;">, </del>the technical and organizational measures to ensure the security of the data collected through the website. The CNIL also <del style="font-weight: bold; text-decoration: none;">investigated whether </del>the <del style="font-weight: bold; text-decoration: none;">data </del>controller <del style="font-weight: bold; text-decoration: none;">was in compliance </del>with <del style="font-weight: bold; text-decoration: none;">direct marketing laws when using personal data in marketing </del>for <del style="font-weight: bold; text-decoration: none;">similar products </del>and <del style="font-weight: bold; text-decoration: none;">services</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The on-site investigation focused on the verification of the retention periods applied to user account data, the legality of data processor agreements in place <ins style="font-weight: bold; text-decoration: none;">and </ins>the technical and organizational measures to ensure the security of the data collected through the website<ins style="font-weight: bold; text-decoration: none;">. </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">During its investigations, the CNIL found that the controller defined a systematic retention period of ten years from the acceptance of the order</ins>. The CNIL also <ins style="font-weight: bold; text-decoration: none;">discovered that </ins>the controller <ins style="font-weight: bold; text-decoration: none;">did not include the right to lodge a complaint </ins>with <ins style="font-weight: bold; text-decoration: none;">the DPA, the legal basis </ins>for <ins style="font-weight: bold; text-decoration: none;">each processing as well as the recipients </ins>and <ins style="font-weight: bold; text-decoration: none;">categories of recipients in their privacy policy. </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The CNIL initiated a sanctioning procedure against the controller on 6 February 2023</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">By keeping user account data beyond what was necessary for the purposes given</del>, the <del style="font-weight: bold; text-decoration: none;">data controller was found to be in breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. The Consumer Code is the relevant law governing electronic contracts, and specifies data </del>retention periods <del style="font-weight: bold; text-decoration: none;">depending on </del>the <del style="font-weight: bold; text-decoration: none;">cost </del>of the <del style="font-weight: bold; text-decoration: none;">contracts entered into with users. Less than one third </del>of the <del style="font-weight: bold; text-decoration: none;">contracts spot-checked </del>by <del style="font-weight: bold; text-decoration: none;">the CNIL were worth €120 or more</del>, <del style="font-weight: bold; text-decoration: none;">whereby the associated data needs to be retained for 10 years (per </del>Articles L.213-1, D.213-1 and D.213-2 Consumer Code<del style="font-weight: bold; text-decoration: none;">)</del>. <del style="font-weight: bold; text-decoration: none;">The </del>CNIL <del style="font-weight: bold; text-decoration: none;">thus held </del>that <del style="font-weight: bold; text-decoration: none;">the data of </del>contracts <del style="font-weight: bold; text-decoration: none;">which </del>were <del style="font-weight: bold; text-decoration: none;">worth </del>less than €120 <del style="font-weight: bold; text-decoration: none;">had been retained for </del>excessive <del style="font-weight: bold; text-decoration: none;">periods of time</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Firstly</ins>, <ins style="font-weight: bold; text-decoration: none;">regarding </ins>the retention periods<ins style="font-weight: bold; text-decoration: none;">, </ins>the <ins style="font-weight: bold; text-decoration: none;">CNIL considered that a retention period </ins>of <ins style="font-weight: bold; text-decoration: none;">ten years from </ins>the <ins style="font-weight: bold; text-decoration: none;">date of acceptance </ins>of the <ins style="font-weight: bold; text-decoration: none;">order was justified </ins>by <ins style="font-weight: bold; text-decoration: none;">its legal obligations resulting from French law</ins>, <ins style="font-weight: bold; text-decoration: none;">in particular </ins>Articles L.213-1, D.213-1 and D.213-2 Consumer Code<ins style="font-weight: bold; text-decoration: none;">, for contracts worth more than €120</ins>. <ins style="font-weight: bold; text-decoration: none;">Therefore, the </ins>CNIL <ins style="font-weight: bold; text-decoration: none;">considered </ins>that <ins style="font-weight: bold; text-decoration: none;">for </ins>contracts <ins style="font-weight: bold; text-decoration: none;">that </ins>were less than €120<ins style="font-weight: bold; text-decoration: none;">, the 10 year retention period was </ins>excessive <ins style="font-weight: bold; text-decoration: none;">and therefore breaches [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Additionally, while the CNIL agreed that a 5 year retention period commencing from the date of last connection to the user account was justified for the contentious and anti-fraud purposes provided by the data controller, more than 2 million user accounts of between 5 and 10 years old had been retained, as well as more than 700,000 accounts more than 10 years old. The retention of data beyond what was necessary for the announced purpose constituted a breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]].</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Additionally, while the CNIL agreed that a 5 year retention period commencing from the date of last connection to the user account was justified for the contentious and anti-fraud purposes provided by the data controller, more than 2 million user accounts of between 5 and 10 years old had been retained, as well as more than 700,000 accounts more than 10 years old. The retention of data beyond what was necessary for the announced purpose constituted a breach of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]].</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The data </del>controller <del style="font-weight: bold; text-decoration: none;">had </del>breached [[Article 13 GDPR|Article 13 GDPR]] by failing to include users right to lodge a complaint to the CNIL, together with inaccurate data retention period information, in the privacy policy. The CNIL noted that this information helps users to control the processing of their data, and thereby ensures fair and transparent processing<del style="font-weight: bold; text-decoration: none;">. The data controller had also failed to specify the processing operations to which the legal bases relate and the recipients or categories of data recipients. The CNIL did not, however, mention these failings when concluding on Article 13 violations.</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Secondly, the CNIL indicated that the </ins>controller breached [[Article 13 GDPR|Article 13 GDPR]] by failing to include users right to lodge a complaint to the CNIL, together with inaccurate data retention period information, in the privacy policy. The CNIL noted that this information helps users to control the processing of their data, and thereby ensures fair and transparent processing. </div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The CNIL found that the data controller had breached Article 28(3) where it had tried to retroactively amend one of its data processor agreements to include all requirements of this Article. The CNIL held that the retroactive nature of the amendment cannot cover the breach for the past. While the rapporteur had found two other data processing agreements to be in breach of Article 28(3), the CNIL concluded that one did in fact contain all the required information, and that the other was incorrectly classified as a data processing agreement and therefore Article 28(3) did not apply.</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The data controller had breached [[Article 32 GDPR|Article 32 GDPR]] in several ways. Firstly, users were not required to provide strong passwords when creating an account, accounts were not locked after a certain number of failed access attempts, and part of a reference code used in lieu of an account (if the user did not wish to create one) was made publicly available by forming part of the ad reference number. The CNIL found that the above measures, given the current state of the art, were not sufficient to guarantee the security and confidentiality of the data being processed</del>.</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Secondly</del>, <del style="font-weight: bold; text-decoration: none;">by failing to intermediately archive inactive customer data </del>(<del style="font-weight: bold; text-decoration: none;">kept for 10 years</del>) <del style="font-weight: bold; text-decoration: none;">and inactive user account </del>data <del style="font-weight: bold; text-decoration: none;">(kept for 5 years)</del>. The CNIL <del style="font-weight: bold; text-decoration: none;">found </del>that the <del style="font-weight: bold; text-decoration: none;">mixing </del>of <del style="font-weight: bold; text-decoration: none;">inactive </del>data in <del style="font-weight: bold; text-decoration: none;">an active database</del>, <del style="font-weight: bold; text-decoration: none;">which </del>the <del style="font-weight: bold; text-decoration: none;">data controller explained was for daily anti-fraud checks, </del>did <del style="font-weight: bold; text-decoration: none;">not ensure adequate data security. A large number of employees could access </del>the <del style="font-weight: bold; text-decoration: none;">data</del>, and <del style="font-weight: bold; text-decoration: none;">some of </del>the <del style="font-weight: bold; text-decoration: none;">retained data </del>was <del style="font-weight: bold; text-decoration: none;">not needed for anti-fraud checks (such </del>as <del style="font-weight: bold; text-decoration: none;">advertising details </del>and <del style="font-weight: bold; text-decoration: none;">billing addresses</del>).</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Thirdly</ins>, <ins style="font-weight: bold; text-decoration: none;">the CNIL found that the controller had breached [[Article 28 GDPR#3|Article 28</ins>(<ins style="font-weight: bold; text-decoration: none;">3</ins>) <ins style="font-weight: bold; text-decoration: none;">GDPR]] where it had tried to retroactively amend one of its </ins>data <ins style="font-weight: bold; text-decoration: none;">processor agreements to include all requirements of this Article</ins>. The CNIL <ins style="font-weight: bold; text-decoration: none;">held </ins>that the <ins style="font-weight: bold; text-decoration: none;">retroactive nature </ins>of <ins style="font-weight: bold; text-decoration: none;">the amendment cannot cover the breach for the past. While the rapporteur had found two other </ins>data <ins style="font-weight: bold; text-decoration: none;">processing agreements to be </ins>in <ins style="font-weight: bold; text-decoration: none;">breach of [[Article 28 GDPR#3|Article 28(3) GDPR]]</ins>, the <ins style="font-weight: bold; text-decoration: none;">CNIL concluded that one </ins>did <ins style="font-weight: bold; text-decoration: none;">in fact contain all </ins>the <ins style="font-weight: bold; text-decoration: none;">required information</ins>, and <ins style="font-weight: bold; text-decoration: none;">that </ins>the <ins style="font-weight: bold; text-decoration: none;">other </ins>was <ins style="font-weight: bold; text-decoration: none;">incorrectly classified </ins>as <ins style="font-weight: bold; text-decoration: none;">a data processing agreement </ins>and <ins style="font-weight: bold; text-decoration: none;">therefore [[Article 28 GDPR#3|Article 28(3</ins>) <ins style="font-weight: bold; text-decoration: none;">GDPR]] did not apply</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The data </del>controller <del style="font-weight: bold; text-decoration: none;">had not </del>breached Article <del style="font-weight: bold; text-decoration: none;">L</del>.<del style="font-weight: bold; text-decoration: none;">34-5 </del>of <del style="font-weight: bold; text-decoration: none;">the Postal </del>and <del style="font-weight: bold; text-decoration: none;">Electronic Communications Code because </del>the <del style="font-weight: bold; text-decoration: none;">emails sent out </del>to <del style="font-weight: bold; text-decoration: none;">users</del>, <del style="font-weight: bold; text-decoration: none;">containing ads or anonymous surveys</del>, were not <del style="font-weight: bold; text-decoration: none;">intended </del>to <del style="font-weight: bold; text-decoration: none;">promote other properties or services offered </del>and did not <del style="font-weight: bold; text-decoration: none;">meet </del>the <del style="font-weight: bold; text-decoration: none;">definition </del>of <del style="font-weight: bold; text-decoration: none;">‘commercial prospecting’ given in </del>the <del style="font-weight: bold; text-decoration: none;">Code</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Finally, the CNIL considered that the </ins>controller breached <ins style="font-weight: bold; text-decoration: none;">[[Article 32 GDPR|</ins>Article <ins style="font-weight: bold; text-decoration: none;">32 GDPR]] in several ways</ins>. <ins style="font-weight: bold; text-decoration: none;">Firstly, users were not required to provide strong passwords when creating an account, accounts were not locked after a certain number </ins>of <ins style="font-weight: bold; text-decoration: none;">failed access attempts, </ins>and <ins style="font-weight: bold; text-decoration: none;">part of a reference code used in lieu of an account (if </ins>the <ins style="font-weight: bold; text-decoration: none;">user did not wish </ins>to <ins style="font-weight: bold; text-decoration: none;">create one) was made publicly available by forming part of the ad reference number. The CNIL found that the above measures</ins>, <ins style="font-weight: bold; text-decoration: none;">given the current state of the art</ins>, were not <ins style="font-weight: bold; text-decoration: none;">sufficient </ins>to <ins style="font-weight: bold; text-decoration: none;">guarantee the security </ins>and <ins style="font-weight: bold; text-decoration: none;">confidentiality of the data being processed. Secondly, the controller failed to intermediately archive inactive customer data (kept for 10 years) and inactive user account data (kept for 5 years). The CNIL found that the mixing of inactive data in an active database, which the controller explained was for daily anti-fraud checks, </ins>did not <ins style="font-weight: bold; text-decoration: none;">ensure adequate data security. A large number of employees could access </ins>the <ins style="font-weight: bold; text-decoration: none;">data, and some </ins>of the <ins style="font-weight: bold; text-decoration: none;">retained data was not needed for anti-fraud checks (such as advertising details and billing addresses)</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>For breaching Articles 5(1)(e), 13, 28 and <del style="font-weight: bold; text-decoration: none;">32 GDPR, in consideration of the </del>[[Article <del style="font-weight: bold; text-decoration: none;">83 </del>GDPR|<del style="font-weight: bold; text-decoration: none;">Article 83 </del>GDPR]] <del style="font-weight: bold; text-decoration: none;">fining factors and together with the data controller’s financial capacity, </del>the CNIL <del style="font-weight: bold; text-decoration: none;">lowered the fine </del>imposed <del style="font-weight: bold; text-decoration: none;">on the data controller from €250</del>,000 <del style="font-weight: bold; text-decoration: none;">initially proposed by </del>the <del style="font-weight: bold; text-decoration: none;">rapporteur to €100,000</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>For breaching <ins style="font-weight: bold; text-decoration: none;">[[Article 5 GDPR#1e|</ins>Articles 5(1)(e)<ins style="font-weight: bold; text-decoration: none;">]]</ins>, <ins style="font-weight: bold; text-decoration: none;">[[Article 13 GDPR|</ins>13<ins style="font-weight: bold; text-decoration: none;">]]</ins>, <ins style="font-weight: bold; text-decoration: none;">[[Article 28 GDPR|</ins>28<ins style="font-weight: bold; text-decoration: none;">]] </ins>and [[Article <ins style="font-weight: bold; text-decoration: none;">32 </ins>GDPR|<ins style="font-weight: bold; text-decoration: none;">32 </ins>GDPR]] the CNIL imposed <ins style="font-weight: bold; text-decoration: none;">a €100</ins>,000 <ins style="font-weight: bold; text-decoration: none;">to </ins>the <ins style="font-weight: bold; text-decoration: none;">controller</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-39834:rev-40022 -->
</table>Nzmhttps://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2023-024&diff=40010&oldid=40006CNIL (France) - SAN-2023-0242024-02-28T08:40:59Z<p>Good summary! I just tweeked a few things so that it would better fit out guidelines and thank you for the comment, it is very interesting!</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:40, 28 February 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l69">Line 69:</td>
<td colspan="2" class="diff-lineno">Line 69:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The French DPA imposed €10 million fine on Yahoo for depositing cookies on data subject’s devices without prior consent and for not <del style="font-weight: bold; text-decoration: none;">allowing </del>the <del style="font-weight: bold; text-decoration: none;">data subjects to withdraw their </del>consent.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The French DPA imposed €10 million fine on Yahoo for depositing cookies on data subject’s devices without prior consent and for not <ins style="font-weight: bold; text-decoration: none;">taking into account </ins>the <ins style="font-weight: bold; text-decoration: none;">withdrawal of </ins>consent.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l76">Line 76:</td>
<td colspan="2" class="diff-lineno">Line 76:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Between 12 June 2019 and 2 October 2020, the French DPA ("CNIL") received 27 complaints, concerning among other things, the deposit of cookies on the data subjects terminals before any action was taken, as well as the failure to take into account their refusal to the deposit of these cookies. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Between 12 June 2019 and 2 October 2020, the French DPA ("CNIL") received 27 complaints, concerning among other things, the deposit of cookies on the data subjects terminals before any action was taken, as well as the failure to take into account their refusal to the deposit of these cookies. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Following these complaints, the CNIL carried out online investigations of the "yahoo.com" website and the "Yahoo mail" messaging service.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Following these complaints, the CNIL carried out online investigations of the "yahoo.com" website and the "Yahoo mail" messaging service<ins style="font-weight: bold; text-decoration: none;">. During these investigations, the CNIL found that at least 20 cookies for advertising purposes had been placed on its terminal even though they had not expressed consent. They also discovered that on the Yahoo page, there was a "Your data. Your experience" window which included an "I accept" and "Manage settings" button. The "Manage settings" button used push buttons which were activated by default. The CNIL did not activate any of the buttons and clicked "Save and continue" but still noted the deposit of 26 cookies, 7 of which were used for advertising purposes. </ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The CNIL also discovered that when a user tried to withdraw their consent, a window was displayed and indicated that "You must accept them to be able to use Verizon Media products. If you disable them, you revoke your consent and will no longer be able to access Verizon Media products, including Yahoo Mail, Yahoo News, Huffington Post, etc." The CNIL clicked on the "Find out more" link where there were questions, such as "What happens if I withdraw my consent to cookies from the privacy dashboard? "and that the answer to this question stated that while "users in the European Union can withdraw this cookie agreement for their account from the privacy dashboard", "withdrawing this agreement will result in blocked access to our products and other Verizon Media sites and applications". During its second inspection, the CNIL also discovered that when browsing on "Yahoo.com" without creating an account, a data subject could revoke their consent from a page entitled "Privacy dashboard and controls (visitors)", but when doing so, a page appeared followed by the words "Are you sure? You will no longer be able to access YAHOO or other Verizon Media products"</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL started a sanctioning procedure on 10 July 2023. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL started a sanctioning procedure on 10 July 2023. </div></td></tr>
<tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l87">Line 87:</td>
<td colspan="2" class="diff-lineno">Line 89:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Secondly, regarding the controllership, the CNIL noted that Article 4(7) applied due to the reference made by Article 2 of the ePrivacy directive. The CNIL considered that the controller indicated in a letter that they determine the purposes and means of the personal data processing, and is therefore a controller. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Secondly, regarding the controllership, the CNIL noted that Article 4(7) applied due to the reference made by Article 2 of the ePrivacy directive. The CNIL considered that the controller indicated in a letter that they determine the purposes and means of the personal data processing, and is therefore a controller. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, concerning the absence of prior consent, Article 82 of the LIL requires consent for operations involving the reading and writing of information on a data subject's terminal. <del style="font-weight: bold; text-decoration: none;">The </del>CNIL <del style="font-weight: bold; text-decoration: none;">noted that </del>during the <del style="font-weight: bold; text-decoration: none;">online investigations, at least 20 cookies for advertising purposes had been placed on their terminal even though they had not expressed </del>consent<del style="font-weight: bold; text-decoration: none;">. They also discovered that on the Yahoo page, there was a "Your data. Your experience" window which included an "I accept" </del>and <del style="font-weight: bold; text-decoration: none;">"Manage settings" button. The "Manage settings" button used push buttons which were activated by default. The CNIL did not activate any of the buttons and clicked "Save and continue" but still noted </del>the deposit of <del style="font-weight: bold; text-decoration: none;">26 </del>cookies<del style="font-weight: bold; text-decoration: none;">, 7 </del>of <del style="font-weight: bold; text-decoration: none;">which </del>were <del style="font-weight: bold; text-decoration: none;">used for advertising purposes</del>. The CNIL therefore considered that numerous cookies requiring prior consent were deposited without collecting prior consent.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>Thirdly, concerning the absence of prior consent, Article 82 of the LIL requires consent for operations involving the reading and writing of information on a data subject's terminal. <ins style="font-weight: bold; text-decoration: none;">Regarding what the </ins>CNIL <ins style="font-weight: bold; text-decoration: none;">found </ins>during <ins style="font-weight: bold; text-decoration: none;">its investigation regarding </ins>the <ins style="font-weight: bold; text-decoration: none;">absence of </ins>consent and the deposit of <ins style="font-weight: bold; text-decoration: none;">advertising </ins>cookies <ins style="font-weight: bold; text-decoration: none;">even though none </ins>of <ins style="font-weight: bold; text-decoration: none;">the buttons </ins>were <ins style="font-weight: bold; text-decoration: none;">activated</ins>. The CNIL therefore considered that numerous cookies requiring prior consent were deposited without collecting prior consent.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL added that regarding cookies deposited by third parties, the French Supreme Administrative Court ruled that site publishers who authorize the deposit and use of such 'cookies' by third parties when their site is visited must also be considered as data controllers. Therefore, the DPA considered that the controller breached Article 82 of the LIL. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The CNIL added that regarding cookies deposited by third parties, the French Supreme Administrative Court ruled that site publishers who authorize the deposit and use of such 'cookies' by third parties when their site is visited must also be considered as data controllers. Therefore, the DPA considered that the controller breached Article 82 of the LIL. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• Was </del>the <del style="font-weight: bold; text-decoration: none;">option to delete cookies presented on site sufficient form </del>of consent <del style="font-weight: bold; text-decoration: none;">withdrawal? </del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Finally, regarding </ins>the <ins style="font-weight: bold; text-decoration: none;">withdrawal </ins>of consent<ins style="font-weight: bold; text-decoration: none;">, the </ins>CNIL <ins style="font-weight: bold; text-decoration: none;">indicated </ins>that <ins style="font-weight: bold; text-decoration: none;">the withdrawal of </ins>consent <ins style="font-weight: bold; text-decoration: none;">must be possible under Article 82 of the LIL. Consent under this Article must be understood within </ins>the <ins style="font-weight: bold; text-decoration: none;">meaning of Article 4</ins>(<ins style="font-weight: bold; text-decoration: none;">11</ins>) <ins style="font-weight: bold; text-decoration: none;">GDPR meaning it </ins>must be <ins style="font-weight: bold; text-decoration: none;">given freely, specifically</ins>, <ins style="font-weight: bold; text-decoration: none;">in an informed and unambiguous manner </ins>and <ins style="font-weight: bold; text-decoration: none;">manifested by a clear positive act</ins>. <ins style="font-weight: bold; text-decoration: none;">The CNIL </ins>noted that <ins style="font-weight: bold; text-decoration: none;">the controller only informed data subjects that the use </ins>of <ins style="font-weight: bold; text-decoration: none;">its </ins>services was <ins style="font-weight: bold; text-decoration: none;">conditional on acceptance of certain cookies during </ins>the <ins style="font-weight: bold; text-decoration: none;">withdrawal process</ins>. <ins style="font-weight: bold; text-decoration: none;">The CNIL considered that linking </ins>the <ins style="font-weight: bold; text-decoration: none;">use of </ins>a <ins style="font-weight: bold; text-decoration: none;">service to the registration </ins>of <ins style="font-weight: bold; text-decoration: none;">cookies that are not strictly necessary for </ins>the <ins style="font-weight: bold; text-decoration: none;">service provided is not in itself illegal</ins>, <ins style="font-weight: bold; text-decoration: none;">under the condition that </ins>consent <ins style="font-weight: bold; text-decoration: none;">is free</ins>, which <ins style="font-weight: bold; text-decoration: none;">implies that both </ins>the <ins style="font-weight: bold; text-decoration: none;">refusal </ins>of consent and <ins style="font-weight: bold; text-decoration: none;">its withdrawal are without prejudice </ins>to the <ins style="font-weight: bold; text-decoration: none;">data subject</ins>.The <ins style="font-weight: bold; text-decoration: none;">CNIL found </ins>that <ins style="font-weight: bold; text-decoration: none;">the absence of alternative offered </ins>by the company <ins style="font-weight: bold; text-decoration: none;">necessarily affects the free nature of </ins>the withdrawal <ins style="font-weight: bold; text-decoration: none;">of consent</ins>. <ins style="font-weight: bold; text-decoration: none;">The DPA also considered </ins>that <ins style="font-weight: bold; text-decoration: none;">despite the presence of buttons allowing </ins>the withdrawal of consent, the <ins style="font-weight: bold; text-decoration: none;">messages that appeared were likely </ins>to <ins style="font-weight: bold; text-decoration: none;">constitute a serious obstacle for data subjects</ins>. <ins style="font-weight: bold; text-decoration: none;">The CNIL </ins>also <ins style="font-weight: bold; text-decoration: none;">observed </ins>that <ins style="font-weight: bold; text-decoration: none;">during </ins>the <ins style="font-weight: bold; text-decoration: none;">user paths it followed</ins>, the <ins style="font-weight: bold; text-decoration: none;">CNIL systematically clicked on buttons </ins>and <ins style="font-weight: bold; text-decoration: none;">tabs with intuitive headings </ins>such as <ins style="font-weight: bold; text-decoration: none;">"Your account"</ins>, <ins style="font-weight: bold; text-decoration: none;">then "General consent" or </ins>"<ins style="font-weight: bold; text-decoration: none;">Find out more</ins>". <ins style="font-weight: bold; text-decoration: none;">Thus, </ins>the <ins style="font-weight: bold; text-decoration: none;">paths followed by </ins>the <ins style="font-weight: bold; text-decoration: none;">delegation during </ins>the <ins style="font-weight: bold; text-decoration: none;">two online checks are </ins>those that <ins style="font-weight: bold; text-decoration: none;">users are most likely to follow </ins>when <ins style="font-weight: bold; text-decoration: none;">they wish to withdraw their consent</ins>. <ins style="font-weight: bold; text-decoration: none;"> </ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>CNIL <del style="font-weight: bold; text-decoration: none;">inspection noted </del>that <del style="font-weight: bold; text-decoration: none;">there option to withdraw </del>consent <del style="font-weight: bold; text-decoration: none;">was displayed a window indicating that </del>the <del style="font-weight: bold; text-decoration: none;">controller "stores cookies </del>(<del style="font-weight: bold; text-decoration: none;">or similar technology</del>) <del style="font-weight: bold; text-decoration: none;">on [the user's] device" as well as a statement specifying: "You </del>must <del style="font-weight: bold; text-decoration: none;">accept them to </del>be <del style="font-weight: bold; text-decoration: none;">able to use Verizon Media products. If you disable them</del>, <del style="font-weight: bold; text-decoration: none;">you revoke your consent </del>and <del style="font-weight: bold; text-decoration: none;">will no longer be able to access Verizon Media products, including Yahoo Mail, Yahoo News, Huffington Post, etc</del>.<del style="font-weight: bold; text-decoration: none;">". ".</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">It was </del>noted <del style="font-weight: bold; text-decoration: none;">also </del>that <del style="font-weight: bold; text-decoration: none;">while a withdrawal </del>of <del style="font-weight: bold; text-decoration: none;">consent was possible, such a withdrawal was associated with being unable to access all Yahoo </del>services<del style="font-weight: bold; text-decoration: none;">. This included being unable to use personal e-mails after withdrawing consent, as this option </del>was <del style="font-weight: bold; text-decoration: none;">not allowed by </del>the <del style="font-weight: bold; text-decoration: none;">company</del>.</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Therefore, while withdrawal was possible, negative consequences suffered by </del>the <del style="font-weight: bold; text-decoration: none;">data subject in such </del>a <del style="font-weight: bold; text-decoration: none;">case (such as deletion </del>of the <del style="font-weight: bold; text-decoration: none;">account</del>, <del style="font-weight: bold; text-decoration: none;">including e-mails) made such withdrawal onerous Company did not provide a way to withdraw </del>consent <del style="font-weight: bold; text-decoration: none;">without encountering serious obstacles</del>, which <del style="font-weight: bold; text-decoration: none;">constituted prejudice in </del>the <del style="font-weight: bold; text-decoration: none;">meaning </del>of <del style="font-weight: bold; text-decoration: none;">art 42 of GDPR.</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Other methods allowing users to withdraw their </del>consent <del style="font-weight: bold; text-decoration: none;">was not immediately obvious </del>and <del style="font-weight: bold; text-decoration: none;">were difficult to access – </del>to the <del style="font-weight: bold; text-decoration: none;">extent where the online inspections didn’t find them at all and CNIL was informed of such options only during the proceedings</del>.</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The <del style="font-weight: bold; text-decoration: none;">fact </del>that <del style="font-weight: bold; text-decoration: none;">a user could use their right to data probability to move such data (including mailing history) to another controllers as raised </del>by the company<del style="font-weight: bold; text-decoration: none;">, was not sufficient to support </del>the <del style="font-weight: bold; text-decoration: none;">claim that </del>withdrawal <del style="font-weight: bold; text-decoration: none;">was possibly without suffering negative consequences</del>. </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Consequently, CNIL concluded </del>that <del style="font-weight: bold; text-decoration: none;">by obstructing </del>the <del style="font-weight: bold; text-decoration: none;">user's </del>withdrawal of <del style="font-weight: bold; text-decoration: none;">his </del>consent, the <del style="font-weight: bold; text-decoration: none;">company has failed </del>to <del style="font-weight: bold; text-decoration: none;">comply with its obligations under Article 82 of the Data Protection Act</del>.</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• To what extent was the Company responsible for cookies belonging to third parties?</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Company noted </del>also that the <del style="font-weight: bold; text-decoration: none;">Commission delegation</del>, <del style="font-weight: bold; text-decoration: none;">during </del>the <del style="font-weight: bold; text-decoration: none;">check, accessed third party site </del>and <del style="font-weight: bold; text-decoration: none;">as </del>such <del style="font-weight: bold; text-decoration: none;">did collect cookies from other entities. </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">As CNIL noted, those cookies were not included in the report on yahoo activities – </del>as <del style="font-weight: bold; text-decoration: none;">the company indeed had no responsibility for their usage. However</del>, <del style="font-weight: bold; text-decoration: none;">the company was responsible for third party cookies on their site. As site publishers who authorize the deposit and use of such </del>"<del style="font-weight: bold; text-decoration: none;">cookies</del>" <del style="font-weight: bold; text-decoration: none;">by third parties when visiting their site must also be considered as data controllers</del>. </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Company also raised a claim concerning </del>the <del style="font-weight: bold; text-decoration: none;">amount of possible fine. It noted that, given </del>the <del style="font-weight: bold; text-decoration: none;">lengthy proceedings, it was placed in an unfavourable situation, where </del>the <del style="font-weight: bold; text-decoration: none;">fine, as imposed based on turnover rate for 2022, would be significantly higher that if it was based on turnover for 2020.</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">CNIL however did not heed </del>those <del style="font-weight: bold; text-decoration: none;">claims, noting </del>that <del style="font-weight: bold; text-decoration: none;">the fine shall be calculated taking into account the worldwide annual turnover for the previous financial year taking into account </del>when <del style="font-weight: bold; text-decoration: none;">the decision is reached, regardless of its possible rise during the proceedings</del>.</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The CNIL therefore concluded that the controller breached Article 82 of the LIL and imposed a €10 million fine. </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Comment ==</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>This is another decision concerning cookies <del style="font-weight: bold; text-decoration: none;">made </del>by CNIL, reflecting the focus of DPA on this issue. <del style="font-weight: bold; text-decoration: none;">Decision was </del>similar to CNIL (France) - SAN-2020-012, concerning Google as far as it underlines the complementary nature of GDPR and national provisions as they result from the transposition of the ePrivacy <del style="font-weight: bold; text-decoration: none;">Directiv</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>This is another decision concerning cookies <ins style="font-weight: bold; text-decoration: none;">taken </ins>by <ins style="font-weight: bold; text-decoration: none;">the </ins>CNIL, reflecting the focus of <ins style="font-weight: bold; text-decoration: none;">the </ins>DPA on this issue. <ins style="font-weight: bold; text-decoration: none;">This decision is </ins>similar to <ins style="font-weight: bold; text-decoration: none;">[https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2020-012 </ins>CNIL (France) - SAN-2020-012,<ins style="font-weight: bold; text-decoration: none;">] </ins>concerning Google as far as it underlines the complementary nature of GDPR and national provisions as they result from the transposition of the ePrivacy <ins style="font-weight: bold; text-decoration: none;">Directive</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Lengthy proceedings are of note, as they were significantly longer than those in case of others (such as Google decision).</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Lengthy proceedings are of note, as they were significantly longer than those in case of others (such as Google decision).</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-40006:rev-40010 -->
</table>Nzmhttps://gdprhub.eu/index.php?title=CNIL_(France)&diff=40009&oldid=25493CNIL (France)2024-02-27T22:52:57Z<p><span dir="auto"><span class="autocomment">Known Problems</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 22:52, 27 February 2024</td>
</tr><tr><td colspan="4" class="diff-multi" lang="en">(2 intermediate revisions by the same user not shown)</td></tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l73">Line 73:</td>
<td colspan="2" class="diff-lineno">Line 73:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Known Problems===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===Known Problems===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>*The CNIL takes the view that the data subject is not a party to a complaints procedure.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>*The CNIL takes the view that the data subject is not a party to a complaints procedure<ins style="font-weight: bold; text-decoration: none;">. It only informs the data subject about the status of its complaint ("waiting", "in process" or "closed") althrough the complainant can send an access request according to Article 15 GDPR to the CNIL DPO to get more informations. CNIL is known to be slow to answer such request and often respond just before the deadline of 1 month. That means that if you want to appeal a decision, you've only one month to do so as there's a delay of 2 month after the closure of a complaint for it to be appealed, and the first month is dedicated to waiting for the DPO answer</ins>.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>''You can help us filling this section!''</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>''You can help us filling this section!''</div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-25493:rev-40009 -->
</table>2A01:E0A:4A1:7090:F0B2:ECD0:2640:D94https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2023-024&diff=40006&oldid=39840CNIL (France) - SAN-2023-0242024-02-27T16:59:41Z<p></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 16:59, 27 February 2024</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l69">Line 69:</td>
<td colspan="2" class="diff-lineno">Line 69:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The French DPA <del style="font-weight: bold; text-decoration: none;">(Commission Nationale de l’Informatique et des Libertés – CNIL) </del>imposed <del style="font-weight: bold; text-decoration: none;">a sanction </del>on Yahoo <del style="font-weight: bold; text-decoration: none;">EMEA Limited for a total amount of €10 million </del>for depositing cookies on <del style="font-weight: bold; text-decoration: none;">user’s device </del>without prior consent and not allowing the <del style="font-weight: bold; text-decoration: none;">users </del>to withdraw their consent.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The French DPA imposed <ins style="font-weight: bold; text-decoration: none;">€10 million fine </ins>on Yahoo for depositing cookies on <ins style="font-weight: bold; text-decoration: none;">data subject’s devices </ins>without prior consent and <ins style="font-weight: bold; text-decoration: none;">for </ins>not allowing the <ins style="font-weight: bold; text-decoration: none;">data subjects </ins>to withdraw their consent.</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== English Summary ==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Facts ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Case concerned the functioning of sites </del>and <del style="font-weight: bold; text-decoration: none;">services under </del>the <del style="font-weight: bold; text-decoration: none;">brand of Yahoo. Sites and services belonged first to Verizon Group</del>, of <del style="font-weight: bold; text-decoration: none;">which </del>the <del style="font-weight: bold; text-decoration: none;">parent company Verzion Communications Inc. is located in the United States. Its subsidiary in France is Oath Brands (France)</del>, <del style="font-weight: bold; text-decoration: none;">formerly known </del>as <del style="font-weight: bold; text-decoration: none;">Yahoo France. Another if its subsidiaries is Yahoo EMEA Limited, formerly known </del>as <del style="font-weight: bold; text-decoration: none;">Verizon Media EMEA Limited. Yahoo France was not a direct subsidiary </del>of <del style="font-weight: bold; text-decoration: none;">Yahoo EMEA Limited</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Between 12 June 2019 </ins>and <ins style="font-weight: bold; text-decoration: none;">2 October 2020, </ins>the <ins style="font-weight: bold; text-decoration: none;">French DPA ("CNIL") received 27 complaints, concerning among other things</ins>, <ins style="font-weight: bold; text-decoration: none;">the deposit </ins>of <ins style="font-weight: bold; text-decoration: none;">cookies on </ins>the <ins style="font-weight: bold; text-decoration: none;">data subjects terminals before any action was taken</ins>, as <ins style="font-weight: bold; text-decoration: none;">well </ins>as <ins style="font-weight: bold; text-decoration: none;">the failure to take into account their refusal to the deposit </ins>of <ins style="font-weight: bold; text-decoration: none;">these cookies</ins>. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Verizon Group operated </del>the <del style="font-weight: bold; text-decoration: none;">domain </del>"yahoo.com" and the <del style="font-weight: bold; text-decoration: none;">messaging service </del>"Yahoo mail" . <del style="font-weight: bold; text-decoration: none;">In a period of 16 months - Between 12 June 2019 and 2 October 202 0- CNIL has received 27 complaints concerning the method in which the website managed cookies. Complaints concerned the deposition of cookies on their terminals prior to any action being taken, failure to take account of their refusal to deposit these cookies, and the procedures for refusing cookies.</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Following these complaints, the CNIL carried out online investigations of </ins>the "yahoo.com" <ins style="font-weight: bold; text-decoration: none;">website </ins>and the "Yahoo mail" <ins style="font-weight: bold; text-decoration: none;">messaging service</ins>.</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Following the complaints, </del>CNIL <del style="font-weight: bold; text-decoration: none;">launched investigation into the functioning of the domain and mailing service, in the form of two online inspections, carried out </del>on <del style="font-weight: bold; text-decoration: none;">7 October 2020 and </del>10 <del style="font-weight: bold; text-decoration: none;">June 2021. Proceedings and exchange of information concerning the cookies lasted until </del>2023.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div> </div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The </ins>CNIL <ins style="font-weight: bold; text-decoration: none;">started a sanctioning procedure </ins>on 10 <ins style="font-weight: bold; text-decoration: none;">July </ins>2023. </div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=== Holding ===</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Dispute:</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Firstly, regarding the material scope of the CNIL's jurisdiction, </ins>the DPA <ins style="font-weight: bold; text-decoration: none;">indicated that with regard </ins>to <ins style="font-weight: bold; text-decoration: none;">a Conseil d'Etat decision, the </ins>control <ins style="font-weight: bold; text-decoration: none;">of operations </ins>to <ins style="font-weight: bold; text-decoration: none;">access or register information in </ins>the <ins style="font-weight: bold; text-decoration: none;">terminals of users </ins>in <ins style="font-weight: bold; text-decoration: none;">France </ins>of <ins style="font-weight: bold; text-decoration: none;">an electronic communications service, even when proceeding from cross-border processing, falls within </ins>the <ins style="font-weight: bold; text-decoration: none;">jurisdiction </ins>of the <ins style="font-weight: bold; text-decoration: none;">CNIL and </ins>the <ins style="font-weight: bold; text-decoration: none;">one-stop shop mechanism provided </ins>by <ins style="font-weight: bold; text-decoration: none;">the GDPR is not applicable. Therefore, </ins>the CNIL considered that <ins style="font-weight: bold; text-decoration: none;">they are competent to monitor and initiate sanctioning proceedings concerning </ins>the <ins style="font-weight: bold; text-decoration: none;">processing implemented by </ins>the <ins style="font-weight: bold; text-decoration: none;">controller </ins>as <ins style="font-weight: bold; text-decoration: none;">it fell within </ins>the <ins style="font-weight: bold; text-decoration: none;">scope </ins>of the <ins style="font-weight: bold; text-decoration: none;">ePrivacy directive</ins>. </div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• Is </del>the <del style="font-weight: bold; text-decoration: none;">French </del>DPA <del style="font-weight: bold; text-decoration: none;">territorially competent </del>to control <del style="font-weight: bold; text-decoration: none;">and sanction? </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• Was the Company under the obligation </del>to <del style="font-weight: bold; text-decoration: none;">follow requirements regarding cookies?</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• Were cookies placed on </del>the <del style="font-weight: bold; text-decoration: none;">user's terminal </del>in <del style="font-weight: bold; text-decoration: none;">the absence </del>of <del style="font-weight: bold; text-decoration: none;">prior consent?</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• Was </del>the <del style="font-weight: bold; text-decoration: none;">option to delete cookies presented on site sufficient form </del>of <del style="font-weight: bold; text-decoration: none;">consent withdrawal? </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• To what extent was </del>the <del style="font-weight: bold; text-decoration: none;">Company responsible for cookies belonging to third parties?</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• Is </del>the <del style="font-weight: bold; text-decoration: none;">French DPA territorially competent to control and sanction? </del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">The first issue analysed </del>by the CNIL considered <del style="font-weight: bold; text-decoration: none;">its territorial jurisdiction. Yahoo EMEA Limited maintained </del>that the <del style="font-weight: bold; text-decoration: none;">company Yahoo France who was operator of </del>the <del style="font-weight: bold; text-decoration: none;">sites in question, is a distinct legal entity, not under direct control or ownership of Yahoo EMEA Limited and cannot be considered </del>as <del style="font-weight: bold; text-decoration: none;">its establishment. in </del>the <del style="font-weight: bold; text-decoration: none;">meaning of the Weltimmo decision of the Court of Justice </del>of the <del style="font-weight: bold; text-decoration: none;">European Union</del>. </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Here </del>the CNIL <del style="font-weight: bold; text-decoration: none;">referenced CJEU opinion </del>that <del style="font-weight: bold; text-decoration: none;">notion </del>of <del style="font-weight: bold; text-decoration: none;">establishment must be assessed flexibly. Functions </del>carried out <del style="font-weight: bold; text-decoration: none;">by Yahoo France – justified it being considered </del>as an establishment of <del style="font-weight: bold; text-decoration: none;">Yahoo EMEA Limited</del>. <del style="font-weight: bold; text-decoration: none;">The decisive links in this case were as follows:</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Regarding the territorial scope of the CNIL's jurisdiction, </ins>the CNIL <ins style="font-weight: bold; text-decoration: none;">indicated </ins>that <ins style="font-weight: bold; text-decoration: none;">under Article 82 </ins>of <ins style="font-weight: bold; text-decoration: none;">the law "Informatique et Libertés" ("LIL"), they are competent, as the processing in this case was </ins>carried out as <ins style="font-weight: bold; text-decoration: none;">part of the activities of </ins>an establishment of <ins style="font-weight: bold; text-decoration: none;">the controller on the French territory</ins>. <ins style="font-weight: bold; text-decoration: none;">In particular, the CNIL took into account the </ins>purpose of <ins style="font-weight: bold; text-decoration: none;">the controller, which is, among other things, "to promote </ins>Yahoo<ins style="font-weight: bold; text-decoration: none;">'s advertising </ins>products and solutions <ins style="font-weight: bold; text-decoration: none;">on the French market (...)"</ins>. <ins style="font-weight: bold; text-decoration: none;">Therefore</ins>, <ins style="font-weight: bold; text-decoration: none;">the CNIL </ins>concluded <ins style="font-weight: bold; text-decoration: none;">that the processing consisting of operations to access or record information in the terminal of data subjects residing in </ins>France, <ins style="font-weight: bold; text-decoration: none;">when browsing "yahoo.com" or using </ins>the <ins style="font-weight: bold; text-decoration: none;">"Yahoo mail </ins>service<ins style="font-weight: bold; text-decoration: none;">" is carried out in the context </ins>of the <ins style="font-weight: bold; text-decoration: none;">activities of </ins>Yahoo France<ins style="font-weight: bold; text-decoration: none;">. Thus</ins>, <ins style="font-weight: bold; text-decoration: none;">the CNIL found that French law is applicable</ins>, <ins style="font-weight: bold; text-decoration: none;">and that </ins>the <ins style="font-weight: bold; text-decoration: none;">CNIL is materially and territorially competent</ins>.</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• Statues of Yahoo France indicated that its </del>purpose <del style="font-weight: bold; text-decoration: none;">was promotion </del>of Yahoo products and <del style="font-weight: bold; text-decoration: none;">advertising </del>solutions.</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• To this effect</del>, <del style="font-weight: bold; text-decoration: none;">contract has been </del>concluded <del style="font-weight: bold; text-decoration: none;">between Yahoo </del>France <del style="font-weight: bold; text-decoration: none;">and Yahoo EMEA Limited</del>, <del style="font-weight: bold; text-decoration: none;">according to which </del>the <del style="font-weight: bold; text-decoration: none;">first acts as a </del>service <del style="font-weight: bold; text-decoration: none;">provider on behalf </del>of the <del style="font-weight: bold; text-decoration: none;">second i</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• While </del>Yahoo France <del style="font-weight: bold; text-decoration: none;">was not directly owned by Yahoo EMEA Limited</del>, <del style="font-weight: bold; text-decoration: none;">it was controlled by a holding company</del>, <del style="font-weight: bold; text-decoration: none;">established by Verizon Media Netherlands BV, which was also </del>the <del style="font-weight: bold; text-decoration: none;">owner of Yahoo EMEA Limited</del>.</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• Was </del>the <del style="font-weight: bold; text-decoration: none;">Company under </del>the <del style="font-weight: bold; text-decoration: none;">obligation </del>to <del style="font-weight: bold; text-decoration: none;">follow requirements regarding cookies?</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Secondly, regarding </ins>the <ins style="font-weight: bold; text-decoration: none;">controllership, </ins>the <ins style="font-weight: bold; text-decoration: none;">CNIL noted that Article 4(7) applied due </ins>to <ins style="font-weight: bold; text-decoration: none;">the reference made by Article 2 of the ePrivacy directive. The CNIL considered that the controller indicated in a letter that they determine the purposes and means of the personal data processing, and is therefore a controller. </ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">In this regard</del>, the <del style="font-weight: bold; text-decoration: none;">contested issue was also </del>the <del style="font-weight: bold; text-decoration: none;">question </del>of <del style="font-weight: bold; text-decoration: none;">which requirements were binding upon the Company</del>. <del style="font-weight: bold; text-decoration: none;">Yahoo </del>noted that the online, <del style="font-weight: bold; text-decoration: none;">inspection </del>on <del style="font-weight: bold; text-decoration: none;">7 October 2020 was carried out only several days after CNIL guidelines </del>on <del style="font-weight: bold; text-decoration: none;">cookies were published on 1 October 2020</del>, and <del style="font-weight: bold; text-decoration: none;">during the transition period of 6 months in </del>which <del style="font-weight: bold; text-decoration: none;">the guidelines </del>were <del style="font-weight: bold; text-decoration: none;">supposed to take effect. As such, It was under no obligation at the time to follow the rules set forth in those guidelines</del>.</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Thirdly</ins>, <ins style="font-weight: bold; text-decoration: none;">concerning </ins>the <ins style="font-weight: bold; text-decoration: none;">absence of prior consent, Article 82 of the LIL requires consent for operations involving </ins>the <ins style="font-weight: bold; text-decoration: none;">reading and writing </ins>of <ins style="font-weight: bold; text-decoration: none;">information on a data subject's terminal</ins>. <ins style="font-weight: bold; text-decoration: none;">The CNIL </ins>noted that <ins style="font-weight: bold; text-decoration: none;">during </ins>the online <ins style="font-weight: bold; text-decoration: none;">investigations</ins>, <ins style="font-weight: bold; text-decoration: none;">at least 20 cookies for advertising purposes had been placed </ins>on <ins style="font-weight: bold; text-decoration: none;">their terminal even though they had not expressed consent. They also discovered that </ins>on <ins style="font-weight: bold; text-decoration: none;">the Yahoo page</ins>, <ins style="font-weight: bold; text-decoration: none;">there was a "Your data. Your experience" window which included an "I accept" </ins>and <ins style="font-weight: bold; text-decoration: none;">"Manage settings" button. The "Manage settings" button used push buttons </ins>which were <ins style="font-weight: bold; text-decoration: none;">activated by default</ins>. <ins style="font-weight: bold; text-decoration: none;">The </ins>CNIL <ins style="font-weight: bold; text-decoration: none;">did not activate any of </ins>the <ins style="font-weight: bold; text-decoration: none;">buttons and clicked "Save and continue" but still noted </ins>the <ins style="font-weight: bold; text-decoration: none;">deposit </ins>of <ins style="font-weight: bold; text-decoration: none;">26 cookies, 7 </ins>of which <ins style="font-weight: bold; text-decoration: none;">were used for advertising purposes</ins>. <ins style="font-weight: bold; text-decoration: none;">The CNIL therefore considered that numerous </ins>cookies <ins style="font-weight: bold; text-decoration: none;">requiring prior consent were deposited without collecting </ins>prior consent<ins style="font-weight: bold; text-decoration: none;">.</ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">Here the </del>CNIL <del style="font-weight: bold; text-decoration: none;">replied that a transition period was indeed introduced. However </del>the <del style="font-weight: bold; text-decoration: none;">practices on site were violating also </del>the <del style="font-weight: bold; text-decoration: none;">older recommendations </del>of <del style="font-weight: bold; text-decoration: none;">2013(deliberation no. 2013-378 </del>of <del style="font-weight: bold; text-decoration: none;">December 5, 2013) and as such couldn’t benefit from transitory period, as the company was already in breach </del>which <del style="font-weight: bold; text-decoration: none;">had continuous nature</del>. </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">• Were </del>cookies <del style="font-weight: bold; text-decoration: none;">placed on the user's terminal in the absence of </del>prior consent<del style="font-weight: bold; text-decoration: none;">?</del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">During the online checks carried out on October 7, 2020, , the </del>CNIL <del style="font-weight: bold; text-decoration: none;">noted </del>that <del style="font-weight: bold; text-decoration: none;">at least 20 </del>cookies <del style="font-weight: bold; text-decoration: none;">were </del>deposited, <del style="font-weight: bold; text-decoration: none;">pursuing a purpose requiring </del>the <del style="font-weight: bold; text-decoration: none;">user to have previously given consent – without any action.</del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">The </ins>CNIL <ins style="font-weight: bold; text-decoration: none;">added </ins>that <ins style="font-weight: bold; text-decoration: none;">regarding </ins>cookies deposited <ins style="font-weight: bold; text-decoration: none;">by third parties</ins>, the <ins style="font-weight: bold; text-decoration: none;">French Supreme Administrative Court ruled that site publishers who authorize </ins>the deposit <ins style="font-weight: bold; text-decoration: none;">and use </ins>of <ins style="font-weight: bold; text-decoration: none;">such '</ins>cookies<ins style="font-weight: bold; text-decoration: none;">' by third parties when their site is visited </ins>must <ins style="font-weight: bold; text-decoration: none;">also </ins>be <ins style="font-weight: bold; text-decoration: none;">considered as data controllers</ins>. <ins style="font-weight: bold; text-decoration: none;">Therefore, </ins>the <ins style="font-weight: bold; text-decoration: none;">DPA considered that </ins>the <ins style="font-weight: bold; text-decoration: none;">controller breached Article 82 </ins>of the <ins style="font-weight: bold; text-decoration: none;">LIL</ins>. </div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;">In this context, the CNIL recalled on provisions of Article 82 of </del>the <del style="font-weight: bold; text-decoration: none;">French Data Protection Act, according to which any </del>deposit of cookies <del style="font-weight: bold; text-decoration: none;">or tracers </del>must be <del style="font-weight: bold; text-decoration: none;">preceded by the information and consent of users</del>. <del style="font-weight: bold; text-decoration: none;">This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means or which are strictly necessary for </del>the <del style="font-weight: bold; text-decoration: none;">provision of an online communication service at </del>the <del style="font-weight: bold; text-decoration: none;">express request </del>of the <del style="font-weight: bold; text-decoration: none;">user</del>.</div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>• Was the option to delete cookies presented on site sufficient form of consent withdrawal? </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>• Was the option to delete cookies presented on site sufficient form of consent withdrawal? </div></td></tr>
<!-- diff cache key gdprwiki:diff::1.12:old-39840:rev-40006 -->
</table>Nzm