CNIL (France) - SAN-2024-014

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 9 GDPR
Article L.34-5 Code des postes et des communications électroniques
Type: Investigation
Outcome: Violation Found
Started: 15.11.2021
Decided: 26.09.2024
Published: 10.10.2024
Fine: 250,000 EUR
Parties: n/a
National Case Number/Name: SAN-2024-014
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: ao

The French DPA (CNIL) fined a remote psychic services provider €250,000 for excessive data retention, systematic recording of telephone consultations, failure to obtain data subjects' explicit consent before processing sensitive data disclosed during recorded consultation sessions, and deficient marketing consent notices.

English Summary

Facts

The controller provided remote psychic services via telephone, online chat or text message, including personalised consultations offered on some of its websites. In order to promote their services, the controller and its partner sent marketing messages to existing and prospective customers via e-mail and text message. Prospective customers' contact details were obtained through a contact form on either of the two companies' websites. The controller and its partner set up a shared database for their marketing purposes which, on 6 October 2022, contained personal data of more than 1.5 million people.

On 15 November 2021, the French DPA (Commission Nationale de l'Informatique et des Libertés - CNIL) carried out an online check of five websites run by the controller or its partner. An on-site inspection was also carried out on 7 and 8 December 2021 at the premises of the two companies. The findings of the investigation were as follows:

1) Data retention period proportionate to the purpose of processing under Article 5(1)(e) GDPR

The controller retained the data of its customers for a period of six years after the end of the commercial relationship.

2) Processing limited to necessary data under Article 5(1)(c) GDPR

The controller systematically recorded all telephone conversations: half of the recordings were deleted by the end of the day and the other half were stored for six years. The controller argued that this was necessary in order to respond to possible judicial investigations, as well as for training and quality control purposes.

3) Prior consent to the processing of special category data under Article 9 GDPR

Through its partner's website, the controller gained access to data comprising the data subjects' sex, date, time and city of birth and e-mail address, as well as the sex and date of birth of their partner. During the remote consultations, customers may disclose a wide range of personal information, including sensitive data. The controller argued that this sensitive data was not processed but merely recorded.

4) Processing for marketing purposes under Article L.34-5 of the French Post and Electronic Communications Code (Article L.34-5 Code des postes et des communications électroniques)

The notice included on the contact form did not name the controller, nor did it list the other third parties with whom the data was shared. While users could follow a link which provided some additional information, this link was located much further down on the form, and the information behind it did not mention commercial advertising at all.

During the proceedings the controller changed the format of the contact form to include a very small, unintelligible character attached to a word on the form. A click on this character led to a footnote, not visible on the original form, which named the controller as the sender of marketing messages.

The controller argued that it would be impossible to provide data subjects with a comprehensive list of recipients as this would breach contractual confidentiality clauses.

Holding

1) Data retention proportionate to the purpose of processing under Article 5(1)(e) GDPR

The CNIL clarified that while the controller must comply with judicial requests for data, it would not face any criminal sanction for having deleted data that was no longer necessary for its specified purposes. The CNIL therefore did not accept the controller's justification for the six-year retention period.

Since the data was collected for a specific purpose, the management of the commercial relationship, the CNIL held that as soon as that purpose is fulfilled the controller must separate the data concerned from the active database. The practice of systematically keeping all customer data in an active database, without any differentiation or archiving policy, therefore constituted a violation of Article 5(1)(e) GDPR. For the management of commercial relationships, the CNIL recommended a maximum retention period of three years after the end of the commercial relationship.

2) Processing limited to necessary data under Article 5(1)(c) GDPR

The CNIL stated that the systematic recording of all telephone calls was excessive and that recording a sample of calls would be sufficient for quality control and training purposes.

3) Prior consent to the processing of special category data under Article 9 GDPR

The CNIL pointed out that the mere act of recording the conversations, storing some and deleting others at the end of the day, falls under the definition of processing in Article 4(2) GDPR, and therefore rejected the controller's argument. It further noted that the company did not provide data subjects with any specific information on the collection and processing of the data entered into the website form and did not explicitly collect their consent to that processing, contrary to the requirements for valid consent under Article 4(11) GDPR. Similarly, in the context of chat or text consultations, no information on the processing of such data was provided and no explicit consent was collected as required under Article 9(2)(a) GDPR.

The CNIL therefore found a violation of Article 9 GDPR, as the mere willingness to enter information into a form or to share personal information through the chat options does not amount to fully informed, explicit consent to the processing of this sensitive data.

4) Processing for marketing purposes under Article L.34-5 of the French Post and Electronic Communications Code (Article L.34-5 Code des postes et des communications électroniques)

The CNIL stated that the changes made to the form still did not meet the required standard, namely that the data subject must be able to easily access a clear description of the marketing purposes and of the partners concerned, as required by the French provision.

5) Conclusion and setting the fine

The CNIL concluded that the controller had violated Article 5(1)(e) and (c) GDPR, Article 9 GDPR and Article L.34-5 of the French Post and Electronic Communications Code (Article L.34-5 Code des postes et des communications électroniques). With reference to the controller's annual turnover, a €200,000 fine was imposed for the breaches of Articles 5(1)(e) and (c) and Article 9 GDPR, and a €50,000 fine for the breach of Article L.34-5 of the French Post and Electronic Communications Code.

Comment

The CNIL issued a separate decision regarding the controller's partner on the same day.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.