CNIL (France) - SAN-2021-008
Revision as of 13:02, 23 June 2021
| Field | Value |
|---|---|
| Authority | CNIL (France) |
| Jurisdiction | France |
| Relevant Law | Article 5(1)(e) GDPR; Article 13 GDPR; Article 17 GDPR; Article 32 GDPR; Article 82 Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés; Article L34-5 Code des postes et des communications électroniques |
| Type | Investigation |
| Outcome | Violation Found |
| Started | n/a |
| Decided | 14.06.2021 |
| Published | 17.06.2021 |
| Fine | 500,000 EUR |
| Parties | n/a |
| National Case Number/Name | SAN-2021-008 |
| European Case Law Identifier | n/a |
| Appeal | n/a |
| Original Language(s) | French |
| Original Source | Légifrance (in FR) |
| Initial Contributor | n/a |
The CNIL fined a bricolage company a total of €500,000 for violating Articles 5(1)(e), 13, 17, and 32 GDPR and for infringing national provisions concerning cookies and unsolicited commercial communications.
English Summary
Facts
On 13 November 2018, the French DPA (CNIL) carried out an inspection at the premises of Brico Privé, a bricolage company, to examine the company's data retention periods, the information it provides to data subjects, its compliance with requests for the deletion of personal data, its data security, and its compliance with the obligation to obtain data subjects' consent before sending them commercial prospecting by e-mail.
In order to complete its investigations, the CNIL carried out an online inspection of all processing accessible from the bricoprive.com domain on 6 February 2020.
On 13 January 2021, as the company indicated that changes had been made to the methods of depositing cookies, a delegation from the CNIL carried out a new investigation of any processing accessible from the bricoprive.com domain in order to update the findings made on 6 February 2020.
Holding
The CNIL found that the controller had violated Articles 5(1)(e), 13, 17 and 32 GDPR by failing to comply with the obligation to determine and implement data retention periods, failing to inform web visitors about processing activities, failing to comply with the request for erasure of data, and failing to ensure appropriate security measures regarding authentication on the website and on the customer relationship management software used by the company's employees.
The CNIL also found that the controller had violated national provisions concerning cookies and unsolicited commercial communications.
With regard to Article 5(1)(e), the DPA found that the company did not have a retention policy in place for the deletion of data. The company still held data from accounts that had been inactive for as long as five years.
With regard to Article 13, the controller did not provide on its website information such as the contact details of the data protection officer, the retention periods, the legal bases for processing, and certain rights that individuals enjoy under the GDPR.
With regard to Article 17, the company did not delete the data when users requested the deletion of their account, but only deactivated the accounts, which prevented the person from logging in to the account and ended unsolicited commercial communications.
With regard to Article 32, the DPA found that the level of data security was insufficient to meet requirements concerning the robustness of passwords, both for users and for employees.
With regard to cookies, the DPA found that several cookies that did not fall within the scope of the exceptions (necessary cookies) were placed on the user's terminal as soon as they arrived on the home page of the site, before any action on their part.
Additionally, the company was sending unsolicited commercial communications for commercial purposes to users who had created an account, without obtaining their consent.
Therefore, the CNIL fined Brico Privé €300,000 for violating articles 5(1)(e), 13, 17 and 32 GDPR and €200,000 for violating article 82 of loi n° 78-17 du 6 janvier 1978 modifiée relative à l'informatique, aux fichiers et aux libertés and Article L.34-5 du code des postes et des communications électroniques (CPCE).
The CNIL also ordered the controller to bring its processing operations into compliance with the obligations resulting from articles 5(1)(e) GDPR and article L. 34-5 of the CPCE, and in particular:
- to cease to retain the personal data of former customers at the end of a set period of inactivity and proceed with the purging of such data retained by the company,
- to provide evidence of an intermediate archiving procedure for customers' personal data, established after sorting out the relevant data to be stored and deleting irrelevant data, as well as the starting point of such storage (e.g. for invoices stored for accounting purposes),
- to cease unsolicited commercial communications to users who have not given their consent.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.