CNIL (France) - SAN-2021-013: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL (France) |DPA_With_Country=CNIL (France) |Case_Number_Name=SAN-2021-013 |ECLI=...")
 
No edit summary
 
(4 intermediate revisions by 3 users not shown)
Line 20: Line 20:
|Date_Published=29.07.2021
|Date_Published=29.07.2021
|Year=2021
|Year=2021
|Fine=50
|Fine=50000
|Currency=EUR
|Currency=EUR


Line 45: Line 45:


|Initial_Contributor=rem
|Initial_Contributor=rem
|
|}}
}}


The French DPA imposed an administrative fine of €50,000 on a press company for failing to comply with its obligations to inform and obtain consent from individuals with regard to cookies and other tracers on its website.
The French DPA fined a publisher €50,000 for failing to comply with its obligations to inform and obtain consent from individuals regarding cookies and other trackers on its website.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
This decision follows a complaint received by the French DPA (CNIL) on 16 August 2018 from an user of the company's website, in which was reported the deposit of cookies on her terminal without her consent and prior to any action.
This decision follows a complaint received by the French DPA (CNIL) on 16 August 2018 from a user of the Société du Figaro's website, a publisher, in which was reported the installation of cookies on their terminal without their consent and prior to any action.


The DPA therefore conducted five online inspections of the website between 14 January 2020 and 1 June 2021.  
The DPA therefore conducted five online inspections of the website between 14 January 2020 and 1 June 2021.  


During the first two operations, the CNIL carried out verifications on:  
During the first two operations, the DPA carried out a verification on:  
- The nature of the cookies;
- The purpose of each of the cookie;
- The information provided to users;
- The system put in place so that the user can refuse the deposit when browsing on the home page of the website.


Then, the DPA also verified the consequences for the user of navigating to another page of the website after having refused the deposit of cookies on arrival on the website.  
* The nature of the cookies;
* The purpose of each of the cookie;
* The information provided to users;
* The system put in place so that the user can refuse the installation when browsing on the home page of the website.


=== Dispute ===
Then, the DPA also verified the consequences for the user of navigating to another page of the website after having refused the installation of cookies on arrival on the website.
=== Holding ===
First, the DPA stated that the scope of responsibility of the controller regarding cookies on its website exists in the form of an obligation of means to ensure that its partners do not, via its website, install cookies in violation of the applicable law.


In addition, the DPA found out that cookies were installed on a user's terminal as soon as they arrived on the website's home page, before they could express their choice, and even if they had expressed a refusal in the event of navigation to another page of the site.


=== Holding ===
Consequently, the DPA held that the controller had breached its obligations regarding consent and information about cookies on its website by:
First, the DPA stated that the scope of responsibility of the controller regarding cookies on its website exists in the form of an obligation of means to ensure that its partners do not, via its website, deposit cookies in violation of the regulations applicable.


In addition, the DPA found out that cookies could be deposited on a user's terminal as soon as they arrived on the website's home page, before they could express their choice, and even if they had expressed a refusal in the event of navigation to another page of the site.  
* allowing cookies to be installed on users' terminals before any action on their part;
* making their refusal ineffective;
* failing to ensure that its partners do not emit, via its site, cookies that do not comply with the applicable regulations;
* failing to take the necessary steps to put an end to the breach observed.


Consequently, the DPA held that the controller had breached its obligations regarding consent and information about cookies on its website by :
The DPA fined the controller €50,000.
- allowing cookies to be deposited on users' terminals before any action on their part;
- making their refusal ineffective;
- failing to ensure that its partners do not emit, via its site, cookies that do not comply with the applicable regulations;
- failing to take the necessary steps to put an end to the breach observed.


== Comment ==
== Comment ==

Latest revision as of 14:36, 11 August 2021

CNIL (France) - SAN-2021-013
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law:
Article 82 Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.07.2021
Published: 29.07.2021
Fine: 50000 EUR
Parties: Société du Figaro
National Case Number/Name: SAN-2021-013
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: rem

The French DPA fined a publisher €50,000 for failing to comply with its obligations to inform and obtain consent from individuals regarding cookies and other trackers on its website.

English Summary

Facts

This decision follows a complaint received by the French DPA (CNIL) on 16 August 2018 from a user of the Société du Figaro's website, a publisher, in which was reported the installation of cookies on their terminal without their consent and prior to any action.

The DPA therefore conducted five online inspections of the website between 14 January 2020 and 1 June 2021.

During the first two operations, the DPA carried out a verification on:

  • The nature of the cookies;
  • The purpose of each of the cookie;
  • The information provided to users;
  • The system put in place so that the user can refuse the installation when browsing on the home page of the website.

Then, the DPA also verified the consequences for the user of navigating to another page of the website after having refused the installation of cookies on arrival on the website.

Holding

First, the DPA stated that the scope of responsibility of the controller regarding cookies on its website exists in the form of an obligation of means to ensure that its partners do not, via its website, install cookies in violation of the applicable law.

In addition, the DPA found out that cookies were installed on a user's terminal as soon as they arrived on the website's home page, before they could express their choice, and even if they had expressed a refusal in the event of navigation to another page of the site.

Consequently, the DPA held that the controller had breached its obligations regarding consent and information about cookies on its website by:

  • allowing cookies to be installed on users' terminals before any action on their part;
  • making their refusal ineffective;
  • failing to ensure that its partners do not emit, via its site, cookies that do not comply with the applicable regulations;
  • failing to take the necessary steps to put an end to the breach observed.

The DPA fined the controller €50,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.