CNIL (France) - 2c1s196162814: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=2c1s196162814 |ECLI=EDPBI:FR...")
 
(added what the outcome of the first complaint was, fixed typos and changed order in the holding)
 
(8 intermediate revisions by 2 users not shown)
Line 73: Line 73:
}}
}}


In an Article 60 procedure, The French DPA decided three complaints regarding one controller. Among other violations, the controller did not respond to access requests in time, did not provide information and did not take necessary measures to only.
In an [[Article 60 GDPR|Article 60]] procedure, the French DPA covered three complaints regarding a consumer credit provider. Among other violations, the controller did not respond to access requests in time and had a retention period of 6 years for anti-money laundering purposes, while French law only required 5 years.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
This decision by the French DPA consisted of several complaints by different data subjects regarding the same controller. The nature of this controller was not disclosed, but was most likely a provider of consumer credit.
This decision by the French DPA consisted of several complaints by different data subjects regarding the same controller. The nature and the name of this controller were not disclosed. Based on the information provided in the decision, the controller seemed to be a provider of consumer credit.  
The first data subject was French and requested access to his data at the controller. The data subject received responses from the controller but these were incomplete according to the data subject. After an intervention of the French DPA, the request was granted by the controller.  
 
The second data subject had repeatedly requested the source of personal data concerning him, the retention period and the deletion of his data. The data subject filed a complaint at the French DPA (DPA). After discussions between the DPA and the controller, the controller informed the data subject that his phone number and his address had been obtained from an investigative agency, located in Israel. The controller added that the use of such an agency only occurred when the data collected from the ‘transferring institution’ was inadequate. The controller also informed the data subject about the ‘exceptional’ closure of his case and that the personal data would be deleted after a period of 6 years. The controller stated that it was obliged to keep this data for a minimum of five years for anti-money laundering purposes.  
The <u>first</u> data subject (French) requested access to his personal data. He received responses from the controller but these answers were incomplete according to the data subject, because the identity of the investigative agency at the origin of the data collection was not disclosed. After an intervention of the DPA, the controller complied with the request.  
The complaint of the third data subject was transferred by the Polish DPA pursuant of [[Article 56 GDPR#1|Article 56(1) GDPR]]. The controller was not able to reach the data subject concerning his supposed debt. Therefore, it appealed to an investigative agency, which sent the contact details of the data subject on 13 July 2018. The data subject was contacted by the controller to pay his debt despite never being a client of the controller. After communication between the data subject and the controller and an intervention of the DPA, the controller acknowledged that there had been a mistake regarding the identity of the data subject. The controller anonymized the data subject’s address and telephone number following the intervention of the DPA.  
 
The data subject complained at the DPA about the unlawfulness of processing of personal data concerning him and requested erasure of his data. The data subject stated that he was not a debtor and had never been a client of the controller.
The <u>second</u> data subject (French) had repeatedly requested information about the source -  and the retention period of personal data. He also requested the deletion of his data. After discussions between the DPA and the controller, the controller informed the data subject that his phone number and his address had been obtained from an investigative agency, located in Israel. The controller added that it only hired such an agency when the data collected from a ‘transferring institution’ was inadequate. It is not clear what the controller meant with a 'transferring institution'. The controller also informed the data subject of the retention period of 6 years. The controller stated that it was obligated to keep data for a minimum of five years for anti-money laundering purposes, despite French law only requiring a storage period of five years, without any mention of a minimum period (Article L561-12 of the French Monetary and Financial Code).
 
The complaint of the <u>third</u> data subject (Polish) was transferred by the Polish DPA pursuant of [[Article 56 GDPR#1|Article 56(1) GDPR]]. The controller was not able to reach the data subject concerning his supposed debt. Therefore, it hired an investigative agency, which sent the contact details of the data subject to the controller on 13 July 2018. The data subject was then contacted by the controller with the request to pay his debt. However, the data subject stated that he was not a debtor and had never been a client of the controller. After communication between the data subject and the controller, the controller acknowledged that there had been a mistake regarding the identity of the data subject. The telephone number of the data subject was invalidated, but no further action was taken. Only 9 months later, the controller anonymized the data subject’s address and telephone number following the intervention of the DPA.  
The data subject complained at the DPA about the unlawfulness of processing of his personal data and requested erasure of his personal data.  


=== Holding ===
=== Holding ===
The DPA held that the controller had disregarded [[Article 12 GDPR#3|Article 12(3) GDPR]] regarding the third complaint, because it had taken the controller four months to respond to the data subjects first request and did not answer as soon as possible. The controller also violated [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] regarding the third complaint, because it did not take the necessary measures to only process up-to-date personal data. It held that the controller did not take adequate measures to remove any doubt surrounding the data subject and delete the personal data of this data subject, who was not a debtor. The controller continued to process the data and only anonymized the data after the French DPA interfered.
The DPA did not make any specific remarks on the <u>first</u> complaint but reminded the controller that, according to [[Article 12 GDPR|Article 12(3) GDPR]], it is obliged to respond to data subject requests within one month. 
The DPA also determined that the controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] regarding the second complaint because of the 6-year retention period, while French law determined that the storage period for money laundering purposes was only five years (Article L561-12 of the French Monetary and Financial Code).
 
The DPA also stated that [[Article 14 GDPR|Article 14 GDPR]] had been breached by the controller regarding all complaints, because data subjects were not informed about the source of personal data when this was collected by the controller through a third party. The DPA specified that providing a copy of a privacy policy with each financial claim, indicating the possibility of recourse to an investigative agency, does not mean that the obligation of [[Article 14 GDPR|Article 14 GDPR]] is fulfilled. This information is not specific enough and does not provide information on the exact source of the data.  
The DPA determined that the controller violated [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] regarding the <u>second</u> complaint because of the 6 year retention period of personal data, while French law determined that the storage period for money laundering purposes was only five years (Article L561-12 of the French Monetary and Financial Code). 
The DPA issued a reprimand pursuant of [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] and Article 20.II of the French data protection act with regard to the obligation to respond to requests for the exercise of rights of individuals and the obligation to process accurate and updated personal data. The DPA also issued a formal notice pursuant of [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]] and Article 20.II of the French data protection act to limit the retention period of personal data to five years and to correctly inform individuals about the origin of their personal data.
 
The DPA also held that the controller had disregarded [[Article 12 GDPR#3|Article 12(3) GDPR]] regarding the <u>third</u> complaint, because it had taken the controller four months to respond to the data subject and did not answer as soon as possible. The DPA stated that an initial, insufficient measure was taken only four months after the data subject's first request. The controller only provided a satisfactory response more than a year after the data subject's first request, since the controller anonymized the data only after the French DPA interfered. The controller also violated [[Article 5 GDPR#1d|Article 5(1)(d) GDPR]] regarding the <u>third</u> complaint, because it did not take the necessary measures to only process up-to-date personal data. It held that the controller did not take adequate measures to remove any doubt surrounding the data subject and delete the personal data of this data subject. Because of the lack of adequate measures, the controller continued processing until it anonymized the personal data.
 
The DPA stated that [[Article 14 GDPR]] had been breached by the controller regarding <u>all complaints</u>, because data subjects were not informed about the source of personal data when this was collected by the controller through a third party. The DPA specified that providing a copy of a privacy policy, indicating the possibility of consulting an investigative agency, did not mean that the obligation under [[Article 14 GDPR]] was fulfilled. The information in the privacy policy was not specific enough and did not provide information on the exact source of the data.
 
The DPA issued a reprimand pursuant of [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]] and Article 20.II of the French Data Protection Act with regard to the obligation to respond to data subject requests and the obligation to process accurate and updated personal data. The DPA also issued a formal notice pursuant of [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]] and Article 20.II of the French Data Protection Act to limit the retention period of personal data to five years and to correctly inform individuals about the origin of their personal data.


== Comment ==
== Comment ==
''Share your comments here!''
Although the nature or the name of the controller were not disclosed, it seemed that the controller was some sort of a provider of consumer credit. Under section 1 of the decision (paragraph 1), there is a mention of a debt assignment agreement between the controller and the data subject. Also under section 1 (paragraph 5), one of the data subjects stated that he had never been a debtor of the controller. 


== Further Resources ==
== Further Resources ==
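Review bot: In the Holding, the second-complaint paragraph now cites Article 5(1)(e) GDPR where the earlier revision cited Article 5(1)(c) GDPR, but the infobox "Relevant Law" list still carries Article 5(1)(c) GDPR and has no 5(1)(e) entry, so the infobox should be updated to agree with the holding. In the Facts, the rewritten second-complaint paragraph says the agency is hired when data from the 'transferring institution' was "inadequate", while the decision text quoted on the page reads "turns out to be inaccurate"; the summary should follow the decision's wording.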
Line 100: Line 108:


<pre>
<pre>
Dear Sir,
I am following up on the exchanges of letters that took place between the CNIL services and the
data protection officer (DPO) of your company, as part of the investigation of several complaints relating
to the processing of debtors’ personal data (amicable collection files).
I. Reminder of claims and facts
With regard to referral No. f
The French complainant requested access to his data and received some responses. He nevertheless
referred the matter to CNIL, feeling that the responses were incomplete, as the identity of the investigative
agency at the origin of the data collection was not communicated to him. Following the intervention of
CNIL services, his request was granted.
With regard to referral No. P|
The data relating to the French complainant were processed by
assignment agreement entered into with ‘he complainant has repeatedly
requested the source of the data concerning him, as well as its retention period and its deletion. Following
discussions with CNIL vices informed the complainant that his address and
telephone number had been obtained from an investigative agency located in Israel. Your DPO has
indicated to CNIL that the use of such an agency occurs only when the data collected from the transferring
institution turns out to be inaccurate.
based on a debt
In addition, the complainant was informed of the “exceptional” closure of his case and that his data
will be deleted after a period of six years from that closure. Your DPO justified this period by the fact that
your company is “legally required to keep this data far anti-money laundering pur poses for a minimum of
five years.“
With regard to referral No. Fs
In this complaint submitted by the Polish Data Protection Authority, pursuant to Article 56.1 of the
General Data Protection Regulation (GDPR), the complainant challenged the lawfulness of the processing
of data concerning him b and requested its erasure. He indicated that he was not a
debtor and had never been a client of the ceding company
From the complaint and the exchanges with your company’s DPO, the following details emerge:
- after unsuccessfully attempting to contact the debtor concerned,ME appealed to an
investigative agency, which sent it the contact details of the complainant on 13 July 2018;
- on 23 July 2018, the complainant requested the erasure of the data from [I after
reccivingEE s letter informing him of the existence of a claim concerning him;
- on 27 July 2018, he contacted I by email DE © obtain
information, as he claims never to have taken out a loan withI
- on17 September 2018, he received another letter asking him to pay his debt;
- on 29 November 2018, during a telephone conversation with the complainant, eS
services noticed that this was a case of mistaken identity (same surname and first name). His
telephone number was then invalidated, but no further action was taken;
- the complainant’s address and telephone number were anonymised following the intervention of
CNIL services on 26 August 2019 (all data relating to the complainant was replaced by crosses,
thus preventing any link between the true debtor’s file and the complainant);
- the complainant was informed that this measure would therefore put an end to all correspondence
with him.
II. Analysis of the facts in question
1. Failure to respond to requests to exercise rights
Pursuant to Article 12.3 GDPR, the Data Controller must respond to requests from individuals
exercising their rights within a maximum period of one month.
In the present case, the Polish complainant attempted to obtain information on the processing of
the data and requested its erasure upon receipt of the letter of assignment of claim.
An initial, insufficient measure was taken only four months after the complainant’s first request. It
is only the intervention of CNIL services - over a year after the complainant’s first request - which led your
services to respond satisfactorily.
I also note that compliance with this obligation and taking into account the complainant’s requests
from the outset could have enabled your company to identify the case of mistaken identity in July 2018
and thus immediately cease the processing of data concerning the complainant.
I find ha i therefore disregarded Article 12.3 GDPR in that it did not respond to
the complainant as soon as possible.
2. Failure to process accurate and up-to-date data
Pursuant to Article 5.1.d GDPR, the personal data processed must be accurate and, if necessary,
kept up to date.
In this case, the case of mistaken identity was identified on 29 November 2018 when the Polish
plaintiff disputed being a customer of the company and requested the deletion of his data. However,
did not take adequate measures to remove any doubt as to this homonymy and
immediately delete the data concerning this non-debtor complainant.
Thus, the data relating to the complainant continued to be processed by I and was
only anonymised after the intervention of CNIL services on 26 August 2019.
I find that Po has therefore disregarded Article 5.1 d) GDPR in that it did not take
the necessary measures to process only accurate and up-to-date data relating to a debtor and that it took the
intervention of CNIL services to stop this breach.


</pre>
</pre>

Latest revision as of 12:06, 4 January 2023

CNIL - 2c1s196162814
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(c) GDPR
Article 12(3) GDPR
Article 14 GDPR
Article 56(1) GDPR
Article 58(2)(b) GDPR
Article 58(2)(d) GDPR
Article L561-12 of the French Monetary and Financial Code
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 20.05.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 2c1s196162814
European Case Law Identifier: EDPBI:FR:OSS:D:2022:369
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 procedure, the French DPA covered three complaints regarding a consumer credit provider. Among other violations, the controller did not respond to access requests in time and had a retention period of 6 years for anti-money laundering purposes, while French law only required 5 years.

English Summary

Facts

This decision by the French DPA consisted of several complaints by different data subjects regarding the same controller. The nature and the name of this controller were not disclosed. Based on the information provided in the decision, the controller seemed to be a provider of consumer credit.

The first data subject (French) requested access to his personal data. He received responses from the controller but these answers were incomplete according to the data subject, because the identity of the investigative agency at the origin of the data collection was not disclosed. After an intervention of the DPA, the controller complied with the request.

The second data subject (French) had repeatedly requested information about the source and the retention period of personal data. He also requested the deletion of his data. After discussions between the DPA and the controller, the controller informed the data subject that his phone number and his address had been obtained from an investigative agency located in Israel. The controller added that it only hired such an agency when the data collected from a ‘transferring institution’ was inadequate. It is not clear what the controller meant by a ‘transferring institution’. The controller also informed the data subject of the retention period of 6 years. The controller stated that it was obligated to keep data for a minimum of five years for anti-money laundering purposes, despite French law only requiring a storage period of five years, without any mention of a minimum period (Article L561-12 of the French Monetary and Financial Code).

The complaint of the third data subject (Polish) was transferred by the Polish DPA pursuant to Article 56(1) GDPR. The controller was not able to reach the data subject concerning his supposed debt. Therefore, it hired an investigative agency, which sent the contact details of the data subject to the controller on 13 July 2018. The data subject was then contacted by the controller with the request to pay his debt. However, the data subject stated that he was not a debtor and had never been a client of the controller. After communication between the data subject and the controller, the controller acknowledged that there had been a mistake regarding the identity of the data subject. The telephone number of the data subject was invalidated, but no further action was taken. Only 9 months later, the controller anonymized the data subject’s address and telephone number following the intervention of the DPA. The data subject complained to the DPA about the unlawfulness of the processing of his personal data and requested its erasure.

Holding

The DPA did not make any specific remarks on the first complaint but reminded the controller that, according to Article 12(3) GDPR, it is obliged to respond to data subject requests within one month.

The DPA determined that the controller violated Article 5(1)(e) GDPR regarding the second complaint because of the 6-year retention period of personal data, while French law determined that the storage period for money laundering purposes was only five years (Article L561-12 of the French Monetary and Financial Code).

The DPA also held that the controller had disregarded Article 12(3) GDPR regarding the third complaint, because it had taken the controller four months to respond to the data subject and the controller had not answered as soon as possible. The DPA stated that an initial, insufficient measure was taken only four months after the data subject's first request. The controller only provided a satisfactory response more than a year after the data subject's first request, since the controller anonymized the data only after the French DPA intervened. The controller also violated Article 5(1)(d) GDPR regarding the third complaint, because it did not take the necessary measures to only process up-to-date personal data. The DPA held that the controller did not take adequate measures to remove any doubt surrounding the data subject and delete the personal data of this data subject. Because of the lack of adequate measures, the controller continued processing until it anonymized the personal data.

The DPA stated that Article 14 GDPR had been breached by the controller regarding all complaints, because data subjects were not informed about the source of personal data when this was collected by the controller through a third party. The DPA specified that providing a copy of a privacy policy, indicating the possibility of consulting an investigative agency, did not mean that the obligation under Article 14 GDPR was fulfilled. The information in the privacy policy was not specific enough and did not provide information on the exact source of the data.

The DPA issued a reprimand pursuant to Article 58(2)(b) GDPR and Article 20.II of the French Data Protection Act with regard to the obligation to respond to data subject requests and the obligation to process accurate and updated personal data. The DPA also issued a formal notice pursuant to Article 58(2)(d) GDPR and Article 20.II of the French Data Protection Act to limit the retention period of personal data to five years and to correctly inform individuals about the origin of their personal data.

Comment

Although neither the nature nor the name of the controller was disclosed, it seemed that the controller was some sort of provider of consumer credit. Under section 1 of the decision (paragraph 1), there is a mention of a debt assignment agreement between the controller and the data subject. Also under section 1 (paragraph 5), one of the data subjects stated that he had never been a debtor of the controller.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.


Dear Sir,
I am following up on the exchanges of letters that took place between the CNIL services and the
data protection officer (DPO) of your company, as part of the investigation of several complaints relating
to the processing of debtors’ personal data (amicable collection files).
I. Reminder of claims and facts
With regard to referral No. [redacted]
The French complainant requested access to his data and received some responses. He nevertheless
referred the matter to CNIL, feeling that the responses were incomplete, as the identity of the investigative
agency at the origin of the data collection was not communicated to him. Following the intervention of
CNIL services, his request was granted.
With regard to referral No. [redacted]
The data relating to the French complainant were processed by [redacted] based on a debt
assignment agreement entered into with [redacted]. The complainant has repeatedly
requested the source of the data concerning him, as well as its retention period and its deletion. Following
discussions with CNIL, [redacted]'s services informed the complainant that his address and
telephone number had been obtained from an investigative agency located in Israel. Your DPO has
indicated to CNIL that the use of such an agency occurs only when the data collected from the transferring
institution turns out to be inaccurate.
In addition, the complainant was informed of the “exceptional” closure of his case and that his data
will be deleted after a period of six years from that closure. Your DPO justified this period by the fact that
your company is “legally required to keep this data for anti-money laundering purposes for a minimum of
five years.”
With regard to referral No. [redacted]
In this complaint submitted by the Polish Data Protection Authority, pursuant to Article 56.1 of the
General Data Protection Regulation (GDPR), the complainant challenged the lawfulness of the processing
of data concerning him by [redacted] and requested its erasure. He indicated that he was not a
debtor and had never been a client of the ceding company.
From the complaint and the exchanges with your company’s DPO, the following details emerge:
- after unsuccessfully attempting to contact the debtor concerned, [redacted] appealed to an
investigative agency, which sent it the contact details of the complainant on 13 July 2018;
- on 23 July 2018, the complainant requested the erasure of the data from [redacted] after
receiving [redacted]'s letter informing him of the existence of a claim concerning him;
- on 27 July 2018, he contacted [redacted] by email [redacted] to obtain
information, as he claims never to have taken out a loan with [redacted];
- on 17 September 2018, he received another letter asking him to pay his debt;
- on 29 November 2018, during a telephone conversation with the complainant, [redacted]'s
services noticed that this was a case of mistaken identity (same surname and first name). His
telephone number was then invalidated, but no further action was taken;
- the complainant’s address and telephone number were anonymised following the intervention of
CNIL services on 26 August 2019 (all data relating to the complainant was replaced by crosses,
thus preventing any link between the true debtor’s file and the complainant);
- the complainant was informed that this measure would therefore put an end to all correspondence
with him.
II. Analysis of the facts in question
1. Failure to respond to requests to exercise rights
Pursuant to Article 12.3 GDPR, the Data Controller must respond to requests from individuals
exercising their rights within a maximum period of one month.
In the present case, the Polish complainant attempted to obtain information on the processing of
the data and requested its erasure upon receipt of the letter of assignment of claim.
An initial, insufficient measure was taken only four months after the complainant’s first request. It
is only the intervention of CNIL services - over a year after the complainant’s first request - which led your
services to respond satisfactorily.
I also note that compliance with this obligation and taking into account the complainant’s requests
from the outset could have enabled your company to identify the case of mistaken identity in July 2018
and thus immediately cease the processing of data concerning the complainant.
I find that [redacted] has therefore disregarded Article 12.3 GDPR in that it did not respond to
the complainant as soon as possible.
2. Failure to process accurate and up-to-date data
Pursuant to Article 5.1.d GDPR, the personal data processed must be accurate and, if necessary,
kept up to date.
In this case, the case of mistaken identity was identified on 29 November 2018 when the Polish
plaintiff disputed being a customer of the company and requested the deletion of his data. However,
[redacted] did not take adequate measures to remove any doubt as to this homonymy and
immediately delete the data concerning this non-debtor complainant.
Thus, the data relating to the complainant continued to be processed by [redacted] and was
only anonymised after the intervention of CNIL services on 26 August 2019.
I find that [redacted] has therefore disregarded Article 5.1 d) GDPR in that it did not take
the necessary measures to process only accurate and up-to-date data relating to a debtor and that it took the
intervention of CNIL services to stop this breach.