CNIL (France) - SAN-2024-015: Difference between revisions
m (Fixed case number) |
m (spelling mistake) |
||
| (3 intermediate revisions by 2 users not shown) | |||
| Line 63: | Line 63: | ||
}} | }} | ||
The DPA fines a remote psychic services provider €150,000 for failure to obtain data subject's explicit consent prior to the processing of sensitive data as well as breaching the principle of storage limitation. | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The controller | The controller provided remote psychic services via telephone, online chat or text message. On some of its websites, the controller offered personalized chats via telephone carried out by its partner. In order to promote their services, the two companies sent marketing messages to existing and prospective customers via e-mail and text. Prospective customers' contact details were obtained through a contact form on either of the two companies’ websites. The controller and its partner set up a shared database for their marketing purposes which on the 6 October 2022 included personal data of more than 1.5 million people. | ||
On 15 November 2021, the French DPA (''Commission Nationale de l’Informatique et des Libertés - CNIL'') carried out an online check of five websites run by the controller and | On 15 November 2021, the French DPA (''Commission Nationale de l’Informatique et des Libertés - CNIL'') carried out an online check of five websites run by the controller and its partner. An on-site inspection was also carried out on 7 and 8 December 2021 at the premises of the two companies. The following details the findings of the investigation: | ||
1) Data retention period proportionate to the purpose of processing under [[Article 5 GDPR|Article 5(1)(e) GDPR]] | 1) Data retention period proportionate to the purpose of processing under [[Article 5 GDPR|Article 5(1)(e) GDPR]] | ||
The controller retained the data of its customers for a period of six years after the end of the commercial relationship. The | The controller retained the data of its customers for a period of six years after the end of the commercial relationship. The controller argued that this is necessary so that it would be able to respond to possible judicial investigations. | ||
2) Prior consent to the processing of special category data under [[Article 9 GDPR]] | 2) Prior consent to the processing of special category data under [[Article 9 GDPR]] | ||
The controller offers users of its website horoscope.fr to fill in a form intended to issue a free prediction about their romantic compatibility with a person of their choice. Users must enter their sex, date, time and city of birth, as well as their e-mail address, but also the sex and date of birth of their partner. During the remote consultations, a plethora of personal information may be disclosed by the customers. | The controller offers users of its website horoscope.fr to fill in a form intended to issue a free prediction about their romantic compatibility with a person of their choice. Users must enter their sex, date, time and city of birth, as well as their e-mail address, but also the sex and date of birth of their partner. During the remote consultations, a plethora of personal information may be disclosed by the customers. These conversations are recorded by the controller's partner and half of the data is stored until the end of the working day and the other half stored for a period of six months. | ||
The controller argued that this sensitive data is not processed but simply recorded. | The controller argued that this sensitive data is not processed but simply recorded. | ||
3) Processing for marketing purposes under Article L.34-5 of the French Post and Electronic Communications Code (''Article L.34-5 Code des postes et des communication électroniques'') | 3) Processing for marketing purposes under [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000042155961/ Article L.34-5 of the French Post and Electronic Communications Code (''Article L.34-5 Code des postes et des communication électroniques'')] | ||
The notice included on the contact form did not list the controller, nor a list of all other third parties the data is shared with. While users could follow a link which provided some additional information, this link was located much further down on the form. Further, the information included in the link did not mention commercial advertising at all. | |||
During the proceedings the controller changed the format of the contact form to include a very small unintelligible character attached to a word on the form. A click on this character then lead to a footnote which was not visible on the original form listing the controller as the provider of marketing messages. | During the proceedings the controller changed the format of the contact form to include a very small unintelligible character attached to a word on the form. A click on this character then lead to a footnote which was not visible on the original form listing the controller as the provider of marketing messages. | ||
| Line 94: | Line 93: | ||
1) Data retention proportionate to the purpose of processing under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] | 1) Data retention proportionate to the purpose of processing under [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]] | ||
The CNIL clarifies that while the controller must comply with judicial requests for data, the controller would not face any criminal sanctions if had deleted data as it was no longer necessary to process it for the controller’s specified purposes. Thus the CNIL did not accept the controller’s argument for warranting the six year storage policy. | The CNIL clarifies that while the controller must comply with judicial requests for data, the controller would not face any criminal sanctions if it had deleted data as it was no longer necessary to process it for the controller’s specified purposes. Thus the CNIL did not accept the controller’s argument for warranting the six year storage policy. | ||
As the data is collected for a specific purpose which is the management of the commercial relationship, the CNIL states that as soon as the purpose changes, the controller must take action in differentiating the data. The practice of categorically compiling all customer data into an active database without any differentiation or archiving policy therefore constituted a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. In relation to the managing of commercial relationships, the CNIL recommended a maximum storage period of three years after the commercial relationship has ended. | As the data is collected for a specific purpose which is the management of the commercial relationship, the CNIL states that as soon as the purpose changes, the controller must take action in differentiating the data. The practice of categorically compiling all customer data into an active database without any differentiation or archiving policy therefore constituted a violation of [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]. In relation to the managing of commercial relationships, the CNIL recommended a maximum storage period of three years after the commercial relationship has ended. | ||
| Line 101: | Line 100: | ||
The CNIL points out that the mere act of recording the conversations, storing some and deleting others at the end of the day falls under the definition of processing under [[Article 4 GDPR#2|Article 4(2) GDPR]], therefore rejecting the controller’s argument. | The CNIL points out that the mere act of recording the conversations, storing some and deleting others at the end of the day falls under the definition of processing under [[Article 4 GDPR#2|Article 4(2) GDPR]], therefore rejecting the controller’s argument. | ||
Contrary to the provisions of [[Article 4 GDPR#11|Article 4(11) GDPR]], the CNIL notes that the company does not provide any specific information to the data subjects with regard to the collection and processing of data collected from the form on the website and does not explicitly collect their consent for the processing of such data. Similarly, in the context of | Contrary to the provisions of [[Article 4 GDPR#11|Article 4(11) GDPR]], the CNIL notes that the company does not provide any specific information to the data subjects with regard to the collection and processing of data collected from the form on the website and does not explicitly collect their consent for the processing of such data. Similarly, in the context of chat or text consultations, no information on the processing of such data is provided or consent as required under [[Article 9 GDPR|Article 9(2)(a) GDPR]] obtained. | ||
The CNIL therefore concludes a violation of [[Article 9 GDPR|Article 9 GDPR]] as the mere willingness to enter information into a form or share personal information through the chat options does not equate to the fully informed consent to the processing of this sensitive data. | The CNIL therefore concludes a violation of [[Article 9 GDPR|Article 9 GDPR]] as the mere willingness to enter information into a form or share personal information through the chat options does not equate to the fully informed consent to the processing of this sensitive data. | ||
| Line 114: | Line 113: | ||
== Comment == | == Comment == | ||
' | The CNIL issued a decision regarding the controller's partner on the same day, which you can find [[CNIL (France) - SAN-2021-014|here]]. | ||
== Further Resources == | == Further Resources == | ||
Latest revision as of 08:51, 15 October 2024
| CNIL - SAN-2024-014 | |
|---|---|
 | |
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 5(1)(e) GDPR Article 9 GDPR Article L34-5 Code des postes et des communications électroniques |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 15.11.2021 |
| Decided: | 26.09.2024 |
| Published: | 10.10.2024 |
| Fine: | 150,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | SAN-2024-014 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | Legifrance (in FR) |
| Initial Contributor: | ao |
The DPA fines a remote psychic services provider €150,000 for failure to obtain data subject's explicit consent prior to the processing of sensitive data as well as breaching the principle of storage limitation.
English Summary
Facts
The controller provided remote psychic services via telephone, online chat or text message. On some of its websites, the controller offered personalized chats via telephone carried out by its partner. In order to promote their services, the two companies sent marketing messages to existing and prospective customers via e-mail and text. Prospective customers' contact details were obtained through a contact form on either of the two companies’ websites. The controller and its partner set up a shared database for their marketing purposes which on the 6 October 2022 included personal data of more than 1.5 million people.
On 15 November 2021, the French DPA (Commission Nationale de l’Informatique et des Libertés - CNIL) carried out an online check of five websites run by the controller and its partner. An on-site inspection was also carried out on 7 and 8 December 2021 at the premises of the two companies. The following details the findings of the investigation:
1) Data retention period proportionate to the purpose of processing under Article 5(1)(e) GDPR
The controller retained the data of its customers for a period of six years after the end of the commercial relationship. The controller argued that this is necessary so that it would be able to respond to possible judicial investigations.
2) Prior consent to the processing of special category data under Article 9 GDPR
The controller offers users of its website horoscope.fr to fill in a form intended to issue a free prediction about their romantic compatibility with a person of their choice. Users must enter their sex, date, time and city of birth, as well as their e-mail address, but also the sex and date of birth of their partner. During the remote consultations, a plethora of personal information may be disclosed by the customers. These conversations are recorded by the controller's partner and half of the data is stored until the end of the working day and the other half stored for a period of six months.
The controller argued that this sensitive data is not processed but simply recorded.
3) Processing for marketing purposes under Article L.34-5 of the French Post and Electronic Communications Code (Article L.34-5 Code des postes et des communication électroniques)
The notice included on the contact form did not list the controller, nor a list of all other third parties the data is shared with. While users could follow a link which provided some additional information, this link was located much further down on the form. Further, the information included in the link did not mention commercial advertising at all.
During the proceedings the controller changed the format of the contact form to include a very small unintelligible character attached to a word on the form. A click on this character then lead to a footnote which was not visible on the original form listing the controller as the provider of marketing messages.
The controller argued that it would be impossible to provide data subjects with a comprehensive list of recipients as this would breach contractual confidentiality clauses.
Holding
1) Data retention proportionate to the purpose of processing under Article 5(1)(e) GDPR
The CNIL clarifies that while the controller must comply with judicial requests for data, the controller would not face any criminal sanctions if it had deleted data as it was no longer necessary to process it for the controller’s specified purposes. Thus the CNIL did not accept the controller’s argument for warranting the six year storage policy.
As the data is collected for a specific purpose which is the management of the commercial relationship, the CNIL states that as soon as the purpose changes, the controller must take action in differentiating the data. The practice of categorically compiling all customer data into an active database without any differentiation or archiving policy therefore constituted a violation of Article 5(1)(e) GDPR. In relation to the managing of commercial relationships, the CNIL recommended a maximum storage period of three years after the commercial relationship has ended.
2) Prior consent to the processing of special category data under Article 9 GDPR
The CNIL points out that the mere act of recording the conversations, storing some and deleting others at the end of the day falls under the definition of processing under Article 4(2) GDPR, therefore rejecting the controller’s argument. Contrary to the provisions of Article 4(11) GDPR, the CNIL notes that the company does not provide any specific information to the data subjects with regard to the collection and processing of data collected from the form on the website and does not explicitly collect their consent for the processing of such data. Similarly, in the context of chat or text consultations, no information on the processing of such data is provided or consent as required under Article 9(2)(a) GDPR obtained.
The CNIL therefore concludes a violation of Article 9 GDPR as the mere willingness to enter information into a form or share personal information through the chat options does not equate to the fully informed consent to the processing of this sensitive data.
3) Processing for marketing purposes under Article L.34-5 of the Post and Electronic Communications Code (Article L34-5 Code des postes et des communications électroniques)
The CNIL stated that the improvements made to the form still do not meet the required standard of allowing the data subject to easily access a clear description of the marketing purposes and partners as required by the French provision.
4) Conclusion and setting the fine
The CNIL concluded that the controller had violated Article 5(1)(e) GDPR, Article 9 GDPR and Article 34-5 of the French domestic provision (Article L34-5 Code des postes et des communications électroniques). With reference to the controller’s annual turnover, a €100,000 fine was set for the breaches of the GDPR through Articles 5(1)(e) and 9 GDPR and a €50,000 fine for the breach of Article L.34-5 of the French Post and Electronic Communications Code.
Comment
The CNIL issued a decision regarding the controller's partner on the same day, which you can find here.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
