CNIL (France) - SAN-2021-012: Difference between revisions
Marcovermeil (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL (France) |DPA_With_Country=CNIL (France) |Case_Number_Name=SAN-2021-012 |ECLI=...") |
|||
Line 50: | Line 50: | ||
}} | }} | ||
The French DPA fined Monsanto | The French DPA fined Monsanto €400,000 for violating Articles 14 and 28 GDPR. The company created contact files for the purpose of lobbying, without informing data subject, and did not lead by a judicial document the processing of personal data realized by processors on its behalf. | ||
The company created contact files for the purpose of lobbying, without | |||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
In may 2019, several medias revealed that the Monsanto company was processing personal data of more than 200 public figures like politicians, journalists, scientists that are related to glyphosate debate. | In may 2019, several medias revealed that the Monsanto company was processing personal data of more than 200 public figures like politicians, journalists, scientists that are related to glyphosate debate. | ||
At the same time, the French DPA (Commission Nationale de l’Informatique et des Libertés – CNIL) received seven complaints from data subjects who were on the filing system. | At the same time, the French DPA (Commission Nationale de l’Informatique et des Libertés – CNIL) received seven complaints from data subjects who were on the filing system. | ||
An investigation carried out by | An investigation carried out by revealed that: | ||
* The filing system has been created on behalf of Monsanto company, by several companies specialized in public relations and lobbying. | |||
* The filing system contained, for every data subject, information like the job, professional mailbox, mobile phone number, and sometimes the Twitter account. | |||
Furthermore, a rating was attributed to every data subject, to estimate their influence and their support to Monsanto company. | |||
=== Dispute === | === Dispute === | ||
Has the company | Has the company violated [[Article 14 GDPR]] because it did not provide data subject with information listed in those articles? | ||
Has the company violated | Has the company violated [[Article 28 GDPR]] because it did not lead by a judicial document the processing realised by processors? | ||
=== Holding === | === Holding === | ||
==== On the information of data subjects ==== | |||
The CNIL found that the company had violated Article 14 GDPR. | The CNIL found that the company had violated Article 14 GDPR. | ||
Creation of contact files for the purpose of lobbying is not illegal in itself. On the other hand, even if consent of those public figures was not necessary, they had to be informed, so they could use their rights and especially their right to object. | Creation of contact files for the purpose of lobbying is not illegal in itself. On the other hand, even if consent of those public figures was not necessary, they had to be informed, so they could use their rights and especially their right to object. | ||
On the absence of judicial document between the controller and the processors | The CNIL found that data subject were informed of the existence of the filing system only in 2019, after the medias revelations, even though Monsanto company had all of their contact information. | ||
The CNIL also remind that the fact of not inform data subject of the existence of a processing harms the exercise of their others rights guaranteed under the GDPR. | |||
==== On the absence of judicial document between the controller and the processors ==== | |||
The CNIL found that the company has violated Article 28 GDPR. As a controller, Monsanto company had to lead by a judicial document the processing realised by its processor, especially to guarantee security measures. | |||
The CNIL found that no contract between the companies contained the terms provided by the article 28 GDPR. | The CNIL found that no contract between the companies contained the terms provided by the article 28 GDPR. | ||
Revision as of 10:12, 4 August 2021
CNIL (France) - SAN-2021-012 | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 14 GDPR Article 28 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 26.08.2021 |
Published: | 28.08.2021 |
Fine: | 400000 EUR |
Parties: | Monsanto Company |
National Case Number/Name: | SAN-2021-012 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Légifrance (in FR) |
Initial Contributor: | Marco Vermeil |
The French DPA fined Monsanto €400,000 for violating Articles 14 and 28 GDPR. The company created contact files for the purpose of lobbying, without informing data subject, and did not lead by a judicial document the processing of personal data realized by processors on its behalf.
English Summary
Facts
In may 2019, several medias revealed that the Monsanto company was processing personal data of more than 200 public figures like politicians, journalists, scientists that are related to glyphosate debate.
At the same time, the French DPA (Commission Nationale de l’Informatique et des Libertés – CNIL) received seven complaints from data subjects who were on the filing system.
An investigation carried out by revealed that:
- The filing system has been created on behalf of Monsanto company, by several companies specialized in public relations and lobbying.
- The filing system contained, for every data subject, information like the job, professional mailbox, mobile phone number, and sometimes the Twitter account.
Furthermore, a rating was attributed to every data subject, to estimate their influence and their support to Monsanto company.
Dispute
Has the company violated Article 14 GDPR because it did not provide data subject with information listed in those articles?
Has the company violated Article 28 GDPR because it did not lead by a judicial document the processing realised by processors?
Holding
On the information of data subjects
The CNIL found that the company had violated Article 14 GDPR. Creation of contact files for the purpose of lobbying is not illegal in itself. On the other hand, even if consent of those public figures was not necessary, they had to be informed, so they could use their rights and especially their right to object.
The CNIL found that data subject were informed of the existence of the filing system only in 2019, after the medias revelations, even though Monsanto company had all of their contact information.
The CNIL also remind that the fact of not inform data subject of the existence of a processing harms the exercise of their others rights guaranteed under the GDPR.
On the absence of judicial document between the controller and the processors
The CNIL found that the company has violated Article 28 GDPR. As a controller, Monsanto company had to lead by a judicial document the processing realised by its processor, especially to guarantee security measures.
The CNIL found that no contract between the companies contained the terms provided by the article 28 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.