CNIL (France) - SAN-2024-003: Difference between revisions

From GDPRhub
mNo edit summary
Line 72: Line 72:


=== Facts ===
=== Facts ===
On 23 September 2021, the French DPA (“CNIL”) carried out an inspection on Foriou’s premises (“controller”), in particular regarding the legal basis of the processing and the security measures taken. The controller was in the business of marketing and managing loyalty programs and cards. In order to promote its programs, until 2021, the controller carried out telephone canvassing campaigns using prospect files purchased with several data suppliers who collected the data via entry forms for online competitions. The personal data collected was the following: surname, first name, tile, email address, date of birth and postal address.
On 23 September 2021, the French DPA (“CNIL”) carried out an inspection on Foriou’s premises (“controller”), in particular regarding the legal basis of the processing and the security measures taken. The controller was in the business of marketing and managing loyalty programs and cards. In order to promote its programs, until 2021, the controller carried out telephone canvassing campaigns using prospect files purchased with several data suppliers who collected the data via entry forms for online competitions. The personal data collected was the following: surname, first name, title, email address, date of birth and postal address.


During its investigations, the CNIL discovered that the data suppliers all had similar forms on their websites: there were fields which enabled the data subject to enter their contact details. Underneath these fields were a “Validate”, “I validate” or “I answer questions to apply” button. Above or below this button, a text specified that by clicking on it, the user declared that they read the data supplier’s data protection policy and accepts that the data collected would be used to send them offers from the company’s partners. Hyperlinks were provided to access the data protection policy as well as the list of partners concerned. However, the list did not mention the controller. At the end of the text it was specified that if the user wished to continue without receiving offer’s from the data supplier’s partners, they could click a link in the text (“click here”).  
During its investigations, the CNIL discovered that the data suppliers all had similar forms on their websites: there were fields which enabled the data subject to enter their contact details. Underneath these fields were a “Validate”, “I validate” or “I answer questions to apply” button. Above or below this button, a text specified that by clicking on it, the user declared that they read the data supplier’s data protection policy and accepts that the data collected would be used to send them offers from the company’s partners. Hyperlinks were provided to access the data protection policy as well as the list of partners concerned. However, the list did not mention the controller. At the end of the text it was specified that if the user wished to continue without receiving offers from the data supplier’s partners, they could click a link in the text (“click here”).  


Therefore, data subjects could either click on the “Validate” button and accept that their data would be used to send them offers from the data supplier’s partners or on the “click here” link to continue without receiving these offers.
Therefore, data subjects could either click on the “Validate” button and accept that their data would be used to send them offers from the data supplier’s partners or on the “click here” link to continue without receiving these offers.
Line 87: Line 87:
Regarding the controller’s legitimate interest, the CNIL added that the controller must ensure that the processing does not infringe the rights and interests of the data subject, taking into account their reasonable expectations. The CNIL held that regarding the fact that the controller was not listed as a partner from the data supplier, the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to justify its commercial canvassing operations by telephone, as the protection of the interests, freedoms and fundamental rights of the data subjects took precedence over the legitimate interests of the controller.  
Regarding the controller’s legitimate interest, the CNIL added that the controller must ensure that the processing does not infringe the rights and interests of the data subject, taking into account their reasonable expectations. The CNIL held that regarding the fact that the controller was not listed as a partner from the data supplier, the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] to justify its commercial canvassing operations by telephone, as the protection of the interests, freedoms and fundamental rights of the data subjects took precedence over the legitimate interests of the controller.  


Regarding consent, the CNIL stressed that concerning commercial canvassing operations, when the data subject’s data has not been collected directly from them by the canvassing organization, consent may be obtained by the initial collector on behalf of the organization that will carry out subsequent canvassing operations. If this is not the case, it is up to the prospecting organization to obtain such consent before proceeding with the processing. The CNIL considered that the design of the forms on the data supplier’s website did not allow data subject’s to express a valid choice as the interfaces particularly highlight the “Validate”, “I validate” or “I answer questions to apply” button, whose size and color make it stand out from the other information provided. The words used also suggested the conclusion of the data subject’s journey rather than the transmission of data to partners and the location of the button on the form gave the impression that it must be clicked to complete the registration and take part in the competition. The CNIL also found that the hyperlink text which allowed data subjects to partake in the competition without agreeing to the transmission of their data to partners was presented in the body of the text in characters much smaller in size than those used for the buttons and without any particular emphasis. The CNIL also found that the forms submitted by the controller in its observations did not sufficiently inform the data subjects either. Therefore, the CNIL considered that the consent was not unambiguous and free as per required under [[Article 4 GDPR#11|Article 4(11) GDPR]].
Regarding consent, the CNIL stressed that concerning commercial canvassing operations, when the data subject’s data has not been collected directly from them by the canvassing organization, consent may be obtained by the initial collector on behalf of the organization that will carry out subsequent canvassing operations. If this is not the case, it is up to the prospecting organization to obtain such consent before proceeding with the processing. The CNIL considered that the design of the forms on the data supplier’s website did not allow data subject’s to express a valid choice as the interfaces particularly highlight the “Validate”, “I validate” or “I answer questions to apply” button, whose size and color make it stand out from the other information provided. The words used also suggested the conclusion of the data subject’s registration process rather than the transmission of data to partners and the location of the button on the form gave the impression that it must be clicked to complete the registration and take part in the competition. The CNIL also found that the hyperlink text which allowed data subjects to partake in the competition without agreeing to the transmission of their data to partners was presented in the body of the text in characters much smaller in size than those used for the buttons and without any particular emphasis. The CNIL also found that the forms submitted by the controller in its observations did not sufficiently inform the data subjects either. Therefore, the CNIL considered that the consent was not unambiguous and free as per required under [[Article 4 GDPR#11|Article 4(11) GDPR]].


In the absence of a legal basis enabling the controller to base its commercial canvassing operations by telephone, the CNIL considered that a breach of [[Article 6 GDPR|Article 6 GDPR]] was constituted.
In the absence of a legal basis enabling the controller to base its commercial canvassing operations by telephone, the CNIL considered that a breach of [[Article 6 GDPR|Article 6 GDPR]] was constituted.

Revision as of 10:11, 13 March 2024

CNIL - SAN-2024-003
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(11) GDPR
Article 6(1) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 23.09.2021
Decided: 31.01.2024
Published: 05.03.2024
Fine: 310,000 EUR
Parties: n/a
National Case Number/Name: SAN-2024-003
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: nzm

The CNIL fined a controller who carried out telephone canvassing campaigns using data purchased with data suppliers €310,000 for, among other things, not having a legal basis for processing. The controller did not appear in the data supplier’s list of partners, which did not allow the use of legitimate interest, and the data suppliers did not respect privacy by design when collecting consent.

English Summary

Facts

On 23 September 2021, the French DPA (“CNIL”) carried out an inspection on Foriou’s premises (“controller”), in particular regarding the legal basis of the processing and the security measures taken. The controller was in the business of marketing and managing loyalty programs and cards. In order to promote its programs, until 2021, the controller carried out telephone canvassing campaigns using prospect files purchased with several data suppliers who collected the data via entry forms for online competitions. The personal data collected was the following: surname, first name, title, email address, date of birth and postal address.

During its investigations, the CNIL discovered that the data suppliers all had similar forms on their websites: there were fields which enabled the data subject to enter their contact details. Underneath these fields were a “Validate”, “I validate” or “I answer questions to apply” button. Above or below this button, a text specified that by clicking on it, the user declared that they read the data supplier’s data protection policy and accepts that the data collected would be used to send them offers from the company’s partners. Hyperlinks were provided to access the data protection policy as well as the list of partners concerned. However, the list did not mention the controller. At the end of the text it was specified that if the user wished to continue without receiving offers from the data supplier’s partners, they could click a link in the text (“click here”).

Therefore, data subjects could either click on the “Validate” button and accept that their data would be used to send them offers from the data supplier’s partners or on the “click here” link to continue without receiving these offers.

The controller also submitted 2 other forms in its observations. These forms contained “Validate my coordinates” and “Continue” buttons to validate participation in the game and transmit data to partners. The “click here” button remained unchanged and was still presented in the body of the text.

Regarding security measures, the CNIL found that the controller indicated that they would keep customer data for a period of 5 years from the date of the end of the contract in an active database with no intermediate archiving mechanism implemented.

Holding

Firstly, the CNIL indicated that Article 6(1) GDPR establishes the legal bases of processing. The DPA also pointed out that commercial prospecting by telephone can be carried out on the legal basis of the controller’s legitimate interest or on the basis of consent.

Regarding the controller’s legitimate interest, the CNIL added that the controller must ensure that the processing does not infringe the rights and interests of the data subject, taking into account their reasonable expectations. The CNIL held that regarding the fact that the controller was not listed as a partner from the data supplier, the controller could not rely on Article 6(1)(f) GDPR to justify its commercial canvassing operations by telephone, as the protection of the interests, freedoms and fundamental rights of the data subjects took precedence over the legitimate interests of the controller.

Regarding consent, the CNIL stressed that concerning commercial canvassing operations, when the data subject’s data has not been collected directly from them by the canvassing organization, consent may be obtained by the initial collector on behalf of the organization that will carry out subsequent canvassing operations. If this is not the case, it is up to the prospecting organization to obtain such consent before proceeding with the processing. The CNIL considered that the design of the forms on the data supplier’s website did not allow data subject’s to express a valid choice as the interfaces particularly highlight the “Validate”, “I validate” or “I answer questions to apply” button, whose size and color make it stand out from the other information provided. The words used also suggested the conclusion of the data subject’s registration process rather than the transmission of data to partners and the location of the button on the form gave the impression that it must be clicked to complete the registration and take part in the competition. The CNIL also found that the hyperlink text which allowed data subjects to partake in the competition without agreeing to the transmission of their data to partners was presented in the body of the text in characters much smaller in size than those used for the buttons and without any particular emphasis. The CNIL also found that the forms submitted by the controller in its observations did not sufficiently inform the data subjects either. Therefore, the CNIL considered that the consent was not unambiguous and free as per required under Article 4(11) GDPR.

In the absence of a legal basis enabling the controller to base its commercial canvassing operations by telephone, the CNIL considered that a breach of Article 6 GDPR was constituted.

Secondly, the CNIL also pointed out that a simple contractual commitment by a data broker to comply with the GDPR as well as the rules applicable to commercial prospecting do not constitute a sufficient measure (see CNIL, SAN-2022-021). Thus, the DPA considered that the contractual obligations that the controller imposed on its suppliers did not exonerate the controller from its liability, despite the possible existence of liability on part of suppliers.

Finally, the CNIL noted that during the phase of current use, which corresponds to the time required to achieve the purpose of the processing, the data is kept in an “active base” and is accessible to all departments responsible for implementing and processing. At the end of this phase, when the data is no longer used to achieve the set objective, but is still of administrative use to the controller (for example the management of a possible dispute), it must be possible to consult only on an ad hoc basis and for a specific reason, by specially authorized people. With regards to this case, the CNIL held that the information they found did not make it possible to establish that persons would have access to the data without having a need to know. Therefore, the DPA concluded that there was no breach of Article 32 GDPR.

Thus, the CNIL imposed a €310,000 fine on the controller for breaching Article 6 GDPR.

Comment

To grasp the notion of consent, the CNIL referred to several documents:

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of restricted training no. SAN-2024-003 of January 31, 2024 concerning the company FORIOU

The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Isabelle LATOURNARIE-WILLEMS and MM. Alain DRU and Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to decision no. 2021-191C of June 29, 2021 of the President of the National Commission for Information Technology and Freedoms to instruct the Secretary General to carry out or have carried out a verification mission of the processing implemented by the company SFK GROUP, by its subsidiaries or on its behalf, in any place likely to be affected by their implementation;

Having regard to the decision of the President of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated April 4, 2022;

Having regard to the report of Ms. Valérie PEUGEOT, commissioner rapporteur, notified to the company FORIOU on August 23, 2023;

Considering the written observations submitted by the company FORIOU on September 29, 2023;

Having regard to the rapporteur's response to these observations, notified to the company on October 20, 2023;

Considering the closure of the investigation, notified to the company on November 22, 2023;

Considering the oral observations made during the restricted training session of December 7, 2023;

Having regard to the deliberation preliminary to the law of restricted training n°SAN-2023-020 of December 14, 2023;

Having regard to the written observations submitted by the rapporteur on December 21, 2023;

Considering the written observations submitted by the company on December 28, 2023;

Considering the oral observations made during the restricted training session of January 18, 2024;

Considering the note for deliberation sent by the company on January 29, 2024;

Considering the other documents in the file;

Were present during the restricted training session:

- Ms. Valérie PEUGEOT, commissioner, heard in her report;

As representatives of the FORIOU company:

- […]

The FORIOU company having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

1. The company FORIOU (hereinafter "the company"), whose head office is located at 23/25 avenue Kléber in Paris (16th), is a subsidiary of the company SFK GROUP. Its activity is the marketing and management of loyalty programs and cards. It does not employ any employees but relies, for the conduct of its activities, on the services of personnel from other companies in the group. The company indicated that it had identified […] customers as of October 5, 2021. Its turnover for the year 2021 amounted to […] euros, for a net loss of […] euros.

2. In order to promote its programs, the company carried out, until 2021, telephone canvassing campaigns based on prospect files purchased from two main partners, the companies […] and […].

3. On September 23, 2021, a delegation from the National Commission for Information Technology and Liberties (hereinafter “the Commission” or “the CNIL”) carried out an inspection at the company’s premises, in order to verify the compliance with the provisions of law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter "the Data Protection Act" or "law of January 6, 1978 as amended") and of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of personal data and the free movement of such data (hereinafter the “Regulation” or “GDPR”).

4. Report No. 2021-191/1, drawn up on the day of the inspection, was notified to the company on September 30, 2021.

5. The company communicated additional documents on October 5 and November 22, 2021.

6. For the purposes of examining these elements, the President of the Commission, on April 4, 2022, appointed Ms. Valérie PEUGEOT as rapporteur on the basis of article 22 of the law of January 6, 1978 as amended.

7. On June 8, 2023, the rapporteur sent a supplementary request to which the company responded on June 23, 2023.

8. On August 23, 2023, at the end of her investigation, the rapporteur notified the company of a report detailing the breaches of Articles 6 and 32 of the GDPR which she considered to have occurred in this case. This report proposed to the restricted panel to impose an administrative fine against the company. He also proposed that this decision be made public.

9. On September 29, 2023, the company produced observations in response to the sanction report.

10. The rapporteur responded to the company's observations on October 20, 2023.

11. On November 22, 2023, the rapporteur, in application of III of article 40 of decree no. 2019-536 of May 29, 2019 taken for the application of the Data Protection Act, informed the company and the president of restricted training that the investigation was closed.

12. The same day, the company was informed that the file was included on the agenda for the restricted training on December 7, 2023.

13. The restricted panel held a session on December 7, 2023.

14. By preliminary deliberation No. SAN-2023-020 of December 14, 2023, sent by email to the company the same day and notified by post on December 20, 2023, the restricted panel asked the company FORIOU and to the rapporteur the production of a complementary document, mentioned by the company during the meeting of December 7, 2023.

15. On December 21, 2023, the rapporteur communicated to the restricted panel a document entitled “leads_701_23-09-2021 […]”.

16. On December 28, 2023, the company communicated to the restricted panel a document also entitled “leads_701_23-09-2021 […]”.

17. In application of article 41 of decree no. 2019-536 of May 29, 2019, a summons to the restricted training session of January 18, 2024 was notified to the company FORIOU on December 20, 2023.

18. The rapporteur and the company presented oral observations during the restricted training session.

II. Reasons for decision

A. On the failure to comply with the obligation to process data lawfully

19. Under the terms of Article 6 of the GDPR, “1. Processing is only lawful if, and to the extent that, at least one of the following conditions is met:

a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is party or for the execution of pre-contractual measures taken at the request of the data subject;

c) the processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary to safeguard the vital interests of the data subject or another natural person;

e) the processing is necessary for the performance of a mission of public interest or relating to the exercise of public authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the person concerned is a child.

20. The restricted training recalls that commercial prospecting actions by telephone calls can be carried out on the legal basis of the legitimate interest of the company (f) or on that of consent (a).

21. In this case, the company indicated that it carried out commercial prospecting operations by telephone using prospect files purchased from several data providers, the latter collecting said data via participation forms in online competitions.

22. The restricted panel notes that the company was not able, either in its written observations or in its oral observations during the session, to indicate precisely on what legal basis it was relying to carry out such processing. . Under these conditions, the two legal bases likely to be applicable in this case will be examined successively.

1) On legitimate interest

23. The rapporteur maintains that, to base its commercial prospecting operations by telephone, the company cannot rely on the legal basis of legitimate interest referred to in point f) of Article 6, paragraph 1 of the GDPR. It thus notes, with regard to the participation forms for online competitions through which the company […] collects the data of prospects which it resells to the company FORIOU, that the latter is not systematically mentioned in the list of partners likely to approach the persons concerned, and that the latter cannot legitimately expect to receive commercial offers from this company.

24. In defense, the company relies on the contractual commitments of the company […], which provide that the company FORIOU must be mentioned among the recipients of the data collected. It considers that it cannot be held responsible for the shortcomings of its service provider, and produces an example of a form implemented by the company […] containing a URL link to a list of partners, including the company SFAM ( a link to the latter's confidentiality policy allowing access to the complete list of companies belonging to the same group as SFAM, including the company FORIOU). Finally, the company claims to implement regular checks relating to the conformity of the files delivered.

25. The restricted training recalls that, if commercial prospecting by non-electronic means can be carried out on the basis of the legitimate interest of the company, the latter must ensure that the processing does not conflict with the rights and interests of the persons whose the data is processed, taking into account their reasonable expectations.

26. In this regard, recital 47 of the GDPR provides that: “[…] the existence of a legitimate interest should be the subject of a careful assessment, in particular in order to determine whether a data subject can reasonably expect , at the time and in the context of the collection of personal data, that these are subject to processing for a given purpose. The interests and fundamental rights of the person could, in particular, prevail on the interest of the controller when personal data are processed in circumstances where the data subjects have no reasonable expectation of further processing […]. ".

27. The restricted training firstly notes that it follows from these provisions that, in its capacity as data controller, the FORIOU company is required to verify itself that the conditions allowing it to carry out commercial prospecting operations are united. In this regard, the responsibility of an organization could be held by considering that a simple contractual commitment from its data broker to respect the GDPR and the rules applicable to commercial prospecting did not constitute a sufficient measure (CNIL, FR , November 24, 2022, Sanction, No. D-SAN-2022-021, published).

28. Thus, with regard to the contractual commitments of the company [...] which the FORIOU company relies on, the restricted panel considers that the contractual obligations that may be imposed on suppliers cannot exempt the FORIOU company from its liability as responsible for processing, despite the possible existence of supplier liability.

29. Furthermore, with regard to the checks that the company claims to carry out on the forms from which the data are collected, the restricted training notes that it does not produce any element to attest to this, the contractual commitments of its suppliers do not not constituting a control measure as such.

30. In the present case, the restricted panel notes that certain competition forms from which the company [...] collects prospect data which it transmits to the company FORIOU do not allow the persons concerned to reasonably expect to receive commercial prospecting offers from this company.

31. Thus, with regard to the form accessible from the website […], the restricted panel observes that the latter contains a hyperlink referring to a nominative list of partners and not to categories of partners. Thus, the persons concerned can legitimately expect that this list of partners is exhaustive. However, the said list does not mention the company FORIOU.

32. Concerning the forms present on the sites […] (this form referring to the site […]) and […], the restricted training notes that they do not mention the list of partners or categories of partners to which the data is likely to be transmitted, and that they also do not contain any link allowing access to such a list.

33. The restricted panel considers that under these conditions, the protection of the interests, freedoms and fundamental rights of the persons concerned takes precedence over the legitimate interests of the company, and that the latter cannot therefore rely on the legal basis mentioned in Article 6, paragraph 1, f) to base its commercial prospecting operations by telephone.

2) On consent

34. The rapporteur considers that, to base its commercial prospecting operations by telephone, the company cannot rely on the legal basis of consent referred to in point a) of Article 6, paragraph 1, of the GDPR. It notes that the findings made by the delegation made it possible to establish that the data brokers from which the company FORIOU obtains its supplies collect said data via participation forms for online competitions, the design of which does not allow does not allow users to demonstrate their consent by a clear and unambiguous positive act, and strongly encourages them to accept the transmission of their data to the company's partners for prospecting purposes.

35. In defense, the company relies on the terms of the contract concluded with the company […]. It takes note of the material findings, but indicates that, if the breaches exist, they are neither representative of a desire to ignore its obligations, nor of generalized practices. In this regard, it provides two examples of collection forms implemented by its suppliers, which it considers to be compliant. Finally, it reports checks carried out on the files following their provision by the service provider, and emphasizes the impossibility, given the volume of these files, of implementing a unitary check.

36. The restricted committee recalls that under the terms of Article 4, paragraph 11, of the GDPR, “consent” of the data subject means “any manifestation of will, free, specific, informed and unambiguous by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning him or her are subject to processing.

37. With regard to commercial prospecting operations, it emphasizes that when the prospects' data have not been collected directly from them by the prospecting organization, consent may have been obtained at the time of the initial collection of the data. given by the first-time collector, on behalf of the organization which will carry out subsequent prospecting operations. Failing this, it is up to the prospecting organization to obtain such consent before carrying out prospecting acts (CNIL, FR, November 24, 2022, Sanction, n°SAN-2022-021, published)

38. Firstly, with regard to the contractual commitments of the company [...] which the FORIOU company relies on, the restricted training refers to the elements developed in points 27 and 28. It further recalls that, if the intentional nature of the violation must be taken into account when deciding whether there is reason to impose a fine and when deciding its amount, it has no impact on the characterization of the breach, the latter possibly resulting from negligence. The same applies to the generalized nature or not of said breach.

39. Secondly, the restricted training recalls that the consent mentioned by the provisions of Article 6, paragraph 1, a) of the GDPR, which allows the processing of personal data to be based, can only result from a express consent of the user, given in full knowledge of the facts after adequate information on the use that will be made of their personal data. It is therefore necessary to ensure that the persons concerned have given unequivocal, specific, free and informed consent when collecting their personal data via competition participation forms.

40. The restricted training notes in this regard that the work carried out on the practices implemented in terms of cookies with regard to banners for collecting consent can usefully serve to assess in a more general manner the conditions for collecting free consent , unambiguous, specific and informed, and serve as a reference in matters of commercial prospecting when it is based on the collection of consent.

41. Furthermore, on the same conditions of consent, the Court of Justice of the European Union (hereinafter "CJEU") specified, in its Planet49 GmbH decision: "Article 7(a) of Directive -tive 95 provides that the consent of the data subject can make such processing lawful provided that this consent is "undoubtedly" given by the data subject. However, only active behavior on the part of this person with a view to manifesting consent is likely to fulfill this requirement” (CJEU, Grand Chamber, October 1, 2019, Planet49 GmbH, C-673/17, ECLI:EU:C:2019:801, §54). Therefore, it should be considered that if consent is not given without doubt, it must be considered as lacking, which makes the processing illegal for lack of legal basis. More precisely on the methods of collection, the CJEU states that "the manifestation of will referred to in Article 2(h) of Directive 95/46 must, in particular, be "specific", in the sense that it must relate precisely to the data processing concerned and cannot be deduced from a manifestation of will having a distinct object. In this case, contrary to what Planet49 argued, the fact for a user to activate the button participation in the promotional game organized by this company cannot therefore be sufficient to consider that the user has validly given his consent to the placement of cookies" (Idem, §§ 58-59).

42. Furthermore, the Council of State held that "free, specific, informed and unequivocal consent can only be an express consent of the user, given in full knowledge of the facts and after adequate information on the use that will be made of his personal data." (EC, 10th and 9th chambers combined, June 19, 2020, Google LLC, no. 430810, pt. 21).

43. The restricted training also notes, by way of example, that guidelines 5/2020 on consent, adopted on May 4, 2020 by the "article 29" working group (now the European Data Protection Board, hereinafter "EDPS"), specify that the free nature of consent "implies a choice and real control for the data subjects. As a general rule, the GDPR provides that if the data subject is not genuinely able to exercise a choice, feels forced to consent or will suffer significant negative consequences if he or she does not give consent, the consent is not valid […] In general terms, any inappropriate pressure or influence exerted on the person concerned (which may manifest in different ways) preventing him from exercising his will will render the consent invalid.

44. By way of illustration and comparison, in its deliberation no. 2020-092 of September 17, 2020 adopting a recommendation proposing practical methods of compliance in the event of use of "cookies and other tracers", the Commission recommends that the organizations concerned ensure "that users take the full measure of the options available to them, in particular through the design chosen and the information provided (§ 10) […] In order not to induce mislead users, the Commission recommends that data controllers ensure that interfaces for collecting choices do not include potentially misleading design practices leading users to believe that their consent is obligatory or which visually highlight a choice rather than another. It is recommended to use buttons and font of the same size, offering the same ease of reading, and highlighted in the same way" (§ 34). She adds that it is necessary "to be careful that the information accompanying each actionable element allowing consent or refusal to be expressed is easily understandable and does not require efforts of concentration or interpretation on the part of the the user. Thus, it is particularly recommended to ensure that it is not written in such a way that a quick or careless reading could lead one to believe that the selected option produces the opposite of what users thought they were choosing." (§ 23). Otherwise, the unequivocal nature of the consent would not be characterized.

45. The restricted training also recalls that studies carried out on the practices of digital interfaces, in particular concerning cookies, note the considerable impact of the appearance of consent collection banners on the choice of users, which can encourage them to make choices that do not reflect their preferences on data sharing.

46. In this case, it appears from the documents in the file that the companies […] and […], suppliers of prospect data to the company FORIOU, collect the data of the persons concerned (surname, first name, title, email address, mobile telephone number, date of birth and postal address) via participation forms in online competitions, in order to allow their partners to use them as part of their commercial prospecting.

47. Regarding the findings made by the delegation during the inspection, the restricted panel notes that the forms accessible from the websites […], […], […] and […] are presented in a similar manner. Under the fields allowing the persons concerned to enter their contact details (which are requested by the formulas "fill in your details below if you win" or "fill in your details below to apply") is located a button "VALIDATE ", "I VALIDATE" or "I ANSWER THE QUESTIONS TO APPLY". Above or below this button, a text specifies that by clicking on it, the user declares to have read the company's data protection policy and accepts that the data collected will be used to send them offers. partners of the company. Hypertext links provide access to the data protection policy and the list of partners concerned. The end of the text specifies that if the user wishes to continue without receiving offers from the company's partners, they can click on a link present in the text ("click here").

48. Thus, the user confronted with this form can either click on a button allowing both to validate their participation in the game and to accept that their data is used to send them offers from the company's partners, or click on the “click here” link allowing you to continue without receiving these offers.

49. The restricted panel considers that as designed, the proposed forms do not allow data subjects to validly express a choice reflecting their preferences regarding the transmission of data for commercial prospecting purposes. The overall overview of the interfaces particularly highlights the "VALIDATE", "I VALIDATE" or "I ANSWER THE QUESTIONS TO APPLY" button which, by its size and color, stands out from the other information provided. Likewise, its title evokes more the conclusion of the user journey rather than a transmission of data to partners. Finally, its location gives the impression that it must be clicked to complete registration and participate in the competition. Conversely, the hypertext link allowing you to participate in the game without accepting the transmission of your data to partners is presented in the body of the text, in characters of a size significantly smaller than that used for the buttons and without particular emphasis, so that it does not appear intuitive that it is possible to participate without clicking on one of the aforementioned buttons and therefore without transmitting your data to third parties for prospecting purposes. The consent obtained is therefore devoid of an unequivocal and free nature.

50. The restricted panel also notes that, as part of its written observations, the company produced two other forms, presented as compliant. However, the restricted panel notes that their design does not allow the persons concerned to demonstrate their consent by a clear and unambiguous positive act.

51. On the one hand, the restricted panel observes that the presentation of these forms, like those consulted by the delegation during the on-site inspection, particularly highlights the "VALIDATE MY CONTACT INFORMATION" and "CONTINUE" button, to validate participation in the game and transmit data to partners. On the contrary, the hypertext link "click here" allowing you to participate in the game without accepting this transmission is presented in the body of the text, in characters of a size significantly smaller than that of the button and without particular emphasis. In addition, the overall visual of the form accessible from the site […], which contains three green inserts (“I VALIDATE MY PARTICIPATION”, “I CONFIRM MY DETAILS FOR DELIVERY IN CASE OF WIN” and “VALIDATE MY CONTACT DETAILS”) leads us to believe that there is a logical sequencing between these three actions and that the "VALIDATE MY CONTACT INFORMATION" button is the last button to activate to participate in the game and obtain your winnings. However, this button is not obligatory since the user can use the aforementioned link "click here", which is not intuitive given the general appearance of the form.

52. In addition, with regard to the form implemented by the company […] from the site […], the restricted training notes the existence of two boxes to check, one concerning reading and acceptance of the rules of the game, the other reading the confidentiality policy and accepting the transmission of their data. The similar appearance of these boxes, presented as legal notices that must be read, and whose accompanying text begins with "I have read", pushes the user to check them indiscriminately, then to click on "CONTINUE" in transmitting its data. The possibility of participating in the draw without receiving promotional offers exists by clicking on the link "here" but is written in a smaller font and without emphasis compared to the "CONTINUE" button which on the one hand, is particularly visible by its size, color and font, on the other hand, seems to conclude the user journey due to its location at the bottom of the form. Thus, the optional nature of the “CONTINUE” button is not clearly deduced from the overall visual of the form.

53. On the other hand, the restricted training notes that an online check carried out on October 17, 2023 revealed that, given its configuration, the form referred to in the preceding paragraph did not materially allow the user to participate to the game without accepting the transmission of their data to the company's partners, and therefore without being the recipient of commercial prospecting, contrary to what is indicated on the form.

54. The restricted panel thus considers that the above-mentioned forms do not sufficiently inform the persons concerned of the fact that they consent to the transmission of their data for commercial prospecting purposes, in a context where the very purpose of these sites web is to offer a prospect of earnings which cannot suggest the objective of long-term collection of this data for such purposes. These people are not able to demonstrate their consent by a clear and unambiguous positive act.

55. Third and last, with regard to the checks that the company claims to carry out on the files delivered, the restricted panel observes that the company does not produce any evidence to attest to this.

56. On the one hand, in its written observations of September 29, 2023, then in its oral observations during the meeting of December 7, 2023, the company mentioned a document entitled "leads_701_23-09-2021 […]", collected during on-site inspection and reporting, according to it, "checks of the prospecting files carried out following their provision by the service provider". By deliberation no. SAN-2023-020 of December 14, 2023, the restricted panel requested the rapporteur and the company to produce this document.

57. The restricted panel notes that the file produced by the rapporteur, the digital fingerprint of which certifies that it is indeed the file from which the findings were made by the delegation during the inspection, does not contain any element of a nature to certify the verifications relied upon by the company. In accordance with what is mentioned on the inspection report, this is a file of prospects (“leads”) delivered by the company […] to the INDEXIA group on September 23, 2021, containing the data of approximately 15,000 prospects. If, for each of these prospects, a URL link allowing access to the source of the data is present, the restricted training notes that no mention is made of verifications which could have been carried out by the FORIOU company or the INDEXIA group . During the meeting of January 18, 2024, the company indicated that it would not question the integrity of this part.

58. Regarding the file produced by the company, the restricted panel notes that it does not correspond to that collected during the inspection, insofar as its digital footprint and its size differ. It further notes that this difference is confirmed by its content since, contrary to the findings appearing in the minutes of September 23, 2021, it does not contain any prospect data but only URL links accompanied by comments ("ok", "only one check box", "disputed").

59. Finally, the restricted panel observes that the content of the file produced does not appear consistent with the purpose invoked insofar as the summary and undated comments which appear therein are not linked to any prospect sheet and that it is not Furthermore, it has not been demonstrated that the non-conformities identified would have been reported to the company […]. The restricted training thus considers that in any case, such a file does not make it possible to demonstrate the existence of checks carried out on the files delivered.

60. On the other hand, with regard to the other documents in the file, the restricted panel notes that they attest exclusively to requirements imposed by the company FORIOU on the company […], prior to the resumption of their contractual relations, without constitute controls by the company FORIOU on the subsequent practices of its service provider.

61. The restricted panel notes in any case that the proportion of non-compliant files among those randomly examined by the delegation (i.e. four non-compliant files out of the seven examined) demonstrates the insufficiency of the measures taken by the company to ensure the validity of the consent of the persons concerned.

62. Therefore, in the absence of a legal basis allowing the FORIOU company to base its commercial prospecting operations by telephone, the restricted panel considers that a breach of Article 6 of the GDPR has occurred.

B. On the failure to comply with the obligation to ensure data security

63. Under the terms of Article 32, paragraph 1 of the GDPR, "taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of probability and severity of which varies, for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk [ …] "and in particular "means to guarantee the constant confidentiality, integrity, availability and resilience of processing systems and services" and a "procedure aimed at regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing".

64. The rapporteur notes that the company indicated that it kept its customers' data for a period of five years from the date of closing of the contract, in accordance with the legal limitation periods, specifying that this data was kept on an active basis, without that no intermediate archiving mechanism is implemented. The rapporteur considers that these storage arrangements do not make it possible to limit access to data to users with a need to know, to the extent that people with an interest in having access to this data during the duration of the contract continue, even after the closure of the latter, to be able to access it without restriction for a period of five years, even though their functions no longer necessarily require them to know about it.

65. In defense, the company does not deny keeping its customers' data for a period of five years from the end of the contractual relationship, nor the absence of intermediate archiving, but considers that the notion of "basic active" constitutes restrictive terminology insofar as the information accessible during the life of a contract remains, for the vast majority of it, still necessary even after the latter has been closed. She also underlines that the implementation of intermediate archiving measures raises the question of the relationship between the human and financial investment effort that would be necessary and the limited gain that would result.

66. The restricted training recalls that it follows from the provisions of Article 32 of the GDPR that the data controller must put in place appropriate measures to ensure the confidentiality of the data and prevent them from being processed unlawfully by the fact of people who do not need to know (CNIL, FR, October 29, 2021, Sanction, n°SAN-2021-019, published).

67. This need to know is likely to evolve depending on the life cycle of the data and the purposes for which they are kept. Thus, during the phase of their current use, which corresponds to the duration necessary to accomplish the determined purpose, the data are kept on an "active basis" and accessible to all the services responsible for implementing the processing. At the end of this phase, when the data is no longer used to achieve the set objective but it still presents an administrative interest for the organization (for example for the management of possible litigation) or must be kept to meet a legal obligation, they must be able to be consulted only on an ad hoc and motivated basis by specifically authorized persons, participating in the objective which justified this conservation, by being the subject of intermediate archiving. This intermediate archiving requires a separation from the active database, which can be physical (via a transfer of data within a dedicated archive database), or logical (via the implementation of technical and organizational measures guaranteeing that only people with an interest in processing the data due to their functions can access it).

68. The restricted panel notes that the company does not dispute retaining its customers' data at the end of the contractual relationship, without any intermediate archiving measure taking place. The restricted training recalls that the termination of contractual relations must lead to limiting access to data to certain employees due to their functions. However, the restricted panel considers that as it stands, the elements in the file do not make it possible to establish that people would have access to said data without needing to know it.

69. It follows from the above that there is no breach of Article 32 of the GDPR.

III. On the issuance of corrective measures and publicity

70. Under the terms of article 20 of law no. 78-17 of January 6, 1978 as amended: "When the data controller or its subcontractor does not comply with the obligations resulting from regulation (EU) 2016/679 of 27 April 2016 or this law, the president of the National Commission for Information Technology and Freedoms may […] refer the matter to the restricted formation of the commission with a view to pronouncing, after contradictory procedure, one or more of the measures following: […] 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the figure total global annual business of the previous financial year, the highest amount being retained. In the hypotheses mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased , respectively, to 20 million euros and 4% of said turnover. The restricted body takes into account, in determining the amount of the fine, the criteria specified in the same article 83 ".

71. Article 83 of the GDPR provides that: "Each supervisory authority shall ensure that administrative fines imposed under this article for violations of this regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective , proportionate and dissuasive", before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding the amount of this fine.

72. Firstly, the restricted panel recalls that it must take into account, when issuing an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, seriousness and duration of the violation. , whether the violation was deliberate or not, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the violation .

73. The restricted training underlines that the breach committed by the company relates to obligations relating to the fundamental principles of the protection of personal data.

74. Indeed, the restricted training recalls that the consequence of failure to comply with the obligation to have a legal basis for processing prospects' data in the context of commercial prospecting by telephone is to deprive the operations concerned of lawfulness.

75. She underlines that, if the company intends to base these on the legal basis of consent, the ecosystem of the resale of data from partners to partners requires particularly strong guarantees as to the quality and validity of the consent obtained by the first-time data collector and which partners use for commercial prospecting purposes. It emphasizes that in this regard, the organization which avails itself of such consent to carry out commercial prospecting operations assumes an essential responsibility requiring it, as data controller, to ensure that the conditions enabling it to carrying out said operations are combined, regardless of the possible liability of the data providers, primary collectors. The restricted training considers that these requirements must be particularly reinforced with regard to the methods of obtaining the consent of users of websites whose purpose is to offer prospects of earning, these people not necessarily being aware of the scope of their agreement as part of their registration.

76. The restricted training also recalls the importance, in the absence of obtaining valid consent, of allowing the persons concerned to measure the extent of the processing to which their data is likely to be subject. Thus, the fact that at the time of data collection, a detailed list of partners likely to carry out commercial prospecting operations is made available to the persons concerned, without the FORIOU company appearing there, and without this list being supplemented by a statement specifying the categories of partners of which the company FORIOU could be a part, deprives the persons concerned of the minimum information base allowing them to preserve their interests, freedoms and fundamental rights.

77. The restricted training emphasizes the fact that the company FORIOU, as a subsidiary of the company SFK GROUP, has sufficient human, financial and technical resources to ensure compliance with the rules relating to the protection of personal data .

78. Finally, the restricted training intends to take into account […]

79. In view of all of these elements, the restricted panel considers that it is appropriate to impose an administrative fine for the breach of Article 6 of the GDPR.

80. Secondly, with regard to the amount of the administrative fine, the restricted committee recalls that the violation noted in this case concerns a breach likely to be subject, under Article 83 of the GDPR, to an administrative fine of up to 20 million euros or up to 4% of the global annual turnover of the previous financial year, whichever is higher.

81. It considers that the activity of the company and its financial situation must in particular be taken into account. It notes in this regard that for the year 2021, the company achieved a turnover of […] euros, for an operating profit of […] euros. The restricted committee notes that, if the company presents a net loss of […] euros, it is only due to a waiver of debt of […] euros to the INDEXIA group. Furthermore, as this exceptional result is not deductible, the FORIOU company was subject, for the year 2021, to an amount of […] euros in corporate tax. Taking into account all of these elements, the restricted panel considers that the financial situation of the company is healthy.

82. Therefore, with regard to the liability of the company, its financial capacities and the relevant criteria of Article 83, paragraph 2, of the GDPR mentioned above, the restricted panel considers that a fine of three hundred and ten one thousand euros (€310,000) appears justified.

83. Thirdly, with regard to the publicity of the sanction, the restricted panel considers that this is justified in view of the seriousness of the breach in question, the position of the company on the market, the scope of the treatment and the number of people affected.

84. It also notes that this measure is intended in particular to inform the people concerned by the company's prospecting operations. This information will allow them, if necessary, to assert their rights.

85. Finally, it considers that this measure is proportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

• impose an administrative fine against the company FORIOU in the amount of three hundred and ten thousand euros (€310,000) for breach of article 6 of the GDPR;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer allow the company to be identified by name after a period of two years from its publication.

President

Alexandre LINDEN

This decision may be the subject of an appeal before the Council of State within two months of its notification.