CNIL (France) - 2c1s196162814
CNIL - 2c1s196162814 | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 5(1)(d) GDPR Article 5(1)(c) GDPR Article 12(3) GDPR Article 14 GDPR Article 56(1) GDPR Article 58(2)(b) GDPR Article 58(2)(d) GDPR Article L561-12 of the French Monetary and Financial Code |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 20.05.2022 |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | 2c1s196162814 |
European Case Law Identifier: | EDPBI:FR:OSS:D:2022:369 |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
In an Article 60 procedure, The French DPA covered three complaints regarding one controller, a credit provider. Among other violations, the controller did not respond to access requests in time and had a retention period of 6 years for anti money laundering purposes, while French law only required 5 years.
English Summary
Facts
This decision by the French DPA consisted of several complaints by different data subjects regarding the same controller. The nature and the name of this controller were not disclosed. Based on the information provided in the decision, the controller seemed to be a provider of consumer credit.
The first data subject (French) requested access to his personal data. He received responses from the controller but these answers were incomplete according to the data subject, because the identity of the investigative agency at the origin of the data collection was not disclosed. After an intervention of the French DPA, the controller complied with the request.
The second data subject (French) had repeatedly requested information about the source - and the retention period of personal data. He also requested the deletion of his data. After discussions between the DPA and the controller, the controller informed the data subject that his phone number and his address had been obtained from an investigative agency, located in Israel. The controller added that it only hired such an agency when the data collected from a ‘transferring institution’ was inadequate. It is not clear what the controller meant with a 'transferring institution'. The controller also informed the data subject of the retention period of 6 years. The controller stated that it was obligated to keep data for a minimum of five years for anti-money laundering purposes, despite French law only requiring a storage period of five years, without any mention of a minimum period (Article L561-12 of the French Monetary and Financial Code).
The complaint of the third data subject was transferred by the Polish DPA pursuant of Article 56(1) GDPR. The controller was not able to reach the data subject concerning his supposed debt. Therefore, it hired an investigative agency, which sent the contact details of the data subject to the controller on 13 July 2018. The data subject was then contacted by the controller with the request to pay his debt. However, the data subject stated that he was not a debtor and had never been a client of the controller. After communication between the data subject and the controller, the controller acknowledged that there had been a mistake regarding the identity of the data subject. The telephone number of the data subject was invalidated, but no further action was taken. The controller anonymized the data subject’s address and telephone number following the intervention of the DPA almost one year later. The data subject complained at the DPA about the unlawfulness of processing of his personal data and requested erasure of his personal data.
Holding
The DPA held that the controller had disregarded Article 12(3) GDPR regarding the third complaint, because it had taken the controller four months to respond to the data subject and did not answer as soon as possible. The DPA stated that an initial, insufficient measure was taken only four months after the data subject's first request. The controller only provided a satisfactory response a year after the first request and after the intervention of the DPA, since the controller only anonymized the data after the French DPA interfered.
The controller also violated Article 5(1)(d) GDPR regarding the third complaint, because it did not take the necessary measures to only process up-to-date personal data. It held that the controller did not take adequate measures to remove any doubt surrounding the data subject and delete the personal data of this data subject.
The DPA also determined that the controller violated Article 5(1)(e) GDPR regarding the second complaint because of the 6-year retention period of personal data, while French law determined that the storage period for money laundering purposes was only five years (Article L561-12 of the French Monetary and Financial Code).
The DPA also stated that Article 14 GDPR had been breached by the controller regarding all complaints, because data subjects were not informed about the source of personal data when this was collected by the controller through a third party. The DPA specified that providing a copy of a privacy policy, indicating the possibility of consulting an investigative agency, did not mean that the obligation under Article 14 GDPR was fulfilled. The information in the privacy policy was not specific enough and did not provide information on the exact source of the data.
The DPA issued a reprimand pursuant of Article 58(2)(b) GDPR and Article 20.II of the French data protection act with regard to the obligation to respond to data subject requests and the obligation to process accurate and updated personal data. The DPA also issued a formal notice pursuant of Article 58(2)(d) GDPR and Article 20.II of the French data protection act to limit the retention period of personal data to five years and to correctly inform individuals about the origin of their personal data.
Comment
Although the nature or the name of the controller were not disclosed, it seemed that the controller was some sort of a provider of consumer credit. Under section 1 of the decision (paragraph 1), there is a mention of a debt assignment agreement between the controller and the data subject. Also under section 1 (paragraph 5), one of the data subjects stated that he had never been a debtor of the controller.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Dear Sir, I am following up on the exchanges of letters that took place between the CNIL services and the data protection officer (DPO) of your company, as part of the investigation of several complaints relating to the processing of debtors’ personal data (amicable collection files). I. Reminder of claims and facts With regard to referral No. f The French complainant requested access to his data and received some responses. He nevertheless referred the matter to CNIL, feeling that the responses were incomplete, as the identity of the investigative agency at the origin of the data collection was not communicated to him. Following the intervention of CNIL services, his request was granted. With regard to referral No. P| The data relating to the French complainant were processed by assignment agreement entered into with ‘he complainant has repeatedly requested the source of the data concerning him, as well as its retention period and its deletion. Following discussions with CNIL vices informed the complainant that his address and telephone number had been obtained from an investigative agency located in Israel. Your DPO has indicated to CNIL that the use of such an agency occurs only when the data collected from the transferring institution turns out to be inaccurate. based on a debt In addition, the complainant was informed of the “exceptional” closure of his case and that his data will be deleted after a period of six years from that closure. Your DPO justified this period by the fact that your company is “legally required to keep this data far anti-money laundering pur poses for a minimum of five years.“ With regard to referral No. Fs In this complaint submitted by the Polish Data Protection Authority, pursuant to Article 56.1 of the General Data Protection Regulation (GDPR), the complainant challenged the lawfulness of the processing of data concerning him b and requested its erasure. He indicated that he was not a debtor and had never been a client of the ceding company From the complaint and the exchanges with your company’s DPO, the following details emerge: - after unsuccessfully attempting to contact the debtor concerned,ME appealed to an investigative agency, which sent it the contact details of the complainant on 13 July 2018; - on 23 July 2018, the complainant requested the erasure of the data from [I after reccivingEE s letter informing him of the existence of a claim concerning him; - on 27 July 2018, he contacted I by email DE © obtain information, as he claims never to have taken out a loan withI - on17 September 2018, he received another letter asking him to pay his debt; - on 29 November 2018, during a telephone conversation with the complainant, eS services noticed that this was a case of mistaken identity (same surname and first name). His telephone number was then invalidated, but no further action was taken; - the complainant’s address and telephone number were anonymised following the intervention of CNIL services on 26 August 2019 (all data relating to the complainant was replaced by crosses, thus preventing any link between the true debtor’s file and the complainant); - the complainant was informed that this measure would therefore put an end to all correspondence with him. II. Analysis of the facts in question 1. Failure to respond to requests to exercise rights Pursuant to Article 12.3 GDPR, the Data Controller must respond to requests from individuals exercising their rights within a maximum period of one month. In the present case, the Polish complainant attempted to obtain information on the processing of the data and requested its erasure upon receipt of the letter of assignment of claim. An initial, insufficient measure was taken only four months after the complainant’s first request. It is only the intervention of CNIL services - over a year after the complainant’s first request - which led your services to respond satisfactorily. I also note that compliance with this obligation and taking into account the complainant’s requests from the outset could have enabled your company to identify the case of mistaken identity in July 2018 and thus immediately cease the processing of data concerning the complainant. I find ha i therefore disregarded Article 12.3 GDPR in that it did not respond to the complainant as soon as possible. 2. Failure to process accurate and up-to-date data Pursuant to Article 5.1.d GDPR, the personal data processed must be accurate and, if necessary, kept up to date. In this case, the case of mistaken identity was identified on 29 November 2018 when the Polish plaintiff disputed being a customer of the company and requested the deletion of his data. However, did not take adequate measures to remove any doubt as to this homonymy and immediately delete the data concerning this non-debtor complainant. Thus, the data relating to the complainant continued to be processed by I and was only anonymised after the intervention of CNIL services on 26 August 2019. I find that Po has therefore disregarded Article 5.1 d) GDPR in that it did not take the necessary measures to process only accurate and up-to-date data relating to a debtor and that it took the intervention of CNIL services to stop this breach.