CNIL (France) - SAN-2020-008

From GDPRhub
Revision as of 15:44, 27 November 2020 by Roka (talk | contribs)
CNIL - SAN-2020-008
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 13(2)(a) GDPR
Article 14 GDPR
Article 15 GDPR
Article 15(1)(g) GDPR
Article 17 GDPR
Article 17(1)(c) GDPR
Article 21 GDPR
Article 32 GDPR
Article 33 GDPR
Article 83 GDPR
Article 83(5) GDPR
Code des postes et des communications électroniques
Loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.11.2020
Published: 26.11.2020
Fine: 2250000 EUR
Parties: Carrefour France
National Case Number/Name: SAN-2020-008
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: Roka

The French DPA (CNIL) imposed a €2,250,000 fine on Carrefour France for several violations of the GDPR and French data protection law. These include: excessive data retention periods, incomplete and unclear information about the processing, failure to answer data subjects' requests properly, insufficient security of personal data (invoices reachable through unprotected URLs, and an unnotified data breach) and unlawful use of cookies.

English Summary

Facts

The French retail company Carrefour France operates the online store carrefour.fr. The CNIL received fifteen complaints related to this website between June 2018 and April 2019. The complaints pointed out several failures:

  • Carrefour sending prospecting e-mails despite data subjects having objected to them
  • Failure to act on erasure and access requests
  • Absence of an "unsubscribe" link in a commercial e-mail

In May-July 2019, several online and on-site investigations were conducted by the French DPA. In addition to the breaches alleged in the complaints, the CNIL decided to investigate Carrefour's loyalty program as well as the databases storing its customers' personal data, and the security measures protecting them.

Several written exchanges happened during the investigative procedure and Carrefour quickly implemented corrective measures. In January 2020, the CNIL sent to Carrefour a full report detailing the breaches identified to which Carrefour responded in a back-and-forth between the company and the DPA from March to August 2020.

Dispute

The CNIL investigated several questions regarding Carrefour France's data processing:

  • Is keeping the data of loyalty program members for four years after their last contact with the company excessive under Article 5(1)(e) GDPR?
  • Is keeping a copy of a data subject's ID card after the request has been met excessive?
  • Does systematically requesting an ID card for the exercise of a right by a data subject violate Article 12 GDPR?
  • Do the following practices infringe the data subjects' right to information as described in Article 12 GDPR?
    • Spreading the mandatory information on data processing across several web pages
    • Making the information part of the terms and conditions of the loyalty program
    • On a paper information medium, referring the data subject to the privacy policy on the carrefour.fr website without specifying the exact URL of the policy
    • The use of vague wording such as "These processing operations mainly include" and "for one or more of the following purposes for which your data may be used"
  • Is responding to an erasure request merely by removing the user from a commercial solicitation database sufficient under Article 17 GDPR?
  • Is requiring the recipient of a solicitation e-mail to log in to a website in order to object to the processing compliant with Article L34-5 of the French Postal and Electronic Communications Code?
  • Does making purchase invoices containing personal data publicly accessible on the web through unprotected URLs (no authentication required to open them) violate Article 32 GDPR on data security?
  • Does placing 39 cookies on the data subject's terminal before any act of consent or refusal on their part violate Article 82 of the French data protection law (Loi Informatique et Libertés)?

Holding

The CNIL imposed a €2,250,000 fine on Carrefour France on account of several breaches of the GDPR and French national law. Due to the seriousness of the breaches and the size of the company's customer database, the French DPA made the sanction public and decided to publish the decision on its website, with Carrefour's name to be removed after a two-year period.

The CNIL acknowledged Carrefour's efforts to remedy the breaches even before the end of the investigation procedure, and that the company did not gain any financial advantage from them. However, in justifying the severity of the sanction, it pointed out that the breaches relate to "essential requirements" imposed on a data controller.

On the data retention period

The CNIL recalled that, in order to determine the appropriate data retention period, one should examine the purpose of the processing as well as the specifics of the data controller's business sector. In this case, members of a retail company's loyalty program tend to shop frequently at the company's stores. As such, a customer who has not had any contact with the company for four years cannot be deemed active. The CNIL treats a three-year retention period from the last contact as the appropriate reference in this case; the four-year period initially set by Carrefour was therefore excessive.

On the retention of ID copies received when data subjects exercise their rights, the CNIL stated that the copy of the ID cannot be kept longer than necessary to handle the request. By keeping this data for up to six years, Carrefour violated Article 5(1)(e) GDPR.

On the systematic request for an ID in order to exercise a right

According to the CNIL, when handling a request to exercise a right, a copy of an identity document should be requested only where there is reasonable doubt as to the identity of the person. As such, systematically requesting an ID violates Article 12 GDPR by making the exercise of rights harder than it should be.

On the more general topic of the exercise of rights, the CNIL pointed out that Carrefour regularly exceeded the one-month deadline to answer a request, sometimes taking up to nine months. Furthermore, on several occasions Carrefour did not respond to the data subject's actual request but confused it with another request.

On the several questionable practices regarding the right to information

Quoting Article 12 GDPR, the CNIL recalled that the information provided to the data subject must be "concise, transparent, intelligible and easily accessible".

The DPA deemed the information not easily accessible because it was spread out across several web pages, including as part of the very long terms and conditions of the loyalty program.

The CNIL specified that the information can be given at different levels of the website, on the condition that the data subject can easily identify it and that it is presented in a single document distinct from the terms and conditions, as recommended in the WP29 guidelines on transparency.

Secondly, the French DPA concluded that the information was not clear and in plain language, as the company used the ambiguous and imprecise wording quoted above. The CNIL also pointed out that the information was neither organised nor prioritised, making it harder to understand.

Finally, the DPA stated that the information given was insufficient to comply with Articles 13 and 14 GDPR, as several mandatory items of information were missing or incorrect, mainly regarding the identity of the data controller, the legal basis for the processing, the transfer of data outside the EU and the data retention period.

On the removal from the solicitation database as an answer to a data deletion request

Carrefour argued that the e-mail address was a core element of the user's profile and that it therefore could not remove it from its database. As a result, Carrefour responded to erasure requests by merely removing the user from its solicitation database.

The CNIL rejected this argument, stating that the data subjects' requests were clear and that by keeping data on users despite their request, Carrefour violated Article 17 GDPR.

On the matter of erasure requests, the DPA pointed out that on several other occasions Carrefour did not act on data subjects' requests because of technical or human errors. The same problem occurred with objections to processing, in violation of Article 21 GDPR.

On the objection to solicitation emails

The CNIL stated that requiring a data subject to log in to a website in order to object to receiving solicitation e-mails violated Article L34-5 of the French Postal and Electronic Communications Code, as some recipients of the e-mails did not have an account on Carrefour's website, making it impossible for them to object.

On the data security breach

The French DPA concluded that by making personal data (purchase invoices) publicly accessible on the web through unprotected URLs, i.e. links that served the document to anyone who knew or guessed the address without any authentication or authorisation check, Carrefour had not set up the appropriate technical measures to secure personal data, in violation of Article 32 GDPR.
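The following is an added example, not code from Carrefour or from the decision, illustrating the class of weakness sanctioned here and two ways to close it. The invoice store, the user identifiers, the route shape and the signed-link scheme are all assumptions made for the illustration; the decision only states that invoices were reachable through unprotected URLs.

```python
"""
Added example (not Carrefour's code, nor part of the CNIL decision): an invoice
endpoint served by URL alone, beside a hardened version that authorises per
object, and a signed, expiring link for recipients who have no account.
All data and names below are constructed assumptions for the illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample data: invoice_id -> (owner_user_id, invoice contents).
INVOICES = {
    "100001": ("alice", "Invoice 100001 - Alice Martin, 12 rue X, total 84.20 EUR"),
    "100002": ("bob", "Invoice 100002 - Bob Durand, 5 av. Y, total 13.90 EUR"),
}


class Forbidden(Exception):
    """Raised where the hardened handlers would answer 403/404."""


# --- Vulnerable pattern: knowing the URL is the only "credential" -------------
# GET /invoice/<invoice_id> with no session check: anyone who knows or guesses a
# sequential id reads someone else's invoice. This is what the decision calls
# personal data "publicly available ... through unprotected URL addresses".
def serve_invoice_vulnerable(invoice_id: str) -> str:
    _owner, body = INVOICES[invoice_id]
    return body


# --- Hardened pattern 1: authenticate, then authorise the specific object -----
def serve_invoice_hardened(session_user: Optional[str], invoice_id: str) -> str:
    if session_user is None:
        raise Forbidden("login required")
    record = INVOICES.get(invoice_id)
    # Same answer for "does not exist" and "not yours": no enumeration oracle.
    if record is None or record[0] != session_user:
        raise Forbidden("not found")
    return record[1]


# --- Hardened pattern 2: capability link for e-mailed invoices ---------------
# Binds the URL to one invoice and one recipient with an HMAC plus an expiry,
# so a guessed or leaked id is not enough and a leaked link stops working.
SECRET_KEY = secrets.token_bytes(32)  # server-side secret (assumption)


def _tag(invoice_id: str, recipient: str, expires: int) -> str:
    msg = f"{invoice_id}|{recipient}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_invoice_link(invoice_id: str, recipient: str, ttl_seconds: int,
                      now: Optional[float] = None) -> str:
    expires = int((now if now is not None else time.time()) + ttl_seconds)
    return f"/invoice/{invoice_id}?r={recipient}&exp={expires}&sig={_tag(invoice_id, recipient, expires)}"


def serve_invoice_from_link(path: str, now: Optional[float] = None) -> str:
    # Parse the constructed route shape /invoice/<id>?r=..&exp=..&sig=..
    route, _, query = path.partition("?")
    invoice_id = route.rsplit("/", 1)[1]
    params = dict(kv.split("=", 1) for kv in query.split("&"))
    expected = _tag(invoice_id, params["r"], int(params["exp"]))
    if not hmac.compare_digest(expected, params["sig"]):  # constant-time compare
        raise Forbidden("bad signature")
    if int(params["exp"]) < (now if now is not None else time.time()):
        raise Forbidden("link expired")
    record = INVOICES.get(invoice_id)
    if record is None or record[0] != params["r"]:
        raise Forbidden("not found")
    return record[1]


if __name__ == "__main__":
    link = make_invoice_link("100001", "alice", ttl_seconds=3600)
    print(serve_invoice_vulnerable("100002"))      # anyone can read Bob's invoice
    print(serve_invoice_from_link(link))           # only the signed link works
```

The first handler is the whole finding: the server trusts the path. The hardened variants make the check explicit (who is logged in, does this object belong to them) or, where a login cannot be required, move the authorisation into a signed, time-limited token that the server verifies with a constant-time comparison. Changing the invoice id or the recipient in the link invalidates the signature.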

The CNIL also pointed out that the company had identified a data breach on 16 November 2018 and failed to implement the necessary corrective measures. Carrefour also did not notify the CNIL of the breach, in violation of Article 33 GDPR.

On the use of cookies on the website

The CNIL concluded that Carrefour did not comply with the French law on cookies. The company used some cookies for a purpose that was not listed in its privacy policy and placed 39 cookies on the user's terminal before collecting their consent.

Comment

Making personal data publicly accessible through unprotected URLs has repeatedly been sanctioned by the French DPA as a violation of Article 32 GDPR. On this topic see CNIL - SAN-2019-005.

This sanction was adopted together with CNIL - SAN-2020-009, which imposed an €800,000 fine on Carrefour Banque, a sister company of Carrefour France.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted formation n° SAN-2020-008 of November 18, 2020 concerning the company CARREFOUR FRANCE
---

The CNIL (Commission Nationale de l'Informatique et des Libertés), in its restricted formation, composed of Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Sylvie LEMMET and Christine MAUGÜE, members;

Having regard to Convention No. 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data ;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data ;

Having regard to Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms, in particular Articles 20 et seq;

Having regard to the Postal and Electronic Communications Code ;

Having regard to decree no. 2019-536 of 29 May 2019 taken for the application of law no. 78-17 of 6 January 1978 relating to information technology, files and freedoms;

Having regard to deliberation no. 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Information Technology and Civil Liberties;

Having regard to Order No. 2020-306 of 25 March 2020 relating to the extension of time limits during the period of health emergency ;

Having regard to referrals Nos. 18011774, 18013824, 18018909, 18019816, 18022931, 18023308, 18023417, 18024794, 19000325, 19001602, 19001627, 19002040, 19002339, 19004654 and 19006872;

Having regard to decisions No. 2019-081C of April 24, 2019 and No. 2019-102C of June 6, 2019 of the President of the Commission Nationale de l'Informatique et des Libertés to instruct the Secretary General to carry out or have carried out a mission to verify the processing implemented by this body or on behalf of the company CARREFOUR and its subsidiaries, and in particular the companies CARREFOUR FRANCE, CARREFOUR SYSTEMS D'INFORMATION, OOSHOP, CARREFOUR SERVICE CLIENTS and CARREFOUR HYPERMARCHÉS ;

Having regard to the comments sent to the Commission by CARREFOUR on December 5, 2019;

Having regard to the decision of the President of the National Commission for Data Processing and Liberties appointing a rapporteur before the restricted formation, dated December 10, 2019 ;

Having regard to the report of Mr. Éric PÉRÈS, commissioner-rapporteur, notified to the company CARREFOUR FRANCE on January 10, 2020;

Having regard to the written observations made by the Board of CARREFOUR FRANCE on March 10, 2020;

Having regard to the rapporteur's response to these observations notified by e-mail on April 22, 2020 to the board of the company ;

Considering the written observations of the board of CARREFOUR FRANCE received on August 24, 2020;

Having regard to the additional comments received on 15 September 2020;

Having regard to the oral observations made at the hearing of the restricted formation;

Having regard to the other documents in the file;

Were present at the hearing of the restricted formation of September 17, 2020:

- Mr. Éric PÉRÈS, Commissioner, heard in his report;

As representatives of the company CARREFOUR FRANCE:

- […] ;

- […] ;

- […] ;

- […] ;

- […] ;

- […].

The company CARREFOUR FRANCE having had the last word ;

The restricted formation adopted the following decision:

I. Facts and procedure

1. CARREFOUR FRANCE (hereinafter the Company) is a subsidiary of the CARREFOUR Group (hereinafter the Group), located at 93 avenue de Paris in Massy (91300), which is active in a number of areas. Its main activity is mass retail, but the Group has diversified its activities, for example by operating in the banking and insurance sectors, as well as as a travel agency and an online retailer.

2. In 2019, the CARREFOUR group employed around 360,000 people, had a turnover of around 80 billion euros and an adjusted net profit, group share, of 905 million euros, up from 2018 (804 million euros). In 2019, CARREFOUR FRANCE generated sales of approximately 14 million euros, with a net loss of approximately 1.6 billion euros.

3. The CARREFOUR Group is notably made up of the parent company CARREFOUR SA, which owns 99.61% of CARREFOUR FRANCE. The latter owns 82% of CARREFOUR HYPERMARCHÉS and 99% of CARREFOUR PROXIMITÉ FRANCE. In 2019, CARREFOUR HYPERMARCHÉS had revenues of 14.3 billion euros and CARREFOUR PROXIMITÉ FRANCE had revenues of 636 million euros.

4. For the needs of its activity, the company CARREFOUR FRANCE publishes in particular the website www.carrefour.fr (hereafter the carrefour.fr website), enabling its customers to create and access a personal space and to place orders.

5. Between June 8, 2018 and April 6, 2019, the Commission received fifteen complaints from individuals relating to the companies of the CARREFOUR group.

6. Seven of these referrals (Nos. 18018909, 18019816, 18022931, 18023308, 18023417, 19002040 and 19002339) referred to commercial prospecting even though the persons concerned had previously expressed their opposition.

7. Four of these referrals (Nos. 18011774, 18013824, 19001602 and 19006872) followed requests for the erasure of data that had not been granted.

8. Three of these referrals (Nos. 18024794, 19001627 and 19004654) followed requests for access to data that had not been granted.

9. One referral (No. 19000325) concerned the unsubscribe link in a commercial prospecting e-mail.

10. Pursuant to Decisions No. 2019-081C of April 24, 2019 and No. 2019-102C of June 6, 2019 of the President of the Commission, five inspections were carried out online or at the Company's premises:

- an online control, carried out on May 24, 2019, relating to the carrefour.fr site and the processing implemented from this site ;

- an on-site inspection, carried out on May 28, 2019, relating to the processing implemented by CARREFOUR FRANCE, in particular within the framework of the Carrefour loyalty program (hereafter the loyalty program), as well as the various databases used by the company for the management of its customers;

- an on-site audit, carried out on June 11 and 12, 2019, relating to the exercise of rights and the responses given to several complainants who have filed a claim against the company with the CNIL;

- an on-site inspection, carried out on June 26 and 27, 2019, relating more specifically to the management of personal data in the context of the loyalty program;

- an on-site inspection, carried out on July 11, 2019, relating to the security measures developed by CARREFOUR FRANCE to protect the personal data it processes and to data breaches that have occurred.

11. The purpose of these missions was to verify the company's compliance with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the Regulation or the RGPD) and Act 78-17 of January 6, 1978 as amended relating to information technology, files and liberties (hereinafter the Act of January 6, 1978 or the Information Technology and Civil Liberties Act).

12. Various exchanges have taken place by e-mail between the company and the delegation of control. These exchanges concerned the transmission of documents requested during inspections. On December 5, 2019, the Company sent written comments to the delegation of control, covering most of the points raised during the audits and announcing various actions aimed at bringing the Company into compliance.

13. In order to examine these elements, the Chairman of the Commission appointed Mr. Éric PÉRÈS as rapporteur on December 10, 2019, on the basis of Article 22 of the Law of January 6, 1978.

14. At the end of his investigation, the rapporteur had a bailiff serve on CARREFOUR FRANCE, on January 10, 2020, a report detailing the breaches of the RGPD, the French Data Protection Act and the French Post and Electronic Communications Code that he considered to be present in this case.

15. This report proposed to the restricted formation of the Commission to issue an injunction to bring the processing into compliance with the provisions of articles 5, 12, 13, 15, 17, 21, 32 and 33 of the Regulation and article 82 of the French Data Protection Act, accompanied by a penalty payment and an administrative fine. It also proposed that this decision be made public and that the company no longer be identified by name after a period of two years from its publication.

16. On January 29, 2020, the company requested a one-month extension of the deadline by which it had to respond to the report, the postponement of the meeting initially scheduled for March 24, 2020 and a meeting with the rapporteur. On February 3, the chairman of the restricted panel granted the requested one-month extension. On February 6, the Secretary General of the CNIL granted the request to postpone the session to April 21, 2020. The same day, the rapporteur refused the meeting requested by the company.

17. On March 10, 2020, through its board, the company produced observations and made a request for the meeting before the restricted panel to be held in camera.

18. By e-mail dated March 23, 2020 and on the basis of Article 40, paragraph 4, of Decree no. 2019-536 of May 29, 2019, the rapporteur asked the chairman of the restricted formation for an additional fifteen days to respond to the company's observations.

19. By letter dated March 24, 2020, noting in particular the context of the health crisis, the chairman of the restricted formation granted the rapporteur's request.

20. In a letter dated the same day, the Company was informed of the additional time period granted to the rapporteur and of the fact that, pursuant to paragraph 5 of Article 40 of Decree no. 2019-536 of May 29, 2019, it had a period of one month in which to respond to the rapporteur's reply. The letter also informed him of the postponement of the restricted session, initially scheduled for April 21, 2020.

21. By e-mail dated April 7, 2020, the rapporteur asked the chairman of the restricted session for a further fifteen days to respond to the company's comments, which was granted on April 8, 2020. The company was informed of this on the same day.

22. The rapporteur responded to the company's observations on April 22, 2020.

23. By a letter of the same day, the secretary general of the CNIL informed the company that it could transmit its observations to the rapporteur's reply until August 24, 2020 in application of the order no. 2020-306 of March 25, 2020 relating to the extension of the deadlines due during the period of health emergency.

24. On June 30, 2020, the chairman of the restricted formation granted the company's request for an in camera hearing on the grounds that certain items included in the proceedings were protected by business secrecy, as provided for in Article L151-1 of the French Commercial Code.

25. On August 5, 2020, the services of the CNIL notified the Company of a notice to attend the meeting of the restricted session of September 17, 2020.

26. On August 24 and again on September 15, the company submitted new observations in response to those of the rapporteur.

27. The company and the rapporteur presented oral observations during the restricted session.

II. Reasons for Decision

A. On the failure to comply with the obligation to keep personal data for no longer than is necessary for the purposes for which it is processed

28. Article 5-1 e) of the Regulation provides that personal data must be kept in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which the data are processed.

1. The data of customers who are members of the loyalty program and of users of the carrefour.fr website must be kept for a period not exceeding that necessary for the purposes for which they are processed.

29. On the one hand, the rapporteur criticizes the company for having set retention periods that exceed the periods necessary for the purposes of processing. On the other hand, he reproaches the company for having kept personal data for a longer period than that provided for.

30. The Company acknowledges these points, but recalls that it had decided, prior to the CNIL inspections, to reduce the retention periods for its inactive customers and that it had begun the purging operations necessary to comply with these new periods. It also indicates that it completed all these operations during the sanction procedure.

31. On the first point, the restricted session recalls that, on the day of the inspections, the company indicated that the data of loyalty customers were kept on an active basis for four years from their last activity (this could be understood, depending on the situation, as the last transaction with the loyalty card at the checkout of a store, the last online transaction, the last modification of the personal space on the company's website or the last contact with customer service).

32. It reminds that the loyalty program established by the company aims at the commercial prospecting of its members, as it emerges from the information mentions present on the membership form. The restricted session notes that the customers of the mass distribution, a fortiori those of a loyalty program, are customers who usually return regularly to the same stores. Consequently, it considers that a customer who has not traded with the company for several years should no longer be considered an active customer. By way of illustration, both the former Simplified Standard No. 48 relating to customer-prospect files and online sales and the recent draft standard on personal data processing implemented for the purpose of managing business activities recommend that the data of inactive customers be retained for a period of three years from the last contact with the Company. While this period is indicative and is not imposed as such on data controllers, the restricted session considers that it constitutes a reference for assessing an appropriate duration. In this case, it notes that this duration is already significant in the mass retail sector. While the specific features of the processing implemented by CARREFOUR FRANCE, and in particular the extensive interconnection of its databases, may justify that this three-year period is not considered excessive, the restricted session considers that it cannot be extended to the four-year period initially set by the company. Considering this purpose of commercial canvassing for loyalty processing, it considers that a four-year retention period was not strictly necessary for the purpose pursued, and therefore excessive.

33. Nevertheless, it notes that the Company had, prior to the initiation of the inspection procedures, initiated a plan to reduce this retention period to three years for all of its databases. In view of the interconnection between the Company's various databases and the operational need to set the same retention period for all its data, the three-year retention period for inactive customers appears proportionate to the purpose pursued.

34. On the second point, the restricted formation notes, firstly, that the company acknowledges a delay in the implementation of its data erasure program but emphasizes the significant efforts made since the initiation of the procedure to bring itself into compliance. The restricted formation notes that the inspection delegation identified data concerning customers who had been inactive for more than four years, including more than twenty-eight million loyalty program customers who had been inactive for five to ten years. With regard to users of the carrefour.fr website, the restricted formation emphasizes that the data of more than 750,000 users whose purchases were made between five and ten years ago, and of nearly 20,000 users whose last purchase was made more than ten years ago, were still kept.

35. The restricted formation therefore considers, in view of these elements, that a breach of Article 5-1-e) of the RGPD is constituted.

36. However, the restricted formation underlines the very significant organizational and financial means deployed by the company and notes that, on the day of the hearing, the company's practices comply with the Regulation. The company demonstrates that it has set up an automated system for deleting the data of its customers (both from the loyalty program and from the carrefour.fr site) who have been inactive for more than three years.
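An added example, not Carrefour's code and not part of the decision, of what the automated deletion described in paragraph 36 has to compute: the "last activity" date built from the four signals listed in paragraph 31, the three-year reference period discussed in paragraphs 32 and 33, and the selection of records that have exceeded it. The record layout, the use of the account creation date as a fallback for customers with no recorded activity, and the sample data are assumptions made for the illustration.

```python
"""
Added example (not Carrefour's code, nor part of the CNIL decision): a retention
purge that derives the last activity date from several event types and selects
customers inactive for more than the reference period.
Record layout, the creation-date fallback and the sample data are assumptions.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

RETENTION_YEARS = 3  # reference period the decision treats as appropriate

# The four activity signals paragraph 31 lists; None means "never happened".
ACTIVITY_FIELDS = ("last_card_tx", "last_online_tx", "last_profile_edit", "last_support_contact")

# Constructed sample records (assumption: each record also has a "created" date).
CUSTOMERS: List[Dict[str, Optional[date]]] = [
    {"id": "c1", "created": date(2015, 3, 1), "last_card_tx": date(2019, 5, 2),
     "last_online_tx": None, "last_profile_edit": date(2017, 1, 1), "last_support_contact": None},
    {"id": "c2", "created": date(2014, 3, 1), "last_card_tx": None,
     "last_online_tx": date(2016, 2, 29), "last_profile_edit": None, "last_support_contact": None},
    {"id": "c3", "created": date(2018, 6, 1), "last_card_tx": None,
     "last_online_tx": None, "last_profile_edit": None, "last_support_contact": None},
    {"id": "c4", "created": date(2010, 1, 1), "last_card_tx": None,
     "last_online_tx": None, "last_profile_edit": None, "last_support_contact": date(2017, 9, 17)},
]


def last_activity(record: Dict[str, Optional[date]]) -> date:
    """Most recent of the activity signals; falls back to account creation."""
    dates = [record[f] for f in ACTIVITY_FIELDS if record.get(f) is not None]
    dates.append(record["created"])  # assumption: creation counts as first contact
    return max(dates)


def retention_deadline(last: date, years: int = RETENTION_YEARS) -> date:
    """Date after which the record may no longer be kept (Feb 29 -> Feb 28)."""
    try:
        return last.replace(year=last.year + years)
    except ValueError:  # February 29 in a non-leap target year
        return last.replace(year=last.year + years, day=28)


def select_for_erasure(records: List[Dict[str, Optional[date]]],
                       today: date) -> List[Tuple[str, date, date]]:
    """Return (id, last_activity, deadline) for every record past its deadline.

    "Inactive for more than three years" means today is strictly after the
    deadline, so a customer whose deadline falls today is still kept.
    """
    due = []
    for rec in records:
        last = last_activity(rec)
        deadline = retention_deadline(last)
        if today > deadline:
            due.append((rec["id"], last, deadline))
    return sorted(due)


def overdue_years(records: List[Dict[str, Optional[date]]], today: date) -> Dict[str, int]:
    """Whole years each record is overdue, to size a backlog like the one in paragraph 34."""
    return {rid: (today - deadline).days // 365
            for rid, _last, deadline in select_for_erasure(records, today)}


if __name__ == "__main__":
    run_date = date(2020, 9, 17)  # date of the hearing, used as the purge date
    for row in select_for_erasure(CUSTOMERS, run_date):
        print("erase", *row)
```

The purge job is only correct if it sees every activity source the policy counts; a customer with a recent customer-service contact but no purchase is active, and leaving one feed out silently erases active customers. The leap-day branch in `retention_deadline` is the edge case such jobs usually miss.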

2. Identity documents kept in the context of the exercise of rights.

37. The rapporteur criticises the company for having kept for a period of one to six years the identity documents communicated to it by the persons concerned in the context of the exercise of a right. He considers that this period is excessive, as the data is kept beyond the time necessary to achieve the purpose for which it is processed.

38. On this point, the company points out the change in these practices since the notification of the sanction report, with identity documents being retained only for the period relating to the processing of the request in question.

39. The restricted session notes that the control delegation did indeed note that copies of applicants' national identity cards were kept by the company for a period of between one and six years.

40. It considers that, once the request has been granted, the company no longer needs to keep a copy of the applicant's identity document. The sole purpose of providing this document is to prove the identity of the person from whom the request emanates, and it is not necessary to keep it once the identity has been confirmed.

41. The restricted formation also considers that, in order to demonstrate that it has actually granted the request, the company may, as intermediate archiving for litigation purposes, retain only the letter of favorable response, an element whose retention incidentally presents a lesser risk for the person concerned.

42. It therefore considers, in light of these elements, that a breach of Article 5-1-e) of the RGPD is constituted.

43. It nevertheless highlights the changes made upon notification of the report and observes that the company's new practices are, on the day of the hearing, in compliance with the Regulation. It has in fact been shown that identity documents are now deleted as soon as the request has been granted.

B. Failure to comply with the terms and conditions for the exercise of rights

44. Article 12 of the Regulation provides, on the one hand, that the controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22, and that in the cases referred to in Article 11(2) the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject. On the other hand, it provides that where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.

45. It also provides that the controller shall provide the data subject with information on the measures taken following a request made pursuant to Articles 15 to 22 as soon as possible and in any case within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests. The controller shall inform the data subject of such extension and the reasons for the extension within one month of receipt of the request.

46. Firstly, the rapporteur noted that, except in cases of opposition to the processing of data for commercial prospecting purposes, the company systematically requested proof of identity when exercising a right.

47. The company stressed, during its exchanges with the rapporteur, that this practice was discontinued as of October 23, 2019.

48. The restricted formation notes that the company did not reserve the request for a proof of identity to cases where there was reasonable doubt as to the identity of the person, this request being systematic. It emphasizes that the presence (noted during the inspections) of proof of identity accompanying the requests, as well as the company's letters in response communicated to the CNIL by the complainants, demonstrated the existence of this practice. Indeed, the CNIL was informed of a request to this effect in the case of Messrs. [...], [...], [...], [...], [...], [...], [...], [...] and [...] and Mrs. [...] without the company having any reasonable doubts as to the identity of the person.

49. The restricted formation considers that the systematic nature of the requests for proof of identity, acknowledged by the company, is sufficient to show that these requests were not limited to situations where the company had reasonable doubts as to the identity of the natural person making the request.

50. It therefore considers, in view of these elements, that a failure to comply with article 12 of the RGPD is constituted.

51. Nevertheless, it highlights the changes made by the company and notes that the company's new practices are, on the day of the meeting, in compliance with the Regulation. It is in fact demonstrated that letters in response to requests to exercise rights no longer systematically require proof of identity.

52. Secondly, the rapporteur criticizes the company for the delay in responding to requests to exercise rights. He points out that response times vary but can be as long as nine months, without any information being communicated to the persons concerned in the meantime. He believes that these processing delays are recurrent. As an illustration, Ms. [...]'s request for deletion and objection was received on July 4, 2018. The withdrawal of her consent to advertising prospecting was entered into the database on April 15, 2019, more than nine months later. Mr. [...]'s request for access was received on November 7, 2018 and a response was provided on June 10, 2019, more than seven months later. Mr. [...]'s request for access and opposition was registered in the JIRA tool on January 10, 2019. However, it appears from the documents communicated to the CNIL by the complainant that the company acknowledged receipt of his first request as early as November 9, 2018. An answer was given to his request concerning the opposition to prospecting on June 11, 2019, i.e. more than seven months later.

53. On this point, the company acknowledges, both in its second response to the rapporteur's observations and during the restricted session, a chronic delay in the processing of applications at the time of the inspection. However, it emphasizes the particularly significant efforts made since the audit operations, the in-depth restructuring of the organization of the teams working on these issues, and the transformation of their working methods, with in particular the development of new ad hoc tools that improve the allocation and processing of requests to exercise rights, reducing their processing time and the risk of error.

54. The Panel observes that the company's organization was structurally causing a delay in the processing of applications and notes that the company indicates that this structural failure was due to a misunderstanding of the consequences of the GAR. The implementation of the DMPR increased the number of applications the company had to deal with in unexpected proportions (from one to two applications per day prior to the implementation of the DMPR to sometimes more than 75 applications per day after May 25, 2018).

55. The limited session notes that this lack of anticipation has had direct consequences for the people exercising their rights, sometimes forcing them to formalize several reminders in the face of the silence kept by society. The restricted formation therefore considers, in light of these elements, that a breach of article 12 of the RGPD has been established.

56. 56. It nevertheless underlines the profound and effective changes made by the company and notes that the company's new practices are, on the day of the meeting, in compliance with the Regulations. The company now shows an average response time to requests of less than fifteen days, sometimes even less than ten days. It also shows that no more responses have been sent out after the deadline since the change in its internal processes and the development of new tools.

C. On the failure to provide information to individuals

57. Article 12 of the GDPR provides that the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 [...] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language [...]. Articles 13 and 14 list the information that must be given to data subjects when personal data are collected directly from them and when they are obtained indirectly.

1. With regard to the accessibility of the information

58. Firstly, the rapporteur considers that the information provided was not easily accessible.

59. Firstly, with regard to the information communicated on the carrefour.fr website, he notes that the multiplicity of pages to be consulted, the links present on the various pages, and the redundancy of the information do not make it possible to consider that the information relevant to individuals is easily accessible.

60. With regard to the information communicated to people joining the loyalty program online, the rapporteur considers that the information was not easily accessible since it was included in the general terms and conditions of use of the Carrefour card.

61. Finally, with regard to the information provided to people who join the loyalty program by means of a paper form, the rapporteur notes that the information was not easily accessible either. Indeed, he notes that the form summarized the essential information and referred to the home page of the carrefour.fr website for more complete information, without giving any further details.

62. On these points, the company claims that a page dedicated to data protection was directly accessible via a hypertext link at the bottom of the page, and that it modified the information notices on its website on November 22, 2019, i.e. prior to the opening of the sanction procedure and the notification of the report. These significant changes included the merging of all the information into a single document, the retention of a page dedicated to the exercise of the various rights, and a reformulation of the information provided to make it more readable, more precise and simpler.

63. The restricted committee notes that the company has chosen to provide information at several levels, as permitted by the Regulation.

64. In this configuration, the restricted committee considers it particularly important that the information remain easily accessible, as required by Article 12 of the Regulation. The presentation of information in multiple layers increases the risk that the information will be more difficult to find. Recital 39 of the GDPR underlines that the principle of transparency requires that all information and communication relating to the processing of personal data be easily accessible, easy to understand, and formulated in clear and plain language. Recital 58 also states that the principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, formulated in clear and plain language and, additionally, where appropriate, illustrated with visual elements.

65. In this case, the restricted committee considers, on the one hand, that access to the information notices on the carrefour.fr site was difficult, since they were grouped together in article 3 of the general conditions of use of the carrefour.fr site, through which the user therefore had to navigate. The same applies to the information notices relating to the loyalty program, which appeared in article 10 of the general conditions of use of the Carrefour card.

66. These two documents were so long that the user had to scroll through a large number of pages and read several dozen paragraphs (about fifteen in the general conditions of use of the carrefour.fr website, more than seventy in the general conditions of use of the Carrefour card) before being able to find the information relating to the protection of his or her personal data. Consequently, the restricted committee considers that access to this information was not easy and that the user had to show particular determination to reach information on these issues. It recalls that information must be presented in an efficient and succinct manner in order to avoid drowning the information to be delivered among other informative content.

67. The difficulty of accessing this information was further compounded by its redundancy. Since the information relating to the protection of personal data was scattered and fragmented among several documents (general terms and conditions of use, general terms and conditions of sale, page relating to the protection of personal data, page dedicated to the exercise of rights), some information was only present on certain pages, while other information was presented several times.

68. So that the user does not have to search for the relevant information, the restricted committee considers that this information should be grouped together in a single document separate from the general conditions of use. It shares here the position developed by the G29 in the Guidelines on transparency under the Regulation, adopted in their revised version on 11 April 2018 (hereafter the Transparency Guidelines), which consider that the data subject should not have to actively search for the information covered by these Articles among other information, such as the terms and conditions of use of a website.

69. It also considers that when a data controller chooses to communicate information to data subjects at several levels, it is important not only that the second level of information details all the information relating to the processing operation, but also that the first level of information presents the essential characteristics of the processing operation. This accessibility requirement, as clarified by Recital 39 of the GDPR, is notably recalled in the Transparency Guidelines. In particular, the G29 recommends that the first level should include details of the purpose of the processing, the identity of the controller and a description of the rights of the data subjects.

70. However, the restricted committee notes that the first level of information on the carrefour.fr site, accessible from the "personal data" link, did not provide this essential information but only some general information, such as the possibility for data subjects to consult the personal data concerning them or to exercise the various rights they enjoy, or one of the purposes of the processing (the presentation of personalized offers).

71. Concerning the persons who join the loyalty program through the paper form, the restricted committee considers that, by referring these persons to the carrefour.fr site without further details, the company has not made the information easily accessible. The company should, at the very least, have specified the page or URL where this information was available. The restricted committee notes that this lack of accessibility resulting from a simple reference to the home page of the site was aggravated by the defects previously identified concerning the carrefour.fr site.

72. Secondly, the rapporteur considers that the information provided was not written in clear and simple terms.

73. He considers that all of the information notices (in the general conditions of use of the carrefour.fr site, the paper forms for joining the loyalty program and the forms for joining the same program via the customer area of the carrefour.fr site) used imprecise and unclear terms and were not easily understandable because of their layout.

74. On this point, the company highlights the significant changes made to the information notices prior to the opening of the sanction procedure. It indicates that, as of November 2019, it has put online a specific information page on the protection of personal data, separate from the general terms of use, accessible directly from the home page by a hypertext link.

75. The restricted committee notes that the information notices on the carrefour.fr website (both in the general terms and conditions of use and in the process of joining the loyalty program) and on the paper registration forms contained, at the time of the audit on May 24, 2019, unclear, ambiguous or imprecise wording. The almost systematic use, in particular in the general conditions of use of the carrefour.fr website and the loyalty program, of terms such as "these processing operations include, in particular", "for one or more of the following reasons" or "your data may be used" does not allow the persons concerned to fully understand the processing operations implemented. In the same way, formulas such as "you also have a right to obtain the limitation of a processing and a right to the portability of the data that you may have provided, which will apply in certain cases" (general conditions of use of the Carrefour card) do not provide complete information to the persons concerned, since the latter cannot understand, upon reading them, the situations in which these rights are open to them and the terms and conditions for enforcing them.

76. The general conditions of use of the carrefour.fr site and the loyalty program included, in the majority of cases, only examples relating to the data collected ("we may possibly have data from open data"), the operations carried out or the purposes pursued ("your data may be subject to processing for one or more of the following reasons"), or general and evasive formulations. However, the restricted committee recalls that Recital 39 of the GDPR stresses the importance of the principle of transparency, stating that individuals should be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data and of how to exercise their rights in relation to such processing. The restricted committee recalls that the information provided is of paramount importance, since its compliance is a condition for the validity of the individual's commitment and willingness to allow the processing of personal data by a particular controller. The data subject should be able, on reading the information communicated to him or her, to understand the general scope of the processing, which was not the case here.

77. The formulations used, often unnecessarily complicated, made the reading of the information notices particularly tedious, even for an informed person. For example, a sentence such as "you may ask to exercise your right to object, for reasons relating to your particular situation, to a processing of personal data concerning you when the processing is based on the legitimate interest of the data controller, including profiling", taken from the general conditions of the carrefour.fr site, does not allow a lay user to understand the existence, the scope, or the conditions for exercising his or her right to object. The same applies, as regards the recipients of the data, to the sentence "your data may be transmitted to all or part of the following recipients: [...] partner brands, but in this case the latter have no direct or indirect access to data concerning you and only data related to your profile without it being possible to identify you directly or indirectly, to companies of the Carrefour group for the above-mentioned purposes".

78. The restricted committee recalls that the information presented was intended for all users of the company's services, who may have very diverse profiles. The company should have adopted a style that could be understood by as many people as possible. The restricted committee considers that this was not the case here.

79. In general, the restricted committee recalls that information notices should be drafted, as far as possible, using simple vocabulary, short sentences and a direct style, while avoiding legal or technical terms, abstract or ambiguous terms and formulas such as "we could use your data", "a possible use of your data", "some data concerning you are used", etc. The restricted committee considers that the company should have adopted a style that would allow it to be understood by as many people as possible.

80. Moreover, the restricted committee notes that, despite the very large amount of information communicated, it was neither prioritized nor ordered. The information took the form of a long list of the various points of the Regulation. It considers that such a presentation does not allow the persons concerned to easily find the information they are looking for, forcing them to read all the information notices. The restricted committee is therefore of the view that the format used did not meet the accessibility requirement of Article 12 of the Regulation, as clarified by the Transparency Guidelines already cited.

81. The restricted committee notes that Articles 12 and 13 of the Regulation, read together, require the data controller to ensure that the information provided is both complete and easily understandable. This balance may be difficult to achieve when, as in the present case, the data processed, the purposes pursued and the retention periods are numerous and different. Nevertheless, the restricted committee considers that the quality of the information provided is central to the decision of data subjects to enter into a commercial relationship. In this respect, the restricted committee considers that the company should have paid particular attention to the information communicated and should have achieved, even before the inspections were carried out, a result that was more readable for individuals.

2. With regard to the content of the information

82. The rapporteur considers that the information communicated to individuals is incomplete in several respects.

83. Firstly, he states that the data controller is not correctly identified on the carrefour.fr website.

84. Secondly, the rapporteur points out that the legal basis of the processing operations is not indicated, since the company merely states that personal data may be processed on the basis of the user's consent, the performance of the contract or the legitimate interest of the controller, without further clarification.

85. Thirdly, the rapporteur considers that the information on the countries to which the data may be transferred is not complete, as the guarantees surrounding the transfer are not specified, nor is the means of obtaining a copy of these guarantees.

86. Fourthly, he considers that individuals are not informed, in respect of all their data, of the length of time for which it may be retained.

87. On all of these points, the company has indicated that it made changes, before and after the notification of the report, to bring them into compliance. It stated that, on the day of the audits, it provided full information on several points, including the contact details of its data protection officer, the recipients of the data and the existence of rights. On the points on which it acknowledges the inadequacy of the information it provided, it states that it has modified its information in accordance with the rapporteur's requests during the procedure, in particular as regards the identity of the controller, the purposes and legal basis of the processing operations carried out, the storage periods and the transfer of personal data outside the European Union.

88. On the first point, it emerges from the findings of the inspection delegation that the company CARREFOUR HYPERMARCHÉS was indicated as being responsible for the processing implemented through the carrefour.fr website. The companies CARREFOUR HYPERMARCHÉS, CARREFOUR SUPERMARCHÉS FRANCE, CARREFOUR PROXIMITÉ FRANCE, CARREFOUR DRIVE and OOSHOP were designated in the information notices as joint controllers for the loyalty program.

89. The restricted committee considers, on the first point, that responsibility for the processing implemented from the carrefour.fr site lies with the company CARREFOUR FRANCE, which alone determines the commercial policy common to all store formats in France. This interpretation is consistent with the analysis of the company CARREFOUR FRANCE, which also considers itself to be the controller, as it indicated to the inspection delegation on May 28, 2019.

90. Consequently, the restricted committee considers that the information given on the carrefour.fr site and in the general conditions of use of the Carrefour card was erroneous.

91. On the second point, the restricted committee recalls that the persons concerned must be informed of the legal basis of the processing operation(s) implemented. This requirement cannot be satisfied by a mere reference to the existing legal bases when several processing operations are implemented. In this case, the persons concerned were in fact not informed of the legal basis applicable to each of the processing operations carried out.

92. The restricted committee considers that the indication of the legal basis applicable to each processing operation is of particular importance. On the one hand, it allows the data subject to have an overall appreciation of the processing carried out, in particular its origin. The data subject must therefore be able to know whether the data are processed on the basis of the consent he or she has given (and could therefore withdraw), on the basis of a contract he or she has entered into with the data controller, on the basis of a legal obligation on the part of the latter, or on the basis of the latter's legitimate interest. On the other hand, and most importantly, the applicable legal basis may have direct consequences on the rights of individuals. For example, Article 20 of the GDPR provides that the right to data portability applies when the processing is based on consent. Therefore, the company was obliged to specify the legal basis applicable to each processing operation carried out.

93. In the absence of such details, the restricted committee considers that the information given on the carrefour.fr site was incomplete.

94. On the third point, the restricted committee emphasizes that Article 13 of the Regulation requires, in point 1(f), that the controller inform the data subject of "the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available".

95. The restricted committee notes that this information was not communicated to the persons concerned at the time of the findings made by the inspection delegation. The restricted committee considers that the information provided on the carrefour.fr website was incomplete.

96. On the fourth point, the restricted committee notes that Article 13(2)(a) of the Regulation requires that persons be informed of the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period. The Transparency Guidelines, clarifying the provisions of Article 13, specify that the retention period (or the criteria for determining it) [...] should be formulated in such a way that the data subject can assess [...] what the retention period will be for specific data or for specific purposes. The restricted committee notes that the information notices did not indicate the retention periods (or the criteria used to establish them) systematically for all data or purposes, such as browsing data or data relating to purchases made. As a result, individuals were unable to estimate, for much of their data, the retention periods set by the data controller.

97. In the absence of such details, the restricted committee considers that the information given on the carrefour.fr site was incomplete.

98. It emerges from all of these elements that the information communicated to individuals through the carrefour.fr site and through the paper membership forms for the loyalty program was not easily accessible and was incomplete. The restricted committee therefore considers that a breach of Articles 12 and 13 of the GDPR has been established.

99. It nevertheless underlines the important compliance work carried out by the company with regard to the information notices on its website and on its paper forms. It notes that the company's new practices were, on the day of the session, in compliance with the Regulation. The company now provides clear, transparent, easily accessible and complete information on all its media.

D. On the breach relating to the right of access

100. Article 15 of the GDPR provides that data subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, as well as certain information, including any available information as to the source of the data where the data are not collected from the data subject (Article 15(1)(g)).

101. In referral no. 19001627 of January 21, 2019, Mr [...] explained that on November 8, 2018, he had received a commercial prospecting e-mail without ever having communicated his contact details to the CARREFOUR group. He stated that he had requested the same day the origin of the personal data concerning him held by the company. On November 15, 2018, the company replied asking for a copy of the complainant's identity document, which was communicated to the data controller on November 21. Mr. [...] explained that, despite several reminders on January 4 and 18, 2019, no response was given to his request, only his objection to receiving prospecting having been taken into account.

102. It appears from the findings made on June 12, 2019 that this complainant was a former customer of the company OOSHOP, whose site was subsequently integrated into the site carrefour.fr.

103. The company CARREFOUR FRANCE acknowledges that it did not initially communicate to the complainant the origin of the data it held concerning him, considering that it processed this personal data in the context of a direct, and not indirect, collection, and that the origin of the data is among the information that must be communicated under Article 15 of the Regulation only in the case of indirect collection of personal data.

104. On this point, the restricted committee notes that the complainant had previously created an account on the ooshop website. It was on this occasion that the personal data concerning him were collected by the company OOSHOP. The restricted committee considers that the subsequent merger of the ooshop website into the carrefour.fr website does not give the company CARREFOUR FRANCE the status of initial collector of the personal data. Indeed, the personal data were transmitted to the company CARREFOUR FRANCE by the company OOSHOP, which corresponds to a case of indirect collection, the data not having been collected by CARREFOUR FRANCE from the person concerned. Consequently, the restricted committee considers that CARREFOUR FRANCE was obliged to inform the complainant of the origin of the data in the context of his request for access, in accordance with Article 15(1)(g) of the GDPR.

105. The restricted committee recalls that the fact that the complainant had been informed of the merger between the ooshop site and the carrefour.fr site prior to his request to the company did not exempt the data controller from its obligation to inform the complainant of the origin of the data, as requested by the complainant in the context of the exercise of his rights.

106. It follows from these elements that a breach of Article 15 of the Regulation has been established.

107. However, the restricted committee emphasizes that the company granted the complainant's request on June 19, 2019, after the audit was carried out but before the initiation of the sanction procedure, and that the breach was therefore no longer constituted on the day of the session.

E. On the breach relating to the right to erasure

108. Article 17 of the Regulation defines the conditions under which data subjects are entitled to have their personal data erased. Article 17(1)(c), in particular, provides for this right when the data are no longer necessary for the purposes of the processing or when the person objects to processing carried out for prospecting purposes.

109. The Commission has received several complaints concerning the difficulties encountered in the exercise of this right.

110. By referral no. 18011774 of June 8, 2018, Mr. [...] referred the matter to the CNIL, explaining that he had requested the deletion of his data without obtaining a favorable response to his request, which concerned in particular the deletion of his e-mail address, used by the company for commercial prospecting purposes.

111. The findings made during the audit of June 12, 2019 revealed the presence of the complainant's e-mail address in the company's databases.

112. In defence, the company explained that the e-mail address serves as an entry key to the database in question and therefore cannot be deleted. It further stated that the situation did not result in any prejudice to the complainant, as his opposition to the prospecting had been taken into account.

113. The restricted committee first of all emphasizes that Mr. [...]'s request for erasure of May 28, 2018 was broad and explicit: "I ask you to delete all data you may have on me. These data will be attached to the email address [...]@[...].com".

114. The restricted committee notes that the company chose to use as the entry key to its database the e-mail addresses of individuals, which are personal data. This purely practical decision, without the retention of the data in question being justified by any legitimate purpose in light of the elements of the file, cannot exempt it from its obligations with regard to the exercise of rights. The restricted committee considers that Mr. [...] could legitimately, on the basis of Article 17(1)(c) of the Regulation, require the erasure of his data used for commercial prospecting purposes, and it was therefore up to the company to grant this request and to organize its database in a way that did not infringe this right. In the present case, the restricted committee notes that the company did not comply with its obligations under Article 17 of the Regulation.

115. The restricted committee nevertheless observes that the company modified the architecture of its databases after the notification of the sanction report. The new mode of operation no longer uses personal data as the entry key to the database, and the request made by Mr [...] was granted.
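The keying problem described in paragraphs 114 and 115, as an added illustration that is not Carrefour's schema or code: the first constructed schema uses the e-mail address as the key that other tables reference (the loyalty-card table and the sample customer are assumptions), so an erasure request degrades to an opt-out flag, while the second uses an opaque surrogate identifier so that the personal data can actually be deleted and a final scan confirms the address is gone.

```python
import sqlite3

SAMPLE_EMAIL = "alice@example.com"  # constructed sample customer, not real data


def build_email_keyed_db():
    """Constructed 'before' schema: the e-mail address is the primary key and
    other tables reference it directly (assumed layout, not Carrefour's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce referential integrity
    conn.executescript("""
        CREATE TABLE customers (
            email               TEXT PRIMARY KEY,
            full_name           TEXT,
            prospecting_opt_out INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE loyalty_cards (
            card_no TEXT PRIMARY KEY,
            email   TEXT NOT NULL REFERENCES customers(email)
        );
        INSERT INTO customers VALUES ('alice@example.com', 'Alice Martin', 0);
        INSERT INTO loyalty_cards VALUES ('CARD-0001', 'alice@example.com');
    """)
    return conn


def erase_email_keyed(conn, email):
    """Handle an erasure request on the e-mail-keyed schema.
    Returns True if the personal data were actually removed, False if the
    database design blocked the deletion and the request degraded to an
    opt-out flag (the behaviour the decision criticizes)."""
    try:
        with conn:
            conn.execute("DELETE FROM customers WHERE email = ?", (email,))
        return True
    except sqlite3.IntegrityError:
        # The address is the key that other rows hang off, so deleting it
        # fails; all that is left is to record the objection to prospecting.
        with conn:
            conn.execute(
                "UPDATE customers SET prospecting_opt_out = 1 WHERE email = ?",
                (email,),
            )
        return False


def build_surrogate_keyed_db():
    """Constructed 'after' schema: an opaque integer is the key, the e-mail is
    just an attribute, and dependent rows are removed with the customer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE customers (
            id                  INTEGER PRIMARY KEY,
            email               TEXT UNIQUE,
            full_name           TEXT,
            prospecting_opt_out INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE loyalty_cards (
            card_no     TEXT PRIMARY KEY,
            customer_id INTEGER NOT NULL
                        REFERENCES customers(id) ON DELETE CASCADE
        );
        INSERT INTO customers VALUES (1, 'alice@example.com', 'Alice Martin', 0);
        INSERT INTO loyalty_cards VALUES ('CARD-0001', 1);
    """)
    return conn


def erase_surrogate_keyed(conn, email):
    """Erase a customer by e-mail on the surrogate-keyed schema.
    Returns True when exactly one customer row (and, by cascade, the rows
    that referenced it) was deleted."""
    with conn:
        cur = conn.execute("DELETE FROM customers WHERE email = ?", (email,))
    return cur.rowcount == 1


def email_still_stored(conn, email):
    """Verification step: scan every column of every table for the address.
    An erasure request is only honoured if this returns False afterwards."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for col in conn.execute(f'PRAGMA table_info("{table}")'):
            column = col[1]
            hit = conn.execute(
                f'SELECT 1 FROM "{table}" WHERE "{column}" = ? LIMIT 1',
                (email,),
            ).fetchone()
            if hit is not None:
                return True
    return False
```

Running `erase_email_keyed` on the first schema returns False and the address remains findable; on the second schema `erase_surrogate_keyed` returns True and the scan no longer finds it.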

116. By referral no. 18013824 of July 7, 2018, Mrs. [...] referred the matter to the CNIL, explaining that she had asked the company to delete all personal data concerning her without obtaining a favorable response to her request.

117. The findings made during the audit revealed the presence of the complainant's surname, first name, date of birth and cell phone number in the company's databases.

118. In defence, the company explained that the presence of these data was the result of a one-time error and that it had not led to any consequences for the complainant, as her opposition to receiving commercial prospecting had been taken into account.

119. The restricted committee considers that Ms. [...] could legitimately, on the basis of Article 17(1)(c) of the Regulation, require the erasure of her data used for commercial prospecting purposes. This constitutes a breach of Article 17 of the Regulation.

120. The restricted committee notes, however, that the company granted Ms. [...]'s request on May 12, 2020.

121. By referral no. 19001602 of January 19, 2019, Mr. [...] referred the matter to the CNIL, explaining that he had twice requested the deletion of his data and nevertheless continued to receive commercial prospecting.

122. The findings made during the audit revealed the presence of the complainant's surname, first name, date of birth and postal and e-mail addresses in the company's databases.

123. The company explains that the data collected was not included in a database used for commercial prospecting. It argues that, in the event of an objection to the prospecting, it grants the request but does not erase the data from the databases that are not dedicated to prospecting.

124. The restricted committee notes that Mr. [...]'s request [...], concerning the cessation of commercial prospecting and the erasure of data, was unambiguous. In a first e-mail addressed to the company, the complainant explained: "I wish to obtain the closure of my account; thus, in accordance with Articles 38 et seq. of the amended Law on Information Technology and Civil Liberties of January 6, 1978, I would ask you to delete all my personal data attached to this account". In a second letter, he specified: "Thus, I reiterate my request: pursuant to Articles 21.1 and 17.1.c of the General Data Protection Regulation (RGPD), I would ask you to delete my personal data on the following sites: carrefour.fr and courses-en-ligne.carrefour.fr". Mr. [...] being entitled to request such erasure on the basis of Article 17(1)(c), it was up to the company, unless it could justify retaining the data for a legitimate purpose, to grant this request. A breach of Article 17 of the Regulation is therefore constituted.

125. The restricted committee nevertheless notes that, while contesting the rapporteur's assessment, the company granted Mr. [...]'s request and erased all data concerning him.

126. By referral no. 19006872 of April 6, 2019, Mr. [...] referred the matter to the CNIL, explaining that he had asked the company to erase his postal address without obtaining a favorable response to his request.

127. The findings made during the audit revealed the presence of the name, first name, date of birth, fixed and mobile telephone numbers and postal and electronic addresses of the complainant in the company's databases.

128. The company explains that the presence of the complainant's postal address was the result of a one-off error and had no consequences, as his objection to receiving commercial canvassing had been taken into account.

129. The restricted session considers that Mr. [...] could legitimately, on the basis of Article 17-1 c) of the Regulation, require the erasure of his data. A breach of Article 17 of the Regulation is therefore constituted.

130. The restricted session nevertheless notes that the Company rectified its error as soon as it was informed of it, following the audit carried out on June 11, 2019.

131. In conclusion, the restricted session considers that, although certain personal data of customers may be retained following a request for deletion, in particular in accordance with legal obligations, for evidentiary purposes or where the company has a compelling legitimate reason, personal data that are not necessary for compliance with these other obligations or purposes must be deleted once this right is exercised, as soon as the conditions laid down in Article 17 of the GDPR are met. It notes in this respect that this was the case for the processing carried out for prospecting purposes and that it does not appear from the elements of the procedure that the retention of the data in question was legitimate on any other basis.

132. Moreover, the restricted session recalls that the data controller is obliged to contact the data subject when it considers that a request it receives does not contain all the elements that would enable it to carry out the operations requested (Article 142 of Decree no. 2019-536 of May 29, 2019 implementing Law no. 78-17 of January 6, 1978 relating to data processing, data files and liberties, formerly Article 94 of Decree no. 2005-1309 of October 20, 2005). Consequently, the restricted session considers that if CARREFOUR FRANCE considered that the requests for erasure were too broad, that it could not grant them on the basis of an overriding legitimate interest, or that erasure was not possible on the basis of Article 17 of the RGPD, it was incumbent on it to contact the persons concerned, which it did not do in this case.

133. Consequently, in each of the above-mentioned cases, the company did not comply with its obligations under Article 17 of the Regulation and a breach is characterized.
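The handling that paragraphs 131 and 132 describe, written out in Python as an added example (this is not part of the decision and not the company's own code): a request that cannot be matched to an account is sent back to the requester rather than dropped, and, on erasure, only the fields covered by a retention ground that is still in force are kept, each with its basis recorded, while everything else, prospecting data included, is deleted. The function names `triage_request`, `handle_erasure_request` and `purge_from_prospecting`, the record layout, the retention grounds and their expiry dates are all constructed assumptions for the example.

```python
"""Added example, not code from the CNIL decision or from Carrefour: handling an
Article 17 erasure request so that only data covered by a still-valid retention
ground is kept (paragraph 131) and incomplete requests go back to the requester
instead of being silently dropped (paragraph 132). Record, rules and field names
are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class RetentionRule:
    fields: Tuple[str, ...]   # record fields this rule allows the company to keep
    basis: str                # ground for keeping them, e.g. a legal obligation
    keep_until: date          # the ground lapses after this date


def triage_request(request: Dict[str, str]) -> str:
    """Paragraph 132: a request that cannot be matched to an account must be
    answered with a question to the requester, not ignored or refused."""
    if not request.get("account_id") and not request.get("email"):
        return "contact_requester"   # ask for the element needed to find the account
    return "process"


def handle_erasure_request(
    record: Dict[str, object], rules: List[RetentionRule], today: date
) -> Tuple[Dict[str, object], Dict[str, str], List[str]]:
    """Return (remaining record, kept field -> basis, erased fields).
    A field survives only while some rule naming it is still in force; an
    expired ground keeps nothing, and fields no rule covers are erased."""
    remaining: Dict[str, object] = {}
    kept: Dict[str, str] = {}
    erased: List[str] = []
    for name, value in record.items():
        rule = next((r for r in rules if name in r.fields and r.keep_until >= today), None)
        if rule is None:
            erased.append(name)
        else:
            remaining[name] = value
            kept[name] = rule.basis
    return remaining, kept, erased


def purge_from_prospecting(prospecting_db: Dict[str, List[str]], account_id: str) -> int:
    """Remove the account from every prospecting list; returns how many lists held it."""
    hits = 0
    for members in prospecting_db.values():
        if account_id in members:
            members.remove(account_id)
            hits += 1
    return hits


# Constructed sample data.
SAMPLE_RECORD = {
    "account_id": "C-0001",
    "name": "Example Customer",
    "email": "customer@example.com",
    "postal_address": "1 Example Street",
    "invoices": ["INV-2019-0042"],
    "marketing_profile": {"segment": "families"},
}
SAMPLE_RULES = [
    # Assumption: invoices and the identity they are issued to are kept under an
    # accounting obligation until a fixed date.
    RetentionRule(("invoices", "name", "account_id"), "legal obligation (accounting)", date(2029, 12, 31)),
    # An expired ground must not keep anything.
    RetentionRule(("postal_address",), "evidence (delivery dispute)", date(2019, 12, 31)),
]
```

Run against `SAMPLE_RECORD` on a 2020 date, the second rule has lapsed, so the postal address is erased together with the e-mail address and the marketing profile, and the kept fields carry the accounting basis that justifies them.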

F. On the breach relating to the right to object to the processing of personal data for commercial prospecting purposes

134. The second paragraph of Article 21 of the Regulation provides that where personal data are processed for the purposes of canvassing, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such purposes.

135. By referral no. 18019816 of October 1, 2018, Mr. [...] referred the matter to the CNIL, explaining that he had continued to receive advertising SMS messages from the company despite having previously expressed his opposition to the processing of his personal data for commercial prospecting purposes.

136. The findings made during the audit of June 11, 2019 showed that the complainant's opposition had not been transcribed into the company's databases, thus making it impossible to take it into account.

137. The company explains that this one-off error is due to a shortcoming on the part of its service provider, which had not forwarded the objection in question to it.

138. The restricted session notes that it appears from the findings of the audit, as well as from the documents communicated by the company, that the service provider [...] forwards to the company the objections expressed by individuals on an ongoing basis (au fil de l'eau). These transmissions are also compiled in a monthly mailing, which is the only one the company takes into account in order to transcribe the objections into a database, as it indicated during the procedure. It appears from the documents provided by the company during the proceedings that Mr. [...]'s objection had not been transmitted in a mailing compiled on the day of the audit, June 11, 2019. However, the restricted session emphasizes that the company had received this objection through the ongoing transmission and that it should therefore have stopped all commercial prospecting towards the complainant. In any event, the delegation noted that this objection had not been taken into account on the day of the inspection.

139. Consequently, a breach of Article 21 of the Regulation is constituted.

140. The restricted session nevertheless notes that this error was corrected by the company during the audit carried out on June 11, 2019. It emphasizes above all that the Company has deployed significant resources to review in depth the impact of the objections expressed by SMS in its databases in the context of the present proceedings. It notes that objections are now received directly, processed and transcribed into the database, ensuring better respect of rights.

141. By referral No. 18023308 of November 22, 2018, Mr. [...] referred the matter to the CNIL, explaining that he continued to receive advertising SMS messages from the company despite several oppositions previously expressed.

142. The findings made during the audit found that the complainant's opposition had not been transcribed in the company's databases.

143. The company explains that this absence of transcription was due to internal human error.

144. Accordingly, the restricted session considers that the company did not comply with its obligations under Article 21 of the Regulation.

145. It notes, however, that the complainant's opposition was taken into account and transcribed into the database during the audit carried out on June 11, 2019.

146. In conclusion on these breaches, the restricted session considers that in each of the above-mentioned cases, the company did not comply with its obligations under Article 21 of the Regulation and that a breach was characterised on the day of the inspection since, although it had offered the persons concerned a means of exercising their right of opposition, this was not systematically taken into account. However, it emphasizes that all of the complaints were handled by the company in the course of the procedure, either immediately during the inspections or following its discussions with the rapporteur.

G. On the breach of the right to object to electronic prospecting

147. The first paragraph of Article L34-5 of the French Post and Electronic Communications Code provides that "direct canvassing by means of an automated electronic communications system within the meaning of Article L. 32 (6), a fax machine or electronic mail using the contact details of a natural person, subscriber or user, who has not previously expressed his consent to receive direct canvassing by this means, is prohibited". However, the fourth paragraph of the same article sets out an exception to this principle of prohibition "if the recipient's contact details have been collected from him, in compliance with the provisions of Law No. 78-17 of 6 January 1978 relating to data processing, data files and liberties, on the occasion of a sale or provision of services, if the direct canvassing concerns similar products or services provided by the same natural or legal person, and if the addressee is offered, in an express and unambiguous manner, the possibility to object, free of charge, except for costs related to the transmission of the refusal, and in a simple manner, to the use of his contact details at the time they are collected and each time a canvassing e-mail is sent to him, in case he has not immediately refused such use".

148. By referral no. 19000325 of January 4, 2019, Mr. [...] referred the matter to the CNIL, explaining that he had received a commercial canvassing e-mail that did not allow him to object to it. Indeed, in order to object, the unsubscribe link in the mailing redirected him to a login page for a customer account. However, the complainant did not have such an account and therefore could not object to the commercial prospecting.

149. The rapporteur considers that the company failed to fulfil its obligations under Article L.34-5 of the French Post and Electronic Communications Code since it did not systematically offer the recipients of its canvassing e-mails a simple and effective means of unsubscribing from the e-mails in question.

150. The company acknowledges this error but considers that a breach cannot be characterized on the basis of this single occurrence.

151. It appears from the explanations provided by the company during the audit carried out on July 11, 2019 that such an error did indeed occur in a prospecting e-mail sent to more than 350,000 people. The company indicates that the unsubscribe link included in the prospecting e-mail referred to the personal space of the carrefour.fr site allowing people with a customer account to unsubscribe. By mistake, people without a customer account were targeted by this prospecting campaign. When these people clicked on the unsubscription link, they were asked, in order to unsubscribe, to connect to a customer account they did not have.

152. The company explains that it immediately spotted the error because it had received a large number of complaints from customers who could not properly exercise their rights. It therefore claims that this error occurred only once, since it has not received any other similar complaints.

153. The restricted session considers that persons without a customer account could not simply object to the use of their personal data for commercial prospecting purposes. Consequently, a breach of Article L.34-5 of the French Postal and Electronic Communications Code is constituted when no means of opposing prospecting by electronic means has been offered to these persons.

154. The restricted session nevertheless points out that the company has set up a unique unsubscription link that does not require a customer account to unsubscribe. It therefore believes that the company has implemented the necessary measures to ensure that the rights of individuals are respected in the future.

H. On the breach relating to the security of personal data

155. Article 32 of the RGPD provides that the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

156. The rapporteur criticises the company for not having put in place the necessary measures to protect the personal data it processes after becoming aware of the existence of a vulnerability on its website.

157. It emerges from the company's statements made during the audit of July 11, 2019 that, when a purchase is made on the carrefour.fr website, an invoice is made available to the customer in his personal space after delivery of the order or collection in the store. This invoice is accessible through a fixed URL. Any person holding this address can access the invoice without needing to authenticate and log in to his customer area.

158. The company identified this technical vulnerability on November 16, 2018 and recorded it in the security incident log under number 415342. To address this vulnerability, the company decided to develop two measures: the addition of a random character string to the address and a mandatory prior authentication mechanism. The first measure, by increasing the number of potential URLs, was intended to reduce the risk of addresses being deduced incrementally to access invoices. The second measure completely prevented access to the invoices by anyone other than the person concerned.

159. The first measure was implemented very quickly by the company. On the day of the audit, almost eight months after the vulnerability was discovered, the second measure had still not been deployed, and anyone holding the URL could still access the invoice.

160. On this point, the Company states that, on the day of the audit, it had already deployed a sufficient first measure that significantly reduced the risk of access to documents, and that the second measure was in the process of being deployed.

161. The restricted session considers that the addition of a random character string alone is not sufficient to prevent undue access to the personal data of third parties. This measure reduces the risk but does not eliminate it, as access remains possible. It recalls that the French National Agency for the Security of Information Systems (ANSSI) has been warning of this vulnerability linked to URL addresses since 2013, even in the case of URLs composed of several dozen perfectly random characters (Recommendations for the Security of Websites, 13 August 2013, p. 16). The restricted session emphasizes that the company had identified the appropriate measure to be implemented as early as November 2018, since it had planned, as of that date, the deployment of mandatory prior authentication.

162. Accordingly, the restricted session considers that the failure to implement mandatory prior authentication following the discovery of the vulnerability, when this measure had been identified and is the only measure that completely removes the risk, constitutes a breach of Article 32 of the Regulation.

163. The restricted session notes, however, that the company implemented mandatory authentication on July 17, 2019.
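The three states of the invoice endpoint described in paragraphs 157 to 163, modelled in Python as an added example (this is not code from the decision or from the operator of carrefour.fr): a predictable reference alone, the reference extended with a random string, and mandatory authentication with an ownership check. The `InvoiceStore` and `Request` types, the `/invoice/...` path layout and the in-memory session are assumptions made for the example; the point it shows is the one in paragraph 161, that the random string lowers the chance of guessing but the invoice is still served to whoever holds the link, while only the ownership check refuses every request that is not the owner's own.

```python
"""Added example, not code from the CNIL decision or from the site operator:
three ways of exposing a customer invoice by URL, following paragraphs 157-162.
The store, the request object, the path layout and the in-memory "session" are
assumptions made for the example.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Invoice:
    number: int    # sequential, hence predictable
    owner: str     # account that placed the order
    token: str     # random part of the URL used by the second policy
    body: str


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None   # None: nobody is logged in


def _number(segment: str) -> Optional[int]:
    try:
        return int(segment)
    except ValueError:
        return None


class InvoiceStore:
    def __init__(self) -> None:
        self._by_number: Dict[int, Invoice] = {}

    def create(self, owner: str, body: str) -> Invoice:
        inv = Invoice(len(self._by_number) + 1, owner, secrets.token_urlsafe(32), body)
        self._by_number[inv.number] = inv
        return inv

    # Policy 1 (the state found in November 2018): /invoice/<number>
    # Whoever knows or guesses the number reads the invoice, no login needed.
    def serve_fixed_url(self, req: Request) -> Tuple[int, str]:
        inv = self._by_number.get(_number(req.path.rsplit("/", 1)[-1]))
        return (200, inv.body) if inv else (404, "")

    # Policy 2 (the first measure): /invoice/<number>/<random token>
    # Guessing is no longer practical, but the invoice is still served to
    # anyone who holds the link (forwarded mail, proxy logs, browser history).
    def serve_random_url(self, req: Request) -> Tuple[int, str]:
        parts = req.path.rsplit("/", 2)
        if len(parts) != 3 or not parts[2].isascii():
            return (404, "")
        inv = self._by_number.get(_number(parts[1]))
        if inv is None or not hmac.compare_digest(inv.token, parts[2]):
            return (404, "")
        return (200, inv.body)

    # Policy 3 (the second measure): login required, and the invoice must
    # belong to the logged-in account. The only policy that removes the risk.
    def serve_authenticated(self, req: Request) -> Tuple[int, str]:
        if req.session_user is None:
            return (401, "")
        inv = self._by_number.get(_number(req.path.rsplit("/", 1)[-1]))
        if inv is None or inv.owner != req.session_user:
            return (404, "")   # same answer for "no such invoice" and "not yours"
        return (200, inv.body)
```

The check a reviewer would run against each policy is whether an unauthenticated request that carries the URL still gets a 200: under the first two policies it does, under the third only the owner's own session does.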

I. On the breach relating to the notification of personal data breaches

164. Article 33 of the Regulation provides that in the event of a breach of personal data, the controller shall notify the competent supervisory authority in accordance with Article 55 as soon as possible and, if possible, no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to jeopardize the rights and freedoms of natural persons.

165. The rapporteur considers that the company has failed in its obligation to notify personal data breaches, as this obligation is apparent from the circumstances of the breach and the data concerned.

166. The findings of the July 11, 2019 audit show that the company identified and recorded a computer attack on July 1, 2019. This attack, using the group's mobile application authentication service, took the form of 800,000 connection attempts from 10,000 IP addresses. It resulted in 4,000 successful authentications and 275 effective accesses to customer accounts. This violation was not notified to the CNIL.

167. In defence, the company indicated that the breach was unlikely to create a risk to the rights and freedoms of individuals. It also stated that the persons concerned suffered no financial loss since no loyalty points were deducted. It stresses that, in any event, the general conditions of use of the Carrefour card provide for the reimbursement of the loyalty-card balance of the persons concerned in the event of an attack by third parties.

168. The restricted session recalls that in the event of a breach of personal data, the principle is that of notification to the supervisory authority. The absence of notification is only possible by way of exception, when the violation is not likely to create a risk for the rights and freedoms of individuals. In the present case, the restricted session considers that the analysis of the risks linked to this violation does not lead to the application of this exception to the obligation of notification. Indeed, the seriousness of the violation stems from the obviously malicious origin of this attack, the large number of persons concerned and the combination of several personal data to which the attack gave access and which allow for the identification and direct contact of the persons concerned (customer accounts may include, in particular, the identity of the persons, their telephone number, their e-mail address and their physical address).

169. The restricted session notes that the 4,000 accounts for which no effective access has been found but which have been successfully authenticated should be regarded as participating in the risk assessment. Indeed, the restricted session points out that many people use the same combination of email address and password on a very large number of websites. There is therefore a serious risk that attackers who have identified a valid email address/password combination will try to reuse it on other websites (a technique called credential stuffing). There was also a risk that, now having several pieces of information about the persons concerned and their relations with the companies of the Carrefour group, the attackers would try to usurp the identity of one of these companies in malicious and misleading e-mails (phishing). These accounts must therefore be considered as concerned by the violation.

170. Accordingly, the restricted session considers that a breach of Article 33 of the GDPR is constituted.

171. It nevertheless stresses that, despite a difference of assessment with the rapporteur and with a view to compliance, the company notified the breach to the CNIL on July 19, 2020 and was thus in compliance on the day of the session.
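The detection and risk-assessment reasoning of paragraphs 166 to 169, as an added Python example that is not part of the decision and not the Carrefour group's code. It reads constructed authentication log lines, isolates the credential-stuffing pattern (one source trying many distinct accounts with almost every attempt failing, as opposed to many attempts on one account), counts every successfully authenticated account as affected rather than only those actually read, and applies the Article 33 test in which notification is the rule. The log format, the thresholds in `flag_stuffing`, the IP addresses (taken from documentation ranges) and the function names are assumptions for the example.

```python
"""Added example, not code from the decision or from the Carrefour group: the
detection and Article 33 assessment behind paragraphs 166-169, run over
constructed log lines. Log format, thresholds and addresses are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)      # distinct accounts tried
    successes: Set[str] = field(default_factory=set)  # accounts actually logged into


def parse_log(lines: Iterable[str]):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def aggregate(events) -> Dict[str, IpStats]:
    stats: Dict[str, IpStats] = defaultdict(IpStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["res"] == "OK":
            s.successes.add(e["user"])
        else:
            s.failures += 1
    return dict(stats)


def flag_stuffing(stats: Dict[str, IpStats], min_attempts: int = 20,
                  min_users: int = 10, min_fail_ratio: float = 0.9) -> Dict[str, IpStats]:
    """Credential stuffing replays leaked pairs, one per account, across many
    accounts; the signature is many distinct users per source and a high
    failure ratio. A brute force on one account looks different."""
    return {
        ip: s for ip, s in stats.items()
        if s.attempts >= min_attempts
        and len(s.users) >= min_users
        and s.failures / s.attempts >= min_fail_ratio
    }


def accounts_affected(flagged: Dict[str, IpStats]) -> Set[str]:
    """Paragraph 169: every account the attacker authenticated to is affected,
    read or not, because its password is now confirmed valid."""
    affected: Set[str] = set()
    for s in flagged.values():
        affected |= s.successes
    return affected


def must_notify(affected: int, data_categories: Set[str], malicious: bool) -> bool:
    """Article 33: notification is the rule; the exception applies only when the
    breach is unlikely to result in a risk. A malicious breach, or one exposing
    identifying and contact data, is treated as a risk (paragraph 168)."""
    contact = {"name", "email", "phone", "postal_address"}
    if affected == 0:
        return False
    return malicious or bool(data_categories & contact)


def build_sample_log():
    """Constructed log: one stuffing source trying 30 accounts (2 hits) and one
    ordinary user who mistypes a password once. TEST-NET addresses."""
    lines = [
        f"2019-07-01T02:14:{i:02d}Z ip=203.0.113.7 user=u{i:03d} "
        f"result={'OK' if i in (5, 17) else 'FAIL'}"
        for i in range(30)
    ]
    lines += [
        "2019-07-01T08:00:00Z ip=198.51.100.4 user=alice result=FAIL",
        "2019-07-01T08:00:09Z ip=198.51.100.4 user=alice result=OK",
        "garbage line that must be ignored",
    ]
    return lines


def analyse(lines: Iterable[str]) -> Tuple[Set[str], Set[str], bool]:
    """Return (flagged source IPs, affected accounts, notify?)."""
    flagged = flag_stuffing(aggregate(parse_log(lines)))
    affected = accounts_affected(flagged)
    return set(flagged), affected, must_notify(len(affected), {"name", "email"}, bool(flagged))
```

On the constructed log, `analyse` flags the single stuffing source, reports both accounts it authenticated to as affected even though neither was read, and concludes that notification is due; the ordinary user's one failed attempt stays below every threshold.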

J. On the breach relating to cookies

172. Article 82 of the French Data Protection Act (Article 32.II in the wording applicable on the day of the findings, which is identical) requires that users be informed and that their consent be obtained before any operation of access to, or storage of, information already stored in their terminal equipment. Any deposit of cookies or other trackers must therefore be preceded by the information and consent of individuals. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means or which are strictly necessary for the provision of an online communication service at the express request of the user.

173. The rapporteur considers that the company did not comply with these provisions, since it emerges from the online inspection of May 24, 2019 that, on arrival at the carrefour.fr website, several cookies that do not fall within the two cases mentioned above were deposited on the user's terminal as soon as he connected to the home page of the site and before any action on his part.

174. The company does not dispute these elements.

175. The restricted session notes that in the case in point, the deposit of thirty-nine cookies was automatic upon arrival on the home page of the site, and before any action by the user. Of these thirty-nine cookies, three belonged to the Google Analytics solution (cookies `_gid`, `_ga` and `_gat_gtag_UA_3928615_46`).

176. With regard to these three cookies, known as Google Analytics cookies, the restricted session emphasizes that there is no debate that the data collected by these cookies can be cross-referenced with data from other processing operations to pursue purposes other than those restrictively provided for in Article 82 of the Data Protection Act, including to carry out personalized advertising. Indeed, it emerges from the practical guide "Association of Analytics accounts and Google Ads", posted on one of Google's sites, that the integration of Google Analytics in Google Ads "(...) allows [advertisers] to know precisely to what extent [their] ads result in conversions, then quickly adjust the creations and bids accordingly. [Advertisers can] also combine products to identify [their] most interesting segments and then engage these users with personalized messages".

177. Accordingly, these cookies are not intended solely to enable or facilitate electronic communication and are not strictly necessary for the provision of the Service. Their deposit should therefore have required the company to obtain the prior consent of users.

178. The restricted session considers, therefore, that a breach of article 82 of law no. 78-17 of January 6, 1978 is constituted. It also considers that this breach concerned a large number of people, namely all visitors to the carrefour.fr site.

179. The restricted session nevertheless stresses that the company made significant changes to its website during the sanction proceedings. These modifications led, in particular, to the cessation of the automatic deposit of cookies on arrival on the home page of the site since February 5, 2020.
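A pre-consent cookie audit of the kind paragraphs 172 to 177 apply, as an added Python example that is not code from the decision or from the site it concerns. It reads the consent state from the request's own Cookie header, parses the Set-Cookie headers of the landing-page response with the standard library, and reports every cookie deposited before consent that is not on the strictly-necessary allowlist, separating the Google Analytics names the decision cites from other trackers. The consent cookie name `cookie_consent`, the allowlist in `STRICTLY_NECESSARY`, the placeholder property id in `_gat_gtag_UA_EXAMPLE_1` and the sample headers are constructed assumptions.

```python
"""Added example, not code from the decision or the site it concerns: an audit
of the cookies a first, pre-consent response sets, in the sense of Article 82
of the French Data Protection Act as applied in paragraphs 172-177. The
allowlist, the consent cookie name and the sample headers are constructed.
"""
from http.cookies import SimpleCookie
from typing import Dict, List

CONSENT_COOKIE = "cookie_consent"                   # assumption: value "granted" = consent given
STRICTLY_NECESSARY = {"session_id", "csrf_token", CONSENT_COOKIE}   # assumption: exempt under Art. 82
ANALYTICS_PREFIXES = ("_ga", "_gid", "_gat")        # Google Analytics cookie names cited in the decision


def consent_given(request_cookie_header: str) -> bool:
    """Consent is only what the visitor's own Cookie header says it is."""
    jar = SimpleCookie()
    jar.load(request_cookie_header or "")
    return CONSENT_COOKIE in jar and jar[CONSENT_COOKIE].value == "granted"


def cookies_set_by(set_cookie_headers: List[str]) -> List[str]:
    """Names of the cookies a response deposits, one Set-Cookie header each."""
    names: List[str] = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        names.extend(jar.keys())
    return names


def classify(name: str) -> str:
    if name in STRICTLY_NECESSARY:
        return "exempt"      # enables the communication or is needed for the requested service
    if name.startswith(ANALYTICS_PREFIXES):
        return "analytics"   # audience measurement that can be cross-referenced: consent required
    return "other"           # anything else deposited before consent is also a finding


def audit_response(request_cookie_header: str, set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Return the non-exempt cookies deposited while consent is absent, by category;
    an empty dict means nothing to report."""
    findings: Dict[str, List[str]] = {}
    if consent_given(request_cookie_header):
        return findings
    for name in cookies_set_by(set_cookie_headers):
        category = classify(name)
        if category != "exempt":
            findings.setdefault(category, []).append(name)
    return findings


# Constructed first response of a landing page, before the visitor has done anything.
SAMPLE_SET_COOKIE = [
    "session_id=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.123456789.1558684800; Path=/; Max-Age=63072000",
    "_gid=GA1.2.987654321.1558684800; Path=/; Max-Age=86400",
    "_gat_gtag_UA_EXAMPLE_1=1; Path=/; Max-Age=60",    # placeholder property id
    "ab_test_variant=B; Path=/; Max-Age=2592000",
]
```

A request without a consent cookie, or with it set to anything other than "granted", yields findings for every non-exempt cookie in the response; the same response after consent yields none, which is the state paragraph 179 records from February 5, 2020.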

III. On corrective measures and publicity

180. Under the terms of III of Article 20 of the Law of January 6, 1978:

"When the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or this law, the President of the National Commission for Information Technology and Civil Liberties may also, where appropriate after having sent him the warning provided for in I of this article or, where appropriate in addition to a formal notice provided for in II, refer the matter to the restricted session of the Commission with a view to the pronouncement, after an adversarial procedure, of one or more of the following measures: […]

7° Except in cases where the processing is implemented by the State, an administrative fine which may not exceed 10 million euros or, in the case of a company, 2% of the total annual worldwide turnover of the previous financial year, whichever is higher. In the cases referred to in Article 83(5) and (6) of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased to 20 million euros and 4% of said turnover, respectively. The restricted session takes into account, in determining the amount of the fine, the criteria specified in the same Article 83."

181. Article 83 of the RGPD provides:

"1. Each supervisory authority shall ensure that administrative fines imposed under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.

2. Depending on the specific features of each case, administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken, in each individual case, of the following elements:

(a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage they have suffered;

(b) whether the infringement was committed intentionally or through negligence;

(c) any measure taken by the controller or the processor to mitigate the damage suffered by the data subjects;

(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented pursuant to Articles 25 and 32;

(e) any relevant infringement previously committed by the controller or processor;

(f) the degree of cooperation established with the supervisory authority with a view to remedying the infringement and mitigating its possible negative effects;

(g) the categories of personal data concerned by the infringement;

(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures;

(j) the application of codes of conduct approved pursuant to Article 40 or certification schemes approved pursuant to Article 42; and

(k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the infringement."

182. With respect to injunctions and compliance, the restricted session noted that the company corrected all of the deficiencies identified in the sanction report during the proceeding. As compliance has been demonstrated to date, the restricted session considers that no injunction is warranted.

183. As regards the imposition of a fine and its amount, the restricted session considers that, in the case in point, the aforementioned breaches justify the imposition of an administrative fine on the company.

184. As regards the fine proposed by the rapporteur, the company first of all argues that the amount of the proposed fine is excessive, as several breaches are, in its view, not constituted. On this point, the restricted session considers that all the breaches noted by the rapporteur are characterized in this case, as it detailed previously in the reasons for the decision.

185. The company then argues that the mitigating factors set out in Article 83 of the Regulation should lead to a reduction in the amount proposed by the rapporteur and that the significant compliance work carried out should be taken into account.

186. The restricted session analyzes the criteria set out in Article 83 as follows.

187. With regard to the nature, seriousness and duration of the breach, it considers that this criterion is particularly characterized for several breaches, in particular those relating to the duration of the storage of personal data, the modalities of exercising rights and the deposit of cookies. With regard to the breaches relating to the right to erasure and to objection to prospecting, the restricted session notes the residual nature of these cases in view of the large number of requests for erasure that the data controller has faced since the Regulation became applicable. It stresses that the number of complaints received by the Commission is limited and that each results from an isolated failure. It acknowledges the changes made by the company to comply on this point, as well as to internalize the handling of individuals' objections and to improve the processing of requests and respect for rights. With respect to the data security breach, the restricted session considers that the seriousness of this breach is mitigated by the prompt implementation of measures that partially limit the occurrence of the risk. Finally, with respect to objection to electronic prospecting, the restricted session notes that the incident was a one-time incident. Regarding the number of people concerned, this criterion is particularly aggravating for the breach relating to the length of time data is kept, which affected several million people, since every person who joined the loyalty program or created an account on the carrefour.fr site was concerned, and for the breach relating to cookies, since cookies were deposited without consent on the terminals of the site's 1.7 million unique visitors. This criterion is, however, mitigating with regard to the difficulties encountered in exercising the right of access (three persons concerned), the right to erasure (four persons concerned), the right to object (two persons concerned) and objection to electronic prospecting (350 persons concerned out of the 350,000 people targeted by the campaign). Across all the breaches, the restricted session considers the level of damage suffered to be insignificant.

188. The restricted session notes that most breaches are the result of negligence, one-off errors or a lack of anticipation of the consequences of the application of the Regulations.

189. With regard to the measures taken by the controller to mitigate the harm suffered by data subjects, the restricted session notes the company's perfect cooperation throughout the sanction procedure and the very significant efforts made to achieve full compliance on the day of the session. It notes that all breaches have been corrected to date.

190. With regard to the degree of cooperation with the supervisory authority, the restricted session noted the company's perfect cooperation, both in facilitating the CNIL's investigations and in taking into account the rapporteur's observations, even before the restricted session's decision. It also notes that the company complied with the rapporteur's legal analysis of all the shortcomings noted, even in cases where a difference of opinion remained.

191. With regard to the categories of personal data concerned, the restricted session notes that no sensitive data were concerned by the processing operations.

192. With regard to the manner in which the supervisory authority became aware of the breach, the restricted session notes that complaints were the source of many of the breaches.

193. With respect to the benefits derived from the breaches, the restricted session considers that the company did not receive any financial benefit from the breaches. In particular, it demonstrated that even when the retention periods were exceeded, the data could not be used for prospecting purposes. In addition, it has committed significant financial resources to comply during the sanction procedure.

194. In conclusion, the restricted session notes the number and seriousness of breaches of certain essential obligations of a data controller, such as information or respect for the rights of individuals. It also notes that some failures were structural. This was the case, for example, for the under-resourcing of the means used to respond to requests to exercise rights, leading on a recurring basis to abnormally long response times without individuals being informed of the processing of their request, and for the delay in purging personal data whose storage period had expired. On these points, the restricted session also highlights the particularly large number of people involved, given the several tens of millions of customers whose personal data is held in the company's databases. Finally, the restricted session notes that the breaches were brought to its attention by a large number of complaints received by the CNIL concerning this data controller. This large volume of complaints is moreover at the origin of the decision to carry out an audit of this company.

195. Consequently, the restricted session considers that a fine should be imposed.

196. With regard to the basis for the fine, the company also disputes the method of calculating the basis for the penalty.

197. On this point, the restricted session points out that Article 83(5) of the Regulation provides that the amount of fines imposed for breaches of the rules may amount to up to 4% of the total annual worldwide turnover of the previous financial year. It points out that recital 150 of the Regulation specifies that "where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union for those purposes". The restricted session therefore considers that the Regulation makes a direct and explicit reference, in the particular context of the determination of the amount of fines, to competition law as it relates to Articles 101 and 102 of the Treaty on the Functioning of the European Union (hereinafter "the TFEU"). The restricted session recalls that the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679, adopted on 3 October 2017 by the G29, specify in this respect that "in order to impose effective, proportionate and dissuasive fines, the supervisory authorities will rely on the definition of the concept of undertaking provided by the CJEU for the purposes of the application of Articles 101 and 102 TFEU, i.e. the concept of undertaking must be understood as an economic unit which may be formed by the parent company and all the subsidiaries concerned. In accordance with Union law and case-law, an undertaking is to be understood as the economic unit engaged in commercial or economic activities, irrespective of the legal person involved (recital 150)".

198. The restricted session considers that the subsidiaries owned by the company CARREFOUR FRANCE and benefiting from the processing operations must be considered as concerned within the meaning of the above-mentioned guidelines. Indeed, in the context of competition law, to which recital 150 of the Regulation refers directly, an undertaking must be understood as designating an economic unit even if, from a legal point of view, this economic unit is made up of several natural or legal persons (judgment of 12 July 1984, Hydrotherm, 170/83, ECR p. 2999, point 11, reproduced in the judgment of the Confederación Española de Empresarios de Estaciones de Servicio, ECLI:EU:C:2006:784, point 40).

199. The restricted session also recalls that the fines imposed must have a deterrent effect. In the light of this requirement, it has been held that imputation of liability to the economic successor is justified for the purposes of the effective implementation of the competition rules. Indeed, if the Commission did not have such an option, it would be easy for companies to escape sanctions through restructuring, divestitures or other legal or organizational changes. The objective of repressing conduct contrary to the rules of competition and preventing the renewal of such conduct by means of dissuasive sanctions would thus be compromised (Trib. EU, February 29, 2016, Schenker v. European Commission, Case T-265/12, paragraph 193).

200. The restricted session considers that the legal organization of the group, and in particular that of CARREFOUR FRANCE and its subsidiaries, would de facto render ineffective any fine calculated on the turnover of CARREFOUR FRANCE alone. The restricted session recalls that CARREFOUR FRANCE had revenues of approximately 14 million euros and a net loss of 1.6 billion euros in 2019. These figures were of the same order in 2018 (sales of around 25 million euros and a net loss of 1.4 billion euros). However, CARREFOUR FRANCE belongs to a group whose economic activity is of a totally different order of magnitude, with revenues of approximately 80 billion euros (approximately 40 billion euros in France) for an adjusted net profit, group share, of approximately 900 million euros in 2019. Certain subsidiaries of CARREFOUR FRANCE generate particularly high revenues. For example, CARREFOUR HYPERMARKETS (81.73% owned by CARREFOUR FRANCE) generated revenues of 14.3 billion euros in 2019 and CARREFOUR PROXIMITÉ FRANCE (99% owned by CARREFOUR FRANCE) generated revenues of 636 million euros in 2019.

201. Consequently, the restricted session considers that, in order to assess the concept of an undertaking in accordance with Articles 101 and 102 of the TFEU, it is necessary to take into account the turnover generated by CARREFOUR FRANCE and by the subsidiaries it owns and which have benefited from the processing operations. It emerges from the company's statements during the audit carried out on May 28, 2019 that CARREFOUR HYPERMARKETS and CARREFOUR PROXIMITÉ FRANCE benefit from the data pooling program. The French Marketing Department of CARREFOUR FRANCE processes the shared data of the customers of these companies (surname, first name, postal and e-mail address, telephone number, purchase history) in order to send them personalized advertising for the products sold under these brands. The restricted session also emphasizes that these companies participate in the collection of personal data, since membership in the loyalty program is possible directly in the store through paper forms.

202. In conclusion, the restricted session notes that the turnover of the company, understood as an economic unit, which serves as the basis for calculating the fine, amounts to EUR 14.9 billion in 2019.

203. The restricted session considers, however, that the determination of the amount of the fine must take account of the specific nature of the economic model of the sector concerned, that of mass retailing, which is characterized by extremely high volumes and low margins, and therefore by a particularly high turnover in relation to the net results generated by the activity.

204. The restricted session therefore considers that a fine of EUR 2,250,000 is justified and proportionate to the breaches identified and to the situation of CARREFOUR FRANCE.

205. On the publicity of the decision, the company considers that the publicity of the penalty is not justified.

206. The restricted session considers, first, that the seriousness of certain breaches justifies, in itself, the publicity of the present decision.

207. The restricted session recalls, secondly, that the breaches relating to the duration of data retention, the methods of exercising rights and the information provided concerned a very large number of persons. It considers that the publicity of its decision is the best means of informing people of the past existence of these failures. It notes that individuals can only become aware of certain breaches (such as the one relating to the retention period) through the publication of its decision.

208. It follows from all of the foregoing and taking into account the criteria set out in Article 83 of the Regulation that an administrative fine of EUR 2,250,000 and an additional publication penalty for a period of two years are justified and proportionate.

FOR THESE REASONS

The restricted session of the CNIL, after having deliberated, decides to:

- impose an administrative fine of 2,250,000 (two million two hundred and fifty thousand) euros on CARREFOUR FRANCE for breaches of Articles 5(1)(e), 12, 13, 15, 17, 21, 32 and 33 of the GDPR, Article L34-5 of the French Post and Electronic Communications Code and Article 82 (formerly 32.II) of the French Data Protection Act;

- make its decision public, on the CNIL website and on the Légifrance website, which will no longer identify the company by name after two years from the date of publication.

The Chairman

Alexandre LINDEN

This decision may be appealed before the Council of State within two months of its notification.