CNIL (France) - SAN-2020-009

| CNIL - SAN-2020-009 | |
|---|---|
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 5(1)(a) GDPR; Article 12 GDPR; Article 13 GDPR; Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 18.11.2020 |
| Published: | 26.11.2020 |
| Fine: | 800000 EUR |
| Parties: | Carrefour Banque |
| National Case Number/Name: | SAN-2020-009 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | Legifrance (in FR) |
| Initial Contributor: | Fra-data67 |
The French DPA (CNIL) fined Carrefour Banque €800,000 for several violations of the GDPR and French data protection law. The breaches concerned the fairness and transparency of data processing, the accessibility and content of the information provided about processing, and the unlawful use of cookies.
English Summary
Facts
CARREFOUR BANQUE is a subsidiary owned 40% by BNP PARIBAS SA and 60% by CARREFOUR SA, the parent company of the CARREFOUR group. CARREFOUR BANQUE is a banking company whose main activities are consumer credit, portfolio management, insurance brokerage and investment services.
As part of its activities, the company publishes the website www.carrefour-banque.fr and markets a payment card for customers of the CARREFOUR group, which can be attached to the group's loyalty programme.
Having received several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of data on customers and potential users. The President of the CNIL therefore decided to initiate sanction proceedings against these companies.
Following an online inspection carried out by the CNIL on 5 July 2019, the rapporteur noted several breaches of the GDPR and the French Data Protection law (Loi informatique et libertés).
Dispute
In this case, the French data protection authority investigated several issues:
- Does the transmission of data by CARREFOUR BANQUE to CARREFOUR France when joining the loyalty programme comply with the principle of fair and transparent processing contained in Article 5(1)(a) GDPR?
- Is the information relating to personal data processing operations easily accessible within the meaning of Articles 12 and 13 GDPR?
- Is the information provided to data subjects throughout the subscription process in compliance with the provisions of Article 13 GDPR?
- Does placing 39 cookies on the data subjects' computers before any act of consent or refusal on their part violate Article 82 of the French data protection law?
Holding
The CNIL ordered CARREFOUR BANQUE to pay an administrative fine of €800,000. Since the company took the necessary measures to put an end to the breaches of which it was accused before the end of the proceedings, the CNIL did not issue an injunction against it.
However, in view of the seriousness of the breaches sanctioned and the number of people concerned, the restricted formation pronounced an additional publication sanction for a period of two years.
On the violation of the obligation to fairly process personal data
When a subscriber to the payment card also wanted to join the CARREFOUR loyalty programme, he had to tick a box which provided: “I accept that CARREFOUR BANQUE communicates to CARREFOUR FIDELITE my surname, first name and email. CARREFOUR BANQUE undertakes not to transmit any other information to CARREFOUR FIDELITE”. Nonetheless, the French DPA noticed that CARREFOUR BANQUE also transmitted other information to CARREFOUR FRANCE: postal address, telephone numbers, and the number of children declared by the subscriber.
The French DPA concluded that this was a violation of the principle of fairness under Article 5(1)(a) GDPR, as the information given to data subjects was imprecise and misleading. The French DPA pointed out that, although the GDPR does not define fairness, it is linked to the requirement of transparency in Article 12. More specifically, the CNIL highlighted that:
- CARREFOUR BANQUE transmits to CARREFOUR FRANCE more data than those restrictively listed at the time of subscription.
- CARREFOUR BANQUE mentions CARREFOUR FIDELITE as the recipient of the data communicated by data subjects, whereas this service, attached to the company CARREFOUR FRANCE, had never been presented to the subscriber prior to this mention.
On the lack of accessibility to information on processing of personal data
Quoting Article 12 GDPR, the French DPA distinguished between:
- Access to information relating to personal data protection: In this case, the user could access the information relating to the processing of his or her data either by clicking directly on the "Protection of Banking Data" tab at the bottom of the page, or by going through the Legal Notice, which referred to the privacy policy and thus required several actions by the user. On this point, the CNIL recalled the WP29 guidelines on transparency, according to which data subjects should not have to search for information but should have immediate access to it. The French DPA therefore held that there was a violation of the obligation of transparency under Article 12 GDPR. On the one hand, the vagueness of the title "Protection of Banking Data" does not make it clear to data subjects that this tab concerns personal data protection. On the other hand, with regard to access to the privacy policy via the legal notices, the CNIL noted that users must first carry out several actions before being able to reach it.
- The information provided to data subjects throughout the online subscription process: According to the CNIL, the information provided throughout the payment card subscription process was not easily accessible to data subjects. Although CARREFOUR BANQUE did provide the expected first-level information on the page presenting the payment card subscription process (identity of the controller, purposes of the processing, description of the rights granted to data subjects), the CNIL nevertheless emphasised that CARREFOUR BANQUE neglected to complement these mentions with a link allowing people to read the complete information. This was a violation of Article 12.
On the vagueness of data retention periods
Based on Article 13(2)(a) GDPR and the WP29 guidelines on transparency, the CNIL noted that CARREFOUR BANQUE's privacy policy was imprecise and vague about data retention.
Indeed, the privacy policy contained vague and undefined wording that left data subjects uncertain about the extent and nature of the data collected. Furthermore, the policy did not specify the retention periods for all data and did not specify the criteria used to determine these periods.
On the use of cookies on the website
The French DPA recalled the provisions of Article 82 of the French data protection law (loi informatique et libertés), which require that any deposit of cookies or trackers be preceded by information to users and their consent. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means, or which are strictly necessary for the provision of an online communication service at the express request of the user.
In this case, the CNIL noted that 31 cookies were automatically deposited on users' devices upon arrival on the site's home page and before any action by the user. More specifically, two of them were intended to track the user and three were intended for advertising targeting.
Concluding that these five cookies do not fall within the scope of the exceptions set out in Article 82 of the French data protection law, the CNIL found a breach of Article 82 and underlined that the deposit of these five cookies required the company to obtain the user's prior consent.
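The Article 82 rule summarised above is usually implemented on the client side as a consent gate: cookies that are strictly necessary for the service may be written immediately, while tracking and advertising cookies are held back until the visitor accepts them, and are never written if the visitor refuses. The following JavaScript is an added illustration of that pattern written for this page; it is not code from the decision, from the CNIL or from Carrefour Banque. The function names, the category labels ("necessary", "tracking", "advertising") and the cookie names in the usage section are all hypothetical, and the in-memory "jar" stands in for `document.cookie` so the logic can run outside a browser.

```javascript
// Consent-gated cookie loader: a hypothetical illustration of the Article 82
// rule (information and consent before any deposit, except cookies strictly
// necessary to deliver the requested service). Not the site's actual code.

// Categories that may be deposited without consent under the Article 82 exception.
const EXEMPT_CATEGORIES = new Set(["necessary"]);

// Minimal cookie sink so the example runs in Node; in a browser, `set` would
// write to document.cookie instead.
function memoryJar() {
  const jar = new Map();
  return {
    set: (name, value) => jar.set(name, value),
    names: () => [...jar.keys()],
  };
}

function createCookieGate(jar) {
  let pending = [];              // non-exempt cookies awaiting a consent decision
  const consented = new Set();   // categories the visitor has accepted
  let decided = false;           // true once the visitor accepted or refused

  return {
    // Register a cookie together with the category that decides whether it needs consent.
    register(name, category, value) {
      if (EXEMPT_CATEGORIES.has(category)) {
        jar.set(name, value);                        // strictly necessary: deposit now
      } else {
        pending.push({ name, category, value });     // everything else waits for consent
      }
    },
    // Wired to the banner's "accept" button with the categories the visitor chose.
    accept(categories) {
      decided = true;
      for (const c of categories) consented.add(c);
      const granted = pending.filter((c) => consented.has(c.category));
      for (const c of granted) jar.set(c.name, c.value);
      pending = pending.filter((c) => !consented.has(c.category));
    },
    // Wired to the "refuse" button: nothing non-exempt is ever deposited.
    refuse() {
      decided = true;
      pending = [];
    },
    hasDecided: () => decided,
    pendingNames: () => pending.map((c) => c.name),
  };
}

// Audit helper for a first page load: given the cookie names observed before any
// user action and a name -> category map, return those that needed prior consent.
// Unknown cookies are reported too, since they cannot be shown to be exempt.
function cookiesNeedingConsent(observedNames, categoryOf) {
  return observedNames.filter((n) => !EXEMPT_CATEGORIES.has(categoryOf[n] || "unknown"));
}

// Usage with constructed cookie names (hypothetical, not those from the decision).
function runScenario() {
  const jar = memoryJar();
  const gate = createCookieGate(jar);
  gate.register("session_id", "necessary", "s-1");      // keeps the visitor logged in
  gate.register("_visitor", "tracking", "v-1");         // cross-page tracking
  gate.register("ad_segment", "advertising", "seg-42"); // advertising targeting
  const beforeDecision = jar.names();                   // only the exempt cookie
  gate.accept(["tracking"]);                            // visitor accepts tracking only
  return { beforeDecision, afterPartialAccept: jar.names(), stillPending: gate.pendingNames() };
}
```

In a real deployment the gate also has to cover third-party scripts that write cookies themselves: the script tag for an analytics or advertising provider must not be inserted into the page until `accept` has been called for its category, otherwise the provider deposits its cookies regardless of the gate. The `cookiesNeedingConsent` helper is the check a reviewer can run against a fresh-profile page load to catch exactly the situation described in the decision, where cookies appear before the visitor has done anything.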
Comment
The information owed to data subjects has an important place in this case. The CNIL reaffirms, in line with the principles of the GDPR and the WP29 guidelines, the standards governing the quality of the information that a controller must deliver to data subjects.
This sanction was issued jointly with CNIL - SAN-2020-008, which imposed a €2,250,000 fine on Carrefour France.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.