CNIL (France) - SAN-2020-018

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 12 GDPR
Article 12(4) GDPR
Article 13 GDPR
Article 15(1) GDPR
Article 15(3) GDPR
Article 32 GDPR
Article 20 III loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Article 8 loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Article L. 34-5 Code des postes et des communications électroniques
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.12.2020
Published: 06.01.2021
Fine: 20000 EUR
Parties: Nestor SAS
National Case Number/Name: SAN-2020-018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA (CNIL) imposed a fine of €20,000 on the catering company Nestor. The company sent commercial emails without gathering consent (Article L. 34-5 of the Postal and Electronic Communications Code), did not provide sufficient information to data subjects (Articles 12 and 13 GDPR), failed to respect data subjects' right of access (Article 15 GDPR) and, finally, did not ensure sufficient security of the personal data it processed (Article 32 GDPR).

English Summary

Facts

Nestor SAS, founded in 2015, prepares and delivers meals to office employees who order them on its website. It was the subject of various complaints over time.

In November 2018 and January 2019, the CNIL received four complaints from people who were not clients, indicating that they had received commercial emails despite never having given their consent.

Additionally, another complainant pointed out that it was particularly difficult to object to the processing of personal data for commercial emailing purposes. Some complainants kept receiving emails despite having unsubscribed from the mailing list.

Another two complainants attempted to obtain a copy of their personal data from Nestor, without success. Nestor also did not respond to requests for information about the purpose of the processing, its duration or the source of the data.

The CNIL also conducted an online investigation of the Nestor website and app in May 2019 to check their compliance with the GDPR and the French national data protection law of 1978 as amended (loi n°78-17 du 6 janvier 1978 modifiée relative à l'informatique, aux fichiers et aux libertés). The CNIL did this again in February 2020.

The CNIL also inspected the company's headquarters in May 2019.

The CNIL continued its investigation in June and September 2019 by requesting further information on the legal basis for the processing, the right to object and the retention period of the personal data.

Dispute

There were four key material law questions:

- Did Nestor violate Article L. 34-5 of the Postal and Electronic Communications Code (Code des postes et des communications électroniques) by sending commercial emails without consent?
- Did Nestor fail to provide sufficient information to data subjects at the moment of collecting their personal data, in violation of Articles 12 and 13 GDPR?
- Did Nestor fail to respect the exercise of the right of access, in violation of Article 15 GDPR?
- Did Nestor fail to satisfy the obligation of security, in violation of Article 32 GDPR?

Holding

Regularity of the procedure. Claim that the CNIL did not have the power to impose measures: Nestor claimed that the CNIL lacked the power to impose any sanction unless the non-compliance with the law was ongoing.

The CNIL held that Article 20 III of the 1978 national data protection law (as amended) cannot be interpreted as restricting the CNIL's functions in this way. Instead, the legislator intended to allow the CNIL to impose sanctions for any violation, even one that has since ceased and for which corrective measures are no longer necessary.

The CNIL noted that this interpretation of Article 20 of the 1978 law is consistent with the GDPR, as set out in Recital 148.

The CNIL also referred to decision n°423559 of the French Supreme Administrative Court (Conseil d'Etat), which allowed such sanctions even where the violation had already been corrected. https://www.legifrance.gouv.fr/ceta/id/CETATEXT000038388017/

The CNIL therefore dismissed Nestor's argument that it lacked the power to impose sanctions.

Claim that the CNIL did not have competence: Nestor also argued that the CNIL misinterpreted the scope of the referral for the investigation, which did not mention Article L. 34-5 of the French Postal and Electronic Communications Code (Code des postes et des communications électroniques), so that the CNIL could not rule on violations of that article.

However, the CNIL referred to Article 8 of the 1978 law (as amended), which tasks the CNIL with ensuring the application of the 1978 law as well as of other data protection provisions found in legislative texts, EU legislation and international agreements to which France is a party. Article L. 34-5 of the Postal and Electronic Communications Code therefore falls within that scope.

The French Supreme Administrative Court had also confirmed, in its decision n°368624, that the CNIL may ensure compliance with Article L. 34-5 of the Postal and Electronic Communications Code. https://www.legifrance.gouv.fr/ceta/id/CETATEXT000030445581/

The CNIL could therefore apply the Postal and Electronic Communications Code and investigate potential violations of it.

Claim that the allegations lacked precision: The CNIL rejected the argument that its allegations lacked precision, as it considered that they contained sufficient material and temporal detail to allow Nestor to exercise its rights of defence.

Violation of the obligation to gather consent as prescribed by Article L. 34-5 of the Postal and Electronic Communications Code. Lack of consent from natural persons receiving commercial emails: The CNIL found during its investigation that Nestor had worked with two companies to build a database of personal data used to send commercial emails. This was done by combining the name of a natural person with the company they work for and collating the result in a database. Nestor disclosed that 635,033 commercial emails had been sent in this way since 2017.

The CNIL dismissed Nestor's argument that this processing relied on legitimate interest as its legal basis (and hence Nestor's claim that no prior consent was needed).

The CNIL held that sending these commercial emails to natural persons bore no relation to the recipients' professional activity, since they concerned lunch meals. The CNIL therefore found that Nestor had sent emails and SMS without first gathering consent. According to the CNIL, these commercial emails fell within the scope of Article L. 34-5 of the Postal and Electronic Communications Code, which does not allow legitimate interest as a legal basis.

Nestor therefore violated Article L. 34-5 of the Postal and Electronic Communications Code.

Lack of consent to receive commercial emails from natural persons creating accounts on Nestor's website or app: The CNIL held that Nestor did not gather valid consent to send commercial emails to users creating an account on its website or app.

This too was in violation of Article L. 34-5 of the Postal and Electronic Communications Code. Nestor has since corrected this issue.

Violations of the obligation to inform as prescribed by Articles 12 and 13 GDPR: The CNIL held that the information Nestor provided to data subjects about the processing of their personal data, at the moment of collection, was incomplete and hence in violation of Article 13 GDPR. The sign-up form did not include all the information required by Article 13 GDPR: there was no information on the legal bases for the processing, the recipients of the personal data, the retention period or the right to lodge a complaint with the supervisory authority.

Additionally, the CNIL held that the privacy policy linked from the home page was also incomplete, lacking information on the retention period, the legal bases and any third-party recipients.

It also held that this information was not easily accessible to the data subject, in violation of Article 12 GDPR. The CNIL stressed that Article 12 must be read in light of Recital 61 and the Article 29 Working Party Guidelines on transparency: the data subject must not have to search for the information but must be able to access it immediately.

Nestor therefore violated Articles 12 and 13 GDPR. The company has since remedied these issues.

Violations of the obligation to respect the right of access as prescribed by Article 15 GDPR: The CNIL held that Nestor failed to provide a requesting data subject with a copy of the personal data held about them in its database; Nestor merely unsubscribed the data subject from its mailing list. This was a failure to give effect to the right of access under Article 15(3) GDPR.

Additionally, the CNIL held that Nestor responded to a request for information under Article 15 only after more than five months had passed, whereas Article 12(3) GDPR requires a response within one month. Nestor likewise failed to provide accurate information on the source of the personal data: it only explained that the data subject's email address had been reconstructed from another email address, without mentioning that the latter had been obtained from a professional social network. Nestor also did not provide the data subject with any copy of the data.

Nestor therefore failed to respect data subjects' right of access, in violation of Article 15 GDPR.

Violation of the obligation to ensure the security of personal data as prescribed by Article 32 GDPR: The CNIL found that Nestor's sign-up page accepted passwords of only one character in the app and of six characters on the website.

The CNIL held that these password requirements were insufficient to ensure the security of the personal data as required by Article 32 GDPR. According to the DPA, the length and complexity of a password are what determine its robustness against guessing and brute-force attacks. The CNIL referred to its recommendations in Deliberation n° 2017-012 of 19 January 2017 on password security. https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000033928007

The CNIL therefore held that Nestor violated Article 32 GDPR.
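The following is an added example, not code from the decision, from Nestor or from the CNIL. It models the two length-only rules described above (one character in the app, six on the website) as policy objects beside a hardened policy, and checks constructed sample passwords against each. The hardened threshold of 12 characters drawing on all four character classes is our reading of the password-only case in Deliberation n° 2017-012, which should be verified against the deliberation itself (it allows shorter passwords only when combined with additional controls such as login throttling); the sample passwords are made up for the example.

```python
"""Password-policy check: the policies reported in SAN-2020-018 beside a hardened one.
Added example; not code from the decision, from Nestor or from the CNIL."""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_classes: int = 0   # how many of the 4 character classes must be present


def count_classes(password: str) -> int:
    """Number of distinct character classes (lower, upper, digit, special) present."""
    present = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(present)


def violations(policy: PasswordPolicy, password: str) -> list[str]:
    """Return the rules the password breaks under this policy; empty means accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if count_classes(password) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    return problems


# Length-only rules as the decision describes them (no complexity rule is reported).
APP_AS_FOUND = PasswordPolicy("app as found", min_length=1)
WEBSITE_AS_FOUND = PasswordPolicy("website as found", min_length=6)
# Hardened policy: 12 characters from all four classes. This is our reading of the
# password-only case in CNIL deliberation 2017-012 (assumption: verify against the text;
# shorter passwords are allowed there only with extra controls such as throttling).
HARDENED = PasswordPolicy("hardened", min_length=12, min_classes=4)

POLICIES = (APP_AS_FOUND, WEBSITE_AS_FOUND, HARDENED)

# Constructed sample passwords, not taken from the case file.
SAMPLES = ("a", "123456", "lunchtime", "Lunch-Order-2019!")


def acceptance_table(samples=SAMPLES, policies=POLICIES) -> dict[str, dict[str, bool]]:
    """For each sample password, which policies accept it (True) or reject it (False)."""
    return {pw: {p.name: not violations(p, pw) for p in policies} for pw in samples}


if __name__ == "__main__":
    for pw, verdicts in acceptance_table().items():
        summary = "  ".join(f"{n}: {'accept' if ok else 'reject'}" for n, ok in verdicts.items())
        print(f"{pw!r:22} {summary}")
```

Running the block shows the point the CNIL made: the app's rule accepts a single character, the website's rule accepts "123456", and only the hardened policy rejects both while still accepting a long, mixed-class password. Length and class counts are the minimum a policy should enforce; a real deployment would also screen against known-breached passwords and throttle login attempts, which is what allows the deliberation's shorter-password cases.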

Corrective measures: For the above violations, the CNIL imposed a fine of €20,000 on Nestor SAS, taking into account the economic impact of COVID-19 on the catering company. It also ordered Nestor to bring its processing into compliance with the Articles it had violated (including the handling of access requests).


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.