CNIL (France) - SAN-2021-008
CNIL (France) - SAN-2021-008 | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 5(1)(e) GDPR; Article 13 GDPR; Article 17 GDPR; Article 32 GDPR; Article 82 Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés; Article L34-5 Code des postes et des communications électroniques |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 14.06.2021 |
Published: | 17.06.2021 |
Fine: | 500 EUR |
Parties: | n/a |
National Case Number/Name: | SAN-2021-008 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | French |
Original Source: | Légifrance (in FR) |
Initial Contributor: | n/a |
The CNIL fined BRICO PRIVÉ €300,000 for violating Articles 5(1)(e), 13, 17 and 32 GDPR by failing to determine and implement data retention periods, failing to inform users of its website about processing activities, failing to comply with data subjects' erasure requests, and failing to ensure appropriate security measures for authentication on the website and on the customer relationship management software used by the company's employees.
The CNIL also fined BRICO PRIVÉ €200,000 for violations of national provisions concerning cookies and consent to commercial prospection.
English Summary
Facts
On 13 November 2018, the CNIL carried out an inspection at BRICO PRIVÉ's premises. The inspection covered data retention periods, the information provided to data subjects, compliance with data subjects' requests for deletion of their personal data, the obligation to ensure data security, and the obligation to obtain the data subject's consent before sending commercial prospecting by e-mail.
To complete its investigations, and after receiving additional documents, the CNIL carried out an online inspection of all processing accessible from the bricoprive.com domain on 6 February 2020.
On 13 January 2021, after the company indicated that it had changed the way cookies were deposited, a CNIL delegation carried out a new online inspection of all processing accessible from the bricoprive.com domain in order to update the findings made on 6 February 2020.
Dispute
Holding
The CNIL fined BRICO PRIVÉ €300,000 for violating articles 5(1)(e), 13, 17 and 32 GDPR and €200,000 for violating article 82 of loi n° 78-17 du 6 janvier 1978 modifiée relative à l'informatique, aux fichiers et aux libertés and article L.34-5 du code des postes et des communications électroniques (CPCE).
The CNIL also ordered BRICO PRIVÉ to bring its processing operations into compliance with the obligations resulting from Article 5(1)(e) GDPR and Article L. 34-5 of the CPCE, and in particular to:
- cease retaining the personal data of former customers of the company's website at the end of the set period of inactivity, purge such data retained by the company up to the date of the deliberation of the restricted formation, and justify the deletion of such personal data beyond a set period of inactivity, which it will be for the company to justify
- provide evidence of an intermediate archive procedure for customers' personal data, established after sorting out the relevant data to be stored and deleting irrelevant data, as well as the starting point of such storage (e.g. for invoices stored for accounting purposes)
- cease commercial prospecting to prospects who have not given their consent, unless their consent is obtained.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.