CNIL (France) - SAN-2022-011
| CNIL - Délibération SAN-2022-011 | |
|---|---|
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 12 GDPR; Article 14 GDPR; Article 15 GDPR; Article 21 GDPR; Article 83 GDPR; Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (ePrivacy Directive); Article L. 34-5 of the French Post and Electronic Telecommunications Code (CPCE); Decree No. 2019-536 of May 29, 2019 implementing Law No. 78-17 of January 6, 1978 on information technology, files and freedoms |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 23.06.2022 |
| Fine: | 1,000,000 EUR |
| Parties: | XXXXXXXX TOTAL ENERGIES ELECTRICITY AND GAS FRANCE |
| National Case Number/Name: | Délibération SAN-2022-011 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | French |
| Original Source: | LegiFrance (in FR) |
| Initial Contributor: | Samuel Uzoigwe |
The French DPA fined a data controller 1,000,000 (one million) Euros for failing to respond properly and in time to data subjects' requests, and for the lack of an option on the data controller's website allowing users to object, at the time of collection, to the processing of their personal data for marketing purposes.
English Summary
Facts
The data controller is a limited liability company whose business is the supply and production of electricity and gas in France.
Several data subjects sent complaints to the French DPA (CNIL) stating that they had encountered difficulties in exercising their right of access to the personal data held about them and their right to object to receiving commercial prospecting telephone calls from the data controller.
The complaints concerned requests for rectification of personal data; late, erroneous, or missing responses to requests for access to personal data and to information about its origin; failure to cease processing after the data subject had objected to processing for commercial prospecting (marketing) purposes; and requests for erasure of personal data.
The DPA appointed a rapporteur that carried out an audit of the website of the data controller and investigated the various complaints of the data subjects.
In its defence, the data controller argued that 1) the access requests had not been sent by the data subjects to its dedicated unit, and the staff who received them did not know how to identify their purpose; 2) the procedures it had put in place had not been followed because of human error; 3) a large number of requests had been received in 2020 during the health crisis, and their handling had been impeded by the disruptions that followed; 4) it had difficulty obtaining the necessary information from its business partners and was therefore unable to inform data subjects properly about the source of their data; 5) it had since taken steps to modify its processing activities to comply with the applicable laws; and 6) the breaches affected only a small fraction of its customers.
Beyond the direct complaints made by the data subjects, the DPA noted in its investigation that the online subscription form on the data controller's website offered users no option to object to the use of their personal data for marketing purposes. The form informed users that their personal data might be used by the data controller to present offers to them at a later date.
On this point, the data controller further argued that the CPCE did not apply to the online subscription form, since the collection of personal data through the form was not intended to promote the company's products or services but to offer assistance to users in order to help them finalise their current subscription.
Holding
The DPA held that the lack of an option for a user to object to the processing of their personal data for marketing purposes, at the time of collection, constitutes a breach of the provisions of article L. 34-5 of the French Post and Electronic Telecommunications Code (CPCE).
The DPA observed that, in certain cases, the data subjects contacted for marketing purposes had not been given any of the information required by Article 14 GDPR, such as the purposes of the processing or the existence of their various rights. They were informed neither that the call was being recorded nor of their right to object to it.
The DPA observed that the data controller had failed to respond, supplied erroneous responses, or responded late to several data subject requests, beyond the deadlines set by Article 12 of the GDPR, often after several reminders from the data subject.
The DPA observed that the data controller had failed to process, within the time limit, the various data subjects' requests for access to their personal data, to information about its origin, and to the recordings of telephone conversations concerning them, in breach of its obligations under Article 15 GDPR.
The DPA finally observed that the data controller continued to process the personal data of data subjects after objections from the data subjects to the processing of their personal data in breach of Article 21 of the GDPR.
The DPA held that the data controller could not rely on its difficulties in obtaining information from its commercial partners to justify its failure to respond to the data subjects in accordance with the applicable provisions. It is the data controller's duty to organise itself so as to ensure that access requests are processed in accordance with those provisions and, in particular, that information on the origin of the data can be provided.
The DPA further held that, although the data subjects had not sent their access requests directly to the unit responsible for handling them, the requests had been received by the data controller in clear terms (one of them addressed directly to the data protection officer). It was therefore up to the data controller to ensure that they were forwarded to the competent department and processed within the prescribed time limits.
The DPA imposed a fine of 1,000,000 (one million) Euros on the data controller.
The data controller argued against publication of the penalty decision, on the ground that publication would be disproportionate in light of the limited nature of the alleged breaches and the compliance measures it had taken. It also claimed that publication would significantly harm its image and would favour its main competitors in a highly competitive market.
The DPA nevertheless decided to make its decision public on the CNIL website and on the Légifrance website, and held that the data controller would no longer be identified by name after a period of two years from publication.
The DPA noted that the company had taken measures to bring its processing into compliance with the applicable laws, and acknowledged the efforts it had made to comply throughout the procedure. The DPA also noted that the data controller's agents had been required to attend awareness training on the subjects raised in the complaints.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.