CE - 437808

From GDPRhub
CE - 437808
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 83 GDPR
Decided: 01.03.2021
Published: 05.03.2021
Parties: Futura Internationale
National Case Number/Name: 437808
European Case Law Identifier: ECLI:FR:CECHR:2021:437808.20210301
Appeal from: CNIL
[[1]]
Appeal to: Not appealed
Original Language(s): French
Original Source: Conseil d'Etat (in French)
Initial Contributor: n/a

The French Supreme Administrative Court (Conseil d'Etat) rejected Futura Internationale's appeal against the French DPA's decision of administrative fine of € 500,000. The Conseil d'Etat rejected the argument that the CNIL infringed the constitutional principle of non-retroactivity of the law by applying the GDPR and considered the fine proportionate.

English Summary[edit | edit source]

Facts[edit | edit source]

Futura Internationale appealed against the French DPA's decision to impose a fine of 500,000 EUR on Futura Internationale for sending unsolicited marketing communications.

Dispute[edit | edit source]

Did the French DPA breach the constitutional principle of non-retroactivity of the law by applying the GDPR?

Was the fine of € 500,000 imposed by the French DPA proportionate?

Holding[edit | edit source]

The highest administrative court of France (Conseil d'Etat) dismissed the claim that even if the investigation by the (French DPA) CNIL started in March 2018, the infringement continued after the GDPR entered into force. Futura Internationale was notified of its administrative fine in October 2018. Therefore, the Court held that the French DPA (CNIL) applied the relevant law by applying the GDPR. There was no breach of the constitutional principle of non-retroactivity of the law by the CNIL.

The French Court then assessed Article 83 GDPR and agreed that Futura Internationale failed to comply with several GDPR obligations, including the principle of data minimisation, the obligation to inform data subjects, the obligation to respect the right to object, the obligation to cooperate with the DPA and the obligation to safeguard data transferred internationally. It held that the violations were particularly important and persistent. Therefore, the Court concluded that the French DPA had not imposed a disproportionate fine. 500 000 EUR fine was 2.5% of Futura Internationale's annual global turnover.

Therefore, the French Court rejected Futura Internationale's appeal against the French DPA's decision.

Comment[edit | edit source]

The decision by the CNIL can be found here: CNIL - SAN-2019-010

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.


Council of State, 10th - 9th chambers combined, 03/01/2021, 437808, Unpublished in the Lebon collection
Council of State - 10th - 9th chambers combined

    No. 437808
    ECLI: FR: CECHR: 2021: 437808.20210301
    Unpublished in the Lebon collection

Monday reading, March 01, 2021
Reporter
    Ms. Myriam Benlolo Carabot 
Public reporter
    Mr. Alexandre Lallet 
Lawyer (s)
    SCP DE NERVO, POUPET 
Full Text
FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE

Considering the following procedure:

By a summary request and an additional memorandum, registered on January 21 and May 18, 2020 at the litigation secretariat of the Council of State, the company Futura Internationale asks the Council of State:

1 °) to cancel the deliberation n ° SAN-2019-010 of 21 November 2019 by which the restricted formation of the National Commission for Informatics and Freedoms (CNIL) pronounced against it a financial penalty in the amount of 500,000 euros and ordered the publication of its deliberation for a period of 2 years, before anonymization;

2) in the alternative, to significantly reduce the amount of the financial penalty;

3) to order the CNIL to pronounce the closure of the procedure, to note its compliance and to publish these elements in the same forms as the contested deliberation;

4 °) to charge the CNIL the sum of 6,000 euros under article L. 761-1 of the code of administrative justice.


Having regard to the other documents in the file;
Having regard to:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;
- Law n ° 78-17 of January 6, 1978;
- the code of administrative justice and decree n ° 2020-1406 of November 18, 2020;


After hearing in public session:

- the report Mrs. A ... B ..., master of the requests in extraordinary service,

- the conclusions of Mr. Alexandre Lallet, protractor public;

The word having been given, after the conclusions, to the SCP of Nervo, Poupet, lawyer of the company Futura Internationale;




Considering the following:

1. It results from the instruction that the National Commission for Informatics and Freedoms (CNIL), following a complaint alleging telephone canvassing on the part of the company Futura Internationale, despite opposition to the prospecting expressed both orally to the telephone operators and by letter addressed to the company's head office, on March 20, 2018, ordered a control mission at the premises of the company Futura Internationale. The president of the CNIL notified the company on October 2, 2018 of decision n ° MED-2018-039 of September 27, 2018 in which several breaches of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27 were identified. 2016 relating to the protection of natural personswith regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46 / EC (known as "RGPD"), relating to the excessive nature of the data processed, to cooperation with the Commission, to the 'information to individuals, respect for individuals' right to object and supervision of transfers of personal data outside the European Union. Futura Internationale was given notice to proceed, within two months, with the necessary modifications to ensure compliance with the GDPR. By deliberation n ° SAN 2019-010 of 21 November 2019, notified on 25 November 2019, the restricted formation of the CNIL imposed on Futura Internationale a fine of 500,000 euros,pronounced an injunction to bring the processing into conformity with the obligations resulting from articles 5, paragraph 1, point c), 12, 13, 14, 21 and 44 of the GDPR, injunction accompanied by a fine of 500 euros per day of delay the end of a period of one month following its notification, and decided to make the sanction public for a period of 2 years from its publication before anonymization.

2. First of all, it follows from the instruction that, if the breaches of the company were noted during the control mission carried out by the CNIL on March 20, 2018, i.e. before the entry into force, on of May 25, 2018, of the GDPR, they continued after this date, beyond the time limit set by the formal notice notified on October 2, 2018 to the company Futura Internationale and at least until the notification to the company, the June 11, 2019, of the report drawn up by the rapporteur commissioner. It is thus with good reason that the CNIL, noting the continuous nature of the breaches identified in the formal notice, considered the GDPR applicable to the facts of the case and assessed the breaches with regard to it. It sfollows that the plea based on the disregard by the CNIL of the constitutional principle of non-retroactivity of the more severe repressive law can only be rejected.

3. Secondly, under Article 83 of the GDPR: "1. Each supervisory authority shall ensure that administrative fines imposed under this article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive. / 2. (...) In deciding whether to impose an administrative fine and in deciding on the amount of the administrative fine, due account shall be taken , in each individual case, of the following: a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered; b) whether the violation was committed willfully or negligently;c) any measure taken by the controller or processor to mitigate the damage suffered by the data subjects; d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32; e) any relevant breach previously committed by the controller or processor; (f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating any negative effects thereof; g) the categories of personal data affected by the breach; h) how the supervisory authority became aware of the breach, including whether, and to what extent,the controller or processor notified the breach; (...) / 3. If a controller or a processor deliberately or negligently violates several provisions of this Regulation, within the framework of the same processing operation or related processing operations, the total amount of the administrative fine may not exceed the amount set for the most serious violation. / (...) 5. Violations of the following provisions shall be subject, in accordance with paragraph 2, to administrative fines of up to EUR 20,000,000 or, in the case of an enterprise, up to 4% of the total worldwide annual turnover for the previous financial year, whichever is greater: / a) the basic principles of a treatment,including the conditions applicable to consent under Articles 5, 6, 7 and 9 (...) ".

4. It follows from the investigation, and it is moreover not disputed, that the company Futura Internationale committed breaches of the obligation to process only adequate personal data, relevant and limited to what is necessary. with regard to the purposes of the processing, the obligation to inform the persons whose personal data has been collected, the obligation to respect their right to object, the obligation to cooperate with the authority of control and, finally, the obligation to regulate transfers of personal data outside the European Union.

5. The company argues that it had difficulties in meeting all the obligations of the law of January 6, 1978, then of the RGPD, which it implemented following the formal notice of the devices allowing the 'exercise of the right to object, that the failure to fulfill its obligation to cooperate with the CNIL is attributable to its advice and is not the result of a deliberate will and that in any event this failure ceased upon the engagement of the sanction procedure. However, on the one hand, the obligations it disregarded already existed before the entry into force of the GDPR and the company cannot therefore usefully invoke the difficulty of complying with new obligations and, on the other hand, the corrective measures. made during the procedurehave not effectively put an end to the shortcomings observed before the notification of the sanction report.

6. Having regard to the nature, seriousness and persistence of the breaches observed, in particular the excessive nature of the data collected, the lack of information for the persons concerned, the breach of their right to object, and the breach characterized by the obligation of cooperation with the supervisory authority, the restricted formation of the CNIL did not inflict a disproportionate sanction on Futura Internationale by pronouncing against it a financial penalty in the amount of 500,000 euros, representing 2.5% of its turnover in 2018, even though it had fallen by 25% compared to 2017 and the company's net profit was 180,000 euros in 2018, and matching it , to ensure its dissuasive character,an additional sanction consisting of its publication for a period of two years before its anonymization.

7. It follows from all of the foregoing that Futura Internationale is not justified in requesting the annulment of the deliberation it is attacking. Its conclusions for the purposes of injunction having become moot following the closure of the procedure by deliberation n ° SAN-2020-001 adopted by the CNIL on January 30, 2020, which noted the compliance of the company, its request must be rejected, including its conclusions tending to the application of article L. 761-1 of the code of administrative justice.




DECIDES:
--------------
Article 1: The request of the company Futura Internationale is rejected.

Article 2: This decision will be notified to the company Futura Internationale and to the National Commission for Informatics and Freedoms.

ECLI: FR: CECHR: 2021: 437808.20210301