CNIL (France) - SAN-2021-008

Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR; Article 13 GDPR; Article 17 GDPR; Article 32 GDPR; Article 82 Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés; Article L34-5 Code des postes et des communications électroniques
Type: Investigation
Outcome: Violation Found
Started:
Decided: 14.06.2021
Published: 17.06.2021
Fine: 500000 EUR
Parties: n/a
National Case Number/Name: SAN-2021-008
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: n/a

The CNIL fined a DIY company a total of €500,000 for violating Articles 5(1)(e), 13, 17, and 32 GDPR and for infringing national provisions concerning cookies and unsolicited commercial communications.

English Summary

Facts

On 13 November 2018, the French DPA (CNIL) carried out an inspection at the premises of Brico Privé, a DIY company, to examine the company's data retention periods, the information it provides to data subjects, its compliance with requests for the deletion of personal data, its data security measures, and its compliance with the obligation to obtain data subjects' consent before sending commercial prospecting by e-mail.

In order to complete its investigations, the CNIL carried out an online inspection of all processing accessible from the bricoprive.com domain on 6 February 2020.

On 13 January 2021, after the company indicated that it had changed the way cookies were placed, a CNIL delegation carried out a new online inspection of all processing accessible from the bricoprive.com domain in order to update the findings made on 6 February 2020.

Holding

The CNIL found that the controller had violated Articles 5(1)(e), 13, 17 and 32 GDPR by failing to comply with the obligation to determine and implement data retention periods, failing to inform web visitors about processing activities, failing to comply with the request for erasure of data, and failing to ensure appropriate security measures regarding authentication on the website and on the customer relationship management software used by the company's employees.

The CNIL also found that the controller had violated national provisions concerning cookies and unsolicited commercial communications.

With regard to Article 5(1)(e), the DPA found that the company had no retention policy in place governing the deletion of data. The company still held data from accounts that had been inactive for as long as five years.

With regard to Article 13, the controller did not provide on its website information such as the contact details of the data protection officer, the retention periods, the legal bases for processing, and certain rights that individuals enjoy under the GDPR.

With regard to Article 17, when users requested the deletion of their account, the company did not delete their data but only deactivated the account, which prevented the person from logging in and stopped unsolicited commercial communications but left the data in place.

With regard to Article 32, the DPA found that the level of data security was insufficient to meet the requirements concerning the robustness of passwords, for both user accounts and employee accounts.

With regard to cookies, the DPA found that several cookies that did not fall within the exemption for strictly necessary cookies were placed on the user's terminal as soon as they arrived on the site's home page, before any action on their part.

Additionally, the company was sending unsolicited commercial communications to users who had merely created an account, using their data for commercial purposes without having obtained their consent.

Therefore, the CNIL fined Brico Privé €300,000 for violating Articles 5(1)(e), 13, 17 and 32 GDPR and €200,000 for violating Article 82 of the loi n° 78-17 du 6 janvier 1978 modifiée relative à l'informatique, aux fichiers et aux libertés and Article 34(5) of the Code des postes et des communications électroniques (CPCE) – the national provisions concerning cookies and unsolicited commercial communications.

The CNIL also ordered the controller to bring its processing operations into compliance with the obligations resulting from Article 5(1)(e) GDPR and Article 34(5) of the CPCE, and in particular:

  • to cease retaining the personal data of former customers once a set period of inactivity has elapsed, and to purge such data already retained by the company,
  • to provide evidence of an intermediate archiving procedure for customers' personal data, established after sorting the data that must be kept from the data to be deleted, together with the starting point of such storage (e.g. for invoices kept for accounting purposes),
  • to cease sending unsolicited commercial communications to users who have not given their consent.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.