
CNIL (France) - SAN-2024-020

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 12 GDPR
Article 14 GDPR
Article 15 GDPR
Type: Investigation
Outcome: Violation Found
Started: 28.07.2022
Decided: 05.12.2024
Published: 19.12.2024
Fine: 240,000 EUR
Parties: KASPR
National Case Number/Name: SAN-2024-020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: ao

The DPA fined a Chrome browser extension provider €240,000 for the unlawful processing of personal data harvested from LinkedIn, concerning users who restricted their visibility on the platform.

English Summary

Facts

KASPR runs a Chrome browser extension which allows users to obtain the business contact details of people whose LinkedIn profile they have visited. On 28 July 2022, the French DPA (Commission nationale de l’informatique et des libertés – CNIL) carried out a compliance check of KASPR, the controller.

The investigation showed that approximately 160 million contacts were included in the controller’s database. These entries included the surname, first name, e-mail address, telephone number, LinkedIn profile URL or other social networks, employer, company, job title, skills, professional interest, career, date of hiring and end of post, training, place of work, source of data and date of collection.

Harvesting the data from LinkedIn and storage

On LinkedIn, users can choose between four different visibility options: 1 – Only visible to me, 2 – Anyone on LinkedIn, 3 – 1st degree connections and 4 – 1st and 2nd degree connections.

The controller collected the contact details of LinkedIn users who had made their details visible to everyone (Option 2) as well as those who had limited the visibility to 1st and 2nd degree connections (Options 3 and 4).

Providing information

Four years after the implementation of the KASPR tool, the controller notified data subjects by sending an email which informed them of the practice and gave the option to object to the processing by clicking on a link in the email. When data subjects filed access requests under Article 15 GDPR, the controller merely responded that their personal information was retrieved from publicly available sources.

The controller’s argument

The controller argued that the processing is based on its legitimate interest to facilitate connection between working professionals aligning with the intentions of data subjects active on LinkedIn. Further, it argued that identity verification should reasonably be expected by users of a professional networking service and that data was collected according to the selected options on LinkedIn.

Holding

No legal basis under Article 6 GDPR

The CNIL found that the processing of personal data taken from LinkedIn users who had limited their visibility lacked a legal basis. The CNIL highlighted that users who had selected options 3 and 4 had expressly limited the visibility of their contact details. The mere fact that users had limited, rather than entirely denied, access to their contact details did not authorise the controller to harvest this data, as users could not reasonably expect this processing to occur.

No clear data retention period adhered to under Article 5(1)(e) GDPR

The CNIL found that the controller's storage limitation policy entailed an automatic extension of the storage period and potentially led to an indefinite storage of personal data without a clear set storage limitation. According to the CNIL, this was not proportional and did not meet the requirements under Article 5(1)(e) GDPR.
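The retention finding turns on a mechanical point: if the retention clock restarts every time a record is touched (for example by a periodic re-import), a regularly refreshed record is never deleted, which is exactly the "automatic extension" the CNIL objected to. The following is an added illustration, not code from the decision or from KASPR; the three-year period, the record layout and the refresh cadence are constructed assumptions chosen to make the two policies comparable.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional

# Constructed retention period; the decision does not state one.
RETENTION = timedelta(days=1095)


@dataclass
class ContactRecord:
    contact_id: str
    collected_at: date      # first collection of the contact
    last_updated_at: date   # last time a re-import touched the record


def expiry_renewing(record: ContactRecord) -> date:
    """Weak policy: the retention clock restarts on every update."""
    return record.last_updated_at + RETENTION


def expiry_fixed(record: ContactRecord) -> date:
    """Corrected policy: the clock runs from first collection only."""
    return record.collected_at + RETENTION


def purge(records: List[ContactRecord], policy: Callable[[ContactRecord], date],
          today: date) -> List[ContactRecord]:
    """Return the records that may still be kept under the given policy."""
    return [r for r in records if today < policy(r)]


def deletion_date(policy: Callable[[ContactRecord], date], collected_at: date,
                  refresh_every_days: int, horizon: date) -> Optional[date]:
    """Simulate a record that is refreshed every N days and report the day it
    is deleted under `policy`, or None if it survives until `horizon`."""
    record = ContactRecord("constructed-1", collected_at, collected_at)
    day = 0
    while True:
        today = collected_at + timedelta(days=day)
        if today > horizon:
            return None
        if today >= policy(record):
            return today
        if day and day % refresh_every_days == 0:
            record.last_updated_at = today   # a re-import touches the record
        day += 1


if __name__ == "__main__":
    start, horizon = date(2018, 1, 1), date(2024, 12, 31)
    print("renewing, refreshed every 180 days:",
          deletion_date(expiry_renewing, start, 180, horizon))   # never deleted
    print("fixed,    refreshed every 180 days:",
          deletion_date(expiry_fixed, start, 180, horizon))      # deleted after 1095 days
```

The simulation shows the failure mode directly: under the renewing policy a record refreshed more often than the retention period is kept indefinitely, while the fixed policy deletes it on the same date regardless of how often it is updated. A retention policy is only auditable if its expiry date can be computed from the collection date alone.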

Failure to provide adequate transparency under Article 12 GDPR and information under Article 14 GDPR

In addition to the fact that the controller had only informed data subjects four years after it had begun processing their personal data, the CNIL criticised that the controller sent the email exclusively in English.

Failure to provide access to data under Article 15 GDPR

The CNIL found that the controller did not provide all available information as to the source of the data. Even if the controller could not trace the specific source of the data for each data subject, it was found to have been aware of some sources and should have disclosed these. The CNIL further criticised that these sources were not listed in the privacy policy.

For the above breaches of the GDPR, the CNIL issued a fine of €240,000. The CNIL ordered the company to bring its data processing into compliance within a six-month period (before 18 June 2025). Specifically, it ordered the controller to:

  • Stop collecting the data of LinkedIn users who had selected to limit the visibility of their contact details and to delete this data. If the controller cannot identify which users had limited their data visibility, it should inform all data subjects of the processing and the option to object to it within three months. The CNIL specified that the collected data must only be used for this purpose.
  • Cease the automatic renewal of the storage period pending a personal data update.
  • Inform data subjects of the processing in a language they understand.
  • Adequately respond to access requests and include all available information on the source of the personal data collected.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

The Commission nationale de l'informatique et des libertés, meeting in its restricted formation composed of Messrs Philippe-Pierre CABOURDIN, Chairman, Vincent LESCLOUS, Vice-Chairman, Ms Laurence FRANCESCHINI and Messrs Bertrand DU MARAIS and Alain DRU, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and the free movement of such data;
Having regard to Act no. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, as amended, in particular Articles 20 et seq;
Having regard to Decree no. 2019-536 of 29 May 2019, as amended, for the application of Law no. 78-17 of 6 January 1978 relating to information technology, files and freedoms;
Having regard to deliberation no. 2013-175 of 4 July 2013 adopting the rules of procedure of the Commission nationale de l'informatique et des libertés;
Having regard to decision no. 2022-104C of 21 June 2022 of the President of the Commission nationale de l'informatique et des libertés (French Data Protection Authority) to instruct the Secretary General to carry out, or have carried out, an audit of the processing operations implemented by the company KASPR;
Having regard to the report of Mr Fabien TARISSAN, reporting commissioner, notified to the company KASPR on 3 May 2024;
Having regard to the written observations submitted by counsel for KASPR on 13 June 2024;
Having regard to the rapporteur's reply to these observations, served on KASPR on 12 July 2024;
Having regard to the written observations submitted by counsel for KASPR, received on 19 August 2024;
Having regard to the oral observations made at the meeting of the restricted formation;
Having regard to the other documents in the file;
The following were present at the meeting of the restricted formation on 19 September 2024:
- Mr Fabien TARISSAN, commissioner, heard in his report;
As representatives of KASPR:
- [...].
KASPR having spoken last;
The restricted formation adopted the following decision:
I. Facts and procedure
1. Founded in 2018, KASPR (hereinafter ‘the Company’) has its registered office at 38 rue Dunois in Paris (75013) and its operational offices at 198 avenue de France in Paris (75013). The company has 32 employees. It generated sales of approximately EUR [...] in 2021, EUR [...] in 2022 and EUR [...] in 2023.
2. KASPR develops and markets an extension (hereinafter ‘the KASPR extension’) available from the ‘kaspr.io’ website and running on the CHROME browser, which enables users to obtain the professional contact details of people whose profiles they visit on the LinkedIn social network.
3. On 28 July 2022, following several referrals, and pursuant to Decision No. 2022-104C of 21 June 2022 of the President of the Commission nationale de l'informatique et des libertés (hereinafter ‘the CNIL’ or ‘the Commission’), the Commission's departments conducted a hearing inspection of the company's representatives.
4. The purpose of this audit was to verify the compliance of the personal data processing implemented by KASPR with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data (hereinafter ‘the GDPR’ or ‘the Regulation’), Law no. 78-17 of 6 January 1978 on data processing, data files and individual liberties (hereinafter ‘the Data Processing and Individual Liberties Law’) and, where applicable, with the provisions of Articles L251-1 et seq. of the French Internal Security Code.
5. By e-mail dated 9 August 2022, the company sent the CNIL a number of documents and responses requested by the Commission's departments as part of the investigations.
6. On 8 April 2024, for the purpose of investigating these items, the President of the Commission appointed Mr Fabien TARISSAN as rapporteur on the basis of Article 39 of Decree no. 2019-536 of 29 May 2019 implementing the Data Protection Act.
7. On 3 May 2024, at the end of his investigation, the rapporteur sent the company a report detailing the breaches of the GDPR that he considered to have occurred in this case.
8. This report proposed that the Commission's select committee impose an administrative fine on the company, as well as an injunction to bring the processing into compliance with Articles 5, 6, 12, 14 and 15 of the GDPR, together with a penalty payment at the end of a period of three months following notification of the select committee's decision. It also proposed that this decision be made public and that the company no longer be identified by name two years after its publication.
9. By e-mail dated 17 May 2024, the company requested additional time from the chairman of the restricted panel to produce its observations in response, which was granted on 23 May 2019, on the basis of Article 40, paragraph 4 of the Decree of 29 May 2019.
10. On 13 June 2024, the company submitted its observations in response to the rapporteur's report.
11. On 12 July 2024, the rapporteur replied to the company's observations.
12. On 19 August 2024 the company submitted further observations in response.
13. By letter dated 6 September 2024, the company received an invitation to attend the meeting of the select committee on the following 19 September.
14. The company and the rapporteur presented oral observations at the meeting of the restricted panel on 19 September 2024.
II. Reasons for the decision
A. On the processing in question
15. The KASPR tool is an extension for the CHROME browser which, when a person's profile on LinkedIn is visited, displays the professional contact details (telephone number and e-mail address) of natural persons in the KASPR database. To access this service, users must purchase and spend ‘credits’ to display the contact details of the desired person (the target). The number of credits available to the user is determined by the price of the subscription, which may be monthly or annual.
16. In this case, the Select Committee notes that the company processes the personal data of two distinct categories of people:
- the target persons, i.e. the persons whose professional details have been collected by the company from various sources, including the LinkedIn social network, and entered into its database;
- users of the KASPR extension, i.e. the company's customers whose subscription allows them to visit the LinkedIn profiles of the target persons in order, in particular, to obtain their professional details.
17. The purpose of the KASPR extension is to enable these users to contact the target persons, for example for commercial prospecting, recruitment or identity verification, using the professional contact details obtained. The only data that can be displayed by the extension when a LinkedIn profile is visited is the telephone number and email address. The data collected concerning the contact data of target persons is the surname, first name, email address, telephone number, URL of the LinkedIn profile or other social networks, employer, company, job title, skills, professional interests, career, date of hire and end of position, training, place of work, source of data and date of collection.
18. The Panel notes that the company collects data from three sources:
- ‘suppliers’ who themselves collect data from publicly accessible professional sources such as LinkedIn, Whois, GitHub;
- the directories of domain name registries, which can be used to search for information about an existing domain name and its owner;
- the import of a user's LinkedIn contacts when KASPR is activated. KASPR users synchronise the KASPR extension with their LinkedIn account. The delegation was informed that this makes it possible to retrieve the contact details available on LinkedIn of users' direct contacts but which are not necessarily visible to all visitors to the LinkedIn site. The KASPR extension thus makes it possible to make available, in the KASPR database, data that the LinkedIn contacts of KASPR users wanted to limit to their contacts within the professional social network.
19. Approximately 160 million contacts are included in the database created by the company, including precisely [...] in the European Union, Norway, Iceland and Liechtenstein, the geographical origin being determined by the workplace address.
B. Jurisdiction of the CNIL and application of the consistency mechanism
20. Article 3(1) of the GDPR provides that ‘This Regulation shall apply to the processing of personal data carried out in the course of the activities of an establishment of a controller or processor on the territory of the Union, whether or not the processing takes place within the Union’.
21. Under Article 56(1) of the Regulation, ‘the supervisory authority of the main establishment or sole establishment of the controller or processor shall be competent to act as lead supervisory authority with regard to cross-border processing carried out by that controller or processor, in accordance with the procedure laid down in Article 60’.
22. The criteria for determining whether a supervisory authority is concerned are set out in Article 4 (22) of the GDPR which provides that an authority is ‘concerned by the processing of personal data because:
(a) the controller or processor is established on the territory of the Member State to which that supervisory authority is subject;
(b) data subjects residing in the Member State of that supervisory authority are or are likely to be significantly affected by the processing; or
(c) a complaint has been lodged with that supervisory authority’.
23. The rapporteur considers that, pursuant to Article 3(1) of the GDPR, where the activities of the controller take place within the territory of the Union, the obligations contained in the GDPR apply to all data subjects affected by the processing, whether or not they are located within the European Union.
24. Furthermore, the rapporteur considers that, since the CNIL delegation noted the presence in the KASPR database of personal data of persons located in Sweden, Hungary and the Land of Saxony, these authorities are concerned.
25. In its defence, although the company does not contest the CNIL's status as the competent authority for determining whether the processing at issue complies with the GDPR, it maintains that the CNIL is not competent to rule, as the lead authority, on whether the processing of personal data of persons located in Hungary, Sweden and the Land of Saxony complies with the GDPR, since these authorities have declared that they are not concerned. Secondly, with regard to the territorial scope of the GDPR, the company considers that when assessing the number of people affected by the alleged breaches, it cannot take into account people located outside the European Union. The company argues that in its judgment of 24 September 2019, the Court of Justice of the European Union held, on the occasion of a preliminary ruling on the territorial scope of the right to dereference, that the GDPR could only produce effect within the territory of the European Union (CJEU, Grand Chamber, 24 September 2019, Google, n°C-507/17).
26. The restricted panel noted that KASPR's sole establishment was in France, that the processing at issue therefore took place in the context of the activity of that establishment, and that the CNIL was therefore the competent authority to examine the compliance of the processing with the GDPR, which was not disputed by the company.
27. In accordance with Article 56 of the GDPR, on 19 September 2023 the CNIL informed all the European supervisory authorities of its competence to act as lead supervisory authority with regard to the cross-border processing implemented by the company, a competence derived by the CNIL from the fact that the company's main establishment is in France. In this respect, the Select Committee notes that the form entitled ‘Article 56 - Identification of LSA and CSA’, sent to all the other European data protection authorities, is intended solely to enable the other authorities to be aware of the opening of a file by the lead authority and is not intended to conclusively determine their status as the authority concerned at this stage. Conversely, the Select Committee notes that the presence of data concerning persons established on the territory of a particular Member State is decisive in identifying the authorities concerned.
28. In this case, the CNIL's supervisory delegation noted that in addition to all the other contacts in the database, [...] contacts in the KASPR database are located in Sweden, [...] contacts are located in Hungary and [...] contacts are located in Germany. All European authorities are therefore concerned within the meaning of Article 4(22) of the Regulation.
29. Thus, the Select Committee considers that the criterion set out in Article 4(22)(b) of the GDPR is indeed met in this case, since it has been found that ‘data subjects residing in the Member State of that supervisory authority are or are likely to be significantly affected by the processing operation’.
30. In addition, the Select Committee points out that a data controller whose establishment is located within the territory of the European Union is required to comply with the GDPR in respect of all persons whose data it processes, without making any distinction between persons according to their location. The restricted formation observes that the facts at issue in the present case differ from those referred to in the CJEU judgment on dereferencing.
31. At issue was the necessary balance between, on the one hand, the right to respect for the private life of a person located on the territory of the European Union and, on the other hand, the right to information of a person located outside the European Union, who is therefore not a data subject since his or her data were not processed. This person was a third party to the processing operation. In this case, however, the data of individuals outside the territory of the European Union is collected and processed by KASPR, which is subject to compliance with the GDPR. Thus, under the terms of Article 83(2)(a), account should be taken of the fact that the company processes 160 million contacts, it being specified that the same natural person may correspond to several contacts.
32. Pursuant to Article 60(3) of the GDPR, the draft decision adopted by the Select Committee was forwarded to the other competent European supervisory authorities, with a view to enabling them to make relevant and reasoned objections to the processing operations and breaches that concern them, on 5 November 2024.
33. As at 4 December 2024, none of the supervisory authorities concerned had raised relevant and reasoned objections to this draft decision regarding the breaches identified, so that, pursuant to Article 60(6) of the GDPR, they are deemed to have approved it.
C. Breach of the obligation to have a legal basis (Article 6 of the GDPR)
34. Under Article 6 of the GDPR, ‘1. Processing shall be lawful only if, and insofar as, at least one of the following conditions is fulfilled:
(a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the data subject's request; or
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require the protection of personal data prevail, in particular where the data subject is a child’.
35. Recourse to the legal basis of legitimate interest, pursuant to Article 6(1)(f) of the GDPR, as a legal basis for processing is subject to three conditions: the interest pursued must be legitimate, it is necessary to process the personal data for the purposes of the legitimate interests pursued and the processing must not adversely affect the rights and interests of the persons whose data are processed, taking into account their reasonable expectations.
36. By way of illustration, with regard to the legal basis for the legitimate interest, Recital 47 of the GDPR states that such an interest may ‘constitute a legal basis for the processing, unless the interests or fundamental rights and freedoms of the data subject prevail, having regard to the reasonable expectations of data subjects based on their relationship with the controller. Such a legitimate interest could, for example, exist where there is a relevant and appropriate relationship between the data subject and the controller in situations such as those where the data subject is a customer of, or in the service of, the controller’.
37. The rapporteur points out that the failure to comply with Article 6 of the GDPR described in the penalty report relates only to data collected via the LinkedIn social network - in the case of individuals who wished to restrict the display of their contact details - and not to other sources of data collection. It considers that the provision of the contact data of the target individuals by the company KASPR to its users when they had chosen not to make them public to everyone exceeds what individuals who register on a professional social network such as LinkedIn can reasonably expect.
38. In its defence, the company considers that the processing is founded on the legal basis of legitimate interest, since LinkedIn users register on that social network in order to benefit from being put in touch with other professionals, and that it is therefore not necessary to obtain their consent. It also maintains that the need to verify identity is part of the reasonable expectations of professionals in a context of increasing risks regarding the validity of digital profiles. However, it considers that the risks of phishing and identity theft raised by the rapporteur are in fact lacking and do not take into account the guarantees put in place by KASPR. The company points out that the KASPR extension deals with professional contact details and is fed by legitimate public professional sources other than LinkedIn. The company adds that the validity of this legal basis for the benefit of KASPR cannot be limited to consideration of its sole and exclusive interest and cites a CNIL publication entitled ‘La prospection commerciale par courrier électronique, Pour les professionnels (B to B)’ dated 18 May 2009, which states that ‘prospection aimed at professionals can (perfectly) be based on the legitimate interest of the organisation’.
39. Finally, the company points out that contact data is collected in accordance with the choices expressed by users of the LinkedIn social network. It states in its latest letter that users have the option of making their contact details visible via the settings in the LinkedIn interface, by choosing from four options: 1) ‘visible only to me’, 2) ‘Everyone on LinkedIn’, 3) ‘1st level relations’ and 4) ‘1st and 2nd level relations’. The company explains that it is only in these last two cases, where the user makes their email address visible to their first- and second-level contacts, that it collects the data. When people have chosen option no. 1 ‘only through me’, their data is not collected.
40. As a preliminary point, the Select Committee specifies that the breach described below concerns the personal data collected on the LinkedIn social network of target individuals who have chosen to limit or hide the visibility of their contact details. In response to one of the company's arguments, the panel also noted that the fact that the database at issue consisted solely of the ‘professional’ contact details of the target persons had no bearing on the ‘personal’ nature of that data when it related to natural persons, in accordance with the well-established case law of the Court of Justice of the European Union (see, in particular, CJEU, 9 November 2010, Volker and Others, Case C-92/09 and C-93/09, pt. 59).
41. With regard to the interest pursued - in that it is commercial in nature and is consubstantial with the company's business model - the restricted formation considers that it can be described as legitimate and that the data collected for the purposes of these interests may appear necessary, an interest that may also extend to KASPR's customers who actually benefit from an interest in using these contacts for commercial prospecting or recruitment.
42. This legitimate interest pursued by the company must be considered in the light of the balancing of the interests, freedoms and fundamental rights of the data subjects and the legitimate interests pursued by the company. The Select Committee points out that in order to found processing on the basis of legitimate interest, the processing must not adversely affect the rights and interests of the persons whose data are processed, taking into account their reasonable expectations.
43. In the present case, the Select Committee considers that when individuals exercise their freedom of choice by restricting the visibility of their personal data, that choice is necessarily binding on third parties. Thus, if a professional who is registered on LinkedIn chooses to restrict the visibility of his contact details, it cannot be argued that the collection of his data by the company KASPR is among that person's reasonable expectations.
44. The restricted formation observes that it is apparent from the LinkedIn settings interface that if the target persons who chose to restrict the visibility of their contact details had really wanted their professional contact details to appear to everyone, they would have chosen to activate the setting allowing their contact details to be visible to all users. In the present case, it considers that the fact that the target persons chose to hide their contact details amounts to a form of opposition, an indispensable corollary of the legitimate interest, which must be taken into account by the company, which thus has no legitimate interest in collecting the hidden contact details.
45. Thus, by revealing the data of target persons to persons unknown to them when they had chosen to restrict the visibility of their contact details (1st and/or 2nd level relationships), the company goes directly against their ‘reasonable expectations’, within the meaning of Recital 47 of the GDPR. Furthermore, the Select Committee notes that the company's impact assessment shows that since the processing is invisible, the target individuals may ‘not be aware that KASPR or the end users of the profile data have collected their data’. Finally, while the company maintains that it has taken measures to limit the risk to individuals in its impact assessment, the Select Committee notes that the latter does not consider the case of target individuals whose data is collected even though they had chosen to hide the visibility of their contact details. It has therefore not taken any measures to limit the risk of infringement of the rights of target individuals.
46. Contrary to what the company maintains, it cannot be argued that the target persons, by authorising some of their contacts to see their contact details, intended by that action to authorise KASPR to collect such data. In that sense, there is no ‘relevant and appropriate relationship’ within the meaning of the above-mentioned recital between the target persons and the company, in that they are not users of the KASPR extension but merely contacts of KASPR customers who use the extension.
47. Furthermore, the Select Committee notes that several complainants who have been canvassed by users of the KASPR extension, either electronically or by telephone, have informed the Commission's departments of their questions about the basis and legitimacy of the company's collection and provision of their personal data.
48. Although not carried out by the company, this canvassing is made possible by the KASPR extension, which reveals to its users the contact details of the target persons in its database and leads some of its user customers to carry out this canvassing. In addition, although the company maintains that the contact details of the persons canvassed may have been collected from sources other than LinkedIn, this circumstance has no bearing on the nature of the breach in that the company was not justified in collecting the data of persons who had chosen to restrict their visibility.
49. The restricted formation emphasises that LinkedIn's privacy policy precisely insists on the fact that the data processed from its social network is processed in accordance with the users' preferences: “All the data that you include in your profile or in the content that you publish, as well as your actions on the social networks (...) carried out on our Services, are visible to other people according to your preferences”.
50. In light of all these factors, the Restricted Panel considers that the interests or the fundamental rights and freedoms of the data subjects, in particular their right to privacy, took precedence over the data controller's legitimate interest in processing their data in order to ensure the operation of its extension, so that the legal basis of the company's legitimate interest cannot be accepted.
51. Finally, with regard to the other legal bases, the Restricted Panel notes that the individuals whose contact data was collected never consented in any way to the collection of their contact data, nor to its transmission to the company to ensure the operation of the KASPR extension.
52. It also points out that there is no contract between the persons concerned and KASPR, which is not disputed by the company.
53. Thus, the Restricted Panel considers that neither the legal basis of consent, nor that of the contract, nor any other legal basis (compliance with a legal obligation, safeguarding the vital interests of the data subject or performance of a task in the public interest), appears to be a valid legal basis for the processing at issue.
54. It follows from the foregoing that the collection of contact data through the import of the LinkedIn contacts of users who have decided not to make their contact data visible to all other users, used to populate the KASPR extension database, lacks a legal basis, so that a breach of Article 6 of the RGPD is constituted.
D. Failure to comply with the obligation to define and respect a data retention period proportionate to the purpose of the processing (Article 5(1)(e) of the GDPR)
55. Under Article 5(1)(e) of the GDPR, personal data must be ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (...)’.
56. Pursuant to these provisions, it is up to the data controller to define a retention period in line with the purpose of the processing. Once this purpose has been achieved, the data must be deleted or rendered anonymous, or be archived for a specific period of time when its retention is necessary, for example to comply with legal obligations or for pre-litigation or litigation purposes.
57. As a preliminary point, it should be noted that the company collects and retains, on the one hand, the contact data of target persons and, on the other hand, the data of users of the KASPR extension which are used by the company for commercial prospecting purposes.
58. The rapporteur notes that although the extension was created in 2018, at the hearing on 28 July 2022 the CNIL was informed that KASPR had not yet formalised a data retention policy. It was only during this adversarial procedure that the company stated that it had been considering its data retention policy since July 2021.
59. With regard to KASPR's customers, the rapporteur considers that, until the company redefined its updated confidentiality policy in June 2024, it kept customers' data for commercial prospecting purposes indefinitely as long as they had not objected. He considered that this was incompatible with the principle of keeping data for a proportionate period.
60. He went on to point out, with regard to target individuals, that the company had not defined a retention period policy at the time of the Commission's hearing on 28 July 2022 and that, in any event, the company was not justified in retaining the data of target individuals indefinitely, at the risk of causing these individuals to lose control of their data irretrievably.
61. The company maintains, with regard to KASPR customers, that the starting point for the period of retention of their data for commercial canvassing purposes is automatically renewed at each subscription expiry date until the customers cancel their subscription. It specifies that it now keeps the data for three years from the end of the subscription, and has done so since KASPR drafted the note on data retention in July 2021.
62. The company maintains, with regard to the target persons, that the retention of such data is at the heart of the service offered by KASPR through its extension and that it has now provided for a data retention period of five years that begins to run with each periodic update of the personal data of the target persons.
63. As a preliminary point, the Restricted Panel emphasises that the breach of Article 5(1)(e) does not concern the data of the individuals who, as just stated in paragraphs 40 to 50, were processed without a valid legal basis; that data should not have been entered in and kept in the database in the first place.
64. Firstly, the Restricted Panel notes, with regard to KASPR's customers, that on the day of the inspection, the company's confidentiality policy clearly indicated that customers' data were kept for commercial prospecting purposes until they objected. However, the restricted panel observed that such storage must necessarily be limited in time and that the company could not be satisfied with a lack of opposition from users to keep their data indefinitely after the end of the commercial relationship.
65. The Restricted Panel nevertheless notes that in its written submissions, the company indicated that the confidentiality policy in force on the date of the checks did not reflect the company's practice. In this regard, it produced internal documents in which the company indicated, on the one hand, that it applied a retention period of three years from the end of the commercial relationship and, on the other hand, that it purged data that had reached that retention period.
66. The Restricted Panel therefore considers that, with regard to the retention of the company's customer data, there has been no breach of Article 5(1)(e).
67. Secondly, with regard to target persons whose data were not collected unlawfully [i.e. persons who chose to leave their contact details visible on LinkedIn], the Restricted Panel does not dispute the need for the company to retain the data of target persons who did not object to the processing of their data insofar as their disclosure to the company's customers constitutes the principle of the processing. It notes, however, that the company initially stated in its privacy policy that it would keep the data indefinitely and that it was only in 2021, three years after the processing was implemented, that the company began to redefine its retention period policy.
68. In any event, the restricted panel notes that the retention policy established by the company after the inspection provides that the data are retained for 5 years from each update of the data, which generally occurs when a person changes position or employer.
69. However, the restricted panel notes that for individuals who change jobs or employers within a period of less than 5 years, this renewal of the retention period leads to a disproportionate retention of their data.
70. The restricted panel considers that this automatic ‘dynamic’ retention is not compatible with compliance with the principle of proportionate retention.
71. Indeed, the target individuals are not users of the service offered by KASPR and have no relationship with the data controller. The data subjects are therefore passive vis-à-vis the processing and captive to it, since they do not choose to be included in the database.
72. The Restricted Panel emphasises that, unlike persons who have created an online account on a social network or an e-commerce site and for whom it is possible to determine when they became inactive, it is not, by nature, possible to determine such a time for the persons whose data KASPR processes.
73. Although the company explains that since 18 May 2022 it has set up an information campaign by e-mail that allows people to object to the processing of their data and therefore to put an end to it, the restricted panel notes that for people in the situation described in point 70, sending this message has so far been the only opportunity for them to express their wish to no longer appear in the company's database. In cases where individuals do not object to processing on receipt of this message, the company will keep their data indefinitely.
74. Thus, the restricted panel considers that the company should cease the automatic dynamic renewal of the retention of the personal data of the target persons so that KASPR does not retain their data indefinitely, but for five years at most.
75. It follows from the foregoing that the retention policy defined by the company is not proportionate with regard to the specific features of the processing, which constitutes a breach of Article 5(1)(e) of the GDPR.
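To make the difference between the two retention schemes in paragraphs 68 to 74 concrete, here is an added Python example (not part of the decision or of KASPR's systems) that computes the purge date of one target person's record under the "dynamic" five-years-from-last-update policy of paragraph 68 and under a fixed five-year cap as required in paragraph 74. The record, the job-change dates, and the choice of first collection as the starting point of the cap are constructed assumptions of this example.

```python
from datetime import date
from typing import Iterable, Union

RETENTION_YEARS = 5  # the five-year period discussed in paragraphs 68 and 74

DateLike = Union[date, str]  # ISO "YYYY-MM-DD" strings are accepted for convenience


def _to_date(d: DateLike) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_years(d: DateLike, years: int) -> date:
    """Calendar-year addition; a 29 February start rolls back to 28 February."""
    d = _to_date(d)
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def purge_date_dynamic(event_dates: Iterable[DateLike]) -> date:
    """The 'dynamic' policy KASPR adopted after the inspection (para. 68):
    five years from the most recent update of the record, so every update
    (typically a job or employer change) restarts the clock."""
    return add_years(max(_to_date(d) for d in event_dates), RETENTION_YEARS)


def purge_date_capped(first_collected: DateLike) -> date:
    """The capped policy the Restricted Panel requires (para. 74): five years
    at most. Counting from first collection is this example's assumption;
    later updates do not move the date."""
    return add_years(first_collected, RETENTION_YEARS)


def still_retained(as_of: DateLike, first_collected: DateLike,
                   update_dates: Iterable[DateLike], policy: str) -> bool:
    """Is the record still held on `as_of` under the named policy?"""
    if policy == "dynamic":
        deadline = purge_date_dynamic([first_collected, *update_dates])
    elif policy == "capped":
        deadline = purge_date_capped(first_collected)
    else:
        raise ValueError(f"unknown policy: {policy}")
    return _to_date(as_of) < deadline


def simulate_job_hopper(first_collected: DateLike, years_between_changes: int,
                        check_after_years: int):
    """Constructed scenario: a target person who changes employer every
    `years_between_changes` years, each change refreshing the record.
    Returns (retained under dynamic policy, retained under capped policy)
    as of `check_after_years` years after first collection."""
    updates = [add_years(first_collected, k)
               for k in range(years_between_changes, check_after_years + 1,
                              years_between_changes)]
    as_of = add_years(first_collected, check_after_years)
    return (still_retained(as_of, first_collected, updates, "dynamic"),
            still_retained(as_of, first_collected, updates, "capped"))


if __name__ == "__main__":
    # Constructed record: first scraped 2018-06-01, job change every three years.
    # Under the dynamic policy the record is still held twenty years later;
    # under the cap it was purged in 2023.
    print(simulate_job_hopper("2018-06-01", 3, 20))  # (True, False)
```

A person whose job changes are more than five years apart does lapse under the dynamic policy, which is why paragraph 69 confines the disproportion to those who change jobs within five years.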
E. On the breach of the obligation of transparency and information to individuals (Articles 12 and 14 of the GDPR)
76. Article 12(1) of the GDPR provides that ‘the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to make any communication under Articles 15 to 22 and Article 34 regarding the processing to the data subject in a concise, transparent, comprehensible and easily accessible manner, in clear and simple language, in particular for any information specifically addressed to a child. The information shall be provided in writing or by other means including, where appropriate, by electronic means’.
77. Article 14 of the GDPR provides that where personal data have not been obtained from the data subject, the controller shall provide the data subject with the information referred to in that Article ‘within a reasonable time after obtaining the personal data, but not exceeding one month, having regard to the specific circumstances in which the personal data are processed’.
78. Thus, under this article, the controller must provide the data subject with information on the identity and contact details of the controller (and, where appropriate, the contact details of the data protection officer), the purposes of the processing operation, its legal basis, the categories of personal data concerned and, where appropriate, the recipients or categories of recipients of the data, the fact that the data controller intends to transfer the data to a third country and, if necessary to guarantee fair and transparent processing, how long the data will be kept, the existence of the various rights enjoyed by individuals, including the right to ask the data controller for access to personal data, the right to rectify personal data or the right to object to processing, the source from which the data originates and whether automated decision-making is used.
79. Under paragraph 5(b) of the same article, however, this obligation to provide information does not apply where ‘the provision of such information proves impossible or would require a disproportionate effort’ or where compliance with the obligation to provide information ‘is likely to make impossible or to seriously compromise the achievement of the purposes of the processing’.
80. In its transparency guidelines of 29 November 2017 revised on 11 April 2018, the Article 29 Data Protection Working Party points out that ‘Articles 13 and 14 refer to the obligation imposed on the controller to “[provide] all the following information...”. The word ‘provide’ is crucial here. It means that the controller must take concrete steps to provide the information in question to the data subject or to actively direct the data subject to the location of that information’. The guidelines thus state that ‘The data subject should not have to actively search for the information covered by these articles among other information such as the terms of use of a website or application’ (point 33).
81. The rapporteur notes, with regard to the obligation to provide information, that it was not until 18 May 2022 that the company began to inform data subjects that their personal data had been collected in an English-language e-mail with a link allowing them to object to the processing. The rapporteur considers, however, that the company was in a position to inform target individuals, as soon as the application was deployed, that their data were being processed, since the data it collects include an e-mail address.
82. The rapporteur then points out, with regard to the obligation of transparency, that the information provided in the information e-mail sent out since 18 May 2022 is written exclusively in English, which does not make it possible to provide valid information to people who do not master that language.
83. In its defence, the company submits that between 2018 and 2022, i.e. between the creation of the extension and the implementation of information emails relating to the processing, individuals were informed via the LinkedIn and KASPR privacy policies, and that if the communication implemented on 18 May 2022 was only available in English, that does not constitute a breach of the obligation of transparency since the KASPR extension is used by a public of professionals for whom that language can be considered to be commonly used within the European Union.
84. As a preliminary point, the Restricted Panel emphasises that the breach of Articles 12 and 14 does not concern the information of persons whose data has been collected unlawfully, as set out in paragraphs 40 to 50, the obligation to inform these persons being, as a result, without object. The Restricted Panel notes, however, that insofar as the company did collect this data (which it wrongly considered to be lawful), it did not inform these data subjects either.
85. The restricted panel noted first of all, with regard to the obligation to inform, that the data of the target individuals had been collected and processed for almost 4 years, without any information being sent to them by the company, the latter only providing in its impact assessment since July 2022 that it ‘notifies all data subjects present in its database in compliance with its obligations under Article 14 of the GDPR and sets up a team dedicated to managing access requests within the time limits set’.
86. The restricted formation considers that the company cannot rely on its privacy policy or that of LinkedIn to consider that it has fulfilled its obligation to provide information to the data subjects concerned by the processing. In this regard, the restricted panel noted that in its privacy policy, LinkedIn states that ‘All of the data that you include in your profile or in the content that you publish, as well as your actions on social networks (...) carried out on our Services, are visible to other people according to your preferences’. However, KASPR's practice of making data accessible that a user wished to keep ‘private’ goes against their wishes. KASPR's confidentiality policy does not provide any specific information about the source of the data collected, stating only that ‘We collect this data from public sources, professional directories and our partners from time to time’.
87. Secondly, with regard to the obligation of transparency, the Restricted Panel considers that informing people whose contact details are processed by means of an e-mail available only in English does not meet the requirement of providing transparent information set out in Article 12 of the Regulation (CNIL, FR, 29 December 2023, Sanction, No. SAN 2023-023). The Restricted Panel recalls that according to the guidelines of the ‘Article 29’ Working Party on transparency within the meaning of Regulation (EU) 2016/679, adopted on 11 April 2018, a key aspect of the principle of transparency is that ‘the data subject should be able to determine in advance what the scope and consequences of the processing encompass so as not to be caught off guard at a later stage as to how his or her personal data have been used’ and that ‘A translation into one or more languages should be provided where the controller targets data subjects who speak those languages’.
88. In the present case, while the company maintains that the professionals whose data is collected have a good command of English if they work within the European Union, the restricted formation considers that the mere fact that these people are registered on the social network and work in a European Union country does not prejudge their level of English. Anyone can register on LinkedIn without necessarily working in a profession that requires the use of English, as the Dutch data protection authority recently pointed out in the context of a breach of the transparency obligation against the companies Uber Technologies Inc. and Uber BV. The authority considered that the controller is obliged to translate the information provided to the persons whose data are processed into a language that they understand, and that it is not possible to prejudge their level of English (Dutch data protection authority, 11 December 2023, Uber Technologies Inc. and Uber BV).
89. In the case in point, the lack of information that individuals could understand meant that, until information was made available in several languages, as the company stated in its second observations, they were unable to object to the processing and therefore to the inclusion of this data in the company's database.
90. While the company noted that some complainants had sent their request to exercise their rights in English, the restricted panel pointed out that it is not possible to presuppose the level of English of every person whose contact is present in the KASPR database, and noted in this respect that even when the complainants had addressed the company in French, the latter had replied in English.
91. Finally, the Restricted Panel notes that the company indicated for the first time in its observations filed on 19 August 2024 that it now allowed individuals to select the language of their choice regarding the KASPR information email and privacy policy in order to read them in French, Spanish, Dutch or German, without however specifying the date on which this option was implemented, or why these documents were not made available in all the languages spoken within the European Union.
92. It follows from the foregoing that between 2018 and 2022 no information was provided to target persons who had not restricted the visibility of their data and that since 2022 information has been provided in English, which does not meet the requirement of transparency, so that there is a breach of Articles 12 and 14 until the possibility for persons to select the language of their choice is introduced.
F. Failure to comply with the obligation to comply with requests to exercise the right of access (Article 15 of the GDPR)
93. Under Article 15(1)(g) of the Regulation, ‘the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him or her are being processed and, where such data are processed, access to them and, [...] where the personal data have not been obtained from the data subject, any available information as to their source’.
94. Article 12(4) of the GDPR provides that ‘the controller shall provide the data subject with information on the measures taken in response to a request made pursuant to Articles 15 to 22 as soon as possible and in any event within one month of receipt of the request’.
95. The rapporteur notes that it appears from several referrals that complainants who have been canvassed and who have questioned KASPR about the origin of the data have not received any precise reply from the company, which has merely told them that the data were available from publicly accessible sources.
96. The rapporteur considers that, since the company is able to identify some of the sources used to collect the data in its database, it should have cited the possible sources of collection in the context of the access requests, even if it was unable to tell the complainants the precise source from which the personal data concerning them was collected.
97. In its defence, the company argues that the inclusion of complaints made after the hearing infringes the rights of the defence in that it was only when preparing its observations in response to the rapporteur's report that it had the opportunity to demonstrate how those complaints had been handled.
98. The company added that, prior to January 2022, it did not have the technical capacity to trace separately the various categories of data sources included in the KASPR database, and that it was not in a position to do so retroactively from January 2022.
99. The restricted formation considers, firstly, that the company had the necessary time and facilities to provide any evidence likely to demonstrate the outcome of the complaints communicated by the rapporteur in support of his initial report. It considered that there had been no infringement of the rights of the defence, as the breaches had occurred before the penalty was imposed.
100. Secondly, the Restricted Panel considers that the company must be able to indicate ‘any available information as to the source’ of the data it holds on individuals pursuant to the aforementioned Article 15, in particular where the individual's business telephone number was obtained, if it has this information. In the present case, it is clear from the referrals that the complainants questioned how the company had obtained their contact details, but were not given a precise answer, the company merely stating that the data was available from publicly accessible sources. While the company maintained that, in accordance with the EDPS Guidelines on the rights of data subjects - right of access n°01/2022 of 28 March 2023, it had responded to access requests by setting up a second-level referral mechanism to more precise information, the restricted panel noted that the same guidelines, which set out an example, stated that: ‘If it is not possible to determine ex ante which of the companies will be involved in the processing, it is sufficient to mention the names of the eligible companies in the privacy policy. In the context of a request based on Article 15, in addition to the information according to which information relating to solvency has been obtained, it would then be necessary (a posteriori) to indicate exactly which companies have been involved. It is clear from Article 15(1)(g) that information on data processing includes ‘any available information as to its source’ where the personal data are not obtained from the data subject.
101. The restricted formation considers that although the company could provide the information required by the aforementioned Article 15 in the context of second-level information, i.e. by including a link in the information e-mail referring to the KASPR website and in particular to its data confidentiality policy, this is not sufficiently precise in view of the information available to the company on the sources of the data. The privacy policy in force at the time of the company's response to the complainants states, with regard to the origin of the personal data of target individuals: ‘We collect this data from public sources, professional directories and our partners on an ad hoc basis’. However, it is clear from the documents in the file that KASPR has precisely identified some of the sources that feed its database.
102. In fact, it indicated to the inspection delegation three main sources of data (point 19), which are now referred to in the latest version of its confidentiality policy: ‘We collect this data from social networks such as LinkedIn, professional directories such as Whois and GitHub and from our data suppliers from time to time’.
103. However, the Restricted Panel considers that the reference to ‘our data suppliers from time to time’ does not provide any details about the various ‘suppliers’ referred to in this case and considers that once KASPR is aware of the various precise sources, it is up to it to provide information about them.
104. The company was therefore in a position to provide more information to the complainants about the sources of the data, even though it was not in a position to tell the complainants the precise source.
105. The restricted panel recalls that the purpose of the right of access is to enable the data subject to become aware of the processing of his or her data and to verify its lawfulness. Exercising this right therefore presupposes that the information provided is as accurate as possible (CNIL, FR, 30 November 2022, Sanction, No. SAN 2022-022).
106. It follows from the foregoing that the company did not inform the target persons who exercised their right of access about the source from which it had collected their data, so that a breach of Article 15 of the GDPR is constituted.
II. Corrective measures and publicity
107. Under Article 58(2) of the GDPR, ‘Each supervisory authority shall have the power to adopt any of the following corrective measures: [...]
(c) order the controller or processor to comply with requests made by the data subject to exercise his or her rights under this Regulation;
(d) order the controller or the processor to bring the processing operations into conformity with the provisions of this Regulation, where appropriate, in a specific manner and within a specific period of time; [...]
(e) order the controller or the processor to carry out the processing operations in accordance with the provisions of this Regulation, where appropriate, in a specific manner and within a specific period of time; [...]
(i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the specific features of each case’.
108. Paragraph III of Article 20 of the amended Act of 6 January 1978 provides that: ‘when the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Act, the Chairman of the Commission nationale de l'informatique et des libertés may [...] refer the matter to the Commission's restricted panel with a view to pronouncing, after adversarial proceedings, one or more of the following measures: [...]
2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Act, or to comply with requests made by the data subject to exercise his or her rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment, the amount of which may not exceed €100,000 per day of delay from the date set by the restricted panel; [...]
7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding €10 million or, in the case of a company, 2% of the total annual worldwide turnover for the previous financial year, whichever is greater. In the cases referred to in Article 83(5) and (6) of Regulation (EU) 2016/679 of 27 April 2016, these ceilings are raised to €20 million and 4% of the said turnover respectively. In determining the amount of the fine, the Restricted Panel shall take into account the criteria specified in the same Article 83.’
109. Article 83 of the GDPR further provides that ‘each supervisory authority shall ensure that the administrative fines imposed [...] are, in each case, effective, proportionate and dissuasive’, before specifying the factors that must be taken into account in deciding whether to impose an administrative fine and in deciding the amount of that fine.
110. In determining the amount of the fine, the restricted panel must take into account criteria such as the number of violations, their nature and seriousness, the number of persons concerned and the financial benefits obtained as a result of the breach.
111. The company argues that its processing is legitimate, that the imposition of a fine is unfounded in the absence of actual breaches and that the imposition of a fine would be tantamount to refusing to take into account compliance measures that already exist. The company then argued that the amount of the fine was disproportionate to the seriousness of the breaches and KASPR's behaviour, which should constitute a ‘mitigating factor’. Lastly, the company maintains that the proposed injunction is devoid of purpose and that publicising the penalty would be counterproductive with regard to a company that has invested in a GDPR compliance process.
112. In the first place, the restricted panel points out that, while the imposition of an administrative fine is conditional on the establishment of a culpable breach on the part of the body being prosecuted, that fault may arise from deliberate conduct but also from negligence, pursuant to subparagraph (b) of Article 83(2) of the GDPR (CJEU, Grand Chamber, 5 December 2023, Deutsche Wohnen SE and Others, C-807/21; CJEU, Grand Chamber, 5 December 2023, Nacionalinis visuomenės sveikatos centras prie Sveikatos apsaugos ministerijos and Others, C-683/21).
113. The restricted formation considers that, in the present case, the breaches committed by the company reveal definite negligence on its part. In fact, the restricted panel emphasised, on the one hand, that the rules set out in this decision are the subject of settled interpretation by the CNIL. For example, the Restricted Panel has already ruled on the right of access, stating that the information provided must be as precise as possible (CNIL, FR, 30 November 2022, Sanction, No. SAN 2022-022), but also on the obligation of transparency by considering that informing people whose details are processed by an email available only in English does not meet the requirement of providing transparent information set out in Article 12 of the Regulation (CNIL, FR, 29 December 2023, Sanction, No. SAN 2023-023). On the other hand, the Restricted Panel noted that the multiplicity of breaches demonstrated negligence in the implementation of the processing carried out by the company.
114. Secondly, the Restricted Panel considers that the criterion set out in Article 83(2)(a) of the GDPR relating to the nature, seriousness and duration of the breach should be applied, taking into account the nature and scope of the processing and the number of data subjects.
115. The Restricted Panel notes first of all that breaches of Articles 5(1)(e) and 6 of the GDPR concern the fundamental principles of data protection and may therefore be subject to a fine of up to €20 million or 4% of the company's annual turnover for the previous financial year - the maximum amount provided for in the legislation - pursuant to Article 83(5) of the GDPR. In this respect, Guidelines 04/2022 on the calculation of administrative fines under the GDPR adopted on 24 May 2023 by the European Data Protection Committee point out that ‘through this distinction, the legislator has given an initial indication of the seriousness of the breach, in an abstract manner. The more serious the breach, the higher the fine is likely to be’ (point 50).
116. The restricted formation then notes, as it explained in paragraph 31 of this deliberation, that the breaches of Articles 5(1)(e), 12 and 14 identified are likely to concern a large number of people, as the KASPR database included nearly 160 million contacts on the day of the inspection, since all of the contacts present in the KASPR database should be taken into account, as they are persons protected by the GDPR.
117. The restricted panel also emphasises that for people who have decided not to post their contact details on LinkedIn, the processing presents a particularly strong infringement of people's rights insofar as it goes against their wish to keep this data private in order, in particular, to canvass them, as corroborated by the various complaints received by the Commission's departments.
118. This uncertainty about the extent of the breach of the confidentiality of their data is compounded by the inconvenience caused by these untimely canvassings, as denounced by the complainants in the referrals received by the Commission.
119. Finally, the restricted panel notes that examination of the complaints also highlights the shortcomings of the procedures for exercising rights implemented within the company, which does not respond precisely to complainants wishing to know the source from which their contact data was obtained indirectly.
120. Thirdly, the Restricted Panel intends to apply the criterion set out in Article 83(2)(k) of the GDPR, relating to the financial benefits obtained as a result of the breach.
121. In this regard, it notes that the company derives all of its revenue from billing its customers for a service whose operation is based in part on data collected unlawfully and, until 2022, without the knowledge of the data subjects.
122. Thus, the company's entire business model is based on the infringement of major provisions of the GDPR, in that the database from which its extension operates was partly constituted unlawfully.
123. Fourthly, the Restricted Panel intends to take account of the measures taken by the company to mitigate the breaches, pursuant to Article 83(2)(c) of the GDPR. It appears that, following receipt of the penalty report, the company has implemented a new retention period for KASPR user data and, for the company's information email and privacy policy, has made it possible for data subjects to choose the language of the text in French, Spanish, Dutch or German.
124. The restricted panel considers that all of these elements justify the imposition of an administrative fine.
125. With regard to the amount of the fine, the restricted panel recalls that the violations identified are liable to be the subject, pursuant to Article 83 of the GDPR, of an administrative fine of up to €20 million or up to 4% of the worldwide annual turnover for the previous financial year, whichever is higher.
126. It considers that the company's business and financial situation must be taken into account. In this respect, it notes that KASPR generated sales of EUR [...] and profits of EUR [...] in 2022. The following year, this turnover amounted to EUR [...], with a profit of EUR [...].
127. In view of the company's liability, its financial capacity and the relevant criteria of Article 83(2) of the GDPR referred to above, the Restricted Panel considers that a fine of two hundred and forty thousand (240,000) euros appears justified.
128. With regard to issuing an injunction accompanied by a penalty payment, the rapporteur proposes in his report to the restricted panel to issue a compliance injunction against the company, accompanied by a penalty payment, for the breaches of Articles 5-1-e, 6, 12, 14 and 15 of the GDPR.
129. The company considers that the injunctive measures proposed by the rapporteur have no purpose, since the company has brought its processing into compliance as best it can given its resources.
130. Firstly, with regard to the legal basis, the Restricted Panel notes that the company continues to process data that has been collected in the absence of a valid basis.
131. Consequently, the Restricted Panel considers it necessary to issue an injunction so that the company complies with the applicable obligations in this area.
132. Secondly, with regard to the obligation to define and comply with a data retention period proportionate to the purpose of the processing, the restricted panel notes that the company has not indicated that it has implemented a proportionate retention period policy for target persons.
133. Consequently, the restricted panel considers it necessary to uphold the injunction on these points.
134. Thirdly, with regard to the failure to comply with the obligation to grant requests to exercise the right of access, the Restricted Panel notes that the complainants have still not been informed of the precise source of the data concerning them collected by the company.
135. Consequently, the Restricted Panel considers that the injunction is justified on this point.
136. Lastly, with regard to the terms and conditions of the injunction with penalty payment, the Restricted Panel notes that in order to preserve the penalty payment's comminatory function, its amount must be both proportionate to the seriousness of the breaches committed and adapted to the controller's financial capacities. It also considers that in determining this amount, account must be taken of the fact that the breach to which the injunction relates directly contributes to the profits generated by the controller.
137. In light of these factors, the restricted panel considers that the imposition of a penalty payment of 10,000 euros per day of delay, to be liquidated at the end of a six-month period, is justified.
138. With regard to the publication of the penalty, the restricted panel considers that this is justified in light of the seriousness of some of the breaches in question, the company's position on the market, the scope of the processing and the number of persons concerned.
139. It also notes that the purpose of this measure is to inform data subjects of the processing operations carried out by the company, whether they are users of the extension or target persons. This information will enable them, where appropriate, to assert their rights.
140. Lastly, it considers that this measure is proportionate given that the decision will no longer identify the company by name two years after its publication.
FOR THESE REASONS
The CNIL's restricted panel, after deliberation, decides to:
- impose an administrative fine on the company KASPR in the amount of two hundred and forty thousand (240,000) euros with regard to the breaches constituted by Articles 5-1-e), 6, 12, 14 and 15 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
- issue an injunction against KASPR:
  o as regards the breach of Article 6 of the GDPR,
    - to stop collecting contact data from KASPR users who have chosen to limit the visibility of their contact details;
    - to delete all contact data imported when synchronising the LinkedIn accounts of users who have chosen to limit the visibility of their contact details or, failing that, if it is impossible to distinguish this data whose visibility has been limited from other data, to inform them, within a period of 3 months, of the processing of their data and of the possibility of objecting to it and to use the data only for this purpose;
  o with regard to the failure to comply with Article 5-1-e of the GDPR, concerning target persons, to stop automatically renewing the 5-year retention period for target persons' data as soon as their profile is updated, and to retain data only for a period that is proportionate to the processing operation;
  o with regard to the failure to comply with Articles 12 and 14 of the GDPR: to inform data subjects of all the information provided for in these articles in a language that they understand;
  o with regard to the failure to comply with Article 15 of the GDPR,
    - to comply with requests for right of access from individuals by providing them with all available information as to the source from which their contact data was added to the company's database;
    - and to comply with requests for access from persons who have lodged complaints [...] under the same conditions, before deleting the data relating to the complaints [...];
- make the injunction subject to a penalty payment of ten thousand euros (€10,000) per day of delay at the end of a period of six months following notification of this resolution, with proof of compliance to be sent to the restricted panel within this period;
- make its decision public on the CNIL website and on the Légifrance website, which will no longer allow the company to be identified by name at the end of a period of two years from its publication.
The Chairman
Philippe-Pierre CABOURDIN
This decision may be appealed to the Conseil d'État within two months of its notification.