CNIL (France) - 2c1s196162814

From GDPRhub
CNIL - 2c1s196162814
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(d) GDPR
Article 5(1)(c) GDPR
Article 12(3) GDPR
Article 14 GDPR
Article 56(1) GDPR
Article 58(2)(b) GDPR
Article 58(2)(d) GDPR
Article L561-12 of the French Monetary and Financial Code
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 20.05.2022
Fine: n/a
Parties: n/a
National Case Number/Name: 2c1s196162814
European Case Law Identifier: EDPBI:FR:OSS:D:2022:369
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: n/a

In an Article 60 procedure, the French DPA covered three complaints regarding a consumer credit provider. Among other violations, the controller did not respond to access requests in time and had a retention period of 6 years for anti-money laundering purposes, while French law only required 5 years.

English Summary

Facts

This decision by the French DPA consisted of several complaints by different data subjects regarding the same controller. The nature and the name of this controller were not disclosed. Based on the information provided in the decision, the controller seemed to be a provider of consumer credit.

The first data subject (French) requested access to his personal data. He received responses from the controller but these answers were incomplete according to the data subject, because the identity of the investigative agency at the origin of the data collection was not disclosed. After an intervention of the DPA, the controller complied with the request.

The second data subject (French) had repeatedly requested information about the source - and the retention period of personal data. He also requested the deletion of his data. After discussions between the DPA and the controller, the controller informed the data subject that his phone number and his address had been obtained from an investigative agency, located in Israel. The controller added that it only hired such an agency when the data collected from a ‘transferring institution’ was inadequate. It is not clear what the controller meant with a 'transferring institution'. The controller also informed the data subject of the retention period of 6 years. The controller stated that it was obligated to keep data for a minimum of five years for anti-money laundering purposes, despite French law only requiring a storage period of five years, without any mention of a minimum period (Article L561-12 of the French Monetary and Financial Code).

The complaint of the third data subject (Polish) was transferred by the Polish DPA pursuant of Article 56(1) GDPR. The controller was not able to reach the data subject concerning his supposed debt. Therefore, it hired an investigative agency, which sent the contact details of the data subject to the controller on 13 July 2018. The data subject was then contacted by the controller with the request to pay his debt. However, the data subject stated that he was not a debtor and had never been a client of the controller. After communication between the data subject and the controller, the controller acknowledged that there had been a mistake regarding the identity of the data subject. The telephone number of the data subject was invalidated, but no further action was taken. Only 9 months later, the controller anonymized the data subject’s address and telephone number following the intervention of the DPA. The data subject complained at the DPA about the unlawfulness of processing of his personal data and requested erasure of his personal data.

Holding

The DPA did not make any specific remarks on the first complaint but reminded the controller that, according to Article 12(3) GDPR, it is obliged to respond to data subject requests within one month.

The DPA determined that the controller violated Article 5(1)(e) GDPR regarding the second complaint because of the 6 year retention period of personal data, while French law determined that the storage period for money laundering purposes was only five years (Article L561-12 of the French Monetary and Financial Code).

The DPA also held that the controller had disregarded Article 12(3) GDPR regarding the third complaint, because it had taken the controller four months to respond to the data subject and did not answer as soon as possible. The DPA stated that an initial, insufficient measure was taken only four months after the data subject's first request. The controller only provided a satisfactory response more than a year after the data subject's first request, since the controller anonymized the data only after the French DPA interfered. The controller also violated Article 5(1)(d) GDPR regarding the third complaint, because it did not take the necessary measures to only process up-to-date personal data. It held that the controller did not take adequate measures to remove any doubt surrounding the data subject and delete the personal data of this data subject. Because of the lack of adequate measures, the controller continued processing until it anonymized the personal data.

The DPA stated that Article 14 GDPR had been breached by the controller regarding all complaints, because data subjects were not informed about the source of personal data when this was collected by the controller through a third party. The DPA specified that providing a copy of a privacy policy, indicating the possibility of consulting an investigative agency, did not mean that the obligation under Article 14 GDPR was fulfilled. The information in the privacy policy was not specific enough and did not provide information on the exact source of the data.

The DPA issued a reprimand pursuant of Article 58(2)(b) GDPR and Article 20.II of the French Data Protection Act with regard to the obligation to respond to data subject requests and the obligation to process accurate and updated personal data. The DPA also issued a formal notice pursuant of Article 58(2)(d) GDPR and Article 20.II of the French Data Protection Act to limit the retention period of personal data to five years and to correctly inform individuals about the origin of their personal data.

Comment

Although the nature or the name of the controller were not disclosed, it seemed that the controller was some sort of a provider of consumer credit. Under section 1 of the decision (paragraph 1), there is a mention of a debt assignment agreement between the controller and the data subject. Also under section 1 (paragraph 5), one of the data subjects stated that he had never been a debtor of the controller.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.


Dear Sir,
I am following up on the exchanges of letters that took place between the CNIL services and the
data protection officer (DPO) of your company, as part of the investigation of several complaints relating
to the processing of debtors’ personal data (amicable collection files).
I. Reminder of claims and facts
With regard to referral No. f
The French complainant requested access to his data and received some responses. He nevertheless
referred the matter to CNIL, feeling that the responses were incomplete, as the identity of the investigative
agency at the origin of the data collection was not communicated to him. Following the intervention of
CNIL services, his request was granted.
With regard to referral No. P|
The data relating to the French complainant were processed by
assignment agreement entered into with ‘he complainant has repeatedly
requested the source of the data concerning him, as well as its retention period and its deletion. Following
discussions with CNIL vices informed the complainant that his address and
telephone number had been obtained from an investigative agency located in Israel. Your DPO has
indicated to CNIL that the use of such an agency occurs only when the data collected from the transferring
institution turns out to be inaccurate.
based on a debt
In addition, the complainant was informed of the “exceptional” closure of his case and that his data
will be deleted after a period of six years from that closure. Your DPO justified this period by the fact that
your company is “legally required to keep this data far anti-money laundering pur poses for a minimum of
five years.“
With regard to referral No. Fs
In this complaint submitted by the Polish Data Protection Authority, pursuant to Article 56.1 of the
General Data Protection Regulation (GDPR), the complainant challenged the lawfulness of the processing
of data concerning him b and requested its erasure. He indicated that he was not a
debtor and had never been a client of the ceding company
From the complaint and the exchanges with your company’s DPO, the following details emerge:
- after unsuccessfully attempting to contact the debtor concerned,ME appealed to an
investigative agency, which sent it the contact details of the complainant on 13 July 2018;
- on 23 July 2018, the complainant requested the erasure of the data from [I after
reccivingEE s letter informing him of the existence of a claim concerning him;
- on 27 July 2018, he contacted I by email DE © obtain
information, as he claims never to have taken out a loan withI
- on17 September 2018, he received another letter asking him to pay his debt;
- on 29 November 2018, during a telephone conversation with the complainant, eS
services noticed that this was a case of mistaken identity (same surname and first name). His
telephone number was then invalidated, but no further action was taken;
- the complainant’s address and telephone number were anonymised following the intervention of
CNIL services on 26 August 2019 (all data relating to the complainant was replaced by crosses,
thus preventing any link between the true debtor’s file and the complainant);
- the complainant was informed that this measure would therefore put an end to all correspondence
with him.
II. Analysis of the facts in question
1. Failure to respond to requests to exercise rights
Pursuant to Article 12.3 GDPR, the Data Controller must respond to requests from individuals
exercising their rights within a maximum period of one month.
In the present case, the Polish complainant attempted to obtain information on the processing of
the data and requested its erasure upon receipt of the letter of assignment of claim.
An initial, insufficient measure was taken only four months after the complainant’s first request. It
is only the intervention of CNIL services - over a year after the complainant’s first request - which led your
services to respond satisfactorily.
I also note that compliance with this obligation and taking into account the complainant’s requests
from the outset could have enabled your company to identify the case of mistaken identity in July 2018
and thus immediately cease the processing of data concerning the complainant.
I find ha i therefore disregarded Article 12.3 GDPR in that it did not respond to
the complainant as soon as possible.
2. Failure to process accurate and up-to-date data
Pursuant to Article 5.1.d GDPR, the personal data processed must be accurate and, if necessary,
kept up to date.
In this case, the case of mistaken identity was identified on 29 November 2018 when the Polish
plaintiff disputed being a customer of the company and requested the deletion of his data. However,
did not take adequate measures to remove any doubt as to this homonymy and
immediately delete the data concerning this non-debtor complainant.
Thus, the data relating to the complainant continued to be processed by I and was
only anonymised after the intervention of CNIL services on 26 August 2019.
I find that Po has therefore disregarded Article 5.1 d) GDPR in that it did not take
the necessary measures to process only accurate and up-to-date data relating to a debtor and that it took the
intervention of CNIL services to stop this breach.