CNIL (France) - SAN-2020-009: Difference between revisions

From GDPRhub
|ECLI=

|Original_Source_Name_1=Legifrance
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042564657
|Original_Source_Language_1=French
|Original_Source_Language__Code_1=FR

|Type=Complaint
|Outcome=Upheld
|Date_Decided=18.11.2020
|Date_Published=26.11.2020
|Year=2020
|Fine=800000
|Currency=EUR

|GDPR_Article_1=Article 5(1)(a) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1a
|GDPR_Article_2=Article 12 GDPR
|GDPR_Article_Link_2=Article 12 GDPR
|GDPR_Article_3=Article 13 GDPR
|GDPR_Article_Link_3=Article 13 GDPR
|National_Law_Name_1=Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/id/JORFTEXT000000886460/2020-11-30/
|Party_Name_1=Carrefour Banque
|Party_Link_1=https://www.carrefour-banque.fr/
|Party_Name_2=
|Party_Link_2=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=

|Initial_Contributor=Fra-data67
|
}}
 
The French DPA (CNIL) fined Carrefour Banque €800,000 for several violations of the GDPR and French data protection law. The breaches concerned the fairness and transparency of data processing, the accessibility and content of the information provided about the processing, and the unlawful use of cookies.

==English Summary==
===Facts===
CARREFOUR BANQUE is a subsidiary owned 40% by BNP PARIBAS SA and 60% by CARREFOUR SA, the parent company of the CARREFOUR group. CARREFOUR BANQUE is a banking company whose main activities are consumer credit, portfolio management, insurance brokerage and investment services.

As part of its activities, the company publishes the website www.carrefour-banque.fr and markets a payment card for customers of the CARREFOUR group, which can be attached to the group's loyalty programme.

Having received several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of data on customers and potential users. The President of the CNIL therefore decided to initiate sanction proceedings against these companies.

Following an online inspection carried out by the CNIL on 5 July 2019, the rapporteur noted several breaches of the GDPR and the French Data Protection Act (Loi informatique et libertés).

===Dispute===
In this case, the French data protection authority investigated several issues:

*Does the transmission of data by CARREFOUR BANQUE to CARREFOUR FRANCE when joining the loyalty programme comply with the principle of fair and transparent processing contained in [https://gdprhub.eu/Article_5_GDPR#.28a.29_Lawfulness.2C_fairness_and_transparency Article 5(1)(a) GDPR]?
*Is the information relating to personal data processing operations easily accessible within the meaning of [https://gdprhub.eu/index.php?title=Article_12_GDPR Articles 12] and [https://gdprhub.eu/index.php?title=Article_13_GDPR 13 GDPR]?
*Is the information provided to data subjects throughout the subscription process in compliance with the provisions of Article 13 GDPR?
*Does placing 39 cookies on the data subjects' computers before any act of consent or refusal on their part violate [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82] of the French data protection law?

===Holding===
The CNIL ordered CARREFOUR BANQUE to pay an administrative fine of €800,000. Since the company had taken the necessary measures to end the breaches of which it was accused before the close of the proceedings, the CNIL did not issue an injunction against it.


However, in view of the seriousness of the breaches sanctioned and the number of people concerned, the restricted formation pronounced an additional publication sanction for a period of two years.


====On the violation of the obligation to fairly process personal data====
When a subscriber to the payment card also wanted to join the CARREFOUR loyalty programme, he had to tick a box stating: “I accept that CARREFOUR BANQUE communicates to CARREFOUR FIDELITE my surname, first name and email. CARREFOUR BANQUE undertakes not to transmit any other information to CARREFOUR FIDELITE”. Nonetheless, the French DPA found that CARREFOUR BANQUE also transmits other information to CARREFOUR FRANCE: postal address, telephone numbers and the number of children declared by the subscriber.


The French DPA concluded that this was a violation of the principle of fairness under Article 5(1)(a) GDPR, as the information given to data subjects was imprecise and misleading. The French DPA pointed out that, although the GDPR does not define fairness, the principle is linked to the transparency requirement of Article 12. More specifically, the CNIL highlights that:


*CARREFOUR BANQUE transmits to CARREFOUR FRANCE more data than those restrictively listed at the time of subscription.
*CARREFOUR BANQUE mentions CARREFOUR FIDELITE as the recipient of the data communicated by data subjects, whereas this service, attached to the company CARREFOUR FRANCE, had never been presented to the subscriber prior to this mention.


====On the lack of accessibility to information on processing of personal data====
Relying on Article 12 GDPR, the French DPA distinguishes between:


*<u>Access to information relating to personal data protection:</u> In this case, the user could access the information relating to the processing of his or her data either by clicking directly on the "Protection of Banking Data" tab at the bottom of the page, or through the Legal Notice, which referred to the privacy policy and thus required several actions by the user. On this point, the CNIL recalls the [https://www.cnil.fr/sites/default/files/atoms/files/wp260_enpdf_transparency.pdf WP29 guidelines on transparency], according to which data subjects should not have to search for information but should have immediate access to it. The French DPA therefore held that there was a violation of the transparency obligation under Article 12 GDPR. On the one hand, the vague title "Protection of Banking Data" does not make it clear to data subjects that this tab concerns personal data protection. On the other hand, with regard to access to the privacy policy via the legal notices, the CNIL notes that users must first undertake several actions before being able to reach it.


*<u>The information provided to data subjects throughout the online subscription process:</u> According to the CNIL, the information provided throughout the payment card subscription process was not easily accessible to data subjects. Although CARREFOUR BANQUE did provide the expected first-level information on the page presenting the payment card subscription process (identity of the controller, purposes of the processing, description of the rights of data subjects), the CNIL emphasizes that CARREFOUR BANQUE neglected to complement these mentions with a link allowing people to read the complete information. This was a violation of Article 12.


====On the vagueness of data retention periods====
Based on Article 13(2)(a) GDPR and the WP29 guidelines on transparency, the CNIL found that CARREFOUR BANQUE's privacy policy was imprecise and vague about data retention.


Indeed, the privacy policy contained vague and undefined formulations that confused data subjects as to the extent and nature of the data collected. Furthermore, the privacy policy did not specify the retention periods for all data, nor the criteria used to determine these periods.


====On the use of cookies on the website====
 
The French DPA recalls Article 82 of the French data protection law (loi informatique et libertés), which requires that any placement of cookies or trackers be preceded by informing users and obtaining their consent. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means, or which are strictly necessary for the provision of an online communication service expressly requested by the user.
 


In this case, the CNIL found that 31 cookies were automatically deposited on users' devices upon arrival on the site's home page and before any action by the user. More specifically, two of them were intended to track the user and three were intended for advertising targeting.


Concluding that these five cookies do not fall within the exceptions set out in Article 82 of the French Data Protection law, the CNIL found a breach of Article 82 and underlines that depositing these five cookies required the company to obtain the user's prior consent.


==Comment==
The issue of information to data subjects has an important place in this case. The CNIL reaffirms, in line with the principles of the GDPR and the WP29 guidelines, the standards relating to the quality of the information delivered by the controller to data subjects.


This sanction was issued jointly with [https://gdprhub.eu/index.php?title=CNIL_-_SAN-2020-008 CNIL - SAN-2020-008], in which the French DPA imposed a €2,250,000 fine on Carrefour France.
==Further Resources==
''Share blogs or news articles here!''
==English Machine Translation of the Decision==
The decision below is a machine translation of the French original. Please refer to the French original for more details.


<pre>
'''Deliberation of the restricted committee n° SAN-2020-009 of November 18, 2020 concerning the company CARREFOUR BANQUE'''


The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Messrs Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Ms Sylvie LEMMET and Christine MAUGÜE, members;


Having regard to Convention n° 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data;


Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;


Having regard to Law n° 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following;


Having regard to Decree n° 2019-536 of May 29, 2019 taken for the application of Law n° 78-17 of January 6, 1978 relating to data processing, files and freedoms;


Having regard to Deliberation n° 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms;


Considering the ordinance n ° 2020-306 of March 25, 2020 relating to the extension of the deadlines expired during the period of health emergency;


Having regard to decisions n° 2019-081C of April 24, 2019 and n° 2019-102C of June 6, 2019 of the President of the National Commission for Informatics and Freedoms instructing the Secretary General to carry out or have carried out a verification mission of the processing implemented by the company CARREFOUR and its subsidiaries, and in particular the company CARREFOUR BANQUE, or on their behalf;


Having regard to the decision of the Vice-President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated November 29, 2019;


Having regard to the report by Mr. Éric PÉRÈS, commissioner rapporteur, notified to the company CARREFOUR BANQUE on January 10, 2020;


Having regard to the written observations made by the board of the company CARREFOUR BANQUE on March 10, 2020;


Having regard to the rapporteur's response to these observations notified by email on April 22, 2020 to the board of the company;


Having regard to the written observations of the board of CARREFOUR BANQUE received on August 24, 2020;


Having regard to the oral observations made during the session of the restricted committee;


Having regard to the other documents in the file;


Were present during the session of the restricted committee of September 17, 2020:


- Mr Éric PÉRÈS, commissioner, heard in his report;


As representatives of CARREFOUR BANQUE:


- […] ;


- […] ;


- […] ;


- […] ;


- […] ;


- […] ;


- […].


The CARREFOUR BANQUE company having spoken last;


The restricted committee adopted the following decision:


I. Facts and procedure


1. CARREFOUR BANQUE is a subsidiary 40% owned by BNP PARIBAS SA and 60% by CARREFOUR SA, parent company of the CARREFOUR group.


2. Created in 1959, the CARREFOUR group (hereinafter the group), whose head office is at 93 avenue de Paris in Massy (91300), has mass retail as its main activity. It is also involved in other areas such as banking and insurance, e-commerce and travel agencies. In 2018, it employed around 360,000 people and had a turnover of 76 billion euros.


3. Based at 1 place Copernic Courcouronnes in Évry Courcouronnes (91080), the company CARREFOUR BANQUE (hereinafter the company) is a banking establishment whose main activities include consumer credit, portfolio management, insurance brokerage and investment services. In 2018, it employed around 300 people and achieved a net banking income of 308 million euros.


4. As part of its activities, the company publishes the website www.carrefour-banque.fr (hereinafter the site carrefour-banque.fr). It also markets a payment card intended for customers of the Carrefour group (hereinafter the Pass card), which can be attached to the group's loyalty program.


5. Pursuant to decisions n° 2019-081C of April 24, 2019 and n° 2019-102C of June 6, 2019 of the President of the Commission, the CNIL's services carried out an online inspection on July 5, 2019 concerning the carrefour-banque.fr site and the processing implemented from that site, as well as an on-site inspection at the premises of the company CARREFOUR S.A. on July 9, 2019 concerning the processing relating to the Pass card.


6. The purpose of these missions was to verify, in particular, the company's compliance with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the Regulation or the GDPR) and of Law n° 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter the Data Protection Act).


7. During the on-site inspection, the representatives of the CARREFOUR group informed the delegation that the company CARREFOUR BANQUE is the controller for the two payment programmes (debit and credit) of the Pass card, while the company CARREFOUR FRANCE is the controller for the third programme, which links the Pass card to the SIEBEL database that implements the Carrefour loyalty programme.


8. On July 19, 2019, the company sent the inspection delegation the documents requested during the on-site inspection of July 9, 2019, including the count of the number of Pass cards linked to the Carrefour loyalty programme.
9. For the purposes of examining these elements, the Vice-President of the Commission appointed Mr. Éric PÉRÈS as rapporteur, on November 29, 2019, on the basis of Article 22 of the Data Protection Act.


10. At the end of his investigation, the rapporteur had a bailiff serve on the company CARREFOUR BANQUE, on January 10, 2020, a report detailing the breaches of the GDPR and of the Data Protection Act that he considered to be established in the present case.


11. This report proposed that the restricted committee of the Commission issue an injunction to bring the processing into conformity with the provisions of Articles 5, 12 and 13 of the Regulation and of Article 82 of the Data Protection Act, together with a penalty payment, as well as an administrative fine. It also proposed that this decision be made public and that it no longer make it possible to identify the company by name after a period of two years from its publication.


12. On January 29, 2020, the company requested a one-month extension of the deadline within which it had to respond to the report, the postponement of the session initially scheduled for March 24, 2020, as well as a meeting with the rapporteur. On February 3, the president of the restricted committee granted the requested extension for a period of one month. On February 6, the secretary general of the CNIL granted the request to postpone the session to April 21, 2020. On the same day, the rapporteur refused the meeting requested by the company.


13. On March 10, 2020, through its counsel, the company filed observations and made a request that the session before the restricted panel be held in camera.


14. By e-mail of 23 March 2020 and on the basis of article 40, paragraph 4, of decree n ° 2019-536 of 29 May 2019, the rapporteur asked the president of the restricted formation for an additional period of fifteen days to respond to comments from the company.


15. By letter of March 24, 2020, taking note in particular of the context of the health crisis, the president of the restricted group granted the rapporteur's request.


16. By letter of the same day, the company was informed of the additional time granted to the rapporteur and of the fact that it had, by virtue of paragraph 5 of article 40 of decree n° 2019-536 of 29 May 2019, a period of one month to respond to the rapporteur's reply. The letter also informed it of the second postponement of the session of the restricted committee, scheduled for April 21, 2020.


17. By e-mail of April 7, 2020, the rapporteur asked the president of the restricted committee for a further additional period of fifteen days to respond to the company's observations, which was granted on April 8, 2020. The company was informed the same day.


18. The rapporteur responded to the company's observations on April 22, 2020.


19. By letter of the same day, the Secretary General of the CNIL informed the company that it could submit its observations in response to the rapporteur's reply until August 24, 2020, pursuant to Ordinance n° 2020-306 of March 25, 2020 relating to the extension of deadlines expiring during the state of health emergency.


      a) the interested party gave their consent for the processing of their data
20. Le 30 juin 2020, le président de la formation restreinte a fait droit à la demande de huis clos formulée par la société, au motif que certains éléments versés aux débats étaient protégés par le secret des affaires, tel que prévu par l’article L 151-1 du code du commerce.


21. On 5 August 2020, the CNIL services notified the company of a summons to the session of the restricted committee of 17 September 2020.


22. On 24 August 2020, the company submitted new observations in reply to those of the rapporteur.


23. The company and the rapporteur presented oral observations at the session of the restricted committee.


II. Grounds of the decision


A. On the breach of the obligation to process data fairly (principle of loyalty)


24. Under Article 5(1)(a) of the GDPR: ''Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness, transparency)''.


25. It emerges from the findings of the inspection delegation that when a subscriber of a payment card (Pass card) also wishes to join the Carrefour loyalty program, the company CARREFOUR BANQUE sends several requests to the company CARREFOUR FRANCE, including in particular a request to join the Carrefour loyalty program.


26. Indeed, during the online inspection, the delegation noted that a Pass card subscriber wishing to join the Carrefour loyalty program had in particular to tick the box at the bottom of the page entitled ''My loyalty rewarded'', next to which the following statement appears: ''I want to link my Carrefour Loyalty account to my Pass card (or failing that, create and link it). To do this, I accept that Carrefour Banque communicates to Carrefour Fidélité my surname, first name and email. Carrefour Banque undertakes not to transmit any other information to Carrefour Fidélité''.


27. It appears from the documents submitted to the delegation during the on-site inspection that the company CARREFOUR BANQUE also transmits to the company CARREFOUR FRANCE, in addition to the surname, first name and email address of the Pass card subscriber mentioned above, their postal address and telephone number(s). When it has this information, it also informs CARREFOUR FRANCE of the number of children declared by the subscriber.


28. The rapporteur therefore considers that the company breached the principle of loyalty when it transmitted to the company CARREFOUR FRANCE more personal data concerning Pass card subscribers than those exhaustively listed in the online subscription process.


29. The company replied, first of all, that since the concept of loyalty is not defined in the Regulation, the rapporteur could not ask the restricted committee to sanction its violation.


30. It notes, moreover, that the principle of loyalty can at most be linked to the obligation of transparency provided for in Article 12 of the Regulation. In this case, it claims to have complied with this transparency requirement, since the information notice challenged by the rapporteur informs people of the existence of the processing, its purpose and the transfer of the data to third parties.


31. It maintains, finally, that the practices complained of could not be characterised as unfair, all the less so because they resulted only from a failure to update its website, due to a communication error between the departments of the two companies.


32. The restricted committee recalls that the principle of loyalty (fairness) is an independent principle provided for in Article 5(1)(a) of the GDPR, the violation of which by a data controller may give rise to a corrective measure from the supervisory authority.


33. It notes, in this regard, that this provision must be interpreted in the light of recital 60 of the Regulation, according to which: ''the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed''.


34. In this case, the restricted committee considers that the information provided in this notice was both imprecise and misleading.


35. First of all, the restricted committee notes that the company CARREFOUR BANQUE names ''Carrefour Fidélité'' as the recipient of the data communicated, even though this service, attached to the company CARREFOUR FRANCE, had never been presented to Pass card subscribers before this mention. Thus, the data subjects could not understand on their own that their personal data were in fact communicated to a third company, CARREFOUR FRANCE.


36. Next, the restricted committee considers that the information provided to the data subjects was misleading and unfair, since the company had expressly stated in that same information notice that it ''undertakes [to] not transmit any other information to Carrefour Fidélité'' than the surnames, first names and e-mail addresses of Pass card subscribers, even though this was precisely not the case.


37. The restricted committee therefore considers that a breach of Article 5(1)(a) of the GDPR has occurred.


38. It notes, however, that on the day of the session, the company had completely overhauled the online subscription process for the Pass card and, in particular, had rewritten the disputed information. Pass card subscribers wishing to join the Carrefour loyalty program are now informed that personal data concerning them are transmitted to the company CARREFOUR FRANCE and are also informed of the exact nature of the data actually transmitted.


B. On the failure to inform individuals


39. Article 12 of the Regulation provides that: ''the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 […] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language […]''.


40. Article 13 of the same Regulation lists the information that must be provided to data subjects where personal data are collected from them.


1. Regarding the accessibility of the information


41. '''In the first place''', the rapporteur considers that, as appears from the findings made by the delegation during the online inspection, the information made available to users of the carrefour-banque.fr site through various channels was not easily accessible within the meaning of Article 12 of the Regulation.


42. To read the information provided regarding the processing of their personal data, the user could first click on the tab ''Protection of banking data'' appearing in the footer of the site. Alternatively, they could click on the link ''Legal notices'' at the foot of the site, go to point 3 of these notices, entitled ''3 - Protection and confidentiality of personal data processed by Carrefour Banque'' and, finally, click on the link ''To find out more about our personal data protection policy, see our dedicated page'', which referred to the company's privacy policy entitled ''Protection and confidentiality of personal data processed by Carrefour Banque'', without any other information having been provided to the user before reaching this privacy policy.


43. The company maintains that it was perfectly justified in inserting a link to its privacy policy in its legal notices and that, in any event, this information was provided directly ''via'' the tab ''Protection of banking data'' appearing in the footer of the site.


44. The restricted committee recalls that, for a data controller to be considered to fulfil its obligation of transparency, the information provided must in particular be ''easily accessible'' to the data subjects within the meaning of Article 12 of the Regulation.


45. It notes, in this regard, that this provision must be interpreted in the light of recital 61 of the Regulation, according to which: ''the information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject''.


46. In this sense, it shares the position of the Article 29 Working Party (G29) set out in the guidelines on transparency under the Regulation, adopted in their revised version on 11 April 2018 (hereinafter the transparency guidelines), which recall that ''the data subject should not have to seek out the information but should be able to access it immediately''.


47. To illustrate how it is possible to meet this accessibility criterion, these same guidelines specify, in the case of an online environment that ''each company with a website should publish a statement or notice on the protection of privacy on its site. A direct link to this privacy statement or notice should be clearly visible on every page of this website under a commonly used term (such as Privacy, Privacy Policy, or Privacy Notice). Text or links whose layout or color choice makes them less visible or difficult to find on a web page are not considered to be easily accessible'' .


48. In the present case, the restricted committee considers, first of all, that the vagueness of the title of the tab ''Protection of banking data'' appearing in the footer of the site, which refers to banking data and not to personal data, could not allow the data subjects to easily understand that by clicking on this link they would be redirected to the site's privacy policy, containing information relating to the processing of their personal data. Indeed, for the general public, a large part of the data processed (address, number of children, etc.) is not banking data.


49. Next, regarding the second information channel, users of the carrefour-banque.fr site could not guess on their own that the link to the site's privacy policy was inserted in the site's legal notices. Thus, to reach this privacy policy, users would in a number of cases first have to take several actions, such as clicking on the links ''Accessibility'' or ''General terms and conditions of sale'', also appearing at the foot of the home page, before finally clicking on the link ''Legal notices''.


50. It follows that the information provided to users of the carrefour-banque.fr site was not ''easily accessible''.


51. '''In the second place''', the rapporteur considers that the information relating to the Pass card provided during the online subscription process on the carrefour-banque.fr site, as observed during the online inspection, was not ''easily accessible'' either, since subscribers to this card did not have complete information on the processing of their data on the presentation page of the subscription process and were not invited to read more complete information either, for example via a hyperlink to supplementary information notices.


52. The company maintains that such a link already existed through the tab ''Protection of banking data'' appearing in the footer of the site.


53. The restricted committee emphasizes that according to the principle of transparency, as recalled in particular in recital 61 of the GDPR, information must be communicated to people at the time the data is collected.


54. As an example, the G29 Transparency Guidelines state that, in an online context, ''a link to the privacy statement or notice should be provided at the point of collection of personal data, or that this information can be viewed on the same page as the one where the personal data is collected'' .


55. In the present case, the findings show that the company chose to provide its information in several layers.


56. In this regard, while the company did provide, on the presentation page of the Pass card subscription process, the information expected as first-level information, namely the identity of the data controller, the main purposes of the processing and a description of the rights under the Data Protection Act (Informatique et Libertés), the restricted committee notes on the other hand that the company had neglected to complete these mentions by allowing people to read the complete information, for example by inserting a hyperlink to the second-level information, in this case the company's privacy policy, which is supposed to detail all the information required by Article 13 of the Regulation.


57. With regard to the tab ''Protection of banking data'' put forward by the company, the restricted committee notes that this tab did not appear in the footer of the online subscription process for the Pass card and recalls that, in any event, its title would not have enabled the data subjects to easily understand that by clicking on this link they would be redirected to the company's privacy policy.


58. In this way, the data subjects were not informed, at the time of the collection of their personal data, of all the information relating to the processing. As a result, all the information provided to Pass card subscribers on the carrefour-banque.fr site was not ''easily accessible'' .


59. The restricted committee therefore considers that the company disregarded the provisions of Article 12 of the Regulation.


60. It notes, however, that on the day of the session, the company had completely overhauled its website and that the information now provided both to users of the site and to Pass card subscribers meets the requirements of Article 12 of the Regulation.


2. Regarding the content of the information


61. The rapporteur considers that the company's privacy policy, entitled ''Protection and confidentiality of personal data processed by Carrefour Banque'' and accessible in the manner described above, was both imprecise and incomplete as regards the mentions relating to retention periods. Thus, on the one hand, the information policy contained formulations that were too vague to allow defined periods to be identified and, on the other hand, the company gave no information concerning certain data it nonetheless stated it collected, such as the online behaviour, habits and consumption preference data collected by the cookies placed on users' terminals from its website. Moreover, the company did not specify whether or not it archived the data subjects' data.


62. The company disputes the imprecise nature of its information notices relating to retention periods and argues that the information relating to cookies was available in another section of its ''Legal notices''.


63. The restricted committee recalls that, under Article 13(2)(a) of the Regulation, the controller shall provide the data subject with information on ''the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period''.


64. By way of clarification, the above transparency guidelines recommend that ''the retention period [be] formulated in such a way that the data subject can assess, depending on their own situation, what the retention period will be for specific data or specific purposes. The controller cannot simply state in general terms that the personal data will be kept for as long as the legitimate purposes of the processing require. Where appropriate, different retention periods should be stated for the different categories of personal data and/or the different processing purposes, including periods for archival purposes''.


65. In the present case, the restricted committee emphasises, first of all, that the use of vague and undefined formulas such as ''the applicable legal limitation periods'' or ''the retention of your data by Carrefour Banque varies according to the applicable regulations and laws'', or of expressions such as ''by way of example'' or the adverb ''in particular'', necessarily made it confusing for the data subjects to understand the extent and nature of the data stored as well as the retention periods applied to these data.


66. It adds, then, that the information was also incomplete insofar as the company neglected to specify the retention periods applicable to all the data processed, or did not specify the criteria used to determine these periods. Thus, the company did not state that it archived contractual data for five years, the applicable legal limitation period, in case of litigation. In addition, it did not specify the retention periods for the data collected by cookies: although the site's ''Legal notices'' did include a paragraph on cookies, that paragraph did not specify the retention periods for the data collected by these cookies.


67. The restricted committee therefore considers that a breach of Article 13 of the Regulation is established.


68. It notes, however, that on the day of the session, the company had completed its information notices and that its privacy policy now meets the requirements of Article 13 of the Regulation.


C. On the breach relating to cookies


69. Article 82 of the Data Protection Act (Article 32-II, in identical wording, at the date of the findings) requires that users be informed and that their consent be obtained before any operation to store information in their terminal equipment or to gain access to information already stored there. Any placing of a cookie or other tracker must therefore be preceded by the information and consent of users. This requirement does not apply to cookies whose ''sole purpose is to enable or facilitate communication by electronic means'' or which are ''strictly necessary for the provision of an online communication service at the express request of the user''.


70. The rapporteur considers that the company did not comply with these provisions, since it was found during the online inspection that, on arriving at the carrefour-banque.fr website, several cookies that did not fall within the two cases recalled above were placed on the user's terminal as soon as the site's home page was loaded and before any action on the user's part.


71. The company does not dispute these findings.


72. The restricted committee notes, in this case, that thirty-one cookies were placed automatically upon arrival on the site's home page and before any action by the user.


73. The restricted committee observes that five of these cookies (the ''MUIDB'', ''GPS'', ''_gid'', ''_ga'' and ''_gat_trackerBanque'' cookies) neither had the sole purpose of enabling or facilitating electronic communication, nor were strictly necessary for the provision of a service expressly requested by the user.


74. Regarding, first of all, the three cookies ''_gid'', ''_ga'' and ''_gat_trackerBanque'', known as ''Google Analytics'' cookies, the restricted committee emphasises that it is not disputed that the data collected by these cookies can be cross-referenced with data from other processing operations to pursue purposes other than those permitted by Article 82 of the Data Protection Act, in particular to carry out personalised advertising. Indeed, it emerges from the practical guide on linking Analytics and Google Ads accounts, published on one of the Google company's sites, that ''the integration of Google Analytics in Google Ads (…) allows [advertisers] to know precisely how much [their] ads translate into conversions, and then quickly adjust creatives and bids accordingly. [Advertisers can] also combine products to identify [their] most interesting segments and then engage those users with personalised messages''.


75. As regards, then, the cookies ''MUIDB'' and ''GPS'', the restricted committee notes that these two cookies are tracking cookies, the first allowing a user to be tracked across different domain names belonging to the Microsoft company, the second storing an identifier on the user's terminal in order to geolocate it. Therefore, the placing of these five cookies required the company to first obtain the user's consent.


76. The restricted committee therefore considers that a breach of Article 82 of the Data Protection Act is established.


77. It notes, however, that on the day of the session, the company had completely overhauled its cookie policy. These changes have led, in particular, to the automatic placing of cookies on arrival at the site's home page being stopped since 4 March 2020.
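A pre-consent cookie audit of the kind the findings above describe (thirty-one cookies placed on arrival, five of them not strictly necessary), as an added example that is not part of the CNIL decision or of the company's own tooling: it parses the Set-Cookie headers a site returns on the very first request to its home page, before any user action, and flags every cookie that is not on an operator-maintained allowlist of strictly necessary cookies. The headers, domains and the allowlist are constructed for the example; the purpose annotations reuse only the descriptions the decision itself gives for the _ga, _gid, _gat_trackerBanque, MUIDB and GPS cookies.

```python
"""Pre-consent cookie audit (added example; not from the CNIL decision).

Input: the Set-Cookie headers observed on the first, pre-consent load of a
page. Output: which cookies were placed, which are allowlisted as strictly
necessary, and which required prior consent under the rule recalled in
paragraph 69 above.
"""

# Constructed sample: headers as a site might return on a first page load,
# before the visitor has clicked anything. Names mirror those in the decision;
# values and domains are invented.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "consent_state=undecided; Path=/; Max-Age=3600; SameSite=Lax",
    "_ga=GA1.2.1234.5678; Domain=.bank.example; Path=/; Max-Age=63072000",
    "_gid=GA1.2.8765.4321; Domain=.bank.example; Path=/; Max-Age=86400",
    "_gat_trackerBanque=1; Domain=.bank.example; Path=/; Max-Age=60",
    "MUIDB=0A1B2C3D; Domain=bing.example; Path=/; Max-Age=31536000; Secure",
    "GPS=1; Domain=video.example; Path=/; Max-Age=1800",
]

# Assumption: a per-site allowlist maintained by the operator. Only cookies whose
# sole purpose is enabling communication or delivering the service the user
# asked for (session handling, remembering the consent choice itself) belong here.
STRICTLY_NECESSARY = frozenset({"SESSIONID", "consent_state"})

# Name prefixes the decision calls out, with the purpose it attributes to them.
# Used only to annotate the report; necessity is decided by the allowlist.
KNOWN_TRACKERS = {
    "_ga": "Google Analytics (data can be cross-referenced with Google Ads)",
    "_gid": "Google Analytics (data can be cross-referenced with Google Ads)",
    "_gat": "Google Analytics (data can be cross-referenced with Google Ads)",
    "MUID": "Microsoft cross-domain tracking",
    "GPS": "geolocation identifier",
}


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into name, value and lower-cased attributes."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags (Secure, HttpOnly) map to ""
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def describe(name: str) -> str:
    """Annotate a cookie name with the purpose the decision attributes to it."""
    for prefix in sorted(KNOWN_TRACKERS, key=len, reverse=True):
        if name.startswith(prefix):
            return KNOWN_TRACKERS[prefix]
    return "unknown purpose; review before allowlisting"


def audit_pre_consent(headers, allowlist=STRICTLY_NECESSARY) -> dict:
    """Classify every cookie placed before any user action.

    A cookie is accepted only if its name is on the allowlist; everything else
    is reported as requiring prior consent, with its domain, whether it is
    persistent (Max-Age/Expires present) and the purpose annotation.
    """
    cookies = [parse_set_cookie(h) for h in headers]
    necessary, needs_consent = [], []
    for c in cookies:
        attrs = c["attrs"]
        allowed = c["name"] in allowlist
        entry = {
            "name": c["name"],
            "domain": attrs.get("domain", "(host only)"),
            "persistent": "max-age" in attrs or "expires" in attrs,
            "purpose": "allowlisted as strictly necessary" if allowed else describe(c["name"]),
        }
        (necessary if allowed else needs_consent).append(entry)
    return {
        "total": len(cookies),
        "strictly_necessary": necessary,
        "requires_consent": needs_consent,
        "compliant_without_banner": not needs_consent,
    }


if __name__ == "__main__":
    report = audit_pre_consent(SAMPLE_SET_COOKIE_HEADERS)
    print(f"{report['total']} cookies placed before any user action")
    for e in report["requires_consent"]:
        life = "persistent" if e["persistent"] else "session"
        print(f"  consent required: {e['name']:<20} {e['domain']:<16} {life:<10} {e['purpose']}")
```

To run this against a real site, capture the response headers of the first request made by a clean browser profile, including the requests to third-party domains the page triggers. Inspecting Set-Cookie headers alone undercounts: cookies written by scripts through document.cookie never appear in a response header, so a complete audit also reads the browser's cookie jar after the page has finished loading and before any click.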


III. On corrective measures and publication


78. Under III of Article 20 of the Data Protection Act:


''When the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Act, the President of the Commission nationale de l'informatique et des libertés may also, where appropriate after having sent the warning provided for in I of this Article or, where appropriate, in addition to a formal notice provided for in II, refer the matter to the restricted committee with a view to it pronouncing, after adversarial proceedings, one or more of the following measures: […]''


''7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover for the previous financial year, whichever is higher. In the cases mentioned in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of 27 April 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. In determining the amount of the fine, the restricted committee takes into account the criteria specified in the same Article 83.''


79. Article 83 of the GDPR provides:


''1. Each supervisory authority shall ensure that administrative fines imposed under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.''


''2. Depending on the specific characteristics of each case, administrative fines are imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken in each individual case of the following:''


''a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;''


''(b) whether the violation was committed willfully or negligently;''


''c) any measure taken by the controller or the processor to mitigate the damage suffered by the data subjects;''


''d) the degree of responsibility of the controller or the processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32;''


''e) any relevant breach previously committed by the controller or processor;''


''(f) the degree of cooperation established with the supervisory authority with a view to remedying the violation and mitigating any negative effects thereof;''


''g) the categories of personal data affected by the breach;''


''(h) how the supervisory authority became aware of the breach, including whether, and to what extent, the controller or processor notified the breach;''


''(i) where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures;''


''(j) the application of codes of conduct approved under Article 40 or certification mechanisms approved under Article 42; and''


''k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the violation.''


80. '''In the first place''', concerning the proposed sanction, the company maintains that since the breaches relating to loyalty and information are not characterised, the imposition of an administrative fine does not appear necessary.


81. It argues that it would in any event be appropriate to reduce the amount of the proposed fine, insofar as the alleged breaches are not serious and it has carried out significant compliance work since the start of the sanction procedure.


82. In the light of the relevant criteria provided for in Article 83 of the Regulation, the restricted committee considers, on the contrary, that the imposition of an administrative fine is necessary.


83. In this case, as regards, first, the nature, gravity and duration of the violation, the restricted committee notes that this criterion is characterised for the breach relating to loyalty, since the company provided its customers with information that did not reflect the reality of the processing carried out.


84. Second, with regard to the number of data subjects concerned, the restricted committee emphasises that the breach relating to cookies concerned a significant number of people, since the cookies made it possible to track, in the same way and without distinction, the online behaviour of Pass card subscribers, of any prospects of the company, and also of all Internet users likely to browse its website.


85. In addition, the breaches relating to loyalty and information also concerned all Pass card subscribers, whether or not they are attached to the Carrefour loyalty program, who, according to the elements noted by the inspection delegation, amount to at least […] people.


86. Thirdly, with regard to the measures taken by the controller to mitigate the damage suffered by the data subjects and the degree of cooperation with the supervisory authority, the restricted committee notes the company's full cooperation throughout the sanction procedure and the very significant efforts made to achieve full compliance by the day of the session. It notes that the three breaches have been remedied to date.


87. Regarding the amount of the administrative fine, the restricted committee recalls that in 2018 the company achieved net banking income of 308 million euros and that, pursuant to the provisions of Article 83, paragraph 5, it incurs a financial penalty of a maximum amount of 20 million euros.


88. Therefore, having regard to the financial capacity of the company and the relevant criteria of Article 83, paragraph 2, of the Regulation mentioned above, the restricted committee considers that the imposition of a fine of € 800,000, which would represent only 0.25% of this net banking income, appears to be effective, proportionate and dissuasive at the same time, in accordance with the requirements of Article 83, paragraph 1, of the Regulation.


89. '''In the second place''', concerning the issuance of an injunction, the company maintains that, insofar as it has remedied all the breaches alleged against it, the requests formulated in the proposed injunction subject to a periodic penalty payment are devoid of any basis.


90. The restricted committee notes that, since the company has corrected all the shortcomings noted in the sanction report, the issuance of an injunction is no longer justified.


91. '''Thirdly''', with regard to the publication of this decision, the company maintains that such a measure would not respect the constitutional principle of the necessity of penalties, since it had already undertaken an approach aimed at bringing its situation into compliance with the requirements of data protection regulations. It adds that publication would have particularly damaging consequences in that it could lastingly affect its reputation.


92. The restricted committee considers that the publication of this decision is justified in view of the seriousness of the breaches sanctioned and the number of people concerned.


93. It considers that this measure will make it possible to inform all of the company's customers and prospects of the existence of the various sanctioned breaches, and in particular the breach of the principle of fairness and the breach relating to cookies.


94. Finally, the measure is not disproportionate since the decision will no longer identify the company by name after the expiry of a period of two years from its publication.


95. It follows from all of the above, and from consideration of the criteria set out in Article 83 of the Regulation, that an administrative fine of 800,000 euros, together with an additional sanction of publication for a period of two years, is justified and proportionate.


'''FOR THESE REASONS'''


'''The restricted committee of the CNIL, after having deliberated, decides:'''


· '''to impose on the company CARREFOUR BANQUE an administrative fine of EUR 800,000 (eight hundred thousand euros) for breaches of Article 5, paragraph 1, a), Article 12 and Article 13 of the GDPR and of Article 82 of the Data Protection Act;'''


· '''to make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name after the expiry of a period of two years from its publication.'''


President


Alexandre LINDEN


</pre>
</pre>

Latest revision as of 17:09, 6 December 2023

CNIL - SAN-2020-009
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.11.2020
Published: 26.11.2020
Fine: 800000 EUR
Parties: Carrefour Banque
National Case Number/Name: SAN-2020-009
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: Fra-data67

The French DPA (CNIL) fined Carrefour Banque €800,000 for several violations of the GDPR and French data protection law. The breaches concerned the fairness and transparency of data processing, the accessibility and content of information about the processing, and the unlawful use of cookies.

English Summary

Facts

CARREFOUR BANQUE is a subsidiary owned 40% by BNP PARIBAS SA and 60% by CARREFOUR SA, the parent company of the CARREFOUR group. CARREFOUR BANQUE is a banking company whose main activities are consumer credit, portfolio management, insurance brokerage and investment services.

As part of its activities, the company publishes the website www.carrefour-banque.fr and markets a payment card for customers of the CARREFOUR group, which can be attached to the group's loyalty programme.

Having received several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of data on customers and potential users. The President of the CNIL therefore decided to initiate sanction proceedings against these companies.

Following an online inspection carried out by the CNIL on 5 July 2019, the rapporteur noted several breaches of the GDPR and the French Data Protection law (Loi informatique et libertés).

Dispute

In this case, the French data protection authority investigated several issues:

  • Does the transmission of data by CARREFOUR BANQUE to CARREFOUR FRANCE when a customer joins the loyalty programme comply with the principle of fair and transparent processing contained in Article 5(1)(a) GDPR?
  • Is the information relating to personal data processing operations easily accessible within the meaning of Articles 12 and 13 GDPR?
  • Is the information provided to data subjects throughout the subscription process compliant with the provisions of Article 13 GDPR?
  • Does placing 39 cookies on data subjects' computers before any act of consent or refusal on their part violate Article 82 of the French data protection law?

Holding

The CNIL ordered CARREFOUR BANQUE to pay an administrative fine of €800,000. Insofar as the company took the necessary measures to put an end to the breaches of which it was accused before the end of the proceedings, the CNIL did not issue an injunction against it.

However, in view of the seriousness of the breaches sanctioned and the number of people concerned, the restricted formation pronounced an additional publication sanction for a period of two years.

On the violation of the obligation to fairly process personal data

When a subscriber to the payment card also wanted to join the CARREFOUR loyalty programme, they had to tick a box which stated: “I accept that CARREFOUR BANQUE communicates to CARREFOUR FIDELITE my surname, first name and email. CARREFOUR BANQUE undertakes not to transmit any other information to CARREFOUR FIDELITE”. Nonetheless, the French DPA noticed that CARREFOUR BANQUE also transmitted other information to CARREFOUR FRANCE: postal address, telephone numbers, and the number of children declared by the subscriber.

The French DPA concluded that this was a violation of the principle of fairness within Article 5(1)(a) GDPR, as the information given to data subjects was imprecise and misleading. The French DPA pointed out that, although the GDPR does not define fairness, the principle is linked to the requirement of transparency within Article 12. More specifically, the CNIL highlights that:

  • CARREFOUR BANQUE transmits to CARREFOUR FRANCE more data than those restrictively listed at the time of subscription.
  • CARREFOUR BANQUE mentions CARREFOUR FIDELITE as the recipient of the data communicated by data subjects, whereas this service, attached to the company CARREFOUR FRANCE, had never been presented to the subscriber prior to this mention.

On the lack of accessibility to information on processing of personal data

Quoting Article 12 GDPR, the French DPA distinguishes between:

  • Access to information relating to personal data protection: In this case, the user could access the information relating to the processing of his or her data either by clicking directly on the "Protection of Banking Data" tab at the bottom of the page, or by accessing the Legal Notice, which referred to the privacy policy and thus required several actions by the user. On this point, the CNIL recalls the WP29 guidelines on transparency, according to which data subjects should not have to search for information but should have immediate access to it. The French DPA therefore held that there was a violation of the obligation of transparency under Article 12 GDPR. On the one hand, the vagueness of the title "Protection of Banking Data" does not make it easy for data subjects to understand that this tab refers to personal data protection. On the other hand, with regard to access to the privacy policy via the legal notices, the CNIL notes that users must first undertake several actions before being able to reach this tab.
  • The information provided to data subjects throughout the online subscription process: According to the CNIL, the information provided throughout the payment card subscription process was not easily accessible by data subjects. Although CARREFOUR BANQUE did provide the information expected as first level information on the page presenting the payment card subscription process (identity of the controller, purposes of the processing, description of the rights recognized to data subjects), the CNIL nevertheless emphasizes that CARREFOUR BANQUE neglected to complement these mentions by allowing people to read complete information by means of a link to this information. This was a violation of Article 12.

On the vagueness of data retention periods

Based on Article 13(2)(a) GDPR and the WP29 guidelines on transparency, the CNIL noted that CARREFOUR BANQUE's privacy policy was imprecise and vague about data retention information.

Indeed, the privacy policy contained vague and undefined formulations that confused data subjects as to the extent and nature of the data collected. Furthermore, the information policy did not specify the retention periods for all data and did not specify the criteria used to determine these periods.

On the use of cookies on the website

The French DPA recalls the provisions of Article 82 of the French data protection law (loi informatique et libertés), which requires that any deposit of cookies or tracers must be preceded by the information and consent of users. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means or which are strictly necessary for the provision of an online communication service at the express request of the user.

In this case, the CNIL noted that 31 cookies were automatically deposited on users' devices upon arrival on the site's home page and before any action by the user. More specifically, two of them were intended to trace the user and three of them were intended for advertising targeting.

Concluding that these five cookies do not fall within the scope of the exceptions set out in Article 82 of the French Data Protection law, the CNIL found a breach of Article 82 and underlined that the deposit of these five cookies required the company to obtain the user's prior consent.

Comment

The issue of information to data subjects has an important place in this case. The CNIL reaffirms, in line with the principles of the GDPR and the WP29 guidelines, the standards relating to the quality of the information delivered by controllers to data subjects.

This sanction was issued jointly with CNIL - SAN-2020-008, in which the French DPA imposed a €2,250,000 fine on Carrefour France.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

'''Deliberation of the restricted committee n<sup>o</sup> SAN-2020-009 of November 18, 2020 concerning the company CARREFOUR BANQUE'''

The National Commission for Informatics and Freedoms, meeting in its restricted committee composed of Messrs Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Ms Sylvie LEMMET and Ms Christine MAUGÜE, members;

Having regard to Convention n<sup>o</sup> 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Law n<sup>o</sup> 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular Articles 20 et seq.;

Having regard to Decree n<sup>o</sup> 2019-536 of May 29, 2019 adopted for the application of Law n<sup>o</sup> 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to Deliberation n<sup>o</sup> 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms;

Having regard to Ordinance n<sup>o</sup> 2020-306 of March 25, 2020 relating to the extension of deadlines expired during the health emergency period;

Having regard to Decisions n<sup>o</sup> 2019-081C of April 24, 2019 and n<sup>o</sup> 2019-102C of June 6, 2019 of the President of the National Commission for Informatics and Freedoms instructing the Secretary General to carry out, or have carried out, a mission to verify the processing implemented by or on behalf of the company CARREFOUR and its subsidiaries, and in particular the company CARREFOUR BANQUE;

Having regard to the decision of the Vice-President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted committee, dated November 29, 2019;

Having regard to the report by Mr. Éric PÉRÈS, commissioner rapporteur, notified to the company CARREFOUR BANQUE on January 10, 2020;

Having regard to the written observations made by the board of the company CARREFOUR BANQUE on March 10, 2020;

Having regard to the rapporteur's response to these observations notified by email on April 22, 2020 to the board of the company;

Having regard to the written observations of the board of CARREFOUR BANQUE received on August 24, 2020;

Having regard to the oral observations made during the session of the restricted committee;

Having regard to the other documents in the file;

Were present during the session of the restricted committee of September 17, 2020:

- Mr Éric PÉRÈS, commissioner, heard in his report;

As representatives of CARREFOUR BANQUE:

- […] ;

- […] ;

- […] ;

- […] ;

- […] ;

- […] ;

- […].

The CARREFOUR BANQUE company having spoken last;

The restricted committee adopted the following decision:

I. Facts and procedure

1. CARREFOUR BANQUE is a subsidiary 40% owned by BNP PARIBAS SA and 60% by CARREFOUR SA, parent company of the CARREFOUR group.

2. Created in 1959, the CARREFOUR group (hereinafter the group), whose head office is at 93 avenue de Paris in Massy (91300), has mass retail as its main activity. It is also involved in other areas such as banking and insurance, e-commerce and travel agencies. In 2018, it employed around 360,000 people and had a turnover of 76 billion euros.

3. Based at 1 place Copernic Courcouronnes in Évry Courcouronnes (91080), the company CARREFOUR BANQUE (hereinafter the company) is a banking establishment whose main activities include consumer credit, portfolio management, insurance brokerage and investment services. In 2018, it employed around 300 people and achieved net banking income of 308 million euros.

4. As part of its activities, the company publishes the website www.carrefour-banque.fr (hereinafter the site carrefour-banque.fr). It also markets a payment card intended for customers of the Carrefour group (hereinafter the Pass card), which can be attached to the group's loyalty program.

5. In application of Decisions n<sup>o</sup> 2019-081C of April 24, 2019 and n<sup>o</sup> 2019-102C of June 6, 2019 of the President of the Commission, the CNIL services carried out an online inspection, on July 5, 2019, relating to the carrefour-banque.fr site and the processing implemented from that site, as well as an on-site inspection at the premises of the company CARREFOUR S.A., on July 9, 2019, relating to the processing concerning the Pass card.

6. The purpose of these missions was to verify, in particular, the company's compliance with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the Regulation or the GDPR) and of Law n<sup>o</sup> 78-17 of January 6, 1978, as amended, relating to data processing, files and freedoms (hereinafter the Data Protection Act).

7. During the on-site inspection, the representatives of the CARREFOUR group specified to the delegation that the company CARREFOUR BANQUE is the controller of the two payment programs (debit and credit) of the Pass card, while the company CARREFOUR FRANCE is the controller of the third program, which allows the Pass card to be linked to the SIEBEL database that implements the Carrefour loyalty program.

8. On July 19, 2019, the company sent the inspection delegation the documents requested during the on-site inspection of July 9, 2019, including the count of the number of Pass cards linked to the Carrefour loyalty program.

9. For the purposes of examining these elements, the Vice-President of the Commission appointed Mr. Éric PÉRÈS as rapporteur, on November 29, 2019, on the basis of Article 22 of the Data Protection Act.

10. At the end of his investigation, the rapporteur had a bailiff serve on the company CARREFOUR BANQUE, on January 10, 2020, a report detailing the breaches of the GDPR and of the Data Protection Act that he considered to have been committed in this case.

11. This report proposed that the restricted committee of the Commission issue an injunction to bring the processing into conformity with the provisions of Articles 5, 12 and 13 of the Regulation and of Article 82 of the Data Protection Act, together with a penalty payment, as well as an administrative fine. It also proposed that this decision be made public and that it no longer make it possible to identify the company by name after a period of two years from its publication.

12. On January 29, 2020, the company requested a one-month extension of the deadline within which it had to respond to the report, the postponement of the session initially scheduled for March 24, 2020, as well as a meeting with the rapporteur. On February 3, the president of the restricted committee granted the requested extension for a period of one month. On February 6, the Secretary General of the CNIL granted the request to postpone the session to April 21, 2020. On the same day, the rapporteur refused the meeting requested by the company.

13. On March 10, 2020, through its counsel, the company filed observations and requested that the session before the restricted committee be held in camera.

14. By e-mail of March 23, 2020, and on the basis of Article 40, paragraph 4, of Decree n<sup>o</sup> 2019-536 of May 29, 2019, the rapporteur asked the president of the restricted committee for an additional period of fifteen days to respond to the company's observations.

15. By letter of March 24, 2020, taking note in particular of the context of the health crisis, the president of the restricted committee granted the rapporteur's request.

16. By letter of the same day, the company was informed of the additional time granted to the rapporteur and of the fact that it had, by virtue of paragraph 5 of Article 40 of Decree n<sup>o</sup> 2019-536 of May 29, 2019, a period of one month to respond to the rapporteur's reply. The letter also informed it of the second postponement of the restricted committee session scheduled for April 21, 2020.

17. By e-mail of April 7, 2020, the rapporteur asked the president of the restricted committee for a further additional period of fifteen days to respond to the company's observations, which was granted on April 8, 2020. The company was informed the same day.

18. The rapporteur responded to the company's observations on April 22, 2020.

19. By letter of the same day, the Secretary General of the CNIL informed the company that it could submit its observations in response to the rapporteur's reply until August 24, 2020, in application of Ordinance n<sup>o</sup> 2020-306 of March 25, 2020 relating to the extension of deadlines expired during the health emergency period.

20. On June 30, 2020, the president of the restricted committee granted the company's request for the session to be held in camera, on the grounds that certain elements submitted to the debates were protected by business secrecy, as provided for in Article L 151-1 of the Commercial Code.

21. On August 5, 2020, the CNIL services notified the company of a summons to the session of the restricted committee of September 17, 2020.

22. On August 24, 2020, the company submitted new observations in response to those of the rapporteur.

23. The company and the rapporteur presented oral observations during the session of the restricted committee.

II. Grounds for the decision

A. On the breach of the obligation to process data fairly

24. Under Article 5, paragraph 1, a), of the GDPR: ''Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness, transparency)''.

25. It emerges from the observations made by the delegation of control that when a subscriber of a payment card (Pass card) also wishes to join the Carrefour loyalty program, the company CARREFOUR BANQUE makes several requests to the company CARREFOUR FRANCE including, in particular, a request to join the Carrefour loyalty program.

26. Indeed, during the online inspection, the delegation noted that, in order to join the Carrefour loyalty program, the Pass card subscriber must in particular tick the box at the bottom of the page entitled ''My loyalty rewarded'', which contains the following statement: ''I want to link my Carrefour Loyalty account to my Pass card (or failing that, create and link it). To do this, I accept that Carrefour Banque communicates to Carrefour Fidélité my name, first name and email. Carrefour Banque undertakes not to transmit any other information to Carrefour Fidélité''.

27. It appears from the documents submitted to the delegation during the on-site inspection that the company CARREFOUR BANQUE also transmits to the company CARREFOUR FRANCE, in addition to the surname, first name and email address of the Pass card subscriber mentioned above, their postal address as well as their telephone number(s). When it has this information, it also informs CARREFOUR FRANCE of the number of children declared by the subscriber.

28. The rapporteur therefore considers that the company breached the principle of fairness when it transmitted to the company CARREFOUR FRANCE more personal data concerning Pass card subscribers than those exhaustively listed in the online subscription process.

29. The company replied, first of all, that since the concept of fairness is not defined in the Regulation, the rapporteur could not ask the restricted committee to sanction its violation.

30. It notes, moreover, that the principle of fairness can at most be linked to the obligation of transparency provided for in Article 12 of the Regulation. In this case, it claims to have complied with this requirement of transparency, since the information notice challenged by the rapporteur informs people of the existence of the processing, its purpose and the transfer of this data to third parties.

31. It maintains, finally, that the practices complained of could all the less be qualified as unfair as they result only from a failure to update its website, due to a communication error between the various departments of the two companies.

32. The restricted committee recalls that the principle of fairness is an independent principle provided for in Article 5, paragraph 1, a) of the GDPR, the violation of which by a data controller is likely to give rise to the pronouncement of a corrective measure by the supervisory authority.

33. It notes, in this regard, that this provision must be interpreted in the light of recital 60 of the Regulation, according to which: ''the principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed''.

34. In this case, the restricted panel considers that the information provided in this reference was both imprecise and misleading.

35. First of all, the restricted committee notes that the company CARREFOUR BANQUE mentions ''Carrefour Fidélité'' as the recipient of the data communicated, even though this service, attached to the company CARREFOUR FRANCE, had never before this mention been presented to Pass card subscribers. Thus, the persons concerned could not understand for themselves that their personal data were in fact communicated to a third company, the company CARREFOUR FRANCE.

36. Next, the restricted committee considers that the information provided to the persons concerned was misleading and unfair since the company had expressly indicated, in this same notice of information, that it ''undertakes [to] not transmit any other information to Carrefour Fidélité'' than the names, first names and e-mail address of Pass card subscribers even though this was precisely not the case.

37. The restricted committee therefore considers that a breach of Article 5, paragraph 1, a) of the GDPR has occurred.

38. It notes, however, that on the day of the meeting, the company had completely overhauled the online subscription process for the Pass card and, in particular, rewrote the disputed information. Pass card subscribers wishing to be attached to the Carrefour loyalty program are now informed that personal data concerning them is transmitted to the company CARREFOUR FRANCE and are also informed of the exact nature of the data actually transmitted.

B. On the failure to inform individuals

39. Article 12 of the Regulation provides that: ''the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 […] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language […]''.

40. Article 13 of the same Regulation lists the information that must be communicated to data subjects when personal data are collected from them.

1. Regarding the accessibility of the information

41. '''In the first place''', the rapporteur considers that, as shown by the findings made by the delegation during the online inspection, the information made available to users of the carrefour-banque.fr site through various channels was not easily accessible within the meaning of Article 12 of the Regulation.

42. To read the information provided regarding the processing of their personal data, the user could first of all click on the tab ''Protection of banking data'' appearing at the foot of the site's pages. Alternatively, they could also click on the link ''Legal notices'' at the foot of the site, go to point 3 of these notices, entitled ''3 - Protection and confidentiality of personal data processed by Carrefour Banque'' and, finally, click on the link ''To find out more about our personal data protection policy, see our dedicated page'', which referred to the company's privacy policy entitled ''Protection and confidentiality of personal data processed by Carrefour Banque'', without any other information having been previously provided to the user before reaching this privacy policy.

43. The company maintains that it was perfectly justified in inserting a link to its privacy policy in its legal notices and that, in any case, this information was provided directly ''via'' the tab ''Protection of banking data'' appearing at the foot of the site's pages.

44. The restricted committee recalls that in order to consider that a data controller fulfills his obligation of transparency, the information provided must in particular be ''easily accessible'' to the persons concerned within the meaning of Article 12 of the Regulation.

45. It notes, in this regard, that this provision must be interpreted in the light of recital 61 of the Regulation, according to which: ''the information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject''.

46. In this sense, it shares the position of the G29 presented in the guidelines on transparency within the meaning of the Regulation, adopted in their revised version on April 11, 2018 (hereinafter the guidelines on transparency), which recall that ''the data subject should not have to seek out the information but should be able to access it immediately''.

47. To illustrate how it is possible to meet this accessibility criterion, these same guidelines specify, in the case of an online environment that ''each company with a website should publish a statement or notice on the protection of privacy on its site. A direct link to this privacy statement or notice should be clearly visible on every page of this website under a commonly used term (such as Privacy, Privacy Policy, or Privacy Notice). Text or links whose layout or color choice makes them less visible or difficult to find on a web page are not considered to be easily accessible'' .

48. In the present case, the restricted committee considers, first of all, that the vagueness of the title of the tab ''Protection of banking data'' appearing at the foot of the site's pages, which refers to banking data and not to personal data, could not allow the persons concerned to easily understand that by clicking on this link they would be redirected to the site's privacy policy, containing information relating to the processing of their personal data. Indeed, for the general public, a large part of the data processed (address, number of children, etc.) is not banking data.

49. Next, regarding the second information channel, users of the carrefour-banque.fr site could not guess by themselves that the link to the site's privacy policy was inserted in the site's legal notices. Thus, to reach this privacy policy, users would, in a number of cases, first have to undertake several actions, such as, for example, clicking on the links ''Accessibility'' or ''General terms of sale'' also appearing at the foot of the home page, before finally clicking on the link ''Legal notices''.

50. It follows that the information provided to users of the carrefour-banque.fr site was not ''easily accessible''.

51. '''In the second place''', the rapporteur considers that the information relating to the Pass card provided as part of the online subscription process on the carrefour-banque.fr site, as observed during the online inspection, was not ''easily accessible'' either, since subscribers to this card did not have complete information relating to the processing of their data on the presentation page of the subscription process and were not invited to read more complete information either, for example by means of a hypertext link to additional information notices.

52. The company maintains that such a link already existed through the tab ''Protection of banking data'' appearing at the foot of the site's pages.

53. The restricted committee emphasizes that according to the principle of transparency, as recalled in particular in recital 61 of the GDPR, information must be communicated to people at the time the data is collected.

54. As an example, the G29 Transparency Guidelines state that, in an online context, ''a link to the privacy statement or notice should be provided at the point of collection of personal data, or that this information can be viewed on the same page as the one where the personal data is collected'' .

55. In the present case, the findings show that the company has chosen to adopt information at several levels.

56. In this regard, while the company did provide, on the presentation page of the Pass card subscription process, the information expected as first-level information, namely the identity of the data controller, the main purposes of the processing and a description of the data protection rights, the restricted committee notes on the other hand that the company had neglected to complete these mentions by allowing people to read complete information by inserting, for example, a hypertext link to second-level information, in this case to the company's privacy policy, which is supposed to detail all of the information required by Article 13 of the Regulation.

57. With regard to the tab ''Protection of banking data'' put forward by the company, the restricted committee noted that this tab did not appear at the foot of the pages of the online subscription process for the Pass card, and recalls that, in any case, its title would not have enabled the people concerned to easily understand that by clicking on this link they would be redirected to the company's privacy policy.

58. Thus, the data subjects were not informed, at the time their personal data was collected, of all the information relating to the processing. As a result, the information provided to Pass card subscribers on the carrefour-banque.fr site was not ''easily accessible''.

59. The restricted committee therefore considers that the company breached the provisions of Article 12 of the Regulation.

60. It notes, however, that on the day of the session the company had completely overhauled its website, and that the information now provided both to users of the site and to Pass card subscribers meets the requirements of Article 12 of the Regulation.

2. Regarding the content of the information

61. The rapporteur considers that the company's privacy policy, entitled ''Protection et confidentialité des données personnelles traitées par Carrefour Banque'' and accessible in the manner described above, was both imprecise and incomplete as regards the information on retention periods. Thus, on the one hand, the policy contained formulations that were too vague to allow defined periods to be identified and, on the other hand, the company gave no information concerning certain data it nonetheless stated it collected, such as data on online behaviour, habits and consumption preferences collected by the cookies placed on users' terminals from its website. Furthermore, the company did not specify whether or not it archived data subjects' data.

62. The company disputes that its information on retention periods was imprecise and argues that the information relating to cookies was available in another section of its ''Mentions légales''.

63. The restricted committee recalls that under Article 13(2)(a) of the Regulation, the controller provides the data subject with information on ''the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period''.

64. By way of clarification, the above Transparency Guidelines recommend that ''the retention period [be] formulated in such a way that the data subject can assess, depending on the situation in which they find themselves, what the retention period will be for specific data or for specific purposes. The controller cannot simply state in general terms that the personal data will be kept for as long as the legitimate purposes of the processing require. Where appropriate, different retention periods should be mentioned for the different categories of personal data and/or the different processing purposes, including periods for archival purposes''.

65. In the present case, the restricted committee emphasizes, first of all, that the use of vague and undefined formulas such as ''the applicable legal limitation periods'' or ''the retention of your data by Carrefour Banque varies according to the applicable regulations and laws'', or of expressions such as ''by way of example'' or the adverb ''in particular'', necessarily made it difficult for data subjects to understand the extent and nature of the data stored as well as the retention periods applied to that data.

66. It adds, next, that the information was also incomplete insofar as the company neglected to specify the retention periods applicable to all the data processed, or did not specify the criteria used to determine those periods. Thus, the company did not specify that it archived contractual data for five years, the applicable legal limitation period, in the event of litigation. In addition, it did not specify the retention periods for the data collected by cookies: although the ''Legal Notice'' of the site did include a paragraph on cookies, that paragraph did not specify the retention periods for the data collected by those cookies.

67. The restricted committee therefore considers that a breach of Article 13 of the Regulation was established.

68. It notes, however, that on the day of the session the company had completed its information notices, and that its privacy policy now meets the requirements of Article 13 of the Regulation.

C. On the breach relating to cookies

69. Article 82 of the Data Protection Act (formerly Article 32.II, in identical wording at the date of the findings) requires that users be informed and that their consent be obtained before any operation to access information already stored in their terminal equipment or to store information in it. Any placement of a cookie or other tracker must therefore be preceded by the information and consent of users. This requirement does not apply to cookies whose ''sole purpose is to allow or facilitate communication by electronic means'' or which are ''strictly necessary for the provision of an online communication service at the express request of the user''.

70. The rapporteur considers that the company did not comply with these provisions, since it was found during the online inspection that, on arriving on the carrefour-banque.fr website, several cookies not falling within the two cases recalled above were placed on the user's terminal as soon as the site's home page was loaded and before any action on the user's part.

71. The company does not dispute these facts.

72. The restricted committee notes, in the present case, that thirty-one cookies were placed automatically upon arrival on the site's home page and before any action by the user.

73. The restricted committee observes that five of these cookies (the ''MUIDB'', ''GPS'', ''gid'', ''_ga'' and ''_gat_trackerBanque'' cookies) had neither the exclusive purpose of allowing or facilitating electronic communication, nor were they strictly necessary for the provision of a service expressly requested by the user.

74. Regarding, first of all, the three cookies ''gid'', ''_ga'' and ''_gat_trackerBanque'', known as ''Google Analytics'' cookies, the restricted committee emphasizes that it is not disputed that the data collected by these cookies can be cross-referenced with data from other processing operations to pursue purposes other than those exempted by Article 82 of the Data Protection Act, in particular to carry out personalized advertising. Indeed, it emerges from the practical guide on linking Analytics and Google Ads accounts, posted on one of Google's sites, that ''the integration of Google Analytics in Google Ads (…) allows [advertisers] to know precisely how many of [their] ads translate into conversions, and then quickly adjust creatives and bids accordingly. [Advertisers can] also combine products to identify [their] most valuable segments and then engage those users with personalized messages''.

75. As regards, next, the ''MUIDB'' and ''GPS'' cookies, the restricted committee notes that these two cookies are tracking cookies, the first allowing a user to be tracked across different domain names belonging to Microsoft, the second storing an identifier on the user's terminal in order to geolocate them. Therefore, the placement of these five cookies should have required the company to obtain the user's prior consent.

76. The restricted committee therefore considers that a breach of Article 82 of the Data Protection Act was established.

77. It notes, however, that on the day of the session the company had completely overhauled its cookie policy. These changes have led, in particular, to the automatic placement of cookies upon arrival on the site's home page being stopped since March 4, 2020.

III. On corrective measures and publicity

78. Under III of Article 20 of the Data Protection Act:

''When the controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the Commission Nationale de l'Informatique et des Libertés may also, where appropriate after having sent the warning provided for in I of this article or, where appropriate in addition to a formal notice provided for in II, refer the matter to the restricted committee with a view to its pronouncing, after adversarial proceedings, one or more of the following measures: […]''

''7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of an undertaking, 2% of the total worldwide annual turnover for the preceding financial year, whichever is higher. In the cases mentioned in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same Article 83.''

79. Article 83 of the GDPR provides:

''1. Each supervisory authority shall ensure that administrative fines imposed under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.'' 

''2. Depending on the specific characteristics of each case, administrative fines are imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken in each individual case of the following:'' 

''(a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;''

''(b) whether the violation was committed willfully or negligently;''

''(c) any measure taken by the controller or the processor to mitigate the damage suffered by the data subjects;''

''(d) the degree of responsibility of the controller or the processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32;''

''(e) any relevant breach previously committed by the controller or processor;''

''(f) the degree of cooperation established with the supervisory authority with a view to remedying the violation and mitigating any negative effects thereof;''

''(g) the categories of personal data affected by the breach;''

''(h) how the supervisory authority became aware of the breach, including whether, and to what extent, the controller or processor notified the breach;''

''(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures;''

''(j) the application of codes of conduct approved under Article 40 or certification mechanisms approved under Article 42; and''

''(k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the violation.''

80. '''In the first place''', concerning the proposed sanction, the company maintains that since the breaches relating to loyalty and information are not established, the imposition of an administrative fine does not appear necessary.

81. It argues that it would in any event be appropriate to reduce the amount of the proposed fine, insofar as the alleged infringements are not serious and it has undertaken, since the start of the sanction procedure, significant compliance work.

82. In the light of the relevant criteria provided for in Article 83 of the Regulation, the restricted committee considers, on the contrary, that the imposition of an administrative fine is necessary.

83. In this case, as regards, first, the nature, gravity and duration of the violation, the restricted committee notes that this criterion is met for the breach relating to loyalty, since the company provided its customers with information that did not reflect the reality of the processing carried out.

84. Second, with regard to the number of people concerned, the restricted committee emphasizes that the breach relating to cookies concerned a significant number of people, since the cookies made it possible to track in the same way, without distinction, the online behaviour of Pass card subscribers and of any prospects of the company, as well as of all Internet users likely to browse its website.

85. In addition, the breaches relating to loyalty and information also concerned all Pass card subscribers, whether or not they are enrolled in the Carrefour loyalty program, who, according to the elements noted by the inspection delegation, amount to at least […] people.

86. Thirdly, with regard to the measures taken by the controller to mitigate the damage suffered by the data subjects and the degree of cooperation with the supervisory authority, the restricted committee notes the full cooperation of the company throughout the sanction procedure and the very significant efforts made to achieve full compliance by the day of the session. It notes that the three breaches have been corrected to date.

87. Regarding the amount of the administrative fine, the restricted committee recalls that in 2018 the company achieved net banking income of 308 million euros, and that under the provisions of Article 83(5) it incurs a financial penalty of a maximum amount of 20 million euros.

88. Therefore, having regard to the financial capacity of the company and the relevant criteria of Article 83(2) of the Regulation mentioned above, the restricted committee considers that the imposition of a fine of € 800,000, which would represent only 0.25% of this net banking income, appears to be at once effective, proportionate and dissuasive, in accordance with the requirements of Article 83(1) of the Regulation.

89. '''In the second place''', concerning the issuance of an injunction, the company maintains that, insofar as it has remedied all the breaches alleged against it, the requests made under the proposed injunction with a periodic penalty payment are without foundation.

90. The restricted committee notes that, since the company has corrected all the breaches noted in the sanction report, the issuance of an injunction is no longer justified.

91. '''Thirdly''', with regard to the publication of this decision, the company maintains that such a measure would not respect the constitutional principle of the necessity of penalties, since it had already undertaken an approach aimed at bringing its situation into compliance with the requirements of data protection regulations. It adds that publication would have particularly damaging consequences, in that it could affect its reputation in a lasting way.

92. The restricted committee considers that the publication of this decision is justified in view of the seriousness of the breaches sanctioned and the number of people concerned.

93. It considers that this measure will make it possible to inform all of the company's customers and potential prospects of the existence of the various breaches sanctioned, and in particular the breaches relating to loyalty and to cookies.

94. Finally, the measure is not disproportionate, since the decision will no longer identify the company by name after the expiry of a period of two years from its publication.

95. It follows from all of the above, and from consideration of the criteria set out in Article 83 of the Regulation, that an administrative fine in the amount of 800,000 euros, together with an additional publication sanction for a period of two years, is justified and proportionate.

'''FOR THESE REASONS'''

'''The restricted committee of the CNIL, after having deliberated, decides to:'''

· '''impose on the company CARREFOUR BANQUE an administrative fine of 800,000 (eight hundred thousand) euros for breaches of Articles 5(1)(a), 12 and 13 of the GDPR and Article 82 of the Data Protection Act;'''

· '''make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name after the expiry of a period of two years from its publication.'''

President

Alexandre LINDEN