CNIL (France) - SAN-2021-012

From GDPRhub
CNIL (France) - SAN-2021-012
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 14 GDPR
Article 28 GDPR
Article 28(3) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 26.08.2021
Published: 28.08.2021
Fine: 400000 EUR
Parties: Monsanto Company
National Case Number/Name: SAN-2021-012
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: Marco Vermeil

The French DPA fined Monsanto €400,000 for creating files containing the personal data of more than 200 French and European political figures for the purpose of lobbying, without informing the data subjects, and without executing a data processing agreement with the relevant processor.

English Summary

Facts

In May 2019, several media outlets revealed that the Monsanto company was processing personal data of more than 200 public figures like politicians, journalists and scientists involved in the glyphosate debate.

At the same time, the French DPA CNIL received seven complaints from data subjects whose personal information was included in Monsanto's filing system.

The investigation revealed that (i) the filing system had been created on behalf of Monsanto by several companies specialized in public relations and lobbying; (ii) the filing system contained different information about the data subjects including job description, professional email address, mobile phone number, and sometimes Twitter account. Furthermore, (iv) a rating was given to every data subject, to estimate their influence and their support to Monsanto's activities.

Holding

On the information of data subjects

The DPA found that the creation of contact files for the purpose of lobbying is not illegal in itself. However, the DPA found that the company had violated Article 14 GDPR for not having provided the data subjects with the mandatory information as soon as possible. Indeed, even if consent from those public figures was not necessary, they still had to be informed, so they could exercise their rights and especially their right to object.

The DPA found that data subject were informed of the existence of the filing system only in 2019, after revelations in the media, even though the Monsanto company had all of their contact information. The DPA also reminded that the fact of not informing the data subject of the existence of a processing harms the exercise of their others rights guaranteed under the GDPR.

On the absence of judicial document between the controller and the processors

The DPA found that the company had violated Article 28 GDPR. As a controller, Monsanto had to lead by a judicial document the processing realised by its processor, especially to guarantee security measures. The DPA found that no contract between the companies contained the terms provided by Article 28(3) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details. 

Deliberation of restricted training no. SAN-2021-012 of July 26, 2021 concerning company x

Deliberation of restricted training no SAN-2021-012 of July 26, 2021 concerning company X

The National Commission for Information Technology and Liberties, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Anne DEBET, Mr. Bertrand du MARAIS and Ms. Christine MAUGÜE, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms as amended, in particular its articles 20 et seq.;

Considering Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to referrals n°19009370, 19009429, 19009432, 19009439, 19009604, 19009666, 19017095;

Having regard to decision no. 2019-098C of May 13, 2019 of the President of the National Commission for Information Technology and Freedoms to instruct the Secretary General to carry out or have carried out a mission to verify the processing implemented by the company Y, which became, from January 1, 2017, the company XY;

Having regard to decision no. 2019-099C of May 13, 2019 of the President of the National Commission for Information Technology and Freedoms to instruct the Secretary General to carry out or have carried out a mission to verify the processing implemented by the company XX;

Having regard to decision no. 2019-111C of June 26, 2019 of the President of the National Commission for Information Technology and Freedoms to instruct the Secretary General to carry out or have carried out a mission to verify the processing implemented by the company X;

Having regard to the decision of the President of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated November 5, 2020;

Having regard to the report of Ms. Valérie PEUGEOT, commissioner rapporteur, notified, at the request of the companies, to the company ZZ, coming to the rights of the company X on February 15, 2021;

Having regard to the written observations submitted by the council of company X on March 15, 2021;

Considering the response of the rapporteur to these observations notified to the board of company X on April 9, 2021;

Considering the new written observations submitted by the council of company X, received on May 5, 2021;

Considering the oral observations made during the restricted training session;

Considering the other documents in the file;

Were present during the restricted training session on May 20, 2021:

- Mrs. Valérie PEUGEOT, commissioner, heard in her report;

As representatives of company X:

[ …]

As an interpreter:

[…]

Company X having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

1. Company X (hereinafter “Company The X group was acquired in June 2018 by the German ZZ group.

2. Company

3. During the month of May 2019, an article published in the newspaper " [...]" as well as two documentaries broadcast on the channel " [...]" revealed that between 2016 and 2017, companies Y (which became company XY) and company XX had created, on behalf of company of the environmental cause, scientists and farmers, as part of the campaign for the renewal of the authorization for the use of [...] by the European Commission.

4. Between May and September 2019, the National Commission for Information Technology and Liberties (hereinafter “the CNIL” or “the Commission”) received seven complaints (referrals nos. 19009370, 19009429, 19009432 , 19009439, 19009604, 19009666, 19017095) against the company in which the complainants indicated in particular that they had not been informed of the existence of this processing of their personal data.

5. Pursuant to decisions No. 2019-098C and No. 2019-099C of May 13, 2019 and No. 2019-111C of June 26, 2019 of the President of the Commission, a delegation from the CNIL carried out the following control operations :

- a documentary check, by sending a letter requesting documents on May 15, 2019 to company Y (which became company XY on January 1, 2017);

- a hearing of company Y on January 21, 2020;

- a documentary check, by sending a letter requesting documents on May 14, 2019, to company XX;

- a documentary check, by sending a questionnaire on August 6, 2019, to company X.

6. The purpose of these missions was to verify compliance by these companies with all the provisions of Law No. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter "the Data Protection Act” or “the law of January 6, 1978”) and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter “the GDPR” or “the Regulation”). In particular, this involved carrying out investigations in connection with the processing carried out at the request of company organize personal data with a view to carrying out a mission of representing interests concerning the use of [...] in Europe and around the world.

7. It emerges from the investigations carried out by the CNIL control delegation that, through a framework contract for the provision of services dated July 18, 2013, supplemented by three amendments and four specifications, company Y - which became the company XY on January 1, 2017 - a mission to represent interests concerning the use of [...] in Europe and around the world, from 2016 until May 31, 2019.

8. Indeed, among its activities, the company develops and markets phytosanitary products. The best known of them is […], one of the active substances of which is […]. With a view to the renewal of the authorization of [...] by the European Commission, which finally took place on November 27, 2017, company .

9. As part of this service, company Y carried out the identification and inventory of information relating to personalities involved in the debate on the renewal of the authorization to use [...] in Europe , which notably resulted in the development and maintenance of a list of “stakeholders” involved in this campaign. This file, entitled " [...]", included a list of 201 people residing in France, including members of environmental protection associations, farmers' associations, associations in the field of health, professional organizations, political figures, members of administrations, journalists, academics and farmers. For each of these people, the following information was provided: home organization and website, position held, professional address, professional landline number, mobile telephone number, professional email address and, where applicable, Twitter account ".

10. In addition, a score ranging from 1 to 5 was assigned to each person, in order to assess their influence, credibility and support for company genetically modified organisms, environment, food and health.

11. The file also included a free comment area in which the events these people had attended or which they had organized, the people with whom they worked, the contacts they had had with representatives of the company could be indicated. X or the articles they had published on the subject of [...].

12. In addition, between 2016 and 2017, company Y notably commissioned company XX, on behalf of company X, to identify influential people in the public debate in France, to produce analysis notes relating to electoral trends in France and to monitor the media on French legislative and political news in connection with the debate on the renewal of the authorization for the use of [...] in Europe. Company Y ended the mission of company XX in April 2017.

13. In order to examine these elements, the President of the Commission appointed Ms. Valérie PEUGEOT as rapporteur, on November 5, 2020, on the basis of article 22 of the law of January 6, 1978 as amended.

14. At the end of her investigation, the rapporteur had a bailiff serve on company Also attached to the report was a summons to the restricted training session on April 1, 2021, indicating to the company that it could produce its observations in response no later than March 16, 2021.

15. This report proposed to the restricted panel of the Commission to impose an administrative fine on company X. He also proposed that this decision be made public and no longer allow the company to be identified by name at the end of a period of two years from its publication.

16. On March 15, 2021, the company filed comments in response. On March 23, 2021, the rapporteur asked the president of the restricted formation, on the basis of article 40, paragraph 4, of decree no. 2019-536 of May 29, 2019 taken for the application of the Data Protection Act (hereinafter "the decree of May 29, 2019"), additional time to respond to the company's observations, which was granted to it on March 25, 2021. This information was brought to the company's attention the same day. She was also informed that the restricted training session initially scheduled for April 1 was postponed to a later date.

17. On March 23, 2021, the company made a request for the session of the restricted panel to be held behind closed doors, a request which was rejected by the president of the restricted panel, by letter of April 8, 2021.

18. The rapporteur responded to the company's observations on April 9, 2021. The same day, the secretary general of the CNIL informed the company that the restricted training session would be held on May 20, 2021.

19. On May 5, 2021, the company presented new observations in response to those of the rapporteur.

20. The company and the rapporteur presented oral observations during the restricted training session.

II. Reasons for decision

A. On the complaint relating to the impartiality of the procedure

21. Company XX during the checks would not have been transmitted to him. She also underlines that neither the CNIL services nor the rapporteur carried out her hearing while company Y was heard by the CNIL control delegation. It further emphasizes that company Y had every interest in attributing responsibility for the processing implemented to company X.

22. The company also criticizes the rapporteur for having only retained evidence against it and for having excluded certain documents from the debates. She further notes that certain documents annexed to the rapporteur's report have been partially obscured, thus depriving her of the right to effectively prepare her defense. In particular, the company complains that the impact study carried out by company Y was not communicated to it. It further notes that the audit report carried out by the company YY following the publication of the press articles and the broadcast of the reports, an audit which was carried out at the request of the company zz and whose report demonstrates the absence of the disputed file within the information system of company X, is not discussed by the rapporteur.

23. First of all, the restricted panel notes that the minutes of the hearing of the representatives of company Y, carried out by the CNIL control delegation on January 21, 2020, are part of the documents annexed to the sanction report which was was notified to the company on February 15, 2021 as well as all the other documents on which the rapporteur based her analysis and her proposal as part of the procedure. Thus, as provided for in Article 40 of Decree No. 2019 536 of May 29, 2019, the company had the opportunity to make written observations in response to the rapporteur's report and therefore to question any declaration made by company Y which she considered to be erroneous or misleading. Moreover, the restricted training emphasizes that the company also had the opportunity to produce new observations in response to those of the rapporteur and, finally, it was able to develop its arguments during the session of the restricted training of 20 May 2021, in accordance with article 42 of the aforementioned decree. Company X was therefore able to submit its observations at different stages of the procedure, in accordance with the applicable provisions.

24. Secondly, the restricted panel notes that the choice of the rapporteur to annex to her sanction report only the elements useful for characterizing the breaches which she considered the company to be accused of, and not all of the elements collected as part of the control procedures, in no way hinders the company's rights of defense. Indeed, on the one hand, the rapporteur was able to freely consider that certain documents were not useful for her demonstration and, on the other hand, as explained in the previous point, the adversarial procedure organized by the “Informatique et Libertés” law. and the decree taken for its application allowed the company to produce any document it considered useful to its defense.

25. Concerning the fact that certain documents communicated by the rapporteur contain concealments, the restricted panel notes that the rapporteur indicated that these concealments related to information protected by business secrecy, unrelated to this procedure, or to personal data. The restricted panel also notes that during its response to the company's observations dated April 9, 2021, the rapporteur finally communicated to the company several of these documents in their full version.

26. The restricted panel recalls, moreover, that it was not made recipient of the unhidden versions of these documents, so that it is not aware of any additional element which would not have been communicated to the company as part of the procedure. In any event, the restricted panel specifies that the concealments in question in no way distorted its understanding of the case and had no impact on its decision-making.

27. Thirdly, with regard to the absence of a hearing of the company, the restricted panel firstly notes that a documentary inspection of company X was carried out by a delegation from the CNIL, which This is translated by sending a questionnaire asking about the implementation of the processing in question, to which the company responded. The restricted panel thus observes that the company was heard during the procedure, in compliance with the applicable legal provisions, the documentary control constituting one of the four forms of control provided for by article 19 of the Data Protection Act. Freedoms. Then, it recalls that the hearing by the rapporteur of the body against which a sanction procedure has been initiated is only an option which is offered to the rapporteur by article 39 of the aforementioned decree and not an obligatory step of the procedure. The restricted panel further notes that the company did not request a hearing directly from the rapporteur either.

In view of the above, the restricted panel considers that the procedure followed in the present proceedings is not tainted by irregularity.

B. On the status of data controller of company X

28. Under Article 4 (7) of the GDPR, the data controller is defined as "the natural or legal person, public authority, service or other body which, alone or jointly with others , determines the purposes and means of the processing.

29. The rapporteur considers that in this case, company takes place and how its objective is to be achieved. Indeed, the file in question was intended to enable company ] by the European Commission. She thus recalls that it is to achieve this objective that she decided to entrust to company Y all activities linked to public relations and the reputation of the company and, more particularly from 2016, a mission representation of interests concerning the use of [...] in Europe and in the world and that it is within the framework of this mission that the file named " [...] " was established.

30. In defense, the company considers that responsibility for the processing fell exclusively to company Y and that the rapporteur confuses the notions of beneficiary of a service and that of data controller. She emphasizes that it was company Y which, in its capacity as a company specializing in consulting and public relations, constructed the file autonomously, according to a methodology that it itself defined, then which proposed to Company X.

31. The company emphasizes that it is because of the expertise of company Y that it used its services and that the creation of lists of names is a common practice in this sector of activity. She recalls that she never gave instructions to company Y as to how to carry out this mission and that she only reacted to the proposals made by the latter.

32. Company X further explains that, dissatisfied with the result obtained, it never used the file in question. However, she notes that if she had acted as data controller, she would have asked company Y to modify the file as she saw fit in order to obtain a result more in line with her expectations.

33. The company further indicates that company Y presents itself on its website as the data controller of the data processed within the framework of the missions entrusted to it by its clients. It also recalls that it was company Y which responded to the requests to exercise the rights of the data subjects in connection with the processing in question.

34. Firstly, the restricted training recalls that the data controller is the person who determines the purposes of the processing implemented, that is to say the expected or sought result, and the means of this processing, i.e. that is, how to achieve this result.

35. The notions of data controller and processor are clarified by the European Data Protection Board (hereinafter "the EDPS") in its guidelines 07/2020 adopted on September 2, 2020 and subject to public consultation . The EDPS states that "Determining the purposes and means amounts to deciding respectively the "why" and the "how" of the processing: with regard to a particular processing operation, the controller is the actor who determined why the processing takes place (i.e. "for what purpose" or "for what purpose") and how this aim is to be achieved (i.e. what means are to be used to achieve the aim ).A natural or legal person who exercises such influence over the processing of personal data thus participates in determining the purposes and means of such processing in accordance with the definition in Article 4(7) of the GDPR. controller must decide both the purpose and the means of processing described below. Therefore, the controller cannot determine only the purpose. He must also make decisions on the means of processing. Conversely, the party acting as processor can never determine the purpose of the processing.

36. In the present case, it is not disputed that company It is in order to achieve this objective that the company decided that the way to achieve this was to launch an interest representation campaign for the purposes of which it was necessary to establish the mapping of the stakeholders in the debate on the renewal of the authorization for the use of [...] in the European Union. It is to achieve this result that company X called on company Y, a company specializing in activities related to public relations.

37. The restricted panel notes that by a framework contract for the provision of services dated July 18, 2013 (exhibit no. 14 annexed to the sanction report), company public relations and strategic communications consulting agency, missions linked to the reputation of the company. From the signing on August 5, 2016 of amendment no. 13 (exhibit no. 17 annexed to the sanction report), company Y was more specifically responsible for establishing the list of "stakeholders". ) as part of the campaign for the renewal of the authorization of [...] in Europe.

38. The need for company is to add an additional layer to the stakeholder mapping in order to have a clearer picture of who is currently discussing [...], what they are saying about it and where they are saying it" (free translation). This request was included in amendment no. 7 dated October 15, 2016 (exhibit no. 16 annexed to the sanction report), which was renewed numerous times until May 31, 2019. It thus appears that the company Y was explicitly required to establish the list of stakeholders as part of the campaign for the renewal of the authorization of [...] in Europe.

39. Secondly, the restricted panel notes that, contrary to what Company stakeholders involved in the debate on [...], an activity which notably resulted in the development of the file in question. Furthermore, the very regular exchanges between the two companies show that company to the organization of meetings involving representatives of the two companies. The documents annexed to the sanction report thus attest to the involvement of company company X to monitor the progress of the tasks entrusted to Y and the delivery of the work completed or in progress.

40. The restricted panel considers that these exchanges demonstrate that company Y reported to company management power over the activities of company Y, thus depriving it of the autonomy normally enjoyed by a data controller. These elements demonstrate that company Y acted as a subcontractor of company X, within the meaning of article 4(8) of the GDPR.

41. The restricted panel finally notes that the circumstance that company on the fact that it was she who, through the directives given to Y, defined in advance the purposes and means of the processing which was implemented with a view in particular to establishing this file.

42. Thirdly, the restricted panel considers that it cannot be inferred from the mere fact that company Y proposed a stakeholder monitoring strategy to company X that the latter can be qualified as a data controller.

43. The restricted panel emphasizes on the contrary that it is the fact for company X, the ordering company, to decide to accept the proposal made by company Y, and to contractually ask it to carry out operations on its behalf as a provider, who made the treatment possible. Indeed, if company X had refused this proposal, company Y would not have implemented this treatment. It follows from the case law of the Court of Justice of the European Union (CJEU) that the fact of resorting to processing of personal data which has been designed by another actor and on which the sponsor can only make certain settings ( CJEU, June 5, 2018, Wirtschaftsakademie Schleswig-Holstein, C-210/16), or even no configuration (CJEU, July 29, 2019, Fashion ID GmbH & Co. KG, C-40/17) does not exempt anyone who resorts to this processing in its capacity as data controller. The Court also specifies that "a natural or legal person who influences, for their own purposes, the processing of personal data and therefore participates in determining the purposes and means of this processing, may be considered to be responsible for the processing, within the meaning of Article 2(d), of Directive 95/46" (CJEU, July 10, 2018, Tietosuojavaltuutettu/Jehovan todistajat, C-25/17).

44. Finally, the restricted panel considers that the fact of company Y having responded to requests for access rights does not necessarily qualify it as a data controller. Indeed, article 28-3-e of the GDPR provides that the subcontractor "helps the data controller, through appropriate technical and organizational measures, to the greatest extent possible, to fulfill its obligation to provide following requests made by the persons concerned in order to exercise their rights. Thus, with regard to the specificities of the processing, the subcontractor can itself respond to people's requests if this measure allows better respect for people's rights. It is also common for it to be the subcontractor who is best able to process requests to exercise rights.

The restricted panel therefore considers, taking into account these elements, that company X must be qualified as data controller.

C. On the competence of the CNIL

45. Article 55-1 of the GDPR provides that “each supervisory authority is competent to exercise the missions and powers with which it is vested in accordance with this regulation in the territory of the Member State to which it falls”.

46. Article 8-2° of the Data Protection Act further specifies that “the National Commission for Information Technology and Freedoms (…) ensures that the processing of personal data is implemented in accordance with the provisions of this law and other provisions relating to the protection of personal data provided for by legislative and regulatory texts, European Union law and France's international commitments".

47. Thus, the CNIL is competent to ensure, on French territory, that the processing operations to which the provisions of the GDPR or the amended one of January 6, 1978 apply are implemented in accordance with the provisions of these texts.

48. Firstly, Article 3-1) of the GDPR provides “this regulation applies to the processing of personal data carried out within the framework of the activities of an establishment of a data controller or a processor within the territory of the Union, whether or not the processing takes place in the Union".

49. It follows that the CNIL is competent to ensure compliance with the provisions of the GDPR of the processing of personal data implemented within the framework of the activities of an establishment of a subcontractor of a data controller. , when this establishment is located in France.

50. In the present case, the restricted panel notes that it appears from the documents in the file that the subsidiary of the company Y INC. based in Paris, the company Y France (now XY), was notably involved in the processing of personal data corresponding to the identification and mapping of stakeholders in the debate on the renewal of the authorization of the [...] ], which resulted in the creation of the file [...] "(exhibit no. 13 annexed to the sanction report).

51. The CNIL is therefore competent, on the basis of article 3-1) of the GDPR, to examine the processing of personal data implemented within the framework of the establishment of the file "[...] " by the company Y France.

52. Secondly, under Article 3(2)(b) of the GDPR, the provisions of the Regulation apply "to the processing of personal data relating to data subjects who are located in the territory of the GDPR Union by a controller or a processor who is not established in the Union, when the processing activities are linked (…) to the monitoring of the behavior of these persons, insofar as it concerns 'behavior which takes place within the Union'.

53. Furthermore, article 3 of the Data Protection Act provides that “the national rules taken on the basis of the provisions of the same regulation referring to national law the care of adapting or supplementing the rights and obligations provided for by this regulation apply when the person concerned resides in France, including when the data controller is not established in France.

54. It follows from these provisions that the CNIL is competent to ensure compliance with the provisions of the Data Protection Act and the GDPR with regard to the processing of personal data relating to the monitoring of the behavior of persons since these persons reside in France, in the event of tracking activity based on individual profiles, regardless of where the data controller is established.

55. In view of the above, the restricted panel notes that as part of its mission of representing interests on behalf of company stakeholders involved in the debate on the renewal of the authorization for the use of [...] in the European Union. The processing thus implemented proceeds from monitoring the behavior of the persons concerned within the meaning of the provisions of article 3-2)-b) of the GDPR and therefore falls within the territorial scope of the GDPR and the provisions of the Data Protection Act. and Freedoms, regardless of the place of establishment of the data controller.

D. On the applicability of the GDPR to the facts of the case

56. The rapporteur underlines that the processing of personal data corresponding to the identification and mapping of the stakeholders in the debate on the renewal of the authorization of [...], which took the form in particular of the development of the file [...] ", began in 2016 but continued until 2019, i.e. after the entry into application of the GDPR, as explicitly emerges from the specifications of the addendum No. 7, signed on October 15, 2016 and renewed numerous times until 2019.

57. The rapporteur considers that the alleged absence of modification of the file after 2017 cannot succeed insofar as the modification is not the only processing operation capable of prolonging the characterization of the breaches. It notes that under Article 4(2) of the GDPR, storage, copying or consultation constitute processing operations. She recalls on this point that company X was the recipient of the file in question and kept it as part of the archiving of its employees' emails.

58. However, the rapporteur notes that at a minimum, the reception, consultation and conservation of a file including personal data, established as part of processing whose purposes and means have been defined by the The interested party constitutes, for this data controller, a processing operation.

59. The rapporteur therefore considers that, the retention of the file by the company having continued over a long period of time, some of the breaches committed by the company are continuous breaches which began before the entry into force of the GDPR but continued afterwards.

60. The company considers for its part that the GDPR is not applicable to the facts of the case insofar as the disputed file, named " [...] " dates, in its most complete version, from August 22 2016. It notes that even if the restricted training was based on the declarations of company Y, which indicated to the CNIL that the file had not been updated after April 2017, the applicable law would be that in force at that time, and not the GDPR. She also emphasizes that companies Y and XX are not able to produce this file in an updated version after August 2016 or even find discussions on this subject. The company also indicates that the metadata of the file shows that it was last updated on December 19, 2016.

61. The company then emphasizes that amendment no. 7 which supplemented the framework contract for the provision of services concluded with company Y was signed in October 2016, i.e. after the creation of the file, and that this amendment could not therefore not concern the creation of the file in question. It further notes that the subsequent continuation of commercial relations with company Y does not imply that the processing linked to the file continued, given that the relations between the two companies were not simply limited to this processing. Finally, it argues that the simple fact that the file in question may have been kept in the storage space of an employee's professional email does not mean that the processing of the personal data contained in this file would have continued.

62. The company therefore considers that the disputed facts took place entirely before the entry into force of the GDPR and that it is, therefore, the “Informatique et Libertés” law in its version in force on August 22, 2016, or even on later in its version in force in April 2017, which should be applied to the facts of the case. According to the company, this implies that the CNIL should have sent it a formal notice prior to initiating a sanction procedure.

63. Firstly, the restricted panel notes that company [...]. This request was made in the framework contract for the provision of services of July 18, 2013 and then in amendment no. 13 of August 5, 2016, which explicitly provided for the creation of a map of the stakeholders in the debate relating to the [...] ]. The restricted training underlines that this request for identification of stakeholders was included in a second amendment dated October 15, 2016, identified as "amendment no. 7", which was renewed numerous times until 2019 , notably September 1, 2018 and January 1, 2019.

64. The maintenance of the file entitled "[...]", bringing together personal data collected by company Y, was therefore carried out as part of the service of identification, census and mapping of stakeholders which, it lasted until 2019.

65. In this regard, the restricted panel considers that the circumstance that this file was modified for the last time no later than April 2017, i.e. prior to the entry into application of the GDPR, has no effect on the persistence of the processing of personal data, as long as the file concerned continues to exist in the information system of the company in question, or of one of its service providers acting on its behalf, until a date after entry into force. application of the GDPR. In this case, the file was indeed kept in the electronic mail archives of an employee of company X.

66. The restricted training recalls that simple storage constitutes processing of personal data. Thus, since as data controller, company in its own right extend the existence of this file beyond the entry into application of the GDPR.

67. The restricted training also underlines that the creation of this file is part of a broader objective of identification, census and mapping of stakeholders in the debate on the renewal of [...]. On this point, amendment no. 7, renewed in particular on September 1, 2018 and January 1, 2019, explicitly contains instructions intended to update stakeholder maps, which corresponds well to the objective pursued by the disputed file .

68. Thus, if the services requested by company the conservation of this file, continued after the entry into force of this text.

69. Secondly, the restricted training notes that the failures relating to the information of individuals and the supervision of relations between the data controller and its subcontractor are continuous failures which persisted after the entry into application of the GDPR. She emphasizes that if the company informed people, through the YY firm in 2019, this information is subsequent to the entry into application of the GDPR and that it was only carried out after the revelation of the facts in the press. However, it was up to the company to ensure, itself or through its subcontractor, the information of individuals, either under the provisions applicable before the entry into force of the GDPR (in particular at the time of the creation of the file), or under the GDPR, to regularize the situation, after its entry into force. The restricted training also notes that the obligation to inform people whose data has not been collected from them already appeared in article 32-III of the law “Informatique et Libertés” in its version in in force on August 5, 2016, the date on which amendment No. 13 providing for the development of the file was signed. Likewise, although having a different scope, the obligation for a data controller to regulate its relations with its subcontractor through a legal act was provided for by article 35 of the “Informatique et Libertés” law.

70. The restricted panel recalls on this point that in its decision of March 1, 2021, Société Futura Internationale, no. 437808, the Council of State confirmed that the CNIL could sanction, on the basis of the GDPR, a continuous breach started before its entry into application and continued afterwards.

Consequently, the restricted panel considers that the “Informatique et Libertés” law, in its version prior to the entry into application of the GDPR, then the GDPR are applicable to the facts of the case.

E. On the failure to comply with the obligation to inform the persons concerned pursuant to Article 14 of the GDPR

71. Article 14 of the GDPR provides that when personal data have not been collected from the person concerned by the processing, the data controller provides the latter with the elements referred to in this same article "within a period reasonable after obtaining the personal data, but not exceeding one month, having regard to the particular circumstances in which the personal data are processed" or "if it is envisaged to communicate the information to another recipient, at most late when the personal data are communicated for the first time. "

72. The rapporteur notes that the persons whose personal data were collected and processed in this case were only informed of this processing in 2019, when company Z, after having acquired company to inform people through the YY firm. It considers that none of the exceptions to the obligation to inform individuals provided for in Article 14(5) of the GDPR can be used in this case.

73. In defense, company She considers that this obligation fell on company Y, which had control over the data contained in the file. She explains that in any event, informing people would have been of little interest to the extent that the data in question was public, that the people concerned could reasonably expect that their data would be the subject of such treatment and that she ultimately never used this file.

74. Firstly, it appears to the restricted training that processing of personal data, consisting of the collection of information aimed at identifying the influential people with whom a company wishes to represent its interests can, subject to certain conditions , be carried out on the basis of the legitimate interest pursued by the data controller. Indeed, processing such as that in question may be justified by the pursuit of the legitimate interest of the data controller provided that the interests and fundamental rights of the persons concerned do not prevail over the interests of the data controller. This balancing between the different interests involved requires in particular taking into account the reasonable expectations of the persons concerned as to the nature of the data collected and the way in which they are processed for the constitution of the processing in dispute, as provided for in recital 47 of the GDPR.

75. In the present case, the restricted panel notes that the persons whose data appeared in the disputed file could reasonably expect that company X, or more generally organizations whose activity is the representation of interests, would are interested in their position in the debate linked to [...], and processes their professional contact details as well as information relating to their public positions.

76. Indeed, the people present in the file in question took part in the public debate on the use of [...] or subjects linked to this theme, whether in particular through the development of decisions public, their influence on the representation or management of companies or public and private organizations notoriously involved in ecological and environmental subjects or even taking a public position or active participation in these debates. Therefore, these people could reasonably expect that actors in the sector in which they intervened would collect information concerning them from publicly and lawfully accessible data in order to know and understand their positions and possibly enter into contact with them. .

77. The restricted training notes that in all cases, the data controller who implements such processing must ensure compliance with the obligations provided for by the GDPR and in particular the obligation to inform people in order in particular that those they can exercise their rights.

78. The restricted training thus recalls that under Article 14 of the GDPR, the information that the data controller must provide to the data subject is, in particular, the identity and contact details of the data controller (and the case where applicable, the contact details of the data protection officer), the purposes of the processing, its legal basis, the categories of personal data concerned, where applicable the recipients or categories of recipients of the data, the fact that the controller intends to transfer the data to a third country as well as, if this is necessary to ensure fair and transparent processing, the duration of data retention, the existence of the various rights enjoyed by individuals, the existence of the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority, the source from which the data comes and the possible existence of automated decision-making.

79. The provision of this information allows the data subject to exercise their rights with the data controller. It thus contributes to making the activity of interest representation more transparent.

80. Secondly, the restricted panel recalls that under the terms of Article 14(5)(b) of the GDPR, this information obligation is not imposed when "the provision of such information proves impossible or would require disproportionate efforts” or when compliance with this information obligation “is likely to make impossible or seriously compromise the achievement of the objectives of said processing”.

81. With regard to the exceptions provided for in Article 14(5)(b) cited above, the restricted panel notes that the information of the persons appearing in the file entitled " [...] " would not have required the company X made disproportionate efforts and was, therefore, necessary. The restricted training first emphasizes that the file in question concerned more than 200 people and that the company had contact information for almost all of them such as an address, a telephone number or an address. electronic messaging.

82. The restricted panel recalls in this regard that, in its decision of March 12, 2014, Société Pages Jaunes Groupe, n°353193, the Council of State considered that the information by the data controller of 25 million people concerned by the collection of their personal data was not impossible and did not constitute a "disproportionate effort", taking into account the interest attached to respecting the fundamental freedoms and rights of these persons, particularly since the data controller had useful contact details to contact them.

83. The restricted panel also notes that the people concerned were finally informed individually in 2019, through the YY firm, which demonstrates that information was entirely possible.

84. It does not then appear that the provision of information to data subjects relating to the processing carried out would have been likely to make it impossible or seriously compromise the achievement of the objectives of said processing. Indeed, the restricted training notes that the legislative framework for the activity of interest representatives is evolving towards increased transparency both at the level of the European Union and at the national level. On this point, the French Association of Lobbying and Public Affairs Consultants defines lobbying as “the representation of interests (…) through contradictory and balanced information sharing”, which appears incompatible with an exercise of this activity in an opaque manner, without the knowledge of the persons concerned.

85. Finally, the restricted panel notes that the circumstances invoked by company and that this file has never been used by the company, do not constitute reasons likely to exempt the data controller from his obligation to provide information with regard to the provisions of Article 14 of the GDPR. In addition, contrary to what the company maintains, the responsibility for ensuring that the information has been delivered to the data subjects lies with the data controller and not with the subcontractor.

Therefore, the restricted panel considers that the aforementioned facts constitute a breach of Article 14 of the GDPR.

F. On the failure to comply with the obligation to regulate by a formalized legal act the processing carried out on behalf of the data controller

86. Article 28 of the Regulation provides that when processing is carried out by a processor, this processing is governed by a contract or other legal act which defines the object and duration of the processing, the nature and the purpose processing, the type of personal data, the categories of data subjects as well as the obligations and rights of the data controller. This contract also provides for the conditions under which the subcontractor undertakes to carry out processing operations on behalf of the controller.

87. The rapporteur notes that in this case, the processing relating to mapping between stakeholders was the subject of several successive contracts and amendments between companies X and Y but that none of them contains the information provided for in Article 28 of the GDPR.

88. In defense, the company recalls that, for the reasons already expressed in points 30 to 33, it was not acting as data controller and that, consequently, the obligation provided for by Article 28 of the GDPR does not is not opposable to him.

89. The restricted panel recalls that for the reasons set out in points 34 to 43, company X must be considered as acting as data controller and company Y as subcontractor.

90. The restricted panel notes that the processing of personal data in question, carried out by company Y within the framework of the mission of representing interests entrusted to it by company X, finds its origin in the framework contract of services signed between the two companies on July 18, 2013. This framework contract was supplemented by several amendments, in particular by amendment No. 7, the specifications of which were regularly renewed until May 2019.

91. However, the restricted panel notes that none of these acts concluded between the two companies from May 25, 2018, the date on which the obligation contained in Article 28 of the GDPR became applicable, contains the information provided for in this article 28.

Consequently, the restricted panel considers that these facts constitute a breach of Article 28 of the GDPR.

III. On corrective measures and publicity

92. Under the terms of III of article 20 of the law of January 6, 1978 as amended: "When the data controller or its subcontractor does not comply with the obligations resulting from regulation (EU) 2016/679 of April 27, 2016 or of this law, the president of the National Commission for Information Technology and Liberties may also, where applicable after having sent him the warning provided for in I of this article or, where appropriate in addition to a formal notice provided for in II, refer the matter to the restricted formation of the commission with a view to pronouncing, after adversarial procedure, one or more of the following measures: […]7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total annual worldwide turnover of the preceding financial year, whichever is greater. the hypotheses mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted panel takes into account, in determining the amount of the fine, the criteria specified in the same article 83.

93. Article 83 of the GDPR provides that "Each supervisory authority shall ensure that administrative fines imposed under this article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding the amount of this fine.

94. In defense, company in this case and that, therefore, a formal notice should necessarily have been notified to him before a sanction procedure could be initiated, which could lead to the imposition of an administrative fine.

95. The company points out that apart from the fact that it does not have the status of data controller, the data appearing in the disputed file had all been made public by the persons concerned. It therefore considers that the damage suffered by them is low.

96. Furthermore, the company considers that the amount of the fine proposed by the rapporteur is disproportionate in view of the seriousness of the alleged breaches but also taking into account the recent sanction deliberations rendered by the restricted panel.

97. Finally, regarding the publicity of the sanction, the company emphasizes that it has already been widely exposed in the media in 2019 for the same facts. She considers that a public sanction would cause a new media wave damaging to her image.

98. Firstly, the restricted panel notes that the failure to comply with the obligation to inform the persons concerned infringed the rights of the latter, to the extent that, not having knowledge of what their personal data were processed by the company, these people were not able to control the use of their data in this context. It recalls that the obligation to provide information constitutes a central measure for the protection of individuals, insofar as it allows the exercise of rights. It also notes that article 83(5) of the GDPR provides that failure to comply with this obligation can be sanctioned up to 20 million euros or 4% of turnover, which constitutes the ceiling of highest fine.

99. Furthermore, the restricted panel notes that the breach was only brought to an end several years after the implementation of the processing in question and only after several media outlets revealed the existence of the disputed file.

100. The restricted panel then considers that the fact for company executive have not benefited from the protection offered by the GDPR. Indeed, Article 28 of the GDPR provides various concrete guarantees in terms of data protection, by providing for example the implementation of security measures or the assistance to be provided by the subcontractor to the data controller in matters exercise of rights.

101. Consequently, the restricted panel considers that it is appropriate to impose an administrative fine with regard to the breaches of Articles 14 and 28 of the GDPR.

102. Secondly, the restricted bench recalls that under the terms of Article 83(1), the fines imposed must be effective, proportionate and dissuasive. It considers in particular that the financial situation of the company must be taken into account when determining the sanction and in particular, in the event of an administrative fine, its amount. She notes in this regard that the company reports a turnover for the year 2018 of around 12 billion euros. Furthermore, it observes that the processing in question was implemented in particular with the objective of defending the economic interests of the company. In view of these elements, the restricted panel considers that the imposition of a fine of 400,000 euros appears justified.

103. Finally, the restricted panel considers that the publicity of the sanction is justified in view of the nature of the breaches noted, their duration and their seriousness. It also considers that this measure will make it possible to inform the persons concerned of the breaches sanctioned, in particular to the extent that these facts have been the subject of several complaints.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

• impose an administrative fine against company X in the amount of 400,000 (four hundred thousand) euros;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name at the end of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be the subject of an appeal before the Council of State within four months of its notification.
Retrieved from "https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2021-012&oldid=36576"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki