CNIL (France) - SAN-2021-012: Difference between revisions

From GDPRhub
No edit summary
Line 55: Line 55:


=== Facts ===
=== Facts ===
In may 2019, several medias revealed that the Monsanto company was processing personal data of more than 200 public figures like politicians, journalists, scientists that are related to glyphosate debate.   
In May 2019, several media outlets revealed that the Monsanto company was processing personal data of more than 200 public figures like politicians, journalists and scientists involved in the glyphosate debate.   


At the same time, the French DPA (Commission Nationale de l’Informatique et des Libertés CNIL) received seven complaints from data subjects who were on the filing system.  
At the same time, the Commission Nationale de l’Informatique et des Libertés ("CNIL" or "French DPA") received seven complaints from data subjects whose personal information was included in Monsanto's filing system.  


An investigation carried out by revealed that:
The investigation revealed that (i) the filing system had been created on behalf of Monsanto by several companies specialized in public relations and lobbying; (ii) the filing system contained different information about the data subjects including job description, professional email address,  mobile phone number, and sometimes Twitter account. Furthermore, (iv) a rating was given to every data subject, to estimate their influence and their support to Monsanto's activities.  
 
* The filing system has been created on behalf of Monsanto company, by several companies specialized in public relations and lobbying.
* The filing system contained, for every data subject, information like the job, professional mailbox,  mobile phone number, and sometimes the Twitter account.  
 
Furthermore, a rating was attributed to every data subject, to estimate their influence and their support to Monsanto company.  
=== Holding ===
=== Holding ===


==== On the information of data subjects ====
==== On the information of data subjects ====
The CNIL found that the company had violated Article 14 GDPR. The creation of contact files for the purpose of lobbying is not illegal in itself. On the other hand, even if consent of those public figures was not necessary, they had to be informed, so they could use their rights and especially their right to object.
The CNIL found that the creation of contact files for the purpose of lobbying is not illegal in itself. However, the French DPA found that the company had violated Article 14 GDPR for not having provided the data subjects with the mandatory information as soon as possible. Indeed, even if consent from those public figures was not necessary, they still had to be informed, so they could exercise their rights and especially their right to object.
 
The CNIL found that data subject were informed of the existence of the filing system only in 2019, after revelations in the media, even though the Monsanto company had all of their contact information.  


The CNIL also remind that the fact of not inform data subject of the existence of a processing harms the exercise of their others rights guaranteed under the GDPR.
The CNIL found that data subject were informed of the existence of the filing system only in 2019, after revelations in the media, even though the Monsanto company had all of their contact information. The CNIL also reminded that the fact of not informing the data subject of the existence of a processing harms the exercise of their others rights guaranteed under the GDPR.  


==== On the absence of judicial document between the controller and the processors ====
==== On the absence of judicial document between the controller and the processors ====
The CNIL found that the company has violated Article 28 GDPR. As a controller, Monsanto company had to lead by a judicial document the processing realised by its processor, especially to guarantee security measures.  
The CNIL found that the company had violated Article 28 GDPR. As a controller, Monsanto had to lead by a judicial document the processing realised by its processor, especially to guarantee security measures. The CNIL found that no contract between the companies contained the terms provided by the Article 28 GDPR.  
 
The CNIL found that no contract between the companies contained the terms provided by the article 28 GDPR.


== Comment ==
== Comment ==

Revision as of 13:17, 4 August 2021

CNIL (France) - SAN-2021-012
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 14 GDPR
Article 28 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 26.08.2021
Published: 28.08.2021
Fine: 400000 EUR
Parties: Monsanto Company
National Case Number/Name: SAN-2021-012
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: Marco Vermeil

The French DPA fined Monsanto €400,000 for creating files containing the personal data of more than 200 French and European political figures for the purpose of lobbying, without informing the data subjects, and without executing a data processing agreement with the relevant processor.

English Summary

Facts

In May 2019, several media outlets revealed that the Monsanto company was processing personal data of more than 200 public figures like politicians, journalists and scientists involved in the glyphosate debate.

At the same time, the Commission Nationale de l’Informatique et des Libertés ("CNIL" or "French DPA") received seven complaints from data subjects whose personal information was included in Monsanto's filing system.

The investigation revealed that (i) the filing system had been created on behalf of Monsanto by several companies specialized in public relations and lobbying; (ii) the filing system contained different information about the data subjects including job description, professional email address, mobile phone number, and sometimes Twitter account. Furthermore, (iv) a rating was given to every data subject, to estimate their influence and their support to Monsanto's activities.

Holding

On the information of data subjects

The CNIL found that the creation of contact files for the purpose of lobbying is not illegal in itself. However, the French DPA found that the company had violated Article 14 GDPR for not having provided the data subjects with the mandatory information as soon as possible. Indeed, even if consent from those public figures was not necessary, they still had to be informed, so they could exercise their rights and especially their right to object.

The CNIL found that data subject were informed of the existence of the filing system only in 2019, after revelations in the media, even though the Monsanto company had all of their contact information. The CNIL also reminded that the fact of not informing the data subject of the existence of a processing harms the exercise of their others rights guaranteed under the GDPR.

On the absence of judicial document between the controller and the processors

The CNIL found that the company had violated Article 28 GDPR. As a controller, Monsanto had to lead by a judicial document the processing realised by its processor, especially to guarantee security measures. The CNIL found that no contract between the companies contained the terms provided by the Article 28 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.