CNIL (France) - SAN-2022-024

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 3 GDPR
Type: Investigation
Outcome: No Violation Found
Started:
Decided:
Published: 26.12.2022
Fine: n/a
Parties: Lusha Systems INC
National Case Number/Name: SAN-2022-024
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The DPA investigated a controller who offered a browser extension and smartphone applications for the purpose of verifying users on networks such as LinkedIn. The DPA held that the GDPR was not applicable and that it was therefore not able to impose penalties.

English Summary

Facts

The controller was a company located in the United States without an establishment in the European Economic Area (EEA). This controller offered a browser extension (extension) for computer browsers which allowed its users to obtain the professional contact details (telephone number and e-mail address) of data subjects whose profiles were visited on LinkedIn or Salesforce.com. The names of data subjects collected with the extension were also compared by the controller with names stored in the controller’s database. The controller offered both paid and free versions of the extension and stated that the purpose of the extension was to combat identity fraud by allowing users of the extension to ensure that the target person whose profile they are visiting "is the person they claim to be or works for the company they claim to belong to". The controller also offered three smartphone applications for ‘contact management’ (the decision did not specify what this was supposed to mean). These applications were available for download if the data subject was in French territory. The applications collected the contact details of contacts stored on the data subject’s smartphone. After the data subject created an account, the controller filtered the data to keep only "professional" contact data (phone number(s) and/or email address(es)) of data subjects, excluding contact data for personal use. To carry out this filtering, the controller used, on the one hand, publicly available information to understand the structure of a company's e-mail addresses and/or telephone numbers (e.g. prenom.nom@societe.com and, for a French company based in Paris, +33 1) and, on the other hand, a white list of professional contact names drawn up by the company CRUNCHBASE comprising, at the time of the checks, the contacts of 5 to 7 million companies. Only the contacts on this white list were included in the controller’s database. 
Therefore, only ‘professional’ personal data was saved in the database of the controller. The applications were withdrawn from the French market in August 2022. The DPA started an investigation into the controller and conducted an online check of the extension and the smartphone applications.

Holding

The DPA determined that the fact that the controller only stored ‘professional’ data did not take away the personal nature of this personal data (CJEU, 9 November 2010, Volker and Others, Cases C-92/09 and C-93/09, pt. 59). It assessed the inner workings of both the extension and the applications and concluded that the controller was processing personal data: the collection, storage, structuring, cross-referencing and dissemination of personal data, in particular the "raw" contact data of users of the "Simpler", "Mailbook" and "Cleaner Pro" applications and the data from the CRUNCHBASE white list, are part of one and the same processing of personal data for the purposes of combating online fraud and providing the contact details of prospective customers. The DPA also determined that the controller was responsible for all processing operations and was therefore the controller (Article 4(7) GDPR). However, the DPA determined that the GDPR was not applicable and that it was therefore not authorised to issue a sanction. The DPA explained why none of the requirements of Article 3 GDPR were met. The controller did not have an establishment in the European Union (Article 3(1) GDPR). The DPA also determined that no services were offered to data subjects in the Union within the meaning of Article 3(2)(a) GDPR, without specifying why this was the case. The DPA concluded that Article 3(2)(b) GDPR was also not applicable, since it was not established that data subjects were subject to monitoring of their behaviour by the controller. The DPA acknowledged that personal data of data subjects in the European Union was processed by the controller. However, this processing merely constituted the creation of a database of professional contact data (telephone, e-mail address) to identify persons whose profiles were visited on LinkedIn, with the purpose of verifying their veracity. 
This was not processing that consisted of analysing or predicting behaviour, personal preferences or movements, interests, economic situation or state of health. The DPA also considered that the controller did not use personal data processing techniques that consisted of profiling. The DPA therefore concluded that the GDPR was not applicable and that it was not within the powers of the DPA to impose a penalty. It also stated that all users of the controller’s applications should be informed that the processing operations by the controller were not subject to the GDPR and that the publication of this decision was therefore appropriate.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.