CNIL (France) - SAN-2023-015

From GDPRhub
CNIL - SAN-2023-015
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 7(1) GDPR
Article 12(3) GDPR
Article 13 GDPR
Article 14 GDPR
Article 15 GDPR
Article 28(3) GDPR
Article 32 GDPR
Article 33 GDPR
Article L. 34-5 of the CPCE
Type: Investigation
Outcome: Violation Found
Started:
Decided: 12.10.2023
Published: 19.10.2023
Fine: 600,000 EUR
Parties: n/a
National Case Number/Name: SAN-2023-015
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: ar

The French DPA fined GROUPE CANAL+ €600,000 after receiving 31 complaints for the failure to comply with several GDPR Articles. The fine relates in particular to ‘cold’ calls, the exercise of rights by the data subjects, safety issues concerning the company's employees’ passwords and the company’s failure to notify the DPA when a serious personal data breach took place in 2020.

English Summary[edit | edit source]

Facts[edit | edit source]

Between November 2019 and January 2021, the French DPA received 31 complaints relating to ‘cold’ calls, a form of sales solicitation by phone from businesses to customers who have never interacted with the business before, and issues with the complainants’ exercise of their rights by GROUPE CANAL+ (the company), which specialises in the publishing of channels and the distribution of pay-TV offerings. Five of these complaints have been upheld in the present proceedings. Specifically, two of the complainants claimed that their right to erasure had not been complied with, and a third complainant stated that his request for an objection to the processing had also been disregarded.

Thus, in January 2021, the DPA held an online inspection of the processing operations carried out by the company, and in March 2023, a rapporteur was appointed to examine the documents.

At the end of the investigation, on 11 May 2023, the company was sent a report detailing the breaches of Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 15 GDPR, Article 28 GDPR, Article 32 GDPR and Article 33 GDPR, as well as of Article L. 34-5 of the French Post and Electronic Communications Code (the CPCE). Following this, the company submitted additional observations, and on 14 September 2023, the rapporteur and the company presented oral observations to the DPA.

Holding[edit | edit source]

Following the meeting, the French DPA first found that the company had electronic commercial canvassing operations carried out on its behalf by service providers and was unable to provide proof of validly expressed consent by prospective customers to be ‘cold’ called. The data from these prospects came from the service providers, but the prospective costumers did not validly consent to receive 'cold' calls from the company, as they were not informed of the identity of the canvasser on whose behalf the consent was collected when ticking the box to consent to receive commercial canvassing by electronic means. Additionally, when the company did not collect consent directly from the prospective customers, it was the company's responsibility to obtain such consent before carrying out any canvassing activity. And pursuant to Article 7(1) GDPR, the company must be able to prove that it had such consent. Thus, the company failed to comply with its obligations arising from Article L. 34-5 of the French CPCE and Article 7(1) GDPR, as clarified by Article 4(11) GDPR.

Secondly, the DPA found no breach of Article 13 GDPR as the company's privacy policy was amended and clarified the data retention period. And even if there was no mention of the right to lodge a complaint with the French DPA in the company's privacy policy, this could be understood by the compilation of several documents, accessible from the website.

Moreover, regarding the information provided to prospective customers during ‘cold’ calls, the DPA established a breach of Article 14 GDPR since when the company collected a telephone number from a third party for ‘cold’ calls, it should have informed the person of the purpose of the data processing or the existence of various rights, while the costumers were not always made aware of this.

Fourthly, based on the complaints lodged by three complainants, the DPA considered that the company had failed to comply with its obligations under Article 12 GDPR. The DPA noted that the requests made by the complainants were clear and addressed directly to the company's DPO. However, the company failed to provide the data subjects with information on the measures taken in response to their requests within a maximum period of one month under Article 12(3) GDPR, confirming a breach of Article 12 GDPR. Taking this last consideration, the DPA noted that it was clear from the information gathered that the complainants' requests had been received by the company, meaning that it failed to fulfil its obligations to process the requests, failing to comply with Article 15 GDPR.

Additionally, the DPA addressed the company’s contract with its processor. During the inspections, the DPA found that all the relevant information under Article 28 GDPR was present. However, the document was amended without communicating this to the DPA, and not all the information required under Article 28(3) GDPR was included. The DPA noted that the new documents now contain all the necessary information. Nonetheless, it considered that the past processing operations still failed to comply with Article 28(3) GDPR.

The DPA also found safety obligations issues and a breach of Article 32 GDPR as it noted that the company should have implemented a robust authentication policy as a basic security measure to keep passwords secure and comply with the Articles' obligations. Meanwhile the MD4 algorithm used by the company to store employee passwords at the time of the inspections was obsolete and insufficiently robust to ensure the confidentiality of passwords. According to the DPA, it had been known for years that the MD4 algorithm is subject to vulnerability and is immediately exploitable by attackers.

Lastly, the DPA addressed the company’s failure to comply with the obligation to notify the DPA of a personal data breach. Indeed, on 5 February 2020, the company was informed by subscribers of a data breach as subscribers accessing their account were able to view information relating to other subscribers, such as their postal address and telephone number. The DPA noted that 10,154 people were affected by the breach, not a negligible number, and since the breach was likely to infringe on subscribers' right to privacy, the company should have notified the DPA of the personal data breach. Thus, there had been a breach of Article 33 GDPR.

Due to the numerous breaches committed, some structural and certainly serious while others less severe and taking into consideration as mitigating factors the measures taken by the company, which has brought itself into compliance on certain points, the French DPA fined the company €600,000, on the basis of Article 83 GDPR.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of restricted training no. SAN-2023-015 of October 12, 2023 concerning the company GROUPE CANAL +

The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Christine MAUGÜÉ and MM. Alain DRU and Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to referrals no. […];

Having regard to decision no. 2021-017C of January 21, 2021 of the President of the National Commission for Information Technology and Liberties to instruct the Secretary General to carry out or have carried out a mission to verify the processing implemented by the company CANAL + GROUP or on its behalf, in any place likely to be affected by their implementation;

Considering the decision of the President of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated March 9, 2023;

Having regard to the report of Ms. Valérie PEUGEOT, commissioner rapporteur, notified to the company GROUPE CANAL + on May 11, 2023;

Having regard to the written observations submitted by the company GROUPE CANAL + on June 12, 2023;

Considering the oral observations made during the restricted training session of September 14, 2023;

Considering the other documents in the file;

Were present during the restricted training session:

- Ms. Valérie PEUGEOT, commissioner, heard in her report;

As representatives of the GROUPE CANAL + company:

- […].

The company GROUPE CANAL + having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

1. Founded in 1998 in France, the company GROUPE CANAL + (hereinafter the “company”) specializes in the publishing of channels and the distribution of pay television offers. In 2021, GROUPE CANAL + employed approximately 3,223 employees in France and had achieved, for the year 2022, a turnover of 1,851,312,842 euros.

2. The company offers a publishing service for premium and thematic channels, in the production and distribution of cinema films and television series. It also publishes free channels on digital terrestrial television (DTT).

3. Between November 2019 and January 2021, the National Commission for Information Technology and Liberties (hereinafter "the CNIL" or "the Commission") received 31 complaints, relating in particular to prospecting by telephone, the transmission of banking data and the exercise of rights. Five of these complaints were upheld in this procedure.

4. Pursuant to decision no. 2021-017C of January 21, 2021 of the President of the Commission, a delegation from the CNIL carried out several checks on the company in order to verify compliance with the provisions of law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter "the Data Protection Act" or "law of January 6, 1978") and Regulation (EU) 2016/679 of Parliament European Union and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data (hereinafter the “Regulation” or “GDPR”).

5. Thus, on January 26, 2021, the delegation carried out an online inspection mission of the processing implemented by the company or on its behalf, on the website www.canalplus.com. This inspection gave rise to report no. 2021-017/1, notified the same day to the company.

6. On February 25, 2021, the delegation sent a questionnaire to the company, to which the latter responded on March 26, 2021, relating to its organization, the processing of personal data that it implements, its qualification as data controller, on its relationships with its customers and partners and on its management of requests to exercise rights.

7. From April 2021 to January 2022, the supervisory delegation sent several additional requests to the company, which responded by providing the requested elements.

8. On March 9, 2023, the President of the Commission, on the basis of article 22 of the law of January 6, 1978, appointed Ms. Valérie PEUGEOT as rapporteur for the purposes of examining these elements.

9. On March 30, 2023, the rapporteur sent a supplementary request to which the company responded on April 6, 2023.

10. On May 11, 2023, at the end of her investigation, the rapporteur notified the company of a report detailing the breaches of articles 12, 13, 14, 15, 28, 32 and 33 of the GDPR and article L. 34-5 of the Postal and Electronic Communications Code (hereinafter “the CPCE”) which it considered constituted in this case.

11. On June 12, 2023, the company produced observations in response to the rapporteur's report.

12. By letter dated July 4, 2023, the rapporteur, in application of article 40, III, of decree no. 2019-536 of May 29, 2019 taken for the application of the Data Protection Act, informed the company that the investigation was closed.

13. By letter dated July 11, 2023, the company requested that a closed session be declared for the restricted training session. This request was rejected by the president of the restricted formation on July 24, 2023.

14. By email of August 14, 2023, the company communicated additional observations.

15. The rapporteur and the company presented oral observations during the restricted training session of September 14, 2023.

16. […], computer security expert of the company […], service provider of the company GROUPE CANAL +, was heard on the basis of article 22, paragraph 1, of the law of January 6, 1978.

II. Reasons for decision

A. On the complaints raised by the company in connection with the procedure

17. The company asserts that it was led to produce defense elements which were not requested during the investigation and which nevertheless relate to decisive factual information making it possible to empty of their substance the reasons for certain complaints formulated by the rapporteur.

18. It further considers that the exculpatory elements produced by GROUPE CANAL + were not taken into account, the report being based on samples of information or a very fragmentary perception of the compliance measures taken by the company.

19. Firstly, the restricted training notes that during the inspection mission, the company was able to respond to requests from the CNIL services, produce any supporting documents and share its observations. Each request for additional information subsequently made by the CNIL services was accompanied by a deadline allowing the company to gather the elements it deemed relevant to respond.

20. Secondly, the provisions of Article 40 of Decree No. 2019-536 of May 29, 2019, which provides in particular that the natural or legal person to whom a report proposing a sanction is notified has a deadline of one month to transmit its observations in response, were respected.

21. In view of these elements, the restricted panel considers that the procedure is not tainted by irregularity.

B. On the failure to comply with the obligation to obtain the consent of the persons concerned for the implementation of commercial prospecting by electronic means

22. Under the terms of article L. 34-5 of the CPCE, "direct prospecting by means of an automated electronic communications system […], a fax machine or electronic mail using the contact details of a natural person […] who has not previously expressed their consent to receive direct marketing by this means. For the application of this article, consent means any manifestation of free, specific and informed will by which a person accepts that personal data concerning him or her be used for direct marketing purposes. […] ".

23. Article 4(11) of the GDPR provides that “consent” of the data subject means “any free, specific, informed and unambiguous manifestation of will by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning them are subject to processing".

24. Article 7(1) of the GDPR provides that "in cases where processing is based on consent, the controller is able to demonstrate that the data subject has given consent to the processing of data to personal character concerning her.

25. To propose to the restricted panel to consider that the company has failed to comply with its obligations resulting from articles L. 34-5 of the CPCE and 7, paragraph 1, of the GDPR, as clarified by the provisions of article 4 , paragraph 11, of the GDPR, the rapporteur relies on the fact that the company GROUPE CANAL +, which has electronic commercial prospecting operations carried out on its behalf by service providers, is not able to have and provide the proof of consent validly expressed by prospects to be canvassed in this way. Indeed, the data from these prospects comes from suppliers […] (hereinafter “[…]”), in this case […]. However, the rapporteur notes that these prospects, by checking the box provided on the collection forms to give their consent to receive commercial prospecting electronically, have not validly consented to receiving prospecting from the company GROUPE CANAL +, to the extent that they have not been informed of the identity of this prospector on whose behalf the consent would be collected, the information not being available on the collection forms or via a link Clickable URL.

26. In defense, the company maintains that the responsibility for obtaining the lawful consent of the prospects concerned does not fall on it but on the […] who are at the origin of the data collection and with whom it has concluded contracts distributing the responsibilities of each party. She adds that these […] are responsible for sharing their customers’ data. She also considers that the report does not specify the legal basis which would establish its own obligation to collect this consent. The company also affirms that the applicable regulations do not require information from individuals on the identity of the recipients of their data for consent to be considered validly collected. It concludes that in view of these elements, the report disregards the principles of legality of offenses and penalties and the principle of personal responsibility.

27. First of all, the restricted panel recalls that, in application of the combined provisions of articles L. 34-5 of the CPCE and 7, paragraph 1, of the GDPR, as clarified by article 4, paragraph 11, of the GDPR, the organization – in this case the company GROUPE CANAL + – which carries out commercial prospecting operations electronically using data collected by its partners, must have consent constituting a “manifestation of will, free, specific, informed and unambiguous” of the persons concerned. When prospects' data has not been collected directly from them by the prospecting organization, consent may have been obtained at the time of initial data collection by the first-time collector, on behalf of of the organization which will carry out subsequent prospecting operations. Failing this, it is up to the prospecting organization to obtain such consent before carrying out prospecting acts. Pursuant to the provisions of Article 7(1) of the GDPR, the prospector must then be able to prove that he has this consent. In addition, for consent to be informed, individuals must be clearly informed of the identity of the prospector on whose behalf the consent is collected and the purposes for which the data will be used. To do this, in the event of consent collected by the first-time collector on behalf of prospectors, an exhaustive and updated list is made available to people at the time of obtaining their consent, for example directly on the collection medium. or, if this is too long, via a hypertext link to the said list and the confidentiality policies of service providers and suppliers (see to this effect, CNIL, FR, November 24, 2022, SANCTION, n° SAN-2022 -021, published).

28. In the present case, the restricted panel notes that 3,346,632 prospects whose data were collected from […] and 588,324 from […] were the subject of prospecting by electronic means during the year 2021 by the service provider acting on behalf of the company GROUPE CANAL +. For all of these prospects, the company is not able to provide documents demonstrating the obtaining of consent validly collected from individuals, whether by itself – which it has specified that it does not do – or by first-time collectors.

29. Indeed, if the company provided the control delegation with examples of standard forms for collecting data from prospects made available by […], the restricted training notes that no list of partners – including GROUPE CANAL + – which must be made available to prospects at the time of consent, has not been communicated as part of the procedure. For the company […], the collection form provides a check box with the following statement: “accept to receive commercial information for services/products […] and partners”. For the company […], the notice specifies: “accept to receive commercial information from the companies of […] or their partners according to my interests or the location where I am”. In both cases, no information on the identity of the partners concerned is available on the collection form or via a clickable hyperlink.

30. Thus, the company GROUPE CANAL + has not established that it has valid consent from individuals for its commercial prospecting operations by electronic means. Indeed, if the people have indeed given their consent to the companies [...] to receive electronic commercial prospecting by checking the boxes present for this purpose on the forms in question, they have not validly consented to receiving electronic commercial prospecting. prospecting by the company GROUPE CANAL +, to the extent that they have not been informed of the identity of this prospector on whose behalf the consent would be collected. The consent obtained cannot be considered as informed, as the persons concerned are not informed of the identity of the prospector on whose behalf the consent is collected, namely the company GROUPE CANAL +. In the absence of this information, consent cannot be considered valid.

31. Secondly, the company argues that the prospects' data would not be transmitted directly to it, but to service providers, and that the company would therefore not be the recipient of the electronic mail addresses of customers of […], which are not in its database. The restricted panel considers that the circumstance according to which the company uses service providers to carry out prospecting operations has no impact on the fact that, in order to be able to rely on valid consent obtained by the first-time collector, the company GROUPE CANAL + must appear in the list of partners to whom the data is transmitted, as long as these subcontracting service providers act on its behalf. The company is responsible for the commercial prospecting it carries out, including when it is carried out on its behalf by a subcontractor.

32. Thirdly, the restricted panel notes that, as part of the documentary inspection, the company indicated that […] are responsible for collecting the consent of the persons concerned. The company specified that it does not exercise any control over the consent collection forms used, indicating that “these forms are managed solely by the […] concerned, in [their] capacity as data controller. Consequently, Canal+ Group is not responsible for defining the terms and conditions for collecting consent from […] subscribers.

33. The restricted panel therefore considers that the measures put in place by the company GROUPE CANAL + to ensure with its partners that consent had been validly given by prospects before approaching them were insufficient.

34. Under these conditions, the restricted panel considers that the company has failed to comply with its obligations resulting from articles L. 34-5 of the CPCE and 7, paragraph 1, of the GDPR, as clarified by the provisions of article 4 , paragraph 11, of the GDPR.

C. On breaches relating to the obligation to inform the persons concerned of the processing of their personal data

1) Regarding the information provided to users when creating an account for the MyCanal service

35. Article 12(1) of the GDPR provides that "the data controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to carry out any communication under Articles 15 to 22 and of Article 34 with regard to the processing of the data subject in a concise, transparent, understandable and easily accessible manner (…)".

36. Article 13, paragraph 1, of the GDPR requires the data controller to provide the data subject with various information relating in particular to their identity and contact details, the purposes of the processing implemented, its legal basis, the recipients or categories of data recipients and whether the controller intends to transfer data to a third country.

37. Article 13(2) of the GDPR provides that, where this appears necessary to ensure fair and transparent processing of data, the data controller must provide the person with "the retention period of the personal data or, when this is not possible, the criteria used to determine this duration" and information relating to the "right to lodge a complaint with a supervisory authority".

38. The guidelines on transparency within the meaning of Regulation (EU) 2016/679, clarifying the aforementioned provisions, specify that: “the retention period […] should be formulated in such a way that the person concerned can assess, depending on the situation in which it finds itself, what the retention period will be in the case of specific data or in the case of specific purposes. The data controller cannot simply declare in general that data of a nature personal data will be kept for as long as the legitimate purpose of the processing requires it. Where applicable, different storage periods should be mentioned for different categories of personal data and/or different purposes of processing, in particular periods for archival purposes.”

39. In this case, the rapporteur notes that when creating an account on the MyCanal service, a link located under the data collection form takes the user to a page entitled "Personal data and confidentiality". She considers that the company's confidentiality policy does not specify the retention periods of data in a sufficiently precise manner. It notes in fact that this is limited to indicating that "your personal data are kept for periods determined with regard to our purposes and the legal, tax and accounting obligations incumbent on us. The data linked to your subscription makes the subject to electronic archiving for the entire subscription period and during the legal limitation periods. Furthermore, the rapporteur observes that the possibility of submitting a complaint to the CNIL is not mentioned in the confidentiality policy.

40. The company argues, on the one hand, that if the GDPR does require informing the persons concerned about the retention period of their data, neither the GDPR nor the G29 transparency guidelines contain an indication as to the degree of granularity expected for the provision of this information. The choice made by the company allows it to be transparent without excessively burdening its confidentiality policy.

41. However, it specifies that it modified its confidentiality policy on February 6, 2023 to provide more precise and granular information.

42. On the other hand, with regard to the information relating to the possibility of lodging a complaint with the CNIL, the company acknowledges that it did not appear in the confidentiality policy at the time of the check but that it was added during the redesign. She specifies that the information was, however, provided in the general conditions of use, available from the website, and in the general subscription conditions provided with each subscription to a service.

43. Firstly, with regard to the duration of data retention, the restricted panel notes that the document, dated December 3, 2020, is not precise enough in that it is limited to stating that the duration of Conservation of data is linked to the pursuit of certain purposes (compliance with legal, accounting, tax obligations) or to the duration of the subscription, without indicating the precise durations applicable. The retention periods are stated generically and are not sufficiently explicit, with the restricted training also noting that some users of the service are not subscribers but have only created a personal space on the site.

44. However, the restricted panel considers that this information is important to guarantee “fair and transparent processing” since it helps to ensure that users have control over the processing of their data.

45. In view of the above, the restricted panel considers that the information relating to the retention period of user data is not sufficiently detailed, which constitutes a breach of Article 13 of the GDPR.

46. The restricted committee notes, however, that the retention periods indicated in the confidentiality policy modified on February 6, 2023 are in accordance with the recommendations of the CNIL.

47. Secondly, the restricted panel notes that there is no mention of the right to lodge a complaint with the CNIL in the company's confidentiality policy although this information is expressly referred to in Article 13. , paragraph 2, d), of the GDPR.

48. However, it notes that the compilation of several documents, accessible from the website, makes it possible to obtain the information, which is therefore not missing, even if it is not easily accessible. This last complaint, however, falling under Article 12 of the GDPR, was not raised by the rapporteur in her sanction report.

49. Under these conditions, the restricted panel considers that the breach of Article 13 of the GDPR, with regard to information relating to the possibility of lodging a complaint with the CNIL, is not constituted.

50. Furthermore, the restricted panel notes that the company has modified its confidentiality policy, accessible from the collection form, which is now complete.

51. The restricted panel notes that during the procedure, the company modified its confidentiality policy to mention the right to lodge a complaint with the CNIL.

2) Concerning the information provided to prospects during telephone canvassing calls

52. Article 14 of the GDPR specifies the information to be provided when personal data has not been collected from the data subject. This article provides that the same elements of information as those referred to in Article 13 of the GDPR must be provided to the data subject, as well as the categories of personal data collected and, if this is necessary to guarantee fair and transparent treatment, other elements including the source from which this data comes.

53. Article 14 of the GDPR also specifies that the information must be communicated to the data subject "within a reasonable period after obtaining the personal data, but not exceeding one month, having regard to the particular circumstances in which the personal data are processed” or “if the personal data are to be used for the purposes of communication with the data subject, at the latest at the time of the first communication to that person”.

54. In this case, the rapporteur notes that, as part of the inspection, the company provided the CNIL delegation with a sample consisting of seventy recordings of telephone calls made by a subcontractor in the framework of prospecting campaigns carried out using data obtained through its partners.

55. It notes that listening to these recordings revealed that sixteen people approached by telephone on behalf of the company did not benefit from complete information provided under the conditions provided for by the Article 14 cited above and, for four other people, no information was provided.

56. In defense, the company indicates that, with regard to the sixteen calls for which the information is incomplete, the information is complete in three cases. For six calls, she claims that the telephone advisor did not have time to provide this information because the prospect hung up too quickly. In one case, the call concerned a person who had already subscribed, who had therefore already received this information on several occasions. For the last six cases, the company recognizes that the prospect did not have all the required information, but that it puts in place specific procedures aimed at ensuring that these situations do not occur.

57. Regarding the four calls for which no information was provided, the company notes that these are very short calls, for which the telephone advisor was not able to provide this information.

58. The company indicates, in general, that these cases represent only a minority in relation to the number of calls made.

59. The restricted training recalls that it follows from Article 14 of the GDPR that, when a prospector obtains a telephone number from a third party for the purposes of prospecting by telephone, he must inform the prospected person of the processing of these data for this purpose, at the latest during the telephone call. When information provided for by the GDPR is provided in the context of telephone exchanges, it is accepted that this information may be limited to the most important elements for the interlocutor, in order to remain brief, provided that a means of communication is indicated. 'obtain complete information (examples: button to activate on the telephone, email received by the interlocutor, referral to a web page) (see to this effect, CNIL, FR, June 23, 2022, SANC-TION, no. SAN- 2022-011, published). Information on the processing of data transmitted by […], in particular the telephone contact details of individuals, for telephone prospecting purposes, in application of Article 14 of the GDPR, and that relating to the registration of the conversation, in application of article 13 of the GDPR, can also be merged.

60. The restricted panel notes that the company provided the CNIL supervisory delegation with a sample of call recordings made as part of the prospecting campaigns and specified that the recordings were made randomly. The company also clarified to the delegation that the people called are in principle informed, at the very beginning of the call, of their discretionary right to oppose the recording, in accordance with the instructions received by the "advisors internal and external calls". However, in all the cases covered by the report (incomplete information or absence of information), the restricted training notes that the teleadvisor had started the discussion on the offers proposed by GROUPE CANAL +. So, even if the call was brief, the telephone advisor had initiated a prospecting process.

61. The restricted panel further observes that, in certain cases, the people contacted for prospecting purposes did not benefit from any information. In other cases, certain points provided for in Article 14 of the GDPR – such as the purposes of the processing or the existence of different rights – have not been brought to their attention, and the company does not has not put in place a method allowing data subjects to obtain more complete information relating to the processing of their data, for example via the activation of a key on the telephone keypad. However, the restricted training notes that all calls referred to by the rapporteur last at least thirty seconds, and that the telephone advisor would therefore have had time to proceed, for example, to a referral to the confidentiality policy of GROUPE CANAL +.

62. Finally, the restricted panel considers that if the recordings communicated to the CNIL do not reveal the existence of a structural failure in terms of information, the fact remains that it disregarded its obligations within the framework of the above-mentioned calls.

63. Under these conditions, the restricted panel considers that the breach of Article 14 of the GDPR has been established.

D. On the breach of obligations relating to the modalities of exercise of the rights of individuals

64. Under Article 12(3) of the GDPR, "the controller shall provide the data subject with information on the measures taken following a request made pursuant to Articles 15 to 22, in the as soon as possible and in any case within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests. The person responsible for processing informs the data subject of this extension and the reasons for the postponement within one month of receipt of the request. Where the data subject submits their request in electronic form, the information is provided electronically where possible, unless the person concerned requests otherwise.”

65. Under the terms of Article 12, paragraph 4, of the GDPR, "If the data controller does not respond to the request made by the data subject, he shall inform the data subject without delay and at the latest within a period of 'one month from receipt of the request for reasons for inaction and the possibility of lodging a complaint with a supervisory authority and filing a legal appeal.'

66. The rapporteur, to propose to the restricted panel to consider that the company has failed to comply with its obligations resulting from Article 12 of the GDPR, relies on the referrals from three complainants, Mr […] (referral no […] ) and Ms […] (referral no […]) and […] (referral no […]). The first two report difficulties encountered in erasing their personal data, the third concerns a request for opposition.

67. The rapporteur observes that it appears from the findings made during the control procedure that these requests were processed by the company but without the persons concerned being informed of the action taken on their request. Furthermore, regarding the opposition request, it was processed by the company outside the deadlines provided for by the GDPR.

68. In defense, with regard to the two erasure requests, the company indicates that these concerned, each time, a request for termination and a request for erasure. Due to an error in qualifying the request, the erasure was processed but the person concerned was not notified. The company argues that these are isolated cases and that the erasure request was processed.

69. Regarding the opposition request, the company considers that the complainant's initial request was not identified as such by customer service. But as part of the documentary check, the company became aware of the existence of the complaint and contacted the complainant. The request was ultimately identified as a request to object to commercial solicitations, a request which was processed the same day.

70. The restricted panel first notes that the requests made by the complainants to the company were clear, in that they aimed at a request for "deletion" or a request for "opposition" and that they were addressed directly to the company's data protection officer.

71. Next, the restricted committee observes that under Article 12(3) of the GDPR, the data controller must in principle provide data subjects with information on the measures taken following a request in a maximum period of one month. However, on the day of the documentary inspection, carried out on February 25, 2021, i.e. well over a month after the initial requests – sent respectively on October 30, 2019 and December 17, 2020 – the company had not informed the people concerned about the follow-up given, which she does not dispute.

72. Finally, the restricted panel considers that if the referrals received by the CNIL do not reveal the existence of a structural failure in terms of the exercise of rights, as the company emphasizes, the fact remains that it -he disregarded his obligations in processing the requests sent to him.

73. Under these conditions, the restricted panel considers that the breach of Article 12 of the GDPR has been established.

E. On the failure in terms of the right of access of the persons concerned

74. Article 15(1) of the GDPR provides for the right of an individual to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where they are, to access to said personal data as well as certain information, in particular "when the personal data are not collected from the person concerned, any information available as to their source". It is also provided in paragraph 3 of the same article that "the controller provides a copy of the personal data subject to processing".

75. The rapporteur, to propose to the panel to consider that the company has failed to comply with its obligations resulting from Article 15 of the GDPR, relies on three referrals to the CNIL, emanating from MM. […] (n° […]) and […] (n° […]) and Ms […] (n° […]), these people reporting the lack of response from the company to their requests .

76. The company acknowledges an error or malfunction in the qualification of the subject of the request with regard to referral no. […] and claims to have never received the request relating to referral no. […].

77. On the other hand, with regard to referral no. […], the company considers that the complainant's request was not precisely formulated as a request for access to her personal data. She considers that this was a request for proof of a subscription contract, which does not fall under the GDPR.

78. The restricted panel first notes that it appears from the elements of the file that the complainants' requests were all received by the company.

79. Next, it considers that the requests were formulated in sufficiently clear terms. Regarding referral no. […], the complainant asked the company to "send to her the elements available to you as soon as possible, or failing that, to cancel this current contract and also to proceed with the deletion of personal data […] in accordance with the provisions of article 17.1 of the General Regulations on the protection of personal data". The complainant thus explicitly expressed the wish to obtain the transmission of the elements available to the company. This should have led the company to treat the request as a request for access and then erasure.

80. Finally, the restricted panel considers that if the referrals received by the CNIL do not reveal the existence of a structural failure in terms of exercising the right of access, the fact remains that the company has failed to recognize its obligations in processing requests sent to it.

81. Under these conditions, the restricted panel considers that the breach of Article 15 of the GDPR has been established.

F. On the failure to comply with the obligation to regulate by a formalized legal act the processing carried out on behalf of a data controller

82. Article 28(3) of the Regulation provides that processing carried out by a processor on behalf of a data controller is governed by a contract or any other formalized legal act which defines the purpose and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects as well as the obligations and rights of the data controller. This contract also provides for the conditions under which the subcontractor undertakes to carry out processing operations on behalf of the controller.

83. The rapporteur noted that several subcontracting contracts relating to the hosting of personal data, communicated by the company, did not contain all the notices provided for by the aforementioned article. It notes that contracts with […] were concluded before the entry into force of the GDPR and have not since been updated to include the information provided for in Article 28, paragraph 3, of the Regulations.

84. In defense, the company claims that it terminated the hosting services provided by […] from 2016, i.e. before the entry into force of the GDPR. This service having been transferred to another subcontractor, the contract has not been updated. Regarding the contract with […], the company affirms that amendments have been signed until 2022 and that these amendments are supplemented by contracts relating to the processing of personal data containing all the information prescribed by the GDPR. The contractual relationship with […] ended on June 27, 2023. Regarding the contract with […], the company indicates that the contract contains several documents, including one which was not communicated to the CNIL during the inspection on parts. The combination of these documents would show that the notices provided for by the GDPR indeed govern the contractual relationship between the two actors. Following the acquisition of […] by the company […], a new contractual framework including a “Data Processing” appendix is also currently being discussed.

85. The restricted panel notes that numerous elements were communicated by the company as part of the sanction procedure, after notification of the report.

86. In light of these elements, it appears that with regard to the contract governing relations with […], these ended in 2016, before the entry into force of the GDPR, so that the breach does not is not constituted

87. Then regarding the acts governing relations with the company […], with regard to the original contract concluded with […] which was communicated in response to the sanction report, and which supplements that communicated by GROUPE CANAL + during checks, the restricted training notes that all of the information required by Article 28 of the GDPR appears in the contracts when the two documents are read together. The breach is therefore not constituted for the supervision of these relationships.

88. Finally, regarding the contract concluded with […], the amendments to the contract were not communicated to the CNIL services as part of the control procedure, which the company acknowledges. During the documentary inspection on February 25, 2021, the company provided the CNIL delegation with a contract dating from 2019, concluded for a period of one year, which did not include all of the information required under the Article 28(3) of the GDPR. It subsequently provided, in response to the sanction report, amendments which would have been concluded at the expiration of this contract, and which would have been renewed since. The restricted training notes that these new documents now contain all the necessary information. However, it observes that these documents provided are not signed and appear to be working versions (some include a note highlighted in yellow indicating "[...] Cloud Service Agreement for INSERT DESCRIP-TION OT THE SYSTEM" and "contract number" without the contract number). In addition, the only date indicated is a "revised" version of March 4, 2022. These observations on the form of the documents provided in defense having been raised, the restricted panel considers, in any event, that it is not necessary to determine whether the amendments provided constitute admissible supporting evidence to the extent that the breach is indeed established for past facts, in view of the findings made by the delegation at the time of the inspection.

89. Under these conditions, the restricted panel considers that the breach of Article 28, paragraph 3, of the GDPR is constituted for the past facts concerning the contract governing relations with […].

G. On the breach of the security obligation

90. Article 32(1) of the GDPR provides that “Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks , the degree of probability and severity of which varies, for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk […] " and in particular " means to guarantee the constant confidentiality, integrity, availability and resilience of processing systems and services " and a " procedure aimed at testing, analyzing and evaluating regularly the effectiveness of technical and organizational measures to ensure the security of the processing".

91. The rapporteur considers that the storage of the passwords of the company's employees in the application […] in hashed form using the MD4 algorithm does not comply with the state of the art.

92. In defense, the company notes that the insufficiency of security measures referred to in the sanction report has not been established. She states that the report is based on short answers given to targeted questions formulated during the control, which were not intended to allow the CNIL to be fully informed of the overall level of security surrounding the passwords processed by the Company. It thus highlights other measures that would be put in place by the company and which would ensure an appropriate level of security, such as for example permanent monitoring of activity within the computer network or a limited number of administered accounts. -trators. It also specifies that a migration policy towards a new version of Windows Server encouraged it to evolve the algorithms used towards more robust versions, with a migration completed in February 2023. Since then, the algorithm chain [ …] is used.

93. The company further considers that the rapporteur wrongly relies on deliberation no. 2022-100 of July 21, 2022 adopting a recommendation relating to passwords and other shared secrets and repealing deliberation no. 2017 -012 of January 19, 2017, which does not have a normative character, is subsequent to the control and admits the implementation of supplementary devices to passwords only. Its violation could therefore not be punishable.

94. The restricted training recalls that it follows from the provisions of Article 32 of the GDPR that the data controller is required to ensure that the automated data processing that it implements is sufficiently secure. The sufficiency of security measures is assessed, on the one hand, with regard to the characteristics of the processing and the risks it induces, and on the other hand, taking into account the state of knowledge and the cost of the measures.

95. Implementing a robust authentication policy constitutes a basic security measure which generally contributes to compliance with the obligations of Article 32 of the GDPR. Thus, in terms of authentication, it is necessary to ensure that a password allowing authentication to a system cannot be disclosed. Keeping passwords secure is a basic precaution when it comes to protecting personal data. As early as 2013, the National Information Systems Security Agency (ANS-SI) warned and recalled good practices regarding the retention of passwords, indicating that they must "be stored in a form transformed by a one-way cryptographic function (hash function) and slow to calculate such as PBKDF2" and that "the transformation of passwords must involve a random salt to prevent an attack by precalculated tables" (ANSSI, "Bulletin d' news CERTA-2013-ACT-046", November 15, 2013, https://www.cert.ssi.gouv.fr/actualite/CERTA-2013-ACT-046/). Likewise, in its deliberation no. 2017-012 of January 19, 2017 adopting a recommendation relating to passwords, the CNIL already indicated that it "recommends [that the password] be transformed by means of 'a non-reversible and secure cryptographic function (i.e. using a public algorithm deemed strong whose software implementation is free of known vulnerabilities), integrating the use of a salt or a key.' Indeed, non-robust hash functions present known vulnerabilities which do not guarantee the integrity and confidentiality of passwords in the event of a brute force attack after compromise of the servers which host them.

96. However, the restricted training notes that the MD4 algorithm, used by the company for storing employee passwords at the time of checks, was already deemed obsolete and insufficiently robust to ensure the confidentiality of passwords. the date of the findings made by the delegation. Indeed, the MD4 hashing function is the subject of a vulnerability known for several years and immediately exploitable by attackers (presenting a risk of collision) (See in this sense ANSSI, "CERTFR-2014-ACT News Bulletin -028", July 11, 2014, https://www.cert.ssi.gouv.fr/actualite/CERTFR-2014-ACT-028/). If the company argued that the positions taken by ANSSI in 2014 documents have since been replaced by other more recent documents, the fact remains that a hash function which was no longer the state of the art in 2014 was no more so on the day of the controls. The use of the MD4 algorithm requires the use of the NTLM protocol for authentication, while this protocol was already criticized by the ANSSI at the time of the controls (See in this sense ANSSI, "Recommendations for the protection essential information systems", December 18, 2020, https://www.ssi.gouv.fr/uploads/2020/12/guide_protection_des_systemes_essentiels.pdf). The use of this hash function therefore does not guarantee the security of the personal data concerned. The restricted training further considers that the robustness of peripheral security measures is not sufficient to compensate for the use of the MD4 algorithm. Indeed, the inherent fragility of the hash function used, on which the security of the password storage of the company's employees is based, is such that it cannot be rectified by other measures.

97. Under these conditions, the restricted panel considers that the breach of Article 32 of the GDPR has been established.

98. The restricted panel notes that, since February 2023, the company has been using a new version of Windows Server which uses an algorithm consistent with the state of the art.

H. On the failure to notify the CNIL of a personal data breach

99. Article 4.12 of the GDPR defines a personal data breach as “a breach of security resulting, accidentally or unlawfully, in the destruction, loss, alteration, unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data.

100. Article 33 of the GDPR provides that "in the event of a personal data breach, the data controller shall notify the breach in question to the competent supervisory authority in accordance with Article 55, as soon as possible and, if possible, no later than 72 hours after becoming aware of it, unless the violation in question is not likely to create a risk for the rights and freedoms of natural persons. When notification to the supervisory authority does not take place within 72 hours, it is accompanied by the reasons for the delay (…) If, and to the extent that, it is not possible to provide all the information at the same time, the information may be communicated in a staggered manner without further undue delay".

101. Recital 87 of the GDPR specifies that "it should be verified whether all appropriate technical and organizational protection measures have been implemented to immediately establish whether a personal data breach has occurred and to promptly inform the "supervisory authority and the data subject".

102. In the Guidelines on personal data breach notification of 6 February 2018, the European Data Protection Board (EDPS) considers, by way of illustration, "that a controller should be considered as having become “aware” [of the personal data breach] when it is reasonably certain that a security incident has occurred and that this incident has compromised personal data. The GDPR requires the controller to implement all appropriate technical and organizational protection measures to immediately establish whether a personal data breach has occurred and to promptly inform the supervisory authority and the authorities. persons concerned (…). The data controller is therefore required to take the necessary measures to ensure that he becomes “aware” of any violation as soon as possible in order to be able to react appropriately.

103. The EDPS provides the following example: "a third party informs a data controller that it has accidentally received the personal data of one of its clients and provides proof of this unauthorized disclosure. Since the controller has received clear evidence attesting to a breach of confidentiality, there is no doubt that he was 'aware' of it.

104. The rapporteur notes that the company was informed by subscribers, on February 5, 2020, of a data breach. Following an update to the CANAL + customer area, subscribers accessing their account were able to view information relating to other subscribers. Despite the number of people concerned and the type of data made accessible, the rapporteur notes that the company did not notify the CNIL of this data breach. The rapporteur considers that by not making this notification, the company failed to comply with the provisions of Article 33 of the GDPR.

105. In defense, the company indicates that it would have followed the EDPS guidelines and the recommendations of the European Union Agency for Network and Information Security (ENISA) to conclude that she did not have to notify the violation. On the basis of these texts, it considers that given the insensitive nature of the data concerned and the small number of people potentially impacted, it was not required to make a notification. She argues in particular that the temporary loss of confidentiality, which allowed seven people to view the data of other customers, lasted only 5 hours 35 minutes. She adds that the data concerned is not sensitive and that the people who were able to view it are other subscribers, without malicious intent and without particular expertise allowing them to extract the accessible data. It also specifies that the precise number of people who may have had access to the data of 10,154 subscribers is unknown. However, it would be limited to a maximum of 777 people, who were, according to the company, technically capable of having access.

106. The restricted panel firstly notes that the number of people affected by the violation, 10,154, is not negligible. She notes that several people have indicated to the company that they actually had access to third-party data. The restricted panel then notes that the personal data made accessible by the violation were of a nature that could infringe the right to respect for the private life of subscribers since their postal address and telephone number had been disclosed. Consequently, the company should have notified the CNIL of a personal data breach.

107. Under these conditions, the restricted panel considers that the breach of Article 33 of the GDPR has been established.

III. On the issuance of corrective measures and publicity

108. Article 20 of Law No. 78-17 of January 6, 1978 as amended provides that: "when the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27 2016 or this law, the president of the National Commission for Information Technology and Liberties may […] refer the matter to the restricted formation of the commission with a view to pronouncing, after adversarial procedure, one or more of the following measures : […] 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the figure d total global annual business of the previous financial year, the highest amount being retained. In the hypotheses mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these The ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted training takes into account, in determining the amount of the fine, the criteria specified in the same article 83.

109. Article 83 of the GDPR, as referred to in Article 20, paragraph III, of the Data Protection Act, provides that: “Each supervisory authority ensures that the administrative fines imposed in under this Article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and to decide the amount of this fine.

110. Firstly, on the principle of issuing a sanction, the company indicates that in addition to the fact that it contests the failings alleged by the rapporteur or justifies them, it has already taken measures to remedy to some of the alleged facts and ensure its compliance with applicable legislation. She adds that some of the complaints made to her by the rapporteur are made with regard to recommendations and a framework of the CNIL which do not have mandatory value, and which moreover postdate the facts in question. It further emphasizes that several of the alleged breaches are not substantial in this case and that they represented a limited or even non-existent impact on the rights and freedoms of the persons concerned. Finally, she emphasizes the good will and efforts she demonstrated throughout the procedure. The company considers that the mitigation factors provided for in Article 83, paragraph 2, of the GDPR should lead the restricted body not to impose a financial sanction, or at the very least, to very significantly reduce the amount of the fine. proposed by the rapporteur.

111. The restricted committee recalls that it must take into account, when issuing an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, seriousness and duration of the violation, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the breach.

112. The restricted training underlines that the breaches committed by the company relate, for some, to obligations relating to the fundamental principles of the protection of personal data and that numerous breaches are made. It notes that some of these breaches are structural and of certain seriousness, others are less serious.

113. Thus, with regard more particularly to the collection of consent for prospecting purposes by electronic means, the restricted training recalls that the company processes a significant number of data for commercial prospecting purposes. It appears from the information communicated by the company that 3,934,956 prospects were canvassed electronically in 2021.

114. The restricted training takes into consideration, as mitigating factors, the measures taken by the company, which has complied on certain points, as well as the low seriousness of certain breaches, in particular the fact that appeals canvassing for which the lack of information is retained only concerns a small part of the people canvassed. The restricted panel further notes, with regard to the referrals made during the debates, that the breaches of people's rights are not structural and mainly result from human errors. Finally, it notes the isolated nature of the contract for which the supporting documents do not allow us to conclude that it complies with the requirements of the GDPR.

115. In view of all these elements, the restricted panel considers that it is appropriate to impose an administrative fine for the breaches of Articles 7, paragraph 1, 12, 13, 14, 15, 28, 32 and 33 of the GDPR and article L. 34-5 of the CPCE.

116. Secondly, the restricted panel recalls that the violations of the GDPR noted in this case involve breaches of principles likely to be subject, under Article 83 of the GDPR, to an administrative fine which may be Raise up to 20,000,000 euros or up to 4% of the global annual turnover of the previous financial year, whichever is higher.

117. It also recalls that administrative fines must be both dissuasive and proportionate. It considers in particular that the activity of the company and its financial situation must be taken into account in determining the amount of the administrative fine. It notes in this regard that the company GROUPE CANAL + achieved a turnover of 1,851,312,842 euros in 2022.

118. Therefore, with regard to the liability of the company, its financial capacities and the relevant criteria of Article 83, paragraph 2, of the GDPR mentioned above, the restricted panel estimates that a fine of 600,000 euros appears justified.

119. Thirdly, with regard to the publicity of the sanction, the company asks the restricted panel not to make its decision public.

120. The restricted panel considers, on the contrary, that the publicity of this decision is justified in view of the seriousness of some of the breaches in question, the scope of the processing and the number of people concerned.

121. It also notes that this measure will make it possible to inform the people concerned by the company's prospecting operations. This information will allow them, if necessary, to assert their rights with the company.

122. Finally, it considers that this measure is proportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

• impose an administrative fine against the company GROUPE CANAL + in the amount of six hundred thousand euros (€600,000) for breaches of articles 7, paragraph 1, 12, 13, 14, 15, 28, 32 and 33 of the GDPR and article L. 34-5 of the postal and electronic communications code;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer allow the company to be identified by name after a period of two years from its publication.

President

Alexandre LINDEN

This decision may be the subject of an appeal before the Council of State within two months of its notification.