CNIL (France) - SAN-2023-025

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 6(1)(a) GDPR; Article 30 GDPR
Type: Investigation
Outcome: Violation Found
Started: 25.03.2022
Decided: 29.12.2023
Published: 30.01.2024
Fine: 75,000 EUR
Parties: n/a
National Case Number/Name: SAN-2023-025
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: nzm

The French DPA imposed a €75,000 fine on TAGADAMEDIA for collecting personal data through forms whose deceptive design did not allow the controller to obtain valid consent under Article 6(1)(a) GDPR.

English Summary

Facts

Between March 2022 and October 2022, the French DPA (“CNIL”) carried out on-site inspections of TAGADAMEDIA (“controller”), as well as online inspections of its website. The CNIL found that the controller collected data (first name, surname, date of birth, postal address, e-mail address, phone number) from prospects through forms when inviting them to participate in competitions or product testing on its website.

The controller used two forms to do so: before 2017, the controller used a single-button form – below the fields allowing data subjects to enter their details, there was a single “I VALIDATE” button with a green background and an arrow. Above the button, a text in a much smaller font stated that by clicking on the button, the user accepted that the data collected would be used to send offers from the controller’s partners and hyperlinks provided access to the data protection policy. The end of the text indicated that if the data subject wished to continue without receiving offers from the company’s partners, they could click on a link in the text (“I click here”), allowing the data subject to accept, or refuse that their personal data be sent to the controller’s partners.

The second form implemented from 2017 until the notification of the sanction report in 2023 was a two-button form with an “I VALIDATE” button written in white on a red background and an “I REFUSE” button written in black on a grey background, in a font smaller than the first button. Above these buttons, a text written in a font much smaller than that used for the buttons specified that by clicking on the "I VALIDATE" button, the user accepted that the data collected would be used to send offers from the company's partners.

The CNIL initiated a sanctioning procedure against the controller on 22 June 2023. During this procedure, the controller proposed a new form composed of an “I ACCEPT” button and a “NEXT STEP” button, both written in white on a red background and having a text in a much smaller font specifying that by clicking on the “I ACCEPT” button, the data subject accepted that the data would be used to send them offers from the controller’s partners, whereas the “NEXT STEP” button allowed them to continue without receiving offers from partners.

Holding

Firstly, the controller based its processing on consent under Article 6(1)(a) GDPR. The DPA reiterated that it is necessary to ensure that data subjects have given their unambiguous, specific, free and informed consent.

Regarding the one-button form, the CNIL considered that the form did not allow data subjects to make a valid choice reflecting their preferences regarding the transmission of data for commercial purposes. The CNIL emphasised that the “I VALIDATE” button had a size and colour that made it stand out from the other information provided, whereas the hyperlink which enabled the data subject to take part in the game without agreeing to the transmission of their data was presented in the body of the text and in much smaller characters.

Regarding the two-button form, the CNIL noted that there was no mention of the consequences of clicking on the “I REFUSE” button and that as designed, the form did not make it possible to obtain unambiguous and free consent from the user under Article 4(11) GDPR.

Regarding the new form, the CNIL considered that although the two buttons were identical in size, font and colour, the “NEXT STEP” button suggested that there was a sequence between these two buttons. Therefore, the choices in design did not compensate for the risk that the data subject may consent without measuring the consequences.

Thus, the CNIL considered that the forms did not sufficiently inform the data subjects that they were consenting to the transmission of their data for commercial prospecting purposes and that the controller did not have valid consent within the meaning of Article 6(1)(a) GDPR and Article 4(11) GDPR.

Secondly, the CNIL discovered that the phone number and postal address of data subjects who refused to have their data transmitted to the controller’s partners were nonetheless transmitted for another purpose (the performance of technical and qualification operations) and on another legal basis (legitimate interest). The CNIL considered that in order to transmit this data to its partners, and insofar as it had chosen the legal basis of consent for this processing, the controller should have obtained the consent of the data subjects, therefore breaching Article 6 GDPR, as well as Article 5(1)(b) GDPR.

Thirdly, Article 30 GDPR stipulates that the controller must keep a register of processing activities. The CNIL noted that the controller shared a register of processing activities with another company but did not specify which one of the companies was acting as the controller for each processing. The DPA concluded that given the amount of data processed in its activity, the controller should have ensured that its register was exhaustive, accurate and up to date. Therefore, the controller failed to comply with Article 30 GDPR but did update its register during the sanctioning procedure.

Fourthly, Article 32(1) GDPR provides that the controller shall implement appropriate technical and organisational measures in order to guarantee a level of security appropriate to the risk. The CNIL considered that, although a single shared administration account was used to access the database, the controller required a prior connection to a VPN using individual authentication keys; given the small number of people using the administration account, this allowed access to the database and the actions carried out within it to be attributed to an individual. Therefore, the DPA established that there was no infringement of Article 32 GDPR.

The CNIL imposed a €75,000 fine for the infringements of Article 6 GDPR and Article 30 GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted panel no. SAN-2023-025 of December 29, 2023 concerning the company TAGADAMEDIA

The National Commission for Information Technology and Liberties, meeting in its restricted panel composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Isabelle LATOURNAIRE-WILLEMS, Ms. Christine MAUGÜÉ, Mr. Alain DRU and Mr. Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to decision no. 2022-054C of March 25, 2022 of the President of the National Commission for Information Technology and Liberties instructing the Secretary General to carry out or have carried out a mission to verify the processing implemented by the company TAGADAMEDIA or on its behalf, in any place likely to be affected by its implementation;

Having regard to the decision of the president of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated June 22, 2023;

Having regard to the report of Ms. Valérie PEUGEOT, commissioner rapporteur, notified to the company TAGADAMEDIA on August 25, 2023;

Considering the written observations submitted by the company TAGADAMEDIA on September 29, 2023;

Considering the response of the rapporteur notified to the company on October 20, 2023;

Considering the written observations submitted by the company TAGADAMEDIA on November 20, 2023;

Considering the closure of the investigation, notified to the company on November 22, 2023;

Considering the oral observations made during the restricted panel session of December 7, 2023;

Considering the other documents in the file;

Were present during the restricted panel session:

- Ms. Valérie PEUGEOT, commissioner, heard in her report;

As representatives of the TAGADAMEDIA company:

- […].

The TAGADAMEDIA company having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

1. The company TAGADAMEDIA (hereinafter "the company") is a simplified joint stock company (SAS) with capital of 100,000 euros, located at 55 rue Legendre in PARIS (75017). Created in 2015, it mainly operates online competition and product testing sites through which it collects prospect data. This data is then sold to advertising partners carrying out canvassing operations.

2. In 2016, the company TAGADAMEDIA acquired 100% of the company […]. Created in 2004, the company […] distributes newsletters which include commercial messages on behalf of advertising clients. The newsletters are addressed to prospects whose data has been collected by the sites published by the company TAGADAMEDIA or the company […].

3. In 2023, the TAGADAMEDIA company had six employees. For the year 2022, it achieved a turnover of […] euros for a net result of […] euros. For the period from January 1, 2023 to August 31, 2023, its turnover amounted to […] euros.

4. In application of decision no. 2022-054C of March 25, 2022 of the President of the Commission, a delegation from the CNIL carried out an online monitoring mission of the website accessible via the URL https://www.tagadamedia.com/fr in order to verify compliance with the provisions of law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter "the Data Protection Act" or "law of January 6, 1978") and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of personal data and the free movement of such data (hereinafter the "Regulation" or “GDPR”).

5. This online control gave rise to report no. 2022-054/1 of May 16, 2022, notified on May 27, 2022 to the company.

6. In application of decision no. 2022-054C of March 25, 2022 of the president of the CNIL, a delegation from the Commission carried out an on-site inspection mission of the company TAGADAMEDIA. Minutes No. 2022-054/2 and No. 2022-054/3 of May 18 and 19, 2022 were drawn up and notified to the company by letter of May 23, 2022.

7. By letters of June 3 and 10, 2022, the company communicated the elements requested as part of the online and on-site checks. On July 13 and September 30, 2022, the supervisory delegation sent additional requests, to which the company responded on July 26 and October 12, 2022.

8. On October 18, 2022, a second online check was carried out by the CNIL services. Minute No. 2022-054/4 was notified on December 5, 2022 and the company communicated the requested elements on December 20, 2022. A final additional request was sent on May 3, 2023, to which the company responded on May 22, 2023.

9. On June 22, 2023, the President of the Commission, on the basis of article 22 of the law of January 6, 1978, appointed Ms. Valérie PEUGEOT as rapporteur for the purposes of examining these elements.

10. On August 25, 2023, at the end of her investigation, the rapporteur notified the company of a report detailing the breaches of Articles 5, 6, 30 and 32 of the GDPR which she considered to have occurred in this case. This report proposed that the restricted panel impose an administrative fine on the company. She also proposed that this decision be made public.

11. On September 29, 2023, the company produced observations in response to the rapporteur's report.

12. At the request of the rapporteur and by decision no. 2023-235C of October 17, 2023 of the President of the CNIL, a delegation from the CNIL carried out an online check to verify the conformity of any processing accessible from the URL “https://testonsensemble.com/testez-de-nouveaux-produits/signup/1” or relating to personal data collected from the latter. This inspection gave rise to report no. 2023-235/1.

13. On October 20, 2023, the rapporteur's response was notified to the company.

14. On November 20, 2023, the company sent new observations in response to those of the rapporteur.

15. By letter dated November 21, 2023, the rapporteur, in application of III of article 40 of decree no. 2019-536 of May 29, 2019 taken for the application of the Data Protection Act, informed the company that the investigation was closed.

16. The rapporteur and the company presented oral observations during the restricted panel session of December 7, 2023.

II. Reasons for the decision

A. On the failure to comply with the obligation to have a legal basis for the processing carried out

17. Under Article 6(1) of the GDPR, “Processing is only lawful if, and to the extent that, at least one of the following conditions is met:

a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is party or for the execution of pre-contractual measures taken at the request of the data subject;

c) the processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary to safeguard the vital interests of the data subject or another natural person;

e) the processing is necessary for the performance of a mission of public interest or relating to the exercise of public authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the person concerned is a child."

18. Under Article 4(11) of the GDPR, consent of the data subject means "any free, specific, informed and unambiguous manifestation of will by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning them are subject to processing".

1) Regarding prospect data collection forms

19. The rapporteur notes that the company collects data from prospects via participation forms in online competitions. This data is then transmitted to the company's partners, who carry out commercial prospecting operations electronically. The rapporteur also notes that the data protection policy, accessible via the websites that the company TAGADAMEDIA publishes, provides that the legal basis for the transmission of prospect data for prospecting purposes by electronic means is consent.

20. To propose to the restricted panel to consider that the company has failed to comply with its obligations resulting from Article 6 of the GDPR, as clarified by the provisions of Article 4, paragraph 11 of the GDPR, the rapporteur relies on the fact that the design of these forms does not allow users to demonstrate their consent by a clear and unambiguous positive act, and strongly encourages them to accept the transmission of their data to the company's partners for prospecting purposes.

21. In defense, the company confirms that it has chosen to base its processing relating to commercial prospecting on the collection of consent, whether for prospecting by electronic means, by post or by telephone. It specifies that the collection of "single action" consent is accompanied by an unsubscribe center which allows you to completely unsubscribe from all prospecting methods.

22. The company used, successively, two types of form, one based on a single button, the other on two buttons.

23. Regarding the single-button form, the company indicates that its design meant that the Internet user's participation in the game/competition was only conditional on his acceptance of the rules. The latter could thus click on the link located in the explanatory text to participate in the game without agreeing to transmit their data to the partners.

24. Furthermore, generally speaking, the company asserts that the two forms indeed allowed Internet users to make a choice relating to the transmission of their data, which would guarantee the free nature of the consent. It indicates, on the one hand, that participation in the game and the collection of consent for the transmission of data are uncorrelated, and on the other hand, that consent is specifically collected for commercial prospecting. It also specifies that the forms clearly indicate the implications of Internet users' clicks, while recognising that modifications were necessary regarding the implications of the "I REFUSE" button on the two-button form. Finally, the company affirms that consent is unequivocal because it is manifested by a click on the button, which makes it a positive action. During the restricted panel session, the company clarified that the single-button form was implemented in 2015 but is now obsolete, the two-button form having been in effect since 2017.

25. Following receipt of the first report from the rapporteur, the company indicated that it had implemented a new type of form, which it considered compliant with the requirements of the GDPR. According to the company, the explanatory text is perfectly readable and contains all the necessary information for a user who does not present any particular vulnerability. It adds that the position of the buttons, displaying the "I ACCEPT" button first with explanatory text in smaller characters, as it appears on the new form, would be considered "neutral" according to the studies on cookies produced by the CNIL, and would therefore be lawful. The company specifies that it is possible to continue the user journey without agreeing to receive offers from partners.

26. In this regard, the company notes that the CNIL has not published any specific recommendations on the digital marketing sector. It specifies that it has put in place numerous measures to ensure respect for people's rights and communicates statistics revealing a very high number of "opt-in" people and a low number of "non-opt-in" people, that is to say people having requested to unsubscribe, having requested the deletion of their data, or having completed another game form while refusing the transmission of their data.

27. Finally, the company affirms that it has never intended to deceive or mislead the prospects registered in its database, the success of its activity being based on the quality of its collection practices and people registered on its database.

28. The restricted panel first notes that both the data protection policy, accessible via the websites, and the register of the company's processing activities provide that the legal basis for the transmission of prospect data for prospecting purposes by electronic, telephone or postal means is consent, which the company confirms.

29. The restricted panel recalls that the specific consent required by the provisions of Article 6 of the GDPR can only result from express consent from the user, given in full knowledge of the facts after adequate information on the use which will be made of his personal data. In this regard, it is necessary to ensure that the persons concerned have given unequivocal, specific, free and informed consent when collecting their personal data via competition participation forms.

30. The restricted panel notes in this regard that the work carried out on the practices implemented in terms of cookies, with regard to banners for collecting consent, can usefully serve to assess in a more general manner the conditions for collecting free, unambiguous, specific and informed consent, and serve as a reference in matters of commercial prospecting when it is based on the collection of consent.

31. Furthermore, on the same conditions of consent, the Court of Justice of the European Union (CJEU) specified, in its Planet49 GmbH decision: "Article 7(a) of Directive 95/46 provides that the consent of the data subject can make such processing lawful provided that this consent is "unambiguously" given by the data subject. However, only active behaviour on the part of this person with a view to demonstrating consent is likely to fulfil this requirement” (CJEU, Grand Chamber, October 1, 2019, Planet49 GmbH, C-673/17, ECLI:EU:C:2019:801, §54). Therefore, if consent is not given unambiguously, it must be considered as lacking, which makes the processing unlawful for lack of a legal basis. More precisely on the methods of collection, the CJEU states that "the manifestation of will referred to in Article 2(h) of Directive 95/46 must, in particular, be "specific", in the sense that it must relate precisely to the data processing concerned and cannot be deduced from a manifestation of will having a distinct object. In this case, contrary to what Planet49 argued, the fact that a user activates the button for participation in the promotional game organised by this company cannot therefore be sufficient to consider that the user has validly given consent to the placement of cookies” (Idem, §§ 58-59).

32. Furthermore, the Council of State held that "free, specific, informed and unequivocal consent can only be an express consent of the user, given in full knowledge of the facts and after adequate information on the use that will be made of his personal data." (Council of State, 10th and 9th chambers combined, June 19, 2020, Google LLC, no. 430810, pt. 21).

33. The restricted panel also notes, by way of example, that guidelines 5/2020 on consent, adopted on May 4, 2020 by the "article 29" working group (now the European Data Protection Board, hereinafter "EDPB"), specify that the free nature of consent "implies a choice and real control for the data subjects. As a general rule, the GDPR provides that if the data subject is not genuinely able to exercise a choice, feels forced to consent or will suffer significant negative consequences if he or she does not give consent, the consent is not valid […] In general terms, any inappropriate pressure or influence exerted on the person concerned (which may manifest in different ways) preventing him from exercising his will will render the consent invalid."

34. By way of illustration and comparison, in its deliberation no. 2020-092 of September 17, 2020 adopting a recommendation proposing practical methods of compliance in the event of use of "cookies and other tracers", the Commission recommends to the organisations concerned to ensure "that users take the full measure of the options available to them, in particular through the design chosen and the information provided (§ 10) […] In order not to mislead users, the Commission recommends that data controllers ensure that interfaces for collecting choices do not include potentially misleading design practices leading users to believe that their consent is obligatory or which visually highlight one choice rather than another. It is recommended to use buttons and font of the same size, offering the same ease of reading, and highlighted in the same way" (§ 34). It adds that it is necessary "to be careful that the information accompanying each actionable element allowing consent or refusal to be expressed is easily understandable and does not require efforts of concentration or interpretation on the part of the user. Thus, it is particularly recommended to ensure that it is not written in such a way that a quick or careless reading could lead one to believe that the selected option produces the opposite of what users thought they were choosing." (§ 23). Otherwise, the unequivocal nature of the consent would not be established.

35. The restricted panel also recalls that studies carried out on the practices of digital interfaces, in particular concerning cookies, note the considerable impact of the appearance of consent collection banners on the choice of users, which can encourage the latter to make choices that do not reflect their preferences on data sharing.

36. In this case, it appears from the documents in the file that the company TAGADAMEDIA transmits to partners the data collected, namely the name, first name, title, date of birth, postal address, e-mail address, the telephone number of prospects, collected via its competition, product testing and survey sites. These partners then carry out commercial prospecting operations, particularly electronically, with these prospects.

37. The restricted panel notes that, at the time of the checks, two collection forms were accessible on the sites used to collect prospect data: a single-button form and a two-button form.

38. Regarding the single-button form, the restricted panel notes that under the fields allowing the persons concerned to insert their contact details there is a single button "I VALIDATE" on a green background with an arrow. Above this button, a text written in characters of a size significantly smaller than that used for the button specifies that by clicking on said button, the user accepts that the data collected will be used to send him offers from partners of the company. Hypertext links provide access to the data protection policy and the list of partners concerned. The end of the text specifies that if the user wishes to continue without receiving offers from the company's partners, they can click on a link present in the text ("I click here"). In addition, a check box is provided to accept the rules of the operation.

39. Thus, the user confronted with this form can either check the box accepting the rules of the operation and click on the green button "I VALIDATE" to participate in the competition while accepting that their data will be used to send offers from the company's partners, or check the box accepting the rules and click on the "I click here" link allowing them to continue without receiving these offers.

40. The restricted panel considers that, as it is designed, the proposed form does not allow data subjects to validly express a choice reflecting their preferences regarding the transmission of data for commercial prospecting purposes. The overall view of the interface particularly highlights the “I VALIDATE” button which, by its size and colour, stands out from the other information provided. Likewise, its wording evokes the conclusion of the user journey more than a transmission of data to partners. Finally, its location and the use of the verb "validate" give the impression that it must be clicked to complete registration and participate in the competition. Conversely, the hypertext link allowing the user to participate in the game without accepting the transmission of their data is presented in the body of the text, in characters of a size significantly smaller than that used for the button and without particular emphasis, so that it does not appear intuitive that it is possible to participate without clicking on the “I VALIDATE” button and therefore without transmitting one's data to third parties for prospecting purposes. The consent obtained is therefore deprived of its unequivocal and free character.

41. While noting that this form was still accessible in May 2022, i.e. at the time of the CNIL delegation's checks, the restricted panel takes note that the company no longer uses it operationally.

42. Regarding the two-button form in place from 2017 until the notification of the sanction report in 2023, the restricted panel notes that, under the fields allowing the persons concerned to insert their contact details, there are two buttons: an “I VALIDATE” button, written in white on a red background, and an “I REFUSE” button, written in black on a grey background and whose font size is smaller than that of the “I VALIDATE” button. Above these buttons, a text written in characters of a size significantly smaller than that used for the buttons specifies that by clicking on the "I VALIDATE" button, the user accepts that the data collected will be used to send him offers from the company's partners. In addition, a check box is provided to accept the rules of the operation.

43. The restricted panel notes that on this form, there is no mention of the consequences of clicking on the “I REFUSE” button.

44. Thus, the user confronted with this interface can either check the box accepting the rules of the operation and click on the "I VALIDATE" button to participate in the competition while accepting that their data will be used to send them offers from the company's partners, or check the box accepting the rules and click on the "I REFUSE" button to continue without receiving these offers.

45. Like the form mentioned in paragraphs 38 to 40 and for the same reasons, the restricted panel considers that as it is designed, the form described does not make it possible to obtain unequivocal and free consent from the user.

46. It further notes that in the absence of any clarification on the consequences linked to clicking on the “I REFUSE” button, the collection of consent is not informed. The latter could just as easily mean that the refusal to transmit one's data does not allow one to participate in the competition, which is not the case in this case.

47. Regarding the new form proposed by the company following the rapporteur's report, the restricted panel notes that under the fields allowing the persons concerned to insert their contact details are located two buttons: an "I ACCEPT" button, written in white on a red background, and a “NEXT STEP” button, the appearance of which is identical to the first. Above these buttons, text written in characters of a size significantly smaller than that used for the buttons specifies that by clicking on the "I ACCEPT" button, the user accepts that the data collected will be used to send him offers from the company's partners. By clicking on “NEXT STEP”, the user continues without receiving offers from partners.

48. The restricted panel considers that, although the buttons are identical in size, font and colour, the terms chosen strongly encourage users to first click on “I ACCEPT”, placed before the “NEXT STEP” button. Indeed, users are pushed to click on the first button "I ACCEPT" and then the second button "NEXT STEP", suggesting that there is a sequence between these two buttons, the first constituting a prerequisite for the second, whereas the user journey actually continues by clicking on “I ACCEPT”, without any need to click on “NEXT STEP”. The restricted panel notes that, even if explanations are provided on the consequences of each of the two options, the particular prominence of the two buttons in the overall visual of the form, compared with the appearance of said text in terms of font and colour, does not compensate for the risk that the person goes directly from filling in the fields to the “I ACCEPT” button without measuring the consequences.

49. The restricted panel therefore considers that the forms do not sufficiently inform the persons concerned that they are consenting to the transmission of their data for commercial prospecting purposes, in a context where the very purpose of these websites is to offer a prospect of winnings, which does not suggest an objective of long-term collection of this data for such purposes. These persons are not in a position to express their consent by a clear and unambiguous positive act.

50. The restricted panel considers, under these conditions, that the company TAGADAMEDIA does not have valid consent within the meaning of Articles 4 and 6 of the GDPR to transmit prospect data to its partners for the purposes of carrying out commercial prospecting operations.

51. In addition and for the same reasons, the restricted panel considers that the consent collected via the last form proposed by the company during the investigation does not meet the requirements of the GDPR and that the breach of article 6 of the GDPR persists.

2) Concerning the transmission of prospect data to partners

52. The rapporteur notes that the company TAGADAMEDIA transmits prospect data to partners for canvassing purposes by post or electronic means. The rapporteur notes that the personal data protection policy, accessible via the company's website, specifies that the legal basis for the transmission of data to TAGADAMEDIA partners for prospecting purposes “by postal mail or by telemarketing” is consent.

53. The rapporteur observes that the fact of not consenting to the transmission of their data does allow the user to prevent the transmission of their email address. However, the rapporteur notes that, despite the absence of consent, the postal address or telephone number is transmitted to partners for prospecting purposes by post or by telephone.

54. The rapporteur therefore considers that the company carried out unfair processing of the data of prospects who did not consent to their transmission to partners, contrary to Article 5(1)(a) of the GDPR.

55. In defense, the company asserts that it transmits data to its partners, on the one hand, for commercial prospecting purposes and, on the other hand, for the carrying out of technical and qualification operations, the latter purpose falling under legitimate interest. The transmission of database exports is done via an export file layout (“registration drawing”) specific to each partner. These layouts may or may not include a column relating to the “opt-in prospect” status. If the column is present, all the data is transmitted and the column governs the use of the prospect data (if it indicates “opt-in = 0”, the partner must not prospect on the transmitted data and must confine itself to carrying out the technical and qualification operations). If there is no such column, the prospect's email address and telephone number are not transmitted and the partner receives only postal contact details for technical and qualification operations.

56. The company maintains that the exploitation of postal data when prospects have refused the transmission of their data is not a generalized practice and that it discovered the existence of this practice at the time of the inspection. It adds that although certain partners have proceeded in this way, this situation does not concern all partners, is not intentional on the part of TAGADAMEDIA and does not bring it any economic advantage.

57. Finally, the company specifies that it no longer transmits to its partners, since February 1, 2023, the data of prospects who have not given their consent (“non-opt-in”).

58. The restricted panel notes that the company's personal data protection policy indicates that: “In the event of express acceptance on your part, your data may also be used by Tagadamedia and/or its partners to: • Send you commercial and promotional offers, including of a political or trade union nature, by email, by SMS/MMS, by post or by telemarketing • Send you newsletters • Carry out a statistical evaluation of site traffic • Carry out statistical segmentation and cross-checking. The legal basis for processing is consent.”

59. The restricted panel considers that the purposes described by the company as relating to the carrying out of technical and qualification operations, namely postal standardization, deduplication, telephone enrichment, etc., form part of the commercial prospecting operations of its partners. These processing operations are carried out on the basis of data transmitted by the company TAGADAMEDIA, within the framework of contracts whose purpose is, in particular with the company […], “the technical integration of the TAGADAMEDIA SAS database at […] and its marketing for rental by […]” (Article 1 of the contract).

60. The restricted panel notes that the data of persons who have not consented to their transmission to partners are entirely or partially transmitted to partner companies for the purposes of technical and qualification operations and are used, in certain cases, for prospecting purposes.

61. The restricted panel considers that as soon as a prospect does not consent to the transmission of his data to the company's partners, the company is not authorized to transmit it, including for the purposes of carrying out technical and qualification operations.

62. Moreover, the restricted panel notes that the company's confidentiality policy does not specify that the data of users who have refused the transmission of their data to partners for commercial prospecting purposes are still transmitted to these partners for other purposes and on another legal basis.

63. The restricted panel notes that the company only became aware of the use of postal data by its partners for commercial prospecting purposes, where the prospects had refused the transmission of their data, at the time of the inspection in 2022.

64. It considers that, in order to transmit this data to its partners, and insofar as it chose consent as the legal basis for processing relating to prospecting by post or telephone, the company should have obtained the consent of the persons concerned, which is not the case here.

65. The restricted panel thus concludes that there has been a breach of Article 6 of the GDPR. It notes, however, that since February 1, 2023, the company no longer transmits “non-opt-in” prospect data to its partners.

B. Failure to comply with the obligation to implement a register of processing activities

66. Article 30 of the Regulation provides that the data controller, regardless of the number of its employees, has the obligation to keep a record of processing activities, provided that the processing of personal data is not occasional. In this case, the register of processing activities must include all the information listed in Article 30(1) of the GDPR, namely: the name and contact details of the data controller, its representative and the data protection officer, the purposes of the processing, the categories of data subjects and the categories of personal data, any data transfers and, where possible, the time limits for erasure of the data and the description of the technical and organizational measures implemented to guarantee a level of data security adapted to the risk.

67. The rapporteur noted that the company shares a register of processing activities with the company […]. However, this register does not specify which of the companies acts as data controller.

68. In defense, the company first notes that it has set up a register of processing activities and that it is the simplified register model proposed by the CNIL. It adds that this register includes all the information provided for in Article 30 of the GDPR.

69. It adds that it is relatively rare for the CNIL to sanction organizations on the basis of Article 30 of the GDPR and that the decisions targeting this breach concern more serious facts (total absence of a register, lack of compliance after formal notice, etc.).

70. The restricted panel notes that the company TAGADAMEDIA implements a register of processing activities, held jointly with the company […], acquired by it, for processing relating to human resources or prospecting activities.

71. The restricted panel notes that the said register does not distinguish which company acts as data controller for the activity in question. Indeed, it is not specified for human resources or prospecting activities whether it is the TAGADAMEDIA company or the company […] which acts as data controller. However, the company TAGADAMEDIA should have, given the number of data processed and its activity, ensured that its register of processing activities was exhaustive, precise and up to date.

72. It follows from the above that the breach of Article 30 of the GDPR is characterized.

73. The restricted panel notes that the company has updated its register of processing activities which now complies with the requirements of the GDPR.

C. On the failure to comply with the obligation to ensure the security of personal data

74. Article 32(1) of the GDPR provides that “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […]” and in particular “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services” and “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.

75. The rapporteur notes that during the on-site inspection carried out on May 19, 2022, the company indicated that “there is a single database administrator account. It is shared by Mr […] and the technical director”. The rapporteur considers that this practice does not comply with security requirements and recalls that, in accordance with the basic rules of information systems security, a password must remain secret and individual in order to be effective. The use of non-individual accounts does not make it possible to precisely identify connections or to trace the uses and actions carried out by the people with access to the administrator account.

76. In defense, the company states that authentication and access to the database take place in two authentication steps: a VPN connection using an individual authentication key, followed by a second authentication step to the administration account shared between the two authorized employees. The VPN connection relies on a process of issuing individual authentication keys, the keys not being shared between employees.

77. It adds that the rapporteur's arguments are not relevant given the size and structure of TAGADAMEDIA.

78. The restricted panel considers that connecting to the VPN using individual authentication keys constitutes good practice and that, given the limited number of people accessing the administration account and their status, it makes it possible, if necessary, to attribute access to and actions carried out within the database through the shared administrator account to a specific individual.

79. The restricted panel concludes, taking into account the nature, scope, context and purposes of the processing as well as the risks for the rights and freedoms of natural persons, that the company had implemented appropriate technical measures in order to guarantee a level of security appropriate to the risk.

80. It follows from the above that there is no breach of Article 32 of the GDPR.

II. On the pronouncement of corrective measures

81. Article 20 of Law No. 78-17 of January 6, 1978 as amended provides that: “when the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or this law, the president of the National Commission for Information Technology and Liberties may […] refer the matter to the restricted panel of the commission with a view to pronouncing, after adversarial proceedings, one or more of the following measures: […] 2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or this law, or to satisfy requests presented by the data subject with a view to exercising their rights, which may be accompanied, except where the processing is implemented by the State, by a penalty the amount of which may not exceed €100,000 per day of delay from the date set by the restricted panel; […] 7° Except where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover of the previous financial year, whichever is higher. In the cases referred to in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted panel takes into account, in determining the amount of the fine, the criteria specified in the same Article 83.”

82. Article 83 of the GDPR provides that: “Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive”, before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding on the amount of that fine.

83. The company indicates that it considers that the amount proposed by the rapporteur, five hundred thousand euros, is not proportionate to the seriousness of the alleged facts. The company refers to the EDPS Guidelines 04/2022 of May 12, 2022 on the calculation of the amount of administrative fines. In light of these guidelines, it recalls that the processing undertaken does not involve any particular sensitivity, that the processing is not cross-border, that the damage suffered by the prospects is not substantial and that it did not intend to mislead prospects in the context of data collection.

84. Firstly, the restricted panel recalls that, when imposing an administrative fine, it must take into account the criteria specified in Article 83 of the GDPR, such as the nature, seriousness and duration of the violation, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the violation.

85. Concerning the obligation to have a legal basis for the processing carried out, the restricted panel first emphasizes that the ecosystem of the resale of data from partner to partner requires particularly strong guarantees as to the quality and validity of the consent obtained by the first data collector, on which the partners rely for commercial prospecting purposes. It recalls that the absence of valid consent deprives the transmission of prospect data to partners of a legal basis, which therefore appears unlawful. It considers that the requirements must be particularly strengthened with regard to the methods of obtaining the consent of users of the websites published by the company, the purpose of which is to offer prospects of winnings, these persons not necessarily being aware of the scope of the agreement given as part of their registration. It also points out that the company's prospect database contains approximately six million prospects.

86. The restricted panel also notes that, by transmitting prospect data to its partners for the purposes of technical and qualification operations, even though this processing falls within the scope of commercial prospecting and the persons concerned had not specifically consented to this transmission, the company TAGADAMEDIA did not have a legal basis. The restricted panel notes that the company has stopped this practice.

87. Regarding the failure to comply with the obligation to implement a register of processing activities, the restricted panel considers that even if this failure is of low seriousness, the imposition of a fine appears justified.

88. In view of all of these elements, the restricted panel considers that it is appropriate to impose an administrative fine for the breaches of Articles 6 and 30 of the GDPR.

89. Secondly, with regard to the amount of the administrative fine, the restricted panel recalls that certain violations of the GDPR noted involve breaches of principles liable, under Article 83 of the GDPR, to a fine of up to 20,000,000 euros or up to 4% of the worldwide annual turnover of the previous financial year, whichever is higher.

90. It considers that the activity of the company and its financial situation must in particular be taken into account.

91. Therefore, with regard to the liability of the company, its financial capacities, its cooperation during the procedure and the relevant criteria of Article 83(2) of the GDPR, the restricted panel considers that a fine of seventy-five thousand euros appears justified.

92. Thirdly, with regard to the issuance of an injunction, the restricted panel notes that the consent collected via the collection form proposed by the company as part of its first observations, referred to in paragraphs 47 and 48, still does not present an unambiguous character. The restricted panel considers that it is necessary to issue an injunction on this point.

93. In view of these elements, the restricted panel considers justified the imposition of a penalty in the amount of one thousand (1,000) euros per day of delay and payable after a period of one month.

94. Fourth, with regard to the publicity of the sanction, the company points to the disastrous consequences for its reputation of being designated as a negligent actor, even though it is genuinely committed to respecting GDPR standards. This publicity would affect its reputation both with its economic partners and with Internet users. It therefore requests that the decision not be made public or, failing that, that it be anonymized within fifteen days of publication.

95. The restricted panel considers that the publicity of this decision is justified in view of the seriousness of some of the breaches in question, the scope of the processing and the number of people concerned, i.e. approximately 6 million prospects.

96. It also notes that this measure will make it possible to inform the people concerned by the company's prospecting operations. This information will allow them, if necessary, to assert their rights with the company.

97. Finally, it considers that this measure is proportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The restricted panel of the CNIL, after having deliberated, decides to:

• impose an administrative fine against the company TAGADAMEDIA in the amount of seventy-five thousand euros (€75,000) for breaches of Articles 6 and 30 of the GDPR;

• issue an injunction against the company TAGADAMEDIA to implement on the sites it publishes a form for collecting prospect data making it possible to collect free, specific, informed and unequivocal consent regarding the transmission of their data of a personal nature to partners for prospecting purposes;

• attach to the injunction a penalty of one thousand (1,000) euros per day of delay at the end of a period of one month following notification of this deliberation, proof of compliance to be sent to the restricted panel within this period;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer allow the company to be identified by name after a period of two years from its publication.

President

Alexandre LINDEN

This decision may be the subject of an appeal before the Council of State within two months of its notification.