CNIL - Délibération n°SAN-2020-003

From GDPRhub
CNIL - Délibération n°SAN-2020-003
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 13 GDPR
Article 32(1) GDPR
Article 56(1) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 28.07.2020
Published: 05.08.2020
Fine: 250.000 EUR
Parties: SPARTOO SAS
National Case Number/Name: Délibération n°SAN-2020-003
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: Alexandra Ziaka

In the context of an investigation against SPARTOO SAS, a company specialised in online footwear shopping with activities in thirteen EU countries, the French DPA (Commission Nationale de l'Informatique et des Libertés- CNIL), as the lead supervisory authority in cooperation with DPAs from other EU countries held that the processing activities of SPARTOO SAS did not comply with a series of GDPR provisions (art. 5§1(c), 5§1(e), 13, 32 GDPR). In that respect, CNIL imposed a fine of 250,000 euros and called SPARTOO SAS to bring its processing activities in conformity with GDPR in a period of three months since the publication of the decision.

English Summary[edit | edit source]

Facts[edit | edit source]

On 31 May 2018, CNIL initiated an investigation in the premises of SPARTOO SAS in order to investigate whether the processing of the personal data of its clients, prospect clients and employees, are compliant with GDPR. CNIL focused on several processing activities of SPARTOO SAS: 1) recording the customer service calls on a permanent basis, 2) storage of customers' bank details 2) no determination of retention period initially 3) determination of retention period of five years since the customer's last activity 4) establishing as last activity of the prospect customer the mere opening of an email 5) storage of personal data of more than three millions of non-connected customers for more than five years in a non-anonymised way 6) no erasure of personal data on a regular basis, 7) request the customer's health card in Italy in the context of the fight against fraud, 8) lack of strong password policy, 9) not adequate information provided to customers, prospect customers and employees regarding the processing of their personal data.

Dispute[edit | edit source]

Holding[edit | edit source]

CNIL found that the collection of bank details and the recording of customer service conversations was excessive and not necessary for the purported aim, that is the training of employees, given that only one call per employee was examined per week. Also, the collection of the health cards in Italy was found excessive, and together with the above-mentioned activities, CNIL held that the data minimisation principle had been violated (5§1(c) GDPR). CNIL also found a violation of the storage limitation principle (5§1(e) GDPR), given the lack of retention period in the first place, the storage of data of many inactive customers for more than five years and the excessive storage of prospect customers' personal data, which should be limited to 2 years. Furthermore, the information provided to the data subjects was found inadequate and contrary to the obligation of transparency (13 GDPR). More specifically, CNIL held that there are more legal bases for the processing of clients' personal data except for consent, such as the performance of a contract and the legitimate interest of the controller. Also, the information provided to the employees of the company regarding the recording of the customer service calls, did not include the purpose of the processing, the legal basis, the recipients, the retention period and their rights. Finally, CNIL held that SPARTOO SAS failed to implement appropriate measures in order to ensure the security of the processing (art. 32 GDPR), as it did not impose a strict password policy.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.


Deliberation n ° SAN-2020-003 of July 28, 2020
Deliberation of the restricted formation n ° SAN-2020-003 of July 28, 2020 concerning the company SPARTOO SAS
Status: FORCE
The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Messrs Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Ms Anne DEBET and Christine MAUGÜE, members;

Having regard to Convention 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Considering the law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms modified, in particular its articles 20 and following;

Considering Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to information technology, files and freedoms;

Having regard to deliberation no 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Information Technology and Freedoms;

Considering the decision n ° 2018-076C of March 30, 2018 of the President of the National Commission for Informatics and Freedoms to instruct the Secretary General to carry out or have carried out a mission to verify the processing operations implemented by this body or on behalf of SPARTOO;

Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated April 29, 2019;

Having regard to the report by Mr. Bertrand du MARAIS, commissioner rapporteur, notified to the company SPARTOO on September 23, 2019;

Having regard to the written observations made by the company SPARTOO on October 24, 2019;

Having regard to the rapporteur's response to these observations notified on November 7, 2019 to the company's board;

Having regard to the new written observations of the board of the company SPARTOO received on November 22, 2019 as well as the oral observations made during the session of the restricted formation, on November 28, 2019;

Having regard to the other documents in the file;

Were present during the restricted training session on November 28, 2019:

- Mr. Bertrand du MARAIS, commissioner, heard in his report;

As representatives of SPARTOO:

- […];

- […];

- […];

- […];

- […];

- […].

The SPARTOO company having had the floor last;

The restricted committee adopted the following decision:

I. Facts and procedure

1. The company SPARTOO SAS (hereinafter the company) is a simplified joint stock company created in 2006, specialized in the distance selling sector of shoes, whose head office is located at 16 rue Henri Barbusse, in Grenoble (38100 ).

2. In 2018, the company SPARTOO SAS achieved a net turnover of more than […] euros and a negative net result of almost […] euros. In the same year, the SPARTOO group, comprising the company SPARTOO SAS and its subsidiaries, achieved a net turnover of around […] euros and a negative net result of around […] euros. The SPARTOO group employs around 1000 people.

3. The company publishes, for the needs of its activity, sixteen websites within thirteen countries of the European Union, namely France, Spain, Germany, Italy, the Netherlands, Slovakia, Denmark, Poland, Sweden, Finland, Belgium, the Czech Republic and Hungary as well as the United Kingdom. Two other websites (spartoo.eu) and (spartoo.net) are aimed at consumers from other countries paying in euros and dollars.

4. On May 31, 2018, in application of the President's decision no 2018-076C, a delegation from the National Commission for Informatics and Liberties (hereinafter the CNIL or the Commission) carried out a control mission in the premises of the company SPARTOO. The purpose of this mission was to verify that this company complied with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the Regulation or the GDPR) and of the Law n ° 78-17 of January 6, 1978, as amended, relating to data processing, files and freedoms (hereinafter the law of January 6, 1978 as amended or the Data Protection Act). The control focused more particularly on the processing of personal data of the company's customers and prospects, as well as on the recording of telephone conversations between customers and the company's customer service employees.

5. During this control mission, the delegation was informed that the company implements processing aimed at combating fraud and unpaid debts, during payments made on its websites. When the 3DSecure protocol is not validated, an email is sent to the person who placed the order so that they can send proof of address and a scan of the front of their bank card. The company also informed the delegation that no retention period for personal data had been defined and that it was not carrying out any regular erasure of data relating to customers and prospects at the end of 'a defined period.

6. The delegation noted that in the context of recording telephone conversations between client advisers and clients, people calling the company could object to the recording of telephone calls by pressing a button on their telephone. .

7. Finally, the delegation noted that when creating an account by a user, on the company's website, passwords consisting of six digits, containing only one type of character, were accepted. The company also indicated that account passwords were kept in the production database in hashed form using the MD5 hash function, using a salt present directly in the database field relating to matching passwords.

8. Furthermore, following the audit, the company sent the Commission, by email of June 7, 2018, the additional documents requested and in particular a count made in the database relating to the number of customers and prospects not 'not being connected, since 2008, to its websites distributed in the different countries in which it is present. The following were provided by the company:

- 118,768 customers whose personal data was present in the database had not connected since May 25, 2008;

- 682,164 customers had not logged in since May 25, 2010;

- 3,620,401 customers had not logged in since May 25, 2013;

- 5,790,121 customers had not logged in since May 25, 2015;

- 25,911,675 prospects had been inactive since May 25, 2015.

9. It also emerged from that statement that SPARTOO had more than [...] customer accounts and more than [...] prospects.
10. In addition, the company provided the CNIL, by email of June 27, 2018, with the new data protection policy for its various websites.

11. In accordance with article 56 of the RGPD, the CNIL informed on July 27, 2018 all the European supervisory authorities of its competence to act as the lead supervisory authority concerning the cross-border processing carried out by the company. and opening the procedure for the declaration of the authorities concerned on this case.

12. For the purposes of examining these elements, the President of the Commission appointed Mr. Bertrand du MARAIS as rapporteur, on April 18, 2019, on the basis of article 47 of the law of January 6, 1978 amended in its version applicable on the day of designation.

13. By letter of May 17, 2019, the company was summoned by the rapporteur to a hearing on the following June 19, in application of article 74 of decree n ° 2005-1309 of October 20, 2005 as amended.

14. At the end of his investigation, the rapporteur had the company SPARTOO SAS notified by a bailiff, on September 23, 2019, of a report detailing the breaches of the GDPR that he considered constituted in this case.
15. This report proposed to the restricted formation of the Commission to issue an injunction to bring the processing into conformity with the provisions of Articles 5-1-c), 5-1 e), 13, 32 and 35-1 of the Rules, accompanied by a fine at the end of a period of three months following the notification of the deliberation of the restricted formation, as well as an administrative fine. He also proposed that this decision be made public and no longer allow the company to be identified by name after a period of two years from its publication.

16. Also attached to the report was an invitation to the restricted training session of November 28, 2019, indicating to the company that it had one month to submit its written observations.

17. On October 23, 2019, through its counsel, the company filed comments. The rapporteur replied on the following November 7.

18. On November 22, the company filed further observations in response to those of the rapporteur.

19. The company and the rapporteur presented oral observations during the restricted session on November 28, 2019.
20. The draft decision adopted by the restricted body was sent to the European supervisory authorities concerned on February 16, 2020, in accordance with Article 60.4 of the General Data Protection Regulation (GDPR). The restricted committee ruled, in its draft decision, on the breaches proposed by the rapporteur and discussed by the parties within the framework of the respect of the adversarial principle, namely the breaches of articles 5-1-c), 5 -1 e), 13, 32 and 35-1 of the GDPR; no breach of Article 6 of the GDPR and of Directive 2002/58 / EC of the Parliament and of the Council known as the ePrivacy Directive not having been raised by the rapporteur.

21. On March 13 and 17, the supervisory authorities in Italy, Portugal and Lower Saxony raised relevant and reasoned objections to the draft decision. The restricted formation decided to modify its draft decision in order to take these objections into account. As these did not propose to deviate from the draft decision by taking into account a new factual circumstance, to add a breach or to worsen the nature of the corrective measure initially proposed, the restricted committee decided not to communicate them to the reporter or to the SPARTOO company.

22. The revised draft decision was submitted to the relevant supervisory authorities on June 25, 2020.

II. Reasons for the decision

A. On the breach of the principle of data minimization (obligation to ensure the adequacy, relevance and non-excessive nature of the data)

23. Article 5-1 c) of the Regulation provides that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization).

24. First, the rapporteur maintains that the full and permanent recording of telephone calls received by customer service employees appears excessive in view of the purpose of their evaluation by the company.

25. The company contends that the telephone recordings are neither permanent nor systematic as customers have the option of objecting to the recording of the call. It also considers that the full recording of telephone conversations is proportionate to the objectives of evaluation and training of employees pursued by the company. Finally, she maintains that the rapporteur is wrong to assert that the recording of telephone calls would be excessive on the grounds that the person responsible for carrying out the training generally listens only to one recording per week, per employee, whereas this average would be, according to the company, likely to evolve according to the needs of the company. It specifies that the number of recordings that the trainer must be able to listen to must be greater than the number of recordings that he actually listens to.

26. The restricted training notes, first of all, that if certain customers object to the recording of the telephone call made, the company implements a treatment allowing to record all the telephone conversations of its employees, without them having the opportunity to oppose it. Next, it considers that the company does not justify the need to record all telephone conversations made by customer service, with regard to the purpose of the processing, namely the training of employees. The restricted training notes that the company indicated, during the hearing of June 19, 2019, that the person in charge of this training generally listens to only one recording per week and per employee. In addition, if the company affirmed, during the meeting of November 28, 2019, that the recording rate of telephone conversations went from 100% to 30%, it does not produce any supporting documents on this point.

27. While the number of records may vary depending on each employee and the circumstances, in particular the training needs of the latter, the restricted training considers that the company does not demonstrate that it has set up, for the past and 'future, a recording of employees' telephone conversations limited to what is necessary with regard to the purpose pursued. However, a controller cannot set up processing of personal data without ensuring that it is necessary for his needs, especially when it is based on a device that is particularly intrusive for employees.

28. The restricted committee therefore considers, in view of these elements, that a breach of Article 5-1-c) of the GDPR has occurred.

29. Secondly, the rapporteur criticizes the company for not having put in place measures to prevent the recording of customer bank details during telephone calls made with the company. He also considers that the measure proposed by the company, following the hearing, consisting in eliminating every day calls in connection with orders placed by telephone with payment by bank card, remains unsatisfactory in that the processing of data banking for a day is not justified with regard to the purpose of the processing, which is the evaluation of employees. He recalls that the processing of bank details is aimed at making payment and that such data does not have to be recorded by the company, even for a single day, once the payment has been validated.

30. The company maintains that the erasure of the bank data recorded during telephone conversations, every day, set up following the hearing of June 19, 2019, makes it possible to ensure data retention in accordance with the principle of minimization . It specifies that the implementation of a measure allowing a recording to be interrupted when a client's bank details are communicated would require the development of complex technical tools and would incur a particularly heavy financial and human cost.

31. The restricted group observes that the company has, at least until June 19, 2019, recorded during the recording of the conversations of employees for training purposes, the bank details of customers who placed orders by telephone and kept such data in its database, in clear, for fifteen days.

32. It notes that bank details are data which, given their nature and the associated risks of fraud, must be the subject of enhanced protection by data controllers. Indeed, as noted by the rapporteur, their use by unauthorized third parties, in the context of fraudulent payments, is likely to result in harm to the persons concerned.

33. The restricted formation notes that the company recorded and kept data for which it had no use with regard to the purpose of the processing in question, namely the training of employees.

34. It therefore considers, in view of these elements, that a breach of Article 5-1-c) of the GDPR has occurred.

2. Data collected in the context of the fight against fraud
35. First of all, the rapporteur maintains that the company disregards the principle of data minimization since it keeps, in the context of the fight against fraud, supporting documents sent by customers such as a copy of the national card identity, which are not required.

36. The company maintains that keeping a document spontaneously transmitted by a person is not excessive. It considers that it can keep copies of the national identity card of persons sent spontaneously to the extent that the CNIL indicates in its practical guide to online purchases that a data controller can request proof of identity and / or domicile to ascertain the identity of the holder.

37. The restricted committee notes that the company informed the CNIL, during the hearing on June 19, 2019, that it was asking customers located in France, for the purposes of combating fraud, to provide a copy of proof of address and a scan of their bank card. However, she told the Commission that even if she does not ask for a copy of the identity card to be provided, people sometimes communicate such a document to her and that in such a case she keeps this document for six months. , in the same way as the other supporting documents sent to it.

38. The restricted committee notes that a copy of the identity card may constitute relevant proof in the context of the fight against fraud. Consequently, in view of the purpose of the processing implemented by the company and the residual nature of the number of copies of identity cards processed by the company, it considers that there is no need to retain, in 'case, the alleged breach.
39. Secondly, the rapporteur pointed out in his report that the company collected, in Italy, as part of the fight against fraud, the copy of the health card (tessera sanitaria) and of the identity card in the process of being issued. validity. He criticized the company for not having been able to indicate at the hearing why the collection of this document is necessary in the context of the fight against fraud. Subsequently, the rapporteur took note of the information provided by the company according to which it indicated that its statements made during the hearing on June 19, 2019 were false and that in reality it was only asking customers for the communication of their identity card to the exclusion of any other documentary evidence. The latter also indicated that following a communication error, the sales department of the company asked, between June 27 and July 18, 2019, to customers to send a copy of this health card, but that this practice has ceased and that the documents thus collected have been deleted. The rapporteur therefore considered that there was no longer any need to take this fact into account in support of the aforementioned infringement.

40. The restricted committee notes that the Italian health card contains a significant amount of information on its holder, namely his name, first name, gender, tax code, place of birth corresponding for citizens born in Italy to the municipality of birth and for foreigners in the country of birth. It can also be inferred from the expiry date of the card that the person has a residence permit in Italy.
41. It considers that the communication of two documents making it possible to justify the identity of the person for the purposes of combating fraud, namely the health card and the identity document, was excessive and irrelevant for the purposes of article 5-1 c) of the GDPR. It appears that only the collection of the identity card was relevant with regard to the purpose of the processing carried out. In this case, the collection of the health card containing more information than the identity card, irrelevant in the fight against fraud, was excessive. In this regard, the restricted panel notes that the company recognizes that such collection was not necessary, it having ceased in July 2019. The restricted panel considers that even if the company would have collected such a document only during a limited period of three weeks, such elements constitute a breach of the obligation for the controller to process only adequate, relevant and limited data to what is necessary with regard to the purposes for which they are processed, under the principle of data minimization.

42. The restricted committee therefore considers that a breach of Article 5-1 c) of the GDPR is established for these facts.

B. On the breach of the obligation to limit the retention period of data
43. Article 5-1 e) of the Regulation provides that personal data must be kept in a form allowing the identification of the persons concerned for a period not exceeding that necessary for the purposes for which they are processed. ; personal data may be kept for longer periods as long as they will be processed exclusively for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 , paragraph 1, provided that the appropriate technical and organizational measures required by this Regulation are implemented in order to guarantee the rights and freedoms of the data subject (limitation of retention).

44. First of all, the rapporteur noted that during the control of May 31, 2018, the company informed the CNIL that no retention period for customer and prospect data had been determined and that it was not carrying out any erasure. regular or any archiving of such data after a defined period. During the hearing on June 19, 2019, the company informed the rapporteur that it had set a retention period for these data of five years, on an active basis, from the date of the last activity of customers and prospects, which may correspond for example , to a connection to the customer account, to a click in a newsletter or to the opening of this one.

45. To determine the number of customers and prospects to be taken into consideration, those located in the United Kingdom should be included, since that State was a member of the European Union at the time of the facts in question, the GDPR is applicable. In addition, as part of the withdrawal agreement between the European Union and the United Kingdom, a transitional period has been agreed during which Union law continues to apply in the United Kingdom.
46. ​​The statements made by the company, at the request of the delegation of control, made it possible to establish that the company was keeping the data of 118,768 customers who had not logged into their account since May 25, 2008, those of 682,164 customers who have not logged into their account since May 25, 2010 and the data of 3,620,401 customers who have not logged into their account since May 25, 2013.

47. The limited training deduces that at least until the counting carried out on June 7, 2018 in the database, the company kept a particularly large amount of data concerning its customers who had not logged into their account for more than ten years.

48. In addition, the fact, alleged by the company, that only the legal manager has access to the stored customer data is in any event irrelevant, the retention period being independent of access.

49. Regarding prospects, the rapporteur considers that the company does not justify the need to apply a retention period for their data for five years from the last contact from them.

50. The company maintains, for its part, that the retention period of five years for such data is adequate given the specificity of its general e-commerce platform. In addition, it has been established that certain prospects log in to view the offers offered after a period of inactivity of four years.

51. The restricted committee notes that the company kept in June 2018, with regard to the various countries of the European Union in which the company operates and the United Kingdom, the data of more than 25 million prospects not having had no activity since May 25, 2015, i.e. for more than three years. In addition, as a significant example, the data of 4,801,596 prospects who had no activity for more than three years, concerning Spain, those of 5,616,503 prospects concerning Italy and those of more than 12 million prospects for France. The restricted committee notes that after having indicated to the services of the CNIL that the data was kept indefinitely, the company indicated, during the hearing, that it now keeps these data for five years from the last contact. , even though it maintains that it will no longer revive them after a period of inactivity of two years. The restricted committee considers that the company has not established how the conservation of the data of prospects, who are people who have never placed an order on the company's site or former customers whose data is used for prospecting purposes after the end of the commercial relationship, is necessary beyond the period of two years during which it carries out its prospecting operations. The company has indicated that it only sends messages promoting its products or containing commercial offers to its prospects for a period of two years.

52. On this point, the restricted committee considers that in this case, the duration of two years appears proportionate in view of the purpose of the processing. This period responds to the company's wish to promote, like any merchant, its products to its former customers and to people who have not objected to receiving such messages. The company further specifies that a mechanism allows people to unsubscribe at any time to no longer receive prospecting messages. On the other hand, the retention period put in place by the company with regard to prospect data, namely five years, exceeds that necessary with regard to the purposes for which they are processed.

53. The restricted committee therefore considers that the company has disregarded the provisions of Article 5-1 e) of the GDPR.
54. Secondly, the rapporteur criticizes the company for determining as the starting point for the retention period for prospect data, in particular the opening of a prospecting email.

55. The restricted training notes that prospect data allows a data controller to send messages, for example by e-mail, to people who show an interest in its products or services. The Commission considers in this regard that when the starting point of the data retention period is the last contact from the prospect, it must be an event making it possible to demonstrate the interest of the person in the message received, such as than a click on a hyperlink contained in an email. However, the mere opening of an email cannot be considered as a contact from the prospect, since the prospect may be opened unintentionally due to the operating methods of the email software used or by mistake.

56. The restricted committee therefore considers that the company cannot, without disregarding the principle of limiting the period of data retention, consider that the simple opening of a prospecting email by a person makes it possible to restart the starting point of the period of retention of prospect data and thus keep such data even though the prospects have not demonstrated, by a clear act, an interest in the products or services of the company for several years.

57. Thirdly, the rapporteur maintains that at the end of the period of retention of customer data, the company does not delete all of the data stored, but keeps the email addresses of customers as well. their passwords, in a pseudonymized form, which would not allow compliance with the principle of data retention limitation.

58. The company claims that the anonymization of e-mail addresses of former customers is carried out using a process based on SHA-256 technology and that decryption of hashed data with this function requires very sophisticated technical skills. It therefore considers that the data of inactive customers is indecryptable and therefore anonymous.

59. The training notes that at the end of a client's period of inactivity, the company deletes certain data, namely the name, first name and date of birth of the latter, but keeps other such data. as his email address and password which are hashed by an algorithm and transferred within another table. The company thus wishes to allow a customer to reconnect to his account with the same username and password as those used when creating his account, at the end of the data retention period set up.

60. The restricted committee considers that the data of its former clients, even chopped, is not anonymized, but pseudonymized, and would make it possible to re-identify people.

61. The company claims that the e-mail addresses and passwords of its former customers are hashed using a SHA-256 algorithm which is particularly robust and which would make the data anonymous.

62. The restricted panel noted that the SHA-256 algorithm is a hash function to ensure the integrity of personal data processed by the company. While this is, to date, a function that cannot be reversed and is therefore considered by the National Information Systems Security Agency (ANSSI) and the CNIL as guaranteeing a sufficient level of security for data, this does not make it possible to anonymize the data and therefore justify their storage indefinitely by a controller.
63. Consequently, the restricted body considers that the company keeps the data in question for a period exceeding that necessary for the purposes for which they are processed. It notes in this regard, that the company itself indicates that the objective of the implementation of such a measure is to allow its customers to reconnect to their account, even though the data is supposed to have been deleted. . The personal data of former customers must be permanently deleted at the end of the retention period for them in an active database or in an archive database, once the legal obligations have expired and cannot be kept for a hypothetical future use. .

64. The restricted committee therefore considers that the company has, once again, disregarded the provisions of Article 5-1 e) of the GDPR.

C. On the breach of the obligation to inform people

65. Article 13 of the GDPR requires the data controller to provide, at the time the data is collected, information relating to his identity and contact details, those of the data protection officer, the purposes of the processing and its legal basis, the recipients of the personal data, where applicable the transfers of personal data, the retention period of the personal data, the rights enjoyed by individuals as well as the right to lodge a complaint with 'a supervisory authority.

66. As regards the clients, the rapporteur criticized the company for not informing them, within the data confidentiality policy, accessible on the company's website as well as via a link on the creation form account, that their data is transferred to Madagascar, in the context of telephone calls. He also criticized the company for citing within these documents only a single legal basis for all of its processing, namely consent, while some processing was based on a different legal basis.

67. The rapporteur noted, in his observations of 7 November 2019, that despite the company's claims, the privacy policy had not been corrected to include the transfer of data to Madagascar.

68. Regarding the legal bases of the processing, the company claimed that it based its processing on the consent of individuals, which, in its view, could not be criticized as this legal basis is more protective for individuals. people and therefore a failure to inform people could not be held against him with regard to these facts.

69. The restricted committee notes that it appears from the information provided by the company relating to the various processing operations implemented that several of them, namely, for example, the fight against fraud or those implemented within the framework of purchases made on the company's website cannot be based on the consent of individuals, but, as the rapporteur has indicated, on the contract or the legitimate interests pursued by the company. Recalling that recital 41 of the GDPR requires that the legal basis for processing be clear and precise, it considers that the company cannot aim solely within its data confidentiality policy as the legal basis of consent for all the processing operations implemented. artwork.

70. Consequently, if the company has indeed, as the texts require, integrated information on the legal basis and taken care to retain the most protective basis, according to it, of the rights of the people, the restricted formation recalls that Article 13 of the GDPR requires granular information relating to the legal basis of each treatment. It can therefore only note that the company has not fully complied with the provisions of this article by refraining from indicating, for each processing operation implemented, the corresponding legal basis in its confidentiality policy.

71. In addition, the restricted committee takes note of the changes made to its website, concerning the transfer of data to Madagascar. However, it considers that a breach of Article 13 of the GDPR is made until November 18, 2019, the date on which the company indicates that it has made changes to its website.

72. As regards the employees, the rapporteur criticizes the company for not informing them individually of the recording of their telephone calls.

73. The company maintains that employees are informed of the recording of telephone calls made with customers, thanks to several documents, such as a certificate of presence, information project telephone tapping dated January 14, 2016, a document from May 2014 as well as performance evaluation sheets dated 2017. The company has also provided certificates from three client advisers affirming that they have read the document dated January 14, 2016, that they have understood the purpose of these eavesdropping and that 'they can contact the legal department for further information.

74. The restricted training recalls that informing employees of the setting up of systems for listening and recording telephone conversations in the workplace is fundamental and is linked to the fair and transparent nature of any processing carried out. by a data controller. As indicated in recital 39 of the GDPR, the principle of transparency requires that all information and communication relating to the processing of such personal data is easily accessible, easy to understand, and formulated in clear and simple terms.

75. The obligation of transparency obliges the company to provide information relating to such a system to each employee, who cannot be satisfied with a single piece of information, as in this case in 2016, which would not be provided to new employees subsequently employed.

76. Moreover, the restricted committee also notes that Article L. 1222-4 of the Labor Code provides that no information concerning an employee personally can be collected by a device that has not been previously brought to his attention. . In addition, the Commission has recalled on several occasions, and in particular in a guide for employers and employees available on its website as well as in recommendation 2014-474 of 27 November 2014 relating to the recording of calls on the place of work, that employees must be provided with a certain amount of information regarding the treatments implemented by employers.

77. Finally, the restricted committee notes that the documents produced by the company do not provide employees with information relating to the purposes pursued by the processing, the legal basis of the system, the recipients of data from the system, the duration of data retention, their rights in particular of access to data concerning them as well as the possibility of filing a complaint with the CNIL, guaranteeing full information of employees in accordance with Article 13 of the GDPR.

78. The restricted committee therefore considers, in view of these elements, that a breach of Article 13 of the GDPR has occurred.

D. A breach of the obligation to ensure data security


79. Article 32-1 of the Regulation provides: Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, including the degree probability and severity vary, for the rights and freedoms of natural persons, the controller and the processor implement the appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk and in particular the means to ensure the continued confidentiality, integrity, availability and resiliency of processing systems and services.

80. The controller must therefore, in accordance with article 32-2 of the GDPR, take into account the risks presented by the processing, resulting in particular from the destruction, loss, alteration or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or unauthorized access to such data, accidentally or unlawfully.

81. The CNIL delegation noted, during the inspection on May 31, 2018, that people wishing to create a user account on the company's website could create a password consisting of six characters comprising a single category of characters. During the hearing on June 19, 2019, the company clarified that, since the control of the CNIL, a one-minute blocking measure for the account was put in place, after 19 unsuccessful access attempts to an account at from a single IP address in less than a minute.
82. In defense, the company argues that it has changed the rules for constituting account passwords and now requires its customers to create passwords that are at least eight characters long. It also calls into question the recommendations of the CNIL in the matter and maintains that the technical recommendations in terms of securing passwords resulting from the deliberation n ° 2017-190 of June 22, 2017 of the Commission are the subject of contestation by cybersecurity experts. Maintaining that overly complex rules have led to the standardization of passwords, she preferred to opt for the imposition of short and simpler passwords, these being less predictable for a possible attacker, the hazard being based on a human logic.

83. The rapporteur maintains that passwords, consisting of six or eight characters, without complexity criteria, are not strong enough and do not ensure the security of data processed by the company. He considers that such passwords do not prevent brute force attacks which consist in successively and systematically testing numerous passwords and can thus lead to a compromise of the associated accounts and personal data which 'they contain.

84. The Restricted Panel considers that, contrary to what society maintains, the length and complexity of a password remain elementary criteria by which to assess the strength of it. It recalls that, to ensure a sufficient level of security and meet the requirements of password strength, when authentication is based solely on a username and password, the password must be at least twelve characters long - containing at least 12 characters. minus one uppercase letter, one lowercase letter, one number and one special character - or the password must be at least eight characters long - containing three of these four categories of characters - and be accompanied by an additional measure such as timeout access to the account after several failures (temporary suspension of access, the duration of which increases with the number of attempts), the establishment of a mechanism to protect against automated and intensive submission of attempts (e.g. captcha) and / or blocking the account after several unsuccessful authentication attempts.

85. The restricted committee notes that the need for a strong password is also emphasized by ANSSI, which indicates that a good password is above all a strong password, that is to say difficult to find. even using automated tools. The strength of a password depends on its length and the number of possibilities available for each character in it. This is because a password made up of lower case letters, upper case letters, special characters and numbers is technically more difficult to discover than a password made up of all lower case letters.

86. In the present case, it considers that the strength of a password consisting of eight characters and only one category of characters is very weak and that the company does not at any time demonstrate how a password is short and simple would be more likely to resist a brute force attack than a password consisting of more characters and multiple categories of characters.

87. The restricted committee therefore considers that the passwords set up by the company to access the accounts created on its website do not meet the required requirements in terms of robustness.


88. It was noted, during the control of May 31, 2018, that the company asks its customers, as part of the fight against fraud, to send it by email a scan of the bank card used when ordering. For its customers in France, an email specifying the 16 digits on the front panel, please let appear at least the first 4 and the last 4, the validity date and the name of the holder must appear clearly is then sent to the persons. E-mails making such a request are also sent to people ordering on the Italian, Spanish, Hungarian, Slovak, Danish and Greek sites. the company was found to keep bank card scans unblocked.

89. The rapporteur therefore considers that the company's email addressed to people, particularly French people, encourages them to provide a full copy of the payment card instead of inviting customers to hide a minimum number of their bank card numbers.

90. It was further noted that bank card scans are kept by the company in the clear for six months from the registration of the documents, in the event of a dispute.

91. By letter of June 28, 2019, the company indicated that an online platform dedicated to sending supporting documents would be set up at the end of August 2019. Furthermore, the company maintains that it has been authorized by the CNIL to implement processing for the purpose of combating fraud and that it can validly collect the expiry dates and truncated bank card numbers.

92. In the first place, the restricted committee notes that the company was indeed authorized by deliberation of the CNIL of July 2, 2009 to process the truncated bank card number as well as the expiry date, as part of the implementation implementation of processing for the purpose of combating fraud. However, it is established that the company processed copies of customers' bank cards containing full numbers, while it was only allowed to process a truncated portion of them. The restricted committee therefore considers that the authorization issued by the CNIL cannot justify the processing of all customer bank card numbers.

93. Secondly, the restricted committee notes that it was noted by the CNIL delegation that the system set up by the company allowed customers to send unencrypted, by unencrypted email from their electronic mailbox. , photographs or scans of their bank card containing the full number of the bank card and that such data was kept, in the same way as the supporting documents requested in the context of the fight against fraud, for six months, in clear in the database.

94. Under these conditions, the restricted committee considers that the company has not put in place, at least until August 2019, security measures to guarantee the security of its customers' banking data.

95. On the basis of all of these elements, the restricted panel considers that the breach of article 32 of the Rules has been established.

E. On corrective measures and their publicity

96. Under III of article 20 of the amended law of 6 January 1978:
When the data controller or his subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, seize the restricted committee with a view to pronouncing, after contradictory procedure, of one or more of the following measures: […]

2 ° An injunction to bring the processing into line with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to meet the requests presented by the data subject in order to exercise their rights, which may be accompanied, except in cases where the processing is implemented by the State, a penalty payment the amount of which may not exceed € 100,000 per day of delay from the date set by the restricted group; […]

7 ° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the worldwide annual turnover total for the previous financial year, whichever is higher. Under the assumptions mentioned in 5 and 6 of article 83 of regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83.

97. Article 83 of the GDPR provides:

1. Each supervisory authority shall ensure that administrative fines imposed under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.

2. Depending on the specific characteristics of each case, administrative fines are imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken in each individual case of the following:

a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;

(b) whether the violation was committed willfully or negligently;

c) any measure taken by the controller or processor to mitigate the damage suffered by the data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32;

e) any relevant breach previously committed by the controller or processor;

f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating any negative effects thereof;

g) the categories of personal data affected by the breach;

(h) how the supervisory authority became aware of the breach, including whether, and to what extent, the controller or processor notified the breach;

(i) where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures;

(j) the application of codes of conduct approved under Article 40 or certification mechanisms approved under Article 42; and

k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the violation.

98. First, concerning the fine proposed by the rapporteur, the company maintains that it was never condemned by the CNIL, that it had few references before the entry into force of the RGPD and that the Commission announced a tolerance period for new breaches of the GDPR, such as data minimization or pseudonymization.

99. The restricted panel considers that, in the present case, the aforementioned breaches justify the imposition of an administrative fine against the company for the following reasons.

100. First of all, it notes that, contrary to what the company maintains, the shortcomings found relate, for the most part, to obligations that Law No. 78-17 of 6 January 1978 as amended already imposed on data controllers. and which did not arise from the GDPR, including with regard to the principle of minimizing and limiting the duration of data retention. It further recalls that questions relating to the pseudonymization of data were asked well before the entry into force of the GDPR.

101. Next, it notes that several of these breaches concern employees and in particular their right to receive information on the processing of their personal data. Here again, the restricted training recalls that this is not a novelty introduced following the entry into force of the GDPR.

102. Finally, it underlines that bank data is data that must be the subject of particular vigilance by data controllers and that the Commission has continued to support them on this subject for many years.

103. Secondly, the company underlines its cooperation with the rapporteur and the measures put in place, as well as certain sanctions previously imposed by the restricted party. It also considers that it cannot be blamed for a lack of speed, when the hearing took place a year after the check carried out on its premises and when no formal notice was notified to it within this time.
104. The restricted committee notes that although several measures were put in place by the company in order to remedy in whole or in part certain shortcomings, these were only adopted following the control of the CNIL on the 31st. May 2018, with regard to the establishment of retention periods for customer and prospect data and that following the hearing of June 19, 2019, and the report, regarding the deletion of records containing customer bank details and information to individuals on the website relating to the transfer of their data outside the European Union.

105. Next, the restricted committee considers that the seriousness of certain breaches is characterized. More particularly with regard to the failure to record telephone conversations, the restricted committee notes that the company recorded for several years all the telephone conversations of its employees, even though it had none. utility and that such treatment can be compared to constant monitoring. It also notes that employee information about the implementation of the call recording system is particularly deficient, it being either incomplete before 2016, or non-existent for employees hired by the company subsequently.

106. In addition, the seriousness of the breaches is characterized in view of the particular category of personal data processed by the company, namely banking data which is considered to be data exposing people to a risk of fraud, and therefore of damage, and must therefore be the subject of special vigilance. Finally, the restricted committee also considers that the seriousness is characterized because of the number of people affected by the breaches, in particular with regard to the retention periods of data, which has affected several thousand people.
107. The company then claims to be a medium-sized business and to operate in a particularly competitive sector. It considers that a high administrative fine would affect its financial health and commercial position.

108. In this regard, the restricted committee considers that the company is an established player in e-commerce, and that, created long before the entry into force of the GDPR, it could not ignore the basic rules of the protection of personal data.

109. Next, the restricted panel recalls that § 3 of Article 83 of the Rules provides that in the event of multiple violations, as is the case in this case since four breaches are characterized, the total amount of the fine may not exceed the amount set for the most serious violation. Insofar as the company is accused of a breach of Articles 5 and 12 of the Regulation, the maximum amount of the fine that may be retained is 20 million euros or 4% of annual worldwide turnover, the higher amount being retained.

110. However, the restricted committee also takes into account, in determining the fine imposed, the measures that the company has taken during the sanction procedure to partially comply as well as the cooperation with the Commission services. .

111. Third, concerning the need to issue an injunction, the company considers that a formal notice without penalty would be more appropriate given the speed already observed in order to comply with several breaches.

112. Without ignoring the steps taken by the company to comply with the GDPR, the restricted committee considers that the company has not demonstrated, on the day of the closing of the investigation, the total compliance of the treatments it puts implemented in Articles 5-1-c), 5-1 e) 13 and 32 of the Regulation.

113. If the company fails to comply with these breaches, an injunction should be issued.

114. Fourthly, the restricted committee considers that the publication of the sanction is justified in view of the importance of the issues raised concerning the employees, as well as the nature of the data in question, whereas the company is a major player in the sector. in which it intervenes.

115. It follows from all of the above and taking into account the criteria set out in Article 83 of the GDPR that an administrative fine of up to 250,000 euros, an injunction accompanied by a fine as well as an additional penalty publication for a period of two years are justified and proportionate.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

Issue an injunction against the company SPARTOO SAS to bring the processing into conformity with the obligations resulting from articles 5-1 c), article 5-1 e), 13 and 32 of Regulation No. 2016/679 of April 27 2016 relating to data protection, and in particular:

· Regarding the breach of the principle of minimization of personal data:

o justify the end of non-one-off and non-random recordings of advisers' telephone conversations when the purpose pursued is their training or evaluation;

With regard to the breach of the principle of limiting the retention period of data, define and implement a retention period policy for data relating to customers and prospects that does not exceed the period necessary for the purposes for which they are collected and processed, and in particular:

o justify the intermediate archiving procedure for customer personal data put in place, after sorting the relevant data to be archived and deleting irrelevant data, as well as the starting point for this archiving;

o justify the restriction of employees' access to personal data present in the active database to only those who need to know it;

o stop processing the data of prospects beyond the period after which the company no longer contacts them (in this case two years) and stop taking into account, as the last point of contact emanating from them, the simple opening of an email;

o stop keeping the e-mail addresses and hashed passwords of former customers at the end of the fixed period of inactivity and proceed with the purging of such data kept by the company until the date of the deliberation of the restricted formation ;

o justify the deletion of data concerning customers beyond the defined period of inactivity, for which it will be up to the company to justify, and concerning prospects beyond two years of inactivity;

· With regard to the failure to inform people:

o inform employees about the implementation of a device for recording telephone conversations, particularly concerning the purposes pursued, the legal basis of the device, the recipients of data from the device, the retention period of the data , the rights of employees, in particular access to data concerning them, the possibility of lodging a complaint with the CNIL;

o provide complete information to customers, by providing information relating to the various legal bases of the processing carried out by the company;

With regard to the breach of the obligation to ensure the security of personal data, take any measure, for all the processing of personal data implemented, to preserve the security of this data and prevent that unauthorized third parties have access to it in accordance with Article 32 of the GDPR, in particular:

o implement a binding password management policy for customer accounts according to one of the following methods;

§ passwords are at least twelve characters long, containing at least one uppercase letter, one lowercase letter, one number and one special character;

§ Passwords are made up of at least eight characters, containing three of the four categories of characters (upper case letters, lower case letters, numbers and special characters) and are accompanied by an additional measure such as the account access timeout after several failures (temporary suspension of access, the duration of which increases with the number of attempts), the establishment of a mechanism to guard against automated and intensive submission of attempts (eg: captcha) and / or blocking of the account after several unsuccessful authentication attempts (maximum ten);
Attach a fine of 250 (two hundred and fifty) euros per day of delay at the end of a period of 3 (three) months following the notification of this deliberation, the proof of compliance to be sent to the restricted committee within this period;

For breaches of Articles 5-1 c), 5-1 e), 13 and 32 of the GDPR, pronounce against the company SPARTOO SAS an administrative fine in the amount of 250,000 (two hundred and fifty thousand) euros;

· Make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name after the expiration of a period of two years from its publication.

President

Alexandre LINDEN