CNIL (France) - SAN-2019-010

From GDPRhub
(Redirected from CNIL - SAN-2019-010)
CNIL (France) - SAN-2019-010
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR
Article 12 GDPR
Article 13 GDPR
Article 21(2) GDPR
Article 46 GDPR
Article 49 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 21.11.2019
Published: 26.11.2019
Fine: 500,000 EUR
Parties: Futura International
Anonymous
National Case Number/Name: SAN-2019-010
European Case Law Identifier: n/a
Appeal: Unknown
CE (France)
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA (CNIL) imposed a fine of €500,000 for marketing solicitations which violate the GDPR.

English Summary

Facts

The CNIL received a complaint on the ground that he was very regularly cold called by a company whose activity consists of direct marketing solicitations via phone (the controller). Although the complainant had previously informed the controller they did not want to be called and had already exercised their right to object via e-mail, the controller continously sent them marketing emails. Thus, a complaint was lodged with the CNIL.

Dispute

In addition to the violation of the right to object, could unsolicited direct marketing phone calls lead to additional GDPR infringments?

Holding

The investigation carried out by the CNIL revealed that the controller had received several letters from people complaining that they were still being solicited despite their opposition. It also appeared that the company's files contained several excessive comments related to customers or their health conditions. In addition, people were not properly informed about the processing of their personal data, or about the recording of the conversations they had with the company.

In total, following its investigations the CNIL found five breaches of the GDPR:

-         Violation of the right to object, Article 21(2) GDPR: no procedure was implemented to ensure effectively that persons who opposed telephone solicitation were no longer called);

-         Violation of the principle of data minimization, Article 5(1)(c) GDPR: inadequate and offensive comments or irrelevant comments related to people's health were found in the company's customer file;

-         Violation of Articles 12 and 13 GDPR: insufficient information on the processing of data subject’s personal data and their rights;

-         Violation of Articles 46 and 49 GDPR:  the controller did not provide appropriate safeguards for data subjects;

-         Failure to cooperate with the CNIL, Article 31 GDPR.

As a consequence, the CNIL imposed a fine of EUR 500.000.

Comment

This decision was appealed by Futura International before the Conseil d'Etat. However, the Conseil d'Etat rejected the appeal.

See the summary here: CE - 437808

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the French original for more details.

National Commission for Information Technology and Civil Liberties
Deliberation No. SAN-2019-010 of November 21, 2019
Deliberation of the restricted formation n°SAN-2019-010 of November 21, 2019 concerning the company FUTURA INTERNATIONALE
Status: EFFECTIVE

The Commission nationale de l'informatique et des libertés, in its restricted formation, composed of Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Anne DEBET, Sylvie LEMMET and Christine MAUGÜE, members;

Having regard to Council of Europe Convention No. 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data ;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data;

Having regard to Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, as amended, in particular Articles 20 et seq. thereof ;

Having regard to Decree No. 2019-536 of 29 May 2019 implementing Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties;

Having regard to Deliberation No. 2013-175 of 4 July 2013 adopting the rules of procedure of the National Commission on Information Technology and Civil Liberties ;

Having regard to the referral PL18002670 received by the National Commission for Data Processing and Liberties on 6 February 2018;

Having regard to Decision No. 2018-060C of 16 March 2018 of the President of the National Commission for Data Processing and Liberties to instruct the Secretary General to carry out or have carried out a mission to verify all prospecting processing implemented by or on behalf of the company FUTURA INTERNATIONALE ;

Having regard to the decision of the President of the Commission nationale de l'informatique et des libertés appointing a rapporteur to the restricted formation, dated 29 April 2019;

Having regard to the report of Mrs. Sophie LAMBREMON, commissioner-rapporteur, notified to the company FUTURA INTERNATIONALE on 11 June 2019;

Having regard to the written observations of Maître [...], lawyer for FUTURA INTERNATIONALE, received on 10 July 2019;

Having regard to the reply of the rapporteur to these observations notified on 25 July 2019 to the board of the company ;

Having regard to the new written observations of the board of FUTURA INTERNATIONALE received on 31 July 2019 and the oral observations made at the restricted formation meeting on 19 September 2019;

Having regard to the documents communicated by e-mail on October 7, 2019, after the closing of the investigation;

Having regard to the other documents in the file;

Were present, during the restricted training session of 19 September 2019:

    Ms. Sophie Lambremon, Commissioner, in her report;

As representative of the company FUTURA INTERNATIONALE:

- [...], counsel for the company;

The board of FUTURA INTERNATIONALE having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

FUTURA INTERNATIONALE (hereafter referred to as the Company) is a simplified joint stock company with a single shareholder, whose registered office is located at 1 avenue des Violettes, in Bonneuil-sur-Marne (94380). Its activity is the installation of insulation equipment, heat pumps and windows.

In 2017, the company had a turnover of 27,647,300 euros and a net profit of more than 500,000 euros. The turnover was EUR [...] with a net result of approximately EUR [...] in 2018. In March 2018 it had about 75 employees.

On 6 February 2018, Ms [...] lodged a complaint with the Commission nationale de l'informatique et des libertés (hereinafter CNIL or the Commission) alleging telephone canvassing by the company FUTURA INTERNATIONALE. The complainant also stated that, despite opposition to the canvassing expressed orally to the telephone operators and by letter addressed to the company's headquarters, calls had not stopped several months after these approaches.

On 20 March 2018, pursuant to Decision No. 2018-060C of the President, a CNIL delegation carried out an inspection mission to the premises of the company FUTURA INTERNATIONALE. The purpose of this mission was to verify the compliance of all processing operations relating to commercial prospecting carried out by or on behalf of the company with the provisions of the amended Act of 6 January 1978 and, more specifically, to investigate the complaint of Mrs [...].

During this audit, the delegation was informed that, in the course of its business, the company processes customer and prospect data obtained either directly from the persons concerned (whether they contact the company on their own initiative or are contacted as part of telephone canvassing operations by service providers using their own directories) or collected from third parties as part of a sponsorship programme.

The delegation was informed that the company's commercial telephone canvassing was carried out by several call centres acting as subcontractors, most of which are located in North Africa. The company indicated to these subcontractors the department it wished to target, and the call centre operators would call the persons concerned to offer the company's services. If people expressed an interest, they were either put directly in contact with an employee of FUTURA INTERNATIONALE or called back later to check the eligibility criteria for energy saving certificates, a device better known as the one-euro insulation. People could also be contacted in this way when they had been sponsored by customers of the company who had given their contact details. The delegation was informed that the company had not set up a centralised mechanism to take into account requests for objection expressed by those approached. The delegation took copies of 19 e-mails sent to the company by individuals expressing their refusal to participate in future prospecting operations.

The delegation was informed that customer data were processed in the Progibos customer management software, in which telesales agents could record comments on customers for the employees of FUTURA INTERNATIONALE. The delegation noted, among these comments, remarks relating to the state of health of the persons contacted and insulting remarks against them.

Having obtained copies of recordings of conversations between teleoperators and prospects, the delegation noted that, in a significant number of conversations, the persons were not informed of the recording of the call. When individuals were notified of the recording, no further information on the protection of personal data was provided.

Furthermore, following the audit, the Commission services requested the company to provide several documents necessary for the performance of their task, in order to assess the company's liability. These documents included the contracts concluded with the call centres. The company was given eight days to submit these documents. At the company's request, two extensions were granted, until 11 April and then until 20 April 2018. The company sent certain documents on 11, 17, 19 and 20 April, without all the requested documents being provided, despite two reminders from the Commission services on 23 April and 4 June 2018, one of which was sent by registered letter with acknowledgement of receipt.

In the light of these facts, the President notified the company of Decision No MED-2018-039 of 27 September 2018 giving it formal notice, within two months, to take the following measures:

ensure the adequacy, relevance and non-excessiveness of the data collected, in accordance with Article 5(1)(c) of the general data protection regulation No 2016/679 of 27 April 2016 , in particular by :

deleting comments which are inappropriate and excessive in relation to the purpose of the processing operation ;

taking the necessary measures to prevent excessive comments from being recorded in the PROGIBOS software, for example by setting up a system for automatically detecting words that are inappropriate, irrelevant and excessive in relation to the purpose of the processing operation, in order to exclude them from the comment fields, and by making staff aware of the need to record only adequate, relevant and non-excessive data;

justifying the reasons why partial replies were sent to the Commission's email of 23 April 2018 and letter of 4 June 2018 and communicating them to the Commission:

the exhaustive list of call centres working on behalf of the company ;

for each of the call centres, the fifty most recent records relating to prospecting telephone calls made on behalf of the company;

the one hundred most recent recordings available to the Company of telephone conversations between prospects and Company employees;

inform the persons from whom personal data are collected directly, under the conditions now provided for in Articles 12 and 13 of the General Data Protection Regulation No 2016/679 of 27 April 2016 , in particular by providing, at the time the personal data are collected, information on the identity of the controller, the purpose of the processing, the rights of individuals and the transfer of data to a non-EU Member State, and by providing, on the www.futura-internationale.fr , information on data transfers to a non-EU Member State and on the storage periods of the categories of data processed or the criteria used to determine those periods;

provide information to persons from whom personal data are collected indirectly, under the conditions now laid down in Article 14 of the general data protection regulation No 2016/679 of 27 April 2016 , in particular by providing godchildren, at the latest at the time of the first communication with them, with information on the identity of the controller, the purpose of the processing, the rights of individuals and the transfer of data to a non-EU Member State, and by providing a full information notice on the website www.futura-internationale.fr ;

define and implement an effective procedure for the right of objection in order to comply with the provisions of Article 21(2) of the general data protection regulation No 2016/679 of 27 April 2016 and, in particular, grant the request made by Ms [...] ;

no longer transfer personal data to a State which does not ensure an adequate level of protection of privacy and fundamental rights and freedoms, unless one of the conditions laid down in Articles 46 to 49 of the general data protection regulation No 2016/679 of 27 April 2016 is fulfilled;

justify to the CNIL that all of the aforementioned requests have been complied with within the time limit set.

The formal notice was received by the company on October 2, 2018.

On November 29, 2018, the President of the CNIL received a request for an extension of the deadline set by the formal notice. In this letter, a lawyer representing the company explained that she had been appointed as data protection delegate at the CNIL, without having been informed of this, and that the company was late in receiving this formal notice. As a result, the company's board requested that the two-month period initially granted be doubled, which request was granted on 13 December 2018.

On 15 February 2019, the company's board sent a letter to the president of the CNIL, informing her that, despite several reminders from her, it had been unable to obtain the supporting evidence requested from the company. Consequently, he could not justify the compliance of FUTURA INTERNATIONALE but nevertheless communicated some documents provided by the company.

In order to examine these elements, the President of the Commission appointed Mrs. Sophie LAMBREMON as rapporteur on April 29, 2019, on the basis of article 47 of the law of January 6, 1978 as amended in its version applicable on the date of appointment.

At the end of his investigation, on 11 June 2019, the rapporteur sent a report by bearer to FUTURA INTERNATIONALE detailing the breaches of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on data protection (hereinafter the Regulation or the DPMR) which he considered to have occurred in this case.

The report proposed that the restricted panel of the Commission issue an injunction to bring the processing into conformity with the provisions of Articles 5(1)(c), 12, 13, 14, 21 and 44 of the Regulation, together with a penalty payment of five hundred euros per day of delay at the end of a period of fifteen days following notification of the restricted panel's decision, and an administrative fine of five hundred thousand euros. It also proposed that this decision be made public but that it should no longer allow the company to be identified by name after a period of two years from its publication.

The report also included a notice convening the meeting of the restricted session of 19 September 2019, giving the company one month to submit its written comments.

On July 10, 2019, the Company, through its new Board, filed comments. The rapporteur replied on 25 July.

On 31 July, the company submitted further comments in response to the rapporteur's comments.

At the session of the restricted formation on 19 September 2019, the rapporteur maintained the proposals made in his sanction report with the exception of the injunction relating to the adequacy of free comments, as the company complied on this point.

II Reasons for the decision

1 On the applicable law

The restricted training notes that the control carried out by the Commission services took place on 20 March 2018. This date is prior to the entry into force of the RGPD. For this reason, the letter of formal notice of 27 September 2018, although notified after the entry into force of the text, is indicative of breaches of Law No 78-17 of 6 January 1978 as amended, while calling for compliance with the Regulation, which is now applicable.

The Panel considers that the principle of non-retroactivity of criminal sanctions in principle prohibits the application of the Regulation to punish instantaneous breaches that occurred before its entry into force.

It nevertheless notes that the breaches noted in the letter of formal notice are continuous breaches, which are defined by an action (or an omission) extending over a certain period of time, within the meaning of the case-law of the European Court of Human Rights (European Court of Human Rights, Grand Chamber, case of Rohlena v. the Czech Republic, req. 59552/08, paragraph 28).

The restricted panel considers that these failures continued at least until the notification of the sanction report, i.e. after the entry into force of the RGPD, because the company failed to demonstrate compliance.

The restricted formation points out that, in the event of continuing breaches, account must be taken of the law applicable at the time of the last state of the breach (EC 9/10, 5 November 2014, UBS France SA, No 371585, point 24).

Consequently, the panel considers that the RGPD is applicable to the facts of the case and that the infringements must therefore be assessed in the light of that text.

(2) Failure to comply with the obligation to process adequate and relevant data limited to that which is necessary for the purposes for which they are processed.

Article 5(1)(c) of the GDMP provides that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed.

The restricted training notes that abusive terms relating to the state of health of individuals have been found in the Progibos software for the management of the company's clients. It considers that, by their very nature, the offensive comments are inappropriate in relation to the purpose for which the data are processed and that there is no justification, in this case, for the presence of data relating to the health of individuals in the software for managing clients and prospects. It notes in this regard that the excessive nature of those data is not called into question by the company.

The restricted formation also notes that the company has not demonstrated that it had deleted the excessive or inadequate comments by the expiry of the period granted in the notice and that, consequently, the failure to comply with the obligation to process only adequate, relevant data limited to what is necessary for the purposes for which they are processed was constituted at that date.

The Panel therefore considers, in the light of these elements, that a failure to comply with Article 5(1)(c) of the RGPD was constituted at the end of the period laid down in the letter of formal notice.

The Panel notes that the company provides evidence that it purged the excessive comments during the sanction proceedings.

The Panel also takes note of the observations made by the rapporteur at the sitting of 19 September 2019. The rapporteur considers that the company has demonstrated its compliance and that, therefore, there is no longer any need to issue an injunction on this point.

However, the restricted formation notes that, although information is actually delivered by means of a contextual banner to users of the Progibos software, the bailiff's report drawn up on 30 July 2019 does not show that the company has put in place a computerised mechanism preventing the recording in the software of offensive terms or terms relating to the state of health of persons. This is also not apparent from the documents provided by the company during the sanction procedure, nor from the statements made by its board during the meeting of 19 September 2019.

However, in view of the observations made by the supervisory delegation on 20 March 2018 regarding the nature of the comments entered by users of the Progibos software, the restricted formation considers that a mere mention of information intended for users cannot suffice, in the case in point, to ensure compliance with the provisions of Article 5(1)(c) of the RGPD. On the contrary, it considers that the data controller must set up a binding system enabling it to ensure that the behaviour observed is not repeated, either by automatically preventing the recording of certain terms as soon as they are entered, or by carrying out an automated daily review of the comments recorded.

These elements are therefore not such as to call into question the characterisation of the breach referred to at the end of the investigation.

3) Failure to inform individuals of the obligation to provide information

The first paragraph of Article 12 of the PGRD provides that the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 [...] regarding the processing to the data subject in a concise, transparent, comprehensible and easily accessible manner in clear and simple terms, in particular any information specifically intended for a child. Information shall be provided in writing or by other means, including, where appropriate, by electronic means. Where the data subject so requests, the information may be provided orally, provided that the identity of the data subject is proved by other means .

As regards information to persons whose personal data are collected directly from them by the company, Article 13 of the RGPD provides :

1. Where personal data relating to a data subject are collected from that person, the controller shall provide him/her, at the time when the data in question are obtained, with all the following information :

(a) the identity and contact details of the controller and, where appropriate, of the representative of the controller ;

(b) where applicable, the contact details of the Data Protection Officer ;

(c) the purposes of the processing operation for which the personal data are intended and the legal basis of the processing operation ;

(d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party ;

(e) the recipients or categories of recipients of the personal data, if any; and

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or to an international organisation, and the existence or absence of a decision on adequacy issued by the Commission or, in the case of transfers as referred to in Articles 46 or 47 or in the second subparagraph of Article 49(1), the reference to appropriate or adequate safeguards and the means of obtaining a copy of them or the place where they have been made available ;

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time when the personal data are obtained, with the following additional information which is necessary to guarantee fair and transparent processing :

(a) the period for which personal data are stored or, where that is not possible, the criteria used to determine that period ;

(b) the existence of the right to request access, rectification or erasure of personal data from the controller, or a restriction on the processing in respect of the data subject, or the right to object to the processing and the right to data portability ;

(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing operation based on the consent given prior to its withdrawal ;

(d) the right to lodge a complaint with a supervisory authority ;

(e) information as to whether the requirement to supply personal data is regulatory or contractual in nature or whether it is a condition for entering into a contract and whether the data subject is under an obligation to supply the personal data, as well as the possible consequences of failure to supply such data ;

(f) the existence of automated decision making, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, relevant information as to the underlying logic, as well as the importance and the intended consequences of such processing for the data subject.

As regards the information to be provided where the personal data have not been obtained from the data subjects, Article 14 provides :

1. Where the personal data have not been obtained from the data subject, the controller shall provide the data subject with all the following information:

(a) the identity and contact details of the controller and, where appropriate, of the representative of the controller ;

(b) where applicable, the contact details of the Data Protection Officer ;

(c) the purposes of the processing operation for which the personal data are intended and the legal basis of the processing operation ;

(d) the categories of personal data concerned ;

(e) where applicable, the recipients or categories of recipients of the personal data;

(f) where applicable, the fact that the controller intends to carry out a transfer of personal data to a recipient in a third country or an international organisation, and the existence or absence of a decision on adequacy issued by the Commission or, in the case of transfers as referred to in Articles 46 or 47 or in the second subparagraph of Article 49(1), the reference to appropriate or adequate safeguards and the means of obtaining a copy thereof or the place where it was made available ;

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to guarantee fair and transparent processing in respect of the data subject :

(a) the period for which personal data will be kept or, where that is not possible, the criteria used to determine that period ;

(b) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party ;

(c) the existence of the right to request access, rectification or erasure of personal data from the controller, or a restriction on the processing in respect of the data subject, as well as the right to object to the processing and the right to data portability ;

(d) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing operation based on consent prior to its withdrawal ;

(e) the right to lodge a complaint with a supervisory authority ;

(f) the source from which the personal data originate and, where appropriate, an indication as to whether or not they originate from publicly available sources ;

(g) the existence of automated decision making, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, relevant information as to the underlying logic, as well as the importance and the intended consequences of such processing for the data subject.

3. 3. The controller shall provide the information referred to in paragraphs 1 and 2:

(a) within a reasonable time after having obtained the personal data, but not exceeding one month, having regard to the specific circumstances in which the personal data are processed ;

(b) if the personal data are to be used for the purpose of communicating with the data subject, no later than the time of the first communication to the data subject; or

(c) if it is intended to communicate the information to another recipient, no later than when the personal data are first communicated.

Guidelines on transparency within the meaning of Regulation (EU) 2016/679 were adopted by the Article 29 Working Party on 29 November 2017 (revised version adopted on 11 April 2018, WP260 rev.01). They specify, on page 22, that while multi-level information is possible for the sake of clarity, the G29 recommends that the first level [...] should include details of the purpose of the processing, the identity of the controller and a description of the rights of the data subjects, before recommending that this information should be brought directly to the attention of the data subject at the time of collection of the personal data.

The restricted training notes that it appears from the telephone recordings provided by the company that the persons who are the subject of telephone canvassing are either not provided with any information regarding the recording of the call or are simply informed about the recording of the conversation without any further information about the processing of their personal data, such as the purpose of the processing, the identity of the controller or the rights they have.

The restricted formation points out that the company does not claim or demonstrate that it has put in place, within the period granted by the formal notice, an information mechanism in compliance with the abovementioned provisions, as no details were provided on this point in the summary response to the formal notice of 15 February 2019. The same applies to the information provided to sponsored persons whose personal data are indirectly collected.

The Panel therefore considers that, in the light of these elements, a breach of Articles 12, 13 and 14 of the RGPD was constituted at the expiry of the deadline set by the letter of formal notice.

The restricted formation takes note of the fact that the company states that it will henceforth communicate complete information in the form of an e-mail to any person who is the subject of telephone canvassing, as well as to persons whose data are not collected directly.

However, the restricted training notes that, although the company states that it makes complete information available to persons who are the subject of telephone canvassing and those whose data are collected indirectly, it has not justified the information it provides, for example by producing a model of the e-mail sent. Furthermore, with regard to persons whose data are collected directly, the restricted training notes that the company indicates that it provides information in the form of an e-mail sent after the telephone exchange. The restricted training recalls that Article 13 of the GDMP requires that information be provided at the time of collection of personal data. Indeed, in the light of this text, it is necessary that the individual be put in a position to be informed of the information relating to the processing of his personal data at the time when his data are collected, and not only subsequently. Thus, information, even summary information, must be communicated to him through the voice service or the teleoperator, offering him the possibility of obtaining complete information either by pressing a key on his telephone keypad or by sending an e-mail, for example.

These elements are therefore not such as to call into question the characterisation of the breach referred to at the close of the investigation.

4. on the failure to respect the right of opposition

The second paragraph of Article 21 of the EPR provides that where personal data are processed for the purpose of canvassing, the data subject shall have the right to object at any time to the processing of personal data relating to him for such purposes, including profiling insofar as it relates to such canvassing .

Moreover, Article 12(2) of the abovementioned GDMP provides that the controller shall facilitate the exercise of the rights conferred on the data subject under Articles 15 to 22.

The restricted formation therefore considers, under these two articles combined, that it was up to the company to put in place a mechanism allowing effective consideration of the right of objection expressed by persons subject to telephone canvassing. In this respect, it had to be able to ensure that the opposition expressed by the persons concerned was respected and that the persons who had expressed their opposition no longer received canvassing calls from its subcontractors.

The restricted formation notes that it appears from the statements of the company's employees, collected during the audit carried out on 20 March 2018, that no procedure had been put in place to ensure that the opposition expressed to the company was communicated to its subcontractors or that the opposition expressed directly to the call centre operators was centralised at the company's head office and passed on to the company and all subcontractors.

Consequently, it appears that the opposition expressed by the persons canvassed was in vain: when it was expressed to the company's head office, the subcontractors were not informed and continued the canvassing operations; when it was expressed directly to a subcontractor, neither the head office nor the thirty-five other call centres then working for the company were informed, and the canvassing continued despite the refusal expressed by the persons. It is clear from the above that, whatever the means of expressing opposition, it remained ineffective.

The Panel also considers that the failure to take account of the opposition expressed is apparent from the complaint of Mrs [...], who reports a very large number of calls received after having expressed her opposition. This fact is also apparent from the e-mails received by the partnership that no longer wished to be the target of telephone canvassing, the majority of these e-mails reporting several calls received despite the expressed refusal.

The Panel notes that the company sent to the Commission services, after the monitoring carried out on 20 March 2018, three certificates from call centres stating that they had received a list of persons who no longer wished to be canvassed from the company.

The limited training notes that only three certificates were provided, even though the company indicated that it was working at that time with 36 call centres. It therefore takes the view, in view of the company's obligation vis-à-vis these three call centres, that no steps were taken to ensure that the objection was actually complied with by all its subcontractors.

In addition, the restricted formation notes that the information contained in the certificates, which the company claims to have provided to the call centres, does not allow sufficient identification of the persons who expressed their refusal to be canvassed by telephone. On the one hand, the absence of any mention of the telephone number prevents the registration of the person on a list opposing telephone canvassing. On the other hand, the mere mention of the person's e-mail address and surname (a fortiori when the latter is particularly widespread) creates a risk of confusion in the event of homonymy. Thus, the subcontractors were not put in a position to ensure that the persons concerned would no longer be contacted by them.

Lastly, the restricted formation considers that the evidence produced by the company does not show that, at the end of the period allowed in the formal notice, the company ensured that the opposition expressed by a person canvassed by the teleoperator of a subcontracted call centre was communicated for the purpose of being centralised and then forwarded to all subcontractors. The restricted formation considers that, in the absence of such a mechanism, any opposition expressed during a telephone canvassing call will not lead to the cessation of any canvassing operation on behalf of the company, in particular by another call centre.

The Panel therefore considers, in the light of these elements, that a failure to comply with Article 21 of the RGPD was constituted at the expiry of the time limit set by the formal notice.

The panel notes the company's statements, both during the written exchanges with the rapporteur and at the sitting of 19 September 2019, that it has set up a regularly updated opposition list in the Progibos software.

However, the restricted formation considers that this mechanism is insufficient to impose its respect by the call centres and, consequently, the effective taking into account of people's opposition. Indeed, the restricted formation notes that this exclusion list takes the form of a simple table, to which an information banner in the software inviting call centre teleoperators to consult the table refers. Nothing is put in place to automate the process and ensure its reliability, for example by providing that each number called by a teleoperator is automatically and beforehand compared with this do not call list to prevent the call. With regard firstly to the economic interests represented by commercial prospecting, both for FUTURA INTERNATIONALE and its subcontractors, secondly to the volume of calls made on behalf of the company and thirdly to the number of data subjects (more than 300 people had already expressed their opposition on the day of the meeting), the restricted formation considers that only an automated mechanism is sufficiently effective to ensure that the opposition expressed by the data subjects is respected.

Furthermore, the restricted panel notes that this list contains data relating to the postal address of the individuals. These data are personal data and are not necessary for the specific purpose of this processing operation, which is to constitute an objection list to telephone canvassing. Indeed, surnames, first names and telephone numbers are sufficient to ensure compliance with this obligation, unless it can be demonstrated that the list also makes it possible to demonstrate opposition to postal canvassing.

Finally, the restricted formation observes that the company does not show that the data of the persons having expressed their opposition to the processing have indeed been purged from the Progibos software, the judicial officer's statement of facts issued on 30 July 2019 being silent on this point.

This element is thus not likely to call into question the characterization of the failure evoked at the end of the investigation.

5 On the failure to cooperate with the supervisory authority

Article 31 of the GDMP provides that the controller and the processor and, where appropriate, their representatives shall cooperate with the supervisory authority, at the latter's request, in the performance of its tasks.

The restricted training notes the numerous requests made by the Commission services after the supervision of 20 March 2018 for communication of the documents necessary for the performance of their tasks, as well as the very partial replies from FUTURA INTERNATIONALE, which provided only a very small proportion of the information requested. It also notes that the Commission has systematically granted the company's requests for extensions of time limits, without this allowing the documents requested to be provided.

The Panel also notes that the company did not reply satisfactorily to the formal notice notified to it since the reply was not accompanied by the supporting evidence requested in the context of this procedure and did not cover all the shortcomings identified. Again, the restricted formation notes that the company requested and obtained a maximum extension of the deadline granted by the formal notice.

The company states that it was poorly advised, but the restricted panel notes, on the one hand, that, as controller, it was the sole responsibility of the company to respond to the requests addressed to it and to report on compliance with the DMPR, it being responsible for choosing the competent professionals to whom it intended to entrust the defence of its interests, if necessary. It was up to the company to call on new interlocutors if it considered that it was confronted with the incompetence of the first seizures.

Furthermore, the Panel notes that the failure relating to the lack of cooperation with the Commission's services, which it considers to be characteristic of this case, cannot stem from a simple ignorance of the rules on data protection that the company puts forward to explain the difficulty it had in responding to the CNIL's requests. It considers that the lack of response to the requests made by the CNIL and to the formal notice sent by the President of the Commission, as well as the failure to take those requests into account prior to the notification of a penalty report, are sufficient to demonstrate, if not the clearly expressed desire not to respond to the CNIL's requests, at the very least a flagrant lack of interest in those matters.

The Panel notes that this failure ended with the notification of the sanction report, which was the only point at which an exchange of views with the company, through its board, could take place.

Finally, the company wrongly considers that the characterisation of this failure is incompatible with the possibility given to the company to comply by means of a formal notice and to make comments during the exchanges with the rapporteur in the context of the sanction procedure. The principle of cooperation laid down by Article 31 of the RGPD pre-exists the procedure initiated: its non-compliance is constituted as such and is not linked to the company's subsequent compliance or to the principle of adversarial proceedings which governs the sanction procedure.

The Panel therefore considers, in the light of these elements, that a failure to comply with Article 31 of the RGPD was constituted at the end of the period prescribed by the formal notice.

The restricted panel takes note of the reality of the cooperation between the company and the rapporteur. It takes account of the controller's efforts to bring it into line where these are demonstrated, but the decision it delivers is also intended to punish past conduct.

This element is therefore not such as to call into question the characterisation of the breach referred to at the end of the period of notice.

6) Failure to comply with the obligation to regulate transfers of personal data outside the European Union

Article 44 of the GDMP provides: a transfer to a third country or to an international organisation of personal data which are or are intended to be processed further to such transfer may take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and the processor, including as regards further transfers of personal data from the third country or international organisation to another third country or international organisation. All the provisions of this Chapter shall be applied in such a way that the level of protection of natural persons guaranteed by this Regulation is not compromised .

The restricted formation notes that the company was, on the day of the check, transferring data to States considered not to provide an adequate level of protection in accordance with Article 45 of the GDR (Côte d'Ivoire, Morocco, Tunisia) through its Progibos software.

In view of the lack of adequacy, the restricted formation notes that it was up to the company FUTURA INTERNATIONALE to provide appropriate guarantees, in accordance with the provisions of Article 46 of the RGPD.

Concerning the situation on the day of the control carried out and subsequently emerging from the elements communicated by the board of the company in response to the formal notice, the data controller chose to frame the transfer of personal data to its processors located outside the territory of the European Union by contractual clauses. However, the restricted formation notes that these clauses do not meet the requirements of Articles 44 et seq. of the GDMP since they were not adopted by the European Commission or by a supervisory authority, contrary to the requirements of Article 46 of the GDMP.

The restricted formation takes note of the new clauses on the protection of personal data that the company's board communicated to the rapporteur in the context of the sanction procedure and notes that these clauses take over the European Commission's standard contractual clauses.

Nevertheless, the restricted formation notes, on the one hand, that, on the day of the closure of the investigation, the contracts communicated to it are not final documents, since certain clauses are not entirely drafted, in particular the clauses relating to the remuneration of the service provider.

Secondly, and despite the rapporteur's requests on this very point during the procedure, the restricted formation observes that, on the day the investigation was closed, the company had not communicated a version of those contracts signed by both parties. The panel finds that a cursory examination of the contract between FUTURA INTERNATIONALE and its subcontractor [...] reveals that the company's stamp and the signature of its representative do not appear on the contract itself but only on the printout of the photograph of the contract, since the stamp extends beyond the photograph and cannot therefore appear on the original document. Consequently, that document does not enable the restricted formation to ascertain the company's compliance on that point.

Furthermore, the restricted formation notes that the contract and the annex binding FUTURA INTERNATIONALE and its subcontractor [...] is not signed by both parties.

Finally, the European Commission's standard contractual clauses provide that these clauses are subject to the law of the Member State where the personal data exporter is established, in this case France. However, the Restricted Training notes that, in the contracts provided by the company, the clauses are systematically subject to the law of the State where the sub-contractor is established.

The Panel therefore considers that, in the light of the foregoing, there was a breach of Article 44 of the GDR at the end of the period prescribed by the formal notice.

The restricted formation takes note of the communication to the rapporteur of contracts concluded between the company and its subcontractors. It notes, however, that the company has not justified the establishment, in its relations with its subcontractors, of a legal framework complying with the provisions of Articles 44 to 50 of the Regulation, and in particular the fact that it has co-signed with them amendments to the contracts corresponding to the standard contractual clauses on the protection of personal data adopted by the European Commission. Indeed, the restricted formation notes that the contracts communicated on 31 July 2019 are incomplete, and that the documents photographed are not signed by the two co-contractors, only the photograph being stamped and signed by the company FUTURA INTERNATIONALE. Moreover, a contract remains unsigned by all the contracting parties.

This element is thus not likely to call into question the characterization of the breach mentioned at the end of the investigation.

III. on corrective measures and their publicity

Under the terms of III of Article 20 of the Act of 6 January 1978 as amended :

Where the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or this Act, the President of the Commission Nationale de l'Informatique et des Libertés may also, where appropriate after having sent him the warning provided for in I of this article or, where appropriate in addition to a formal notice provided for in II, refer the matter to the restricted formation of the Commission with a view to the pronouncement, after an adversarial procedure, of one or more of the following measures: […]

2° An injunction to bring the processing into conformity with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Law or to comply with the requests made by the data subject to exercise his rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment of not more than €100,000 per day of delay from the date set by the restricted formation; [...].

7° With the exception of cases where the treatment is implemented by the State, an administrative fine may not exceed EUR 10 million or, in the case of an undertaking, 2% of the total annual worldwide turnover of the previous financial year, whichever is the higher. In the cases referred to in Article 83(5) and (6) of Regulation (EU) 2016/679 of 27 April 2016, these ceilings are increased to EUR 20 million and 4 % of that turnover, respectively. In determining the amount of the fine, the restricted formation shall take into account the criteria set out in Article 83 of Regulation (EU) No 2016/679.

Article 83 of the RGPD provides for :

1. Each enforcement authority shall ensure that administrative fines imposed under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.

2. 2. Depending on the specific features of each case, administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken, in each individual case, of the following elements :

(a) the nature, seriousness and duration of the breach, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered by them ;

(b) whether the breach was committed intentionally or through negligence or misconduct ;

(c) any measures taken by the controller or the processor to mitigate the damage suffered by the data subjects ;

(d) the degree of responsibility of the controller or the processor, taking into account the technical and organisational measures they have implemented pursuant to Articles 25 and 32;

(e) any relevant breach previously committed by the controller or the processor;

(f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating its possible negative effects ;

(g) the categories of personal data concerned by the breach ;

(h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or the processor notified the breach ;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures ;

(j) the application of codes of conduct approved pursuant to Article 40 or certification schemes approved pursuant to Article 42; and

(k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach.

Firstly, with regard to the fine proposed by the rapporteur, the small group considers that, in the case in point, the abovementioned breaches justify the imposition of an administrative fine on the company for the following reasons:

The Panel finds that the breaches of Articles 5(1)(c), 12, 13, 14, 21 and 44 of the Regulation have persisted beyond the time limit set by the President of the Commission's formal notice and that it was only when the penalty report was notified that the company took steps to comply, more than eight months after the formal notice was notified. The company thus did not fully cooperate with the Commission services until the initiation of the sanction procedure and did not demonstrate compliance by the expiry of the deadline.

It also notes that most of the failures relate to obligations which Law No 78-17 of 6 January 1978 as amended already imposed on data controllers and which did not arise from the RGPD. It therefore considers that the argument that the company derives from the difficulty it has had in applying a new legal framework in a short space of time is not valid.

It also notes that some of these shortcomings relate to the rights of individuals (right to information and right to object), which were not respected by the company. As of the closing date of the investigation, there was no evidence that the company and its sub-contractors had complied with these requirements. However, the restricted formation considers that the non-respect of their rights affects the persons concerned, particularly with regard to the right of opposition, which is demonstrated by the tone of the e-mails sent by the prospects to the company. Consequently, in view of the consequences for individuals, such breaches should be severely punished.

The restricted training also reminds that the obligation to regulate the transfer of personal data outside the territory of the European Union is the consequence of the non-existence, on the territory of many states, of protective regulations relating to personal data. Failure by the data controller to comply with this obligation runs the risk of having such data processed outside any protective legal framework, to the detriment of the rights of the data subjects. The restricted training therefore considers that it must pay particular attention to the compliance of data controllers with this obligation.

All these reasons justify the imposition of an administrative fine.

Secondly, as regards the amount of this fine, the company argues that it is disproportionate in view of the good will of the company, which had no intention of contravening the GDMP and was merely ill-informed.

On this point, on the contrary, the restricted formation points to a lack of cooperation which is perfectly characteristic of the case. The Panel considers that, far from being a factor which should lead it to reduce the amount of the fine imposed, the conduct of the company up to the notification of the penalty report should, on the contrary, be taken into account in order to increase the penalty imposed, as required by Article 83(2)(b) of the RGPD.

The company then considers that the amount of the fine is disproportionate in relation to the undertaking's turnover, since the rapporteur did not take useful account of the reduction in turnover that occurred in 2018 and was announced for 2019.

In this regard, the restricted formation considers that the amount of the fine proposed by the rapporteur is measured against the accounting information provided by the company, which shows a turnover of approximately EUR 27 million in 2017 and EUR 20 million in 2018. The Commission notes that, in view of the infringements in question, Article 83(5)(b) of the ECMR sets the amount of the fine at EUR 20 million, and that the amount of the fine proposed corresponds to 2,5 % of the company's annual turnover, which is not excessive in view of the company's conduct, in particular prior to the notification of the penalty report, and in view of the seriousness of the infringements, in particular the infringement of the rights of individuals. Finally, if the company demonstrates that its turnover decreased in 2018, this result remains of the same order of magnitude as the result for 2017 despite a decrease in net income, and does not justify a reduction in the amount of the fine imposed, which is not directly correlated to the company's financial results, even if the latter are taken into account in its calculation.

The restricted formation underlines the plurality of the infringements in question and their persistence and gravity. It takes particular account of the consequences for the persons concerned and notes that this case originated in a complaint lodged by an individual with the Commission. It also notes the company's reluctance to take account of the applicable legislation on the protection of personal data and its lack of diligence in remedying the breaches observed, despite numerous reminders from the Commission services.

However, the restricted training also takes into account the steps taken by the company during the sanction procedure to achieve partial compliance, the fact that it is an SME and the evolution of its financial situation, in order to determine the amount of a fair and proportionate administrative fine, recalling that the fine must nevertheless be dissuasive.

Thirdly, as regards the need to issue an injunction, the company considers that it has brought its practices into line with the requirements of the RGPD. It considers that this progress is demonstrated by its responses to the sanction report and then to the rapporteur's comments and that, therefore, an injunction is not necessary as compliance has already been achieved.

As explained above, the Panel considers that the company has not demonstrated, at the closing date of the investigation, the compliance of its treatment with Articles 5(1)(c), 12, 13, 14, 21 and 44 of the RGPD.

If the company has not complied with these failures, the proposed injunction should be issued.

Fourthly, regarding the publicity of its decision, the company states that such publicity would have dramatic consequences for the privacy of persons whose personal data are processed by the company, since it would make it a target of computer attacks.

On this point, the restricted training notes that the publicity has no impact on the security of personal data since its decision does not reveal any vulnerabilities that could be exploited by malicious persons.

In view of the company's statements as to its position in its field of intervention, as it claims to be a major player in its sector, the restricted formation considers that the publicity of the sanction is justified in view of the importance of the problem of commercial prospecting, both in relation to its scale and its practical consequences for the persons canvassed. In addition, it meets a legitimate expectation of persons who have been or may in the future be the subject of commercial canvassing by telephone by the company or other actors and will alert them to their rights.

It follows from all of the above and taking into account the criteria laid down in Article 83 of the RGPD that an administrative fine of EUR 500 000, an injunction accompanied by a periodic penalty payment and an additional publication penalty for a period of two years are justified and proportionate.

FOR THESE REASONS

The restricted formation of the CNIL, after deliberation, decides to :

    issue an injunction against the company FUTURA INTERNATIONALE to bring the processing into compliance with the obligations resulting from Articles 5 paragraph 1 point c), 12, 13, 14, 21 and 44 of Regulation No. 2016/679 of 27 April 2016 on data protection, and in particular :

- take measures to effectively prevent excessive comments from being recorded in the PROGIBOS software, for example by setting up a system for automatically detecting words which are inappropriate, irrelevant and excessive in relation to the purpose of the processing operation, in order to exclude them from the comment fields or prevent them from being entered ;

- inform the persons from whom personal data are collected directly and indirectly, under the conditions provided for in Articles 12, 13 and 14 of the general data protection regulation No 2016/679 of 27 April 2016, for example by directly informing the data subject, by means of the voice service or the teleoperator, of the existence and purpose of the device and of his right to object, and by offering him the possibility of obtaining full information either by pressing a key on his telephone keypad or by sending an e-mail ;

- to implement a procedure to ensure the effectiveness of the rights of opposition expressed by the persons being prospected, this procedure having to ensure that the opposition expressed to the subcontractors carrying out the prospecting campaigns is transmitted to the company and passed on to the other subcontractors, that the opposition expressed to the company is transmitted to the subcontractors carrying out the prospecting campaigns, and to ensure that the calls made by the subcontracting teleoperators do not target persons who have already expressed their opposition to the processing of their personal data for prospecting purposes;

- to regulate the relations between the company and its subcontractors carrying out telephone prospecting campaigns by legal acts meeting the criteria laid down in Articles 44 to 49 of the Regulation and to ensure, if the company chooses the standard data protection clauses adopted by the European Commission, that the clauses are signed by the parties and governed by the law of the Member State in which the data exporter is established, in this case France ;

    attach to the order a penalty payment of EUR 500 (five hundred) per day of delay at the end of a period of 1 (one) month following notification of this decision, with proof of compliance to be sent to the restricted formation within that period;
    for breaches of articles 5-1-c), 12, 13, 14, 21, 31 and 44, impose an administrative fine on FUTURA INTERNATIONALE in the amount of 500,000 (five hundred thousand) euros;
    to make public, on the CNIL site and on the Légifrance site, its decision, which will no longer identify the company by name at the end of a period of two years from the date of its publication.

The Chairman

Alexandre LINDEN