CNIL - SAN-2020-003.
|CNIL - Délibération n°SAN-2020-003|
|Relevant Law:||Article 5(1)(c) GDPR, Article 5(1)(e) GDPR, Article 13 GDPR, Article 32(1) GDPR, Article 56(1) GDPR|
|National Case Number/Name:||Délibération n°SAN-2020-003|
|European Case Law Identifier:||n/a|
|Original Source:||Legifrance (in FR)|
|Initial Contributor:||Alexandra Ziaka|
In the context of an investigation against SPARTOO SAS, a company specialised in online footwear sales with activities in thirteen EU countries, the French DPA (Commission Nationale de l'Informatique et des Libertés, CNIL), acting as lead supervisory authority in cooperation with the DPAs of other EU countries, held that the processing activities of SPARTOO SAS did not comply with a series of GDPR provisions (Articles 5(1)(c), 5(1)(e), 13 and 32 GDPR). CNIL imposed a fine of 250,000 euros and ordered SPARTOO SAS to bring its processing activities into conformity with the GDPR within three months of the publication of the decision.
On 31 May 2018, CNIL initiated an inspection at the premises of SPARTOO SAS in order to investigate whether its processing of the personal data of its customers, prospective customers and employees was compliant with the GDPR. CNIL focused on several processing activities of SPARTOO SAS: 1) recording customer service calls on a permanent basis; 2) storing customers' bank details; 3) initially setting no retention period at all; 4) later setting a retention period of five years from the customer's last activity; 5) treating the mere opening of an email as the last activity of a prospective customer; 6) storing the personal data of more than three million customers who had not logged in for more than five years in a non-anonymised form; 7) not erasing personal data on a regular basis; 8) requesting the customer's health card in Italy in the context of the fight against fraud; 9) lacking a strong password policy; 10) providing inadequate information to customers, prospective customers and employees about the processing of their personal data.
CNIL found that the collection of bank details and the recording of customer service conversations were excessive and not necessary for the stated purpose, namely the training of employees, given that only one call per employee was examined per week. The collection of health cards in Italy was also found excessive, and together with the above-mentioned activities CNIL held that the data minimisation principle had been violated (Article 5(1)(c) GDPR). CNIL also found a violation of the storage limitation principle (Article 5(1)(e) GDPR), given the initial absence of any retention period, the storage of data of many inactive customers for more than five years, and the excessive storage of prospective customers' personal data, which should be limited to two years. Furthermore, the information provided to data subjects was found inadequate and contrary to the obligation of transparency (Article 13 GDPR). More specifically, CNIL held that there are legal bases other than consent for the processing of clients' personal data, such as the performance of a contract and the legitimate interest of the controller. In addition, the information provided to the company's employees regarding the recording of customer service calls did not include the purpose of the processing, the legal basis, the recipients, the retention period or their rights. Finally, CNIL held that SPARTOO SAS failed to implement appropriate measures to ensure the security of the processing (Article 32 GDPR), as it did not enforce a strict password policy.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.