CNIL - SAN-2020-008
Relevant Law:
Article 5(1)(e) GDPR
Article 12 GDPR
Article 13 GDPR
Article 13(2)(a) GDPR
Article 14 GDPR
Article 15 GDPR
Article 15(1)(g) GDPR
Article 17 GDPR
Article 17(1)(c) GDPR
Article 21 GDPR
Article 32 GDPR
Article 33 GDPR
Article 83 GDPR
Article 83(5) GDPR
Code des postes et des communications électroniques
Loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
National Case Number/Name: SAN-2020-008
European Case Law Identifier: n/a
Original Source: Legifrance (in FR)
English Summary
Facts
The French retail company Carrefour France operates the online store carrefour.fr. The CNIL received fifteen complaints related to this website between June 2018 and April 2019. The complaints pointed out several failures:
- Carrefour sending prospecting e-mails despite data subjects objecting to them
- Lack of a positive response to data deletion and access requests
- Absence of an "unsubscribe" link in a commercial e-mail
In May and June 2019, the French DPA conducted several online and on-site investigations. In addition to the breaches alleged in the complaints, the CNIL decided to investigate Carrefour's loyalty program as well as the database storing its clients' personal data.
Several written exchanges took place during the investigative procedure, and Carrefour quickly implemented measures to comply with the law. In January 2020, the CNIL sent Carrefour a full report detailing the breaches identified, to which Carrefour responded in a back-and-forth between the company and the DPA from March to August 2020.
Dispute
The CNIL investigated several questions regarding Carrefour France's data processing:
- Is keeping data on loyalty program members for four years after their last contact with the company excessive with regard to Article 5(1)(e) GDPR?
- Is keeping a copy of a data subject's ID card after their request has been fulfilled excessive?
- Is systematically requesting an ID card for the exercise of a right by a data subject a violation of Article 12 GDPR?
- Are the following practices an infringement of the data subjects' right to information as described in Article 12 GDPR?
  - Spreading the mandatory information on data processing across several webpages
  - Making the information part of the terms and conditions of the loyalty program
  - The use of vague wording such as "These treatments mainly include" and "for one or more of the following purposes for which your data may be used"
- In the case of a company acquisition, should the personal data originally controlled by the acquired company be considered directly collected from the data subject by the acquiring company? This question relates to the information on the source of the data to be provided under Article 15(1)(g) GDPR.
- Is responding to a data deletion request by removing the user from a business solicitation database sufficient with regard to Article 17 GDPR?
- Is requiring the recipient of a solicitation e-mail to log in to a website in order to object to the processing compliant with Article L34-5 of the French postal and electronic communications code?
- Does making purchase invoices containing personal data publicly available on the web through unprotected URL addresses violate Article 32 GDPR on data security?
- Does placing 39 cookies on the data subject's computer before any act of consent or refusal on their part violate Article 82 of the French data protection law (Loi Informatique & Libertés)?
Holding
The CNIL imposed a €2,250,000 sanction on Carrefour France on account of several breaches of the GDPR and the French national data protection law (Loi Informatique & Libertés). Due to the seriousness of the breaches and the large user database of the company, the French DPA made the sanction public and decided to publish the decision on its website, removing the name of Carrefour after a two-year period.
The CNIL acknowledged Carrefour's efforts to rectify its failings even before the end of the investigative procedure, and that it did not gain any financial advantage from them. However, in justifying the severity of the sanction, it pointed out that the breaches relate to "essential requirements" placed on a data controller.
On the data retention period
The CNIL recalled that, in order to determine the appropriate data retention period, one should examine the purpose of the processing as well as the specifics of the data controller's business sector. In this case, members of a loyalty program for a retail company tend to shop frequently at the company's stores. As such, a client who has had no contact with the company for four years cannot be deemed active. The CNIL recommends a maximum retention period of three years in this case.
On the retention period for ID copies collected when handling data subjects' exercise of rights, the CNIL states that the copy of the ID cannot be kept longer than necessary to satisfy the request. By keeping this data for up to six years, Carrefour violated Article 5(1)(e) GDPR.
On the systematic request for an ID in order to exercise a right
According to the CNIL, when handling the exercise of a right, the data controller should only request an ID when there is reasonable doubt as to the identity of the person. As such, systematically requesting an ID violates Article 12 GDPR by making the exercise of rights harder than it should be.
On the more general topic of the exercise of rights, the CNIL pointed out that Carrefour regularly exceeded the one-month deadline to answer a request, sometimes taking up to 9 months to answer. Furthermore, on several occasions Carrefour did not respond to the data subject's actual request but confused it with another request.
On the several questionable practices regarding the right to information
Quoting Article 12 GDPR, the CNIL recalled that the information provided to the data subject must be "concise, transparent, intelligible and easily accessible".
The DPA deemed the information not easily accessible because it was spread out across several webpages, including as part of the terms and conditions of the loyalty program, which were very long and redundant.
The CNIL specified that the information can be given at different levels of the website on the condition that the data subject can easily identify it, presented in a single document distinct from the terms and conditions, as recommended in the WP29 guidelines on transparency.
Secondly, the French DPA concluded that the information was not clear and in plain language, as the company used the ambiguous and imprecise wording quoted above. The CNIL also pointed out that the information was neither organised nor prioritised, making it harder to understand. This was a violation of the requirements of Articles 12 and 13 GDPR.
Finally, the DPA stated that the information given was insufficient to comply with Articles 13 and 14 GDPR, as several mandatory items of information were missing or incorrect, mainly regarding the identity of the data controller, the legal basis for the processing operations, the transfer of data outside the EU and the data retention period.
On the right of access in the case of a company acquisition
The CNIL ruled that, in the case of a company acquisition, the data originally controlled by the acquired company should be considered indirectly collected by the acquiring company. Thus, when a data subject exercises the right of access, the data controller should inform them of the source of the data, as required by Article 15(1)(g) GDPR.
In the present case, Carrefour France failed to inform a data subject that their data originated from the acquisition of the online store Ooshop, where the data subject had an account.
On the removal from the solicitation database as an answer to a data deletion request
Carrefour argued that the e-mail address was core data of the user's profile and, as such, could not be removed from its database. As a result, Carrefour responded to deletion requests by removing the user from its solicitation database.
The CNIL rejected this argument, stating that the data subjects' requests were clear and that, by keeping data on users despite their requests, Carrefour violated Article 17 GDPR.
On the matter of deletion requests, the DPA pointed out that on several other occasions Carrefour did not meet data subjects' requests due to technical or human errors. This problem also occurred with the exercise of the right to object to processing, in violation of Article 21 GDPR.
On the objection to solicitation e-mails
The CNIL stated that requiring a data subject to log in to a website in order to object to receiving solicitation e-mails violated the French law on electronic communications, as some recipients of the e-mails did not have an account on Carrefour's website, making it impossible for them to object.
On the data security breach
The French DPA concluded that, by making personal data publicly available on the web through unprotected URL addresses, Carrefour had not set up the appropriate technical measures to secure personal data.
The CNIL also pointed out that the company had identified a data breach on November 16th, 2018 and failed to implement the necessary corrective measures. Carrefour also did not notify the CNIL of the data breach, in violation of Article 33 GDPR.
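As an added illustration of the Article 32 failure described above (example code written for this summary, not taken from the decision or from Carrefour's systems): an invoice endpoint that returns a record to anyone who reaches its URL, beside a version that ties access to the authenticated account. The invoice data, account names and status codes are constructed for the example.

```python
"""Constructed example: an invoice served from an unprotected URL versus the
same lookup with an ownership check bound to the logged-in session."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str              # account that placed the order
    amount_eur: float
    delivery_address: str   # personal data that must not leak


# Constructed sample store; the real site's data layout is not on the page.
INVOICES = {
    1001: Invoice(1001, "alice", 42.50, "1 rue Example, Paris"),
    1002: Invoice(1002, "bob", 17.20, "2 rue Example, Lyon"),
}


def get_invoice_unprotected(invoice_id: int) -> Tuple[int, Optional[Invoice]]:
    """Vulnerable pattern: the URL (e.g. /invoice/1001) is the only 'secret'.
    No session is required and ownership is never checked, so every record
    in the store is reachable by whoever has or enumerates an id."""
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice_authorized(session_user: Optional[str],
                           invoice_id: int) -> Tuple[int, Optional[Invoice]]:
    """Hardened pattern: require an authenticated session and return the
    invoice only if it belongs to that account."""
    if session_user is None:
        return (401, None)  # not logged in: no lookup at all
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != session_user:
        # Same status for "no such invoice" and "not yours", so the endpoint
        # does not confirm which ids exist to a logged-in stranger.
        return (404, None)
    return (200, inv)


if __name__ == "__main__":
    print(get_invoice_unprotected(1001))          # leaks alice's address
    print(get_invoice_authorized("bob", 1001))    # (404, None)
    print(get_invoice_authorized("alice", 1001))  # alice sees her own invoice
```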
Comment
This sanction was issued jointly with CNIL - SAN-2020-009, which imposed a €800,000 fine on Carrefour Banque, a sister company of Carrefour France.
The use of unprotected URL addresses allowing personal data to be made publicly available has often been sanctioned by the French DPA as a violation of Article 32 GDPR. On this topic, see CNIL - SAN-2019-005.
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.