CNIL - SAN-2020-008

From GDPRhub

}}
 
The French DPA (CNIL) imposed a €2,250,000 fine on Carrefour France for several violations of the GDPR and French data protection law. These include excessive data retention periods, incomplete and unclear information on data processing, failure to properly answer data subjects' requests, security breaches and unlawful use of cookies.
  
 
==English Summary==
 
  
 
===Facts===
 
The French retail company Carrefour France operates the online store [https://carrefour.fr carrefour.fr]. The CNIL received fifteen complaints related to this website between June 2018 and April 2019. Several failures were pointed out in these complaints:
  
*Carrefour sending prospecting e-mails despite data subjects' objections
*Lack of positive response to data deletion and access requests
*Absence of "unsubscribe" link in a commercial email
  
In May and June 2019, the French DPA conducted several online and on-site investigations. In addition to the breaches alleged in the complaints, the CNIL decided to investigate Carrefour's loyalty program as well as its database storing clients' personal data.
  
Several written exchanges took place during the investigation, and Carrefour quickly implemented measures to bring itself into compliance with the law. In January 2020, the CNIL sent Carrefour a full report detailing the breaches identified, to which Carrefour responded in a back-and-forth between the company and the DPA from March to August 2020.
  
 
===Dispute===
 
 
The CNIL investigated several questions regarding Carrefour France's data processing:
 
  
*Is keeping data on loyalty program members for four years after their last contact with the company excessive with regard to [https://gdprhub.eu/Article_5_GDPR#1#e Article 5(1)(e) GDPR]?
*Is keeping a copy of a data subject's ID card after their request has been met excessive?
*Is systematically requesting an ID card for the exercise of a right by a data subject a violation of [https://gdprhub.eu/Article_12_GDPR Article 12 GDPR]?
*Do the following practices infringe on data subjects' right to information as described in Article 12 GDPR?
**Spreading the mandatory information on data processing across several webpages
**Making the information part of the terms and conditions of the loyalty program
**On a paper information medium, referring the data subject to the privacy policy on the carrefour.fr website without specifying the exact URL of the policy.
**The use of vague wording such as "''These treatments <u>mainly</u> include''", "''<u>for one or more</u> of the following purposes for which your data <u>may</u> be used''"
*In the case of a company acquisition, should the personal data originally controlled by the acquired company be considered directly collected from the data subject by the acquiring company? This question determines which information on the source of the data must be provided according to [[Article 15 GDPR#1#g|Article 15(1)(g) GDPR]].
*Is responding to a data deletion request by removing the user from a business solicitation database sufficient with regard to [https://gdprhub.eu/Article%2017%20GDPR Article 17 GDPR]?
*Is requiring the recipient of a solicitation email to log in to a website in order to object to the processing compliant with [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000006465787/2004-07-10 Article L34-5] of the French postal and electronic communications code?
*Does making purchase invoices containing personal data publicly available on the web through unprotected URL addresses violate [https://gdprhub.eu/Article%2032%20GDPR Article 32 GDPR] on data security?
*Does placing 39 cookies on data subjects' computers before any act of consent or refusal on their part violate [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82] of the French data protection law (Loi Informatique & Libertés)?
 
  
 
===Holding===
 
The CNIL imposed a €2,250,000 fine on Carrefour France on account of several breaches of the GDPR and the French national data protection law (Loi Informatique & Libertés). Due to the seriousness of the breaches and the company's large user database, the French DPA made the sanction public and decided to publish the decision on its website, removing Carrefour's name after a two-year period.
 
 
The CNIL acknowledged Carrefour's efforts to rectify its wrongdoings even before the end of the investigation and that it did not gain any financial advantage from them. However, in justifying the severity of the sanction, it pointed out that the breaches relate to "''essential requirements''" of a data controller.
 
 
 
====On the data retention period====
 
The CNIL recalled that, in order to determine the appropriate data retention period, one should examine the purpose of the processing as well as the specifics of the data controller's business sector. In this case, members of a loyalty program for a retail company tend to shop frequently at the company's stores. As such, a client who has had no contact with the company for four years cannot be deemed active. The CNIL recommends a maximum retention period of three years in this case.
 
 
 
On the retention period for ID copies when dealing with data subjects' exercise of rights, the CNIL stated that the copy of the ID cannot be kept longer than necessary to satisfy the request. By keeping this data for up to six years, Carrefour violated Article 5(1)(e) GDPR.
 
 
 
====On the systematic request for an ID in order to exercise a right====
 
According to the CNIL, when dealing with the exercise of a right, the data controller should only request an ID when there is reasonable doubt as to the identity of the person. As such, systematically requesting an ID violates Article 12 GDPR by making the exercise of rights harder than it should be.
 
 
 
On the more general topic of the exercise of rights, the CNIL pointed out that Carrefour regularly exceeded the one-month deadline to answer a request, sometimes taking up to 9 months to answer. Furthermore, on several occasions Carrefour did not respond to the data subject's request but confused it with another request.
 
 
 
====On the several questionable practices regarding the right to information====
 
Quoting Article 12 GDPR, the CNIL recalled that the information provided to the data subject must be "''concise, transparent, intelligible and easily accessible''".
 
 
 
The DPA deemed the information not easily accessible because it was spread out across several webpages, including as part of the terms and conditions of the loyalty program, which were very long and redundant.
 
 
 
The CNIL specified that the information can be given at different levels of the website on the condition that the data subject can easily identify it, presented in a single document distinct from the terms and conditions, as recommended in the [https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 WP29 guidelines on transparency].
 
 
 
Secondly, the French DPA concluded that the information was not clear and in plain language, as the company used the ambiguous and imprecise wording quoted above. The CNIL also pointed out that the information was neither organized nor prioritized, making it harder to understand. This was a violation of the requirements of Articles 12 and 13 GDPR.
 
 
 
Finally, the DPA stated that the information given was insufficient to comply with Articles [[Article 13 GDPR|13]] and [[Article 14 GDPR|14]] GDPR, as several mandatory items of information were missing or incorrect, mainly regarding the identity of the data controller, the legal basis for the processing, the transfer of data outside the EU and the data retention period.
 
 
 
====On the right of access in the case of a company acquisition====
 
The CNIL ruled that in the case of a company acquisition, the data originally controlled by the acquired company should be considered indirectly collected by the acquiring company. Thus, when a data subject exercises their right of access, the data controller should inform them of the provenance of the data as required by Article 15(1)(g) GDPR.
 
 
 
In the present case, Carrefour France failed to inform a data subject that their data originated from the acquisition of the online store Ooshop, where the data subject had an account.
 
 
 
====On the removal from the solicitation database as an answer to a data deletion request====
 
Carrefour argued that the email address was a core element of the user's profile and that, as such, it could not remove it from its database. As a result, Carrefour responded to deletion requests by removing the user from its solicitation database.
 
 
 
The CNIL rebuked this argument, stating that the data subjects' requests were clear and that by keeping data on users despite their request, Carrefour violated Article 17 GDPR.
 
 
 
On the matter of deletion requests, the DPA pointed out that on several other occasions Carrefour did not meet data subjects' requests due to technical or human errors. This problem also occurred with the exercise of the right to object to processing, in violation of [[Article 21 GDPR]].
 
 
 
====On the objection to solicitation emails====
 
The CNIL stated that requiring a data subject to log in to a website in order to object to receiving solicitation emails violated the French law on electronic communications, as some recipients of the email did not have an account on Carrefour's website, making it impossible for them to object.
 
 
 
====On the data security breach====
 
The French DPA concluded that by making personal data publicly available on the web through unprotected URL addresses, Carrefour did not set up the appropriate technical measures to secure personal data.
 
 
 
The CNIL also pointed out that the company identified a data breach on November 16<sup>th</sup>, 2018 and failed to implement the necessary corrective measures. Carrefour also did not notify the CNIL of the data breach, in violation of [[Article 33 GDPR]].
 
 
 
====On the use of cookies on the website====
 
The CNIL concluded that Carrefour did not comply with the French law on cookies. The company used some cookies for a purpose that was not listed in its privacy policy and placed 39 cookies on users' terminals prior to collecting their consent.
 
  
 
==Comment==
 
This sanction was taken jointly with [[CNIL - SAN-2020-009]], which imposed a €800,000 fine on Carrefour Banque, a sister company of Carrefour France.
 
 
The use of unprotected URL addresses allowing personal data to be made publicly available has often been sanctioned by the French DPA as a violation of Article 32 GDPR. On this topic see [[CNIL - SAN-2019-005]].
 
  
 
==Further Resources==
 