Editing CNIL - SAN-2020-008

From GDPRhub


Latest revision Your text
Line 87: Line 87:
 
*Carrefour sending prospecting e-mail despite data subjects objecting to it
 
*Carrefour sending prospecting e-mail despite data subjects objecting to it
 
*Lack of positive response to data deletion and access requests
 
*Lack of positive response to data deletion and access requests
*Absence of "unsubscribe" link in a commercial email
+
*Absence of "unsubscribe" link in a prospecting email
  
In May-June 2019, several online and on-site investigations were conducted by the French DPA. In addition to the breaches alleged in the complaints, the CNIL decided to investigate Carrefour's loyalty program as well as its database storing clients' personal data.
+
In May-June 2019, several online and on-site investigations were conducted by the French DPA. In addition to the breaches alleged in the complaints, the CNIL decided to investigate Carrefour's loyalty program as well as data security management.
  
Several written exchanges took place during the investigative procedure, and Carrefour quickly implemented measures to be compliant with the law. In January 2020, the CNIL sent Carrefour a full report detailing the breaches identified, to which Carrefour responded in a back-and-forth between the company and the DPA from March to August 2020.
+
Several written exchanges took place during the investigative procedure, and Carrefour quickly implemented corrective measures. In January 2020, the CNIL sent Carrefour a full report detailing the breaches identified, to which Carrefour responded in a back-and-forth between the company and the DPA from March to August 2020.
  
 
===Dispute===
 
===Dispute===
Line 104: Line 104:
 
**On a paper information medium, referring the data subject to the privacy policy on the carrefour.fr website without specifying the exact URL address of the policy.
 
**On a paper information medium, referring the data subject to the privacy policy on the carrefour.fr website without specifying the exact URL address of the policy.
 
**The use of vague wording such as "''These treatments <u>mainly</u> include''", "''<u>for one or more</u> of the following purposes for which your data <u>may</u> be used''"
 
**The use of vague wording such as "''These treatments <u>mainly</u> include''", "''<u>for one or more</u> of the following purposes for which your data <u>may</u> be used''"
*In the case of a company acquisition, should the personal data originally controlled by the acquired company be considered directly collected from the data subject by the acquiring company? This question determines which information must be provided under [[Article 15 GDPR#1#g|Article 15(1)(g) GDPR]].
 
 
*Is responding to a data deletion request by removing the user from a business solicitation database sufficient under [https://gdprhub.eu/Article%2017%20GDPR Article 17 GDPR]?
 
*Is responding to a data deletion request by removing the user from a business solicitation database sufficient under [https://gdprhub.eu/Article%2017%20GDPR Article 17 GDPR]?
 
*Is requiring the recipient of a solicitation email to log in to a website in order to object to the processing compliant with [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000006465787/2004-07-10 Article L34-5] of the French Postal and Electronic Communications Code?
 
*Is requiring the recipient of a solicitation email to log in to a website in order to object to the processing compliant with [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000006465787/2004-07-10 Article L34-5] of the French Postal and Electronic Communications Code?
*Does making purchase invoices containing personal data publicly available on the web through unprotected URL addresses violate [https://gdprhub.eu/Article%2032%20GDPR Article 32 GDPR] on data security?
+
*Does making purchase invoices containing personal data publicly available on the web through unprotected URL addresses violate [https://gdprhub.eu/Article%2032%20GDPR Article 32 GDPR] on data security?
*Does placing 39 cookies on the data subject's computer before any act of consent or refusal on their part violate [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82] of the French data protection law (Loi Informatique & Libertés)?
+
*Does placing 39 cookies on the data subject's computer before any act of consent or refusal on their part violate the French data protection law (Loi Informatique & Libertés), [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 Article 82]?
  
 
===Holding===
 
===Holding===
The CNIL imposed a €2,250,000 sanction on Carrefour France on account of several breaches of the GDPR and the French national data protection law (Loi Informatique & Libertés). Due to the seriousness of the breaches and the company's large user database, the French DPA made the sanction public and decided to publish the decision on its website, removing the name of Carrefour after a two-year period.
+
The CNIL imposed a €2,250,000 sanction on Carrefour France on account of several breaches of the GDPR and French national law. Due to the seriousness of the breaches and the company's large user database, the French DPA made the sanction public and decided to publish the decision on its website, removing the name of Carrefour after a two-year period.
  
The CNIL acknowledged Carrefour's efforts to rectify its wrongdoings even before the end of the investigation procedure and that it did not gain any financial advantage from them. However, in justifying the severity of the sanction, it pointed out that the breaches relate to "''essential requirements''" of a data controller.
+
The CNIL acknowledged Carrefour's efforts to rectify its wrongdoings even before the end of the investigation procedure and that it did not gain any financial advantage from them. However, in justifying the severity of the sanction, it pointed out that the breaches relate to "''essential requirements''" of a data controller.
  
 
====On the data retention period====
 
====On the data retention period====
Line 121: Line 120:
  
 
====On the systematic request for an ID in order to exercise a right====
 
====On the systematic request for an ID in order to exercise a right====
According to the CNIL, when handling the exercise of a right, the data controller should only request an ID when there is reasonable doubt as to the identity of the person. As such, systematically requesting an ID violates Article 12 GDPR by making the exercise of rights harder than it should be.
+
According to the CNIL, when handling the exercise of a right, an ID should only be requested when there is reasonable doubt as to the identity of the person. As such, systematically requesting an ID violates Article 12 GDPR by making the exercise of rights harder than it should be.
  
On the more general topic of the exercise of rights, the CNIL pointed out that Carrefour regularly exceeded the one-month deadline to answer a request, sometimes taking up to 9 months to answer. Furthermore, on several occasions Carrefour did not respond to the data subject's actual request but confused it with another request.
+
On the more general topic of the exercise of rights, the CNIL pointed out that Carrefour regularly exceeded the one-month deadline to answer a request, sometimes taking up to 9 months to answer. Furthermore, on several occasions Carrefour did not respond to the data subject's actual request but confused it with another request.
  
 
====On the several questionable practices regarding the right to information====
 
====On the several questionable practices regarding the right to information====
Quoting Article 12 GDPR, the CNIL recalled that the information provided to the data subject must be "''concise, transparent, intelligible and easily accessible''".
+
Quoting Article 12 GDPR, the CNIL recalled that the information provided to the data subject must be "''concise, transparent, intelligible and easily accessible''".
  
The DPA deemed the information not easily accessible because it was spread out across several webpages, including as part of the terms and conditions of the loyalty program, which were very long and redundant.
+
The DPA deemed the information not easily accessible because it was spread out across several webpages, including as part of the terms and conditions of the loyalty program, which were very long.
  
 
The CNIL specified that the information can be given at different levels of the website on the condition that the data subject can easily identify it, presented in a single document distinct from the terms and conditions, as recommended in the [https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 WP29 guidelines on transparency].
 
The CNIL specified that the information can be given at different levels of the website on the condition that the data subject can easily identify it, presented in a single document distinct from the terms and conditions, as recommended in the [https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=622227 WP29 guidelines on transparency].
  
Secondly, the French DPA concluded that the information was not clear and in plain language, as the company used the ambiguous and imprecise wording quoted above. The CNIL also pointed out that the information was neither organised nor prioritised, making it harder to understand. This was a violation of the requirements of Articles 12 and 13 GDPR.
+
Secondly, the French DPA concluded that the information was not clear and in plain language, as the company used the ambiguous and imprecise wording quoted above. The CNIL also pointed out that the information was neither organised nor prioritised, making it harder to understand.
  
 
Finally, the DPA stated that the information given was insufficient to comply with Articles [[Article 13 GDPR|13]] and [[Article 14 GDPR|14]] GDPR, as several mandatory items of information were missing or incorrect, mainly regarding the identity of the data controller, the legal basis for the processing operations, transfers of data outside the EU and the data retention period.
 
Finally, the DPA stated that the information given was insufficient to comply with Articles [[Article 13 GDPR|13]] and [[Article 14 GDPR|14]] GDPR, as several mandatory items of information were missing or incorrect, mainly regarding the identity of the data controller, the legal basis for the processing operations, transfers of data outside the EU and the data retention period.
 
====On the right of access in the case of a company acquisition====
 
The CNIL ruled that in the case of a company acquisition, the data originally controlled by the acquired company should be considered indirectly collected by the acquiring company. Thus, when a data subject exercises their right of access, the data controller should inform them of the source of the data, as required by Article 15(1)(g) GDPR.
 
 
In the present case, Carrefour France failed to inform a data subject that their data originated from the acquisition of the online store Ooshop, where the data subject had an account.
 
  
 
====On the removal from the solicitation database as an answer to a data deletion request====
 
====On the removal from the solicitation database as an answer to a data deletion request====
Carrefour argued that the email address was core data of the user's profile and, as such, could not be removed from its database. As a result, Carrefour responded to deletion requests by removing the user from its solicitation database.
+
Carrefour argued that the email address was core data of the user's profile and, as such, could not be removed from its database. As a result, Carrefour responded to deletion requests by removing the user from its solicitation database.
  
 
The CNIL rejected this argument, stating that the data subjects' requests were clear and that, by keeping data on users despite their requests, Carrefour violated Article 17 GDPR.
 
The CNIL rejected this argument, stating that the data subjects' requests were clear and that, by keeping data on users despite their requests, Carrefour violated Article 17 GDPR.
  
On the matter of deletion requests, the DPA pointed out that on several other occasions Carrefour did not meet data subjects' requests due to technical or human errors. This problem occurred with the exercise of the right to object to processing as well, in violation of [[Article 21 GDPR]].
+
On the matter of deletion requests, the DPA pointed out that on several other occasions Carrefour did not meet data subjects' requests due to technical or human errors. This problem occurred with objections to processing as well, in violation of [[Article 21 GDPR]].
  
 
====On the objection to solicitation emails====
 
====On the objection to solicitation emails====
Line 160: Line 154:
  
 
==Comment==
 
==Comment==
This sanction was issued jointly with [[CNIL - SAN-2020-009]], which imposed a €800,000 fine on Carrefour Banque, a sister company of Carrefour France.
 
 
 
The use of unprotected URL addresses allowing personal data to be made publicly available has often been sanctioned by the French DPA as a violation of Article 32 GDPR. On this topic see [[CNIL - SAN-2019-005]].
 
The use of unprotected URL addresses allowing personal data to be made publicly available has often been sanctioned by the French DPA as a violation of Article 32 GDPR. On this topic see [[CNIL - SAN-2019-005]].
  
