Editing CNIL - SAN-2020-008

From GDPRhub

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 104: Line 104:
 
**On a paper information media, referring the data subject to the privacy policy on the carrefour.fr website without specifying the exact URL adress of the policy.
 
**On a paper information media, referring the data subject to the privacy policy on the carrefour.fr website without specifying the exact URL adress of the policy.
 
**The use of vague wording such as "''These treatments <u>mainly</u> include''", "''<u>for one or more</u> of the following purposes for which your data <u>may</u> be used''"
 
**The use of vague wording such as "''These treatments <u>mainly</u> include''", "''<u>for one or more</u> of the following purposes for which your data <u>may</u> be used''"
*In the case of a company acquisition, should the personal data originally controlled by the acquired company be considered directly collected from the data subject by the acquiring company ? This question relates to the relevant information to be transmitted according to [[Article 15 GDPR#1#g|Article 15(1)(g) GDPR]].
 
 
*Is responding to a data deletion request by removing the user of a business solicitation database sufficient regarding [https://gdprhub.eu/Article%2017%20GDPR Article 17 GDPR] ?
 
*Is responding to a data deletion request by removing the user of a business solicitation database sufficient regarding [https://gdprhub.eu/Article%2017%20GDPR Article 17 GDPR] ?
 
*Is requesting the recipient of a solicitation email to login to a website in order to object to the processing compliant with the French postal and electronic communications code, [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000006465787/2004-07-10 Article L34-5] ?
 
*Is requesting the recipient of a solicitation email to login to a website in order to object to the processing compliant with the French postal and electronic communications code, [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000006465787/2004-07-10 Article L34-5] ?
Line 136: Line 135:
 
Finally, the DPA stated that the information given was insufficient to comply with Articles [[Article 13 GDPR|13]] and [[Article 14 GDPR|14]] GDPR as several mandatory information were missing or incorrect, mainly regarding the identity of the data controller, the legal basis for the processes, the transfer of data outside of the EU and the data retention period.
 
Finally, the DPA stated that the information given was insufficient to comply with Articles [[Article 13 GDPR|13]] and [[Article 14 GDPR|14]] GDPR as several mandatory information were missing or incorrect, mainly regarding the identity of the data controller, the legal basis for the processes, the transfer of data outside of the EU and the data retention period.
  
====On the right of access in the case of a company acquisition====
+
==== On the right of access ====
The CNIL ruled that in the case of a company acquisition, the data originally controlled by the acquired company should be considered indirectly collected by the acquiring company. Thus, when a data subject exercises its right to access data, the data controller should inform it of the provenance of the data as required by Article 15(1)(g) GDPR.
+
<br />
 
 
In this present case, Carrefour France failed to inform a data subject that its data originated from the acquisition of the online store Ooshop where the data subject had an account.
 
 
 
 
====On the removal from the solicitation database as an answer to a data deletion request====
 
====On the removal from the solicitation database as an answer to a data deletion request====
 
Carrefour argued that the email address was a core data of the user's profile and as such, could not remove it from its database. As a result Carrefour responded to deletion requests by removing the user from its solicitation database.
 
Carrefour argued that the email address was a core data of the user's profile and as such, could not remove it from its database. As a result Carrefour responded to deletion requests by removing the user from its solicitation database.

Please note that all contributions to GDPRhub are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see GDPRhub:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)

Template used on this page: