CNIL - SAN-2020-008
|CNIL - SAN-2020-008|
|Relevant Law:||Article 5(1)(e) GDPR|
Article 12 GDPR
Article 13 GDPR
Article 13(2)(a) GDPR
Article 14 GDPR
Article 15 GDPR
Article 15(1)(g) GDPR
Article 17 GDPR
Article 17(1)(c) GDPR
Article 21 GDPR
Article 32 GDPR
Article 33 GDPR
Article 83 GDPR
Article 83(5) GDPR
Code des postes et des communications électroniques
Loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
|National Case Number/Name:||SAN-2020-008|
|European Case Law Identifier:||n/a|
|Original Source:||Legifrance (in FR)|
Work in progress
The French retail company Carrefour France operates the online store "carrefour.fr" The CNIL has received fifteen complaints related to this website between June 2018 and April 2019. Several failures were pointed out in these complaints :
- Carrefour sending prospecting e-mail despite data subjects objection to it - Lack of positive response to data deletion and access requests - Absence of "unsubscribe" link in a prospecting email
In May-June 2019, several online and on-site investigations were conducted by the French DPA. In addition to the breaches alleged in the complaints, the CNIL decided to investigate Carrefour's loyalty program as well as data security management.
Several written exchanges happened during the investigative procedure and Carrefour quickly implemented corrective measures. In January 2020, the CNIL sent to Carrefour a full report detailing the breaches identified to which Carrefour responded in a back-and-forth between the company and the DPA from March to August 2020.
The CNIL investigated several questions regarding Carrefour France's data processing :
- Is keeping data on loyalty program members for four years after their last contact with the company excessive in regards to Article 5(1)(e) GDPR ?
- Is keeping a copy of the ID card of a data subject after its request has been met excessive ?
- Is systematically requesting an ID card for the exercise of right by a data subject a violation of Article 12 GDPR ?
- Are the following practices an infringement on data subjects' information right as described in Article 12 GDPR ?
- Spreading the mandatory information on data processing across several webpages
- Making the information part of the terms and conditions of the loyalty program
- The use of vague wording such as "These treatments mainly include", "for one or more of the following purposes for which your data may be used"
- Is responding to a data deletion request by removing the user of a business prospecting database sufficient regarding Article 17 GDPR ?
- Is requesting the recipient of a prospecting email to login to a website in order to object to the processing compliant with the French postal and electronic communications code, Article L34-5 ?
- Does having purchase invoice containing personal data publicly available on the web through unprotected URL adress violates Article 32 GDPR on data security ?
- Does placing 38 cookies on the data subjects' computer before any act of consent or refusal on its part violates the French data protection law (Loi Informatique & Libertés), Article 82 ?
The CNIL imposed a 2250000 EUR sanction on Carrefour France on the account of several breaches of GDPR and the French national law. Due to the seriousness of the breaches and the large user database of the company the French DPA made the sanction public and decided to publish the decision on its website, deleting the name of Carrefour after a two year period.
the CNIL aknowledged Carrefour efforts to rectify its wrongdoings even before the end of the investigating procedure and that it did not gain any financial advantage from it. However, it pointed out that the breaches relate to "essential requirements" of a data controller in justifying the severity of the sanction.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.