CNIL - SAN-2020-008
| CNIL - SAN-2020-008 | |
|---|---|
| Relevant Law: | Article 5(1)(e) GDPR; Article 12 GDPR; Article 13 GDPR; Article 13(2)(a) GDPR; Article 14 GDPR; Article 15 GDPR; Article 15(1)(g) GDPR; Article 17 GDPR; Article 17(1)(c) GDPR; Article 21 GDPR; Article 32 GDPR; Article 33 GDPR; Article 83 GDPR; Article 83(5) GDPR; Code des postes et des communications électroniques; Loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés |
| National Case Number/Name: | SAN-2020-008 |
| European Case Law Identifier: | n/a |
| Original Source: | Legifrance (in FR) |
Work in progress
The French retail company Carrefour France operates the online store "carrefour.fr". The CNIL received fifteen complaints related to this website between June 2018 and April 2019. The complaints pointed out several failures:
- Carrefour sending prospecting e-mails despite data subjects' objection to it
- Lack of positive response to data deletion and access requests
- Absence of an "unsubscribe" link in a prospecting e-mail
In May-June 2019, the French DPA conducted several online and on-site investigations. In addition to the breaches alleged in the complaints, the CNIL decided to investigate Carrefour's loyalty program as well as its data security management.
Several written exchanges took place during the investigative procedure, and Carrefour quickly implemented corrective measures. In January 2020, the CNIL sent Carrefour a full report detailing the breaches identified. Carrefour responded to it in a back-and-forth between the company and the DPA from March to August 2020.
The CNIL investigated several questions regarding Carrefour France's data processing:
- Is keeping data on loyalty program members for four years after their last contact with the company excessive with regard to Article 5(1)(e) GDPR?
- Is keeping a copy of a data subject's ID card after their request has been met excessive?
- Is systematically requesting an ID card for the exercise of rights by a data subject a violation of Article 12 GDPR?
- Are the following practices an infringement of the data subject's right to information as described in Article 12 GDPR?
Work in progress
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.