CNIL - SAN-2020-009

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type: Complaint
Outcome: Upheld
Decided: 18.11.2020
Published: 26.11.2020
Fine: 800000 EUR
Parties: Carrefour Banque
National Case Number/Name: SAN-2020-009
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: Fra-data67

The French DPA (CNIL) fined Carrefour Banque € 800000 for several violations of the GDPR and French data protection law. The breaches concerned the fairness and transparency of data processing, the accessibility and content of information about processing, and the unlawful use of cookies.

English Summary

Facts

CARREFOUR BANQUE is a subsidiary owned 40% by BNP PARIBAS SA and 60% by CARREFOUR SA, the parent company of the CARREFOUR group. CARREFOUR BANQUE is a banking company whose main activities are consumer credit, portfolio management, insurance brokerage and investment services.

As part of its activities, the company publishes the website www.carrefour-banque.fr and markets a payment card for customers of the CARREFOUR group, which can be attached to the group's loyalty programme.

Having received several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of data on customers and potential users. The President of the CNIL therefore decided to initiate sanction proceedings against these companies.

Following an online inspection carried out by the CNIL on 5 July 2019, the rapporteur noted several breaches of the GDPR and the French Data Protection law (Loi informatique et libertés).

Dispute

In this case, the French data protection authority investigated several issues:

  • Does the transmission of data by CARREFOUR BANQUE to CARREFOUR France when joining the loyalty programme comply with the principle of fair and transparent processing contained in Article 5(1)(a) GDPR?
  • Is the information relating to personal data processing operations easily accessible within the meaning of Articles 12 and 13 GDPR?
  • Is the information provided to data subjects throughout the subscription process in compliance with the provisions of Article 13 GDPR?
  • Does placing 39 cookies on the data subject's computer before any act of consent or refusal on their part violate Article 82 of the French data protection law?

Holding

The CNIL ordered CARREFOUR BANQUE to pay an administrative fine of €800000. Insofar as the company took the necessary measures to put an end to the breaches of which it was accused before the end of the proceedings, the CNIL did not issue an injunction against it.

However, in view of the seriousness of the breaches sanctioned and the number of people concerned, the restricted formation pronounced an additional publication sanction for a period of two years.

On the violation of the obligation to fairly process personal data

When a subscriber to the payment card also wanted to join the CARREFOUR loyalty programme, he had to tick a box which stated: “I accept that CARREFOUR BANQUE communicates to CARREFOUR FIDELITE my surname, first name and email. CARREFOUR BANQUE undertakes not to transmit any other information to CARREFOUR FIDELITE”. Nonetheless, the French DPA noticed that CARREFOUR BANQUE also transmitted other information to CARREFOUR FRANCE: postal address, telephone numbers, and the number of children declared by the subscriber.

The French DPA concluded that this was a violation of the principle of fairness within Article 5(1)(a) GDPR, as the information given to data subjects was imprecise and misleading. The French DPA outlined that, although the GDPR does not define fairness, the principle is linked to the requirement of transparency within Article 12. More specifically, the CNIL highlights that:

  • CARREFOUR BANQUE transmits to CARREFOUR FRANCE more data than those restrictively listed at the time of subscription.
  • CARREFOUR BANQUE mentions CARREFOUR FIDELITE as the recipient of the data communicated by data subjects, whereas this service, attached to the company CARREFOUR FRANCE, had never been presented to the subscriber prior to this mention.

On the lack of accessibility to information on processing of personal data

Quoting Article 12 GDPR, the French DPA distinguishes between:

  • Access to information relating to personal data protection: In this case, the user could access the information relating to the processing of his or her data, either by clicking directly on the "Protection of Banking Data" tab at the bottom of the page, or by accessing the Legal Notice which referred to the privacy policy, thus requiring several actions by the user. On this point, the CNIL recalls the WP29 guidelines on transparency, according to which data subjects should not have to search for information, but should have immediate access to it. The French DPA therefore held that there was a violation of the obligation of transparency under Article 12 GDPR. On the one hand, the vagueness of the title "Protection of Banking Data" does not make it easy for data subjects to understand that this tab refers to personal data protection. On the other hand, with regard to access to the privacy policy via the legal notices, the CNIL notes that users must first undertake several actions before being able to access this tab.
  • The information provided to data subjects throughout the online subscription process: According to the CNIL, the information provided throughout the payment card subscription process was not easily accessible by data subjects. Although CARREFOUR BANQUE did provide the information expected as first level information on the page presenting the payment card subscription process (identity of the controller, purposes of the processing, description of the rights recognized to data subjects), the CNIL nevertheless emphasizes that CARREFOUR BANQUE neglected to complement these mentions by allowing people to read complete information by means of a link to this information. This was a violation of Article 12.

On the vagueness of data retention periods

Based on Article 13(2)(a) GDPR and the WP29 guidelines on transparency, the CNIL noted that CARREFOUR BANQUE’s privacy policy was imprecise and vague about data retention.

Indeed, the privacy policy contained vague and undefined formulations that confused data subjects as to the extent and nature of the data collected. Furthermore, the information policy did not specify the retention periods for all data and did not specify the criteria used to determine these periods.

On the use of cookies on the website

The French DPA recalls the provisions of Article 82 of the French data protection law (loi informatique et libertés), which requires that any deposit of cookies or tracers must be preceded by the information and consent of users. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means or which are strictly necessary for the provision of an online communication service at the express request of the user.

In this case, the CNIL noted that 31 cookies were automatically placed on users’ devices upon arrival on the site’s home page and before any action by the user. More specifically, two of them were intended to trace the user and three of them were intended for advertising targeting.

Concluding that these five cookies do not fall within the scope of the exceptions detailed in Article 82 of the French Data Protection law, the CNIL found a breach of Article 82 and underlined that placing these five cookies should have required the company to obtain the user's prior consent.

Comment

The issue of information provided to data subjects has an important place in this case. The CNIL reaffirms, in line with the principles of the GDPR and the WP29 guidelines, the standards related to the quality of information delivered by controllers to data subjects.

This sanction was issued jointly with CNIL - SAN-2020-008, where the French DPA imposed a € 2250000 fine on Carrefour France.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

'''Deliberation of the restricted formation No. SAN-2020-009 of November 18, 2020 concerning the company CARREFOUR BANQUE'''

The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Messrs Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Ms Sylvie LEMMET and Christine MAUGÜE, members;

Having regard to Convention No. 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to Deliberation No. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms;

Having regard to Ordinance No. 2020-306 of March 25, 2020 relating to the extension of the deadlines expired during the period of health emergency;

Having regard to Decisions No. 2019-081C of April 24, 2019 and No. 2019-102C of June 6, 2019 of the President of the National Commission for Informatics and Freedoms instructing the Secretary General to carry out, or have carried out, a mission to verify the processing implemented by or on behalf of the company CARREFOUR and its subsidiaries, and in particular the company CARREFOUR BANQUE;

Having regard to the decision of the Vice-President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated November 29, 2019;

Having regard to the report by Mr. Éric PÉRÈS, commissioner rapporteur, notified to the company CARREFOUR BANQUE on January 10, 2020;

Having regard to the written observations submitted by counsel for the company CARREFOUR BANQUE on March 10, 2020;

Having regard to the rapporteur's response to these observations notified by email on April 22, 2020 to the company's counsel;

Having regard to the written observations of counsel for CARREFOUR BANQUE received on August 24, 2020;

Having regard to the oral observations made during the session of the restricted formation;

Having regard to the other documents in the file;

Were present during the session of the restricted formation of September 17, 2020:

- Mr Éric PÉRÈS, commissioner, heard in his report;

As representatives of CARREFOUR BANQUE:

- […] ;

- […] ;

- […] ;

- […] ;

- […] ;

- […] ;

- […].

The CARREFOUR BANQUE company having spoken last;

The restricted committee adopted the following decision:

I. Facts and procedure

1. CARREFOUR BANQUE is a subsidiary 40% owned by BNP PARIBAS SA and 60% by CARREFOUR SA, parent company of the CARREFOUR group.

2. Created in 1959, the CARREFOUR group (hereinafter the group), whose head office is at 93 avenue de Paris in Massy (91300), has mass distribution as its main activity. It is also involved in other areas such as the banking and insurance sector, e-commerce and travel agencies. In 2018, it employed around 360,000 people and had a turnover of 76 billion euros.

3. Based at 1 place Copernic Courcouronnes in Évry Courcouronnes (91080), the company CARREFOUR BANQUE (hereinafter the company) is a banking establishment whose main activities include consumer credit, portfolio management, insurance brokerage as well as investment services. In 2018, it employed around 300 people and achieved a net banking income of 308 million euros.

4. As part of its activities, the company publishes the website www.carrefour-banque.fr (hereinafter the site carrefour-banque.fr). It also markets a payment card intended for customers of the Carrefour group (hereinafter the Pass card), which can be attached to the group's loyalty program.

5. Pursuant to decisions No. 2019-081C of April 24, 2019 and No. 2019-102C of June 6, 2019 of the President of the Commission, the CNIL's services carried out an online inspection, on July 5, 2019, relating to the carrefour-banque.fr site and the processing implemented from this site, as well as an on-site inspection at the premises of the company CARREFOUR S.A., on July 9, 2019, relating to the processing concerning the Pass card.

6. The purpose of these missions was to verify, in particular, the company's compliance with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the Regulation or the GDPR) and of Law No. 78-17 of January 6, 1978, as amended, relating to data processing, files and freedoms (hereinafter the Data Protection Act).

7. During the on-site inspection, the representatives of the CARREFOUR group specified to the delegation that the company CARREFOUR BANQUE is the data controller for the two payment programs (debit and credit) of the Pass card, while the company CARREFOUR FRANCE is the data controller for the third program, which allows the Pass card to be attached to the SIEBEL database that implements the Carrefour loyalty program.

8. On July 19, 2019, the company sent the inspection delegation the documents requested during the on-site inspection of July 9, 2019, in particular the count of the number of Pass cards attached to the Carrefour loyalty program.

9. For the purposes of examining these elements, the Vice-President of the Commission appointed Mr. Éric PÉRÈS as rapporteur, on November 29, 2019, on the basis of Article 22 of the Data Protection Act.

10. At the end of his investigation, the rapporteur had a bailiff serve on the company CARREFOUR BANQUE, on January 10, 2020, a report detailing the breaches of the GDPR and of the Data Protection Act that he considered to be established in this case.

11. This report proposed to the restricted formation of the Commission to issue an injunction to bring the processing into conformity with the provisions of Articles 5, 12 and 13 of the Regulation and of Article 82 of the Data Protection Act, together with a periodic penalty payment, as well as an administrative fine. It also proposed that this decision be made public and that it no longer allow the company to be identified by name after a period of two years from its publication.

12. On January 29, 2020, the company requested a one-month extension of the deadline within which it had to respond to the report, the postponement of the meeting initially scheduled for March 24, 2020 as well as a meeting with the rapporteur. On February 3, the president of the restricted formation granted the requested extension for a period of one month. On February 6, the secretary general of the CNIL granted the request to postpone the meeting to April 21, 2020. On the same day, the rapporteur refused the meeting requested by the company.

13. On March 10, 2020, through its counsel, the company filed observations and made a request that the session before the restricted panel be held in camera.

14. By e-mail of 23 March 2020 and on the basis of article 40, paragraph 4, of decree No. 2019-536 of 29 May 2019, the rapporteur asked the president of the restricted formation for an additional period of fifteen days to respond to comments from the company.

15. By letter of March 24, 2020, taking note in particular of the context of the health crisis, the president of the restricted formation granted the rapporteur's request.

16. By letter of the same day, the company was informed of the additional time granted to the rapporteur and of the fact that it had, by virtue of paragraph 5 of article 40 of decree No. 2019-536 of 29 May 2019, a period of one month to respond to the rapporteur's response. The letter also informed it of the second postponement of the session of the restricted formation, scheduled for April 21, 2020.

17. By e-mail of April 7, 2020, the rapporteur asked the president of the restricted formation for a new additional period of fifteen days to respond to the company's observations, which was granted to him on April 8, 2020. The company was informed the same day.

18. The rapporteur responded to the company's observations on April 22, 2020.

19. By letter of the same day, the Secretary General of the CNIL informed the company that it could submit its observations on the rapporteur's response until August 24, 2020, pursuant to Ordinance No. 2020-306 of March 25, 2020 relating to the extension of the deadlines expired during the period of health emergency.

20. On June 30, 2020, the president of the restricted formation granted the company's request for a hearing in camera, on the grounds that certain elements submitted in the proceedings were protected by business secrecy, as provided for in Article L 151-1 of the Commercial Code.

21. On August 5, 2020, the CNIL's services notified the company of a summons to the session of the restricted formation of September 17, 2020.

22. On August 24, 2020, the company submitted new observations in response to those of the rapporteur.

23. The company and the rapporteur presented oral observations during the session of the restricted formation.

II. Reasons for the decision

A. On the breach of the obligation to process data fairly

24. Under Article 5, paragraph 1, a), of the GDPR: ''Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness, transparency)''.

25. It emerges from the observations made by the delegation of control that when a subscriber of a payment card (Pass card) also wishes to join the Carrefour loyalty program, the company CARREFOUR BANQUE makes several requests to the company CARREFOUR FRANCE including, in particular, a request to join the Carrefour loyalty program.

26. Indeed, during the online inspection, the delegation noted that if they want to join the Carrefour loyalty program, the Pass card subscriber must in particular tick the box at the bottom of the page entitled My loyalty rewarded, which contains the following statement: ''I want to link my Carrefour Loyalty account to my Pass card (or failing that, create and link it). To do this, I accept that Carrefour Banque communicates to Carrefour Fidélité my name, first name and email. Carrefour Banque undertakes not to transmit any other information to Carrefour Fidélité''.

27. It appears from the documents submitted to the delegation during the on-site inspection that the company CARREFOUR BANQUE also transmits to the company CARREFOUR FRANCE, in addition to the surname, first name and email address of the subscriber of the Pass card mentioned above, his postal address as well as his telephone number(s). When it has this information, it also informs CARREFOUR FRANCE about the number of children declared by the subscriber.

28. The rapporteur therefore considers that the company breached the principle of fairness when it transmitted to the company CARREFOUR FRANCE more personal data concerning the subscribers of the Pass card than those exhaustively listed in the context of the online subscription process.

29. The company replied, first of all, that since the concept of fairness was not defined in the Regulation, the rapporteur could not ask the restricted formation to sanction its violation.

30. It notes, moreover, that the principle of fairness can at most be linked to the obligation of transparency, provided for in Article 12 of the Regulation. In this case, it claims to have complied with this requirement of transparency since the information notice challenged by the rapporteur informs people of the existence of the processing, its purpose and the transfer of this data to third parties.

31. It maintains, finally, that the practices complained of could all the less be qualified as unfair as they result only from a failure to update its website, due to a communication error between the various services of the two companies.

32. The restricted committee recalls that the principle of fairness is an independent principle provided for in Article 5, paragraph 1, a) of the GDPR, the violation of which by a data controller is likely to give rise to the pronouncement of a corrective measure by the supervisory authority.

33. It notes, in this regard, that this provision must be interpreted in the light of recital 60 of the Regulation, according to which: ''the principle of fair and transparent processing requires that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any other information necessary to ensure fair and transparent processing, taking into account the particular circumstances and the context in which the personal data are processed''.

34. In this case, the restricted panel considers that the information provided in this statement was both imprecise and misleading.

35. First of all, the restricted committee notes that the CARREFOUR BANQUE company mentions ''Carrefour Fidélité'' as the recipient of the data communicated even though this service, attached to the CARREFOUR FRANCE company, had never before this mention been presented to subscribers of the Pass card. Thus, the persons concerned could not understand for themselves that their personal data were in fact communicated to a third company, the company CARREFOUR FRANCE.

36. Next, the restricted committee considers that the information provided to the persons concerned was misleading and unfair since the company had expressly indicated, in this same notice of information, that it ''undertakes [to] not transmit any other information to Carrefour Fidélité'' than the names, first names and e-mail address of Pass card subscribers even though this was precisely not the case.

37. The restricted panel therefore considers that a breach of Article 5 (1) (a) of the GDPR has occurred.

38. It notes, however, that on the day of the meeting, the company had completely overhauled the online subscription process for the Pass card and, in particular, rewritten the disputed information. Pass card subscribers wishing to be attached to the Carrefour loyalty program are now informed that personal data concerning them is transmitted to the company CARREFOUR FRANCE and are also informed of the exact nature of the data actually transmitted.

B. On the failure to inform individuals

39. Article 12 of the Regulation provides that: ''the controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 […] regarding the processing to the data subject in a concise, transparent, understandable and easily accessible manner, in clear and simple terms […]''.

40. Article 13 of the same Regulation lists the information that must be provided to data subjects when personal data are collected from them.

1. Regarding the accessibility of the information

41. '''First''', the rapporteur considers that, as shown by the findings made by the delegation during the online inspection, the information made available to users of the carrefour-banque.fr site through various channels was not easily accessible within the meaning of Article 12 of the Regulation.

42. To read the information provided regarding the processing of their personal data, the user could first of all click on the tab ''Protection of banking data'' appearing at the footer of the site. Alternatively, he could also click on the link ''Legal notices'' at the foot of the site, go to point 3 of these notices, entitled ''3 - Protection and confidentiality of personal data processed by Carrefour Banque'' and, finally, click on the link ''To find out more about our personal data protection policy, see our dedicated page'', which referred to the company's confidentiality policy entitled ''Protection and confidentiality of personal data processed by Carrefour Banque'', without any other information having been previously provided to the user before reaching this privacy policy.

43. The company maintains that it was perfectly justified to insert a link to its confidentiality policy in its legal notices and that in any case, this information was provided directly ''via'' the tab ''Protection of banking data'' appearing at the bottom of the page of the site.

44. The restricted committee recalls that in order to consider that a data controller fulfills his obligation of transparency, the information provided must in particular be ''easily accessible'' to the persons concerned within the meaning of Article 12 of the Regulation.

45. It notes, in this regard, that this provision must be interpreted in the light of recital 61 of the Regulation, according to which: ''information on the processing of personal data relating to the data subject should be provided to him at the time when this data is collected from him''.

46. In this sense, it shares the position of the G29 presented in the guidelines on transparency within the meaning of the Regulation, adopted in their revised version on 11 April 2018 (hereinafter the guidelines on transparency), which recalls that ''the person concerned should not have to search for the information but should be able to access it immediately''.

47. To illustrate how it is possible to meet this accessibility criterion, these same guidelines specify, in the case of an online environment that ''each company with a website should publish a statement or notice on the protection of privacy on its site. A direct link to this privacy statement or notice should be clearly visible on every page of this website under a commonly used term (such as Privacy, Privacy Policy, or Privacy Notice). Text or links whose layout or color choice makes them less visible or difficult to find on a web page are not considered to be easily accessible'' .

48. In the present case, the restricted committee considers, first of all, that the vagueness of the title of the tab ''Protection of banking data'' appearing at the footer of the site, referring to banking data and not personal data, could not allow the persons concerned to easily understand that by clicking on this link they would be redirected to the site's confidentiality policy, including information relating to the processing of their personal data. Indeed, for the general public, a large part of the data processed (address, number of children, etc.) does not fall under banking data.

49. Next, with regard to the second information channel, users of the carrefour-banque.fr site could not guess for themselves that the link to the site's confidentiality policy was inserted in the site's legal notices. Thus, to reach this confidentiality policy, users will, in a certain number of cases, first have to take several actions, such as clicking on the links ''Accessibility'' or ''General conditions of sale'' also appearing at the bottom of the home page, before finally clicking on the link ''Legal notices''.

50. It follows that the information provided to users of the carrefour-banque.fr site was not ''easily accessible''.

51. '''Second''', the rapporteur considers that the information relating to the Pass card provided as part of the online subscription process on the carrefour-banque.fr site, as observed during the online inspection, was not ''easily accessible'' either, since subscribers to this card did not have complete information relating to the processing of their data on the presentation page of the subscription process and were not invited, either, to read more complete information, for example by means of a hypertext link to additional information notices.

52. The company maintains that such a link already existed through the tab ''Protection of banking data'' appearing at the footer of the site.

53. The restricted committee emphasizes that according to the principle of transparency, as recalled in particular in recital 61 of the GDPR, information must be communicated to people at the time the data is collected.

54. As an example, the G29 Transparency Guidelines state that, in an online context, ''a link to the privacy statement or notice should be provided at the point of collection of personal data, or that this information can be viewed on the same page as the one where the personal data is collected'' .

55. In the present case, the findings show that the company has chosen to adopt information at several levels.

56. In this regard, if the company did provide, in the presentation page of the Pass card subscription process, the information expected as first-level information, namely the identity of the data controller, the main purposes of the processing and a description of the rights under the Data Protection Act, the restricted formation notes on the other hand that the company had neglected to complete these mentions by allowing people to read complete information by inserting, for example, a hypertext link to second-level information, in this case, to the company's confidentiality policy, which is supposed to detail all of the information required by article 13 of the Regulation.

57. With regard to the tab ''Protection of banking data'' put forward by the company, the restricted committee noted that this tab did not appear at the footer of the online subscription process for the Pass card and recalls that, in any event, its title would not have enabled the people concerned to easily understand that by clicking on this link they would be redirected to the company's confidentiality policy.

58. In this way, the data subjects were not informed, at the time of the collection of their personal data, of all the information relating to the processing. As a result, all the information provided to Pass card subscribers on the carrefour-banque.fr site was not ''easily accessible'' .

59. The restricted panel therefore considers that the company disregarded the provisions of Article 12 of the Regulation.

60. It notes, however, that on the day of the meeting, the company had completely overhauled its website and that the information provided today both to users of the site and to subscribers of the Pass card now meets the requirements of Article 12 of the Regulation.

2. Regarding the content of the information

61. The rapporteur considers that the company's confidentiality policy, entitled ''Protection and confidentiality of personal data processed by Carrefour Banque'' and accessible in the manner recalled above, was both imprecise and incomplete as regards the statements on retention periods. Thus, on the one hand, the information policy contained overly vague wording that did not allow defined periods to be identified and, on the other hand, the company gave no information concerning certain data that it nevertheless stated it collected, such as data on online consumer behavior, habits and preferences collected by the cookies placed on users' terminals from its website. Furthermore, the company did not specify whether or not it archived the data of the data subjects.

62. The company disputes that its information notices on retention periods were imprecise and argues that the information on cookies was available in another section of its ''Legal Notice''.

63. The restricted committee recalls that under Article 13, paragraph 2, a) of the Regulation, the controller provides the data subject with information on ''the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period''.

64. By way of clarification, the above transparency guidelines recommend that ''the retention period [be] formulated in such a way that the data subject can assess, depending on the situation in which they find themselves, what will be the retention period in the case of specific data or for specific purposes. The controller cannot simply state in general that the personal data will be kept for as long as the legitimate purpose of the processing requires. Where appropriate, different storage periods should be mentioned for the different categories of personal data and / or the different processing purposes, in particular periods for archival purposes''.

65. In the present case, the restricted committee emphasizes, first of all, that the use of vague and undefined formulas such as ''the applicable legal limitation periods'' or ''the retention of your data by Carrefour Banque varies according to the regulations and laws applicable'', or even of the expression ''by way of example'' or of the adverb ''in particular'', necessarily made it confusing for the persons concerned to understand the extent and nature of the data stored as well as the retention periods applied to this data.

66. It adds, then, that the information was also incomplete insofar as the company neglected to specify the retention periods applicable to all the data processed or did not specify the criteria used to determine these periods. Thus, the company did not specify that it archived contractual data for five years, the period of the applicable legal limitation, in the event of litigation. In addition, it did not specify the retention periods for the data collected by cookies: although the ''Legal Notice'' of the site did include a paragraph relating to cookies, that paragraph did not specify the retention periods for the data collected by these cookies.

67. The restricted committee therefore considers that a breach of Article 13 of the Regulation had been established.

68. It notes, however, that on the day of the meeting, the company had completed its information notices and that its confidentiality policy now meets the requirements of Article 13 of the Regulation.

C. On the breach relating to cookies

69. Article 82 of the Data Protection Act (Article 32.II, identically worded, at the date of the findings) requires that users be informed and that their consent be obtained before any operation to access information already stored in their equipment or to write information to it. Any deposit of a cookie or other tracker must therefore be preceded by the information and consent of users. This requirement does not apply to cookies whose ''sole purpose is to allow or facilitate communication by electronic means'' or which are ''strictly necessary for the provision of an online communication service at the express request of the user''.

70. The rapporteur considers that the company did not comply with these provisions, since it was found during the online inspection that, on arriving at the carrefour-banque.fr website, several cookies not falling within the two cases recalled above were deposited on the user's terminal as soon as the user connected to the home page of the site and before any action on the user's part.

71. The company does not dispute these findings.

72. The restricted committee notes, in the present case, that the deposit of thirty-one cookies was automatic upon arrival on the home page of the site and before any action by the user.

73. The restricted committee observes that five of these cookies (the ''MUIDB'', ''GPS'', ''gid'', ''_ga'' and ''_gat_trackerBanque'' cookies) had neither the exclusive purpose of allowing or facilitating electronic communication, nor were they strictly necessary for the provision of a service expressly requested by the user.

74. Regarding, first of all, the three cookies ''gid'', ''_ga'' and ''_gat_trackerBanque'', known as ''Google Analytics'', the restricted committee emphasizes that there is no debate that the data collected by these cookies can be cross-checked with data from other processing to pursue purposes other than those limited by Article 82 of the Data Protection Act, in particular to carry out personalized advertising. Indeed, it emerges from the practical guide ''Association of Analytics and Google Ads accounts'', posted on one of the sites of the Google company, that ''the integration of Google Analytics in Google Ads (…) allows [advertisers] to know precisely in how much [their] ads translate to conversions, and then quickly adjust creatives and bids accordingly. [Advertisers can] also combine products to identify [their] most interesting segments and then engage those users with personalized messages''.

75. As regards, then, the ''MUIDB'' and ''GPS'' cookies, the restricted committee notes that these two cookies are tracking cookies, the first allowing a user to be tracked across visits to different domain names belonging to the Microsoft company, the second registering an identifier on the user's terminal in order to geolocate it. Therefore, the deposit of these five cookies should have obliged the company to first obtain the user's consent.

76. The restricted committee therefore considers that a breach of article 82 of the Data Protection Act was established.

77. It notes, however, that on the day of the meeting, the company had completely overhauled its cookie policy. These changes have led, in particular, to stopping the automatic deposit of cookies on arrival on the home page of the site since March 4, 2020.

III. On corrective measures and publicity

78. Under III of Article 20 of the Data Protection Act:

''When the data controller or his processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, refer the matter to the restricted committee with a view to the pronouncement, after adversarial proceedings, of one or more of the following measures: […]''

''7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover for the previous year, whichever is higher. In the cases mentioned in 5 and 6 of article 83 of regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83.''

79. Article 83 of the GDPR provides:

''1. Each supervisory authority shall ensure that administrative fines imposed under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.'' 

''2. Depending on the specific characteristics of each case, administrative fines are imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken in each individual case of the following:'' 

''(a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;''

''(b) whether the violation was committed willfully or negligently;''

''(c) any measure taken by the controller or the processor to mitigate the damage suffered by the data subjects;''

''(d) the degree of responsibility of the controller or the processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32;''

''(e) any relevant breach previously committed by the controller or processor;''

''(f) the degree of cooperation established with the supervisory authority with a view to remedying the violation and mitigating any negative effects thereof;''

''(g) the categories of personal data affected by the breach;''

''(h) how the supervisory authority became aware of the breach, including whether, and to what extent, the controller or processor notified the breach;''

''(i) where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures;''

''(j) the application of codes of conduct approved under Article 40 or certification mechanisms approved under Article 42; and''

''(k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the violation.''

80. '''In the first place''', concerning the proposed sanction, the company maintains that since the breaches of loyalty and information are not established, the pronouncement of an administrative fine does not appear necessary.

81. It argues that it would be appropriate in any event to reduce the amount of the proposed fine, in so far as the infringements complained of are devoid of seriousness and that it has carried out, since the start of the sanction procedure, substantial compliance work.

82. In the light of the relevant criteria provided for in Article 83 of the Regulation, the restricted committee considers, on the contrary, that the pronouncement of an administrative fine is necessary.

83. In this case, as regards, first, the nature, gravity and duration of the violation, the restricted committee notes that this criterion is met for the breach linked to loyalty, since the company provided its customers with information that is contrary to the reality of the processing implemented.

84. Second, with regard to the number of people concerned, the restricted committee emphasizes that the breach relating to cookies concerned a significant number of people, since the cookies made it possible to track in the same way, without distinction, the online behavior of subscribers of the Pass card and of any prospects of the company, but also of all Internet users likely to browse its website.

85. In addition, breaches of loyalty and information also concerned all Pass card subscribers, whether or not they are attached to the Carrefour loyalty program, who, according to the elements noted by the delegation of control, amount to at least […] people.

86. Thirdly, with regard to the measures taken by the controller to mitigate the damage suffered by the data subjects and the degree of cooperation with the supervisory authority, the restricted committee notes the perfect cooperation of the company throughout the sanctioning procedure and the very significant efforts made to achieve full compliance on the day of the session. It notes that the three shortcomings have been corrected to date.

87. Regarding the amount of the administrative fine, the restricted committee recalls that in 2018 the company achieved net banking income of 308 million euros and that in application of the provisions of Article 83, paragraph 5, it incurs a financial penalty of a maximum amount of 20 million euros.

88. Therefore, having regard to the financial capacities of the company and the relevant criteria of Article 83, paragraph 2, of the Regulation mentioned above, the restricted committee considers that the imposition of a fine of € 800,000, which would therefore only represent 0.25% of this net banking income, appears to be effective, proportionate and dissuasive at the same time, in accordance with the requirements of Article 83, paragraph 1, of this Regulation.

89. '''In the second place''', concerning the issuance of an injunction, the company maintains that insofar as it has remedied all the breaches alleged against it, the requests made under the proposed injunction subject to a penalty payment lose all foundation.

90. The restricted committee notes in fact that, since the company has corrected all the shortcomings noted in the sanction report, the issuance of an injunction is no longer justified.

91. '''Thirdly''', with regard to the publicity of this decision, the company maintains that such a measure would not respect the constitutional principle of the necessity of penalties, since it has already engaged in an approach consisting in strengthening the compliance of its situation with the requirements of data protection regulations. It adds that publicity would have particularly damaging consequences in that it could affect its reputation in a lasting way.

92. The restricted committee considers that the publication of this decision is justified in view of the seriousness of the breaches sanctioned and the number of people concerned.

93. It considers that this measure will make it possible to inform all of the company's customers and potential prospects of the existence of the various breaches sanctioned, in particular the breaches relating to loyalty and cookies.

94. Finally, the measure is not disproportionate since the decision will no longer identify the company by name after the expiry of a period of two years from its publication.

95. It follows from all of the above and from the consideration of the criteria set out in Article 83 of the Regulation that an administrative fine in the amount of 800,000 euros as well as an additional publication sanction for a period of two years are justified and proportionate.

'''FOR THESE REASONS'''

'''The restricted committee of the CNIL, after having deliberated, decides to:'''

· '''Impose on the company CARREFOUR BANQUE an administrative fine of 800,000 (eight hundred thousand) euros for breaches of Articles 5, paragraph 1 a), 12 and 13 of the GDPR and Article 82 of the Data Protection Act;'''

· '''Make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name after the expiration of a period of two years from its publication.''' 

President

Alexandre LINDEN