CNIL - SAN-2020-009
Relevant Law: Article 5(1)(a) GDPR; Article 12 GDPR; Article 13 GDPR; Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
National Case Number/Name: SAN-2020-009
European Case Law Identifier: n/a
Original Source: Legifrance (in FR)
English Summary
Facts
CARREFOUR BANQUE is a subsidiary owned 40% by BNP PARIBAS SA and 60% by CARREFOUR SA, the parent company of the CARREFOUR group. CARREFOUR BANQUE is a banking company whose main activities are consumer credit, portfolio management, insurance brokerage and investment services.
As part of its activities, the company publishes the website www.carrefour-banque.fr and markets a payment card for customers of the CARREFOUR group, which can be attached to the group's loyalty programme.
Having received several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). During these inspections, the CNIL noted shortcomings in the processing of data relating to customers and prospective users. The President of the CNIL therefore decided to initiate sanction proceedings against both companies.
Following an online inspection carried out by the CNIL on 5 July 2019, the rapporteur noted several breaches of the GDPR and of the French Data Protection Act (Loi informatique et libertés).
Dispute
In this case, the French data protection authority investigated several issues:
- Does the transmission of data by CARREFOUR BANQUE to CARREFOUR FRANCE when a customer joins the loyalty programme comply with the principle of fair and transparent processing in Article 5(1)(a) GDPR?
- Is the information relating to the processing of personal data easily accessible within the meaning of Articles 12 and 13 GDPR?
- Does the information provided to data subjects throughout the subscription process comply with Article 13 GDPR?
- Does placing cookies on data subjects' devices before any act of consent or refusal on their part violate Article 82 of the French Data Protection Act?
Holding
The CNIL ordered CARREFOUR BANQUE to pay an administrative fine of €800,000. Since the company had taken the measures necessary to end the breaches of which it was accused before the close of the proceedings, the CNIL did not issue an injunction against it.
However, in view of the seriousness of the breaches sanctioned and the number of people concerned, the restricted committee (formation restreinte) additionally ordered that the decision be published for a period of two years.
On the violation of the obligation to process personal data fairly
When a subscriber to the payment card also wanted to join the CARREFOUR loyalty programme, they had to tick a box reading: “I accept that CARREFOUR BANQUE communicates to CARREFOUR FIDELITE my surname, first name and email. CARREFOUR BANQUE undertakes not to transmit any other information to CARREFOUR FIDELITE.” Nonetheless, the French DPA found that CARREFOUR BANQUE also transmitted further information to CARREFOUR FRANCE: postal address, telephone numbers, and the number of children declared by the subscriber.
The French DPA concluded that this was a violation of the principle of fairness under Article 5(1)(a) GDPR, as the information given to data subjects was imprecise and misleading. The French DPA noted that, although the GDPR does not define fairness, it is linked to the transparency requirement of Article 12. More specifically, the CNIL highlighted that:
- CARREFOUR BANQUE transmitted to CARREFOUR FRANCE more data than the items exhaustively listed at the time of subscription.
- CARREFOUR BANQUE named CARREFOUR FIDELITE as the recipient of the data communicated by data subjects, whereas this service, which belongs to the company CARREFOUR FRANCE, had never been presented to the subscriber before that mention.
On the lack of accessibility of information on the processing of personal data
Quoting Article 12 GDPR, the French DPA distinguishes between:
- The information provided to data subjects throughout the online subscription process: according to the CNIL, the information provided during the payment card subscription process was not easily accessible to data subjects. Although CARREFOUR BANQUE did provide the expected first-level information on the page presenting the payment card subscription process (identity of the controller, purposes of the processing, description of the rights granted to data subjects), the CNIL emphasised that CARREFOUR BANQUE failed to supplement this first-level information with a link allowing people to read the complete information. This was a violation of Article 12.
On the vagueness of data retention periods
On the deposit of cookies without prior consent
The French DPA recalls Article 82 of the French Data Protection Act (loi informatique et libertés), which requires that any deposit of cookies or other trackers be preceded by informing users and obtaining their consent. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means, or which are strictly necessary for the provision of an online communication service expressly requested by the user.
In this case, the CNIL found that 31 cookies were automatically deposited on users' devices on arrival at the site's home page, before any action by the user. More specifically, two of them were intended to track the user and three of them were intended for advertising targeting.
Concluding that these five cookies do not fall within the exceptions set out in Article 82 of the French Data Protection Act, the CNIL found a breach of Article 82 and underlined that the deposit of these five cookies required the company to obtain the user's prior consent.
Comment
The information provided to data subjects is central to this case. In line with the principles of the GDPR and the WP29 guidelines, the CNIL reaffirms the standards governing the quality of the information a controller must deliver to data subjects.
This sanction was issued alongside CNIL - SAN-2020-008, in which the French DPA imposed a fine of €2,250,000 on CARREFOUR FRANCE.
Further Resources
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.