CNIL (France) - SAN-2020-009

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type: Complaint
Outcome: Upheld
Started:
Decided: 18.11.2020
Published: 26.11.2020
Fine: 800000 EUR
Parties: Carrefour Banque
National Case Number/Name: SAN-2020-009
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: Fra-data67

After several inspections carried out between May and July 2019, the French data protection authority (CNIL) imposed a fine of €800,000 on CARREFOUR BANQUE for several violations of the GDPR and of French data protection law (Loi informatique et libertés): fairness and transparency of data processing, accessibility and content of the information provided on data processing, and unlawful use of cookies.

English Summary

Facts

CARREFOUR BANQUE is a subsidiary owned 40% by BNP PARIBAS SA and 60% by CARREFOUR SA, the parent company of the CARREFOUR group. CARREFOUR BANQUE is a banking company whose main activities are consumer credit, portfolio management, insurance brokerage and investment services.

As part of its activities, the company publishes the website www.carrefour-banque.fr and markets a payment card for customers of the CARREFOUR group, which can be attached to the group's loyalty programme.

Having received several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of data on customers and potential users. The President of the CNIL therefore decided to initiate sanction proceedings against these companies.

Following an online inspection carried out by the CNIL on 5 July 2019, the rapporteur noted several breaches of the GDPR and of the French Data Protection law.

Dispute

In this case, the French data protection authority investigated several issues:

  • Does the transmission of data by CARREFOUR BANQUE to CARREFOUR France when joining the loyalty programme comply with the principle of fair and transparent processing contained in Article 5(1)(a) GDPR?
  • Is the information relating to personal data processing operations easily accessible within the meaning of articles 12 and 13 GDPR?
  • Is the information provided to data subjects throughout the subscription process in compliance with the provisions of Article 13 GDPR?
  • Does placing 39 cookies on the data subjects' computer, before any act of consent or refusal on their part, violate Article 82 of the French data protection law?

Holding

The CNIL ordered CARREFOUR BANQUE to pay an administrative fine of €800,000. Insofar as the company took the necessary measures to put an end to the breaches of which it was accused before the end of the proceedings, the CNIL did not issue an injunction against it.

However, in view of the seriousness of the breaches sanctioned and the number of people concerned, the restricted committee (formation restreinte) additionally ordered the publication of the decision for a period of two years.

1° On the violation of the obligation to fairly process personal data

In this case, when the subscriber to the payment card also wanted to join the CARREFOUR loyalty programme, they had to tick a box which read: “I accept that CARREFOUR BANQUE communicates to CARREFOUR FIDELITE my surname, first name and email. CARREFOUR BANQUE undertakes not to transmit any other information to CARREFOUR FIDELITE”. Nonetheless, the French DPA found that CARREFOUR BANQUE also transmitted other information to CARREFOUR FRANCE: postal address, telephone numbers, and the number of children declared by the subscriber.

The French DPA concluded that Article 5(1)(a) GDPR had been violated, as the information given to data subjects was imprecise and misleading. More specifically, the CNIL highlights that:

  • CARREFOUR BANQUE transmits to CARREFOUR FRANCE more data than those restrictively listed at the time of subscription.
  • CARREFOUR BANQUE names CARREFOUR FIDELITE as the recipient of the data communicated by data subjects, whereas this service, attached to the company CARREFOUR FRANCE, had never been presented to the subscriber prior to this mention.

2° On the lack of accessibility to information on processing of personal data

Citing Articles 12 and 13 GDPR, the French DPA distinguishes between:

  • Access to information relating to personal data protection: In this case, the user could access the information relating to the processing of his or her data either by clicking directly on the "Banking Data Protection" tab at the bottom of the page, or by going through the Legal Notice, which referred to the privacy policy and thus required several actions by the user. On this point, the CNIL recalls the WP29 guidelines on transparency, according to which data subjects should not have to search for information but should have immediate access to it. The French DPA therefore found a violation of the obligation to make information on personal data protection accessible. On the one hand, the vagueness of the title "Protection of banking data" does not make it clear to data subjects that this tab concerns personal data protection. On the other hand, with regard to access to the privacy policy via the legal notices, the CNIL notes that users must first carry out several actions before reaching it.

  • The information provided to data subjects throughout the online subscription process: According to the CNIL, the information provided throughout the payment card subscription process was not easily accessible to data subjects. Although CARREFOUR BANQUE did provide the expected first-level information on the page presenting the payment card subscription process (identity of the controller, purposes of the processing, description of the rights granted to data subjects), the CNIL nevertheless emphasizes that CARREFOUR BANQUE neglected to supplement these first-level mentions with a link allowing people to read the complete information.

3° On the vagueness of data retention periods

Based on Article 13(2)(a) GDPR and the WP29 guidelines on transparency, the CNIL notes that CARREFOUR BANQUE's privacy policy is imprecise and vague about data retention.

Indeed, the privacy policy contains vague and undefined wording that leaves data subjects uncertain as to the extent and nature of the data collected. Furthermore, the policy did not specify the retention periods for all data, nor the criteria used to determine these periods.

4° On the use of cookies on the website

The French DPA recalls the provisions of Article 82 of the French data protection law (loi informatique et libertés), which require that any placement of cookies or other trackers be preceded by informing users and obtaining their consent. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means, or which are strictly necessary for the provision of an online communication service expressly requested by the user.

In this case, the CNIL found that 31 cookies were automatically placed on users' devices upon arrival on the site's home page, before any action by the user. More specifically, two of them were intended to track the user and three of them were intended for advertising targeting.

Concluding that these five cookies do not fall within the exceptions set out in Article 82 of the French Data Protection law, the CNIL found a breach of Article 82 and underlines that placing these five cookies required the company to obtain the user's prior consent.

Comment

The issue of the information provided to data subjects occupies an important place in this case. The CNIL reaffirms, in line with the principles of the GDPR and the WP29 guidelines, the standards governing the quality of the information a controller must deliver to data subjects.

This sanction was issued jointly with CNIL - SAN-2020-008, which imposed a €2,250,000 fine on Carrefour France.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.