CNIL - SAN-2020-016
|CNIL - SAN-2020-016|
|Relevant Law:||Article 2(2) GDPR|
Article 3(1) GDPR
Article 5(1)(e) GDPR
Article 5(1)(c) GDPR
Article 12(2) GDPR
Article 14 GDPR
Article 21(2) GDPR
Code des postes et des communications électroniques
Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
|National Case Number/Name:||SAN-2020-016|
|European Case Law Identifier:||n/a|
|Original Source:||Légifrance (in FR)|
The French DPA (CNIL) imposed a fine of €7300 on the company PERFOMECLIC for sending commercial prospecting emails without proof of prior consent and without providing satisfactory information.
English Summary[edit | edit source]
Facts[edit | edit source]
The PERFORMECLIC Company's activity is the sending of commercial e-mails on behalf of advertisers. As such, the company holds a database of 20 million e-mail addresses that it has purchased from a third party company.
Following the report made by the SIGNAL SPAM association, the French DPA carried out an on-site inspection at the company's premises on 18 September 2019.
Dispute[edit | edit source]
- Insofar as the operational activities of the company were implemented from Morocco, is the GDPR applicable and is the CNIL competent in this case?
- How is the notion of "consent" to be understood in the context of email prospecting operations?
- Is the processing of the telephone number in the context of prospection operations carried out solely by e-mail contrary to the principle of data minimisation provided for in Article 5(1)(e) GDPR?
- Is the simple opening of a prospecting e-mail sufficient to characterise the prospect's interest in the products and services of the sender of the message, and thus to extend the retention period of this data?
- Is the apposition of a standard mention at the bottom of a prospecting e-mail sufficient regarding the information standards provided for in Article 14 GDPR?
Holding[edit | edit source]
The CNIL orders PERFORMECLIC to pay an administrative fine of €7300. It also issued an injunction to bring the processing into compliance with the provisions of the French Post and Electronic Communications Code and the GDPR, accompanied by a penalty payment of 1,000 euros per day of delay at the end of a two-month period following notification of the decision. Finally, the French DPA has made its decision public.
The CNIL based its decision on the following grievances :
On the competence of the French DPA[edit | edit source]
At the time of the audit, the manager of the company indicated to the CNIL that the operational activities of the company were carried out from Morocco and that, in the near future, he intended to end the company's activities in France and carry them out in their entirety from Morocco, so that the GDPR did not apply in this case.
As per Articles 3 GDPR and 8 of the French Data Protection Act, the CNIL retains its jurisdiction and confirms the application of the GDPR insofar as the company is established in France, and addresses its prospecting messages to the French public only.
On the failure to obtain the consent of the person concerned by a direct marketing operation by means of electronic mail[edit | edit source]
According to article L. 34-5(1) of the French Post and Electronic Communications Code, "direct prospecting by means of an automated electronic communications system, a fax machine or electronic mail using the contact details of a natural person, subscriber or user, who has not previously expressed his consent to receive direct prospecting by this means, is prohibited". With regard to this article, the notion of consent should be understood as any expression of free, specific and informed will by which a person agrees to the use of personal data concerning him/her for the purpose of direct prospecting. Thus, the consent of individuals must be obtained before sending any commercial e-mail.
In this case, the absence of elements attesting the effective existence of a valid consent of the persons concerned, in relation to the number of reports received by the association SIGNAL SPAM concerning the company (163,126 reports over the period from 1 January 2019 to 11 June 2019 making it the issuer of e-mails most reported by French Internet users to SIGNAL SPAM over this period) leads the Cnil's sub commission to retain a breach of Article L. 34-5 of the French Post and Electronic Communications Code.
On the failure to ensure the adequacy, relevance and non-excessiveness of the personal data processed by the company[edit | edit source]
The CNIL recalls the provisions of Article 5(1)(c) GDPR, according to which personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimisation).
In the present case, the CNIL notes that the prospecting files contained the telephone number of the prospects. However, it emerges from the monitoring operations that this information is not used by the company, which only addresses marketing by e-mail.
Consequently, the French DPA considers that the telephone number should not have been collected and processed by the company and should have been deleted from the databases. In these circumstances, the restricted formation considers that the company has failed to comply with the obligation provided for in Article 5(1)(c) GDPR to process only adequate, relevant personal data limited to what is necessary for the purposes for which they are processed.
On the failure to comply with the obligation to process personal data for no longer than is necessary for the purposes for which they are processed[edit | edit source]
Article 5(1)(e) GDPR provides that personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed.
According to the findings of the CNIL, it appears that the company kept prospect data for more than three years, with the contact details of approximately 5 million prospects having only opened the prospecting e-mails sent by the company, without any further action on their part, in particular without having clicked on one of the links contained in the said prospecting e-mails.
The CNIL finds that the provisions of Article 5(1)(e) GDPR have been breached, emphasising in particular that the starting point set by the company to calculate the retention period for prospect data cannot be the simple opening of an email, insofar as the opening of an email does not necessarily reflect the prospect's interest in the products or services of the sender of the message, as the prospect may have opened the email by mistake or automatically, in particular due to the operation of his email software. By proceeding in this way, the company has not ensured the effective interest of the subjects in the commercial prospecting messages that it sends.
On the failure to comply with the obligation to inform the data subjects[edit | edit source]
Article 14 GDPR requires the controller to provide the data subject with several pieces of information, such as the identity and contact details of the controller, the purposes of the processing operation, its legal basis, the categories of personal data concerned, the recipients of these data, the storage period, or the terms and conditions of the rights granted to the data subjects. In addition, this information must be provided at the latest at the time of the first communication with the individual.
In this case, the CNIL notes that in emails sent to prospects, information is provided by a standard mention at the bottom of the email. However, the CNIL points out that the company must provide individuals with complete information, whether it be from this first level of information given in the e-mails or by allowing them easy access to additional information, within a second level of information.
However, the mention provided for at the end of e-mails sent to prospective customers does not include all the elements provided for by Article 14 GDPR. The CNIL also notes that no hypertext link refers to more complete information than that standard mention in the mail. Consequently, the CNIL retains the failure to comply with the information obligation referred to in Article 14 GDPR.
On the failure to respect the right to object of data subjects[edit | edit source]
In this case, the CNIL holds that the company carries out its commercial emailing activity by silos: the personal data of prospects contained in the database is replicated within nine different accounts, and each account is associated with two different domain names. Thus, when a person clicks on an unsubscribe link to exercise their right of opposition, they are unsubscribed from the account used to send the prospecting campaign in question but not from the other accounts used by the company for other campaigns.
Article 21(2) GDPR provides that where personal data are processed for marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him for such marketing purposes, including profiling insofar as it relates to such direct marketing.
With regard to this article, the CNIL notes that the management of marketing campaigns by silos by the company makes it ineffective for individuals to oppose the processing of their data by the company for the purposes of commercial e-mailing when this right is exercised by means of the unsubscribe link at the bottom of the e-mail messages. Indeed, when a person clicks on an unsubscribe link to exercise his or her right to object, that person is unsubscribed only from the account used to send the prospecting campaign concerned but not from the other accounts used by the company for other campaigns.
In order to defend itself, the company has indicated to the delegation of control that, in order to be unsubscribed from all accounts used for sending prospecting emails by the company, the person concerned must either make this request by replying by return message to the prospecting emails received, or fill in an online form available from the PERFORMECLIC.FR domain.
In this respect, the CNIL recalls that Article 12(2) GDPR requires the data controller to facilitate the exercise of the rights conferred on the data subject under Articles 15 to 22 GDPR, which the company has in any event failed to do by not offering the data subjects a satisfactory means of exercising their rights and by not informing them of the existence of channels enabling them to unsubscribe from all accounts and inviting them to use them to exercise their right of opposition.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.