CNIL (France) - SAN-2020-018: Difference between revisions

From GDPRhub

The French DPA (CNIL) imposed a fine of €20,000 on the catering company Nestor. The company sent commercial emails without gathering consent (Article L. 34-5 of the French Postal and Electronic Communication law), did not provide sufficient information to data subjects (Articles 12 and 13 GDPR), failed to respect data subjects' right of access (Article 15 GDPR) and did not ensure sufficient security of the personal data it processed (Article 32 GDPR).


==English Summary==

===Facts===
Nestor SAS, founded in 2015, provides a service of prepared meals delivered to office employees, who order them on its website and mobile app. It was the subject of various complaints over time.


Another two complainants attempted to obtain a copy of their personal data from Nestor, without success. Nestor also did not respond to their requests for information about the purposes of the processing, the retention period or the source of their data.


The CNIL also conducted an online investigation of the Nestor website and app in May 2019 to check their compliance with the GDPR and the French Data Protection Act of 1978 as amended (loi n°78-17 du 6 janvier 1978 modifiée relative à l'informatique, aux fichiers et aux libertés). The CNIL did this again in February 2020.


The CNIL also inspected the company's headquarters in May 2019.

The CNIL continued its investigation in June and September 2019 by requesting further information on the legal basis for the processing, the right to object and the retention periods of personal data.


===Dispute===
There were four key questions of substantive law:

* Did Nestor violate Article L. 34-5 of the Postal and Electronic Communication law (Code des postes et des communications électroniques) by sending commercial emails without consent?
* Did Nestor fail to provide sufficient information to data subjects at the moment of collecting their personal data, in violation of Articles 12 and 13 GDPR?
* Did Nestor fail to respect the exercise of the right of access, in violation of Article 15 GDPR?
* Did Nestor fail to satisfy the obligation of security, in violation of Article 32 GDPR?
 
===Holding===

==== Regularity of the Procedure: ====
''Claim that the CNIL did not have the power to impose measures:''

Nestor claimed that the CNIL lacked the power to impose any sanctioning measures unless there was continuing non-compliance with the law.


The CNIL highlighted that this interpretation of Article 20 of the 1978 law is coherent with the GDPR, as reflected in Recital 148.


The CNIL also referred to a [https://www.legifrance.gouv.fr/ceta/id/CETATEXT000038388017/ decision n°423559] of the French Supreme Administrative Court (Conseil d'État) which allowed such sanctions even where the violation had already been remedied.


Therefore, the CNIL dismissed Nestor's argument that it did not have the power to impose sanctions.


''Claim that the CNIL acted outside the scope of the referral:''

Nestor also argued that the CNIL misinterpreted the scope of the referral for the investigation, which did not mention Article L. 34-5 of the French Postal and Electronic Communication law (Code des postes et des communications électroniques). Therefore, in Nestor's view, the CNIL could not rule on violations of Article L. 34-5 of that law.


However, the CNIL referred to Article 8 of the 1978 law (as amended), which tasks the CNIL with applying the 1978 law as well as other data protection provisions in legislative texts, EU legislation and international agreements to which France is a signatory. Article L. 34-5 of the French Postal and Electronic Communication law therefore falls within that scope.


The French Supreme Administrative Court also confirmed that the CNIL could ensure compliance with Article L. 34-5 of the French Postal and Electronic Communication law in its [https://www.legifrance.gouv.fr/ceta/id/CETATEXT000030445581/ decision n°368624].


Therefore, the CNIL could apply the Postal and Electronic Communication law and investigate potential violations of it.


''Claim that the allegations lacked precision:''

The CNIL rejected the argument that its allegations lacked precision, holding that there was sufficient material and temporal information to allow Nestor to exercise its right of defence.


==== Violation of the obligation to gather consent as prescribed by Article L. 34-5 of the Postal and Electronic Communication law: ====
''Lack of consent from natural persons receiving commercial emails:''

The CNIL found in its investigation that Nestor worked with two companies to build a database of personal data for sending commercial emails. This was done by combining the name of a natural person with the company they work for to reconstitute a professional email address, and collating these addresses in a database. Nestor stated that 635,033 commercial emails had been sent this way since 2017.


Therefore, Nestor violated Article L. 34-5 of the Postal and Electronic Communication law.


''Lack of consent to receive commercial emails from natural persons creating accounts on Nestor's website or app:''

The CNIL held that Nestor did not gather valid consent to send commercial emails to users creating accounts on its website or app.

This was therefore also in violation of Article L. 34-5 of the Postal and Electronic Communication law. Nestor has since corrected this issue.


==== Violations of the obligations to inform as prescribed by Articles 12 and 13 GDPR: ====
The CNIL held that the information Nestor provided to data subjects about the processing of their personal data, at the moment of collection, was incomplete and hence in violation of Article 13 GDPR. The sign-up form did not include all the information required by Article 13 GDPR: there was no information on the legal basis for the processing, the recipients of the personal data, the retention period, or the right to lodge a complaint with the supervisory authority.


Therefore, Nestor violated Articles 12 and 13 GDPR. The company has since remedied these issues.


==== Violations of the obligation to respect the right of access as prescribed by Article 15 GDPR: ====
The CNIL held that Nestor failed to provide a requesting data subject with a copy of the personal data it held on them in its database. Nestor only unsubscribed the data subject from its mailing list. This was a failure to respect the exercise of the right of access under Article 15(3) GDPR.

Additionally, the CNIL held that Nestor responded to a request for information under Article 15 only after more than five months had passed, whereas Article 12(3) GDPR requires a response within one month. Nestor also failed to properly disclose the source of the personal data: it only stated that the data subject's email address had been reconstituted from another email address, without mentioning that the latter had been obtained from a professional social media platform. Nor did Nestor provide the data subject with a copy of the data.

Therefore, Nestor failed to respect data subjects' exercise of their right of access, in violation of Article 15 GDPR.


==== Violations of the obligation to ensure security of personal data as prescribed by Article 32 GDPR: ====
The CNIL found that Nestor's sign-up page accepted passwords of only one character on the app, and of six characters on the website.

The CNIL held that the app's password requirements were insufficient to ensure the security of personal data as required by Article 32 GDPR. According to the DPA, both the length and the complexity of a password are necessary for security. The CNIL referred to its recommendations in [https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000033928007 deliberation n° 2017-012] (19 January 2017) on password security.

The CNIL therefore held that Nestor violated Article 32 GDPR.
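As an added example that is not part of the decision or of GDPRhub's summary, the check below contrasts the two sign-up policies the CNIL recorded (a one-character minimum on the app, six characters on the website, neither with a complexity rule) with a hardened policy modelled on the CNIL's deliberation 2017-012. The thresholds used for the hardened policy (at least 12 characters drawn from four character classes when the password is the only protection, or at least 8 characters from three classes when login attempts are throttled) are my reading of that deliberation and are not stated on this page; the policy names, function names and sample passwords are constructed for the example.

```python
from __future__ import annotations

import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """A minimum length plus a minimum number of distinct character classes."""
    name: str
    min_length: int
    min_classes: int  # out of: lowercase, uppercase, digits, punctuation


# The two weak sign-up policies recorded in the decision: a length floor only,
# no complexity requirement at all.
APP_POLICY_2019 = PasswordPolicy("app (1 char, no complexity)", 1, 0)
WEB_POLICY_2019 = PasswordPolicy("website (6 chars, no complexity)", 6, 0)

# Hardened policies modelled on CNIL deliberation 2017-012. The exact numbers
# are an assumption (my reading of the deliberation), not taken from this page.
PASSWORD_ONLY = PasswordPolicy("password only", 12, 4)
WITH_RATE_LIMIT = PasswordPolicy("password + login throttling", 8, 3)

CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def character_classes(password: str) -> int:
    """Count how many of the four character classes appear in the password."""
    return sum(any(c in cls for c in password) for cls in CHARACTER_CLASSES)


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"too short: {len(password)} < {policy.min_length}")
    classes = character_classes(password)
    if classes < policy.min_classes:
        problems.append(f"too few character classes: {classes} < {policy.min_classes}")
    return problems


def accepts(password: str, policy: PasswordPolicy) -> bool:
    return not check_password(password, policy)


def policy_matrix(samples: list[str], policies: list[PasswordPolicy]) -> dict[str, dict[str, bool]]:
    """For each sample password, which policies would have let it through."""
    return {pw: {pol.name: accepts(pw, pol) for pol in policies} for pw in samples}


if __name__ == "__main__":
    # Constructed sample passwords, from trivially weak to compliant.
    SAMPLES = ["a", "nestor", "Nestor2019", "N3stor!Paris-2019"]
    POLICIES = [APP_POLICY_2019, WEB_POLICY_2019, WITH_RATE_LIMIT, PASSWORD_ONLY]
    for pw, row in policy_matrix(SAMPLES, POLICIES).items():
        verdicts = "  ".join(f"{name}: {'ok' if ok else 'REJECT'}" for name, ok in row.items())
        print(f"{pw!r:22} {verdicts}")
```

Running the script shows why the CNIL objected to the app's rule in particular: a single character passes the 2019 app policy, "nestor" passes the 2019 website policy, and only the last sample clears the password-only threshold. Length alone (the website's six characters) is not enough under either hardened policy because the complexity check fails as well.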


==== Corrective measures: ====
For these violations, the CNIL imposed a fine of €20,000 on Nestor SAS, having taken into account the economic impact of COVID-19 on the catering company. It also ordered Nestor to bring its processing into compliance with the violated Articles (including its handling of access requests).


==Comment==
''Share your comments here!''


==Further Resources==
''Share blogs or news articles here!''


==English Machine Translation of the Decision==
The decision below is a machine translation of the French original. Please refer to the French original for more details.

<pre>
Deliberation of the restricted committee No. SAN-2020-018 of December 8, 2020 concerning the company NESTOR SAS
The National Commission for Informatics and Freedoms, meeting in its restricted committee composed of Mr. Philippe-Pierre CABOURDIN, Vice-President, Ms. Dominique CASTERA, Ms. Anne DEBET and Ms. Christine MAUGÜE, members;
Having regard to Convention No. 108 of the Council of Europe of January 28, 1981 for the protection of individuals with regard to automatic processing of personal data;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;
Having regard to Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms, as amended, in particular Articles 20 et seq.;
Having regard to Ordinance No. 2020-306 of March 25, 2020 relating to the extension of deadlines expiring during the period of health emergency;
Having regard to Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms;
Having regard to deliberation no 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Information Technology and Freedoms;
Having regard to referrals nos […], […], […], […] and […];
Having regard to Decision No. 2019-082C of April 24, 2019 of the President of the National Commission for Informatics and Freedoms instructing the Secretary General to carry out, or have carried out, a mission to verify the processing implemented by or on behalf of NESTOR;
Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated December 19, 2019;
Having regard to the report by Mr. François PELLEGRINI, commissioner rapporteur, notified to the company NESTOR on February 28, 2020;
Having regard to the written observations made by the company NESTOR on August 21, 2020;
Having regard to the rapporteur's response to these observations, notified on September 18, 2020 to the company's counsel;
Having regard to the new written observations made by counsel for NESTOR, received on October 16, 2020, as well as the oral observations made during the restricted committee session;
Having regard to the internal procedure for handling requests to exercise rights, submitted by counsel for NESTOR on November 6, 2020;
Having regard to the other documents in the file;
Were present during the restricted committee session of November 5, 2020:
Mr François PELLEGRINI, commissioner, heard in his report;
As representatives of NESTOR:
[…] ;
[…] ;
[…] ;
[…] ;
[…].
The NESTOR company having had the floor last;
The restricted committee adopted the following decision:
I. Facts and procedure
The company NESTOR SAS (hereinafter the company) is a simplified joint stock company created in February 2015, whose activity is the preparation and delivery of meals to office workers, ordered from the company's website nestorparis.com and a mobile application. Its head office is located at 113, rue Victor Hugo in Levallois-Perret (92300).
In 2018, NESTOR SAS achieved a turnover of around […] euros and a negative net result of around […] euros. In 2019, the company achieved a turnover of approximately […] euros and a negative net result of approximately […] euros. NESTOR employs approximately 74 people. On May 14, 2019, the company had 169,768 customer accounts created via its site and its mobile application.
In November 2018 and January 2019, the National Commission for Informatics and Freedoms (hereinafter the CNIL or the Commission) received four complaints from people who are not customers of the company, indicating that they had received prospecting emails from it without having given their prior consent (referrals No. […], […], […] and […]). These emails contained information relating to commercial offers and menus offered by the company. Some complainants informed the CNIL that the company had told them that it had reconstituted their email address, in order to contact them, on the basis of the format of their company's email addresses, from data disseminated on the professional social network […].
Furthermore, a complainant indicated that she encountered difficulties in objecting to the processing of her personal data by the company for the purposes of prospecting by electronic mail (referral no. […]). Several complainants also indicated that despite their unsubscription from the newsletter received by email, they continued to receive prospecting messages through this means.
Finally, two complainants indicated that they had unsuccessfully requested from the company a copy of the personal data concerning them processed by it, as well as information relating to the purpose of the processing, the recipients of the data, the data retention periods or the source of their data (referrals No. […] and […]).
On May 3, 2019, in application of Decision No. 2019-082C of the President of the CNIL, a CNIL delegation carried out an online control mission on the website and the mobile application implemented by the company. The purpose of this mission was to verify that the company complied with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the Regulation or the GDPR) and of Law No. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter the Law of January 6, 1978 as amended or the Data Protection Act).
During this control mission, the delegation followed the registration process of a person on the website as well as on the company's mobile application and created an account in the name of the CNIL. It thus carried out checks in relation to the data entered by the persons when they registered, the information relating to the protection of personal data provided to the persons concerned as well as the security measures put in place by the company with regard to passwords associated with the accounts.
On May 14, 2019, a CNIL delegation carried out a control mission on the company's premises, in application of the aforementioned Decision No. 2019-082C. During this check, the company told the delegation that it was redesigning its website in order to comply with the GDPR, in particular with regard to informing individuals and the means of objecting to receipt of the newsletter. The company also explained to the delegation how it builds its prospect database. Finally, verifications were carried out regarding the follow-up given to complaints submitted to the CNIL, with regard to individuals' rights of access and objection.
In response to a request of June 21, 2019, the company provided the CNIL control delegation, by email of the following July 3, with information relating to the source of the personal data contained in its prospect database. Finally, by email of September 11, 2019, the company provided the CNIL with information relating to the legal basis of the processing carried out for the purposes of commercial prospecting, the right of opposition as well as the retention periods for the data of prospects and customers.
For the purposes of examining these elements, the President of the Commission appointed Mr. François PELLEGRINI as rapporteur, on December 19, 2019, on the basis of Article 22 of the Law of January 6, 1978 as amended, in the version applicable on the day of designation.
On February 20, 2020, in order to update the findings already made, a CNIL delegation carried out a new online control mission of the nestorparis.com site and the company's mobile application. The Delegation again created an account on behalf of the Commission, on the website and mobile application, and carried out checks on the transparency of the information provided to individuals as well as the strength of the passwords associated with accounts.
At the end of his investigation, the rapporteur notified the company NESTOR SAS, on February 28, 2020, of a report detailing the breaches of the GDPR that he considered constituted in this case.
This report proposed that the restricted committee of the Commission issue an injunction to bring the processing into line with the provisions of Article L. 34-5 of the Postal and Electronic Communications Code (hereinafter the CPCE) and Articles 12, 13, 15 and 32 of the Regulation, accompanied by a penalty of five hundred euros per day of delay at the end of a period of three months following notification of the restricted committee's deliberation, as well as an administrative fine. He also proposed that this decision be made public and that it no longer make it possible to identify the company by name after a period of two years from its publication.
Also attached to the report was a notice to attend the restricted committee session of May 7, 2020, indicating to the company that it had one month to communicate its written observations in application of the provisions of Article 40 of Decree No. 2019-536 of May 29, 2019.
On March 11, 2020, through its counsel, NESTOR requested by reasoned letter an extension of time to produce its observations. By email of March 18, 2020, the president of the restricted committee informed NESTOR that it could produce its defence observations until April 20, 2020.
On April 8, 2020, by virtue of Ordinance No. 2020-306 of March 25, 2020 relating to the extension of deadlines expiring during the period of health emergency and to the adaptation of procedures during that same period, taken in application of Emergency Law No. 2020-290 of March 23, 2020 to deal with the Covid-19 epidemic, the president of the restricted committee informed the company that it had additional time to submit its observations on the rapporteur's report, until August 24, 2020.
On August 21, 2020, through its counsel, the company filed comments. The rapporteur replied on the following September 18.
On September 10, 2020, the Commission's services sent the company a notice to attend the restricted committee session of November 5, 2020.
By email of August 25, 2020, on the basis of Article 40, paragraph 4, of Decree No. 2019-536 of May 29, 2019 taken for the application of the Data Protection Act (hereinafter the decree of May 29, 2019), the rapporteur asked the president of the restricted committee for an additional fifteen days to respond to the company's observations, which was granted on August 27, 2020. The company was informed the same day.
On October 16, the company produced further submissions in response to those of the rapporteur.
The company and the rapporteur presented oral observations during the restricted training session on November 5, 2020.
II. Reasons for the decision
A. On the regularity of the procedure
1. On the complaint alleging the lack of powers of the restricted committee
The company considers that the restricted committee only has the power to pronounce the measures referred to in Article 20 III of the Data Protection Act in the presence of persistent breaches.
First, it maintains that this analysis follows from the interpretation of the terms of the law, Article 20 III of the Data Protection Act providing for the possibility for the restricted committee to have recourse to the measures provided for in that article when the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law.
The rapporteur maintains that the interpretation of Article 20 III of the Data Protection Act presented by the company cannot be followed. The legislator intended to allow the restricted committee of the CNIL to pronounce a sanction, in particular a pecuniary one, including in the event of a duly noted breach for which a formal notice would be pointless, the breach having ceased and no longer calling for correction.
The restricted committee considers that the measures taken by a data controller to put an end to a noted breach, if they justify that no formal notice or no injunction be sent to it for the future, do not deprive it of the possibility of pronouncing a corrective measure, and in particular an administrative fine, insofar as the compliance of the controller does not have the effect of eliminating the existence of past breaches.
It emphasises that this interpretation of Article 20 of the Data Protection Act is in line with the GDPR in that this article aims at the accountability of data controllers. The corrective measures falling within the powers of the CNIL's restricted committee can be taken directly in all cases, whether or not the breach can still be brought into conformity. Recital 148 of the GDPR specifies that any violation of the Regulation may be subject to sanctions: "In order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation, in addition to, or instead of appropriate measures imposed by the supervisory authority pursuant to this Regulation. […] However, due regard should be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority […]." The criterion of the duration of the breach therefore applies both to a completed and to a persistent breach.
In addition, the restricted committee observes that the Council of State adopted this interpretation, recalling that: "It follows from these provisions, clarified by the preparatory work of the Law of October 7, 2016, that the restricted committee of the CNIL can, without prior formal notice, sanction a data controller whose breaches of the obligations incumbent on it are not likely to be rectified, either because they cannot be rectified or because they have already been remedied." (CE, No. 423559, April 17, 2019, Association pour le développement des foyers).
Secondly, the company maintains that the absence of limitation rules for breaches in the Data Protection Act and the GDPR shows that only breaches ongoing on the day of the restricted committee session can be sanctioned, and that a contrary interpretation would run counter to the case law of the European Court of Human Rights according to which limitation rules are a condition of a fair trial.
The rapporteur recalls that the Commission received four complaints between 2018 and 2019, that checks were carried out by the CNIL delegation in May 2019 and February 2020, and that the rapporteur appointed in December 2019 to investigate these elements notified his report on February 28, 2020. The restricted committee therefore considers that the Commission acted within a reasonable time between the findings made by the control delegation and the referral to the restricted committee.
The restricted committee notes in this regard that it follows from the case law of the Court of Justice of the European Union that the obligation of the administration to act within a reasonable time, compliance with which may be reviewed by the Union courts, offers a sufficient level of protection in situations where no limitation period is fixed by the texts (CJEU, T-342/14, Order of the General Court, CR v European Parliament and Council of the European Union, December 12, 2014).
The restricted committee therefore considers that the company is not justified in claiming that it only has the power to pronounce the measures referred to in Article 20 III of the Data Protection Act in the presence of persistent and current breaches, nor that the procedure followed before it infringed the right to a fair trial.
2. The complaint alleging failure to understand the scope of the referral to the restricted committee
The company considers that the restricted committee cannot pronounce on the alleged breach of the provisions of Article L. 34-5 of the Postal and Electronic Communications Code (hereinafter the CPCE).
In the first place, the company maintains that the control decision n ° 2019-082C of the president of the CNIL, the acts of investigation or instruction which followed, as well as the decision of the president of December 19, 2019 appointing a rapporteur and referral to the restricted committee, do not apply to article L. 34-5 of the CPCE. Consequently, the restricted committee could not rule on the alleged breach of the provisions of Article L. 34-5 of the CPCE without disregarding the scope of its referral.
The company also maintains that the restricted committee cannot rely on the elements of the investigation to establish a breach of Article L. 34-5 of the CPCE without disregarding the principle of the specialty of the investigation, which requires that the investigation be carried out within the limits of the field defined by the decision constituting its legal basis, and the principle of fairness of the investigation, which obliges the investigators to state the object and the legal basis of the investigations.
The rapporteur recalls that the aforementioned decisions concern the Data Protection Act and the GDPR and that the resulting acts of investigation or instruction are carried out within this framework. Article 8 of the law sets out the missions of the CNIL and specifies in particular that it ensures that the processing of personal data is implemented in accordance with the provisions of this law and the other provisions relating to the protection of personal data provided for by laws and regulations, European Union law and France's international commitments.
The rapporteur therefore maintains that the amended law of 6 January 1978 refers to all the provisions relating to the protection of personal data provided for by legislative and regulatory texts. The prospecting operations referred to in Article L. 34-5 of the CPCE concern the processing of personal data, and this article gives competence to the CNIL to ensure compliance with it when the processed data is of a personal nature. Paragraph 6 of Article L. 34-5 of the CPCE thus provides that: The National Commission for Informatics and Freedoms monitors, as regards direct prospecting using the contact details of a subscriber or a natural person, compliance with the provisions of this article by using the powers recognized to it by law n° 78-17 of 6 January 1978 mentioned above.
The restricted committee considers that it is within this framework that the CNIL delegation carried out three checks on the company and that the restricted committee was referred to.
The restricted committee also underlines that this interpretation was adopted by the Council of State which recognized the competence of the CNIL to ensure compliance with the provisions of Article L. 34-5 of the CPCE (CE, n ° 368624, March 11, 2015, TUTO4PC Company).
Consequently, the restricted committee was regularly seized, and it is without disregarding the principles of specialty and fairness that it relies on the elements of the checks to examine the facts committed by the company with regard to the provisions of Article L. 34-5 of the CPCE.
Secondly, the company maintains that, if the restricted committee could be seized of alleged breaches of article L. 34-5 of the CPCE, the investigators of the CNIL cannot carry out investigative measures to this effect, this prerogative being reserved, by virtue of paragraph 7 of article L. 34-5 of the CPCE, to the agents of competition, consumption and the repression of fraud and to the civil servants in charge of missions of economic protection of the consumers.
However, the rapporteur recalls that the provisions of paragraph 6 of article L. 34-5 of the CPCE provide that the CNIL uses its powers in order to ensure compliance with the aforementioned article with regard to direct prospecting using contact details of a subscriber or a natural person. These powers are specified in the law of 6 January 1978 as amended and they include, under Articles 19 and 20, powers of investigation and sanction.
The restricted committee therefore considers that the CNIL agents are competent to carry out control missions under the provisions of Article L. 34-5 of the CPCE in order to ensure compliance with this article specifically concerning direct prospecting using the contact details of a subscriber or a natural person.
3. The vagueness of the complaints against the company
The company stresses that the grievances notified in the sanction report are characterized neither materially nor in time and do not meet the standard of proof required in criminal matters. As a result, the company maintains that it is unable to exercise its rights of defense effectively.
The rapporteur indicates that the facts on which the breaches are based were noted during the checks carried out by the CNIL delegation on May 3 and 14, 2019 and February 20, 2020. These breaches were materially and temporally characterized in the report notified to the company. The rapporteur therefore considers that he has enabled the company to exercise its rights of defense.
The rapporteur also stresses that the restricted committee is not a criminal court, that it has the power to pronounce sanctions of an administrative nature and that the standard of proof required before it must therefore meet not the requirements of criminal matters but those set by the Data Protection Act and its implementing decree.
In this regard, the rapporteur also recalls that each complaint is supported by elements resulting from the control operations within the framework of which a report, including attached documents, is drawn up.
In view of all of these elements, the restricted committee considers that the delegation of control ensured a high standard of proof which guarantees their reliability, that the shortcomings were materially and temporally characterized in the report notified to the company and that thus, the company cannot take advantage of an imprecision of the complaints which are opposed to it.
B. On the failure to obtain the consent of the person concerned by a direct prospecting operation by means of an automated electronic communications system in application of Article L. 34-5 of the CPCE
1. On the absence of consent from people to receive commercial prospecting messages
Article L. 34-5 of the CPCE provides: Direct prospecting by means of an automated electronic communications system within the meaning of 6° of Article L. 32, a fax machine or electronic mail using the contact details of a natural person, subscriber or user, who has not previously expressed his consent to receive direct prospecting by this means, is prohibited.
For the purposes of this article, consent is understood to mean any free, specific and informed manifestation of will by which a person accepts that personal data concerning him / her be used for the purpose of direct prospecting. […].
Under paragraph 6 of the same article, the National Commission for Informatics and Liberties ensures, with regard to direct prospecting using the contact details of a subscriber or a natural person, compliance with the provisions of this article by using the skills which are recognized by the aforementioned law n ° 78-17 of 6 January 1978. To this end, it may in particular receive, by any means, complaints relating to breaches of the provisions of this article […].
The rapporteur maintains that the company does not obtain the consent of persons whose personal data are accessible on the Internet, prior to sending commercial prospecting messages.
The rapporteur noted that, during the check of March 14, 2019, the company indicated to the CNIL control delegation that it builds its prospect database from personal data accessible online on the professional social network website of the company [...]. It specified that it was working with two companies, A and B, for the creation of personal databases intended for commercial prospecting.
First, company A establishes prospecting lists containing the first and last names of prospects, associated with the name of the company in which they work. These data are collected by the Sales Navigator service offered by the company [...], which lists all the people working in a company and a region. The NESTOR company then transfers the file established by company A to company B, which enriches this file, in particular by adding the professional e-mail address of the persons.
The company indicated to the CNIL control delegation that the files compiled with the help of these two companies allow it, subsequently, to contact people likely to be interested in its services. To do this, it is finally up to another company, company C, to send these prospects information emails and promotional codes on behalf of NESTOR.
The company informed the delegation that, since 2017, 635,033 prospects have received such prospecting emails.
The company maintains that the legal basis of the processing for the purpose of commercial prospecting of people, carried out on their professional email address, is the legitimate interest of the controller. The company also specified that its ambition is to become the benchmark for business lunch delivery services to its clients' business premises and that it is therefore vital for it to acquire a base of potential business clients.
The rapporteur noted that at first, the company had informed the delegation that it was not obtaining the consent of the people since this prospecting emailing - the legal basis of which is the legitimate interest of NESTOR - strictly intervenes in the professional framework constituted by company lunches (professional email address, delivery to professional premises, during the client's professional activity hours, etc.).
In its response to the sanction report, the company went on to argue that it had ensured individuals' consent to the use of their personal data for advertising targeting purposes by choosing the services of the company [...], whose confidentiality policy provides for the communication of the personal data of its members to advertisers: By choosing the services of the company [...], NESTOR has taken the necessary precautions to ensure the consent of prospects to their data being used for advertising targeting purposes and communicated to advertisers. In this case, NESTOR uses the services of the company [...] as one of its subcontractors. The company [...] therefore acts in the name and on behalf of NESTOR, which can therefore legitimately rely on the consent obtained by the company [...] on its behalf.
The restricted committee notes that the professional social network [...] allows people to register in order to get in touch with professionals, as part of a job search, or to share information with their professional network and to extend it. The restricted committee therefore considers that the prospecting messages sent by the company for the sale of meals at people's workplace have little connection with the professional activity of the prospects.
The restricted committee also considers that the prospects canvassed were not aware of the collection of their personal data by the company and that it carried out prospecting by email and SMS without having previously obtained their consent.
In addition, the restricted committee emphasizes that the commercial prospecting carried out by the company falls within the scope of paragraph 1 of Article L. 34-5 of the CPCE, which provides for a specific legal basis founded on consent, thus ruling out legitimate interest as a legal basis for these prospecting operations.
In such circumstances, the restricted committee considers that the company is required to obtain the prior, free, specific and informed consent of people to receive direct prospecting messages by e-mail, in accordance with Article L. 34-5 of the CPCE, which it does not do.
The restricted committee considers that the deletion of personal data collected without the consent of the persons is necessary insofar as this data is processed in the absence of a legal basis, the persons concerned not having given their consent. It notes that the company told it that it had destroyed its database containing the personal data of prospects, without however substantiating this. It also considers that it is not necessary to delete the data of prospects who have since become customers of the company.
Under these conditions, the restricted committee considers that the company has disregarded the provisions of article L. 34-5 of the CPCE.
2. On the absence of consent from persons creating an account on the website or the application of the company, upon receipt of commercial prospecting messages
The rapporteur maintains that the company does not collect the consent of people creating an account on its website or its application for the processing of their personal data for the purposes of commercial prospecting by e-mail.
The rapporteur noted that when the CNIL delegation created an account on the company's website during the check carried out on May 3, 2019, no process aimed at obtaining consent to the collection and processing of data for commercial prospecting purposes by e-mail was implemented.
The rapporteur also noted that the CNIL delegation, which had neither placed any order nor given such consent, received prospecting emails and SMSs from the company. Such mailings continued until August 2019 and are recognized by the company.
The restricted committee considers that the company is required to obtain the prior, free, specific and informed consent of people creating an account on the company's website or application to receive direct prospecting messages by e-mail, in accordance with paragraph 1 of Article L. 34-5 of the CPCE.
As part of the procedure, the company has justified having inserted a method of obtaining consent from September 11, 2019 on the website and from March 5, 2020 on the application, and its compliance with article L 34-5 of the CPCE since when creating a customer account on the website or on the NESTOR application, the user must complete a registration form, one of the sections of which is to fill in, in particular, his choice to receive daily or weekly menus or special offers by email by checking one of the corresponding boxes.
Under these conditions, the restricted committee considers that the breach of article L. 34-5 of the CPCE has been established, but that the company has completely brought itself into compliance on the closing date of the instruction.
C. On the breach relating to the obligation to inform individuals pursuant to Articles 12 and 13 of the GDPR
Under the terms of paragraph 1 of article 12 of the GDPR: The controller takes appropriate measures to provide any information referred to in articles 13 and 14 as well as to proceed with any communication under articles 15 to 22 and Article 34 as regards the processing of the data subject in a concise, transparent, understandable and easily accessible manner, in clear and simple terms […].
Article 13 of the GDPR requires the controller to provide, at the time the data is collected, information relating to its identity and contact details, the purposes of the processing and its legal basis, the recipients or categories of recipients of personal data, where applicable transfers of personal data, the retention period of personal data, the rights enjoyed by individuals as well as the right to lodge a complaint with a supervisory authority.
The rapporteur notes that, as emerges from the findings made during the online check of February 20, 2020, the information made available to users of the site and the application was neither complete within the meaning of Article 13 of the Regulation nor easily accessible within the meaning of Article 12 of the Regulation.
In defense, the company indicated that it had made corrections, as part of the procedure, in order to deliver information in accordance with the requirements of the GDPR.
The restricted committee recalls that in order to consider that a data controller fulfills his obligation of transparency, the information provided must in particular be easily accessible to the persons concerned within the meaning of Article 12 of the Regulation.
It notes, in this regard, that this provision must be interpreted in the light of recital 61 of the Regulation, according to which information on the processing of personal data relating to the data subject should be provided to him at the time when such data are collected from him. In this sense, it shares the position of the Article 29 Working Party (G29) presented in the guidelines on transparency within the meaning of the Regulation, adopted in their revised version on 11 April 2018 (hereinafter the guidelines on transparency), which recall that the person concerned should not have to search for the information but should be able to access it right away.
In this case, the restricted committee notes that the personal data collection form allowing registration on the company's website did not include all of the information required by Article 13 of the GDPR, nor did it refer to a dedicated page containing all the information provided for by the GDPR. Thus, the restricted committee notes that no information relating to the legal bases of the processing implemented, to the recipients or categories of recipients of the data, to the retention period of the data or even to the existence of the right to lodge a complaint with a supervisory authority was provided.
In addition, the restricted committee considers that the confidentiality policy on the home page of the website was incomplete with regard to the information relating to the retention periods for the personal data of prospects.
The restricted committee also considers that the confidentiality policy does not allow people to know, for each processing operation, the legal basis on which it relies, nor the legitimate interest pursued by the data controller when the processing of personal data is based on this legal basis.
The restricted committee also considers that the confidentiality policy is imprecise with regard to information relating to the recipients of personal data since it is indicated that the data may be transmitted to certain partners […]. The restricted committee considers that if the company is not required to provide the identity of all the recipients of the data, it must, however, at least inform people of the categories of recipients of the data.
Finally, the restricted committee observed that no information relating to the protection of personal data was provided to people creating an account on the mobile application.
It nevertheless notes that, in the context of the procedure, the company has justified having taken measures to comply with Articles 12 and 13 of the GDPR.
First of all, concerning the registration form on the website, the company justifies having inserted in the form, a link entitled Your personal data referring to the confidentiality policy. The company also justifies having brought its confidentiality policy into compliance, which now contains all the information required by article 13 of the GDPR. Finally, the company indicates that it has operated a redesign of its mobile application since March 5, 2020, and that the registration page and the home page of the application have since offered a link to the policy of confidentiality, which also contains all the information required by Article 13 of the GDPR.
Under these conditions, the restricted committee considers that the breach of articles 12 and 13 of the GDPR has been established, but that the company had brought itself into compliance by the closing date of the instruction.
D. On the breach relating to the obligation to respect the right of access of individuals pursuant to Article 15 of the GDPR
Article 15, paragraph 1, of the GDPR provides for the right of a person to obtain from the controller access to the personal data concerning him and, in particular, when the personal data are not collected from the data subject, any available information as to their source.
It is also provided for in paragraph 3 of the same article that the controller provides a copy of the personal data being processed.
Finally, Article 12.4 of the GDPR provides that the data controller provides the data subject with information on the measures taken following a request made under Articles 15 to 22, as soon as possible and in any event within one month of receipt of the request.
During the investigation of two complaints received by the CNIL (referrals no. […] and […]), it appeared that the company failed in its obligation to provide the complainants with a copy of the personal data concerning them which it held in its database, as well as information relating to the source of these data.
Regarding the first complaint (no. […]), the company maintains that after the complaint was referred to the CNIL by the complainant, Mr. X, it communicated to him supporting information specifying that the unsubscription from the lists had been unsuccessful because of the redirection of emails from a second email address to the first.
Regarding the second complaint (no. […]), the company maintains that, after the complaint was referred to the CNIL by the complainant, Mr. Y, it communicated to him the source of his personal data. The company adds that the request made by Mr. Y was a request for portability falling under Article 20 of the GDPR and not a request relating to the right of access falling under Article 15 of the GDPR.
In the course of the proceedings, the company argued that it had not understood the scope of these two requests.
First, the restricted committee notes that it emerges from the complaint lodged by Mr. X that the latter asked the company, by email of November 8, 2018, for a copy of all of his personal data as well as information on the source of that data. The restricted committee notes that the company only indicated in return to Mr. X that he was indeed unsubscribed from its mailing lists.
The restricted committee thus notes that it emerges from the responses provided by the company to the complainant that it did not provide him with a copy of his personal data, nor their source, as requested.
Secondly, the restricted committee notes that it emerges from the complaint lodged by Mr. Y that the company responded to his access request of December 14, 2018 more than five months later, on May 14, 2019.
The restricted committee considers that the company did not indicate the source of the data, but merely told Mr. Y that it had reconstituted his email address on the basis of another email address, without indicating to him that this other email address had been obtained via the professional social network [...]. The company thus only listed the type of data it was processing. The restricted committee also considers that it was clear that this was not a request for portability, in particular in that Mr. Y precisely indicated in his email sent to the company on December 14, 2018: […] I would like to introduce a request for access under the European Data Protection Regulation (RGPD / GDPR) in order to obtain a copy of any information that you keep about me, whether in computerized or manual form, in relation to my information […]. In any event, whether it is a request addressed to the company under Article 15 of the GDPR or on the basis of its Article 20, the restricted committee considers that the company has not granted it, since none of his data has been communicated to him in any format whatsoever.
Under these conditions, the restricted committee considers that the breach of article 15 of the GDPR is constituted on these two complaints, although the latter do not demonstrate a structural nature of the breach alleged against the company. The restricted committee also considers that the company had still not brought itself into compliance by the closing date of the instruction.
E. On the failure to ensure the security of personal data pursuant to Article 32 of the GDPR
Article 32 of the Regulation provides:
1. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of probability and severity of which vary, for the rights and freedoms of natural persons, the controller and the processor implement the appropriate technical and organizational measures to guarantee a level of security adapted to the risk, including, among others, as needed:
a) pseudonymization and encryption of personal data;
b) the means to ensure the confidentiality, integrity, availability and continued resilience of processing systems and services;
c) the means to restore the availability of personal data and access to them within an appropriate timeframe in the event of a physical or technical incident;
d) a procedure for testing, analyzing and regularly evaluating the effectiveness of technical and organizational measures to ensure the security of processing. […].
The rapporteur noted that during the online check of May 3, 2019, the delegation observed that a single character password was accepted when creating an account by a person via the mobile application and that a password consisting of six characters was accepted when creating an account via the company's website.
During the control of February 20, 2020, the rapporteur noted that if the company had taken measures to strengthen the composition of the password required for the creation of an account on the website of the company, a password composed of a single character was always accepted for the creation of an account on the mobile application.
The rapporteur therefore maintains that the password for connecting customers to their personal space, accessible from the mobile application, was still insufficiently robust to ensure the security of personal data, since it was composed of a single character.
In defense, the company disputes the deliberate nature of the security defect of which it is accused and indicates that it modified the measures relating to the management of login passwords for user accounts on its mobile application during the update of the latter, on March 5, 2020.
The restricted committee considers that the length and complexity of a password remain elementary criteria for assessing its strength. It notes in this regard that the need for a strong password is also underlined by the National Information Systems Security Agency (ANSSI), which indicates that a good password is above all a strong password, that is, one that is difficult to find even using automated tools. The strength of a password depends on its length and the number of possibilities available for each character in it. This is because a password made up of lower case letters, upper case letters, special characters and numbers is technically more difficult to discover than a password made up only of lower case letters.
By way of clarification, the restricted committee recalls that, to ensure a sufficient level of security and meet the requirements of password robustness when authentication is based solely on a username and password, the CNIL recommends, in its deliberation n° 2017-012 of January 19, 2017, that the password have at least twelve characters, containing at least one uppercase letter, one lowercase letter, one number and one special character, or at least eight characters, containing three of these four categories of characters, if it is accompanied by an additional measure such as, for example, a timeout of access to the account after several failures (temporary suspension of access whose duration increases with the number of attempts), the implementation of a mechanism to guard against automated and intensive submission of attempts (e.g. captcha) and/or blocking of the account after several unsuccessful authentication attempts.
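The two alternatives recalled above (twelve characters with all four categories, or eight characters with three categories plus an additional measure) can be written out as a registration-time check, paired with the "timeout whose duration increases with the number of attempts" measure the decision names. This is an added illustration, not code from the decision, from the CNIL or from NESTOR; the function names, the doubling suspension schedule, the tolerance of two free failures and the sample passwords (including the single-character and six-character ones the delegation saw accepted) are assumptions constructed for the example.

```python
"""Password policy and login throttle modelled on the CNIL thresholds quoted in the decision."""
import string
from dataclasses import dataclass, field

UPPER = frozenset(string.ascii_uppercase)
LOWER = frozenset(string.ascii_lowercase)
DIGITS = frozenset(string.digits)
ALNUM = UPPER | LOWER | DIGITS


def character_categories(password: str) -> int:
    """Count how many of the four categories (upper, lower, digit, special) appear."""
    present = [
        any(c in UPPER for c in password),
        any(c in LOWER for c in password),
        any(c in DIGITS for c in password),
        any(c not in ALNUM for c in password),  # anything else counts as special
    ]
    return sum(present)


def password_acceptable(password: str, extra_measure: bool) -> bool:
    """Apply the two alternatives of CNIL deliberation 2017-012 as quoted in the decision.

    extra_measure is True when the login is protected by an additional control
    (suspension with growing delay, captcha, or blocking after repeated failures).
    """
    categories = character_categories(password)
    if len(password) >= 12 and categories == 4:
        return True
    if extra_measure and len(password) >= 8 and categories >= 3:
        return True
    return False


@dataclass
class LoginThrottle:
    """Temporary suspension whose duration grows with the number of failed attempts.

    Hypothetical in-memory helper (constructed for this example): the first two
    failures cost nothing, the third suspends for base_delay seconds, and every
    further failure doubles the suspension. A successful login resets the counter.
    """
    base_delay: float = 1.0
    free_attempts: int = 2
    state: dict = field(default_factory=dict)  # username -> (failure count, locked_until)

    def is_locked(self, user: str, now: float) -> bool:
        _, locked_until = self.state.get(user, (0, 0.0))
        return now < locked_until

    def record_failure(self, user: str, now: float) -> float:
        """Register a failed login and return the suspension applied, in seconds."""
        count, _ = self.state.get(user, (0, 0.0))
        count += 1
        excess = count - self.free_attempts
        delay = self.base_delay * 2 ** (excess - 1) if excess > 0 else 0.0
        self.state[user] = (count, now + delay)
        return delay

    def record_success(self, user: str) -> None:
        """A successful login clears the failure counter for that user."""
        self.state.pop(user, None)


if __name__ == "__main__":
    # Constructed sample passwords: the kinds the delegation saw accepted, then compliant ones.
    for pw in ["a", "abcdef", "Passw0rd", "Tr0ub4dor&3x!"]:
        print(f"{pw!r:18} no extra measure: {password_acceptable(pw, False)!s:5} "
              f"with extra measure: {password_acceptable(pw, True)}")
    throttle = LoginThrottle()
    for attempt in range(5):
        delay = throttle.record_failure("alice", now=float(attempt))
        print(f"failure {attempt + 1} -> suspension {delay} s")
```

The eight-character branch is only reachable when `extra_measure` is set, which mirrors the conditional wording of the recommendation: a shorter password is tolerated by the CNIL only because something else limits online guessing.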
In the present case, the restricted committee considers, first of all, that with regard to the undemanding rules governing their composition, the strength of the passwords accepted by the company was too weak, leading to a risk of compromise of the associated accounts and of the data they contain.
However, the restricted committee notes that the company has substantiated having modified the measures relating to the management of login passwords for user accounts.
Consequently, the restricted committee considers that the breach relating to the obligation to ensure the security of personal data is established but that, in view of the elements provided by the company during the procedure, there is no need to issue an injunction.
III. On corrective measures and their publicity
Under the terms of III of article 20 of the law of 6 January 1978 as amended:
When the data controller or his subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also, where applicable after having sent him the warning provided for in I of this article or, where applicable in addition to a formal notice provided for in II, refer the matter to the restricted committee of the Commission with a view to pronouncing, after adversarial proceedings, one or more of the following measures: […]
2° An injunction to bring the processing into line with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law, or to meet the requests presented by the data subject in order to exercise their rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment the amount of which may not exceed €100,000 per day of delay from the date set by the restricted committee; […]
7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover for the previous fiscal year, whichever is greater. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same Article 83.
Article 83 of the GDPR provides that each supervisory authority shall ensure that the administrative fines imposed under this Article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.
First, concerning the pronouncement of an administrative fine, the company maintains that the restricted body does not have the power to pronounce a fine for a breach of article L. 34-5 of the CPCE. In addition, the company notes that articles 20 of the law of January 6, 1978 and 83 of the GDPR do not indicate any fine limit applicable for a breach of article L. 34-5 of the CPCE and do not specify the criteria to be taken into account in determining the amount of the fine.
As the restricted formation has previously demonstrated, paragraph 6 of Article L. 34-5 of the CPCE gives the CNIL full competence to ensure compliance with that article, for the matters which concern it, by using the powers conferred on it by the Data Protection Act.
Article 20, paragraph III, point 7) of the amended law of 6 January 1978 specifies that the CNIL has the power to pronounce administrative fines, sets the ceilings and refers to Article 83 of the GDPR for the criteria to be taken into account in determining the amount of these fines. Thus, contrary to what the company seems to maintain, it is not Article 83 of the GDPR which is applied in this case to allow the restricted formation to pronounce a fine, but indeed Article 20 of the Law of January 6, 1978, the application of which is expressly provided for by paragraph 6 of Article L. 34-5 of the CPCE and which, for its part, refers to the criteria of Article 83 of the GDPR for determining the amount of the fine.
In view of the aforementioned provisions, the restricted committee therefore considers that it has the power to pronounce a fine for a breach of article L. 34-5 of the CPCE.
Secondly, the company maintains that the sanction report does not contain any motivation with regard to the legal criteria justifying the imposition of a fine and its amount. The company adds that the proposed fine is disproportionate given the economic context caused by the Covid-19 health crisis. It emphasizes that its financial situation is already severely impacted by this crisis so that the imposition of a fine against it would seriously compromise the sustainability of its activities. In this regard, the company produces an accounting certificate certifying that the estimated available cash for the month of December 2020 would amount to […] euros.
On the contrary, the restricted committee considers that the pronouncement of an administrative fine is justified with regard to the criteria laid down by Article 83 paragraph 2 of the GDPR.
With regard to the breach of Article L. 34-5 of the CPCE, the restricted committee considers that the company has shown serious negligence in considering that it could, in order to build its base of prospects, refrain from collecting people's consent. The seriousness of this violation is established in particular by the particularly large number of people concerned by the violation and by the fact that the CNIL received several complaints, which were at the origin of the CNIL control procedure.
Regarding the breach of the obligation to inform individuals, the restricted formation recalls that information and transparency relating to the processing of personal data are essential obligations incumbent on data controllers, so that individuals are fully aware of the use that will be made of their personal data once it has been collected.
Therefore, the restricted committee considers that it is necessary to pronounce an administrative fine with regard to the breaches of Article L. 34-5 of the CPCE and Articles 12 and 13 of the GDPR.
Regarding the breach of the obligation to respect people's right of access, pursuant to Article 15 of the GDPR, the restricted panel notes that, in the context of the procedure, the company argued that it did not understand the scope of the requests and that the two complaints received do not demonstrate a structural nature of the breach alleged against the company. Regarding the breach of the obligation to ensure data security, in application of article 32 of the GDPR, the restricted committee considers that, in view of the measures taken by the company, it has shown good faith in the framework of the procedure. Consequently, the restricted panel considers, in view of the circumstances of the case, that there is no need to base its fine on the basis of these two breaches, although they are characterized.
Regarding the amount of the administrative fine, the restricted panel recalls that paragraph 3 of Article 83 of the Regulation provides that in the event of multiple violations, as is the case here, the total amount of the fine cannot exceed the amount fixed for the most serious violation. Insofar as the company is accused of a breach of Article L. 34-5 of the CPCE and Articles 12 and 13 of the Regulation, the maximum amount of the fine that may be retained is 20 million euros or 4% of worldwide annual turnover, whichever is greater.
However, the restricted committee also takes into account, in determining the amount of the fine imposed, the financial situation of the company. The company reported its estimated turnover for the year 2020, for the period from January 1 to July 31, at […] euros, a sharp drop compared to 2019, when its turnover had reached […] euros at December 31. The company also reports, for the period from January 1 to July 31, 2020, an estimate of its earnings before interest, taxes and depreciation, negative by […] euros.
Therefore, in view of the economic context caused by the Covid-19 health crisis, its consequences on the financial situation of the company and the relevant criteria of Article 83, paragraph 2, of the Regulation mentioned above, the restricted committee considers that the imposition of a fine of 20,000 euros appears to be at the same time effective, proportionate and dissuasive, in accordance with the requirements of Article 83, paragraph 1, of the Regulation.
Third, an injunction to bring the processing into line with the provisions of Articles L. 34-5 of the CPCE, 12, 13, 15 and 32 of the GDPR was proposed by the rapporteur when the report was notified.
Regarding the failure to obtain the consent of the person concerned by a direct prospecting operation by means of an automated electronic communications system, in application of Article L. 34-5 of the CPCE, the restricted formation considers that, the company having taken satisfactory measures to obtain the consent of persons when creating an account on the application and on the website, and having undertaken, as part of the procedure, not to send direct prospecting messages by e-mail to prospects without their prior consent, the injunction proposed in the report is no longer necessary. However, the restricted committee considers that the company has not demonstrated that it has deleted from its database the prospects whose prior, free, specific and informed consent to receive direct prospecting messages by e-mail has not been collected by the company. Consequently, the restricted panel considers that an injunction should be issued on this point.
Regarding the breach of the obligation to respect people's right of access, in application of article 15 of the GDPR, the company maintains that it has put in place an internal procedure making it possible to grant the requests made with regard to the Article 15 of the GDPR and to have amended it in order to satisfy requests for the right of access in a satisfactory manner. It communicated its internal procedure to the restricted formation, in accordance with the latter's invitation, on November 6, 2020.
The restricted committee considers, however, that the company has not fully responded to the requests for access rights presented by Mr. X and Mr. Y.
Thus, without ignoring the steps taken by the company to comply with the GDPR and the establishment and amendment of its internal procedure, the restricted committee considers that the company has still not demonstrated its compliance with Article 15 of the Regulation, for lack of having satisfied the requests of Mr. X and Mr. Y. The restricted panel therefore considers that an injunction should be issued.
Fourth, the restricted committee considers that the publication of the sanction is justified in view of the plurality of breaches noted, their persistence and their seriousness. Indeed, the restricted committee considers that, if the company has taken measures within the framework of the sanction procedure making it possible to bring the processing of personal data that it carries out into conformity, it has however not taken into account all the requirements set by Article L. 34-5 of the CPCE in terms of obtaining consent, nor those resulting from the Data Protection Act.
In addition, the restricted committee considers that the practices of the company, which carried out prospecting operations by e-mail in the absence of the consent of the persons concerned, justify the publication of its decision.
Finally, the restricted committee considers that publication would strengthen the dissuasive nature of the main sanction.
FOR THESE REASONS
The restricted formation of the CNIL, after having deliberated, decides to:
- pronounce against the company NESTOR SAS an administrative fine in the amount of 20,000 (twenty thousand) euros for breaches of Article L. 34-5 of the Postal and Electronic Communications Code (hereinafter the CPCE) and Articles 12 and 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the GDPR);
- issue an injunction against the company NESTOR SAS to bring the processing into line with the obligations resulting from Article L. 34-5 of the CPCE and Article 15 of the GDPR, and in particular:
• with regard to the failure to obtain the consent of the person concerned by a direct prospecting operation by means of an automated electronic communications system:
* justify the deletion of all personal data previously collected without the consent of prospects;
• with regard to the breach of the obligation to respect the right of access:
* fully comply with requests for access rights by communicating to the requesters a copy of all their personal data held, as well as, where applicable, information relating to the source from which their data comes;
- accompany the injunction with a penalty payment of 500 (five hundred) euros per day of delay at the end of a period of 3 (three) months following the notification of this deliberation, the supporting documents for compliance having to be sent to the restricted formation within this period;
- make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name after the expiration of a period of two years from its publication.
The vice president
Philippe-Pierre CABOURDIN


This decision may be appealed against to the Council of State within two months of its notification.

Revision as of 09:55, 11 January 2021

CNIL - SAN-2020-018
Authority: CNIL (France)
Jurisdiction: France
Relevant Law:
  • Article 12 GDPR
  • Article 12(4) GDPR
  • Article 13 GDPR
  • Article 15(1) GDPR
  • Article 15(3) GDPR
  • Article 32 GDPR
  • Article 20 III loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
  • Article 8 loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
  • Article L. 34-5 Code des postes et des communications électroniques
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.12.2020
Published: 06.01.2021
Fine: 20000 EUR
Parties: Nestor SAS
National Case Number/Name: SAN-2020-018
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA (CNIL) imposed a fine of €20,000 on the catering company Nestor. The company sent commercial emails without gathering consent (Article L. 34-5 Postal and Electronic Communication law), it did not provide sufficient information to data subjects (Articles 12 and 13 GDPR), it failed to respect data subjects' right of access (Article 15) and finally, it did not afford sufficient security to the personal data it processed (Article 32).

English Summary

Facts

Nestor SAS, founded in 2015, provides a service of prepared and delivered meals to office employees who order them on its website. It was subject to various complaints over time.

In November 2018 and January 2019, CNIL received four complaints from people that were not clients, indicating that they had received commercial emails despite having never provided their consent.

Additionally, another complainant outlined that it is particularly difficult to object to the processing of personal data for commercial emailing purposes. Some complainants received emails despite having unsubscribed from the mailing list.

Another two complainants attempted to get a copy of their personal data from Nestor, without success. Nestor also did not respond to requests asking for information about the purpose of processing, the duration of processing or the source of the data.

The CNIL also conducted an investigation of the Nestor website and app in May 2019. This was performed to check its compliance with the GDPR and the French national data protection law of 1978 as amended (loi n°78-17 du 6 janvier 1978 modifiée relative à l’informatique, aux fichiers et aux libertés). CNIL did this again in February 2020.

The CNIL also inspected the company's headquarters in May 2019.

CNIL continued its investigation in June and September 2019 by requiring further information on the legal basis for processing data, the right to object and the duration of processing of personal data.

Dispute

There were four key material law questions:

  • Did Nestor violate Article L. 34-5 of the Postal and Electronic Communication law (Code des postes et des communications électroniques) by sending commercial emails without consent?
  • Did Nestor fail to provide sufficient information to the data subject at the moment of collecting their personal data in violation of Articles 12 and 13 GDPR?
  • Did Nestor fail to respect the exercise of the right of access in violation of Article 15 GDPR?
  • Did Nestor fail to satisfy the obligation of security in violation of Article 32 GDPR?

Holding

Regularity of the Procedure:

Claim that CNIL did not have the power to impose measures:

Nestor claimed that the CNIL lacked powers to impose any sanctioning measures unless there was continuous non-compliance with the law.

The CNIL held that Article 20 III of the 1978 national data protection law (amended) cannot be interpreted to restrict the functions of the CNIL. Instead, the legislator sought to allow the CNIL to impose sanctions for any violations even if this had stopped and corrective measures are no longer necessary.

The CNIL highlights that this interpretation of Article 20 of the 1978 law is coherent with the GDPR, as highlighted in Recital 148.

The CNIL also referred to a decision n°423559 by the French Supreme Administrative Court (Conseil d'Etat) which allowed for such sanctions, even if the violation had been corrected.

Therefore, the CNIL dismissed the argument brought by Nestor that they did not have the power to impose sanctions.

Claim that the CNIL did not have standing:

Nestor also argued that the CNIL misinterpreted the scope of the referral for the investigation, which did not refer to Article L. 34-5 of the French Postal and Electronic Communication law (Code des postes et des communications électroniques). Therefore, the CNIL could not pronounce itself on the violations of Article L. 34-5 of that law.

However, the CNIL referred to Article 8 of the 1978 law (amended) to specify that the CNIL has for mission to apply the 1978 law, as well as other provisions relating to data protection law in legislative texts, EU legislation and international agreements that France is signatory to. Therefore, Article L. 34-5 of the French Postal and Electronic Communication law falls within that scope.

The French Supreme Administrative Court also confirmed that the CNIL could ensure respect of Article L. 34-5 of the French Postal and Electronic Communication law in its decision n°368624.

Therefore, the CNIL could apply the Postal and Electronic Communication law to investigate potential violation of that law.

Claim that the allegations lacked precision:

The CNIL rejected the argument that the allegations it made lacked precision as it deems that there was sufficient material and temporal information to allow Nestor to exercise its right of defense.

Violation of the obligation to gather consent as prescribed by Article L. 34-5 of the Postal and Electronic Communication law:

Lack of consent from natural persons receiving commercial emails:

The CNIL found in its investigation that Nestor worked with two companies to create a database of personal data to send commercial emails. This was achieved by combining the name of the natural person with the company they work for and collating it in a database. Nestor revealed that 635,033 commercial emails were sent that way since 2017.

The CNIL dismissed Nestor's allegation that this processing of personal data relied on their legitimate interest as a legal basis (and therefore Nestor's claim that they did not need prior consent).

The CNIL held that sending commercial emails to natural persons had no link to the recipients' professional activity as it concerned lunch meals. The CNIL therefore held that Nestor sent emails and SMS without having gathered consent beforehand. According to the CNIL, these commercial emails fell within the scope of Article L. 34-5 of the Postal and Electronic Communication law which also excludes legitimate interest as a legal basis.

Therefore, Nestor violated Article L. 34-5 of the Postal and Electronic Communication law.

Lack of consent to receive commercial emails from natural persons creating accounts on Nestor's website or app:

The CNIL held that Nestor did not gather valid consent to send commercial emails to users creating accounts on its website or app.

This was therefore in violation of Article L. 34-5 of the Postal and Electronic Communication law. Nestor has since corrected this issue.

Violations of the obligations to inform as prescribed by Article 12 and 13 GDPR:

The CNIL held that the information provided by Nestor to data subjects concerning the processing of their personal data, at the moment of collecting such data, was incomplete and hence, in violation of Article 13 GDPR. The questionnaire to subscribe to Nestor did not include all the information required by Article 13 GDPR: there was no information on legal bases for processing, recipients of the personal data, duration of processing nor the right to file a complaint before the relevant authority.

Additionally, the CNIL held that the privacy policy on the home page was not complete: lack of information on duration of the processing, the legal bases and any potential third party recipients.

It also held that this information was not easily accessible for the data subject, in violation of Article 12 GDPR. The CNIL highlighted that Article 12 must be interpreted in light of Recital 61 and the Article 29 Working Party Guidelines on transparency (i.e. the data subject must not have to look for information, but must be able to access it immediately).

Therefore, Nestor violated Articles 12 and 13 GDPR. The company has since remedied these issues.

Violations of the obligations to respect the right of access as prescribed by Article 15 GDPR:

The CNIL held that Nestor failed to provide a requesting data subject a copy of their personal data that Nestor had on their database. Nestor only unsubscribed the data subject from their mailing list. This was therefore a failure to respect the exercise of the right of access as per Article 15(3) GDPR.

Additionally, the CNIL held that Nestor responded to a request for information under Article 15 after more than 5 months had passed (Article 12(4) GDPR requires this to be done within 1 month). Similarly, Nestor failed to provide information as to its source for collecting personal data: it only described that the data subject's email was reconstituted based on another email address, without mentioning that the latter had been obtained on a professional social media platform. Nestor also did not provide any copy of the data to the data subject.

Therefore, Nestor failed to respect data subjects' exercise of their right of access in violation of Article 15.

Violations of the obligations to ensure security of personal data as prescribed by Article 32 GDPR:

The CNIL found that Nestor's subscription page allowed data subjects to have a password of only one character on the app, and of 6 characters on the website.

The CNIL held that the app's password requirements were insufficient to ensure the security of the personal data as required by Article 32 GDPR. According to the DPA, the length and complexity of a password are what is necessary for security purposes. The CNIL referred to its recommendations found in deliberation n° 2017-012 (19 January 2017) on password security.

The CNIL therefore held that Nestor violated Article 32 GDPR.
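As an added illustration of the length-and-complexity point (this is example code, not from the decision or from GDPRhub), the following Python checker evaluates candidate passwords against three constructed policies: the one-character and six-character minimums reported above, and an assumed hardened policy requiring 12 characters from at least three character classes. It also computes the guess space each minimum length leaves to an online or offline brute-force attempt, which is what makes a one-character minimum a security failure rather than a usability choice.

```python
"""Password policy comparison for the Article 32 finding above.

Added example, not part of the CNIL decision or the GDPRhub page.
The "app" and "website" policies mirror the minimum lengths the decision
reports (1 and 6 characters).  The "hardened" policy is an assumption
standing in for a generic length-plus-complexity rule; it is not a
quotation of CNIL deliberation 2017-012.
"""
from __future__ import annotations

import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    min_classes: int = 1  # how many of lower / upper / digit / symbol


# Character classes used for the complexity check.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed policies (see module docstring for provenance).
APP_POLICY = PasswordPolicy("app as found (1 character)", min_length=1)
WEBSITE_POLICY = PasswordPolicy("website as found (6 characters)", min_length=6)
HARDENED_POLICY = PasswordPolicy("hardened (assumed)", min_length=12, min_classes=3)


def character_classes(password: str) -> set[str]:
    """Names of the character classes that appear at least once in password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the policy violations for password; an empty list means accepted."""
    problems: list[str] = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    found = character_classes(password)
    if len(found) < policy.min_classes:
        problems.append(
            f"uses {len(found)} character class(es), policy requires {policy.min_classes}"
        )
    return problems


def accepted_by(password: str) -> dict[str, bool]:
    """Which of the three policies would have accepted this password at signup."""
    return {
        policy.name: not check_password(password, policy)
        for policy in (APP_POLICY, WEBSITE_POLICY, HARDENED_POLICY)
    }


def guess_space(min_length: int, alphabet_size: int = 95) -> int:
    """Number of candidates an attacker must try to exhaust the weakest
    password the policy permits (95 = printable ASCII, a constructed assumption)."""
    return alphabet_size ** min_length


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("a", "abcdef", "Correct-Horse-42"):
        print(f"{candidate!r}: {accepted_by(candidate)}")
    for policy in (APP_POLICY, WEBSITE_POLICY, HARDENED_POLICY):
        print(f"{policy.name}: weakest permitted password needs "
              f"{guess_space(policy.min_length):.2e} guesses to exhaust")
```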

Corrective measures:

For the aforementioned violations, the CNIL imposed a fine of €20,000 on Nestor SAS, having considered the economic impact of COVID-19 on the catering company. It also required Nestor to ensure compliance with the violated Articles in the future (including responding to the access requests).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted formation no. SAN-2020-018 of December 8, 2020 concerning the company NESTOR SAS

The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Mr. Philippe-Pierre CABOURDIN, vice-president, Mrs. Dominique CASTERA, Mrs. Anne DEBET and Mrs. Christine MAUGÜE, members;

Having regard to Convention No. 108 of the Council of Europe of January 28, 1981 for the protection of individuals with regard to automatic processing of personal data;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Considering the law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms modified, in particular its articles 20 and following;

Considering Ordinance No. 2020-306 of March 25, 2020 relating to the extension of deadlines expired during the period of health emergency;

Considering the decree no 2019-536 of May 29, 2019 taken for the application of the law no 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to deliberation no 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Information Technology and Freedoms;

Having regard to referrals nos […], […], […], […] and […];

Considering the decision n ° 2019-082C of April 24, 2019 of the President of the National Commission for Informatics and Freedoms to instruct the Secretary General to proceed or to have carried out a mission to verify the processing implemented by this body or on behalf of NESTOR;

Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated December 19, 2019;

Having regard to the report by Mr. François PELLEGRINI, commissioner rapporteur, notified to the company NESTOR on February 28, 2020;

Having regard to the written observations made by the company NESTOR on August 21, 2020;

Having regard to the rapporteur's response to these observations notified on September 18, 2020 to the company's board;

Having regard to the new written observations made by counsel for the company NESTOR, received on October 16, 2020, as well as the oral observations made during the session of the restricted formation;

Having regard to the internal procedure for managing requests for the exercise of rights, provided by counsel for NESTOR on November 6, 2020;

Having regard to the other documents in the file;

Were present during the session of the restricted formation of November 5, 2020:

Mr François PELLEGRINI, commissioner, heard in his report;

As representatives of NESTOR:

[…] ;

[…] ;

[…] ;

[…] ;

[…].

The NESTOR company having had the floor last;

The restricted committee adopted the following decision:

I. Facts and procedure

The company NESTOR SAS (hereinafter the company) is a simplified joint stock company created in February 2015, whose activity is the preparation and delivery of meals to office workers, ordered from the company's website nestorparis.com and a mobile application. Its head office is located at 113, rue Victor Hugo in Levallois-Perret (92300).

In 2018, NESTOR SAS achieved a turnover of around […] euros and a negative net result of around […] euros. In 2019, the company achieved a turnover of approximately […] euros and a negative net result of approximately […] euros. NESTOR employs approximately 74 people. On May 14, 2019, the company had 169,768 customer accounts created via its site and its mobile application.

In November 2018 and January 2019, the National Commission for Informatics and Freedoms (hereinafter the CNIL or the Commission) received four complaints from people who are not clients of the company, indicating that they had received prospecting emails from the latter without having provided their prior consent (referrals no. […], […], […] and […]). These emails contained information relating to commercial offers and menus offered by the company. Some complainants informed the CNIL that the company had told them that it had reconstituted their e-mail address, in order to contact them, on the basis of the format of their company's e-mail addresses, from the data disseminated on the professional social network […].

Furthermore, a complainant indicated that she encountered difficulties in objecting to the processing of her personal data by the company for the purposes of prospecting by electronic mail (referral no. […]). Several complainants also indicated that despite their unsubscription from the newsletter received by email, they continued to receive prospecting messages through this means.

Finally, two complainants indicated that they had unsuccessfully requested from the company a copy of the personal data concerning them processed by it, as well as several pieces of information relating to the purpose of the processing, the recipients of the data, the data retention periods and the source of their data (referrals no. […] and […]).

On May 3, 2019, in application of decision no 2019-082C of the president of the CNIL, a delegation of the CNIL carried out an online control mission on the website and the mobile application implemented by the company. The purpose of this mission was to verify that the company complied with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the Regulation or the GDPR) and of Law no 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter the law of January 6, 1978 as amended or the Data Protection Act).

During this control mission, the delegation followed the registration process of a person on the website as well as on the company's mobile application and created an account in the name of the CNIL. It thus carried out checks in relation to the data entered by the persons when they registered, the information relating to the protection of personal data provided to the persons concerned as well as the security measures put in place by the company with regard to passwords associated with the accounts.

On May 14, 2019, a delegation from the CNIL carried out a control mission on the company's premises, in application of the aforementioned decision n ° 2019-082C. During this check, the company told the delegation that it was redesigning its website in order to comply with the GDPR, in particular with regard to informing individuals and the means of opposition to the receipt of the newsletter. The company also explained to the delegation how they build their prospect database. Finally, verifications were carried out with regard to the follow-up to complaints submitted to the CNIL, with regard to the rights of access and opposition of individuals.

In response to a request of June 21, 2019, the company provided the CNIL control delegation, by email of the following July 3, with information relating to the source of the personal data contained in its prospect database. Finally, by email of September 11, 2019, the company provided the CNIL with information relating to the legal basis of the processing carried out for the purposes of commercial prospecting, the right of opposition as well as the retention periods for the data of prospects and customers.

For the purposes of examining these elements, the President of the Commission appointed Mr. François PELLEGRINI as rapporteur, on December 19, 2019, on the basis of article 22 of the law of January 6, 1978 amended in the version applicable to day of designation.

On February 20, 2020, in order to update the findings already made, a CNIL delegation carried out a new online control mission of the nestorparis.com site and the company's mobile application. The Delegation again created an account on behalf of the Commission, on the website and mobile application, and carried out checks on the transparency of the information provided to individuals as well as the strength of the passwords associated with accounts.

At the end of his investigation, the rapporteur notified the company NESTOR SAS, on February 28, 2020, of a report detailing the breaches of the GDPR that he considered constituted in this case.

This report proposed to the restricted formation of the Commission to issue an injunction to bring the processing into line with the provisions of Article L. 34-5 of the Postal and Electronic Communications Code (hereinafter the CPCE) and Articles 12, 13, 15 and 32 of the Regulation, accompanied by a penalty payment of five hundred euros per day of delay at the end of a period of three months following the notification of the deliberation of the restricted formation, as well as an administrative fine. He also proposed that this decision be made public and no longer make it possible to identify the company by name after a period of two years from its publication.

Also attached to the report was a notice to attend the session of the restricted formation of May 7, 2020, indicating to the company that it had one month to communicate its written observations in application of the provisions of Article 40 of decree no 2019-536 of May 29, 2019.

On March 11, 2020, through its counsel, NESTOR requested by reasoned letter an extension to produce its observations. By email of March 18, 2020, the president of the restricted formation informed the company NESTOR that it could produce its defense observations until April 20, 2020.

On April 8, 2020, by virtue of Ordinance no 2020-306 of March 25, 2020 relating to the extension of deadlines expired during the period of health emergency and to the adaptation of procedures during this same period, adopted in application of emergency law no 2020-290 of 23 March 2020 to deal with the Covid-19 epidemic, the president of the restricted formation informed the company that it had additional time to submit its observations on the rapporteur's report, until August 24, 2020.

On August 21, 2020, through its counsel, the company filed comments. The rapporteur replied on the following September 18.

On September 10, 2020, the Commission services sent the company a notice to attend the session of the restricted formation on November 5, 2020.

By email of August 25, 2020, on the basis of article 40, paragraph 4, of decree n ° 2019-536 of May 29, 2019 taken for the application of the Data Protection Act (hereinafter the decree of 19 May 2019), the rapporteur asked the chairman of the restricted formation for an additional fifteen days to respond to the company's observations, which was granted to him on August 27, 2020. The company was informed on the same day.

On October 16, the company produced further submissions in response to those of the rapporteur.

The company and the rapporteur presented oral observations during the restricted committee session of November 5, 2020.

II. Reasons for the decision

A. On the regularity of the procedure

1. On the complaint alleging the lack of powers of the restricted committee

The company considers that the restricted committee only has the power to pronounce the measures referred to in Article 20 III of the Data Protection Act in the presence of persistent breaches.

First, it maintains that this analysis follows from the wording of the law, Article 20 III of the Data Protection Act providing for the possibility for the restricted committee to have recourse to the measures provided for in that article when the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law.

The rapporteur maintains that the company's interpretation of Article 20 III of the Data Protection Act cannot be followed. The legislator intended to allow the restricted committee of the CNIL to pronounce a sanction, in particular a pecuniary one, including in the event of a duly noted breach for which a formal notice would be pointless because the breach has ceased and no longer calls for correction.

The restricted committee considers that the measures taken by a data controller to put an end to a noted breach, while they may justify that no formal notice or injunction be issued to it for the future, do not deprive the committee of the possibility of pronouncing a corrective measure, and in particular an administrative fine, insofar as the controller's subsequent compliance does not eliminate the existence of past breaches.

It emphasizes that this interpretation of Article 20 of the Data Protection Act is in line with the GDPR, in that this article aims at the accountability of data controllers. The corrective measures falling within the powers of the CNIL's restricted committee can be taken directly in all cases, whether or not the breach can still be remedied. Recital 148 of the GDPR specifies that any violation of the Regulation may be subject to sanctions: "In order to strengthen the application of the rules of this Regulation, sanctions including administrative fines should be imposed for any violation of this Regulation, in addition to or instead of the appropriate measures imposed by the supervisory authority under this Regulation. [...] However, due account should be taken of the nature, gravity and duration of the breach, the intentional nature of the breach and the measures taken to mitigate the damage suffered, the degree of liability or any relevant breach previously committed, the manner in which the supervisory authority became aware of the violation [...]." The criterion of the duration of the breach therefore applies both to a completed and to a persistent breach.

In addition, the restricted committee observes that the Council of State adopted this interpretation, recalling that: "It follows from these provisions, clarified by the preparatory work for the law of October 7, 2016, that the restricted committee of the CNIL may, without prior formal notice, sanction a data controller whose breaches of the obligations incumbent on it are not capable of being remedied, either because they cannot be remedied or because they have already been remedied." (CE, n° 423559, April 17, 2019, Association pour le développement des foyers).

Secondly, the company maintains that the absence of limitation rules for breaches in the Data Protection Act and the GDPR shows that only breaches still in progress on the day of the restricted committee session can be sanctioned, and that any other interpretation would run counter to the case law of the European Court of Human Rights according to which limitation rules are a condition of a fair trial.

The rapporteur recalls that the Commission received four complaints between 2018 and 2019, that checks were carried out by the CNIL delegation in May 2019 and February 2020, and that the rapporteur appointed in December 2019 to investigate these elements notified his report on February 28, 2020. The restricted committee therefore considers that the Commission acted within a reasonable time between the findings made by the control delegation and the referral to the restricted committee.

The restricted committee notes in this regard that it follows from the case law of the Court of Justice of the European Union that the administration's obligation to act within a reasonable time, compliance with which may be reviewed by the Union courts, offers a sufficient level of protection in situations where no limitation period is fixed by the texts (CJEU, T-342/14, Order of the General Court, CR v European Parliament and Council of the European Union, December 12, 2014).

The restricted committee therefore considers that the company is not justified in claiming that the committee only has the power to pronounce the measures referred to in Article 20 III of the Data Protection Act in the presence of persistent and current breaches, nor that the procedure followed before it infringed the right to a fair trial.

2. On the complaint alleging a misunderstanding of the scope of the referral to the restricted committee

The company considers that the restricted committee cannot pronounce on the alleged breach of the provisions of Article L. 34-5 of the Postal and Electronic Communications Code (hereinafter the CPCE).

In the first place, the company maintains that control decision n° 2019-082C of the president of the CNIL, the acts of investigation or inquiry which followed, and the decision of the president of December 19, 2019 appointing a rapporteur and referring the matter to the restricted committee do not mention Article L. 34-5 of the CPCE. Consequently, the restricted committee could not rule on the alleged breach of Article L. 34-5 of the CPCE without disregarding the scope of its referral.

The company also maintains that the restricted committee cannot rely on the elements of the investigation to establish a breach of Article L. 34-5 of the CPCE without disregarding the principles of the specialty of the investigation - which requires that the investigation be carried out within the limits of the field defined by the decision constituting its legal basis - and of the fairness of the investigation - which obliges the investigators to state the object and legal basis of the investigation.

The rapporteur recalls that the aforementioned decisions concern the Data Protection Act and the GDPR and that the resulting acts of investigation or inquiry are carried out within this framework. Article 8 of the law sets out the missions of the CNIL and specifies in particular that it ensures that the processing of personal data is implemented in accordance with the provisions of this law and with the other provisions relating to the protection of personal data provided for by laws and regulations, European Union law and France's international commitments.

The rapporteur therefore maintains that the amended law of January 6, 1978 refers to all the provisions relating to the protection of personal data provided for by legislative and regulatory texts. The prospecting operations referred to in Article L. 34-5 of the CPCE involve the processing of personal data, and this article gives the CNIL competence to ensure compliance with it when the data processed are personal data. Paragraph 6 of Article L. 34-5 of the CPCE thus provides that: "The National Commission for Informatics and Liberties ensures, as regards direct prospecting using the contact details of a subscriber or a natural person, compliance with the provisions of this article by using the powers recognized to it by the aforementioned law n° 78-17 of January 6, 1978."

The restricted committee considers that it is within this framework that the CNIL delegation carried out three checks on the company and that the matter was referred to the restricted committee.

The restricted committee also underlines that this interpretation was adopted by the Council of State, which recognized the competence of the CNIL to ensure compliance with the provisions of Article L. 34-5 of the CPCE (CE, n° 368624, March 11, 2015, Société TUTO4PC).

Consequently, the restricted committee was validly referred to, and it is without disregarding the principles of specialty and fairness that it relies on the elements of the checks to examine the facts attributed to the company with regard to the provisions of Article L. 34-5 of the CPCE.

Secondly, the company maintains that, even if the restricted committee could be seized of alleged breaches of Article L. 34-5 of the CPCE, the CNIL's investigators cannot carry out investigative measures to that end, this prerogative being reserved, by virtue of paragraph 7 of Article L. 34-5 of the CPCE, to the agents of the competition, consumer affairs and fraud control authority and to the officials responsible for the economic protection of consumers.

However, the rapporteur recalls that paragraph 6 of Article L. 34-5 of the CPCE provides that the CNIL uses its powers to ensure compliance with that article with regard to direct prospecting using the contact details of a subscriber or a natural person. These powers are specified in the amended law of January 6, 1978 and include, under Articles 19 and 20, powers of investigation and sanction.

The restricted committee therefore considers that CNIL agents are competent to carry out control missions under Article L. 34-5 of the CPCE in order to ensure compliance with that article as regards direct prospecting using the contact details of a subscriber or a natural person.

3. The vagueness of the complaints against the company

The company stresses that the grievances notified in the sanction report are characterized neither materially nor in time and do not meet the standard of proof required in criminal matters. As a result, the company maintains that it is unable to exercise its rights of defence effectively.

The rapporteur indicates that the facts on which the breaches are based were noted during the checks carried out by the CNIL delegation on May 3 and 14, 2019 and February 20, 2020. These breaches were characterized materially and in time in the report notified to the company. The rapporteur therefore considers that he enabled the company to exercise its rights of defence.

The rapporteur also stresses that the restricted committee is not a criminal court, that it has the power to pronounce sanctions of an administrative nature and that, therefore, the standard of proof required before the restricted committee need not meet the requirements of criminal matters but those set by the Data Protection Act and its implementing decree.

In this regard, the rapporteur also recalls that each complaint is supported by elements resulting from the control operations, in the course of which a report, with attached documents, is drawn up.

In view of all of these elements, the restricted committee considers that the control delegation ensured a high standard of proof guaranteeing the reliability of its findings, that the breaches were characterized materially and in time in the report notified to the company, and that the company therefore cannot rely on any imprecision of the complaints made against it.

B. On the failure to obtain the consent of the person concerned by a direct prospecting operation by means of an automated electronic communications system in application of Article L. 34-5 of the CPCE

1. On the absence of consent from persons to receive commercial prospecting messages

Article L. 34-5 of the CPCE provides: Direct prospecting by means of an automated electronic communications system within the meaning of 6° of Article L. 32, a fax machine or electronic mail, using the contact details of a natural person, subscriber or user, who has not previously expressed his consent to receive direct prospecting by this means, is prohibited.

For the purposes of this article, consent is understood to mean any free, specific and informed manifestation of will by which a person accepts that personal data concerning him or her be used for the purpose of direct prospecting. [...]

Under paragraph 6 of the same article, the National Commission for Informatics and Liberties ensures, with regard to direct prospecting using the contact details of a subscriber or a natural person, compliance with the provisions of this article by using the powers recognized to it by the aforementioned law n° 78-17 of January 6, 1978. To this end, it may in particular receive, by any means, complaints relating to breaches of the provisions of this article [...].

The rapporteur maintains that the company does not obtain the consent of persons whose personal data are accessible on the Internet, prior to sending commercial prospecting messages.

The rapporteur noted that, during the check of March 14, 2019, the company indicated to the CNIL control delegation that it builds its prospect database from personal data accessible online on the website of the professional social network of the company [...]. It specified that it was working with two companies, A and B, for the creation of personal databases intended for commercial prospecting.

First, company A draws up prospecting lists containing the first and last names of prospects, together with the name of the company in which they work. These data are collected through the Sales Navigator service offered by the company [...], which lists all the people working in a given company and region. NESTOR then transfers the file drawn up by company A to company B, which enriches it, in particular by adding the professional e-mail address of the persons concerned.

The company indicated to the CNIL control delegation that the files compiled with the help of these two companies subsequently allow it to contact people likely to be interested in its services. Finally, another company, company C, sends these prospects information emails and promotional codes on behalf of NESTOR.

The company informed the delegation that, since 2017, 635,033 prospects have received such prospecting emails.

The company maintains that the legal basis for the processing of personal data for the purpose of commercial prospecting of people at their professional email address is the legitimate interest of the controller. The company also specified that its ambition is to become the benchmark for business lunch delivery to its clients' business premises and that it is therefore vital for it to acquire a base of potential business clients.

The rapporteur noted that the company had initially informed the delegation that it was not obtaining the consent of the persons concerned, since this prospecting emailing - the legal basis of which is NESTOR's legitimate interest - takes place strictly within the professional framework of company lunches (professional email address, delivery to professional premises, during the client's professional working hours, etc.).

In its response to the sanction report, the company went on to argue that it ensured individuals' consent to the use of their personal data for advertising targeting purposes by choosing the services of the company [...], whose privacy policy provides for the communication of its members' personal data to advertisers: By choosing the services of the company [...], NESTOR has taken the necessary precautions to ensure that prospects consent to their data being used for advertising targeting purposes and communicated to advertisers. In this case, NESTOR uses the services of the company [...] as one of its processors. The company [...] therefore acts in the name and on behalf of NESTOR, which can therefore legitimately rely on the consent obtained by the company [...] on its behalf.

The restricted committee notes that the professional social network [...] allows people to register in order to get in touch with professionals, as part of a job search, or to share information with their professional network and to extend that network. The restricted committee therefore considers that the prospecting messages sent by the company for the sale of meals at people's workplace have little connection with the professional activity of the prospects.

The restricted committee also considers that the prospects canvassed were not aware of the collection of their personal data by the company, and that the company carried out prospecting by email and SMS without having previously obtained their consent.

In addition, the restricted committee emphasizes that the commercial prospecting carried out by the company falls within the scope of paragraph 1 of Article L. 34-5 of the CPCE, which provides for a specific legal basis founded on consent, thus ruling out legitimate interest as a legal basis for these prospecting operations.

In such circumstances, the restricted committee considers that the company is required to obtain the prior, free, specific and informed consent of persons to receive direct prospecting messages by e-mail, in accordance with Article L. 34-5 of the CPCE, which it does not do.

The restricted committee considers that the deletion of the personal data collected without the consent of the persons concerned is necessary, insofar as these data are processed without a legal basis, the persons concerned not having given their consent. It notes that the company told it that it had destroyed its database containing the personal data of prospects, without however providing evidence of this. It also considers that it is not necessary to delete the data of prospects who have since become customers of the company.

Under these conditions, the restricted committee considers that the company has disregarded the provisions of article L. 34-5 of the CPCE.

2. On the absence of consent from persons creating an account on the company's website or application to receive commercial prospecting messages

The rapporteur maintains that the company does not collect the consent of persons creating an account on its website or application to the processing of their personal data for the purposes of commercial prospecting by e-mail.

The rapporteur noted that when the CNIL delegation created an account on the company's website during the check of May 3, 2019, no process aimed at obtaining consent to the collection and processing of data for commercial prospecting purposes by e-mail had been implemented.

The rapporteur also noted that the CNIL delegation, which had neither placed any order nor given such consent, received prospecting emails and SMSs from the company. Such mailings continued until August 2019 and are recognized by the company.

The restricted committee considers that the company is required to obtain the prior, free, specific and informed consent of persons creating an account on its website or application to receive direct prospecting messages by e-mail, in accordance with paragraph 1 of Article L. 34-5 of the CPCE.

In the course of the procedure, the company has provided evidence of having inserted a method of obtaining consent from September 11, 2019 on the website and from March 5, 2020 on the application, and of its compliance with Article L. 34-5 of the CPCE: when creating a customer account on the NESTOR website or application, the user must complete a registration form, one section of which asks, in particular, whether the user chooses to receive daily or weekly menus or special offers by email, by ticking the corresponding boxes.

Under these conditions, the restricted committee considers that the breach of Article L. 34-5 of the CPCE is established, but that the company had completely brought itself into compliance by the closing date of the investigation.

C. On the breach relating to the obligation to inform individuals pursuant to Articles 12 and 13 of the GDPR

Under paragraph 1 of Article 12 of the GDPR: The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and Article 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language [...].

Article 13 of the GDPR requires the controller to provide, at the time the data are collected, information relating to its identity and contact details, the purposes of the processing and its legal basis, the recipients or categories of recipients of the personal data, where applicable the transfers of personal data, the retention period of the personal data, the rights enjoyed by individuals and the right to lodge a complaint with a supervisory authority.

The rapporteur notes that, as emerges from the findings made during the online check of February 20, 2020, the information made available to users of the site and the application was neither complete within the meaning of Article 13 of the Regulation nor easily accessible within the meaning of Article 12 of the Regulation.

In defense, the company indicated that it had made corrections, as part of the procedure, in order to deliver information in accordance with the requirements of the GDPR.

The restricted committee recalls that, for a data controller to be considered to fulfil its obligation of transparency, the information provided must in particular be easily accessible to the persons concerned within the meaning of Article 12 of the Regulation.

It notes, in this regard, that this provision must be interpreted in the light of recital 61 of the Regulation, according to which information on the processing of personal data relating to the data subject should be provided to him at the time the data are collected from him. In this sense, it shares the position of the Article 29 Working Party (G29) presented in the guidelines on transparency under the Regulation, adopted in their revised version on April 11, 2018 (hereinafter the guidelines on transparency), which recall that the data subject should not have to search for the information but should be able to access it immediately.

In this case, the restricted committee notes that the personal data collection form allowing registration on the company's website did not include all of the information required by Article 13 of the GDPR, nor did it refer to a dedicated page containing all the information required by the GDPR. Thus, the restricted committee notes that no information was provided on the legal bases of the processing implemented, the recipients or categories of recipients of the data, the retention period of the data, or the existence of the right to lodge a complaint with a supervisory authority.

In addition, the restricted committee considers that the privacy policy on the home page of the website was incomplete with regard to the information on the retention periods for the personal data of prospects.

The restricted committee also considers that the privacy policy does not allow people to know, for each processing operation, the legal basis on which it rests, nor the legitimate interest pursued by the controller where the processing of personal data is based on that legal basis.

The restricted committee also considers that the privacy policy is imprecise with regard to the information on the recipients of personal data, since it merely indicates that the data may be transmitted to certain partners [...]. The restricted committee considers that, while the company is not required to provide the identity of all the recipients of the data, it must at least inform people of the categories of recipients of the data.

Finally, the restricted committee observed that no information relating to the protection of personal data was provided to people creating an account on the mobile application.

It nevertheless notes that, in the context of the procedure, the company has justified having taken measures to comply with Articles 12 and 13 of the GDPR.

First of all, concerning the registration form on the website, the company has shown that it inserted in the form a link entitled Your personal data referring to the privacy policy. The company has also shown that it brought its privacy policy into compliance, and that it now contains all the information required by Article 13 of the GDPR. Finally, the company indicates that it has redesigned its mobile application since March 5, 2020, and that the registration page and the home page of the application have since offered a link to the privacy policy, which also contains all the information required by Article 13 of the GDPR.

Under these conditions, the restricted committee considers that the breach of Articles 12 and 13 of the GDPR is established, but that the company had brought itself into compliance by the closing date of the investigation.

D. On the breach relating to the obligation to respect the right of access of individuals pursuant to Article 15 of the GDPR

Article 15, paragraph 1, of the GDPR provides that the data subject has the right to obtain from the controller access to the personal data concerning him and, in particular where the personal data are not collected from the data subject, any available information as to their source.

It is also provided for in paragraph 3 of the same article that the controller provides a copy of the personal data being processed.

Finally, Article 12.4 of the GDPR provides that the controller provides the data subject with information on the action taken on a request made under Articles 15 to 22 without undue delay and in any event within one month of receipt of the request.

During the investigation of two complaints received by the CNIL (referrals no. [...] and [...]), it appeared that the company had failed in its obligation to provide the complainants with a copy of the personal data concerning them that it held in its database, as well as information relating to the source of these data.

Regarding the first complaint (no. [...]), the company maintains that, after the complainant, Mr. X, referred his complaint to the CNIL, it sent him supporting information specifying that the unsubscription from its lists had failed because of redirects of emails from a second email address to the first.

Regarding the second complaint (no. [...]), the company maintains that, after the complainant, Mr. Y, referred his complaint to the CNIL, it communicated to him the source of his personal data. The company adds that Mr. Y's request was a request for portability under Article 20 of the GDPR and not a request relating to the right of access under Article 15 of the GDPR.

In the course of the proceedings, the company argued that it had not understood the scope of these two requests.

First, the restricted committee notes that it emerges from the complaint lodged by Mr. X that he asked the company, by email of November 8, 2018, to be sent a copy of all of his personal data as well as information on the source of those data. The restricted committee notes that the company only indicated in return to Mr. X that he had indeed been unsubscribed from its mailing lists.

The restricted committee thus notes that it emerges from the responses provided by the company to the complainant that it provided him neither with a copy of his personal data nor with their source, as requested.

Secondly, the restricted committee notes that it emerges from the complaint lodged by Mr. Y that the company responded to his access request of December 14, 2018 more than five months later, on May 14, 2019.

The restricted committee considers that the company did not indicate the source of the data, but merely told Mr. Y that it had reconstituted his email address on the basis of another email address, without indicating to him that this other email address had been obtained via the professional social network [...]. The company thus only listed the type of data it was processing. The restricted committee also considers that it was clear that this was not a request for portability, in particular because Mr. Y stated precisely, in his email sent to the company on December 14, 2018: [...] I would like to introduce a request for access under the European Data Protection Regulation (RGPD / GDPR) in order to obtain a copy of any information that you keep about me, whether in computerized or manual form, in relation to my information [...]. In any event, whether the request was made to the company under Article 15 of the GDPR or on the basis of Article 20, the restricted committee considers that the company did not grant it, since none of his data was communicated to him in any format whatsoever.

Under these conditions, the restricted committee considers that the breach of Article 15 of the GDPR is established in respect of these two complaints, although they do not demonstrate that the breach alleged against the company is structural in nature. The restricted committee also considers that the company had still not brought itself into compliance by the closing date of the investigation.

E. On the failure to ensure the security of personal data pursuant to Article 32 of the GDPR

Article 32 of the Regulation provides:

1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing. [...]

The rapporteur noted that, during the online check of May 3, 2019, the delegation observed that a single-character password was accepted when a person created an account via the mobile application, and that a six-character password was accepted when an account was created via the company's website.

During the check of February 20, 2020, the rapporteur noted that, while the company had taken measures to strengthen the composition of the password required for creating an account on its website, a single-character password was still accepted for creating an account on the mobile application.

The rapporteur therefore maintains that the password for connecting customers to their personal space, accessible from the mobile application, was still insufficiently robust to ensure the security of personal data, since it was composed of a single character.

In defence, the company disputes the deliberate nature of the security defect of which it is accused and indicates that it modified the measures relating to the management of login passwords for user accounts on its mobile application when the application was updated on March 5, 2020.

The restricted committee considers that the length and complexity of a password remain basic criteria for assessing its strength. It notes in this regard that the need for a strong password is also underlined by the National Information Systems Security Agency (ANSSI), which indicates that a good password is above all a strong password, that is, one that is difficult to find even using automated tools. The strength of a password depends on its length and on the number of possibilities for each character in it. Indeed, a password made up of lower case letters, upper case letters, special characters and numbers is technically more difficult to discover than a password made up solely of lower case letters.

By way of clarification, the restricted committee recalls that, to ensure a sufficient level of security and meet the requirements of password robustness when authentication is based solely on a username and password, the CNIL recommends, in its deliberation No. 2017-012 of January 19, 2017, that the password have at least twelve characters - containing at least one uppercase letter, one lowercase letter, one number and one special character - or have at least eight characters - containing three of these four categories of characters - if it is accompanied by an additional measure such as, for example, a timeout of access to the account after several failures (temporary suspension of access whose duration increases with the number of attempts), a mechanism guarding against automated and intensive submission of attempts (e.g. a captcha) and/or blocking of the account after several unsuccessful authentication attempts.
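As an added example, not part of the decision and not code from Nestor's systems, the following Python applies the two alternatives of CNIL deliberation No. 2017-012 quoted above and sketches one constructed "additional measure" (an increasing lockout delay); the threshold and delay values are assumptions, not figures from the CNIL.

```python
import string

# Added example (not from the decision or from Nestor's systems): a checker for
# the password rules the decision quotes from CNIL deliberation No. 2017-012,
# plus one constructed "additional measure" (an increasing lockout delay).

SPECIAL_CHARS = set(string.punctuation)


def category_count(password: str) -> int:
    """Number of character classes used: lowercase, uppercase, digit, special."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIAL_CHARS for c in password),
    ])


def meets_cnil_policy(password: str, extra_measure: bool) -> bool:
    """Apply the two alternatives quoted in the decision.

    extra_measure is True when the login is also protected by an additional
    control such as an increasing timeout, a captcha, or account blocking
    after repeated failures; only then does the shorter 8-character rule apply.
    """
    cats = category_count(password)
    if len(password) >= 12 and cats == 4:
        return True
    if extra_measure and len(password) >= 8 and cats >= 3:
        return True
    return False


def lockout_seconds(failed_attempts: int, threshold: int = 3,
                    base: int = 30, cap: int = 900) -> int:
    """Constructed 'temporary suspension whose duration increases with the
    number of attempts': no delay below the threshold, then doubling from
    `base` seconds up to `cap`. The numbers are assumptions, not CNIL's."""
    if failed_attempts < threshold:
        return 0
    return min(base * 2 ** (failed_attempts - threshold), cap)


if __name__ == "__main__":
    # The single-character password accepted on the mobile app fails both rules.
    print(meets_cnil_policy("a", extra_measure=True))          # False
    print(meets_cnil_policy("Passw0rd", extra_measure=False))  # False: no extra measure
    print(meets_cnil_policy("Passw0rd", extra_measure=True))   # True
```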

In the present case, the restricted committee considers, first of all, that with regard to the undemanding rules governing their composition, the strength of the passwords accepted by the company was too weak, leading to a risk of compromise of the associated accounts and of the data they contain.

However, the restricted committee notes that the company has shown that it modified the measures relating to the management of login passwords for user accounts.

Consequently, the restricted committee considers that the breach of the obligation to ensure the security of personal data is established but that, in view of the elements provided by the company during the procedure, there is no need to issue an injunction.

III. On corrective measures and their publicity

Under the terms of III of article 20 of the law of 6 January 1978 as amended:

When the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent it the warning provided for in I of this article or, if necessary, in addition to a formal notice provided for in II, refer the matter to the restricted committee of the Commission with a view to pronouncing, after an adversarial procedure, one or more of the following measures: […]

2° An injunction to bring the processing into line with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law, or to meet the requests presented by the data subject in order to exercise their rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment the amount of which may not exceed €100,000 per day of delay from the date set by the restricted committee; […]

7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover for the previous fiscal year, whichever is greater. In the cases mentioned in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same Article 83.

Article 83 of the GDPR provides that "Each supervisory authority shall ensure that the administrative fines imposed under this article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive."

First, concerning the pronouncement of an administrative fine, the company maintains that the restricted committee does not have the power to pronounce a fine for a breach of Article L. 34-5 of the CPCE. In addition, the company notes that Article 20 of the law of January 6, 1978 and Article 83 of the GDPR do not indicate any fine ceiling applicable to a breach of Article L. 34-5 of the CPCE and do not specify the criteria to be taken into account in determining the amount of the fine.

As the restricted committee has previously shown, paragraph 6 of Article L. 34-5 of the CPCE gives the CNIL full competence to ensure compliance with that article, in the matters falling within its remit, by using the powers conferred on it by the Data Protection Act.

Article 20, paragraph III, point 7) of the amended law of 6 January 1978 specifies that the CNIL has the power to pronounce administrative fines, sets the ceilings and refers to Article 83 of the GDPR for the criteria to be taken into account in determining the amount of these fines. Thus, contrary to what the company seems to maintain, it is not Article 83 of the GDPR which is applied in this case to allow the restricted committee to pronounce a fine, but Article 20 of the law of January 6, 1978, the application of which is expressly provided for by paragraph 6 of Article L. 34-5 of the CPCE and which, for its part, refers to the criteria of Article 83 of the GDPR for determining the amount of the fine.

In view of the aforementioned provisions, the restricted committee therefore considers that it has the power to pronounce a fine for a breach of Article L. 34-5 of the CPCE.

Secondly, the company maintains that the sanction report does not contain any reasoning with regard to the legal criteria justifying the imposition of a fine and its amount. The company adds that the proposed fine is disproportionate given the economic context caused by the Covid-19 health crisis. It emphasizes that its financial situation is already severely affected by this crisis, so that the imposition of a fine against it would seriously compromise the sustainability of its activities. In this regard, the company produces an accounting certificate attesting that its estimated available cash for the month of December 2020 would amount to […] euros.

On the contrary, the restricted committee considers that the pronouncement of an administrative fine is justified with regard to the criteria laid down by Article 83 paragraph 2 of the GDPR.

With regard to the breach of Article L. 34-5 of the GDPR, the restricted committee considers that the company showed serious negligence in considering that it could, in order to build its base of prospects, refrain from collecting people's consent. The seriousness of this breach is established in particular by the particularly large number of people concerned by it and by the fact that the CNIL received several complaints, which were at the origin of the CNIL's control procedure.

Regarding the breach of the obligation to inform individuals, the restricted committee recalls that information and transparency relating to the processing of personal data are essential obligations incumbent on data controllers, so that individuals are fully aware of the use that will be made of their personal data once it has been collected.

Therefore, the restricted committee considers that it is necessary to pronounce an administrative fine with regard to the breaches of Article L. 34-5 of the CPCE and Articles 12 and 13 of the RGPD.

Regarding the breach of the obligation to respect people's right of access, pursuant to Article 15 of the GDPR, the restricted committee notes that, in the context of the procedure, the company argued that it did not understand the scope of the requests and that the two complaints received do not demonstrate that the breach alleged against the company is structural in nature. Regarding the breach of the obligation to ensure data security, pursuant to Article 32 of the GDPR, the restricted committee considers that, in view of the measures taken by the company, it has shown good faith in the course of the procedure. Consequently, the restricted committee considers, in view of the circumstances of the case, that there is no need to base its fine on these two breaches, although they are established.

Regarding the amount of the administrative fine, the restricted committee recalls that paragraph 3 of Article 83 of the Regulation provides that, in the event of multiple breaches, as is the case here, the total amount of the fine cannot exceed the amount fixed for the most serious breach. Insofar as the company is accused of breaches of Article L. 34-5 of the CPCE and Articles 12 and 13 of the Regulation, the maximum amount of the fine that may be retained is 20 million euros or 4% of worldwide annual turnover, whichever is greater.

However, the restricted committee also takes into account, in determining the amount of the fine imposed, the financial situation of the company. The company reported its estimated turnover for the year 2020, for the period from January 1 to July 31, at […] euros, a sharp drop compared to 2019, when its turnover had reached […] euros at December 31. The company also reports an estimate, for the period from January 1 to July 31, 2020, of its profit before interest, taxes and depreciation, a negative figure of […] euros.

Therefore, in view of the economic context caused by the Covid-19 health crisis, its consequences on the financial situation of the company and the relevant criteria of Article 83, paragraph 2, of the Regulation mentioned above, the restricted committee considers that the imposition of a fine of 20,000 euros appears to be at the same time effective, proportionate and dissuasive, in accordance with the requirements of Article 83, paragraph 1, of the Regulation.

Third, an injunction to bring the processing into line with the provisions of Articles L. 34-5 of the CPCE, 12, 13, 15 and 32 of the GDPR was proposed by the rapporteur when the report was notified.

Regarding the failure to obtain the consent of the person concerned by a direct prospecting operation by means of an automated electronic communications system, pursuant to Article L. 34-5 of the CPCE, the restricted committee considers that, since the company has taken satisfactory measures to obtain the consent of persons when creating an account on the application and on the website, and has undertaken, as part of the procedure, not to send direct prospecting messages by e-mail to prospects without their prior consent, the injunction proposed in the report is no longer necessary. However, the restricted committee considers that the company has not demonstrated that it has deleted from its database the prospects whose prior, free, specific and informed consent to receive direct prospecting messages by e-mail had not been collected by the company. Consequently, the restricted committee considers that an injunction should be issued on this point.

Regarding the breach of the obligation to respect people's right of access, pursuant to Article 15 of the GDPR, the company maintains that it has put in place an internal procedure making it possible to grant requests made under Article 15 of the GDPR and that it has amended this procedure in order to satisfy right of access requests in a satisfactory manner. It communicated its internal procedure to the restricted committee, at the latter's invitation, on November 6, 2020.

The restricted committee considers, however, that the company has not fully responded to the requests for access rights presented by Mr. X and Mr. Y.

Thus, without ignoring the steps taken by the company to comply with the GDPR and the establishment and amendment of its internal procedure, the restricted committee considers that the company has still not demonstrated its compliance with Article 15 of the Regulation, since it has not satisfied the requests of Mr. X and Mr. Y. The restricted committee therefore considers that an injunction should be issued.

Fourth, the restricted committee considers that the publication of the sanction is justified in view of the plurality of breaches noted, their persistence and their seriousness. Indeed, the restricted committee considers that, although the company has taken measures within the framework of the sanction procedure making it possible to bring the processing of personal data that it carries out into conformity, it has however not taken into account all the requirements set by Article L. 34-5 of the CPCE in terms of obtaining consent, nor those resulting from the Data Protection Act.

In addition, the restricted committee considers that the practices of the company, which carried out prospecting operations by e-mail without the consent of the people concerned, justify the publication of its decision.

Finally, the restricted committee considers that publication would strengthen the dissuasive nature of the main sanction.

FOR THESE REASONS

The restricted committee of the CNIL, after having deliberated, decides to:

- pronounce against the company NESTOR SAS an administrative fine in the amount of 20,000 (twenty thousand) euros for breaches of Article L. 34-5 of the Postal and Electronic Communications Code (hereinafter the CPCE) and Articles 12 and 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the GDPR);

- issue an injunction against the company NESTOR SAS to bring the processing into line with the obligations resulting from Article L. 34-5 of the CPCE and Article 15 of the RGPD, and in particular:

• with regard to the failure to obtain the consent of the person concerned by a direct prospecting operation by means of an automated electronic communications system:

* justify the deletion of all personal data previously collected without the consent of prospects;

• with regard to the breach of the obligation to respect the right of access:

* fully comply with right of access requests by communicating to the requesters a copy of all the personal data held about them, as well as, where applicable, information relating to the source from which their data comes;

- accompany the injunction with a penalty payment of 500 (five hundred) euros per day of delay at the end of a period of 3 (three) months following the notification of this deliberation, the supporting documents for compliance to be sent to the restricted committee within this period;

- make public, on the CNIL website and on the Légifrance website, this deliberation, which will no longer identify the company by name after the expiry of a period of two years from its publication.

The Vice-President

Philippe-Pierre CABOURDIN

This decision may be appealed against to the Council of State within two months of its notification.