We first wrote this note on 26 November 2020 and have updated it with more details about the case.
Following investigations (triggered by complaints), the French data protection regulator, the Commission nationale de l’informatique et des libertés (CNIL), has sanctioned two French organisations for a number of data protection compliance failures: Carrefour France was fined €2.25 million and Carrefour Banque was fined €800,000.
The list of privacy violations included failure to obtain cookie consent, failure to respect data subject rights, excessive data retention periods (for data kept under a loyalty programme and post-transaction), and unfair processing. Transparency failures regarding the information provided on the organisations’ websites were also singled out, including the lack of information concerning data transfers on one of the websites. The data transfer element is especially interesting given the issues arising from the collapse of Privacy Shield and the increased focus on data transfers using Standard Contractual Clauses (see https://bit.ly/pshielddead).
What did CNIL say?
CNIL was involved in a series of checks and found the following shortcomings:
- Information about data protection was not sufficiently accessible – it was too complicated and in long documents containing other information.
- Information was written in general and imprecise terms and was sometimes too complicated.
- There was insufficient information on data retention.
- On the carrefour.fr site, there was not enough information on data transfers outside the EU and on the legal basis for processing.
- Cookie use was unlawful.
- Data was kept for too long and longer than the data retention periods set. CNIL felt that a retention period of 4 years for customer data after the last purchase was excessive.
- The policy on dealing with data subject requests was too restrictive.
- Time limits for meeting data subject requests were not complied with.
- Carrefour transferred data without being fully transparent.
CNIL recognised the significant remedial action which had been taken since the investigation including the purge of data which Carrefour undertook after hearing CNIL’s concerns. CNIL also recognised the extra resources Carrefour had allocated to deal with data subject requests.
What are the takeaways?
Data transfers are very much a hot topic right now, most recently coming into the spotlight with the EU issuing its draft revised Standard/Model Clauses, which we’ve written about here: https://www.corderycompliance.com/draft-eu-standard-model-clauses/. It seems that data protection regulators are also focussing on what organisations are saying on their websites about data transfers. Consider therefore reviewing your website to ensure that it meets GDPR transparency standards, especially the required standard for information on data transfers.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes films, templates, guidance notes and a monthly updating call.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs, which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary, which can be found here: http://www.corderycompliance.com/?s=glossary.
The CNIL’s press release and two decisions can be found here (in French): https://www.cnil.fr/fr/sanctions-2250000-euros-et-800000-euros-pour-carrefour-france-carrefour-banque
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785