November 26, 2020
UNOFFICIAL ENGLISH TRANSLATION
FRENCH DATA PROTECTION AUTHORITY – NEWS
Fines of 2 250 000 euros and 800 000 euros for the CARREFOUR FRANCE and CARREFOUR BANQUE companies
26 November 2020
After receiving several complaints, the CNIL has sanctioned two companies of the CARREFOUR group for breaches of the GDPR, concerning, amongst others, the information provided to individuals and respect for their rights.
After receiving several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of data on customers and potential users. The President of the CNIL therefore decided to initiate sanction proceedings against these companies.
At the end of this procedure, the restricted committee – the CNIL body responsible for imposing sanctions – indeed considered that the companies had failed to comply with several obligations under the GDPR.
It therefore fined CARREFOUR FRANCE 2 250 000 euros and CARREFOUR BANQUE 800 000 euros. However, it did not issue an injunction as it noted that significant efforts had been made to bring all the identified breaches into compliance.
Breach of the obligation to inform individuals (Article 13 of the GDPR)
The information provided to users of the carrefour.fr and carrefour-banque.fr websites, as well as to people wishing to join the loyalty program or the Pass card, was not easily accessible (access to the information was too complicated, in very long documents containing other information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated wording). Moreover, it was incomplete with regards to the duration of data retention.
Concerning the carrefour.fr website, the information was also insufficient regarding data transfers outside the European Union and the legal basis for the processing operations (files).
On this point, the companies modified their information notices and websites during the procedure to bring themselves into compliance.
Breach relating to cookies (Article 82 of the French Data Protection Act)
The CNIL noted that, when a user connected to the carrefour.fr or carrefour-banque.fr websites, several cookies were automatically placed on the user’s terminal, before any action was taken on his/her part. Several of these cookies were used for advertising purposes, and the user’s consent should have been obtained before they were placed.
During the procedure, the companies updated this processing on their website. No more advertising cookies are now placed before the user has given his/her consent.
Breach of the obligation to limit the data retention period (Article 5.1.e of the GDPR)
CARREFOUR FRANCE did not respect the data retention periods it had set. The data of more than twenty-eight million customers who had been inactive for five to ten years was being kept as part of the loyalty program. The same happened for 750,000 users of the carrefour.fr website who had been inactive for five to ten years.
Furthermore, in this case, the restricted committee considers that a retention period of 4 years for customer data after their last purchase, is excessive. Indeed, this duration, initially set by the company, exceeds what appears necessary in the field of mass retailing, given the consumption habits of customers who mainly make regular purchases.
During the procedure, CARREFOUR FRANCE committed significant resources to make the necessary changes to bring it into compliance with the GDPR. Amongst others, all data that was too old has been deleted.
Breach of the obligation to facilitate the exercise of rights (Article 12 of the GDPR)
CARREFOUR FRANCE required, except for opposition to commercial prospecting, proof of identity for any request to exercise a right. This systematic request was not justified as there was no doubt as to the identity of the persons exercising their rights. In addition, the company was unable to process several requests to exercise rights within the timeframe required by the GDPR.
On these two points, the company modified its practices during the procedure. In particular, it deployed significant human and organizational resources to respond to all requests received within less than one month.
Failure to respect rights (Articles 15, 17 and 21 of the GDPR and L34-5 of the Postal and Electronic Communications Code)
Firstly, CARREFOUR FRANCE did not respond to several requests from people wishing to access their personal data. The company approached all the people concerned during the procedure.
Secondly, in several cases, the company did not proceed with the deletion of data requested by several people when it should have done so. On this point, too, the company complied with all requests during the proceedings.
Finally, the company did not take into account a number of requests from people who had objected to receiving advertising by SMS or e-mail, including due to occasional technical errors. The company complied during the procedure on this point as well.
Breach of the obligation to process data fairly (Article 5 of the GDPR)
When a person subscribing to the Pass card (a credit card that can be linked to the loyalty account) also wished to join the loyalty program, they had to tick a box indicating that they agreed to CARREFOUR BANQUE communicating their last name, first name and e-mail address to “Carrefour fidélité”. CARREFOUR BANQUE explicitly indicated that no other data would be transmitted. However, the CNIL noted that other data was indeed transmitted, such as postal address, telephone number and the number of children, although the company had committed to not transmit any other data.
On this point, the company changed its practices during the procedure. It has completely overhauled its online subscription process for the Pass card and people are now informed of all the data transmitted to CARREFOUR FRANCE.
Follow us on Linkedin for daily breaking GDPR news!
Get our weekly newsletter in your inbox every Monday with fresh GDPR and Data Protection news!