CNIL imposes a wonderful of EUR 3.05 million on two firms within the Carrefour group for violating the GDPR and cookies
Carrefour France and Carrefour Banque are both subsidiaries of the French retail group Carrefour Group. The group has diversified its activities in banking and insurance, travel agencies and e-commerce.
Between June 8, 2018 and April 6, 2019, the CNIL received 15 complaints from individuals relating to the exercise of their data protection rights with affiliates of the Carrefour group. The complainants alleged that Carrefour (1) had failed to comply with their data access or deletion requests. (2) sent them direct marketing communications in spite of complainants objecting to receiving such communications; or (3) in one instance failed to allow the complainant to unsubscribe from marketing emails. The CNIL carried out online inspections on the carrefour.fr and carrefour-banque.fr websites, as well as on-site inspections at the premises of Carrefour France and the Group’s parent company, Carrefour SA. These inspections were intended to verify that Carrefour France and Carrefour Banque comply with all provisions of the GDPR and French data protection law.
The inspections by the CNIL revealed that both companies, when processing customer or web user data, violated several obligations of the GDPR and the cookie law provisions of article 82 of the French data protection law. On November 18, 2020, the CNIL fined each company for these violations. The CNIL did not impose any further sanctions, such as an injunction, to reconcile the data processing activities in question, as both Carrefour companies went to great lengths during the procedure to remedy the non-compliance.
Violations of the GDPR and cookies
In its ruling against Carrefour France, the CNIL stated that the company is failing to meet the basic GDPR requirements and its obligations as a data controller, including (1) storage limitation obligations; (2) Obligation to facilitate the exercise of individuals’ data protection rights; (3) Obligation to inform individuals about the processing of their personal data in an easily accessible form, in clear and straightforward language and in a comprehensive manner (i.e. with all information required by the GDPR); (4) obligation to fulfill requests for subject rights; and (5) obligations to ensure the security of personal information and to report breaches of personal information. The CNIL also found that Carrefour France was in breach of the requirements of the Cookies Act by automatically placing cookies on the user’s device when the user visited the home page of the carrefour.fr website.
In its decision against Carrefour Banque, the CNIL found that the company had violated the (1) obligation to process personal data fairly. (2) Obligation to publish in an easily accessible form, in plain language and in a comprehensive manner; and (3) cookie law requirements.
The highlights of the CNIL’s decisions are listed below.
- Storage limit: The CNIL noted that Carrefour France has defined an excessive retention period for the personal data of its customers who are members of its loyalty program. The details of the members of the loyalty program have been retained for four years since their last activity. According to the CNIL, the four-year retention period is too long: Personal data of inactive customers should not be kept for longer than three years. The CNIL also found that Carrefour France kept personal data of members of the loyalty program and web users for longer than the set retention period. The inspections revealed that the personal data of more than 28 million inactive customers under the loyalty program had been retained for five to ten years. Likewise, the personal data of more than 750,000 web users were stored for five to ten years from the date of their last order. Finally, the CNIL found that Carrefour France systematically requested a copy of an identification document when individuals were exercising their data protection rights and kept that copy for one to six years. According to the CNIL, copies of identification documents should only be kept for the time necessary to verify the identity of the applicant. Once this identity has been confirmed, there is no longer any need to keep a copy of the identification document. Carrefour France should only have archived a copy of its reply to the individual for evidence. The CNIL came to the conclusion that Carrefour France has violated the storage restriction obligation of the GDPR.
- Facilitation of the rights of the individual: The CNIL stressed that the requirement for a copy of an identification document for each request for subject rights is excessive. ID should only be requested in cases where the company had reasonable doubts about the identity of the applicant. The CNIL also found that Carrefour France failed to comply with the requests for subject rights within the one month period required by the GDPR. In some cases, individuals did not hear from the company for up to nine months. Carrefour France stated that the submission of the GDPR request resulted in an increase in the number of requests for subject rights (from one to two requests per day before May 25, 2018 to sometimes more than 75 requests per day after that date). The CNIL made it clear that the company should have anticipated this increase in the number of applications and concluded that the company was in breach of Article 12 of the GDPR. The CNIL noted that during the procedure, the company had introduced new ad hoc tools to handle requests for subject rights and that it can now respond to such requests on average within less than 15 days.
- Compliance with the rights of individuals: The CNIL also noted that Carrefour France had failed to comply with several requests for rights of the subject, including requests from individuals to access their personal data, requests to delete their personal data and the objection of individuals to receive direct marketing communications by SMS or email. In particular, the CNIL noted that one of the deletion requests related to the email address that the company uses for direct marketing purposes. The inspection by the CNIL revealed that the email address had not been deleted. The company stated that the email address could not be deleted because the company used each individual’s email address as a database entry point. The CNIL determined that the company had to implement a system for organizing its customer database in such a way that the company could comply with the requirements of subject law.
- Note for individuals: The CNIL noted that the communication was not easily accessible to web users and customers wishing to sign up for the Carrefour loyalty program or payment card. The note on the processing of your personal data has been split into several documents and is fragmented (general conditions of use, conditions of use, page on protection of personal data, special page on exercising personal data protection rights) In addition, the notice was drafted using general, vague, or unclear terms, e.g. B. “These processing activities include, without limitation,” “Your data may be processed for one or more of the following purposes”, “Your data may be used” or “Certain data about you are used”. According to the CNIL, these conditions do not allow individuals to understand the scope of the processing of their personal data. Similarly, general terms such as “You also have the right to obtain the restriction of a data processing activity and the right to the portability of the data you provide, which may apply in certain cases” did not allow individuals to understand the situations in which their rights apply, and the terms of their application. In addition, the CNIL found that the information was incomplete and insufficient. In particular, the CNIL noted that the information provided on the carrefour.fr and carrefour-banque.fr websites did not specify the retention periods for all data collected or all data processing purposes, including data collected through cookies. According to the CNIL, it was not enough to state that “personal data will be retained for the applicable statute of limitations” or that “Carrefour Banque’s retention of your data will vary in accordance with the laws and regulations in force”.
- Obtaining user consent for non-essential cookies: The CNIL noted that cookies were automatically set on the carrefour.fr and carrefour-banque.fr websites before web users took any action. The CNIL noted that this included some non-essential cookies such as Google Analytics cookies and that the data collected by these cookies could be used with data from other processing activities to serve targeted advertisements. Accordingly, these cookies could only be set if the user accepted them.
Interestingly, when setting the fine on Carrefour France, the CNIL relied on the ‘company’ concept under EU competition law in order to take into account not only the revenues of Carrefour France, but also the higher revenues of the two subsidiaries that benefited from it the relevant data processing activities. Carrefour France and Carrefour Banque can now appeal the decisions of the CNIL within two months before the highest French administrative court (Conseil d’Etat).