In France the data protection regulator, Commission nationale de l’informatique et des libertés (CNIL), has penalised French retail giant Carrefour more than €3m ($3.7m) in relation to a number of breaches of the European Union’s General Data Protection Regulation.
The total fine was split between the retails giant €2.25m and the banking subdivision, Carrefour Banque, that it operates (€800,000). The fine was made public on the web portal of CNIL.
The punishment could have been even worse, however while calculating the amount , CNIL considered the actions Carrefour took to address the GDPR breaches discovered earlier.
This included:
- Information in relation to data protection not being clear and concise for customers to understand.
- Important details in relation to data retention could not be found.
- The same information being difficult to find in large documents that contained a lot of other information.
- An inadequate process for managing data subject requests was too restrictive.
- Failure to comply with data subject request time limits
- Data transfers that were not completely transparent.
- Illegal cookie use
Commenting on of the GDPR breaches, CNIL said that the group was of the opinion that a data retention period of four years for customer data after the last purchase was too long. It said: “£he restricted committee considers that a retention period of 4 years for customer data after their last purchase is excessive. Indeed, this duration, initially adopted by the company, exceeds what appears necessary in the field of mass distribution, taking into account the consumption habits of customers who mainly make regular purchases. “
Additionally it said that there was a lack of adequate information on on the carrefour.fr website in relation to transferring data outside of the EU and the legal basis for processing data. It said: “The information provided to users of the carrefour.fr and carrefour-banque.fr sites as well as to people wishing to join the loyalty program or the Pass card was not easily accessible (access to information too complicated, in very long containing other information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated formulations). In addition, it was incomplete with regard to the duration of data retention.”