Data Breach Leads to Massive Carrefour Fine

by | Dec 12, 2020

In France the data protection regulator, Commission nationale de l’informatique et des libertés (CNIL), has penalised French retail giant Carrefour more than €3m ($3.7m) in relation to a number of breaches of the European Union’s General Data Protection Regulation.

The total fine was split between the retails giant €2.25m and the banking subdivision, Carrefour Banque, that it operates (€800,000). The fine was made public on the web portal of CNIL. 

The punishment could have been even worse, however while calculating the amount , CNIL considered the actions Carrefour took to address the GDPR breaches discovered earlier. 

This included:

  • Information in relation to data protection not being clear and concise for customers to understand.
  • Important details in relation to data retention could not be found.
  • The same information being difficult to find in large documents that contained a lot of other information.
  • An inadequate process for managing data subject requests was too restrictive.
  • Failure to comply with data subject request time limits
  • Data transfers that were not completely transparent.
  • Illegal cookie use

Commenting on of the GDPR breaches, CNIL said that the group was of the opinion that a data retention period of four years for customer data after the last purchase was too long. It said: “£he restricted committee considers that a retention period of 4 years for customer data after their last purchase is excessive. Indeed, this duration, initially adopted by the company, exceeds what appears necessary in the field of mass distribution, taking into account the consumption habits of customers who mainly make regular purchases. “

Additionally it said that there was a lack of adequate information on on the website in relation to transferring data outside of the EU and the legal basis for processing data. It said: “The information provided to users of the and sites as well as to people wishing to join the loyalty program or the Pass card was not easily accessible (access to information too complicated, in very long containing other information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated formulations). In addition, it was incomplete with regard to the duration of data retention.”

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy