In France the data protection regulator, Commission nationale de l’informatique et des libertés (CNIL), has penalised French retail giant Carrefour more than €3m ($3.7m) in relation to a number of breaches of the European Union’s General Data Protection Regulation.
The total fine was split between the retails giant €2.25m and the banking subdivision, Carrefour Banque, that it operates (€800,000). The fine was made public on the web portal of CNIL. You can read it here.
The penalty could have been much higher. However, in calculating the overall amount, CNIL took into account the actions that Carrefour took to address the GDPR breaches that had been earlier discovered. The list of these concerns extended to nine key areas. it included aspects such as:
- Information in relation to data protection not being clear and concise for customers to understand.
- Important details in relation to data retention could not be found.
- The same information being difficult to find in large documents that contained a lot of other information.
- An inadequate process for managing data subject requests was too restrictive.
- Failure to comply with data subject request time limits
- Data transfers that were not completely transparent.
- Illegal cookie use
Commenting on of the GDPR breaches, CNIL said that the group was of the opinion that a data retention period of four years for customer data after the last purchase was too long. It said: “£he restricted committee considers that a retention period of 4 years for customer data after their last purchase is excessive. Indeed, this duration, initially adopted by the company, exceeds what appears necessary in the field of mass distribution, taking into account the consumption habits of customers who mainly make regular purchases. “
Additionally it said that there was a lack of adequate information on on the carrefour.fr website in relation to transferring data outside of the EU and the legal basis for processing data. It said: “The information provided to users of the carrefour.fr and carrefour-banque.fr sites as well as to people wishing to join the loyalty program or the Pass card was not easily accessible (access to information too complicated, in very long containing other information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated formulations). In addition, it was incomplete with regard to the duration of data retention.”
CNIL is renowned as one of the more stringent of the European Union’s data protection agencies. In the past it has sanctioned some large fines including:
- French Data Protection Agency hits Google with €50m GDPR Penalty
- French Company Optical Center Hit with €250k Fine for Pre-GDPR Data Breach
- First GDPR Lawsuit: $8.2 billion Fines Claimed from Facebook and Google
- GDPR Violation Warning Issued to Two French Location Data Companies