France: CNIL fines Monsanto Company €400,000 for failing to inform political figures of data collected for lobbying purposes
The French data protection authority ('CNIL') announced that it had issued a decision to fine the Monsanto Company €400,000 for failing to inform over 200 individuals, including politicians and political activists, of the collection of their personal data for lobbying purposes related to the renewal of the authorisation of glyphosate in Europe, in violation of Article 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, CNIL outlined that the file in question included information on the individuals' parent organisation, job title, professional address, professional landline number, mobile phone number, email address, and, in some cases, Twitter account. In addition, CNIL noted that a score ranging from 1 to 5 was assigned to each person, in order to assess their influence, credibility, and support for Monsanto on various subjects such as pesticides or genetically modified organisms.
Notably, CNIL highlighted that the collection of such data and the creation of such files for lobbying purposes is not, in itself, illegal, but that individuals were nonethless entitled to be informed of the existence of the file, in order to be able to exercise additional rights, in particular the right to object. Furthermore, CNIL found that the data collection activities had in fact been carried out by a vendor contracted by Monsanto, Fleishman-Hillard, and that Monsanto had also breached Article 28 of the GDPR by failing to include the provisions stipulated by the GDPR, notably in relation to data security, in its contracts with Fleishman-Hillard.