Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

France: CNIL imposes €2.25M fine on Carrefour France for GDPR and electronic communications code breaches

The French data protection authority ('CNIL') announced, on 26 November 2020, that it had issued, on 18 November 2020, Deliberation No. SAN-2020-008 fining Carrefour France €2.25 million for failures under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties ('the Act'), and the Post and Electronic Communications Code. In particular, CNIL found that Carrefour France had, among other things, retained the data of more than 28 million inactive customers, through its customer loyalty programme, for an excessive period and in contravention of Article 5(1) of the GDPR, and failed to sufficiently act upon customer requests to delete their data as well as customer objections to SMS and telemarketing, thereby breaching L34-5 of the Communications Code. In addition, CNIL noted that Carrefour France had not acted on its obligation to facilitate the exercise of data subject rights by asking excessively for proof of identity for exercising said rights and by not complying with the time limits set out in Article 12 of the GDPR for responding to data subject rights.

Moreover, CNIL found that Carrefour France had failed to provide adequate information on data transfers and the legal basis of processing on its website and had not provided information in an easily comprehensible format, thus breaching Article 13 of the GDPR on the right to be informed. Moreover, CNIL held that Carrefour France breached Article 82 of the Act by automatically placing cookies on users' devices upon their access of the website, without first having obtained users' consent to the application of cookies.

Lastly, CNIL noted that it has taken the decision not to issue an injunction against the Carrefour France as there had been substantive efforts to bring its practices to compliance.

You can read the press release here and the deliberation here, both only available in French.