France: CNIL imposes €2.25M fine on Carrefour France for GDPR and electronic communications code breaches
The French data protection authority ('CNIL') announced, on 26 November 2020, that it had issued, on 18 November 2020, Deliberation No. SAN-2020-008 fining Carrefour France €2.25 million for failures under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties ('the Act'), and the Post and Electronic Communications Code. In particular, CNIL found that Carrefour France had, among other things, retained the data of more than 28 million inactive customers, through its customer loyalty programme, for an excessive period and in contravention of Article 5(1) of the GDPR, and failed to sufficiently act upon customer requests to delete their data as well as customer objections to SMS and telemarketing, thereby breaching L34-5 of the Communications Code. In addition, CNIL noted that Carrefour France had not acted on its obligation to facilitate the exercise of data subject rights by asking excessively for proof of identity for exercising said rights and by not complying with the time limits set out in Article 12 of the GDPR for responding to data subject rights.
Moreover, CNIL found that Carrefour France had failed to provide adequate information on data transfers and the legal basis of processing on its website and had not provided information in an easily comprehensible format, thus breaching Article 13 of the GDPR on the right to be informed. Moreover, CNIL held that Carrefour France breached Article 82 of the Act by automatically placing cookies on users' devices upon their access of the website, without first having obtained users' consent to the application of cookies.
Lastly, CNIL noted that it has taken the decision not to issue an injunction against the Carrefour France as there had been substantive efforts to bring its practices to compliance.