France: CNIL imposes €800,000 fine on Carrefour Banque for GDPR and electronic communications code breaches

The French data protection authority ('CNIL') announced, on 26 November 2020, that it had issued, on 18 November 2020, Deliberation No. SAN-2020-009 fining Carrefour Banque €800,000 for failures under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties ('the Act'), and the Post and Electronic Communications Code.

In particular, CNIL found that Carrefour Banque had failed to provide adequate and complete information on its website, as well as information on users' 'pass card' online subscription in an easily comprehensible format, thus breaching Article 13 of the GDPR on the right to be informed. Moreover, CNIL held that Carrefour Banque had breached Article 82 of the Act by automatically placing cookies on users' devices when they accessed the website, without first having obtained their consent to the placement of cookies.

Lastly, CNIL noted that it had decided not to issue an injunction against Carrefour Banque, as the bank had corrected all the shortcomings indicated by CNIL in the breach report, changed its pass card online subscription programme, and informed users about the data being transmitted to the third company Carrefour France.

You can read the press release here and the deliberation here, both only available in French.