France’s Data Protection Authority Imposes Large Sanctions on a Major Retailer for the GDPR Violations - Clarip Privacy Blog

France’s Data Protection Authority Imposes Large Sanctions on a Major Retailer for the GDPR Violations

France’s Data Protection Authority (CNIL) imposed a €2.25 million fine on retailer Carrefour France and an €800,000 fine on its affiliate, Carrefour Banque, for a number of violations of the GDPR and local data protection regulations.

Specifically, the CNIL found that the disclosures provided to users of the Carrefour websites as well as to individuals wishing to join its loyalty and Pass card (credit card that can be attached to the loyalty account) programs were not easily accessible, nor easily understandable.  For example, the information was written in general and imprecise terms, sometimes using unnecessarily complicated language.  Furthermore, the disclosures failed to provide necessary information as to the duration of data retention, legal basis for processing, and transfers of data outside of the European Union.

Carrefour further violated the Data Protection Act by automatically placing advertising cookies on the user’s terminal without the user’s consent and before any action on the user’s part.

Carrefour also failed to comply with the obligation to limit the retention period of personal data, as required by the GDPR.  The company continued to retain data of millions of its customers even though the data was no longer necessary for its purpose.

Carrefour also failed to facilitate the exercise of data subject rights required by the GDPR.  The company required proof of identity for every request to exercise data subject rights, even where there was no doubt as to the identity of the persons exercising the rights.  According to CNIL, such requests were not justified under the circumstances. Furthermore, the company did not process several requests within the time limits required by the GDPR, and failed to act upon some requests altogether.

Finally, the CNIL concluded that Carrefour breached its obligation to process data fairly in accordance with Article 5 of the GDPR when it represented to customers subscribing to the Pass card who also wished to join the loyalty program that only certain personal information would be transmitted to Carrefour Banque (a banking affiliate), when in fact additional personal data was transmitted without the customer’s consent.

The fines imposed on Carrefour follow several high-profile large GDPR fines imposed by the European Data Protection Authorities in recent months. Privacy regulators throughout the European Union are setting a precedent of regulatory enforcement and sending a strong message that companies must respect personal privacy, protect personal data, and uphold their obligations under the applicable privacy laws. Companies that ignore their privacy and data protection obligations are bound to pay the price in the form of regulatory fines, consumer litigation, and diminished reputation with their customers.

Improve customer trust with Clarip’s privacy governance platform.  Schedule a demo of the Clarip data mapping software for GDPR by calling 1-888-252-5653.
