On November 26, 2020, the French Data Protection Authority (the “CNIL”) announced that it imposed a fine of €2.25 million on Carrefour France and a fine of €800,000 on Carrefour Banque for various violations of the EU General Data Protection Regulation (“GDPR”) and Article 82 of the French Data Protection Act governing the use of cookies.
Background
Carrefour France and Carrefour Banque are both affiliates of the French retail group, the Carrefour Group. The group has diversified its activities into the banking and insurance, travel agency and e-commerce sectors.
Between June 8, 2018 and April 6, 2019, the CNIL received 15 complaints from individuals relating to the exercise of their data protection rights with affiliates of the Carrefour Group. The complainants argued that Carrefour (1) did not comply with their data access or erasure requests; (2) sent them direct marketing communications despite the fact that the complainants had objected to receiving those communications; or (3) in one case, did not allow the complainant to unsubscribe to marketing emails. The CNIL carried out online inspections on the carrefour.fr and carrefour-banque.fr websites and onsite inspections at the premises of Carrefour France and the parent company of the group, Carrefour SA. These inspections aimed to verify whether Carrefour France and Carrefour Banque were in compliance with all provisions of the GDPR and the French Data Protection Act.
The CNIL’s inspections revealed that both companies infringed several obligations of the GDPR and the cookie law requirements of Article 82 of the French Data Protection Act when processing customer or web user data. On November 18, 2020, the CNIL imposed a fine on each company for these infringements. The CNIL did not impose other sanctions, such as an injunction to bring the data processing activities in question into compliance, as both Carrefour companies made huge efforts during the proceedings to remedy the non-compliance.
GDPR and Cookie Violations
In its decision against Carrefour France, the CNIL found that the company failed to comply with basic GDPR requirements and its obligations as a data controller, including the (1) storage limitation requirement; (2) obligation to facilitate the exercise of individuals’ data protection rights; (3) obligation to provide notice to individuals about the processing of their personal data in an easily accessible form, using clear and plain language and in a comprehensive manner (i.e., with all information required by the GDPR); (4) obligation to comply with subject right requests; and (5) obligations to ensure the security of personal data and to notify personal data breaches. Further, the CNIL found that Carrefour France infringed cookie law requirements by automatically setting cookies on the user’s device when the user visited the home page of the carrefour.fr website.
In its decision against Carrefour Banque, the CNIL found that the company failed to comply with the (1) obligation to process personal data fairly; (2) obligation to provide notice in an easily accessible form, using clear and plain language and in a comprehensive manner; and (3) cookie law requirements.
Highlights from the CNIL’s decisions are detailed below.
-
Storage limitation: The CNIL found that Carrefour France defined an excessive data retention period for the personal data of its customers who are members of its loyalty program. Loyalty program members’ data had been retained for a period of four years from their last activity. According to the CNIL, the four-year retention period is excessive: personal data of inactive customers should not have been kept for more than three years. Further, the CNIL found that Carrefour France kept personal data of loyalty program members and web users for a longer period than the defined retention period. The inspections revealed that the personal data of more than 28 million inactive customers had been retained for five to ten years in the context of the loyalty program. Similarly, the personal data of more than 750,000 web users had been retained for five to ten years from the date of their last order. Finally, the CNIL found that Carrefour France systematically asked for a copy of an ID document when individuals exercised their data protection rights and kept that copy for a period of one to six years. According to the CNIL, copies of ID documents should only be retained for the time necessary to verify the identity of the requester. As soon as that identity is confirmed, it is no longer necessary to keep a copy of the ID document. Carrefour France should have archived only a copy of its response to the individual for evidentiary purposes. The CNIL concluded that Carrefour France infringed the GDPR’s storage limitation requirement.
-
Facilitating the individuals’ rights: The CNIL stressed that asking for a copy of an ID document for every subject rights request is excessive. An ID document should have been requested only in cases where the company had reasonable doubt as to the identity of the requester. Further, the CNIL found that Carrefour France did not comply with subject rights requests within the one-month time limit required by the GDPR. In some cases, individuals did not hear from the company for up to nine months. Carrefour France explained that the entry of application of the GDPR led to an increase of subject right requests (from one to two requests a day before May 25, 2018 to sometimes more than 75 requests a day after that date). The CNIL made it clear that the company should have anticipated this increase in the number of requests and concluded that the company infringed Article 12 of the GDPR. The CNIL noted that the company adopted during the proceedings new ad hoc tools to handle subject right requests and can now respond to such requests, on average, within less than 15 days.
-
Complying with individuals’ rights requests: The CNIL further found that Carrefour France did not comply with several subject rights requests, including individuals’ requests to access their personal data, requests for erasure of their personal data and individuals’ objection to receiving direct marketing communications by text message or email. In particular, the CNIL noted that one of the erasure requests related to the email address used by the company for direct marketing purposes. The CNIL’s inspection revealed that the email address had not been erased. The company explained that it could not erase the email address because the company used the individuals’ email address as the database entry point. The CNIL found that the company had to implement a system for organizing its customer database in such a way that the company could comply with subject right requests.
-
Notice to individuals: The CNIL found that the notice provided to web users and customers who wish to sign up for Carrefour’s loyalty program or payment card was not easily accessible. The notice about the processing of their personal data was dispersed and fragmented among several documents (general terms of use, terms and conditions, page relating to the protection of personal data, dedicated page for the exercise of individuals’ data protection rights). Further, the notice was drafted using broad, vague or unclear terms, such as “these processing activities include, without limitation,” “your data may be processed for one or several of the following purposes,” “your data may be used” or “certain data about you are used”. In the CNIL’s view, these terms did not allow individuals to understand the extent of the processing of their personal data. Similarly, general terms such as “you also have the right to obtain the restriction of a data processing activity, and the right to the portability of the data you may have provided, which may apply in certain cases,” did not allow individuals to understand the situations in which their rights apply and the conditions for their application. Additionally, the CNIL found that the information was incomplete and insufficient. In particular, the CNIL found that the information provided on the carrefour.fr and carrefour-banque.fr websites did not specify the data retention periods for all data collected or all purposes of the data processing, including the data collected by cookies. In the CNIL’s view, it was insufficient to specify that “personal data are retained for the applicable statute of limitation periods” or that “the retention of your data by Carrefour Banque varies according to the applicable laws and regulations.”
-
Obtaining users’ consent for non-essential cookies: The CNIL found that cookies were automatically set on the carrefour.fr and carrefour-banque.fr websites prior to any action from web users. The CNIL noted that this included some non-essential cookies such as Google Analytics cookies, and that the data collected by these cookies could be used with data from other processing activities to serve targeted ads. Accordingly, these cookies could not have been set unless the user accepted them.
CNIL’s Fines
Interestingly, in setting the fine against Carrefour France, the CNIL relied upon the concept of “undertaking” within the meaning of EU competition law to take into account not only the revenues of Carrefour France but also the higher revenues of its two subsidiaries who benefited from the data processing activities in question. Carrefour France and Carrefour Banque may now appeal the CNIL’s decisions within two months before France’s highest Administrative Court (Conseil d’Etat).