CNIL, the French Data Protection Authority, announced on 5th August 2020 a fine of 250,000 Euros against Spartoo SAS, a multinational e-commerce company with operations in thirteen EU countries.
What is GDPR?
GDPR stands for General Data Protection Regulation, which came into effect on 25th May 2018. GDPR makes companies liable for their use of personal data & gives consumers rights over their personal data. GDPR is the strictest data protection regime in the world; it applies to private & government entities and to both EU & non-EU organizations. GDPR applies only to personal data; anonymized data is out of its scope. We covered GDPR in detail in our post "What is GDPR?".
What is CNIL?
CNIL is the Commission nationale de l'informatique et des libertés, an independent regulatory authority established in 1978 to protect personal data in accordance with the French Data Protection Act and, more recently, the General Data Protection Regulation (GDPR).
This is the first fine issued by CNIL as lead regulator for a company involved in cross-border processing. Some insights from the decision published by CNIL:
Data Minimization (Article 5-1 c) Violation
Article 5-1 c) of GDPR states that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization).
- The controller was recording telephone conversations between customers & the support team. The stated purpose of this processing activity was "Employee Training & Evaluation".
- Customers had an option to opt out of these recordings. CNIL pointed out that no such option was available to employees.
- The company also stated that the trainer listens to only one employee recording per week. CNIL pointed out that recording all calls is not necessary for the "Training" purpose pursued.
- A few of the call recordings contained customers' bank details. CNIL pointed out that bank details were not necessary for the "Training" purpose pursued by the controller.
- Identity cards & health cards were collected in Italy for the purpose of "Fight Against Fraud". CNIL pointed out that the identity card alone was enough to establish identity for that purpose; collecting the health card as well violates data minimization (GDPR Article 5-1 c) and is excessive & irrelevant to the purpose pursued.
Storage Limitation (Article 5-1 e) Violation
Article 5-1 e) of GDPR states that personal data must be kept in a form allowing the identification of the persons concerned for no longer than is necessary for the purposes for which they are processed (storage limitation).
- The controller had a retention policy of 5 years for inactive accounts. However, it only sent prospecting emails for two years after the account became inactive. CNIL pointed out that two years is the appropriate retention period for this purpose of processing; hence keeping the data for 5 years violates storage limitation (GDPR Article 5-1 e).
- CNIL also criticized the company for treating the mere opening of an email as activity: an email can be opened by mistake or automatically by the design of the mail service. An action such as clicking a hyperlink inside the email should instead be used to determine the user's interest and the last active time.
- At the end of the retention period, the controller deleted all personal data except the email address and password, which were hashed with SHA-256 and kept in a separate database. The controller argued that this data was anonymous and was kept so that the user could log in with the same credentials even after the retention period. CNIL pointed out that even after SHA-256 hashing the data is only pseudonymized (a deterministic hash can be recomputed from the email address, so the controller can still link it to a person), and the controller cannot keep data beyond the retention period for a hypothetical future use case. Hence, this violates Article 5-1 e of GDPR.
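The point CNIL makes about SHA-256 can be seen in code. The following is an added example, not code from Spartoo or CNIL; the records and addresses are constructed. It shows that an unkeyed hash of an email address can be recomputed from any address the holder already knows, so the "deleted" records remain linkable to people:

```python
import hashlib
from typing import Dict, Iterable, List


def pseudonymize(email: str) -> str:
    """SHA-256 of a normalized email address. It is deterministic: the same
    address always yields the same value. This is the practice the decision
    discusses, and it produces a pseudonym, not anonymized data."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


# Constructed sample: what is left of three accounts after the "deletion" step,
# with the email column replaced by its SHA-256 hash.
RETAINED_RECORDS: List[Dict[str, str]] = [
    {"id": "1", "email_hash": pseudonymize("alice@example.com")},
    {"id": "2", "email_hash": pseudonymize("bob@example.com")},
    {"id": "3", "email_hash": pseudonymize("carol@example.com")},
]


def reidentify(records: Iterable[Dict[str, str]],
               known_emails: Iterable[str]) -> Dict[str, str]:
    """Link retained records back to people using any list of addresses the
    holder still has (a mailing list, an old backup, a new sign-up).
    Returns {record id: email address} for every record that matches."""
    lookup = {pseudonymize(e): e for e in known_emails}
    return {r["id"]: lookup[r["email_hash"]]
            for r in records if r["email_hash"] in lookup}


def is_anonymous(records: Iterable[Dict[str, str]],
                 known_emails: Iterable[str]) -> bool:
    """Data is only anonymous if the holder cannot single out a person;
    a single successful link shows it is still personal data."""
    return not reidentify(list(records), known_emails)


if __name__ == "__main__":
    # Constructed: the marketing list still holds two of the three addresses.
    marketing_list = ["alice@example.com", "Bob@Example.com"]
    print(reidentify(RETAINED_RECORDS, marketing_list))   # {'1': 'alice@example.com', '2': 'Bob@Example.com'}
    print(is_anonymous(RETAINED_RECORDS, marketing_list))  # False
```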
Violation of the Obligation to Inform Individuals (Article 13)
Article 13 of GDPR requires the data controller to provide, at the time the data is collected, information on its identity and contact details, those of the data protection officer, the purposes of the processing and its legal basis, the recipients of the personal data, any transfers of personal data, the retention period of the personal data, the rights enjoyed by individuals, and the right to lodge a complaint with a supervisory authority.
- The controller's privacy notice failed to mention that data was being transferred to Madagascar and hence violated Article 13 of GDPR.
Violation of the Obligation to Implement Technical & Organizational Measures (Article 32-1)
Article 32-1 of GDPR states: taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including in particular the means to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The controller allowed users to create a six-character password drawn from a single category of characters; this was later changed to a minimum of 8 characters. CNIL pointed out that an 8-character password from a single category of characters is still weak and does not meet the robustness requirement.
- The controller collected scans of bank cards over unencrypted email & stored them with the other supporting documents with no additional security measures. Hence, the company did not put in place appropriate security measures to protect customers' banking data and violated Article 32-1 of GDPR.
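A check for the password requirement CNIL raised (minimum length and more than one character category), added here as an example rather than the company's own code. The `search_space_bits` estimate is an assumption of this example, used to show why an 8-character single-category password remains weak:

```python
import math
import string
from typing import Set

# Character categories a password may draw from.
CATEGORIES = {
    "digits": frozenset(string.digits),           # 10 symbols
    "lower": frozenset(string.ascii_lowercase),   # 26 symbols
    "upper": frozenset(string.ascii_uppercase),   # 26 symbols
    "symbols": frozenset(string.punctuation),     # 32 symbols
}


def categories_used(password: str) -> Set[str]:
    """Names of the character categories present in the password."""
    return {name for name, chars in CATEGORIES.items()
            if any(c in chars for c in password)}


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive guess would have to
    cover, given the length and the categories the password actually uses.
    This is an upper bound; dictionary words and patterns are far weaker."""
    alphabet = sum(len(CATEGORIES[name]) for name in categories_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def is_acceptable(password: str, min_length: int = 8, min_categories: int = 2) -> bool:
    """Policy: at least min_length characters AND at least min_categories
    categories. Raising the length alone (the controller's first fix) is
    not enough: "12345678" passes a length check but uses one category."""
    return (len(password) >= min_length
            and len(categories_used(password)) >= min_categories)


if __name__ == "__main__":
    # Constructed sample passwords, from the weak case in the decision upward.
    for pw in ["123456", "12345678", "abcdefgh", "Abcd1234"]:
        print(f"{pw:10} {search_space_bits(pw):5.1f} bits  acceptable={is_acceptable(pw)}")
```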
The complete deliberation published by CNIL has more details, including the exchanges between the company and CNIL. It is a wealth of information for a privacy team setting up a privacy program for GDPR compliance. You can start your GDPR compliance with our data mapping tool.